DETAILED ACTION
Claims 1-8 are presented for examination.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Specification
The specification is objected to because it uses the term “regex” without defining it.
Claim Objections
Claims 1-8 are objected to because they recite the term “regex” which appears to be a shorthand or acronym for regular expression without indicating what it stands for. The claims must spell out what acronyms or shorthand stand for upon their first occurrence.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


Claims 1, 4 and 7 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention. 
Claim 1 contains a grammatical error which renders the scope of the claim unclear. The claim recites in the last limitation “wherein the valid regex sanitizer and the valid validator is used for checking the tainted input in the user's input”. The verb in this sentence is singular whereas the subject is plural. It is unclear how the verb, or subjects should be corrected. For the purpose of examination, this limitation has been interpreted as reciting “wherein the at least one of the valid regex sanitizer and the valid validator is used for checking the tainted input in the user's input”.
Claim 4 recites “the method as claimed in claims 5”, however claim 5 is a system claim. In addition, claim 5 is subsequent to claim 4 and a claim should depend on a prior claim not on a subsequent claim. For the purpose of examination, claim 4 is being interpreted as reciting “the method as claimed in claim 1”. 
Claim 7 depends on itself which is indefinite. For the purpose of examination claim 7 is being interpreted as being dependent on claim 5.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-2, 4, 5-6 and 8 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. 11,397,813. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims in the issued patent anticipate the claims in the current application.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-8 are rejected under 35 U.S.C. 103 as being unpatentable over Berg et al (US Pub.No.2012/0131668) in view of Ghose (US Pub.No.2014/0325239).

Re Claim 1. Berg method of verifying at least one of a regex sanitizer and a validator in an application testing process (i.e. Exemplary embodiments of the invention can then verify those sanitizers (and/or validators) by performing string analysis on them and comparing the results of the analysis with the white-list policy mentioned above. It can then be reported whether the specified sanitizers (and/or validators) are valid or invalid.) [Berg, para.0020], the method comprising: processing, through a processor, the at least one of the regex sanitizer and the validator configured for checking a tainted input in a user's input (i.e. FIG. 1 shows an example of a flow representation 100 of a portion of a program to be analyzed for policy-driven detection and verification of methods such as sanitizers and validators. The flow representation 100 is, e.g., a control flow graph, call graph, or any other representation useful for tracking paths through a software program……………………Depending on the outcome of the comparison between the grammar and the policy, different reporting operations may be performed. For instance, if the comparison establishes that the computed string values are safe to use in that particular security-sensitive operation, then the Web application is declared safe with respect to the security vulnerability to which that security-sensitive operation could expose the Web application (for example, SQLi or XSS). Otherwise, a potential security problem is reported) [Berg, para.0021-0027]; verifying, through the processor, the at least one of the regex sanitizer and validator (i.e. FIG. 2, a flowchart is shown of an exemplary method 200 for policy-driven detection and verification of methods such as sanitizers and validators.) [Berg, para.0028]  checking for the tainted input through the at least one of the regex sanitizer and the validator (i.e. Typically, to categorize a sanitizer to identify which vulnerabilities it prevents, and to verify is correctness) [Berg, para.0014], 
	Berg does not explicitly teach that the verifying is before the checking, however it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify Berg to verify “before” checking because testing a module before using it yields the expected result of identifying bugs and correcting them before using the module.
 	Berg further discloses: wherein the verifying comprises: applying, the at least one of the regex sanitizer and the validator over multiple predefined tainted strings associated with a previously checked input received from the user (i.e. For string variables 120 in the program that begin at sources 110 (e.g., string variables 120-1 and 120-3), the grammar (e.g., grammar 125-1 and 125-3) is computed of all possible string values for each of the string variables 120 (block 2C). In block 2D, for methods in the program operating on any of the string variables, grammar of string variables 120 returned by the methods 130 is computed………………………….) [Berg, para.0029-0031, Fig.1-2] ; checking, if an output obtained after applying the at least one of the regex sanitizer and the validator is one of a tainted output or a non-tainted output; qualifying, the at least one of the regex sanitizer and the validator to be at least one of a valid regex sanitizer and a valid validator based on the checking (i.e. both blocks 2M and 2I may also include reporting on user constructs. In FIG. 1, the user-defined sanitizer, method 130-2, is a user construct. If a user defines the construct (e.g., a portion of code such as a method of an object) as being a sanitizer (or validator), the user-defined construct will be reported on in blocks 2M and 2I. Once path 1 reaches the sink 140-1, it can be determined if the grammar 125-7 of the string variable 120 meets requirements of the policy corresponding to the security-sensitive operation performed by the sink 140-1. If so, the user-defined sanitizer is declared to be a valid sanitizer and a report of such can be made (block 2M). If not, the user-defined sanitizer is declared not to be a valid sanitizer and a report of such can be made (block 2I)) [Berg, para.0032]; and tagging each of the valid regex sanitizer and the valid validator with a validation  (i.e. One user-defined construct is user-defined sanitizer, method 130-2 shown in FIG. 1. The security-sensitive operation 420-1 is, e.g., an SQL instruction creation and submittal to an SQL database. Such an instruction could be created from a username and password entry. A vulnerability corresponding to this operation 420-1 is an SQL injection (SQLi). The construct information 410-1 specifies that the user-defined sanitizer, method 130-2 is a construct. The user-defined sanitizer, method 130-2 returns the output string variable 120-7, from which the grammar 125-7 is determined. The grammar 127-7 is compared with the policy 430-1 of (.SIGMA.-{;,'})*, and if the grammar 127-7 meets the policy 430-1, the user-defined construct of the user-defined sanitizer, method 130-2 is determined to meet the policy 430-1. This fact may be reported. If the grammar 127-7 does not meet the policy 430-1, the user-defined construct of the user-defined sanitizer, method 130-2 is determined not to meet the policy 430-1 and this fact is typically reported……….. Section 510 reports potential security problems in particular methods (sanitizers or validators), and section 515 reports methods (sanitizers or validators) that are declared safe in that the sink 140 and its associated security-sensitive operation(s) 420 have string variable 120 input(s) where the grammar 125 of the string variable(s) 120 meet the corresponding policy (policies) 430) [Berg, para.0040-0042, Fig. 5] wherein the valid regex sanitizer and the valid validator is used for checking the tainted input in the user's input (i.e. it is necessary for the Web application to perform sanitization operations on the user input before using the input in security-sensitive operations. For example, to prevent SQLi attacks, before using any user-generated input to form a SQL query, a Web application should parse that input and ascertain that that input does not embed SQL commands. Similarly, to prevent XSS attacks, before displaying any user-generated input to a Web browser, a Web application should ascertain that that input does not embed any JavaScript command. This sort of verification is performed through methods that are called sanitizers) [Berg, para.0013].
 	Berg does not explicitly disclose that the tagged validation is a validation signature however Ghose does:, (i.e. receiving a reference signature corresponding to a hash of a verified corresponding sequence of instructions) [Ghose, para.0079].
 	It would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify Berg with Ghose because Ghose’s method provides for Detection of malicious attempts to modify code. [0072] 2. Ensure that only certified code can run and provides detection at run-time tampering of such code. [0073] 3. Permit trustworthy code to be distributed and used. [0074] 4. Detect instruction corruption due to faults--permanent or transient. [0075] 5. Execute instructions with results dependent on a signature verification [Ghose, para.0071-0075].

