DETAILED ACTION

Notice of AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

The present office action is responsive to communications received on 7/31/2020. Claims 1-20 are pending.

Examiner's Notes
Claim 11 recites “A system comprising: a device arranged intermediate a client and a server, the device configured to:…” is directed to one of the four statutory categories because specification [0045] discloses ‘The device 202 can be implemented using hardware or a combination of software and hardware. For example, each component of the device 202 can include logical circuitry (e.g., a central processing unit or CPU) that responses to and processes instructions fetched from a memory unit (e.g., memory 212).’ See FIG. 2.

Claim Objections
Claims 1, 3, 5-6, 11, 13, 15-16 and 19-20 are objected to because of the following informalities: 
Claim 1 recites “transmitting, by the device, one or more data packets to the client, the one or more data packets including a response to the request from the server …”, which should be “the first request” to avoid insufficient antecedent basis for this limitation in the claim. Similar objection applies to claims 11 and 19.
Claim 1 recites “determining, by the device, using the one or more attributes, whether the client is associated with an autonomous program; and blocking, by the device, responsive to determining that the client is associated with an autonomous program, one or more subsequent requests from the client to the server.”. The second “an autonomous program” should be “the autonomous program”. Similar objection applies to claims 3, 5, 11, 13, 15 and 19-20.
Claims 6 and 16 recite “prior to transmitting the one or more subsequent request to the server via the session”, which should be “the one or more subsequent requests” to avoid insufficient antecedent basis for this limitation in the claim.
Appropriate correction is required.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

Claims 1-3, 11-13 and 19-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Bhogavilli (US 20170034209 A1).

Regarding claim 1, Bhogavilli teaches a method comprising:
receiving, by a device intermediary to a client and a server, from the client, a first request for the server; ([0036] In step 310, a proxy server in the set of proxy servers intercepts at least one HTTP request from a client or an agent of the client, such as a browser or an application running on the client. The intercepted HTTP request may be directed to one or more application servers in the set of application servers via, for example, a destination IP address, a port number, a URI, and/or other identifiers associated with the one or more application servers.)
transmitting, by the device, one or more data packets to the client, the one or more data packets including a response to the request from the server and an attribute collector script configured to execute on the client to automatically transmit, to the device, one or more attributes corresponding to at least one of the client or a browser of the client; ([0040] In step 350, the proxy server may provide a response to the intercepted HTTP request and embed one or more customized client-side scripts in the response. The client-side scripts may include one or more strings of random bytes necessary for the client to generate a follow-through random URI redirection request expected by the proxy server. The proxy server may associate the strings of random bytes with the intercepted HTTP request and/or the client…The client-side scripts, upon execution, challenge the client by demanding user interaction within a specified period of time.) Here Bhogavilli in ¶40 provides details on “an attribute collector script”. In addition, Bhogavilli discloses “data packets including a response to the request from the server” by reciting “the same physical servers may perform the roles of both monitoring servers 145 and proxy servers 245. Proxy servers 245 may also be within the network path between clients (e.g., legitimate clients 210 and malicious clients 220) and application servers 135 or may be outside of the path. Proxy servers 245 may operate as reverse proxy servers and may be transparent to the clients” (¶30). By definition a reverse proxy is a server that sits in front of one or more web servers, intercepting requests from clients. With a reverse proxy, when clients send requests to the origin server of a website, those requests are intercepted at the network edge by the reverse proxy server. The reverse proxy server will then send requests to and receive responses from the origin server.
receiving, by the device, from the client, a second request including one or more attributes collected using the attribute collector script; ([0040] The client-side scripts, upon execution, challenge the client by demanding user interaction within a specified period of time. For example, the client-side scripts, upon execution by the client, may present a popup box to the client demanding user interaction—e.g., requiring a user to click an OK button. Only after the demanded interaction is performed within the specified period of time would the client-side scripts generate the follow-through random URI redirection request expected by the proxy server.)
determining, by the device, using the one or more attributes, whether the client is associated with an autonomous program; and ([0041, 0042] Next, in step 360, the proxy server determines whether or not the client is following through with the demanded user interaction and/or providing the correct value for the challenge cookie previously set on the client. In step 360, if the proxy server determines that the client has not yet followed through with the demanded user interaction, method 300 may proceed to step 370, during which the proxy server determines whether or not the demanded user interaction has timed out, i.e., whether or not the specified time has passed.)
blocking, by the device, responsive to determining that the client is associated with an autonomous program, one or more subsequent requests from the client to the server. ([0042] if in step 360 the proxy server determines that the demanded user interaction has timed out and/or the client has failed to provide the correct value for the challenge cookie previously set on the client, then method 300 proceeds to step 380, in which the proxy server may determine that the client is suspect or malicious [analogous to claim limitation “autonomous”] and blacklist the client for a configurable duration, during which the proxy server blocks or rate-limits any subsequent HTTP requests from the client.)

