DETAILED ACTION
	Claims 1-20 are presented on 05/04/2021 for examination on merits.  Claims 1, 11, and 18 are independent base claims. 

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Examiner's Instructions for filing Response to this Office Action
When the Applicant submits amendments regarding to the claims in response the Office Action, the Examiner would prefer that Applicant submit two sets of claims: 
Set #1 that includes indicators for the status of claim and all marked amendments to the claims; and 
Set #2 comprising a clean version of the claims with all the markups removed for entry, as an appendix to the Applicant Arguments/Remarks or a section following the Remarks.

Claim Objections
Claims 1, 5-6, 11, 15-16, and 20 are objected to because of the following informalities: 
Claim 1 recites a phrase “by a device intermediary between a plurality of clients and a server” deficiently because the word intermediary here may be read as a noun or adjective.  It appears that the Applicant means “by a device that is intermediary between a plurality of clients and a server.”  For formality and clarity reasons, the Examiner suggests changing the phrase to: by a device that is intermediary between a plurality of clients and a server.
Claim 5, 15 and 20 each recite a limitation “selecting, by the device, the request to access the server from the client identified as trusted to modify [ ] to include the payload” or the like deficiently.  For formality reasons, the Examiner suggests changing the limitation to: selecting, by the device, the request to access the server from the client identified as a trusted client and modifying the request to include the payload.  
Similarly, claims 5-6, 15-16, and 20 each recite the phrase “second client identified as not trusted” should have been “second client not identified as a trusted client”
Claim 11 recites a phrase containing word “intermediary.”  For the same reason as that for claim 1, the Examiner suggests changing the phrase to: a device having one or more processors coupled with memory, the device being intermediary between a plurality of clients and a server,
Appropriate correction is required.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):

(B)  CONCLUSION—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention. 


Claims 1-17 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.
The rejection(s) under 35 U.S.C. 112(b) is/are determined by the following reasons:
Claims 1 and 11 each recite two instances of “a configuration profile” unclearly, the first instance in the preamble and the second one in the generating step of the respective claims.  
Claims 2-10 and 12-17 are also rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, because they depend from the rejected base claims 1 and 11, respectively.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.


In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

Claims 1-6, 8, and 10-20 are rejected under 35 U.S.C. 103 as being unpatentable over Roichman (US 20170270303 A1; hereinafter “Roi”) in view of Peterson (US 20150143502 A1).
As per claim 1, Roi teaches a method for testing a software application program to detect security vulnerabilities using attack payload (Roi, 0007-0009), comprising:
modifying, by a device intermediary between a plurality of clients and a server, a request from a client of the plurality of clients to access the server to include a payload provided by the device (Roi, par. 0009: at least one request submitted from a client to a server running the program; par. 0022: requests taken from the original recordings but enhanced with malicious payloads for security testing), the payload comprising an action type selected from a plurality of action types used to probe the server for a corresponding security vulnerability of a plurality of security vulnerabilities (Roi, par. 0034: generates requests … to test different types of attacks); 
transmitting, by the device to the server, the request including the payload to cause the server to provide a response to the device (Roi, par. 0028: submit requests to and receive responses from server and the requests and responses normally travel over a path 32 through network 30; par. 0026); 
determining, by the device, that the server is susceptible to a security vulnerability of the plurality of security vulnerabilities corresponding to the action type based at least on the response (Roi, par. 0070: Test generator 56 reviews responses returned by application 22 and reports … when the responses are indicative of possible vulnerabilities); and 
While Roi discusses that the user sets the proxy configuration of QA test, Roi is silent about generating a configuration profile for the firewall to restrict requests of the action type to access the server from the plurality of clients.  This aspect of the claim is identified as a difference.
In a related art, Peterson teaches:
a method of generating a configuration profile for a firewall, comprising: 
generating, by the device, a configuration profile for the firewall to restrict requests of the action type to access the server from the plurality of clients (Peterson, par. 0022: generates the necessary configuration to mitigate the vulnerability (step 208); see also par. 0021 for setting up the firewall configuration system to test an application to be protected by the application firewall (step 202); par. 0023-0024: a testing and firewall configuration system can be used to avoid or at least mitigate any harmful effects of cross-site scripting (XSS) vulnerabilities, which is a type of action to access the server).
Roi and Peterson are analogous art, because they are in a similar field of endeavor in improving mitigations for the computer vulnerability.  Thus, it would have been obvious to one of ordinary in the art, before the effective filing date of the claimed invention, to combine them and to modify Roi by Peterson to include adding or updating a configuration profile for a firewall that restricts certain types of access requests that cause security risks.  For this combination, the motivation would have been to improve the level of security with newly generated or updated configuration profile for the firewall.

