Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 07/18/2022 has been entered.

Status of Claims
This is in response to the amendments filed on 06/14/2022. Claims 1, 5-6, 11 and 15-16 have been amended. Claims 1-20 are pending and have been considered below.

Priority
16666092, filed 10/28/2019, is a continuation of 14927580, filed 10/30/2015, now U.S. Patent #10476893 and having 2 RCE-type filings therein.

Drawings
The drawings filed on 10/28/2019 are accepted.

Specification
The specification filed on 10/28/2019 is accepted.

Response to Arguments
Applicant’s arguments with respect to newly amended independent claims have been considered but are moot in view of the new ground of rejection in view of the newly found prior art to Ghosh et al U.S. 7,181,768 B1.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-6, 8-16 and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Ghosh et al U.S. 7,181,768 B1 in view of Shimoni et al U.S. 2010/0192201 A1.
Claims 1 and 11: Ghosh et al teaches a method and a system comprising: 
a device comprising one or more processors, coupled to memory and configured to (Fig. 2, col. 12, lines 37-39)
establishing, by a device, a plurality of anomaly detection profiles, each of the plurality of anomaly detection profiles identifying an anomaly and one or more detection features for the anomaly (col. 6, lines 20-50, claim 1, 13, lines, claims creating a plurality of application profiles, wherein each application profile comprises a plurality of application data for a corresponding one of the plurality of applications, wherein said application data is collected during the session);
monitoring, by the device, network traffic of an application traversing the device to identify application characteristics of the application (col. 10, line 57 to col. 11, line 30, the application monitor then processes the data and outputs an anomaly value. The anomaly value is tracked via a temporal locality identifier system described more fully in the next section. If the temporal locality identifier indicates numerous anomalies accumulated over a short period of time, then the session is labeled intrusive);
selecting, by the device, from the plurality of anomaly detection profiles, an anomaly detection profile to apply to the network traffic of the application based at least on the application characteristics of an application identified (col. 10, line 57 to col. 11, line 30, The data pre-processor collects this data, separates each monitored application's data into distinct application data streams and converts each data stream into the representation for that particular application's monitor. These data streams represent an execution trace for each monitored application, and are also referred to herein as "application data profiles." The application data profile is fed into the appropriate trained application monitor (i.e., trained neural network). Note that the same encoding for exemplar strings used to train the networks should be used for the application monitoring phase);
establishing, by the device for the anomaly detection profile, values for one or more threshold values for each of the one or more detection features based at least on a range of values identified via the monitored network traffic of the application that is non-anomalous (col. 7, line 55 to col. 6, line 30, for each application in the session, the data strings are compared, in the order they were generated, with the associated model application profile. For each segment, a data string counter tracks the number of data strings that are not found in the model profile for the application. If the ratio of such data strings to the total number of data strings in a segment exceeds a pre-determined data string threshold, the segment is labeled anomalous. Similarly, for each anomalous segment in an application profile for a session, a segment counter is incremented. If the ratio of the number of anomalous segments to the total number of segments in the application profile exceeds a segment threshold, the application is labeled anomalous and an application counter is incremented. This process is repeated for each application profile in the session);
detecting, by the device, an anomaly in the network traffic of the application responsive to comparing values of one or more detection features identified in the network traffic of the application to the one or more threshold values set for the anomaly detection profile (col. 7, line 40 to col. 8, line 30, col. 2, lines 37 to col. 13, line 20, for each application in the session, the data strings are compared, in the order they were generated, with the associated model application profile. For each segment, a data string counter tracks the number of data strings that are not found in the model profile for the application. If the ratio of such data strings to the total number of data strings in a segment exceeds a pre-determined data string threshold, the segment is labeled anomalous); and
Shimoni et al in a similar field of endeavor teaches 
blocking, by the device responsive to detecting the anomaly, at least a portion of the network traffic of the application (par. 135, 138, the requests exceeding the threshold may be blocked and/or another responsive action may be performed. For example, a user can be logged out of the system, an alert can be generated for an administrator, subsequent requests from the user or from the user's IP address can be blocked, and/or other actions may be performed in response to the threshold being exceeded).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the disclosure of Ghosh et al with the additional features of Shimoni et al in order to provide the ability to protect Web applications from security breaches, as suggested by Shimoni et al, par. 6.
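The two-level ratio test quoted from Ghosh et al in the rejection of claims 1 and 11 above (data string threshold per segment, then segment threshold per application, then an application counter per session) can be illustrated as follows. This is an added example, not code from the Office action or from any cited reference; the function names, segment size, threshold values and sample data strings are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Verdict:
    anomalous_segments: int
    total_segments: int
    anomalous: bool

def score_application(trace, model_profile, segment_size=4,
                      string_threshold=0.25, segment_threshold=0.5):
    """Two-level ratio test over one application's data strings, in order."""
    bad = total = 0
    for start in range(0, len(trace), segment_size):
        segment = trace[start:start + segment_size]
        # Data string counter: strings not found in the model profile.
        misses = sum(1 for s in segment if s not in model_profile)
        total += 1
        if misses / len(segment) > string_threshold:   # "exceeds" is strict
            bad += 1                                   # segment counter
    # An empty trace has no segments and is never labeled anomalous.
    return Verdict(bad, total, total > 0 and bad / total > segment_threshold)

def score_session(session, profiles, **thresholds):
    """Return (application counter, per-application verdicts) for a session."""
    verdicts = {}
    for app, trace in session.items():
        # Assumption: an application with no model profile is scored against
        # an empty profile, so every one of its data strings counts as a miss.
        verdicts[app] = score_application(trace, profiles.get(app, set()), **thresholds)
    return sum(v.anomalous for v in verdicts.values()), verdicts

# Constructed sample data (not taken from Ghosh et al or the Office action).
PROFILES = {
    "printer": {"open read", "read write", "write close"},
    "mailer": {"accept read", "read send", "send close"},
}
SESSION = {
    "printer": ["open read", "read write", "write close", "open read",
                "read write", "write close"],
    # One noisy segment out of two: ratio 0.5 does not exceed 0.5.
    "mailer": ["accept read", "read send", "send close", "accept read",
               "read exec", "exec chmod", "read send", "send close"],
    # No model profile exists for this application.
    "shell": ["exec chmod", "chmod exec", "exec open", "open write"],
}

if __name__ == "__main__":
    count, verdicts = score_session(SESSION, PROFILES)
    print(count, verdicts)
```

Lowering the assumed segment threshold below 0.5 flips the "mailer" verdict, which shows how the second-level threshold absorbs isolated noisy segments.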
Claims 2 and 12: the combination teaches 
communicating, by the device responsive to detecting the anomaly, an alert regarding the detected anomaly (Shimoni et al, par. 52, 135).
The same motivation to modify Ghosh et al in view of Shimoni et al applied to claims 1 and 11 above applies here.
Claims 3 and 13: the combination teaches
wherein each of the plurality of anomaly detection profiles identifies the one or more threshold values to use for comparing the values of the one or more detection features (Ghosh et al, col. 7, line 40 to col. 8, line 30, Shimoni et al, par. 107, 118, 120, 132-135).
The same motivation to modify Ghosh et al in view of Shimoni et al applied to claims 1 and 11 above applies here.
Claims 4 and 14: the combination teaches  
wherein the one or more threshold values are specific to the application (Ghosh et al, col. 7, line 40 to col. 8, line 30, Shimoni et al, par. 107, 118, 120, 132-135).
The same motivation to modify Ghosh et al in view of Shimoni et al applied to claims 1 and 11 above applies here.
Claims 5 and 15: the combination teaches 
wherein the values for the one or more threshold values are established using an anomaly detection model (Ghosh et al, col. 7, line 40 to col. 8, Shimoni et al, par. 107, 118, 120, 132-135).
The same motivation to modify Ghosh et al in view of Shimoni et al applied to claims 1 and 11 above applies here.
Claims 6 and 16: the combination teaches
wherein the anomaly detection model of the device monitors the network traffic to establish the values for the one or more threshold values (Ghosh et al, col. 7, line 40 to col. 8, Shimoni et al, par. 107, 118, 120, 132-135).
The same motivation to modify Ghosh et al in view of Shimoni et al applied to claims 5 and 15 above applies here.
Claims 8 and 18: the combination teaches  
identifying the application characteristics from a log of network traffic received by the device (Shimoni et al, par. 84, 88). 
The same motivation to modify Ghosh et al in view of Shimoni et al applied to claims 1 and 11 above applies here.
Claims 9 and 19: the combination teaches 
further comprising monitoring, by the device, network traffic of the application to identify the values of the one or more detection features (Shimoni et al, par. 91, 107-112).
The same motivation to modify Ghosh et al in view of Shimoni et al applied to claims 1 and 11 above applies here.
Claims 10 and 20: the combination teaches
wherein the device is intermediary to a plurality of clients and the application (Shimoni et al, Figs. 1 & 3).
The same motivation to modify Ghosh et al in view of Shimoni et al applied to claims 1 and 11 above applies here.

Claims 7 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Ghosh et al U.S. 7,181,768 B1 in view of Shimoni et al U.S. 2010/0192201 A1 in further view of Roundy et al U.S. 9,275,226 B1.
Claims 7 and 17: the combination teaches
further comprising identifying the application characteristics that correspond to the one or more detection features used to detect at least one of a denial of service attack, a brute force attempt at determining login credentials associated with the application or anomalous packet payloads (Shimoni et al, par. 107, 11, 116, 130),
The same motivation to modify Ghosh et al in view of Shimoni et al applied to claims 1 and 11 above applies here.
The combination fails to teach, however Roundy et al in the same field of endeavor teaches
comprising identifying the application characteristics that correspond to the one or more detection features used to detect at least one of web scraping (col.4, lines 21-25)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the disclosure of Ghosh et al with the additional features of Roundy et al in order to provide the ability to determine whether the identified website includes a malicious software attack designed to selectively attack visitors to the website, as suggested by Roundy et al, abstract.
The following prior art is cited to further show the state of the art at the time of Applicants’ invention with respect to anomalous application profiles.
Jang et al U.S. 2009/0313699 A1 teaches an apparatus and method for preventing an anomaly of an application program are provided. More particularly, an apparatus and method for preventing an anomaly of an application program that detect and stop an anomaly on the basis of a behavior profile for an application program are provided.
Gadde et al U.S. 2006/0037077 A1 teaches an intrusion detection system and method for a computer network includes a processor and one or more programs that run on the processor for application inspection of data packets traversing the computer network. The one or more programs also obtaining attribute information from the packets specific to a particular application and comparing the attribute information against a knowledge database that provides a baseline of normal network behavior. The processor raises an alarm whenever the attribute information exceeds a predetermined range of deviation from the baseline of normal network behavior. It is emphasized that this abstract is provided to comply with the rules requiring an abstract that will allow a searcher or other reader to quickly ascertain the subject matter of the technical disclosure. It is submitted with the understanding that it will not be used to interpret or limit the scope or meaning of the claims.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to FATOUMATA TRAORE whose telephone number is (571)270-1685. The examiner can normally be reached 6:30-3:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SHEWAYE GELAGAY can be reached on 5712724219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





Wednesday, November 16, 2022
/FATOUMATA TRAORE/              Primary Examiner, Art Unit 2436