Regarding claim 2, Bhogavilli teaches all the features with respect to claim 1, as outlined above. Bhogavilli further teaches wherein transmitting the one or more data packets including the attribute collector script is performed responsive to the first request not including a cookie from the client. ([0037-0039] In step 330, the proxy server may determine whether or not the client has been whitelisted or blacklisted. The proxy server may look up the client's network address (e.g., an IP address), a unique identifier associated with the client, or the like, in a whitelist and/or a blacklist. Alternatively or in addition, the proxy server may attempt to read a status cookie previously set on the client that indicates whether the client is whitelisted or blacklisted. if the proxy server determines that the client is whitelisted, then in step 335 the proxy server may, for a configurable duration, forward the intercepted HTTP request and any additional HTTP requests from the client to the set of application servers without requiring client-side active validation; and if the proxy server determines that the client is blacklisted, then in step 335 the proxy server may, for a configurable duration, block or rate-limit the intercepted request and any additional HTTP requests from the client. However, if in step 330 the proxy server determines that the client is neither whitelisted nor blacklisted, then method 300 proceeds to step 340… proceeds to step 350 “provide a random URI redirect via client-side script”.)

Regarding claim 3, Bhogavilli teaches all the features with respect to claim 1, as outlined above. Bhogavilli further teaches transmitting, by the device, responsive to determining that the client is not associated with an autonomous program, the one or more subsequent requests to the server. ([0041] in step 360, the proxy server determines whether or not the client is following through with the demanded user interaction and/or providing the correct value for the challenge cookie previously set on the client. If the client provides the demanded user interaction within the specified time, for example, by sending a follow-through random URI redirection request that targets the randomized URI associated with the intercepted HTTP request or the client and/or includes the correct value stored in the challenge cookie, then in step 365 the proxy server may determine that the client is non-suspect or legitimate and provide the client with an original URI HTTP redirect, which causes the client to make another HTTP request to the application servers sought by the client via the intercepted HTTP request. In step 365, the proxy server may also whitelist the client for a configurable duration, during which the proxy server forwards any subsequent HTTP requests from the client to the application servers without requiring additional client-side active validation.)

Regarding claims 11-13 and 19-20, the scope of the claims are similar to that of claims 1-3, respectively. Accordingly, the claims are rejected using a similar rationale.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 4-10 and 14-18 are rejected under 35 U.S.C. 103 as being unpatentable over Bhogavilli (US 20170034209 A1) in view of Holloway (US 20140047542 A1).