As per claim 2, the references as combined above teach the method of claim 1, further comprising: 
determining, by the device, that the server is not susceptible to a second vulnerability of the plurality of security vulnerabilities corresponding to a second action type of the plurality of action types based at least on a second response to a second request including a second payload comprising the second action type (Peterson, par. 0026: As the previously recorded benchmark results represent the expected behavior of the application 306 in response to the legitimate request); and 
generating, by the device, a second configuration profile for the firewall to permit requests of the second action type to access the server from the plurality of clients (Peterson, par. 0028-0029: providing … application firewall configuration; various parameters associated with an application firewall can be adjusted. The security policy of the firewall may also be updated and [added] …to permit a legitimate request; see par. 0010).

As per claim 3, the references as combined above teach the method of claim 1, further comprising: 
determining, by the device, that a second response from a server is to be restricted in accordance with the configuration profile for the firewall (Peterson, par. 0022: generates the necessary configuration to mitigate the vulnerability (step 208); par. 0023: firewall configuration system can be used to avoid or at least mitigate any harmful effects of cross-site scripting (XSS) vulnerabilities); 
identifying, by the device based at least on the determination that the second response is to be restricted, a level of violation of the second response (Peterson, par. 0022: After a defined period of time and/or a defined number of iterations, if ultimately unsuccessful, the system reports the identified vulnerability); and 
modifying, by the device, the configuration profile using the level of violation determined for the second response (Peterson, clm. 1: modification to a first parameter of the application firewall and adjusting the first parameter; and par. 0025: adjusting one of several parameters and/or one or more security policies associated with an application firewall 308).

As per claim 4, the references as combined above teach the method of claim 1, further comprising 
identifying, by the device responsive to determining that the server is susceptible to the security vulnerability, at least one of a level of security check or a level of counteraction for the security vulnerability based at least on the response (Peterson, par. 0022: After a defined period of time and/or a defined number of iterations, if ultimately unsuccessful, the system reports the identified vulnerability), and 
wherein generating the configuration profile further comprises generating the configuration profile for the firewall in accordance with at least one of the level of security check or the level of counteraction (Peterson, par. 0025-0028: iterative testing is an increased level of security check or the level of counteraction.  Peterson here describes a method of repeating testing using the XSS test and the legitimate request).

As per claim 5, the references as combined above teach the method of claim 1, further comprising: 
identifying, by the device from the plurality of clients, the client as trusted for generation of the configuration profile and a second client as not trusted (Peterson, par. 0023-0024: a malicious client vs. legitimate client); and 
selecting, by the device, the request to access the server from the client identified as trusted to modify to include the payload, concurrent with not selecting a second request to access the server from the second client identified as not trusted (Peterson, par. 0023: to block such malicious data/command using an application firewall 308; par. 0024: the application firewall 308 not block the legitimate request).

As per claim 6, the references as combined above teach the method of claim 1, further comprising: 
determining, by the device, that a second response from the server is transmitted in response to a second request from a second client device of the plurality of clients identified as not trusted (Peterson, par. 0023: A malicious user); and 
applying, by the device, a default configuration profile of the firewall to determine whether to permit or restrict the second response from the server (Peterson, par. 0023: desirable to block such malicious data/command using an application firewall 308, e.g., a Web Application Firewall (WAF)).