Re Claim 2. Berg in view of Ghose discloses the method as claimed in claim 1, Berg further discloses: wherein the at least one of the regex sanitizer and validator comprises one of a verified sanitizer and validator or a non-verified sanitizer and validator (i.e. Section 510 reports potential security problems in particular methods (sanitizers or validators), and section 515 reports methods (sanitizers or validators) that are declared safe in that the sink 140 and its associated security-sensitive operation(s) 420 have string variable 120 input(s) where the grammar 125 of the string variable(s) 120 meet the corresponding policy (policies) 430) [Berg, para.0042, Fig. 5].

Re Claim 3. Berg in view of Ghose discloses the method as claimed in claim 1, Berg in view of Ghose further discloses: comprising: storing, each of the valid regex sanitizer and validator along with the valid signature as a previously verified valid regex sanitizer and validator (i.e. A table may be provided in which a plurality of reference signatures are stored in encrypted form. The table may have an entry for every flow control instruction in a program module that can change the flow of control. The entry for each flow control instruction in the table may store one reference signature for each path that leads into the sequence of instructions which that instruction terminates ) [Ghose, para.0094]; tracking, if at least one of a new regex sanitizer and validator to be verified is associated with a signature; mapping, the signature of the at least one of the valid regex sanitizer and validator (i.e. When the flow control instruction at the end of a sequence of instructions is to be committed, an entry in a table for the respective sequence of instructions is looked up using an address of the flow control instruction that terminates the sequence. The method may thus further comprise looking up an entry in a table for the respective sequence of instructions using an address of the flow control instruction that terminates the sequence, when the flow control instruction at the end of a sequence of instructions is committed) [Ghose, para.0096]; and verifying, the at least one of the new regex sanitizer and validator as the valid regex sanitizer and validator based on the mapping (i.e. the signal may be selectively generated if and only if exactly one of these addresses stored in the table matches the value stored in the register, and the verification logic compares a generated hash with a corresponding entry in the table. The signal may be selectively suppressed except when a single value in the table matches the value stored in the register. The hash generator may generate a hash as, for example: a function of a set of complete bit patterns that represent individual instructions, as a function of a subset of each of a set of complete bit patterns representing individual instructions; or as a function of all or a portion of a set of bit patterns representing individual instructions and respective addresses of the individual instructions) [Ghose, para.0097-0098], [Berg, as in claim 1, discloses regex sanitizer and validator].
	The same motivation to modify Berg with Ghose, as in claim 1, applies.

