Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1- 4, 6, 8,  9-14, 16 and 18 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-2, 6-8, 10-12 and 19 of U.S. Patent No. 11,303,695. Although the claims at issue are not identical, they are not patentably distinct from each other.

Instant Application 
U.S. Patent No. 11,303,695
A method by a network device comprising: 






sending an analysis request to a bot detector component to analyze a request made by a client for a resource provided by an origin server, wherein the request is a POST request; 



obtaining an interstitial page in response to receiving an analysis response from the bot detector component indicating that the client is to be identified, wherein the interstitial page includes challenge code for interrogating the client and code for submitting a form included in the interstitial page after the client is interrogated; 


encrypting a payload of the request made by the client; 

adding the encrypted payload to a hidden input field of the form included in the interstitial page; and sending the interstitial page with the encrypted payload added to the hidden input field of the form to the client as a response to the request made by the client. 




2.The method of claim 1, further comprising: receiving the encrypted payload from the client, wherein the encrypted payload is received from the client due to the client submitting the form included in the interstitial page after the client is interrogated; decrypting the encrypted payload to recover the payload of the request made by the client; reconstructing the request made by the client using the recovered payload; and sending the reconstructed request to the origin server.


.









3. The method of claim 2, wherein the request made by the client is reconstructed and sent to the origin server in response to a determination that the client is not operated by a bot. 






4. The method of claim 1, wherein the challenge code is included in the interstitial page using a script tag that references a location of the challenge code.


6. The method of claim 1, wherein the encrypted payload is generated based on applying an encryption mechanism to the payload of the request made by the client using an initialization vector and a secret key.


8. The method of claim 7, further comprising:
receiving the initialization vector from the client as a cookie along with the encrypted
payload.


9. The method of claim 1, wherein the bot detector component determines that the client is to be identified because the client has not acquired a valid token.


10. The method of claim 1, wherein the payload of the request is encrypted and added to the hidden input field of the form included in the interstitial page in response to a determination that the request is a POST request as opposed to a GET request.





11. A non-transitory machine-readable storage medium that provides instructions that, if executed by a processor of a network device, causes the network device to perform operations comprising:






sending an analysis request to a bot detector component to analyze a request made by a client 


for a resource provided by an origin server, wherein the request is a POST request; 
obtaining an interstitial page in response to receiving an analysis response from the bot detector component indicating that the client is to be identified, wherein the interstitial page includes challenge code for interrogating the client and code for submitting a form included in the interstitial page after the client is interrogated; 



encrypting a payload of the request made by the client; adding the encrypted payload to a hidden input field of the form included in the interstitial page; and sending the interstitial page with the encrypted payload added to the hidden input field of the form to the client as a response to the request made by the client.




	







12. The non-transitory machine-readable storage medium of claim 11, wherein the operations further comprise: 


receiving the encrypted payload from the client, wherein the encrypted payload is received from the client due to the client submitting the form included in the interstitial page after the client is interrogated; 

decrypting the encrypted payload to recover the payload of the request made by the client; reconstructing the request made by the client using the recovered payload; and sending the reconstructed request to the origin server.











13. The non-transitory machine-readable storage medium of claim 12, wherein the request made by the client is reconstructed and sent to the origin server in response to a determination that the client is not operated by a bot.





14. The non-transitory machine-readable storage medium of claim 11, wherein the challenge code is included in the interstitial page using a script tag that references a location of the challenge code.








16.  The non-transitory machine-readable storage medium of claim 11, wherein the encrypted payload is generated based on applying an encryption mechanism to the payload of the request made by the client using an initialization vector and a secret key.


18.  The non-transitory machine-readable storage medium of claim 17, wherein the operation further comprise: receiving the initialization vector from the client as a cookie along with the encrypted payload.