As per claim 8, the references as combined above teach the method of claim 1, wherein determining that the server is susceptible further comprises determining that the response includes data matches at least one pattern defined for the security vulnerability (Peterson, par. 0026: compares the result now obtained to previously recorded benchmark results (that were obtained in the step 322). Peterson discloses the previously recorded benchmark results represent the expected behavior of the application 306, which is the same as at least one pattern defined for the security vulnerability, and in response to the legitimate request, any significant difference between the two results are compared to determine whether the server is susceptible).

As per claim 10, the references as combined above teach the method of claim 1, further comprising providing, by the device for display, information identifying the configuration profile for the firewall to restrict requests of the action type (Peterson, par. 0022-0023: the system provides information by downloading any existing application firewall configuration.  If the firewall configuration system identifies a security defect that leaves at least a part of the application vulnerable to attack, it then generates the necessary configuration to mitigate the vulnerability (step 208)).

As per claim 11, Roi teaches a system for generating a configuration profile for a firewall, comprising: 
a device having one or more processors coupled with memory intermediary between a plurality of clients and a server, configured to: 
modify a request from a client of the plurality of clients to access the server to include a payload provided by the device (Roi, par. 0009: at least one request submitted from a client to a server running the program; par. 0022: requests taken from the original recordings but enhanced with malicious payloads for security testing), the payload comprising a content type selected from a plurality of content types used to probe the server for a corresponding security vulnerability of a plurality of security vulnerabilities (Roi, par. 0034: generates requests … to test different types of attacks); 
transmit, to server, the request including the payload to cause the server to provide a response to the device (Roi, par. 0028: submit requests to and receive responses from server and the requests and responses normally travel over a path 32 through network 30; par. 0026); 
determine that the server is susceptible to a security vulnerability of the plurality of security vulnerability corresponding to the content type based at least on the response (Roi, par. 0070: Test generator 56 reviews responses returned by application 22 and reports … when the responses are indicative of possible vulnerabilities); and 
While Roi discusses that the user sets the proxy configuration of QA test, Roi is silent about  generating a configuration profile for the firewall to restrict requests of the action type to access the server from the plurality of clients.  This aspect of the claim is identified as a difference.
In a related art, Peterson teaches:
generate a configuration profile for the firewall to restrict requests of the content type to access the server from the plurality of clients (Peterson, par. 0022: generates the necessary configuration to mitigate the vulnerability (step 208); see also par. 0021 for setting up the firewall configuration system to test an application to be protected by the application firewall (step 202); par. 0023-0024: a testing and firewall configuration system can be used to avoid or at least mitigate any harmful effects of cross-site scripting (XSS) vulnerabilities, which is a type of action to access the server).
Roi and Peterson are analogous art, because they are in a similar field of endeavor in improving mitigations for the computer vulnerability.  Thus, it would have been obvious to one of ordinary in the art, before the effective filing date of the claimed invention, to combine them and to modify Roi by Peterson to include adding or updating a configuration profile for a firewall that restricts certain types of access requests that cause security risks.  For this combination, the motivation would have been to improve the level of security with newly generated or updated configuration profile for the firewall.

As per claim 12, the references as combined above teach the system of claim 11, wherein the device is further configured to: 
determine that the server is not susceptible to a second vulnerability of the plurality of security vulnerabilities corresponding to a second action type of the plurality of action types based at least on a second response to a second request including a second payload comprising the second action type (Peterson, par. 0026: As the previously recorded benchmark results represent the expected behavior of the application 306 in response to the legitimate request); and 
generate a second configuration profile for the firewall to permit requests of the second action type to access the server from the plurality of clients (Peterson, par. 0028-0029: providing … application firewall configuration; various parameters associated with an application firewall can be adjusted. The security policy of the firewall may also be updated and [added] …to permit a legitimate request; see par. 0010).

