Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This action is in response to communication filed 08/08/2022. Claims 1, 8 and 15 are amended, claims 2, 9 and 16 are canceled, and claims 1, 3-8, 10-15 and 17-20 remain pending.

Response to Arguments
Applicant’s arguments with respect to claim(s) 1, 3-8, 10-15 and 17-20 have been considered but are not persuasive.
Applicant argues “At best, paragraph [0032] of Bhalode states, “The application information model can then be used to produce a comprehensive whitelist of security-relevant behaviors of the application, which can be used with various security applications such as attack prediction, detection, prevention, and response tools. In this manner, users of an enterprise software application are better safeguarded against client-side attacks on the application”. However, generating and comparing a normalized fingerprint for a web object to normalized fingerprints for web resources to determine a match as required by claim 1 is different than producing a comprehensive whitelist as taught by Bhalode” – Remarks: page 8.

Bhalode discloses metadata describing dependencies in the application image file, such as the application relying on certain libraries, and this information could be included in static analysis results, wherein the static analysis is used to analyze scripts and their structure, abstract syntax trees are built to break the scripts down to abstractions, and the scripts can then be mapped down to a fewer number of abstractions. The representation of the application information model, which is based on the abstract syntax tree (AST), i.e., a fingerprinting algorithm, is abstracted or normalized across all operating systems, languages, frameworks, and likely users of the model – Bhalode: par. 0020-0025. Bhalode further discloses that some relevant security features are extracted during the Application Information Model (AIM) extraction process to identify a whitelist of all code and script resources utilized by the application, which enables the security service to ensure that scripts are only retrieved from legitimate sources and have not been tampered with, to effectively block attackers trying to introduce a new piece of code or tamper with existing code. The AIM extraction process also identifies a whitelist of all third parties that an application retrieves resources from, to ensure that the application does not interact with untrusted third-party domains – Bhalode: par. 0030 – Note: “determining a matched fingerprinted web object” is equivalent to “identifying a whitelist according to the AIM using the AIM extraction process”, wherein the AIM is generated based on an abstract syntax tree (a fingerprinting algorithm), and “ensuring that scripts are only retrieved from legitimate sources and have not been tampered with” inherently includes “comparing”.

Allowable Subject Matter
Claims 7 and 14 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim, any intervening claims and additional features from the specification found in par. 0025-0027, for example, as shown below.

“A method of operating a computing system to facilitate creation of security profiles for web application components comprising a plurality of web resources, the method comprising:
analyzing [[a]] the plurality of web resources used to construct web applications to generate normalized fingerprints for plurality of security risk factors each of the plurality of web resources;
determining a plurality of security risk factors for each of the plurality of web resources based on the normalized fingerprints generated for each of the plurality of web resources; 
generating a reputation score for each of the plurality of web resources based on  a level of information gain associated with the web resource determined by a weighted score of relative weights assigned to each of the plurality of the security risk factors of the web resource;
upon receiving an Application Programming Interface (API) call that identifies a web object of a web application[[; ]]:
generating a normalized fingerprint for the web object and comparing the normalized fingerprint for the web object to the normalized fingerprints for each of the plurality of web resources to determine one of the web resources that matches the web object, wherein simple syntactical differences are ignored in the determining; and 
returning the reputation score for the one of the web resources that matches the web object.”
Applicant is invited to initiate an interview to resume the discussion initiated in the interview dated 11/21/2022. Please see the attached summary.


Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.



Claims 1, 8 and 15 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Bhalode, WO2018/081629.

