DETAILED ACTION
This is a non-final office action in response to applicant’s communication filed on 12/17/2020.
Claims 1-21 are pending and being considered.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Priority
Applicant’s claim for the benefit of a prior-filed application (No. 62/950,644, filed on 12/19/2019) under 35 U.S.C. 119(e) or under 35 U.S.C. 120, 121, 365(c), or 386(c) is acknowledged.
Oath/Declaration
Applicant is reminded an Oath/Declaration has not been filed.
Specification
The disclosure is objected to because of the following informalities: 
Paragraph [025] line 3, “not deployed in the backbone network 110”, where reference number 110 is referring to Client Device in Fig. 1.
Paragraph [026]. It appears the contents of this paragraph are part of another paragraph, describing the flow data, etc.
Appropriate correction is required.

Claim Objections
Claims 1-2, 7-8, 11-13, 16-21 are objected to because of the following informalities:  
Claim 21 recites “The system of claim 1 …” where claim 1 is a method claim. It appears applicant intends to recite “The system of claim 12 …” instead.
Claim 1 line 5 recites “… by associating each event with …”. It is not clear whether “each event” is referring to each received request.
Similarly, claim 11 line 6, claim 12 line 8.
Claim 1 line 8, “generating … based on periodically generated analysis” may read “generating … based on the periodically analyzing”.
Similarly, claim 11 line 9; claim 12 line 11.
Claim 2 line 2, “wherein the analysis” may read “wherein the periodically analyzing”.
Similarly, claim 13 line 2.
Claim 7 line 1, “wherein a change an enriched request …” appears to recite “wherein a change in the each enriched request …”.
Similarly, claim 18 line 1.
Claim 8 line 4, “… based on events…” may read “… based on the events…”.
Similarly, claim 19 line 4.
Claim 13 line 1, claim 14 line 1, “further configured:” may read “further configured to:”.
Claim 16 line 1, claim 17 line 1, “wherein the system is further configured to:” may read “ further configured to:”
Claim 19 line 1, Claim 20 line 1, “wherein it is further comprising:” may read “configured to:”.
Similarly claim 21, “further comprising:” may read “further configured to:”.
Corrective action is required.

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 9, 20 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.
Claim 9 lines 7-8 recite “generating at least one network traffic rule defining how to generate the anomalous request”. The Examiner reviewed the Specification of the instant application. In particular, regarding “anomalous request”, paragraph [49] states: “At S440, a rule is generated by the WAF server based on the generated first cluster, to determine how to process the anomalous request.” It appears the rule defines how to process the anomalous request, rather than how “to generate the anomalous request” as recited in the claim. The same applies to claim 20. It is suggested that Applicant amend the claim or explain this deficiency in the response to resolve the issue.

The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 4, 10, 15, 21 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claim 4 line 1 recites “wherein IP status information …”. The use of “wherein” suggests that “IP status information” refers back to claim 1; however, it has not been recited in claim 1, from which claim 4 depends. There is insufficient antecedent basis for this limitation in the claim.
Similarly, claim 15 line 1.
Claim 10 (similarly claim 21) recites “generating the at least one network traffic rule in a notation complies with the second WAF”. It is not clear whether the underlined “complies” refers to “generating” or to “notation”, rendering the claim indefinite. The limitation can be interpreted as: generating … complies with …, or … in a notation that complies with …

