Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1 and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Egbert et al. – hereinafter Egbert (US 2019/0132355) in view of Kejriwal et al. – hereinafter Kejriwal (US 2011/0289582).

As per claim 1, Egbert discloses a method for testing a website anomaly, the method comprising:
retrieving website code of a website, the website code including a script; executing the website code with automation script, the automation script simulating a user interaction with the website;  ([0016]; In either case, a script emulation module 140 such as a script emulator as disclosed herein may emulate execution of the script data received from the extractor 72 and/or the extraction module 130. For example, all identified script segments, such as all JavaScript segments, may be stitched together into a single JavaScript component that is analyzed by the emulation module 140. The combined JavaScript or other script segment may be prepended with generic script code that mocks the Document Object Model (DOM) and common JavaScript functions.)
monitoring a dynamic behavior of the website including a functional user flow through the website based on a simulated user interaction; ([0018];  More generally, the protocol analyzer 105 may provide a serialized or otherwise processable version of scripts or similar material identified in network traffic being received by a system being monitored by the system disclosed herein; [0020]; the extracted script is executed by the script emulator 140, it may be determined that the script would have a particular known effect on the end user device if delivered to and executed on the device, such as redirecting the user's browser to a different website, causing the device to download malicious software (“malware”), connecting the end user device to a specific remote computer, or the like.)
generating a log of the dynamic behavior; ([0028] Data obtained by the data interception module 170 and state tracking module 175 may be provided to a feature collection module 177. This module may analyze the received data to identify known features or types of features for further processing by the analyzer 180 as previously disclosed)
Egbert fails to disclose applying a set of rules to: evaluate the website code including the script, evaluate source and destination information in the log of the dynamic behavior; and evaluate website behavior in the log of the dynamic behavior; and determining presence of a potential malicious script based on the evaluation.
Kejriwal discloses applying a set of rules to: evaluate the website code including the script, ([0111]; determining from the patterns observed by recording the execution of scripts one or more of the following behaviors which suggest malicious behavior: dynamically changing the location URI of the resource (the web page) to force a reload of the browser 461; determining that a target (destination) for receiving a cookie is not the domain name of the website (who owns the cookie) 462; determining that a target is a host on a list of malicious hosts 463)
evaluate source and destination information in the log of the dynamic behavior; and evaluate website behavior in the log of the dynamic behavior ([0110]; receiving files from websites and recording the origin website in the form or an Internet Protocol (IP) address or a fully qualified domain name (FQDN), [0111];  recording the operation of selected library elements by recording which flares are fired and recording a log of the outputs of the browser during execution of the script text embedded in the html file 460. Referring now to FIG. 3, the method further comprises inter alia, determining from the patterns observed by recording the execution of scripts one or more of the following behaviors which suggest malicious behavior: dynamically changing the location URI of the resource (the web page) to force a reload of the browser 461; determining that a target (destination) for receiving a cookie is not the domain name of the website (who owns the cookie) 462; determining that a target is a host on a list of malicious hosts 463)
determining presence of a potential malicious script based on the evaluation. ([0113]; inferring malware such as certain keywords as arguments to the document write function 473; inferring malware such as malicious content such as flash in pdf files 474; inferring phishing attacks such as cookie theft via addition operation tracing 475; inferring phishing attacks such as transferring a cookie via an html tag 476; inferring memory manipulation such as by unusual use of createElement function 477; inferring memory manipulation such by an attack described as HeapSpray 478; and any equivalent operation which can be inferred to cause redirection of the browser away from the original website 479.)
It would have been obvious before the effective filing date of the invention for the teachings of Egbert to implement the heuristics to evaluate the origin and destination information with the patterns or behaviors of the script to detect whether the script is malicious as taught by Kejriwal. This would have been beneficial in order to detect and prevent browser based malicious javascript contents and identify websites that attempt to download malicious javascripts. (Kejriwal, [0003])

As per claim 17, Egbert / Kejriwal disclose the method of claim 1.  Kejriwal discloses wherein executing the website code comprises: hooking a plurality of attributes in runtime of the website. ([0129];  enhanced browser environment 930 with instrumented functions which have a channel for hooks or introspects to monitor, analyze, and report javascript actions 950 in addition to performing the operations invoked by the attributes of the appropriate javascript element.)

As per claim 18, Egbert / Kejriwal disclose the method of claim 17, wherein the plurality of attributes include one or more of IP addresses being redirected, ports accessed, ongoing requests, incoming responses, data packets being transmitted, timing of the transmission, URLs of various resources to/from which requests/responses/data are transmitted, cookies, and downloads, other events occurring as a result of executing the website, function calls, messages, and network traffic. ([0113]; inferring malware such as certain keywords as arguments to the document write function 473; inferring malware such as malicious content such as flash in pdf files 474; inferring phishing attacks such as cookie theft via addition operation tracing 475; inferring phishing attacks such as transferring a cookie via an html tag 476; inferring memory manipulation such as by unusual use of createElement function 477; inferring memory manipulation such by an attack described as HeapSpray 478; and any equivalent operation which can be inferred to cause redirection of the browser away from the original website 479.)