Regarding claim 4, Bhogavilli teaches all the features with respect to claim 1, as outlined above. Bhogavilli further teaches generating, by the device, the one or more data packets using the response to the first request by inserting the attribute collector script into the one or more data packets. ([0040] In step 350, the proxy server may provide a response to the intercepted HTTP request and embed one or more customized client-side scripts in the response. [0030] the same physical servers may perform the roles of both monitoring servers 145 and proxy servers 245. Proxy servers 245 may also be within the network path between clients (e.g., legitimate clients 210 and malicious clients 220) and application servers 135 or may be outside of the path. Proxy servers 245 may operate as reverse proxy servers and may be transparent to the clients.) But Bhogavilli does not teach transmitting, by the device, the first request received from the client to the server; receiving, by the device, from the server, the response to the first request; and generating, by the device, the one or more data packets using the response to the first request by inserting the response into the one or more data packets. This aspect of the claim is identified as a difference.
However, Holloway in an analogous art explicitly teaches 
transmitting, by the device, the first request received from the client to the server; ([0021] The cloud-based proxy service illustrated in FIG. 1 includes a set of proxy server(s) 120 that are situated between the client computing devices 110A-I and the origin servers 130A-N. In one embodiment, the proxy server(s) 120 are reverse proxy servers. ([0025-0026] FIG. 1, the incoming traffic 154 is received at one of the proxy server(s) 120. The proxy server(s) 120 analyze the incoming traffic 154. The proxy server 120 may transit the outgoing traffic 156 to the appropriate origin server 130. For example, the proxy server may transmit a request (e.g., an HTTP GET request) for a resource of the origin server 130.)
receiving, by the device, from the server, the response to the first request; and ([0026] The origin servers 130A-N respond to the outgoing traffic 156 with the incoming traffic 158. For example, an origin server may transmit a response (e.g., an HTTP response) with the requested resource to the proxy server(s) 120.)
generating, by the device, the one or more data packets using the response to the first request by inserting the response and the attribute collector script into the one or more data packets. ([0026] The proxy server(s) 120 may analyze the incoming traffic 158 and take one or more actions, including, for example, transmitting the outgoing traffic 159 to the requesting client device.) Here reference Holloway discloses inserting the response from the server into the data packets. Reference Bhogavilli discloses inserting the attribute collector script into the data packets. Therefore the combination discloses the entire limitation.
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the “client-side active validation” concept of Bhogavilli, and the “mitigating denial-of-service attack” approach of Holloway. One of ordinary skill in the art would have been motivated to perform such a modification for protecting against Internet-based threats (e.g., proactively stopping botnets, cleaning viruses, trojans, and worms, etc.) and providing DoS attack detection and mitigation services using cloud-based proxy service and pass cookie (Holloway [0024]).

Regarding claim 5, Bhogavilli teaches all the features with respect to claim 1, as outlined above. Bhogavilli in view of Holloway further teaches wherein the response is a first response, the method further comprising:
receiving, by the device from the server in response to the client not being associated with an autonomous program, a second response to the second request; ([Holloway 0119] FIG. 7, flow moves from operation 730 to operation 735, where the proxy server determines whether the visitor passed the set of challenges. For example, in the case where the presented set of challenges includes a client-side script… If the visitor passed the set of challenges, then flow moves to operation 740. [Holloway 0123] At operation 745, the proxy server retrieves the requested network resource. In one embodiment, if the requested resource is not in the local cache of the proxy server or the cached resource has expired, the proxy server requests the resource from the origin server.)
generating, by the device, a cookie associated with a session between the client and the server; and ([Holloway 0121] At block 740, the proxy server sets a pass cookie and causes the visitor to re-submit the request (e.g., the proxy server transmits a response with a redirection code to the visitor). In one embodiment, the pass cookie may be a value that is stored on the proxy server. In other embodiments, the pass cookie is a self expiring hash of the visitor's IP address.)
transmitting, by the device, to the client, the second response and the cookie. ([Holloway 0122-0123] Assuming that the visitor re-submits the request (e.g., as a result of a redirect), the proxy server will receive the request again in step 720. The visitor will include the pass cookie in the request. Flow then moves to operation 750 where the proxy server transmits the requested network resource to the visitor.) Here “transmitting the cookie to the client by the device” is disclosed because client includes the cookie in the subsequent request.

Regarding claim 6, Bhogavilli in view of Holloway teaches all the features with respect to claim 5, as outlined above. The combination further teaches
receiving, by the device from the client, one or more subsequent requests for the server, the one or more subsequent requests including the cookie; and ([Holloway 0112] At operation 725, the proxy server determines whether the request includes a valid pass cookie, which indicates that the visitor has passed the set of challenges.)
validating, by the device, the cookie included the one or more subsequent requests for the server, prior to transmitting the one or more subsequent request to the server via the session. ([Holloway 0112, 0123] If the request includes a valid pass cookie, then flow moves to operation 745. At operation 745, the proxy server retrieves the requested network resource. In one embodiment, if the requested resource is not in the local cache of the proxy server or the cached resource has expired, the proxy server requests the resource from the origin server.)