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-8, 11-19 are rejected under 35 U.S.C. 103 as being unpatentable over Owens et al (US20210036991A1, hereinafter, “Owens”), in view of Lewis (US20200036615A1, hereinafter, “Lewis”).
Regarding claim 1, Owens teaches:
A method for configuring a web application firewall (WAF) (Owens, discloses method and system for efficiently protecting web applications with web application firewall, see [Abstract]), the method comprising: 
continuously receiving requests related to a first WAF, each request indicative of network traffic directed to a web application protected by the WAF (Owens, see Fig. 4, steps 410-425: receiving an incoming application request and route the application request to the WAF. Fig. 4 also shows after step 450 the method proceeds to step 410, i.e. continuously receiving requests); 
enriching each received request by associating each event with information from an enrichment source (Owens, [Abstract] The WAF updates the application request to include a first header, … (i.e. enriching). And [0052] At block 430, the WAF processes and analyzes the application request. The WAF parses the application request and determines the URL of the web application. The WAF adds a header, such as Forwarded-URL header shown in FIG. 3 that includes the original URL. The WAF may update the URL in the application request with a URL of a reverse proxy (i.e. enrichment source)); 
periodically analyzing the enriched requests (Owens, [0047] Platform router 320 also determines whether the timestamp is within the allotted time period, that is the application request is not expired (i.e. router parse the request within a period and forwards the request to WAF, suggesting the WAF analyzing the request periodically). And [0053] At block 430, the WAF analyzes the application request to determine whether to allow or block the application request); 
generating at least one network traffic rule based on periodically generated analysis (Owens, [0023] The system and method in the current disclosure propose a solution to the above issues by implementing a WAF that can be bound for a specific web application or a specific set of web applications. By binding the WAF to one or more web applications, security rules applied by the WAF may be customized specifically to the needs of that specific web application(s)); 
Owens teaches the main concept of the invention, provisioning a WAF for analyzing web application requests, but does not specifically teach the following limitation; however, Lewis, in the same field of endeavor, teaches:
and configuring at least a second WAF to perform the network traffic rule (Lewis, discloses method and system for implementing high availability WAF functionality using containerized WAF cluster, see [Abstract]. And [0027] one or more of the at least one first WAF cluster might each comprise at least one first WAF mini cluster, each first WAF mini cluster comprising two or more first WAF containers, wherein each first WAF mini cluster might be configured to apply a WAF rule, wherein the first WAF cluster might be configured to apply multiple WAF rules using different first WAF mini clusters. According to some embodiments, launching one or more second WAF containers might comprise launching one or more second WAF containers in at least one of one or more second WAF clusters or one or more second WAF mini clusters, wherein each second WAF mini cluster might be configured to apply a WAF rule, …).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Lewis in the implementing web application firewall of Owens by configuring two or more WAF to apply WAF rule(s). This would have been obvious because the person having ordinary skill in the art would have been motivated to implement WAF cluster for robust and scalable solutions for implementing firewall functionalities (Lewis, [Abstract], [0004-0005]).

Regarding claim 11, Owens-Lewis combination teaches:
A non-transitory computer readable medium having stored thereon instructions for causing a processing circuitry to execute a process for configuring a web application firewall (WAF) (Owens, discloses method and system for efficiently protecting web applications with web application firewall, see [Abstract]. See Fig. 3 WAF 340 includes an application request processor 350. And [0064] computer-readable medium), the process comprising: performing method steps substantially similar to the method steps of claim 1; the claim is therefore rejected under the same rationale set forth in the rejection of claim 1 above.

Regarding claim 12, Owens-Lewis combination teaches:
A system for a process for configuring a web application firewall (WAF), comprising: a processing circuitry; and a memory, the memory containing instructions that, when executed by the processing circuitry (Owens, discloses method and system for efficiently protecting web applications with web application firewall, see [Abstract]. See Fig. 3 WAF 340 includes an application request processor 350. And Fig. 1 Memory and [0012]), configure the system to: perform method steps substantially similar to the method steps of claim 1; the claim is therefore rejected under the same rationale set forth in the rejection of claim 1 above.

Regarding claim 2, similarly claim 13, Owens-Lewis combination further teaches:
The method of claim 1, the system of claim 12, further comprising: storing the enriched requests in a database, wherein the analysis is performed on requests stored in the database (Owens, [0044] The request processor adds a first header and copies the extracted URL to the first header. In addition, application request processor 350 may update the URL in application request 305 with the URL for a reverse proxy. For example, application request processor 350 may use a header “Forwarded-URL” to contain the extracted URL. The application request 305 that includes the header “Forwarded-URL” may now be referred to as application request 345).  

Regarding claim 3, similarly claim 14, Owens-Lewis combination further teaches:
The method of claim 1, the system of claim 12, wherein enriching each received request further comprises: associating each received request with IP status information and a timestamp (Owens, [0046] The rules engine 360 may also include information and/or metadata for platform router 320 to determine whether the forwarded application request has been analyzed and/or validated, such as a time stamp, IP address of WAF 340, etc. And [0060] At block 450, the WAF updates the application request to indicate that the application request has been validated or secure. For example, the WAF may add a second header that includes a value signaling that the application request has been validated or secure by the WAF. For example, the second header may include the original URL, a signature, a flag, a timestamp, or a combination thereof).  

Regarding claim 4, similarly claim 15, Owens-Lewis combination further teaches:
The method of claim 1, the system of claim 12, wherein IP status information includes at least one of: IP reputation feeds, IP geolocation databases, whitelists, blacklists, Open Web Application Security Project (OWASP) tagging, and global events (Owens, [0045] For example, rules engine 360 may block or deny incoming application requests. Rules engine 360 may also blacklist a particular client internet protocol (IP) address (i.e. IP status is blacklisted) or limit the number of connections accepted from the particular client. During the analysis, rules engine 360 may retrieve the set of security rules from a data store such as rule repository 370).  