As per claim 19, please see the discussion under claim 1 as similar logic applies.

As per claim 20, Egbert discloses a non-transitory computer-readable medium having stored therein a program for causing
a computer to execute a process of testing a website security anomaly, ([0010]; provide for real-time or near real-time detection of malicious logic at the network-level.)
executing the website code with automation script; ([0016]; In either case, a script emulation module 140 such as a script emulator as disclosed herein may emulate execution of the script data received from the extractor 72 and/or the extraction module 130. For example, all identified script segments, such as all JavaScript segments, may be stitched together into a single JavaScript component that is analyzed by the emulation module 140. The combined JavaScript or other script segment may be prepended with generic script code that mocks the Document Object Model (DOM) and common JavaScript functions.)
generating simulated user inputs based on the automation script; ([0020]; the extracted script is executed by the script emulator 140, it may be determined that the script would have a particular known effect on the end user device if delivered to and executed on the device, such as redirecting the user's browser to a different website, causing the device to download malicious software (“malware”), connecting the end user device to a specific remote computer, or the like.)
monitoring a dynamic behavior of the website interacting with the simulated user inputs; ([0018];  More generally, the protocol analyzer 105 may provide a serialized or otherwise processable version of scripts or similar material identified in network traffic being received by a system being monitored by the system disclosed herein; [0020]; the extracted script is executed by the script emulator 140, it may be determined that the script would have a particular known effect on the end user device if delivered to and executed on the device, such as redirecting the user's browser to a different website, causing the device to download malicious software (“malware”), connecting the end user device to a specific remote computer, or the like.)
generating a log of the dynamic behavior; ([0028] Data obtained by the data interception module 170 and state tracking module 175 may be provided to a feature collection module 177. This module may analyze the received data to identify known features or types of features for further processing by the analyzer 180 as previously disclosed)
Egbert fails to disclose the process comprising: receiving a user input of a URL of a website; transmitting the URL to a web server to retrieve website code of the website; receiving website code of the website from the web server, the website code including a third party script; receiving the third party script from a third party script server different from the web server; applying a set of rules to: evaluate the website code including the script, evaluate source and destination information in the log of the dynamic behavior, and evaluate website behavior in the log of the dynamic behavior; and determining presence of a potential malicious script based on the evaluation.
Kejriwal discloses receiving a user input of a URL of a website; transmitting the URL to a web server to retrieve website code of the website; receiving website code of the website from the web server, ([0129] Referring to FIG. 9, an exemplary embodiment system 900 is disclosed which has a network attached processor 910 intercepting and filtering a request for a Uniform Resource Identifier to at least one of a plurality of websites 991-999 and the response to the request. The network attached processor is coupled to an enhanced browser environment 930 to which it provides a file such as an html file containing text extracted from the response received from a website 991)
the website code including a third party script ([0129]; The enhanced browser environment requests and receives other objects from the same or other websites according to the control of the initial javascript and other javascript that is requested by a predecessor javascript.)
receiving the third party script from a third party script server different from the web server; ([0129]; The enhanced browser environment requests and receives other objects from the same or other websites according to the control of the initial javascript and other javascript that is requested by a predecessor javascript.)
applying a set of rules to: evaluate the website code including the script; ([0111]; determining from the patterns observed by recording the execution of scripts one or more of the following behaviors which suggest malicious behavior: dynamically changing the location URI of the resource (the web page) to force a reload of the browser 461; determining that a target (destination) for receiving a cookie is not the domain name of the website (who owns the cookie) 462; determining that a target is a host on a list of malicious hosts 463)
evaluate source and destination information in the log of the dynamic behavior; and evaluate website behavior in the log of the dynamic behavior ([0110]; receiving files from websites and recording the origin website in the form or an Internet Protocol (IP) address or a fully qualified domain name (FQDN), [0111]; recording the operation of selected library elements by recording which flares are fired and recording a log of the outputs of the browser during execution of the script text embedded in the html file 460. Referring now to FIG. 3, the method further comprises inter alia, determining from the patterns observed by recording the execution of scripts one or more of the following behaviors which suggest malicious behavior: dynamically changing the location URI of the resource (the web page) to force a reload of the browser 461; determining that a target (destination) for receiving a cookie is not the domain name of the website (who owns the cookie) 462; determining that a target is a host on a list of malicious hosts 463)
determining presence of a potential malicious script based on the evaluation ([0113]; inferring malware such as certain keywords as arguments to the document write function 473; inferring malware such as malicious content such as flash in pdf files 474; inferring phishing attacks such as cookie theft via addition operation tracing 475; inferring phishing attacks such as transferring a cookie via an html tag 476; inferring memory manipulation such as by unusual use of createElement function 477; inferring memory manipulation such by an attack described as HeapSpray 478; and any equivalent operation which can be inferred to cause redirection of the browser away from the original website 479.)
It would have been obvious before the effective filing date of the invention for the teachings of Egbert to receive user input and website code and a third party script in response to the input, and for the heuristics to evaluate the origin and destination information with the patterns or behaviors of the script to detect whether the script is malicious as taught by Kejriwal.  This would have been beneficial in order to detect and prevent browser based malicious javascript contents and identify websites that attempt to download malicious javascripts.  (Kejriwal, [0003])

Claims 3 and 10 are rejected under 35 U.S.C. 103 as being unpatentable over Egbert (US 2019/0132355) / Kejriwal (US 2011/0289582) further in view of Sawhney et al. – hereinafter Sawhney (US 11,314,862) / Sallam (US 2011/0185428).