20.  The non-transitory machine-readable storage medium of claim 11, wherein the payload of the request is encrypted and added to the hidden input field of the form included in the interstitial page in response to a determination that the request is a POST request as opposed to a GET request. 
1. A method by a network device implementing a web application layer proxy communicatively coupled between a client and an origin server for performing automated POST resubmission, the method comprising:
sending an analysis request to a bot detector component to analyze the request in response to intercepting the request intercepting a request by the client for a resource provided by the origin server, wherein the request is a POST request;
obtain an interstitial page in response to receiving a response from the bot detector component indicating that the client needs to be identified, wherein the interstitial page includes challenge code for interrogating the client and code for automatically submitting a form included in the interstitial page if the client successfully acquires a token;                                                                    encrypting a payload of the request using an initialization vector and a secret key; 
adding the encrypted payload to a hidden input field of the form included in the interstitial page; and sending the interstitial page with the encrypted payload added to the hidden input field of the form to the client as a response to the request, wherein the interstitial page is sent with the initialization vector as a cookie.
The method of claim 1, further comprising: receiving the encrypted payload from the client, wherein the encrypted payload is received from the client due to the client submitting the form included in the interstitial page after acquiring the token; decrypting the encrypted payload using the initialization vector and the secret key to recover the payload of the request; reconstructing the request using the recovered payload of the request; and sending the reconstructed request to the origin server.


6. The method of claim 1, further comprising: intercepting a further request by the client for a resource provided by the origin server, wherein the further request is sent with the token as a cookie; sending a further analysis request to the bot detector component to analyze the further request in response to intercepting the further request; and forwarding the further request to the origin server in response to receiving a response from the bot detector component that the client is not operated by a bot, wherein the bot detector determines that the client is not operated by a bot based on a determination that the token acquired by the client is valid

10. The method of claim 1, wherein the challenge code is included in the interstitial page using a script tag that references a location of the challenge code.

1.encrypting a payload of the request using an initialization vector and a secret key;

The method of claim 2, further comprising: receiving the initialization vector from the client as a cookie along with the encrypted payload.
8. The method of claim 1, wherein the bot detector component determines that the client needs to be identified because the client has not acquired a valid token.

7. The method of claim 1, wherein the payload of the request is encrypted and added to the hidden input field of the form included in the interstitial page in response to a determination by the web application layer proxy that the request is a POST request as opposed to a GET request.

11. A network device configured to implement a web application layer proxy that is to be communicatively coupled between a client and an origin server to perform automated POST resubmission, the network device comprising: one or more processors; and a non-transitory machine-readable storage medium having instructions stored therein, which when executed by the one or more processors, causes the network device to: 
send an analysis request to a bot detector component to analyze the request in response to intercepting the request,
intercept a request by the client for a resource provided by the origin server, wherein the request is a POST request, obtain an interstitial page in response to receiving a response from the bot detector component indicating that the client needs to be identified, wherein the interstitial page includes challenge code for interrogating the client and code for automatically submitting a form included in the interstitial page if the client successfully acquires a token, 
encrypt a payload of the request using an initialization vector and a secret key, add the encrypted payload to a hidden input field of the form included in the interstitial page, and send the interstitial page with the encrypted payload added to the hidden input field of the form to the client as a response to the request, 
wherein the interstitial page is sent with the initialization vector as a cookie.



12. The network device of claim 11, wherein the instructions, when executed by the one or more processors, further causes the network device to: 
receive the encrypted payload from the client, wherein the encrypted payload is received from the client due to the client submitting the form included in the interstitial page after acquiring the token, 
decrypt the encrypted payload using the initialization vector and the secret key to recover the payload of the request, reconstruct the request using the recovered payload of the request, and send the reconstructed request to the origin server.
19. The non-transitory machine-readable storage medium of claim 16, wherein the operations further comprise: intercepting a further request by the client for a resource provided by the origin server, wherein the further request is sent with the token as a cookie; sending a further analysis request to the bot detector component to analyze the further request in response to intercepting the further request; and forwarding the further request to the origin server in response to receiving a response from the bot detector component that the client is not operated by a bot, wherein the bot detector determines that the client is not operated by a bot based on a determination that the token acquired by the client is valid.

10. The method of claim 1, wherein the challenge code is included in the interstitial page using a script tag that references a location of the challenge code.





11.  encrypt a payload of the request using an initialization vector and a secret key                                                                                            
13. The network device of claim 12, wherein the instructions, when executed by the one or more processors, further causes the network device to: receiving the initialization vector from the client as a cookie along with the encrypted payload.
20. The non-transitory machine-readable storage medium of claim 16, wherein the payload of the request is encrypted and added to the hidden input field of the form included in the interstitial page in response to a determination by the web application layer proxy that the request is a POST request as opposed to a GET request.