Regarding claim 5, similarly claim 16, Owens-Lewis combination further teaches:
The method of claim 1, the system of claim 12, wherein enriching each received request further comprises: associating each received request with data collected from at least one data source, wherein the at least one data source includes Internet-based services (Owens, [0040] At stage A, a user may use one of clients 100a-100n such as client 100a to transmit application request 305 to web application 325a via network 210. Application request 305 may be an HTTP request (i.e. Internet-based services) that includes a uniform resource locator (URL), one or more parameters, or any other data for processing the application request. In this example, the URL is equal to “ABC.com” and a parameter “param” is equal to a value “safe.” ABC.com is mapped to web application 325a. Application request 305 may also include a method, for example “GET”, a version, a header, and a body. And [0052] As shown in application request 345 in FIG. 3, the header Forwarded-URL has been updated to include the URL “ABC.com/param=safe”. In addition, the URL has been updated to “WAF.com” from “ABC.com.”).  

Regarding claim 6, similarly claim 17, Owens-Lewis combination further teaches:
The method of claim 1, the system of claim 12, wherein periodically analyzing the enriched requests further comprises: analyzing each enriched request that have been changed to determine if the at least one network traffic rule is required to be generated (Owens, [0023] By binding the WAF to one or more web applications, security rules applied by the WAF may be customized specifically to the needs of that specific web application(s). And [0048] During the binding of the WAF to the web application, a set of security policies or security rules may be associated with the web application. Associating the security rules to the web application means that the WAF uses the associated security rules or a portion thereof to monitor and/or validate application requests transmitted to the web application. And [0053] At block 430, the WAF analyzes the application request to determine whether to allow or block the application request).  

Regarding claim 7, similarly claim 18, Owens-Lewis combination further teaches:
The method of claim 6, the system of claim 17, wherein a change an enriched request includes any one of: a new enrichment source added to the request, a new edge in a graph database storing the enriched request, and an updated label in the enriched request (Owens, [0033] The original URL is then replaced with a URL of a reverse proxy (i.e. updated label in the enriched request), such as rules engine 360, that would be used to redirect the incoming request and would then determine and apply one or more security rules to the updated application request, such as application request 345. And [0052] The WAF adds a header, such as Forwarded-URL header shown in FIG. 3 that includes the original URL. The WAF may update the URL in the application request with a URL of a reverse proxy).  

Regarding claim 8, similarly claim 19, Owens-Lewis combination further teaches:
The method of claim 1, The system of claim 17, further comprising: classifying events included in the enriched requests into a first group, wherein the classification is based on at least one network parameter (Lewis, [0015] A WAF cluster is then created using container management software or systems, …, so that WAF containers can be launched on demand. The container management system may be coupled with a load-balancing proxy server or a load-balancing proxy application programming interface (“API”) that proactively evaluates any latency being introduced by the WAF cluster. The various embodiments might continuously invoke the proxy server or proxy API to evaluate client device latency (i.e. network parameter)); and generating the at least one network traffic rule based on events in the first group (Lewis, [0015] to be able to run multiple configurations simultaneously on the cluster, mini-clusters may be created inside one or more primary HA clusters. This allows multiple WAF rule sets to be run simultaneously. And [0043] updating one or more existing protection rules in at least one of the WAF containers 150 and/or in at least one of the HA WAF mini-clusters or the HA WAF cluster to address the one or more network attacks). 