As per claim 3, Egbert / Kejriwal disclose the method of claim 1.  The combination of teachings of Egbert / Kejriwal fail to disclose wherein evaluating source and destination information comprises: applying a known bad actors rule against the log of the dynamic behavior; and applying an unknown actors rule against the log of the dynamic behavior.
Sallam discloses wherein evaluating source and destination information comprises: applying a known bad actors rule against the log of the dynamic behavior. ([0016]; Behavioral analysis rules database 106 may be a module on electronic device 102. Behavioral analysis rules database 106 and monitor 105 may be functionally coupled. Behavioral analysis rules database 106 may be configured to provide rules to monitor 105 for monitoring the running of an application, given suitable parameters, [0023]; whether the domain's content is malware-free; whether the site host of the domain is deviating from known historical behavior; or whether the domain appears on a blacklist (indicating malicious sites) or a whitelist (indicating safe sites). The entries in reputation score field 202 may change as new information is used to populate domain content classification database 113. In one embodiment, the value of reputation score field 202 may range from 0 to 100, wherein 0 indicates the least degree of trustworthiness, and 100 indicates the greatest degree of trustworthiness of the domain.) 
It would have been obvious before the effective filing date of the invention for the teachings of Egbert / Kejriwal to be modified so that the heuristics take into account the bad actor rules and comparing to a known blacklist or whitelist as taught by Sallam. This would have been beneficial to protect the users from accessing malicious websites.
The combination of teachings of Egbert / Kejriwal / Sallam fail to disclose applying an unknown actors rule against the log of the dynamic behavior.
Sawhney discloses applying an unknown actors rule against the log of the dynamic behavior (abstract, method for modeling the structure of embedded unclassified scripts to compare the abstract dynamism of similar scripts. The method may determine structure of unclassified end user browser script by building abstract structure using code from unclassified end user browser script; compare determined structure of unclassified end user browser script with a plurality of generalized abstract structures; if the determined structure of unclassified end user browser script matches within a predetermined threshold of any of the plurality of generalized abstract structures, then the unclassified end user browser script is classified as benign, otherwise the determined structure is classified as malicious. This, in turn, provides a scalable and efficient way of identifying benign, malicious, known and unknown scripts from a script available in full or in part.)
It would have been obvious before the effective filing date of the invention for the combined teachings of Egbert / Kejriwal / Sallam to be modified so that the heuristics implement a bad actor and an unknown actor rule to detect the malicious scripts as taught by Sawhney. This would have been advantageous to reduce false positives and improve accuracy when performing detection of malware. (Sawhney, Col 2 lines 18-27)

As per claim 10, Egbert / Kejriwal / Sallam / Sawhney disclose the method of claim 3. Sallam discloses wherein applying a known bad actors rule against the log of the dynamic behavior comprises: accessing a list of known bad actors; accessing the log of the dynamic behavior; searching for one or more known bad actors in the log; ([0016]; Behavioral analysis rules database 106 may be a module on electronic device 102. Behavioral analysis rules database 106 and monitor 105 may be functionally coupled. Behavioral analysis rules database 106 may be configured to provide rules to monitor 105 for monitoring the running of an application, given suitable parameters, [0023]; whether the domain's content is malware-free; whether the site host of the domain is deviating from known historical behavior; or whether the domain appears on a blacklist (indicating malicious sites) or a whitelist (indicating safe sites). The entries in reputation score field 202 may change as new information is used to populate domain content classification database 113. In one embodiment, the value of reputation score field 202 may range from 0 to 100, wherein 0 indicates the least degree of trustworthiness, and 100 indicates the greatest degree of trustworthiness of the domain)
and upon determining that at least one known bad actor is present in the log, returning an alert of presence of a potential malicious script in the website ([0023]; whether the domain's content is malware-free; whether the site host of the domain is deviating from known historical behavior; or whether the domain appears on a blacklist (indicating malicious sites) or a whitelist (indicating safe sites); [0052] In one embodiment, monitor 105 may notify users of application 101 that the site contains dangerous malware, and allow the user to continue or abandon the operation. For example, a user of application 101 may access a site such as "malware_infested.com" 528 known to host malware for phishing attacks, which would cause behavioral analysis database to yield rule 562, which would alert a user.)

Allowable Subject Matter
Claims 2, 4-9 and 11-16 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892 form.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Chirag R Patel whose telephone number is (571)272-7966. The examiner can normally be reached on Monday to Friday from 8:00AM to 4:30PM. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Glenton Burgess, can be reached on 571-272-3949. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pairdirect.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll free).

/Chirag R Patel/
Primary Examiner, Art Unit 2454