Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments

Applicant argues against the double patenting rejection in view of Application 16/636,280.  Applicant’s argument is not persuasive.   Applicant argues that there is a patentable distinction between “characteristic of a content of a web page for the web application” and “web application” as listed in the current application and “characteristics of the web application”.   Examiner notes that the term “characteristic” is broader than Applicant gives credit.  Examiner must read the claim limitations with a broad but reasonable interpretation.  Examiner asserts that a “characteristic” of a web application is itself the content input/output/produced/used by said web application.   Therefore claims of US 16/363,280 read on the claims of the instant application.
Examiner also asserts that it is an obvious variation.  Examiner also asserts that a web application by its nature utilizes web pages and content.  One of ordinary skill in the art at the time the invention was filed, in 2017, would understand that a cloud application by its nature utilizes web pages as a fundamental part of its application, and therefore also shares the same characteristics.
Applicant argues that there is no motivation to combine as stated in the previous office action.  Examiner respectfully disagrees.

Examiner has replaced Chao US 2018/0020024 with Lee US 2009/0282480, because Lee more specifically teaches “web application operating in training mode”.  Examiner notes that De Sousa Webber [0057] arguably teaches the same features.


Double Patenting
Claims 1-7 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-7 of copending Application No. 16/636,280 (reference application). Although the claims at issue are not identical, they are not patentably distinct from each other because The claims of US 16/636,280 are nearly identical to the present claims at issue.
This is a provisional nonstatutory double patenting rejection because the patentably indistinct claims have not in fact been patented.
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 2, 4-6, 7 is/are rejected under 35 U.S.C. 103 as being unpatentable over De Sousa Webber US 2017/0053025 in view of Hawkins II US 2015/0127595 in view of Lee US 2009/0282480.

As per claims 1, 7, De Sousa Webber teaches A computer implemented method to detect an anomalous change to a web application, the web application executing with a web server, the method comprising: receiving a first set of records for the web application operating in a training mode of operation, each record in the first set of records including characteristics of a content of a web page for the web application; generating a sparse distributed representation of the first set of records to form a training set for a hierarchical temporal memory (HTM); training the HTM based on the training set in order that the trained HTM provides a model of operation of the web application in the training mode of operation; receiving a second set of records for the web application, each record in the second set of records including characteristics of content of the web page; generating a sparse distributed representation of the second set of records to form an input set for the trained HTM; executing the trained HTM based on the input set to determine a degree of recognition of the records of the input set; and responsive to a determination that a degree of recognition of one or more records of the input set is below a threshold degree, identifying an anomalous change to the web page. 
[0054]-[0057][0204][0205][0214]-[0218] (teaches training based on a first set of records that generate a sparse distributed representation, and provides a model of operation for a web application, then comparing a second set of records based on said first mapping from trained data to determine a degrees of recognition, including detecting anomalies)
De Sousa Webber does not explicitly teach “HTM based training”.

Hawkins teaches that the training is HTM based training [0017][0048]
It would have been obvious to one of ordinary skill in the art to use the model of Hawkins with the training of Webber because it is a well known machine learning algorithm.Lee teaches teaches a training time period and an operational time period being distinct from a training time period, in which a web application is identified as being anomalous [0013][0016][0018][0020][0021](teaches learning behavior of a web application in a “training mode” which is free from attack before the web application is put into production, and where deviations from the training mode model are shown as security anomalies)
It would have been obvious to one of ordinary skill in the art to use the teaching of Lee with the previous combination because it more accurately trains the web application model for normal  behavior.
As per claim 2. De Sousa Webber teaches The method of claim 1, wherein, in response to the identification of the anomalous change to the web page, the method further comprises implementing a responsive measure to the anomalous change. [0057][0214][0215] (determines anomaly/malware and sends an alert)As per claim 4. De Sousa Webber teaches The method of claim 1, wherein, in the training mode of operation, the HTM evaluates an anomaly score for records in the first set of records and the HTM is trained until the anomaly score meets a predetermined threshold degree of anomaly. [0054][0055] [0218]  (training documents to threshold, detecting anomalies)

As per claim 5. De Sousa Webber teaches The method of claim 1, wherein the characteristics of the web page include records corresponding to hypertext markup language (HTML) tags in the web page. [0046][0050][0057]  (teaches web data and metadata tags, HTML is the well known web format)
As per claim 6. De Sousa Webber teaches A computer system comprising: a processor and memory storing computer program code for detecting an anomalous change to a web application, the web application executing with a web server, by: receiving a first set of records for the web application operating in a training mode of operation, each record in the first set of records including characteristics of a content of a web page for the web application; generating a sparse distributed representation of the first set of records to form a training set for a hierarchical temporal memory (HTM); training the HTM based on the training set in order that the trained HTM provides a model of operation of the web application in the training mode of operation; receiving a second set of records for the web application, each record in the second set of records including characteristics of content of the web page; generating a sparse distributed representation of the second set of records to form an input set for the trained HTM; executing the trained HTM based on the input set to determine a degree of recognition of the records of the input set; and responsive to a determination that a degree of recognition of one or more records of the input set is below a threshold degree, identifying an anomalous change to the web page. [0054]-[0057][0204][0205][0214]-[0218] (teaches training based on a first set of records that generate a sparse distributed representation, and provides a model of operation for a web application, then comparing a second set of records based on said first mapping from trained data to determine a degrees of recognition, including detecting anomalies)
De Sousa Webber does not explicitly teach “HTM based training”.

Hawkins teaches that the training is HTM based training [0017][0048]
It would have been obvious to one of ordinary skill in the art to use the model of Hawkins with the training of Webber because it is a well known machine learning algorithm.
Lee teaches teaches a training time period and an operational time period being distinct from a training time period, in which a web application is identified as being anomalous [0013][0016][0018][0020][0021](teaches learning behavior of a web application in a “training mode” which is free from attack before the web application is put into production, and where deviations from the training mode model are shown as security anomalies)
It would have been obvious to one of ordinary skill in the art to use the teaching of Lee with the previous combination because it more accurately trains the web application model for normal  behavior.


Claims 3, is/are rejected under 35 U.S.C. 103 as being unpatentable over De Sousa Webber US 2017/0053025 in view of Hawkins II US 2015/0127595 in view of in view of Lee US 2009/0282480 in view of Stickle US 11,050,768.

As per claim 3. Stickle teaches The method of claim 2 wherein the responsive measure includes one or more of: interrupting operation of the web application; identifying client components in communication with the web application as potentially compromised; executing at least one of an intrusion detection, malware detection, virus removal, or a malware removal process for the web application; or effecting at least one of a redeployment, a reinstallation, or a reconfiguration of the web application. (Column 2 lines 40-67, Column 3 lines 1-12, Column 6 lines 5-50) (teaches detecting intrusion/malware and redeploying software as a means for countering said malware)
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the remediation of Stickle with the previous art because it increases the security of the system


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER BROWN whose telephone number is (571)272-3833. The examiner can normally be reached M-F 8-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571) 270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/CHRISTOPHER J BROWN/Primary Examiner, Art Unit 2439