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 4-5, 9, 11, 14-15 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Holloway et al. – hereinafter Holloway (US 8,613,089) in view of Martin et al. – hereinafter Martin (US 8,051,465) 

As per claim 1, Holloway discloses a method by a network device comprising: 
sending an analysis request to a bot detector component to analyze a request made by a client for a resource provided by an origin server, wherein the request is a POST request; (Col 14 lines 44-54; In some embodiments, instead of or in addition to the proxy server 120 identifying a DoS attack, a control server 125 of the proxy service node identifies a DoS attack and causes mitigation actions to be performed. For example, the information in the logs 540 may be communicated to the control server 125 (e.g., the information may be periodically pushed to the control server 125 or pulled from the proxy server 120) and used to identify an attack as previously described.)
obtaining an interstitial page in response to receiving an analysis response from the bot detector component indicating that the client is to be identified,; (Col 22 lines 11-25; In one embodiment, enabling the rule for the domain will cause each visitor to that website to receive an interstitial page for an amount of time (e.g., five seconds) while the proxy server determines whether the visitor is likely to be part of the DoS attack based on visitor request patterns. For example, the proxy server may determine a likelihood of whether the visitor is a legitimate human (which typically would not be part of a DoS attack) or a bot (which may be part of the DoS attack).)
	wherein the interstitial page includes challenge code for interrogating the client and code for submitting a form included in the interstitial page after the client is interrogated (Col 23 line 51 – Col 24 line 5; For example, in the case where the presented set of challenges includes a client-side script that, when executes, causes a message to be sent and received by the proxy server, the proxy server may compare that message with an expected value to determine whether the visitor passed the challenge. As a specific example, if the client-side script executes a math problem, the message will include the answer to the math problem (e.g., the client-side script may cause a POST request to be transmitted that includes the answer to the math problem). As another example, the proxy server may receive the result of the CAPTCHA, the solution to the math question or trivia question if presented. The proxy server compares these answers to their expected values to determine whether they are correct. If the visitor passed the set of challenges, then flow moves to operation 740.)
encrypting a payload of the request made by the client;  (Col 2 line 61 – Col 3 line 8; For example, web traffic (e.g., HTTP requests/responses, HTTPS requests/responses, SPDY requests/responses, etc.) for domains of the origin servers 130A-N may be received and processed at the proxy server(s) 120; Examiner note: HTTPS encrypts the payload of the request)
Holloway fails to disclose adding the encrypted payload to a hidden input field of the form included in the interstitial page; and sending the interstitial page with the encrypted payload added to the hidden input field of the form to the client as a response to the request made by the client. 
Martin discloses adding the encrypted payload to a hidden input field of the form included in the interstitial page; and sending the interstitial page with the encrypted payload added to the hidden input field of the form to the client as a response to the request made by the client.  (Col 6 lines 53-62; A submission in one embodiment contains all form data, represented as URL parameters in the case of a GET submission, or form header parameters in the case of a POST submission. If the user has an authentication cookie to the Web site then the cookie is contained in an HTTP/HTTPS header; Col 7 line 42 – Col 8 line 9; Also, the user's session ID is stored in a hidden form field of the interstitial page to be submitted with the next submission, along with the information in the user's session cookie or other secure token. If the user did not have a valid session ID previously, a valid session ID is generated during construction of the interstitial page and returned both in the interstitial page and in the session cookie returned to the user together with the interstitial page.)
It would have been obvious before the effective filing date for the teachings of of Holloway to be modified so that the encrypted payload is stored and added to a hidden input field in an interstitial page as taught by Martin as this causes the user to resubmit the request to verify their identity.  The motivation would have been to mitigate or otherwise reduce the number of fraudulent submissions that are received purporting to be submitted on behalf of an unknowing user. (Martin, Col 3 lines 18-31)



As per claim 4,  Holloway / Martin disclose the method of claim 1.  Holloway discloses wherein the challenge code is included in the interstitial page using a script tag that references a location of the challenge code. . (Col 25 lines 1-35; The code includes the client-side script 1110; Fig. 11: item 1110)
    PNG
    media_image1.png
    164
    466
    media_image1.png
    Greyscale


As per claim 5, Holloway / Martin disclose the method of claim 1 wherein the challenge code includes code for presenting a challenge-response test to an end user of the client. (Col 23 line 51 – Col 24 line 5; For example, in the case where the presented set of challenges includes a client-side script that, when executes, causes a message to be sent and received by the proxy server, the proxy server may compare that message with an expected value to determine whether the visitor passed the challenge. As a specific example, if the client-side script executes a math problem, the message will include the answer to the math problem (e.g., the client-side script may cause a POST request to be transmitted that includes the answer to the math problem). As another example, the proxy server may receive the result of the CAPTCHA, the solution to the math question or trivia question if presented. The proxy server compares these answers to their expected values to determine whether they are correct. If the visitor passed the set of challenges, then flow moves to operation 740.)

