Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
Continued Examination Under 37 CFR 1.114

1.       A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  
Applicant's submission filed on 4-29-2022 has been entered.

2.        Claims 1-20 are pending.  Claims 1, 3, 5, 12 have been amended.  Claims 1, 12 are independent.  This application was filed on 6-13-2019.

Response to Arguments

3.    Applicant's arguments have been fully considered; however, upon further consideration of the prior art and the claimed limitation, they were not persuasive.

A.  Applicant argues on page 1 of Remarks: The relied upon references fail to teach “determining a suspicious URL from the at least one URL saved in the web page visit record” and “wherein each of the at least one URL identifies one web page provided by the protected host.”

    The Examiner respectfully disagrees. Donahue discloses the content server to be the protected host which provides webpages to requesting clients.  (see Donahue paragraph [0027], lines 1-4: proxy server obtains an access log that includes URL requests intended for content server from multiple clients; paragraph [0027], lines 17-19: each URL (i.e. each URL points to a web page) request to content server is logged accordingly in the access log of proxy server)  
    The URL is deemed to be suspicious based on the webpage visit record (i.e. the count of IP address-based visits to the webpage (i.e. the associated URL)).  IP addresses are the basis of a network address for the visitor (i.e. user device) of the webpage (i.e. URL visited) and for the webpage server.  It is understood that multiple webpages can be associated with a single IP address (i.e. a server associated with multiple webpages (i.e. URLs)).  A URL is a resource associated with a server and still resolves to an IP address of the content server (web server) comprising the URL-designated webpage.  The actions of the IP address requesting the URL (i.e. the URL request) are counted and used to designate the URL as being suspicious or not.  
    Donahue discloses the determination of a URL as a suspicious URL by utilizing a count of the number of URLs determined to be suspicious and comparing with a threshold parameter. (see Donahue paragraph [0030], lines 1-22: entries in access log that meet predefined criteria are designated as suspicious; maintains a list of IP addresses (associated URLs) that are marked as suspicious; IP address and a count of the number of noted suspicious URL requests (from an IP-addressed device); paragraph [0007], lines 1-5; paragraph [0007], lines 15-21: storing (i.e. data records) particular IP addresses (URLs) in a listing of potential sources of attacks associated with content server; paragraph [0014], lines 7-20: analysis of content requests received at proxy server and identified as involved in suspicious behavior; once identified, IP addresses are tracked and aggregated over a particular period of time, with each detected suspicious request being counted and then compared to a threshold; (creating entry corresponding to URI); paragraph [0033], lines 4-6: processes list of suspicious activity and determines if the count of received suspicious URL requests exceeds a first threshold value; paragraph [0034], lines 1-4: processes list of suspicious activity to determine if the count of received suspicious URL requests exceeds or equals a second threshold value) 

B.  Applicant argues on page 2 of Remarks: The Office Action, by making that assertion, apparently equates a URL to an IP address. For example, the Office Action includes the text “IP addresses (URLs)” in several places. (Office Action, Pages 3, 4, and 7). By putting “URLs” in the parentheses, the Office Action clearly treats the “IP addresses” as “URLs”.

    The Examiner respectfully disagrees.  The URL is deemed to be suspicious based on the webpage visit record information (i.e. the count of IP address-based visits to the webpage (the associated URL)).  IP addresses are the basis of a network address for the visitor (i.e. user device) of the webpage (i.e. URL visited) and for the webpage.  It is understood that multiple webpages can be associated with a single IP address (i.e. a server associated with multiple webpages (i.e. URLs)).  A URL is a resource associated with a server and still resolves to an IP address of the content server (web server) comprising the URL-designated webpage.  The actions of the IP address requesting the URL (i.e. the URL request) are counted and used to designate the URL as being suspicious or not.  Donahue discloses the determination of a URL as a suspicious URL by utilizing a count of the number of URLs determined to be suspicious and comparing with a threshold parameter.  

C.  Applicant argues on page 2 of Remarks:    ...   Donahue merely discloses that “entries in the access log that meet the above criteria are indicated as suspicious by the proxy server 204”; that “the proxy server 204 may maintain a listing of all IP addresses that are marked as suspicious in the above processing of the access log”; and that “[t]his listing may include, in one instance, the IP addresses and a count of the number of noted suspicious URL requests to the content server”.

    The Examiner respectfully disagrees. The URL is deemed to be suspicious based on the webpage visit record (i.e. the count of IP address-based visits to the webpage (i.e. the associated URL)).  IP addresses are the basis of a network address for the visitor (i.e. user device) of the webpage (i.e. URL visited) and for the webpage.  It is understood that multiple webpages can be associated with a single IP address (i.e. a server associated with multiple webpages (i.e. URLs)).  A URL is a resource associated with a server and still resolves to an IP address of the content server (web server) comprising the URL-designated webpage.  
    The actions of the IP address requesting the URL (i.e. the URL request) are counted and used to designate the URL as being suspicious or not.  Donahue discloses the determination of a URL as a suspicious URL by utilizing a count of the number of URLs determined to be suspicious and comparing with a threshold.  (see Donahue paragraph [0030], lines 1-22: entries in access log that meet predefined criteria are designated as suspicious; maintains a list of IP addresses (URLs) that are marked as suspicious; IP address and a count of the number of noted suspicious URL requests; paragraph [0007], lines 1-5; paragraph [0007], lines 15-21: storing particular IP addresses (URLs) in a listing of potential sources of DOS attacks associated with content server; paragraph [0014], lines 7-20: analysis of content requests received at proxy server and identified as involved in suspicious behavior; once identified, IP addresses are tracked and aggregated over a particular period of time, with each detected suspicious request being counted and then compared to a threshold; paragraph [0033], lines 4-6: processes list of suspicious activity and determines if the count of received suspicious URL requests exceeds a first threshold value; paragraph [0034], lines 1-4: processes list of suspicious activity to determine if the count of received suspicious URL requests exceeds or equals a second threshold value) 

D.  Applicant argues on page 2 of Remarks: Donahue does not describe determining a suspicious URL from the at least one URL saved in the web page visit record, wherein each of the at least one URL identifies one web page provided by the protected host.

    The Examiner respectfully disagrees.  Donahue discloses the content server to be the protected host which provides webpages to requesting clients.  (see Donahue paragraph [0027], lines 1-4: proxy server obtains an access log that includes URL requests intended for content server from multiple clients; paragraph [0027], lines 17-19: each URL (i.e. each URL points to a web page) request to content server is logged accordingly in the access log of proxy server)
    The URL is deemed to be suspicious based on the webpage visit record (i.e. the count of IP address-based visits to the webpage (i.e. the associated URL)).  IP addresses are the basis of a network address for the visitor (i.e. user device) of the webpage (i.e. URL visited) and for the webpage.  It is understood that multiple webpages can be associated with a single IP address (i.e. a server associated with multiple webpages (i.e. URLs)).  A URL is a resource associated with a server and still resolves to an IP address of the content server (web server) comprising the URL-designated webpage.  The actions of the IP address requesting the URL (i.e. the URL request) are counted and used to designate the URL as being suspicious or not.  Donahue discloses the determination of a URL as a suspicious URL by utilizing a count of the number of URLs determined to be suspicious and comparing with a threshold parameter.

E.  Applicant argues on page 3 of Remarks:    ...   a URL request cannot be equated to a URL because such an interpretation is unreasonable in light of the specification of Donahue,   ...   . 

    The Examiner respectfully disagrees. The URL is deemed to be suspicious based on the webpage visit record (i.e. the count of IP address-based visits to the webpage (i.e. the associated URL)).  IP addresses are the basis of a network address for the visitor (i.e. user device) of the webpage (i.e. URL visited) and for the webpage.  It is understood that multiple webpages can be associated with a single IP address (i.e. a server associated with multiple webpages (i.e. URLs)).  A URL is a resource associated with a server and still resolves to an IP address of the content server (web server) comprising the URL-designated webpage.  The actions of the IP address requesting the URL (i.e. the URL request) are counted and used to designate the URL as being suspicious or not.  Donahue discloses the determination of a URL as a suspicious URL by utilizing a count of the number of URLs determined to be suspicious and comparing with a threshold parameter.   

F.  Applicant argues on page 3 of Remarks:    ...   fail to disclose “wherein a total quantity of visits to the suspicious URL is less than a first threshold, and a ratio of a quantity of different IP addresses visiting the suspicious URL to the total quantity of visits to the suspicious URL is less than a second threshold.”

    The Examiner respectfully disagrees.   Donahue discloses a comparison of a count of URL accesses by an entity (user device associated with an IP address) to a first threshold parameter utilized for a determination of a suspicious URL.  And, Donahue discloses a comparison of a count of URL accesses by an entity (user device associated with an IP address) to a second threshold parameter.  It would be obvious to calculate a ratio of a count of URL accesses against a threshold over the total count of URL accesses. 
    Donahue discloses a URL associated with a content server (i.e. a protected host). (Donahue paragraph [0007], lines 15-21: storing particular IP addresses (URLs) in a listing of potential sources of attacks associated with content server)   Donahue discloses the determination of a URL as a suspicious URL by utilizing a count of the number of URLs determined to be suspicious and comparing with a threshold parameter. (see Donahue paragraph [0030], lines 1-22: entries in access log that meet predefined criteria are designated as suspicious; maintains a list of IP addresses (URLs) that are marked as suspicious; IP address and a count of the number of noted suspicious URL requests; paragraph [0033], lines 4-6: processes list of suspicious activity and determines if the count of received suspicious URL requests exceeds a first threshold value; paragraph [0034], lines 1-4: processes list of suspicious activity to determine if the count of received suspicious URL requests exceeds or equals a second threshold parameter)

G.  Applicant argues on page 4 of Remarks:    ...   In Donahue, a suspicious URL request is a URL request that is not followed by related URL requests (Paragraph [0030]), while in Applicant’s claim 1, a suspicious URL is determined based on whether a total quantity of visits to the suspicious URL is less than a first threshold,   ...   . 

    The Examiner respectfully disagrees. Donahue discloses an example of an action implemented by a user while accessing a particular URL that could lead to a determination of a suspicious URL.  But, Donahue does disclose a comparison of a count of URL accesses by an entity (user device associated with an IP address) to a threshold parameter utilized for a determination of a suspicious URL.
    Donahue discloses a URL associated with a content server (i.e. a protected host). (Donahue paragraph [0007], lines 15-21: storing particular IP addresses (URLs) in a listing of potential sources of DOS attacks associated with content server)   Donahue discloses the determination of a URL as a suspicious URL by utilizing a count of the number of URLs determined to be suspicious and comparing with a threshold parameter. (see Donahue paragraph [0030], lines 1-22: entries in access log that meet predefined criteria are designated as suspicious; maintains a list of IP addresses (URLs) that are marked as suspicious; IP address and a count of the number of noted suspicious URL requests; paragraph [0007], lines 1-5; paragraph [0007], lines 15-21: storing particular IP addresses (URLs) in a listing of potential sources of DOS attacks associated with content server; paragraph [0014], lines 7-20: analysis of content requests received at proxy server and identified as involved in suspicious behavior; once identified, IP addresses are tracked and aggregated over a particular period of time, with each detected suspicious request being counted and then compared to a threshold parameter; (creating entry corresponding to URI); paragraph [0033], lines 4-6: processes list of suspicious activity and determines if the count of received suspicious URL requests exceeds a first threshold value; paragraph [0034], lines 1-4: processes list of suspicious activity to determine if the count of received suspicious URL requests exceeds or equals a second threshold value) 
    And, Roelker discloses a determination of whether a particular signature has been found (i.e. webshell signature). (see Roelker paragraph [0044], lines 1-6: IDS contains signatures to detect malicious parameter keys and values; (signature parameter designates a suspicious URL, associated IP address); URL parameter field is the field where most database and common gateway interface (CGI) attacks occur)  

H.  Applicant argues on page 4 of Remarks:    ...   fail to teach the limitation of “determining whether a web page identified by the suspicious URL contains a webshell signature in a webshell signature database.”

    The Examiner respectfully disagrees.  Donahue discloses a URL associated with a content server (i.e. a protected host). (Donahue paragraph [0007], lines 15-21: storing particular IP addresses (URLs) in a listing of potential sources of DOS attacks associated with content server)   Donahue discloses the determination of a URL as a suspicious URL by utilizing a count of the number of URLs determined to be suspicious and comparing with a threshold parameter. (see Donahue paragraph [0030], lines 1-22: entries in access log that meet predefined criteria are designated as suspicious; maintains a list of IP addresses (URLs) that are marked as suspicious; IP address and a count of the number of noted suspicious URL requests; paragraph [0007], lines 1-5; paragraph [0007], lines 15-21: storing particular IP addresses (URLs) in a listing of potential sources of DOS attacks associated with content server; paragraph [0014], lines 7-20: analysis of content requests received at proxy server and identified as involved in suspicious behavior; once identified, IP addresses are tracked and aggregated over a particular period of time, with each detected suspicious request being counted and then compared to a threshold; (creating entry corresponding to URI); paragraph [0033], lines 4-6: processes list of suspicious activity and determines if the count of received suspicious URL requests exceeds a first threshold value; paragraph [0034], lines 1-4: processes list of suspicious activity to determine if the count of received suspicious URL requests exceeds or equals a second threshold value) 
    And, Roelker discloses a determination of whether a particular signature has been found (i.e. webshell signature). (see Roelker paragraph [0044], lines 1-6: IDS contains signatures to detect malicious parameter keys and values; (signature parameter designates a suspicious URL, associated IP address); URL parameter field is the field where most database and common gateway interface (CGI) attacks occur)  
    The Specification in paragraph [0003] discloses a webshell to be analogous to a CGI implementation associated with a webpage. (Specification paragraph [0003]: “A webshell file may be a web page file written using the active server page (ASP) application, or a web page file written using the hypertext preprocessor (PHP) language, or a common gateway interface (CGI) program file”)  Roelker discloses suspicious activity associated with a CGI implementation for a webpage server. 

I.  Applicant argues on page 4 of Remarks:    ...   Applicant’s claim 1 does not read on Roelker because Applicant’s claim 1 recites identifying a webshell in a webpage on a protected host, rather than identifying a webshell in an attacking URL request.

    The Examiner respectfully disagrees.  Roelker discloses a determination of whether a particular signature has been found (i.e. webshell signature). (see Roelker paragraph [0044], lines 1-6: IDS contains signatures to detect malicious parameter keys and values; (signature parameter designates a suspicious URL, associated IP address); URL parameter field is the field where most database and common gateway interface (CGI) attacks occur)  
    The Specification in paragraph [0003] discloses a webshell to be analogous to a CGI implementation associated with a webpage. (Specification paragraph [0003]: “A webshell file may be a web page file written using the active server page (ASP) application, or a web page file written using the hypertext preprocessor (PHP) language, or a common gateway interface (CGI) program file”)  Roelker discloses suspicious activity associated with a CGI implementation utilizing a webpage server.     

J.  Applicant argues on page 4 of Remarks: Claim 12 recites limitations similar to those recited by claim 1 and therefore is also patentable over Donahue and Roelker.

    Independent claim 12 has limitations similar to those of independent claim 1.  Responses to arguments against independent claim 1 also answer arguments against independent claim 12.  

K.  Applicant argues on page 4 of Remarks: Given that each of the rest of the claims depend from one of the above independent claims, at least for the reasons similar to those discussed above, it is respectfully submitted that each of the rest of the claims are patentable over Donahue and Roelker.

    Responses to arguments against the independent claims also answer arguments against the associated dependent claims.       

Claim Rejections - 35 USC § 103  

4.        The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

5.        Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Donahue et al. (US PGPUB No. 20170366576) in view of Roelker et al. (US PGPUB No. 20080276316).

Regarding Claims 1, 12, Donahue discloses a webshell detection method and a security device, comprising: 
a)  obtaining first web traffic of a protected host, wherein the first web traffic is traffic generated when a web page provided by the protected host is visited during a first period; (see Donahue paragraph [0008], lines 6-25: proxy server configured to obtain an access log comprising URL requests for content intended for an associated content server (protected host) and detect a plurality of entries in the access log indicating proxy server receiving a first URL request of a group of related URL requests from a particular Internet Protocol (IP) address associated with a requesting device; paragraph [0027], lines 3-10: client device transmits URL request to content server (protected host) to obtain webpages (web traffic); request received at proxy server, stored in access log, and transmits request to content server)    
b)  generating a web page visit record of the protected host based on the first web traffic, wherein the web page visit record saves at least one uniform resource locator (URL), an IP address visiting each of the at least one URL, and a total quantity of visits to each of the at least one URL, wherein each of the at least one URL identifies one web page on the protected host; (see Donahue paragraph [0027], lines 1-4: proxy server obtains an access log that includes URL requests intended for content server from multiple clients; paragraph [0027], lines 17-19: each URL (i.e. each URL points to a web page) request to content server is logged accordingly in the access log of proxy server; paragraph [0030], lines 3-5: server maintains a listing of all IP addresses processed (or accessed)) and    
c)  determining a suspicious webpage on the protected host, wherein the suspicious webpage is identified by a suspicious URL from the at least one URL saved in the web page visit record, wherein a total quantity of visits to the suspicious URL is less than a first threshold, and a ratio of a quantity of different IP addresses visiting the suspicious URL to the total quantity of visits to the suspicious URL is less than a second threshold. (see Donahue paragraph [0030], lines 1-22: entries in access log (webpage visit records) that meet predefined criteria are indicated as suspicious; maintains a list of IP addresses (URLs) that are marked as suspicious; IP address and a count of the number of noted suspicious URL requests; paragraph [0033], lines 4-6: processes list of suspicious activity and determines if the count of received suspicious URL requests exceeds a first threshold value; paragraph [0034], lines 1-4: processes list of suspicious activity to determine if the count of received suspicious URL requests exceeds or equals a second threshold value, and a calculated ratio) 

    Furthermore, Donahue discloses for d) determining whether the suspicious web page is identified by a suspicious URL. (see Donahue paragraph [0030], lines 1-22: entries in access log that meet predefined criteria are indicated as suspicious; maintains a list of IP addresses (URLs) that are marked as suspicious; IP address and a count of the number of noted suspicious URL requests)
    And, Donahue discloses for e) the suspicious web page identified by the suspicious URL. (see Donahue paragraph [0030], lines 1-22: entries in access log that meet predefined criteria are indicated as suspicious; maintains a list of IP addresses (URLs) that are marked as suspicious; IP address and a count of the number of noted suspicious URL requests)

Donahue does not specifically disclose for d) URL contains a signature within a signature database, and e) detecting, based on a webshell signature determining results, whether a webshell exists in a web page. 
However, Roelker discloses: 
d)  contains a webshell signature in a webshell signature database, and e) the suspicious web page identified by the suspicious URL. (see Roelker paragraph [0044], lines 1-6: IDS contains signatures (i.e. analogous to webshell signature) to detect malicious parameter keys and values associated with a URL; (signature parameter designates a suspicious URL, associated IP address); URL parameter field is the field where most database and common gateway interface (CGI) attacks occur)   
    (The Specification in paragraph [0003] discloses a webshell to be analogous to a CGI implementation associated with a webpage. (Specification paragraph [0003]: “A webshell file may be a web page file written using the active server page (ASP) application, or a web page file written using the hypertext preprocessor (PHP) language, or a common gateway interface (CGI) program file”)  Roelker discloses suspicious activity associated with a CGI implementation for a webpage server.) 
e)  detecting, based on a webshell signature determining results, whether a webshell exists in the web page. (see Roelker paragraph [0044], lines 1-6: IDS contains signatures (i.e. analogous to webshell signature) to detect malicious parameter keys and values associated with a URL; (signature parameter keys and values designate a suspicious URL, associated IP address); URL parameter field is the field where most database and common gateway interface (CGI) attacks occur)
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Donahue for d) suspicious URL contains a signature within a signature database, and for e) detecting, based on a webshell signature determining results, whether a webshell exists in a web page as taught by Roelker. One of ordinary skill in the art would have been motivated to employ the teachings of Roelker for the benefits achieved from a system that enables the identification of Intrusion Detection System (IDS) evasions that utilize HTTP encoding schemes or HTTP protocol parameters.  (see Roelker paragraph [0012], lines 1-5)

Furthermore for Claim 12, Donahue discloses the security device comprising a memory, a processor, a network interface, and a bus, wherein the memory, the processor, and the network interface are connected to each other by using the bus. (see Donahue paragraph [0041], lines 1-8: computer readable devices coupled to processors; main memory for storing information and instructions used during execution; paragraph [0017], lines 1-5: managing distribution of content and/or communications from a computer network to an end user of network)    

Regarding Claims 2, 13, Donahue-Roelker discloses the method according to claim 1 and the security device according to claim 12, wherein the web page visit record comprises at least one entry, each of the at least one entry corresponds to one of the at least one URL, and saves a total quantity of visits and an IP address list; and wherein the generating the web page visit record of the protected host based on the first web traffic comprises:
d)  searching the web page visit record for an entry corresponding to the URL included in the selected access request packet; (see Donahue paragraph [0007], lines 1-5: comparing the plurality of entries within access log (i.e. particular IP addresses and URLs received by proxy server) to a threshold value) and
e)  adding 1 to a total quantity of visits in the found entry, and recording the source IP address into an IP address list in the found entry if the entry corresponding to the URL carried in the access request packet is found, or creating, in the web page visit record, the entry corresponding to the URL, setting a total quantity of visits in the created entry to 1 and recording the source IP address into an IP address list in the created entry when the entry corresponding to the URL included in the access request packet is not found. (see Donahue paragraph [0007], lines 1-5; paragraph [0007], lines 15-21: storing particular IP addresses (URLs) in a listing of potential sources of DOS attacks associated with content server; paragraph [0014], lines 7-20: analysis of content requests received at proxy server and identified as involved in suspicious behavior; once identified IP addresses tracked and aggregated over a particular period of time, with each detected suspicious request being counted and then compared to a threshold; (creating entry corresponding to URI))    

Donahue does not specifically disclose obtaining an access request packet from web traffic and parsing the selected request packet to obtain a source IP address and a URL. 
However, Roelker discloses: 
a)  obtaining at least one access request packet from the first web traffic, wherein a destination IP address of each of the at least one access request packet is an IP address of the protected host; (see Roelker paragraph [0017], lines 1-11: packet is parsed and IP address of packet identified, HTTP IDS located at IP address) and
b)  performing the following operations on each of the at least one access request packet; and c) parsing the access request packet to obtain a source IP address of and a URL in the access request packet. (see Roelker paragraph [0017], lines 1-11: packet is parsed and IP address of packet identified, HTTP IDS located at IP address; paragraph [0020], lines 1-6: one or more additional URIs embedded in packet are identified)     
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Donahue for obtaining an access request packet from web traffic and parsing the selected request packet to obtain a source IP address and a URL as taught by Roelker. One of ordinary skill in the art would have been motivated to employ the teachings of Roelker for the benefits achieved from a system that enables the identification of Intrusion Detection System (IDS) evasions that utilize HTTP encoding schemes or HTTP protocol parameters.  (see Roelker paragraph [0012], lines 1-5)

Regarding Claims 3, 14, Donahue-Roelker discloses the method according to claim 2 and the security device according to claim 13, wherein the determining the suspicious webpage on the protected host, wherein the suspicious webpage is identified by a suspicious URL from the at least one URL based on the web page visit record comprises:
a)  selecting one entry from the web page visit record; (see Donahue paragraph [0008], lines 6-25: proxy server configured to obtain an access log comprising URL requests for content intended for an associated content server (protected host) and detect a plurality of entries in the access log indicating proxy server receiving a first URL request of a group of related URL requests from a particular Internet Protocol (IP) address associated with a requesting device; paragraph [0007], lines 1-5: comparing the plurality of entries in access log (i.e. particular IP addresses and URLs received by proxy server) to a threshold value; paragraph [0027], lines 1-4: proxy server obtains an access log that includes URL requests intended for content server from multiple clients; paragraph [0027], lines 17-19: each URL (i.e. each URL points to a web page) request to content server is logged accordingly in the access log of proxy server; paragraph [0030], lines 3-5: server maintains a listing of all IP addresses processed (or accessing); paragraph [0014], lines 10-20: through an analysis of content requests received at server, one or more IP addresses (i.e. different IP addresses) are identified as involved in suspicious behavior)     
b)  determining a quantity of IP addresses different from one another in an IP address list in the selected entry; and c) determining a URL corresponding to the selected entry as the suspicious URL when a total quantity of visits in the selected entry is less than the first threshold and a ratio of the determined quantity of IP addresses different from one another to the total quantity of visits in the selected entry is less than the second threshold. (see Donahue paragraph [0007], lines 1-5; paragraph [0007], lines 15-21: storing particular IP addresses (URLs) in a listing of potential sources of DOS attacks associated with a content server; paragraph [0014], lines 7-20: analysis of content requests received at proxy server and identified as involved in suspicious behavior; once identified IP addresses tracked and aggregated over a particular period of time; with each detected suspicious request being counted and then compared to a threshold; paragraph [0033], lines 4-6: processes list of suspicious activity and determines if the count of received suspicious URL requests exceeds a first threshold value; paragraph [0034], lines 1-4: process list of suspicious activity to determine if the count of received suspicious URL requests exceeds or equals a second threshold value)     

Regarding Claims 4, 15, Donahue-Roelker discloses the method according to claim 1 and the security device according to claim 12, 
a)  wherein the web page visit record comprises at least one entry, each of the at least one entry corresponds to one of the at least one URL, and the entry saves a total quantity of visits, an IP address count, and an IP address list; (see Donahue paragraph [0007], lines 1-5; paragraph [0007], lines 15-21: storing particular IP addresses (URLs) in a listing of potential sources of DOS attacks associated with a content server; paragraph [0014], lines 7-20: analysis of content requests received at proxy server and identified as involved in suspicious behavior; once identified IP addresses tracked and aggregated over a particular period of time; with each detected suspicious request being counted and then compared to a threshold) and
generating a web page visit record of the protected host based on the first web traffic comprises:
e)  searching the web page visit record for an entry corresponding to the URL included in the access request packet; (see Donahue paragraph [0007], lines 1-5: comparing the plurality of entries in access log (i.e. particular IP addresses and URLs received by proxy server) to a threshold value)    
f)   adding 1 to a total quantity of visits in the found entry when the entry corresponding to the URL included in the access request packet is found; (see Donahue paragraph [0008], lines 6-25: proxy server configured to obtain an access log comprising URL requests for content intended for an associated content server (protected host) and detect a plurality of entries in the access log indicating proxy server receiving a first URL request of a group of related URL requests from a particular Internet Protocol (IP) address associated with a requesting device; paragraph [0007], lines 1-5; paragraph [0007], lines 15-21: storing particular IP addresses (URLs) in a listing of potential sources of DOS attacks associated with a content server; paragraph [0014], lines 7-20: analysis of content requests received at proxy server and identified as involved in suspicious behavior; once identified IP addresses tracked and aggregated over a particular period of time; with each detected suspicious request being counted and then compared to a threshold)    
g)  determining whether the source IP address has been saved in an IP address list in the found entry; (see Donahue paragraph [0027], lines 1-4: proxy server obtains an access log that includes URL requests intended for content server from multiple clients; paragraph [0027], lines 17-19: each URL request to content server is logged accordingly in the access log of proxy server; paragraph [0030], lines 3-5: server maintains a listing of all IP addresses)     
h)  ending processing the access request packet when the source IP address has been saved in the IP address list in the found entry; or adding 1 to an IP address count in the found entry and recording the source IP address into the IP address list in the found entry when the source IP address has not been saved in the IP address list in the found entry; or creating, in the web page visit record, the entry corresponding to the URL included in the access request packet, setting a total quantity of visits in the created entry to 1, setting an IP address count in the created entry to 1, and recording the source IP address into an IP address list in the created entry when the entry corresponding to the URL included in the access request packet is not found. (see Donahue paragraph [0007], lines 1-5; paragraph [0007], lines 15-21: storing particular IP addresses (URLs) in a listing of potential sources of DOS attacks associated with a content server; paragraph [0014], lines 7-20: analysis of content requests received at proxy server and identified as involved in suspicious behavior; once identified IP addresses tracked and aggregated (saved) over a particular period of time; with each detected suspicious request being counted and then compared to a threshold; (selected: adding 1 to an IP count)) 
   
Donahue does not specifically disclose obtaining and performing processing on selected access request packets. 
However, Roelker discloses: 
b)  obtaining at least one access request packet from the first web traffic, wherein a destination IP address of the access request packet is an IP address of the protected host; and c) performing the following operations on each of the at least one access request packet is processed; and d) obtaining a source IP address of a URL included in the selected access request packet. (see Roelker paragraph [0017], lines 1-11: packet is parsed and IP address of packet identified, HTTP IDS located at IP address; paragraph [0020], lines 1-6: one or more additional URIs embedded in packet are identified)  
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Donahue for obtaining and performing processing on selected access request packets as taught by Roelker. One of ordinary skill in the art would have been motivated to employ the teachings of Roelker for the benefits achieved from a system that enables the identification of Intrusion Detection System (IDS) evasions that utilize HTTP encoding schemes or HTTP protocol parameters.  (see Roelker paragraph [0012], lines 1-5)

Regarding Claims 5, 16, Donahue-Roelker discloses the method according to claim 4 and the security device according to claim 15, wherein the determining the suspicious webpage on the protected host, wherein the suspicious webpage is identified by a suspicious URL from the at least one URL based on the web page visit record comprises:
a)  selecting one entry from the web page visit record; (see Donahue paragraph [0008], lines 6-25: proxy server configured to obtain an access log comprising URL requests for content intended for an associated content server (protected host) and detect a plurality of entries in the access log indicating proxy server receiving a first URL request of a group of related URL requests from a particular Internet Protocol (IP) address associated with a requesting device; paragraph [0007], lines 1-5: comparing the plurality of entries in access log (i.e. particular IP addresses and URLs received by proxy server) to a threshold value) and
b)  determining a URL corresponding to the selected entry as the suspicious URL when a total quantity of visits in the selected entry is less than the first threshold and a ratio of an IP address count in the selected entry to the total quantity of visits in the selected entry is less than the second threshold. (see Donahue paragraph [0030], lines 1-22: entries in access log that meets predefined criteria are indicated as suspicious; maintains a list of IP addresses (URLs) that are marked as suspicious; IP address and a count of the number of noted suspicious URL requests; paragraph [0033], lines 4-6: processes list of suspicious activity and determines if the count of received suspicious URL requests exceeds a first threshold value; paragraph [0034], lines 1-4: process list of suspicious activity to determine if the count of received suspicious URL requests exceeds or equals a second threshold value)     

Regarding Claims 6, 8, 17, Donahue-Roelker discloses the method according to claim 2 and the method according to claim 4 and the security device according to claim 13. 
Donahue does not specifically disclose selecting and obtaining an access request packet corresponding to each web page access response packet.
However, Roelker discloses wherein the obtaining at least one access request packet from the first web traffic comprises: 
a)  selecting at least one access response packet from the first web traffic, wherein a status code included in each of the at least one access response packet indicates a successful visit, and a source address of each access response packet is the IP address of the protected host; and b) obtaining an access request packet corresponding to each of the at least one web page access response packet from the first web traffic, as the obtained at least one access request packet. (see Roelker paragraph [0017], lines 1-11: packet is parsed and IP address of packet identified, HTTP IDS located at IP address; paragraph [0020], lines 1-6: one or more additional URIs embedded in packet are identified)   
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Donahue for selecting and obtaining an access request packet corresponding to each web page access response packet as taught by Roelker. One of ordinary skill in the art would have been motivated to employ the teachings of Roelker for the benefits achieved from a system that enables the identification of Intrusion Detection System (IDS) evasions that utilize HTTP encoding schemes or HTTP protocol parameters.  (see Roelker paragraph [0012], lines 1-5)   

Regarding Claims 7, 9, 18, Donahue-Roelker discloses the method according to claim 2 and the method according to claim 4 and the security device according to claim 13, wherein the searching the web page visit record for the entry corresponding to the URL carried in the access request packet comprises:
b)  searching the web page visit record for an entry corresponding to the processed URL; (see Donahue paragraph [0008], lines 6-25: proxy server configured to obtain an access log comprising URL requests for content intended for an associated content server (protected host) and detect a plurality of entries in the access log indicating proxy server receiving a first URL request of a group of related URL requests from a particular Internet Protocol (IP) address associated with a requesting device; paragraph [0007], lines 1-5: comparing the plurality of entries in access log (i.e. particular IP addresses and URLs received by proxy server) to a threshold value) and
c)  creating, in the web page visit record, the entry corresponding to the processed URL. (see Donahue paragraph [0007], lines 1-5; paragraph [0007], lines 15-21: storing particular IP addresses (URLs) in a listing of potential sources of DOS attacks associated with a content server; paragraph [0014], lines 7-20: analysis of content requests received at proxy server and identified as involved in suspicious behavior; once identified IP addresses tracked and aggregated over a particular period of time; with each detected suspicious request being counted and then compared to a threshold)    

Donahue does not specifically disclose for performing at least one type of normalization processing on a URL carried in a selected access request packet to obtain a normalization-processed URL. 
However, Roelker discloses: 
a)  performing at least one type of normalization processing on the URL included in the access request packet to obtain a normalization-processed URL, wherein the normalization processing comprises one or more of the following: converting the URL included in the access request packet into a predetermined code scheme, converting characters in the URL included in the access request packet into a predetermined uppercase/lowercase type, and removing a parameter in the URL included in the access request packet; and c) a normalization-processed URL, and d) a normalization-processed URL. (see Roelker paragraph [0103], lines 8-10: URI normalization module: attempts to decode an obfuscation within a URI; decodes obfuscations detected by URI discovery components including encoded characters; (selected: converting characters in URL))
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Donahue for performing at least one type of normalization processing on a URL carried in a selected access request packet to obtain a normalization-processed URL as taught by Roelker. One of ordinary skill in the art would have been motivated to employ the teachings of Roelker for the benefits achieved from a system that enables the identification of Intrusion Detection System (IDS) evasions that utilize HTTP encoding schemes or HTTP protocol parameters.  (see Roelker paragraph [0012], lines 1-5) 
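The three normalization types recited for Claims 7, 9 and 18 (predetermined code scheme, predetermined case, parameter removal) are illustrated below in an added Python example. It is not code from the application, from Roelker, or from this action. It assumes the visit record is keyed on the request path only, that "predetermined code scheme" means undoing percent-encoding (repeated a bounded number of times, since a URL can be encoded more than once), and that the protected host resolves paths case-insensitively, which is what makes lower-casing a safe merge rather than a loss of distinct resources.

```python
from urllib.parse import unquote, urlsplit

# Assumption: how many layers of nested percent-encoding to undo before giving up.
MAX_DECODE_ROUNDS = 3


def normalize_url(raw_url: str, max_rounds: int = MAX_DECODE_ROUNDS) -> str:
    """Apply the three claimed normalization types to a request URL.

    1. predetermined code scheme: percent-decode as UTF-8, repeating while the
       string still changes (a doubly encoded URL needs two passes);
    2. predetermined case: lower-case the result;
    3. parameter removal: drop the query string and fragment.

    The query is split off before decoding so that an encoded '?' (%3F) inside
    the path stays a literal path character, matching how servers treat it.
    Only the path is returned, which is the key the visit record uses.
    """
    parts = urlsplit(raw_url)
    path = parts.path
    for _ in range(max_rounds):
        decoded = unquote(path, encoding="utf-8", errors="replace")
        if decoded == path:
            break  # nothing left to decode
        path = decoded
    return path.lower()


def normalization_keys(raw_urls):
    """Map each raw URL to its record key; variants of one page collapse to one key."""
    return {u: normalize_url(u) for u in raw_urls}


if __name__ == "__main__":
    # Constructed sample requests, all referring to the same page in different spellings.
    sample = [
        "/Admin/Upload.PHP?id=7&page=2",
        "/%41dmin/%2575pload.php",
        "/admin/upload.php#top",
    ]
    for raw, key in normalization_keys(sample).items():
        print(f"{raw!r:32} -> {key!r}")
```

Without this step the visit record would hold one entry per spelling, so a page reached through encoded variants would show artificially low visit counts and could slip under or over the thresholds of Claims 3 and 5.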

Regarding Claims 10, 19, Donahue-Roelker discloses the method according to claim 1 and the security device according to claim 12, further comprising: 
a)  determining a normal URL from the at least one URL saved in the web page visit record, wherein the normal URL is a URL whose total quantity of visits is greater than the first threshold in the at least one URL or a suspicious URL for which a webshell detection result indicates that no webshell exists in an identified web page; (see Donahue paragraph [0007], lines 1-5; paragraph [0007], lines 15-21: storing particular IP addresses (URLs) in a listing of potential sources of DOS attacks associated with a content server; paragraph [0014], lines 7-20: analysis of content requests received at proxy server and identified as involved in suspicious behavior; once identified IP addresses tracked and aggregated over a particular period of time; with each detected suspicious request being counted and then compared to a threshold; paragraph [0034], lines 8-16: if count for an IP address has not exceeded (or equals a second threshold value), then server returns to operation 402 to monitor additional potential suspicious URL requests (i.e. URL “considered” normal or OK; threshold not exceeded); if suspicious activity count exceeds or equals second threshold value, server may execute a blocking feature in operation preventing suspected IP address from access to content server for a period of time) and
b)  deleting an IP address visiting the normal URL and a total quantity of visits to the normal URL that are saved in the web page visit record. (see Donahue paragraph [0034], lines 18-20: suspicious address included in IP table for a set period of time and removed when period of time expires; (address and associated data removed))    

Regarding Claims 11, 20, Donahue-Roelker discloses the method according to claim 10 and the security device according to claim 19, further comprising: 
a)  obtaining second web traffic of the protected host, wherein the second web traffic is traffic generated when the web page provided by the protected host is visited during a second period after the first period; (see Donahue paragraph [0027], lines 3-10: client device transmits a URL request to content server (protected host) to obtain a webpage (web traffic); request received at proxy server, stored in access log, and transmit request to content server)       
d)  adding 1 to a total quantity of visits to the saved URL included in the first access request packet, and adding the source IP address of the first access request packet to an IP address visiting the URL included in the first access request packet when the URL included in the first access request packet is different from the normal URL and the URL included in the first access request packet has been saved in the web page visit record; (see Donahue paragraph [0007], lines 1-5; paragraph [0007], lines 15-21: storing particular IP addresses (URLs) in a listing of potential sources of DOS attacks associated with a content server; paragraph [0014], lines 7-20: analysis of content requests received at proxy server and identified as involved in suspicious behavior; once identified IP addresses tracked and aggregated over a particular period of time; with each detected suspicious request being counted and then compared to a threshold; paragraph [0034], lines 8-16: if count for an IP address has not exceeded or equals a second threshold value, then server returns to operation 402 to monitor additional potential suspicious URL requests (i.e. URL “considered” normal or OK; threshold not exceeded); if suspicious activity count exceeds or equals the second threshold value, server may execute a blocking feature in operation preventing suspected IP address from access to content server for a period of time)
f)   saving the URL carried in the second access request packet into the web page visit record, setting a total quantity of visits to the URL carried in the second access request packet to 1, and setting an IP address visiting the URL included in the second access request packet to the source IP address of the second access request packet when the URL included in the second access request packet is different from the normal URL and the URL included in the second request packet has not been saved in the web page visit record; (see Donahue paragraph [0007], lines 1-5; paragraph [0007], lines 15-21: storing particular IP addresses (URLs) in a listing of potential sources of DOS attacks associated with a content server; paragraph [0014], lines 7-20: analysis of content requests received at proxy server and identified as involved in suspicious behavior; once identified IP addresses tracked and aggregated over a particular period of time; with each detected suspicious request being counted and then compared to a threshold) and    
h)  ending processing the third access request packet when the URL included in the third access request packet is the same as the normal URL. (see Donahue paragraph [0034], lines 8-11: if count for IP address has not exceeded threshold proxy server returns to monitoring additional potential suspicious URL requests (i.e. normal operation))    

Donahue does not specifically disclose obtaining an access request packet (first, second, third) and parsing an access request packet (first, second, third) to obtain a source IP address of and a URL. 
However, Roelker discloses:
b)  obtaining a first access request packet, a second access request packet, and a third access request packet from the second web traffic; (see Roelker paragraph [0017], lines 1-11: packet is parsed and IP address of packet identified, HTTP IDS located at IP address)    
c)  parsing the first access request packet to obtain a source IP address of and a URL carried in the first access request packet; e) parsing the access request packet to obtain a source IP address of and a URL included in the second access request packet; and g) parsing the third access request packet to obtain a URL carried in the third access request packet. (see Roelker paragraph [0017], lines 1-11: packet is parsed and IP address of packet identified, HTTP IDS located at IP address; paragraph [0020], lines 1-6: one or more additional URIs embedded in packet are identified)      
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Donahue for obtaining an access request packet (first, second, third) and parsing an access request packet (first, second, third) to obtain a source IP address of and a URL as taught by Roelker. One of ordinary skill in the art would have been motivated to employ the teachings of Roelker for the benefits achieved from a system that enables the identification of Intrusion Detection System (IDS) evasions that utilize HTTP encoding schemes or HTTP protocol parameters.  (see Roelker paragraph [0012], lines 1-5)
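The procedure recited across Claims 4/15 (building the web page visit record from parsed request packets), Claims 3/14 and 5/16 (marking a URL suspicious when its total visits are below the first threshold and its distinct-IP-to-visits ratio is below the second threshold), and Claims 10/19 and 11/20 (identifying normal URLs, deleting them from the record, and skipping them in a second period) is carried through end to end in the added Python example below. It is not code from the application, from Donahue or Roelker, or from this action. It assumes packets have already been parsed into (source IP, URL) pairs, that the webshell detection result for a suspicious URL is supplied from outside as a constructed input (scanning is not shown), and the threshold values 10 and 0.5 are chosen only for the illustration; all addresses are from the RFC 5737 documentation ranges.

```python
from dataclasses import dataclass, field


@dataclass
class VisitEntry:
    """One entry of the web page visit record for a single URL."""
    total_visits: int = 0
    ip_count: int = 0                      # number of distinct source IPs
    ip_list: set = field(default_factory=set)


def record_access(record, src_ip, url, normal_urls=frozenset()):
    """Update the record for one parsed access request (steps e-h of Claims 4/15,
    steps d/f/h of Claims 11/20). A normal URL ends processing; a known URL gains one
    visit and, for a new source IP, one IP-count; an unknown URL gets a fresh entry."""
    if url in normal_urls:
        return                              # step h of Claims 11/20: stop here
    entry = record.get(url)
    if entry is None:                       # entry not found: create it at 1 visit / 1 IP
        record[url] = VisitEntry(total_visits=1, ip_count=1, ip_list={src_ip})
        return
    entry.total_visits += 1
    if src_ip not in entry.ip_list:         # new visitor of an existing entry
        entry.ip_list.add(src_ip)
        entry.ip_count += 1


def suspicious_urls(record, first_threshold, second_threshold):
    """Claims 3/5: few visits overall, and those visits come from few distinct addresses."""
    hits = []
    for url, e in record.items():
        ratio = e.ip_count / e.total_visits
        if e.total_visits < first_threshold and ratio < second_threshold:
            hits.append(url)
    return sorted(hits)


def normal_urls(record, first_threshold, webshell_found):
    """Claims 10/19: visits above the first threshold, or a suspicious URL whose
    webshell detection result (constructed input: url -> bool) is negative."""
    return {url for url, e in record.items()
            if e.total_visits > first_threshold or webshell_found.get(url) is False}


def prune_normal(record, normal):
    """Claims 10/19 step b: drop the visitor IPs and visit totals of normal URLs."""
    for url in normal:
        record.pop(url, None)


def build_sample_traffic():
    """Constructed first-period traffic: ten visitors of /index.php (two returning),
    one address hitting /uploads/x.php five times, three one-off visitors of
    /login.php, and two addresses visiting /about.php twice each (ratio exactly 0.5)."""
    traffic = [(f"198.51.100.{i + 1}", "/index.php") for i in range(10)]
    traffic += [("198.51.100.1", "/index.php"), ("198.51.100.2", "/index.php")]
    traffic += [("192.0.2.10", "/uploads/x.php")] * 5
    traffic += [(f"203.0.113.{i}", "/login.php") for i in (1, 2, 3)]
    traffic += [("203.0.113.7", "/about.php"), ("203.0.113.8", "/about.php")] * 2
    return traffic


def run_two_periods(first_threshold=10, second_threshold=0.5):
    """First period: build record, flag suspicious URLs, derive and prune normal URLs.
    Second period: process new traffic while skipping the normal URLs."""
    record = {}
    for ip, url in build_sample_traffic():
        record_access(record, ip, url)
    suspicious = suspicious_urls(record, first_threshold, second_threshold)
    scan = {"/uploads/x.php": True}          # constructed: the scan reported a webshell
    normal = normal_urls(record, first_threshold, scan)
    prune_normal(record, normal)
    second_period = [("198.51.100.3", "/index.php"),       # normal, ignored
                     ("192.0.2.10", "/uploads/x.php"),     # known, same visitor
                     ("192.0.2.11", "/admin/new.php")]     # unseen URL, new entry
    for ip, url in second_period:
        record_access(record, ip, url, normal)
    return suspicious, normal, record


if __name__ == "__main__":
    s, n, r = run_two_periods()
    print("suspicious after period 1:", s)
    print("normal (pruned):", sorted(n))
    for url, e in sorted(r.items()):
        print(f"{url:18} visits={e.total_visits} ips={e.ip_count}")
```

Two properties of the rule are worth noting for anyone tuning it: a URL seen exactly once has a ratio of 1 and can never be flagged unless the second threshold exceeds 1, and /about.php shows that the comparisons are strict, so a ratio equal to the second threshold is not suspicious.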

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to CARLTON JOHNSON whose telephone number is (571)270-1032.  The examiner can normally be reached on Work: 12-9PM (most days).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on 571-272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/CJ/
May 23, 2022

/FATOUMATA TRAORE/Primary Examiner, Art Unit 2436