Regarding claim 7, Bhogavilli in view of Holloway teaches all the features with respect to claim 5, as outlined above. The combination further teaches determining, by the device, that the cookie included in a subsequent request is expired or invalid. ([Holloway 0112, 0121-0122] At operation 725, the proxy server determines whether the request includes a valid pass cookie, which indicates that the visitor has passed the set of challenges. If the request does not include a valid pass cookie then flow moves to operation 730. The pass cookie may also include a timestamp which, for a given period of time (e.g., 1 hour), will result in the same hash (but a different hash after that time period). This effectively embeds a TTL in the pass cookie. For example, the proxy server performs the same hash function with the IP address (or portion of the IP address) that was used to set the cookie and the current time. If the two match, then the pass cookie is valid and the request can pass through unchallenged (without being presented with a challenge page) until the pass cookie TTL expires. If a pass cookie is used after it has expired, then the expiring timestamp will result in a different hash.)

Regarding claim 8, Bhogavilli in view of Holloway teaches all the features with respect to claim 7, as outlined above. The combination further teaches responsive to determining that the cookie included in the subsequent request is expired or invalid, performing one of: ([Holloway 0112] At operation 725, the proxy server determines whether the request includes a valid pass cookie, which indicates that the visitor has passed the set of challenges. If the request does not include a valid pass cookie then flow moves to operation 730.)
generating, by the device, a new cookie for the client; or ([Holloway 0121] At block 740, the proxy server sets a pass cookie and causes the visitor to re-submit the request (e.g., the proxy server transmits a response with a redirection code to the visitor). In one embodiment, the pass cookie may be a value that is stored on the proxy server. In other embodiments, the pass cookie is a self expiring hash of the visitor's IP address.)
blocking the subsequent request from being transmitted to the server responsive to the cookie being expired or invalid.

Regarding claim 9, Bhogavilli in view of Holloway teaches all the features with respect to claim 7, as outlined above. The combination further teaches transmitting, by the device, the one or more subsequent requests responsive to a count of grace requests in which the cookie is expired or invalid is less than a threshold. ([Holloway 0112, 0123] At operation 725, the proxy server determines whether the request includes a valid pass cookie, which indicates that the visitor has passed the set of challenges. If the request does not include a valid pass cookie then flow moves to operation 730. If the request includes a valid pass cookie, then flow moves to operation 745. At operation 745, the proxy server retrieves the requested network resource.) Here Holloway discloses transmitting, by the device, the one or more subsequent requests only when the cookie is valid or not expired, meaning grace requests threshold being zero. Indeed, it would be obvious to change the size of grace requests threshold if it is desired; See MPEP 2144.04(IV)(A).

Regarding claim 10, Bhogavilli in view of Holloway teaches all the features with respect to claim 7, as outlined above. The combination further teaches wherein determining that the cookie is invalid comprises:
storing, by the device, in one or more data storage devices, a first value associated with the cookie associated with the session; ([Holloway 0108] A successful response may be embedded into a cookie. In some embodiments, the cookie may be a value that is stored on the proxy server. In other embodiments, the cookie is a self expiring hash of the client's IP address.)
computing, by the device, a second value corresponding to the cookie received with the subsequent request from the client; comparing, by the device, the first value stored in the one or more data storage devices with the second value corresponding to the cookie received with the subsequent request; and ([Holloway 0122] At operation 725, the proxy server 120 determines whether the request includes a valid pass cookie. For example, the proxy server performs the same hash function with the IP address (or portion of the IP address) that was used to set the cookie and the current time. If the two match, then the pass cookie is valid and the request can pass through unchallenged (without being presented with a challenge page) until the pass cookie TTL expires. If a pass cookie is used after it has expired, then the expiring timestamp will result in a different hash.)
determining, by the device, that the cookie is invalid based on the first value being different from the second value. ([Holloway 0125] In an alternative embodiment, the proxy server maintains a lookup table of valid pass cookies that is checked upon each request. If the request includes a cookie that is not valid according to the lookup table, then the request will be dropped by the proxy server.) 

