DETAILED ACTION

Response to Arguments
Applicant’s arguments (“REMARKS”), filed July 13, 2022, have been fully considered but are only partially persuasive. 
Claims 16-33 are currently pending. Claims 16, 18-20, 23, 24, and 26-30 were amended. Claims 31-33 were added.

Re: Claim Rejections – 35 USC § 101
Applicant argues on pg. 1 of the REMARKS that claims 29 and 30 have been amended to overcome the 101 rejection. After further consideration, the rejection of claim 30 under 101 as being directed to non-statutory subject matter has been withdrawn. However, claim 29 remains rejected under 101 as being directed to non-statutory subject matter. Specifically, the system of claim 29 was amended to further include one of “a proxy server and a streaming server”. The claims and specifications fail to specifically define “server” as hardware only. Servers are commonly defined as either software of hardware. Therefore, under broadest reasonable interpretation, the claims remain directed to a software system.

Re: Claim Rejections – 35 USC § 112
	Applicant argues on pg. 1 of the REMARKS that claims 18-20, 23, 24, and 26-28 have been amended to resolve the 112(b) issues raised in the previous Office Action. After further consideration and review of the claims, the 112(b) rejection has been withdrawn.

Re: Claim Rejections – 35 USC § 102 and 103
Applicant argues on pg. 2 of the REMARKS that the amended features of claim 16 are not taught in Kuperman. Specifically, the predetermined categories of bots in Kuperman are malicious and non-malicious, whereas the claim requires there being “more than two predetermined bot categories”. After further consideration of the amended claim and Applicant’s arguments, the rejection of Kuperman under 35 USC 102 has been withdrawn. However, a new ground of rejection has been asserted under Kuperman in view of Kaminsky (applied in dependent claim 18) and Call (US 2015/0350181).
Furthermore, Applicant argues on pp. 3-4 that Kuperman does not disclose the features presented in claim 26. After further consideration of the Applicant’s arguments to claim 26, they are deemed persuasive and the prior art rejection to claim 26 has been withdrawn. 

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claim 29 is rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  The claim does not fall within at least one of the four categories of patent eligible subject matter because they are directed to software per se. The term “computer” does not limit the system to hardware. Computer systems can be virtualized, e.g. a virtual machine or virtual PC. Furthermore, the inclusion of servers to the system does not provide any physical structure to the system. The servers are not limited to hardware in the claim, and servers are also known as software programs running typically running as background processes (e.g. they run constantly in the background to provide services/functions to requests from clients). Thus, the system claim is directed to a software system under broadest reasonable interpretation. Software is not patentable subject matter. 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 16-18, 21-25, 27, and 28-33 are rejected under 35 U.S.C. 103 as being unpatentable over US 2017/0244737 to Kuperman et al. (hereinafter, “Kuperman”) in view of US 2016/0191554 to Kaminsky (hereinafter, “Kaminsky”) and in further view of US 2015/0350181 to Call et al. (hereinafter, “Call”). 
As per claim 16: Kuperman discloses: A method of processing web requests directed to a website (“A system (and method, and computer readable storage medium storing computer program instructions) is configured for protecting web applications at a host by analyzing web application behavior to detect malicious client requests.” [Kuperman, ¶0020]), the method including: (i) receiving a plurality of web requests directed to the website (a proxy 205 receives traffic (e.g. client requests and responses) from clients 101, 105, which is passed onto the host 145 containing a web application 120 [Kuperman, ¶0036; Fig. 2]); (ii) for each of the plurality of web requests, identifying a source from which the web request has originated (identifying known non-malicious and known malicious clients from the requests [Kuperman, ¶0039]); (iii) for at least one web request identified as having originated from a given source: determining whether the source is a bot or a non-bot based on the at least one web request (the proxy 205 analyzes canvas events to detect human activities and indications of non-human actors, that can include non-malicious or malicious bots [Kuperman, ¶0044]); .
Kuperman does not disclose the strikethrough limitations. However, Kaminsky discloses: if the source is determined to be a bot, using a machine learning engine to assign one of a plurality of predetermined bot categories to the source based on the at least one web request (one or more intrusive tests are selected after a calculated probability implying a confidence that a bot is present [Kaminsky, ¶0023]; these intrusive tests not only detect a bot, but identify the class or type of bot – different classes of automated agents can be identified [Kaminsky, ¶0037]; various metrics are obtained to contribute to a statistical model (“machine learning engine”) for identification and classification [Kaminsky, ¶0041-0042, 0044-0046]).
Hence, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to compute probabilities to the classification of the requesting clients in Kuperman, which would have improved the accuracy of identifying malicious and non-malicious clients. The type of bots would have been identified to further separate malicious and non-malicious bots.
Kuperman do not disclose: wherein there are more than two predetermined bot categories. While [Kaminsky, ¶0037] suggests that the classification process is “not just bot versus human, but different classes of automated agents”, Kaminsky does not explicitly disclose “more than two” classes of automated agents being classified. However, the existence of multiple types of bots is well-known. For example, Call discloses known types of bots that can perform content scaping, ratings manipulation, fake account creation, reserving rival goods, and web site scraping attacks [Call, ¶0006].
Thus, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to incorporate any number of bot types to be classified in the modified system of Kuperman in view of Kaminsky. This incorporation would have been a design choice in selecting what types of bots were desired to be identified, beyond the classification of malicious and non-malicious bots in Kaminsky. The types of bots may have been selected for the system based on the most common bot attacks and would have enabled a more granular design composing of targeted responses to specific bots in the modified system of Kuperman and Kaminsky.