Re Claim 4. Berg in view of Ghose discloses the method as claimed in claim 1, Berg in view of Ghose further discloses: wherein the signature is defined according to a code path followed by the regex sanitizer and validator (i.e.   a signature defined by a state of a processor as a result of the execution of instructions in a processor is verified within the processor) [Ghose, para.0090], [Berg, as in claim 1, discloses regex sanitizer and validator].
And Berg in view of Ghose’s signature further discloses: signature defined according to each of the regex sanitizer and validator, a regex of the regex sanitizer and validator, and the vulnerability type being sanitized. (i.e. FIG. 4 shows an exemplary policy mapping 355, coupled with user-defined sanitizer/validator information 370. These may be stored separately or, as shown in FIG. 4, together. The policy mapping 355 includes in this example security sensitive operations 420-1 through 420-z. Each security-sensitive operation 420 has a corresponding policy 430-1 through 430-z. In this example, each of the security-sensitive operations 420 is to be operated on by a user-defined construct (e.g., a user-defined sanitizer or validator), which is specified by the user using construct information 410-1 through 410-z……………..The security-sensitive operation 420-1 is, e.g., an SQL instruction creation and submittal to an SQL database. Such an instruction could be created from a username and password entry. A vulnerability corresponding to this operation 420-1 is an SQL injection (SQLi). The construct information 410-1 specifies that the user-defined sanitizer, method 130-2 is a construct. The user-defined sanitizer, method 130-2 returns the output string variable 120-7, from which the grammar 125-7 is determined. The grammar 127-7 is compared with the policy 430-1 of (.SIGMA.-{;,'})*,………………………………… multiple security-sensitive operations 420 (each corresponding to a different vulnerability),) [Berg, para.0039-0041, Fig. 4, Note: the security-sensitive operations disclose a type of vulnerability].
 	The same motivation to modify Berg with Ghose, as in claim 1, applies.

Re Claim 5. This claim recites features similar to those recited in claim 1, therefore it is rejected in a similar manner as claim 1 for teaching: a system of verifying regex sanitizer and validator in an application testing process, the system comprising: a processor; and a memory configured to the processor, wherein the memory stores a set of instructions to be executed by the processor, and wherein the processor is configured to: process, at least one of a regex sanitizer and validator configured for checking a tainted input in a user's input; verify, the at least one of the regex sanitizer and validator before checking for the tainted input through the regex sanitizer and validator, wherein the verifying comprises: apply, the at least one of the regex sanitizer and validator over multiple predefined tainted strings associated with a previously checked input received from the user; check, if an output obtained after applying the at least one of the regex sanitizer and validator is one of a tainted output or a non-tainted output; qualify, the at least one of the regex sanitizer and validator to be a valid regex sanitizer and validator based on the checking; and tag, each of the valid regex sanitizer and validator with a validation signature, wherein the at least one of the valid regex sanitizer and validator is used for checking the tainted input in the user's input.

Re Claim 6. This claim recites features similar to those recited in claim 2, therefore it is rejected in a similar manner as claim 1 for teaching: wherein the at least one of the regex sanitizer and validator comprises one of a verified sanitizer and validators or a non-verified sanitizer and validator.

Re Claim 7. This claim recites features similar to those recited in claim 3, therefore it is rejected in a similar manner as claim 1 for teaching: wherein the processor is further configured to: store, each of the valid regex sanitizer and validator along with the valid signature as a previously verified valid regex sanitizer and validator. track, if at least one of a new regex sanitizer and validator to be verified is associated with a signature; map, the signature of the at least of the valid regex sanitizer and validator; and verify, the at least one of the new regex sanitizer and validator as the valid regex sanitizer and validator based on the mapping.

Re Claim 8. This claim recites features similar to those recited in claim 4, therefore it is rejected in a similar manner as claim 1 for teaching: wherein the signature is defined according to each of the regex sanitizer and validator, a regex of the regex sanitizer and validator, a code path followed by the at least one of the regex sanitizer and validator and the vulnerability type being sanitized.


Prior art references made of record, however not relied upon, include:

Molnar et al (US Pub.No.2012/0167209) describes an automatic context-sensitive sanitization technique detects errors due to the mismatch of a sanitizer sequence with a browser parsing context. A pre-deployment analyzer automatically detects violating paths that contain a sanitizer sequence that is inconsistent with a browsing context associated with outputting an untrusted input. The pre-deployment analyzer determines a correct sanitizer sequence which is stored in a sanitization cache. During the runtime execution of the web application, a path detector tracks execution of the web application in relation to the violating paths. The correct sanitizer sequence can be applied when the runtime execution follows a violating path
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to NOURA ZOUBAIR whose telephone number is (571)270-7285. The examiner can normally be reached Monday - Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on 571-272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/NOURA ZOUBAIR/Primary Examiner, Art Unit 2434