Regarding claims 14-18, the scope of the claims are similar to that of claims 4-6 and 8-10, respectively. Accordingly, the claims are rejected using a similar rationale.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 20210281605 A1, "Generating Urls To Detect Autonomous Programs Systems And Methods", by Thangellapalli, teaches that a device, intermediary to a plurality of clients and a plurality of servers, can receive a first request from a first client of the plurality of clients to a server of the plurality of servers via a connection between the device and the first client. The device can include, into a response from the server to the first client, a uniform resource locator (URL) comprising one or more randomly generated characters within a predetermined character space. The device can determine that the first client has an autonomous program responsive to receiving a second request from the first client using the URL. The device can terminate, responsive to the determination, the connection to the first client.
US 11343357 B2, "Systems and methods for autonomous program detection", by Katta, teaches a device which may transmit data to a client in response to a first request from the client. The data may include a response to the first request and a copy of data available to the device corresponding to the first request or the client. The device may receive a second request including the copy of data from the client. The device may determine that the second request is from an autonomous program rather than a user of the client based on the copy of data from the second request. The device may block at least one subsequent request from the client in response to the determination that the second request is from an autonomous program.
US 10326789 B1, "Web Bot detection and human differentiation", by Vines, teaches Web Bot detection methods and systems provided that receive a request, in connection with a network session. The methods and systems determine whether the request is associated with potential Bot activity, and based thereon assign a Bot confidence designation. The Bot confidence designation indicates a likelihood that the request represents an agent-based request. The methods and systems analyze a session trait of the network session relative to predetermined session traits indicative of human-based requests, and assign a human confidence designation based on the analysis. The human confidence designation indicates a likelihood that the request represents a human-based request. The request is then classified to represent an agent-based request or human-based request based on the Bot and human confidence designations.
US 11356433 B2, "System and method for detecting unauthorized activity at an electronic device", by Krylov, teaches analyzing a first request from the user device, the first request including original client cookie; in response to the original client cookie meeting a predetermined threshold: causing the user device to receive a Java Script Module, thereby enabling the user device to generate a second request, by: receiving server cookie indicative of a given activity associated with the user device being one of: a user activity and a bot activity; generating the second request including first client cookie and the server cookie; determining if the second request is to be transmitted to a web content server associated with the first web page; in response to the server cookie data being indicative of the bot activity: the second request is blocked.
US 11233802 B1, "Cookie and behavior-based authentication", by Rudeanu, teaches that a client sends a request for access to a webpage and receives a cookie and code to obtain data about the client in response to the request. The cookie may be cryptographically secured and contain first data about the client. The client subsequently sends a second request with the cookie to access the same webpage. Any additional information about the client, received in the second request, is then compared with the first data about the client obtained from the cookie to determine whether anomalous activity exists in connection with the client. That is, data about the client is compared to previous client activity history to determine whether there were any anomalous activity and the result of the comparison indicates whether the client is trustworthy.
US 20210350277 A1, "Adaptive anomaly detector", by Agrawal, teaches to receive a response to a request to verify whether an ostensible client of a service is actually a client or a bot, the response including an indicator of whether the ostensible client is a client or a bot; receive information descriptive of interoperations between the ostensible client and the service that are indicative of whether the ostensible client is a client or a bot; and train a plurality of machine learning classifiers using the information and the indicator to generate a next generation of the plurality of machine learning classifiers.
"What Is A Reverse Proxy? | Proxy Servers Explained", by Cloudflare, teaches that a reverse proxy protects web servers from attacks and can provide performance and reliability benefits. It defines a proxy server, describes the differences between a forward and reverse proxy, and outlines the benefits of using a reverse proxy.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to HAN YANG whose telephone number is (408)918-7638.  The examiner can normally be reached on Monday to Friday, 9:00-5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on 571-272-3862.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/HAN YANG/Examiner, Art Unit 2493