As per claim 17: Kuperman in view of Kaminsky and Call disclose all limitations of claim 16. Furthermore, Kuperman discloses: wherein the machine learning engine uses at least one model and/or algorithm that has been trained by the machine learning engine using historical web request data to assign one of the plurality of predetermined bot categories to the source, wherein the historical web request data includes previous web requests directed to the website (the model generator 209 may retrain on newly classified and previous known requests to create a newly trained model 205 [Kuperman, ¶0053]; the attribute of distinguishing between a malicious and non-malicious bot in [Kuperman, ¶0044], are used for training the model 205 using various algorithms, such as logistic regression, neural networks, and the like [Kuperman, ¶0049, 0054-0055]).

As per claim 18: Kuperman in view of Kaminsky and Call discloses all limitations of claim 16. Furthermore, Kuperman in view of Kaminsky disclose: wherein the machine learning engine may assign one or the predetermined bot categories to the source along with a confidence level associated with the assigned bot category, wherein the confidence level associated with the assigned bot category represents a level of confidence that the assigned bot category is correct (performance metric for visitors to a given web page are compiled and aggregated for remote analysis, wherein the analysis results in probabilities of the likelihood a visitor was human or an automated agent, including the particular type/class of bot [Kaminsky, ¶0034]).

As per claim 21: Kuperman in view of Kaminsky and Call disclose of claim 16. Furthermore, Kuperman discloses: wherein the machine learning engine assigns one of a plurality of predetermined bot categories to the source based indirectly on the at least one request, using information describing the at least one request, wherein the information describing the at least one web request is extracted from the at least one web request before being passed to the machine learning engine (the attribute collector is configured to collect associated attributes to the requests, such as static attribute features directly from the request [Kuperman, ¶0041] and derived attributes that are inferred [Kuperman, ¶0051, 0052]; attributes are used to train the model [Kuperman, ¶0054]).

As per claim 22: Kuperman in view of Kaminsky and Call discloses all limitation of claim 16. Furthermore, Kuperman discloses: wherein a proxy server is configured to manage web requests directed to the website and responses to web requests issued by the website, wherein the proxy server is configured to receive web requests directed to the website, and to direct each response issued by the website to the source to which the response is directed (the proxy 20 manages the client requests and response between clients and the host of the web application [Kuperman, ¶0036; Fig. 2]).

As per claim 23: Kuperman in view of Kaminsky and Call discloses all limitations of claim 22. Furthermore, Kuperman discloses: wherein the method includes: (a) if the source is determined to be a non-bot, the proxy server passing the/each subsequent web request sent by the source on to a web server hosting the website; and (b) if the source is determined to be a bot, the proxy server not passing one or more subsequent web requests sent by the source on to a web server hosting the website (a web application firewall 110 within the proxy 205 permits or denies requests and/or future requests from clients based on classifications [Kuperman, ¶0085]).

As per claim 24: Kuperman in view of Kaminsky and Call discloses all limitations of claim 22. Furthermore, Kuperman discloses: wherein the method includes: (I) if a first bot category is assigned to the source, the proxy server passing the/each subsequent web request sent by the source on to a web server hosting the website; and (II) if a second bot category is assigned to the source, the proxy server not passing one or more subsequent web requests sent by the source on to a web server hosting the website (the proxy distinguishes between requests in order to permit non-malicious clients access to the host of the web application [Kuperman, ¶0038]; as discussed in claim 16, a non-human client/actor does not necessary mean it is a malicious client, which can be further distinguished by the model as non-malicious bots (“first bot category”) or malicious bots (“second bot category”)).

As per claim 25: Kuperman in view of Kaminsky and Call discloses all limitations of claim 16. Furthermore, Kuperman discloses: wherein the method includes: (c) if the source is determined to be a non-bot, the website issuing a response that contains website content configured for a non-bot to the/each subsequent web request sent by the source; and (d) if the source is determined to be a bot, the website not issuing a response to one or more subsequent web requests sent by the source and/or the website issuing responses that contain website content configured for a bot to one or more subsequent web requests sent by the source (permitting access to the functionality of the web application 120, or denying access to the functionality of the web application, based on the label/classification of the requests [Kuperman, ¶0038, 0058]).