As per claim 9, Holloway / Martin disclose the method of claim 1.  Holloway discloses wherein the bot detector component determines that the client is to be identified because the client has not acquired a valid token. (Col 22 lines 26-38; If the request does not include a valid pass cookie then flow moves to operation 730. If the request includes a valid pass cookie, then flow moves to operation 745; Col 22 lines 39-59;  At operation 730 (the request does not include a valid pass cookie), the proxy server presents a set of challenges to the visitor which if not passed are an indication that the visitor is part of the DoS attack.)

As per claim 11, please see the discussion under claim 1 as similar logic applies.

As per claim 14, please see the discussion under claim 4 as similar logic applies.

As per claim 15, please see the discussion under claim 5 as similar logic applies.

As per claim 19, please see the discussion under claim 9 as similar logic applies.

Claims 2 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Holloway (US 8,613,089) / Martin (US 8,051,465) further in view of  Moore (US 10,284,526)

As per claim 2, Holloway / Martin disclose the method of claim 1.  The combined teachings of Holloway / Martin fail to teach further comprising: receiving the encrypted payload from the client, wherein the encrypted payload is received from the client due to the client submitting the form included in the interstitial page after the client is interrogated; decrypting the encrypted payload to recover the payload of the request made by the client; reconstructing the request made by the client using the recovered payload; and sending the reconstructed request to the origin server.
Moore discloses receiving the encrypted payload from the client, wherein the encrypted payload is received from the client, decrypting the encrypted payload to recover the payload of the request made by the client; reconstructing the request made by the client using the recovered payload; and sending the reconstructed request to the origin server. (Col 6 line 40 – Col 7 line 4; If or when there is not a match or sufficient correspondence, then in Step 1-5a the MITM agent may take no action to decrypt the session, thereby saving computational resources and possibly enforcing policies, such as privacy protection policies. If or when there is a match or sufficient correspondence, then in Step 1-5b the agent may set up and use an SSL/TLS proxy function to (a) decrypt the HTTPS session; and (b) inspect the plaintext of the HTTPS session. Before applying any intermediating logic to the plaintext, the MITM agent checks if the session's domain name value was inserted into the domain-name-decrypt-list because it was a host name extracted from the URI-decrypt-list. If so, then the agent compares the session's URI value to elements in the URI-decrypt-list. If there is not a match or sufficient correspondence, then in Step 1-6a, the agent may re-encrypt the session and forward to the destination without applying any intermediating logic to the session's plaintext.)
It would have been obvious before the effective filing date of the invention for the teachings of Holloway / Martin to be modified to implements SSL / TLS proxy of Moore to decrypt and re-encrypt the data from the client the submitting the form included in the interstitial page after the client is interrogated.  This would have been beneficial to defend a network from cybercriminals and cyber-attacks (Moore, Col 4 lines 15-26) when checking for whether the request is a bot or a human.
	As per claim 12, please see the discussion under claim 2 as similar logic applies.




Allowable Subject Matter
Claims 3, 6-8, 10, 13, 16-18 and 20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

 Conclusion
The prior art made of record and not relied upon is considered pertinent toapplicant's disclosure.  See PTO-892 form.
Any inquiry concerning this communication or earlier communications from theexaminer should be directed to Chirag R Patel whose telephone number is (571)272-7966. The examiner can normally be reached on Monday to Friday from 8:00AM to 4:30PM. If attempts to reach the examiner by telephone are unsuccessful, theexaminer's supervisor, Glenton Burgess, can be reached on 571-272-3949. The fax phone number for the organization where this application or proceedingis assigned is 571-273-8300. 
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status informationfor published applications may be obtained from either Private PAIR or PublicPAIR. Status information for unpublished applications is available throughPrivate PAIR only. For more information about the PAIR system, seehttp://pairdirect.uspto.gov. Should you have questions on access to the PrivatePAIR system, contact the Electronic Business Center (EBC) at 866-217-9197(toll free). 

/Chirag R Patel/
Primary Examiner, Art Unit 2454