As per claim 13, the references as combined above teach the system of claim 11, wherein the device is further configured to: 
determine that a second response from a server is to be restricted in accordance with the configuration profile for the firewall (Peterson, par. 0022: generates the necessary configuration to mitigate the vulnerability (step 208); par. 0023: firewall configuration system can be used to avoid or at least mitigate any harmful effects of cross-site scripting (XSS) vulnerabilities); 
identify, based at least on the determination that the second response is to be restricted, a level of violation of the second response (Peterson, par. 0022: After a defined period of time and/or a defined number of iterations, if ultimately unsuccessful, the system reports the identified vulnerability); and 
modify the configuration profile using the level of violation determined for the second response (Peterson, clm. 1: modification to a first parameter of the application firewall and adjusting the first parameter; and par. 0025: adjusting one of several parameters and/or one or more security policies associated with an application firewall 308).

As per claim 14, the references as combined above teach the system of claim 11, wherein the device is further configured to:
identify, responsive to determining that the server is susceptible to the security vulnerability, at least one of a level of security check or a level of counteraction for the security vulnerability based at least on the response (Peterson, par. 0022: After a defined period of time and/or a defined number of iterations, if ultimately unsuccessful, the system reports the identified vulnerability), and 
generate the configuration profile for the firewall in accordance with at least one of the level of security check or the level of counteraction (Peterson, par. 0025-0028: iterative testing is an increased level of security check or the level of counteraction.  Peterson here describes a method of repeating testing using the XSS test and the legitimate request).

As per claim 15, the references as combined above teach the system of claim 11, wherein the device is further configured to: 
identify, from the plurality of clients, the client as trusted for generation of the configuration profile and a second client as not trusted (Peterson, par. 0023-0024: a malicious client vs. legitimate client); and 
select the request to access the server from the client identified as trusted to modify to include the payload, concurrent with not selecting a second request to access the server from the second client identified as not trusted (Peterson, par. 0023: to block such malicious data/command using an application firewall 308; par. 0024: the application firewall 308 not block the legitimate request).

As per claim 16, the references as combined above teach the system of claim 11, wherein the device is further configured to: 
determine that a second response from the server is transmitted in response to a second request from a second client device of the plurality of clients identified as not trusted (Peterson, par. 0023: A malicious user is not a trusted client); and 
apply a default configuration profile of the firewall to determine whether to permit or restrict the second response from the server (Peterson, par. 0023: desirable to block such malicious data/command using an application firewall 308, e.g., a Web Application Firewall (WAF)).

As per claim 17, the references as combined above teach the system of claim 11, wherein the device is further configured to provide, for display, information identifying the configuration profile for the firewall to restrict requests of the action type (Peterson, par. 0022: generates the necessary configuration to mitigate the vulnerability (step 208); see also par. 0021 for firewall configuration and par. 0023-0024: to avoid cross-site scripting (XSS) vulnerabilities).