As per claim 27: Kuperman in view of Kaminsky and Call discloses all limitations of claim 23. Therefore, Kuperman in view of Kaminsky disclose: wherein any one or more of steps (a)-(b) is dependent on a confidence level associated with the assigned bot category (performance metric for visitors to a given web page are compiled and aggregated for remote analysis, wherein the analysis results in probabilities of the likelihood a visitor was human or an automated agent, including the particular type/class of bot [Kaminsky, ¶0034]).

As per claim 28: Kuperman in view of Kaminsky and Call discloses all limitations of claim 23. Furthermore, Kuperman discloses: wherein any one or more of steps (a)-(b) is dependent on a rate of web requests directed to the website (client request rate per minute at time of request receipt is one of the attributes used by model generator 209 [Kuperman, ¶0052]).

As per claim 29: Kuperman in view of Kaminsky and Call discloses all limitations of claim 16. Furthermore, Kuperman discloses: A computer system for processing web requests directed to a website, wherein the computer system comprises a machine learning engine and at least one of a proxy server and a streaming server configured to produce information based on at least one of the web requests for the machine learning engine, wherein the computer system is configured to carry out a method according to claim 16 (a system comprising one or more proxy devices [Kuperman, ¶0020]).

As per claim 30: Kuperman in view of Kaminsky and Call discloses all limitations of claim 16. Furthermore, Kuperman discloses: A non-transitory computer-readable medium having computer-executable instructions configured to cause a computer system to perform a method according to claim 16 (computer readable storage medium storing computer program instructions [Kuperman, ¶0020]).

As per claim 31: Kuperman in view of Kaminsky and Call discloses all limitations of claim 16. Furthermore, Kuperman in view of Kaminsky and Call disclose: wherein the plurality of predetermined bot categories contains two or more of: price scraping, ad fraud, content theft, search engine spider, account takeover, and fake account creation (bots that can perform content scaping, ratings manipulation, password snooping, fake account creation, and web site scraping attacks).

As per claim 32: Kuperman in view of Kaminsky and Call discloses all limitations of claim 25. Therefore, Kuperman in view of Kaminsky disclose: wherein any one or more of steps (c)-(d) is dependent on a confidence level associated with the assigned bot category (performance metric for visitors to a given web page are compiled and aggregated for remote analysis, wherein the analysis results in probabilities of the likelihood a visitor was human or an automated agent, including the particular type/class of bot [Kaminsky, ¶0034]).

As per claim 33: Kuperman in view of Kaminsky and Call discloses all limitations of claim 25. Furthermore, Kuperman discloses: wherein any one or more of steps (c)-(d) is dependent on a rate of web requests directed to the website (client request rate per minute at time of request receipt is one of the attributes used by model generator 209 [Kuperman, ¶0052]).

Claims 19 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Kuperman, Kaminsky, Call and in further view of US 10,326,789 to Vines et al. (hereinafter, “Vines”).
As per claim 19: Kuperman in view of Kaminsky and Call discloses all limitations of claim 16. Furthermore, Kuperman discloses using code injection and device fingerprinting to determine if a client is a human actor or a bot [Kuperman, ¶0042]. This method of detecting if a client (“source”) is a human actor or a bot is distinct from the elements recited in claim 19. However, Vines is directed to analogous art of classifying human or bot traffic in a network [Vines, col. 2, lines 59-64]. Therefore, Vines discloses: wherein the machine learning engine is configured to use at least one model and/or algorithm that has been trained by the machine learning engine using historical web request data to determine whether the source is a bot or a non-bot based on the at least one web request (a human confidence module 130 utilizes machine learning or a predefined model to determine bot behavior and human behavior [Vines, col. 8, lines 11-24]; historical traits and sessions are analyzed by the human confidence module 130 [Vines, col. 7, lines 21-26 & 38-46]).
Thus, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to utilized any known method for distinguishing between human and bot actions in a network in Kuperman. The method of detecting humans and bots in Kuperman would have been replaced with the machine learning method of Vines. The method of Vines is adaptive to evolving patterns of humans and bots and provides a more granular result in the form of confidence levels/ratings [Vines, col. 3, lines 18-39].  

As per claim 20: Kuperman in view of Kaminsky and Call discloses all limitations of claim 16. Furthermore, Kuperman in view of Kaminsky, Call and Vines disclose: wherein a machine learning engine is configured to determine whether the source is a bot or a non-bot based on the at least one web request (a proxy service 112 processes HTTP requests to determine if their origin is from a human user or a bot [Vines, col. 5, lines 17-50]).

Allowable Subject Matter
Claim 26 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to ROBERT B LEUNG whose telephone number is (571)270-1453. The examiner can normally be reached Mon - Thurs: 10am-7pm ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JUNG KIM can be reached on 571-272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/ROBERT B LEUNG/Primary Examiner, Art Unit 2494                                                                                                                                                                                                        9-13-2022