Claims 9, 20 are rejected under 35 U.S.C. 103 as being unpatentable over Owens-Lewis combination as applied above, further in view of Karuppusamy et al (US20190349320A1, hereinafter, “Karuppusamy”), further in view of Sharifi Mehr (US10158658B1, hereinafter, “Sharifi Mehr”) and Xiang et al (US20210034754A1, hereinafter, “Xiang”).
Regarding claim 9, similarly claim 20, Owens-Lewis combination teaches:
The method of claim 1, the system of claim 17, further comprising: clustering the received requests based on a timeframe associated with the request to generate at least one cluster (Lewis, [0009] FIGS. 3A-3C are schematic diagrams illustrating different examples of configurations of a HA WAF Cluster that may be used for implementing HA WAF functionalities at different times of a day (i.e. clustering received requests with WAF clusters at different timeframes) or in response to different levels of requests for access to applications by users via user devices); 
While the combination of Owens-Lewis does not explicitly teach the following limitation, Karuppusamy, in a similar field of endeavor, teaches:
matching newly received requests to each of the least one generated cluster (Karuppusamy, discloses method for automatically response to user requests, [Abstract]. And [0041] Once a match has been found between the new request and one or more groups of previous requests, one or more automatic responses 420 mapped to the one or more groups of previous requests can be identified (e.g., based on response IDs) by the suggestion module 418 and provided to the user. In some instances, for example, the suggestion module 418 can rank any matches between the new request and multiple groups of previous requests (e.g., based on calculated cosine similarities for the groups)); 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Karuppusamy in the implementing web application firewall of Owens-Lewis by matching new request to a group of previous requests to identify automatic responses. This would have been obvious because the person having ordinary skill in the art would have been motivated to automatically map the new request to previous automatic response and provide automatic response to user in online messaging (Karuppusamy, [Abstract]).
The combination of Owens-Lewis-Karuppusamy does not explicitly teach the following limitation(s); however, Sharifi Mehr, in the same field of endeavor, teaches:
detecting an anomaly request based on the matching (Sharifi Mehr, discloses techniques for determining abnormalities in transmission of data, [Abstract]. And [Col. 15 lines 30-35] If the set of anomaly values 114 for the current request 102 does not match or falls outside of a threshold tolerance of any of the value sets 328 of the security profile data 204, this determination may indicate that one or more of the anomaly detection services 112 is affected by an abnormality); 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Sharifi Mehr in the implementing web application firewall of Owens-Lewis-Karuppusamy by determining network anomalies based on matching. This would have been obvious because the person having ordinary skill in the art would have been motivated to identify network anomalies based on anomaly values indicative of the likelihood that the request is anomalous (Sharifi Mehr, [Abstract]).
The combination of Owens-Lewis-Karuppusamy-Sharifi Mehr does not explicitly teach the following limitation(s); however, Xiang, in the same field of endeavor, teaches:
and generating at least one network traffic rule defining how to generate the anomalous request (Xiang, [0053] Additionally, while forwarding the real-time user request 410 to the target application, the computing device 420 may generate one or more malicious request 440 based on the real-time user request 410… Based on a vulnerability rule, the computing device 420 would be able to generate a malicious request associated with the vulnerability rule from a normal user request).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Xiang in the implementing web application firewall of Owens-Lewis-Karuppusamy-Sharifi Mehr by generating malicious request based on a vulnerability rule for security testing. This would have been obvious because the person having ordinary skill in the art would have been motivated to generate malicious request associated with vulnerability rule to improve the accuracy of security testing (Xiang, [Abstract], [0053]).

Claims 10, 21 are rejected under 35 U.S.C. 103 as being unpatentable over Owens-Lewis combination as applied above, further in view of Chang et al (CN107426028A, hereinafter, “Chang”). 
Regarding claim 10, similarly claim 21, Owens-Lewis combination teaches:
The method of claim 1, the system of claim 1,
The combination of Owens-Lewis does not explicitly teach the following limitation(s); however, Chang, in the same field of endeavor, teaches:
further comprising: generating the at least one network traffic rule in a notation complies with the second WAF (Chang, discloses design method of WAF engine, [Abstract]. And [0022] A WAF engine architecture and design method of the present invention, the lexical, grammatical, semantic engine and the rules engine are combined to flow through the mirror website for establishing model, rule generation and service are combined. the multi-subject to integration, so as to form a high-efficiency, with strong protective ability and can remedy the 0day, for complete WAF engine scheme).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Chang in the implementing web application firewall of Owens-Lewis by generating WAF rule for WAF scheme with rule generation engine. This would have been obvious because the person having ordinary skill in the art would have been motivated to WAF scheme with rule for improved protection capability (Chang, [Abstract]).
Citation of References
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following references are cited but have not been relied upon for this office action:
Cruz Farmer et al (US20200314066A1) discloses method for generating firewall rule to apply to requests directed to resource and received by edge server.
Phonsa et al (20160182454A1) discloses method to provide reconfigurable WAF functionality across distributed platform where server screens the inbound message for attacks using a first set of rules and policies defined as part of a production profile from a WAF instance defined by the specific customer while contemporaneously testing the inbound message against a second set of rules and policies defined as part of an audit profile from the same WAF instance.
Nadir (US20100199345A1) discloses techniques to provide a secure web application firewall ("WAF") service server to protect one or more web servers from malicious activity. 
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL M LEE whose telephone number is (571)272-1975.  The examiner can normally be reached on M-F: 8:30AM - 5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571) 272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MICHAEL M LEE/Examiner, Art Unit 2436