As per claim 18, Roi teaches a non-transitory computer readable medium storing program instructions for causing one or more processors to: 
modify a request from a client of a plurality of clients to access a server to include a payload provided by the one or more processors (Roi, par. 0009: at least one request submitted from a client to a server running the program; par. 0022: requests taken from the original recordings but enhanced with malicious payloads for security testing), the payload comprising a content type selected from a plurality of content types used to probe the server for a corresponding security vulnerability of a plurality of security vulnerabilities (Roi, par. 0034: generates requests … to test different types of attacks); 
transmit, to server, the request including the payload to cause the server to provide a response to the one or more processors (Roi, par. 0028: submit requests to and receive responses from server and the requests and responses normally travel over a path 32 through network 30; par. 0026); 
determine that the server is susceptible to a security vulnerability of the plurality of security vulnerability corresponding to the content type based at least on the response (Roi, par. 0070: Test generator 56 reviews responses returned by application 22 and reports … when the responses are indicative of possible vulnerabilities); and 
While Roi discusses that the user sets the proxy configuration of QA test, Roi is silent about generating a configuration profile for the firewall to restrict requests of the action type to access the server from the plurality of clients.  This aspect of the claim is identified as a difference.
In a related art, Peterson teaches:
generate a configuration profile for the firewall to restrict requests of the content type to access the server from the plurality of clients (Peterson, par. 0022: generates the necessary configuration to mitigate the vulnerability (step 208); see also par. 0021 for setting up the firewall configuration system to test an application to be protected by the application firewall (step 202); par. 0023-0024: a testing and firewall configuration system can be used to avoid or at least mitigate any harmful effects of cross-site scripting (XSS) vulnerabilities, which is a type of action to access the server).
Roi and Peterson are analogous art, because they are in a similar field of endeavor in improving mitigations for the computer vulnerability.  Thus, it would have been obvious to one of ordinary in the art, before the effective filing date of the claimed invention, to combine them and to modify Roi by Peterson to include adding or updating a configuration profile for a firewall that restricts certain types of access requests that cause security risks.  For this combination, the motivation would have been to improve the level of security with newly generated or updated configuration profile for the firewall.

As per claim 19, the references as combined above teach the non-transitory computer readable medium of claim 18, wherein the program instructions further cause the one or more processors to: 
determine that the server is not susceptible to a second vulnerability of the plurality of security vulnerabilities corresponding to a second action type of the plurality of action types based at least on a second response to a second request including a second payload comprising the second action type (Peterson, par. 0026: As the previously recorded benchmark results represent the expected behavior of the application 306 in response to the legitimate request); and 
generate a second configuration profile for the firewall to permit requests of the second action type to access the server from the plurality of clients (Peterson, par. 0028-0029: providing … application firewall configuration; various parameters associated with an application firewall can be adjusted. The security policy of the firewall may also be updated and [added] …to permit a legitimate request; see par. 0010).
.

As per claim 20, the references as combined above teach the non-transitory computer readable medium of claim 18, wherein the program instructions further cause the one or more processors to: 
identify, from the plurality of clients, the client as trusted for generation of the configuration profile and a second client as not trusted (Peterson, par. 0023-0024: a malicious client vs. legitimate client); and 
select the request to access the server from the client identified as trusted to modify to include the payload, concurrent with not selecting a second request to access the server from the second client identified as not trusted (Peterson, par. 0023: to block such malicious data/command using an application firewall 308; par. 0024: the application firewall 308 not block the legitimate request).

Allowable Subject Matter
Claims 7 and 9 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

The claim 7 recites elements of “wherein modifying the request to access further comprises modifying, in response to setting the device to a mode for generation of the configuration profile using requests from a subset of the plurality of clients, the request from the client to access the server to include the payload”.  The features of setting the device to a mode for generation of the configuration profile using requests from a subset of the plurality of clients with including the payload, in combination with the other limitations in the claim 1, are not anticipated by, nor made obvious over the prior art of record.
The claim 9 recites elements of “applying, by the device in response to setting the device to a mode for use of the configuration profile, the configuration profile to the firewall to restrict responses from the server transmitted in response to corresponding requests from at least one of the plurality of clients.”  These features, especially setting the device to a mode for use of the configuration profile … to restrict responses from the server, in combination with the other limitations in the claim 1, are not anticipated by, nor made obvious over the prior art of record.


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure as the prior art additionally discloses certain parts of the claim features (See “PTO-892 Notice of Reference Cited”).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DON ZHAO whose telephone number is (571)272.9953.  The examiner can normally be reached on Monday to Friday, 7:30 A.M to 5:00 P.M EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl G Colin can be reached on 571.272.3862.  The fax phone number for the organization where this application or proceeding is assigned is 571.273.8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866.217.9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800.786.9199 (IN USA OR CANADA) or 571.272.1000.


/Don G Zhao/Primary Examiner, Art Unit 2493                                                                                                                                                                                                        11/17/2022