Per claim 1, Bhalode discloses a method of operating a computing system to facilitate creation of security profiles for web application components, the method comprising: 
analyzing a plurality of web resources used to construct web applications to generate normalized fingerprints for each of the web resources (metadata might describe dependencies in the application image file, such as the application relying on certain libraries, and this information could be included in the static analysis results. In at least one implementation, static analysis is used to analyze scripts and their structure, and abstract syntax trees are built to break the scripts down to abstractions, and the scripts can then be mapped down to a fewer number of abstractions …representation of the application information model should be abstracted or normalized across all operating systems, languages, frameworks, and likely users of the model, such as CSP and other security enforcement engines that can be configured to protect the application by leveraging the information provided in the model – Bhalode: par. 0020 and 0022 – Note: the abstract syntax tree (AST) is a fingerprinting algorithm used in generating an application information model representing a structure of the application information which is normalized across all operating systems, languages, frameworks, and likely users of the model);
determining a plurality of security risk factors for each of the plurality of web resources based on the normalized fingerprints generated for each of the web resources (the application information model may define a set of security-relevant behavior and attributes of the application that describe the application's interaction with the surrounding infrastructure, such as hardware, operating system, network, file system, libraries, frameworks, and public, private, or hybrid cloud. The security-relevant behaviors that may be derived from the static and dynamic analysis results and included in the application information model could also describe the application's interaction with other application-level entities, such as clients, servers, and remote peers, and may further describe dependencies on resource providers, such as memory, external code or scripts, URLs, data, and other resources – Bhalode: par. 0023); and 
generating a reputation score for each of the plurality of web resources based on the security risk factors determined for each of the web resources (computing system 140 could compute confidence levels for comprehensiveness of the static analysis results and the dynamic analysis results. These confidence levels could further be broken down into the classes of security-relevant behaviors described above. For example, confidence levels for the comprehensiveness of each category of attributes may be computed, either partially or completely for each component or subsystem of the application. The combination of analysis techniques that are used to generate the application information model may thus provide confidence levels about the accuracy and completeness on a per-attribute or pre-attribute class basis. Computing system 140 determines security policies for the software application based on the application information model (204)… by generating a whitelist for the software application that indicates approved behavior of the software application. All behaviors in this set are legitimate when the application is running in an uncompromised state, meaning the application's execution code has not been altered with malicious code or data injection. Any behavior outside of this set indicates that the application has been compromised – Bhalode: par. 0024-0025);
receiving an Application Programming Interface (API) call that identifies a web object of a web application (computing system 140 could determine the security policies for the software application based on the application information model by generating a whitelist for the software application that indicates approved behavior of the software application. All behaviors in this set are legitimate when the application is running in an uncompromised state, meaning the application's execution code has not been altered with malicious code or data injection…the browser executing on client device 101 and 102 observes any behavior of the software application that deviates from the whitelist of behaviors identified in the security policies – Bhalode: par. 0025 and 0030 – Note: the application information model is associated with a respective class of security-relevant behaviors and describes the application's interactions with the surrounding infrastructure, e.g., API calls, library calls, etc.);
generating a normalized fingerprint for the web object and comparing the normalized fingerprint for the web object to the normalized fingerprints for each of the web resources to determine one of the web resources that matches the web object (The dynamic analysis captures a comprehensive set of security-relevant behaviors or attributes of the application that describe the application's interaction with the client device, the server, third-party content and code repositories, such as CDNs and advertisement networks. Some relevant security features that are extracted during the [Application Information Model] AIM extraction process include identifying a whitelist of all code and script resources utilized by the application, which enables the security service to ensure that scripts are only retrieved from legitimate sources and have not been tampered with, effectively blocking attackers trying to introduce a new piece of code or tamper with existing code. The AIM extraction process could also identify a whitelist of all third-parties that an application retrieves resources from, to ensure that the application does not interact with untrusted third-party domains – Bhalode: par. 0030 – Note: the abstract syntax tree (AST) is a fingerprinting algorithm used for generating a normalized structure of the application information, which is matched against the generated application information model, i.e., a whitelist of all code, script resources and third-party resource providers); and
returning the reputation score for the one of the web resources that matches the web object (the application information model provides confidence levels/scores about the accuracy and completeness on a per-attribute or pre-attribute class basis …The dynamic analysis captures a comprehensive set of security-relevant behaviors or attributes of the application that describe the application's interaction with the client device, the server, third-party content and code repositories, such as CDNs and advertisement networks. Some relevant security features that are extracted during the [Application Information Model] AIM extraction process include identifying a whitelist of all code and script resources utilized by the application…The AIM extraction process could also identify a whitelist of all third-parties that an application retrieves resources from – Bhalode: par. 0024 and 0030 – Note: implementing the AIM as an application security service ensures that scripts are only retrieved from legitimate sources and have not been tampered with, to effectively block attackers trying to introduce a new piece of code or tamper with existing code. It further ensures that the application does not interact with untrusted third-party domains).

Per claim 8, it recites one or more computer-readable storage media having program instructions stored thereon to facilitate creation of security profiles for web application components, wherein the program instructions, when executed by a computing system (When executed by computing system 500 in general, and processing system 501 in particular, software 505 directs computing system 500 to operate as described herein for wireless communication device and/or server 130 for execution of software application security process 200 – Bhalode: par. 0040 – Fig. 5), direct the computing system to at least operate as set forth by the method steps of claim 1.
Therefore, claim 8 is rejected based on the same analysis set forth in the rejection of claim 1 above. 

Per claim 15, it recites an apparatus comprising: 
one or more computer-readable storage media (storage system 503); and program instructions stored on the one or more computer-readable storage media (Computing system 500 includes processing system 501, storage system 503, software 505, communication interface 507, and user interface 509. Processing system 501 is operatively coupled with storage system 503, communication interface 507, and user interface 509. Processing system 501 loads and executes software 505 from storage system 503 – Bhalode: par. 0040 – Fig. 5) that, when executed by a processing system (When executed by computing system 500 in general, and processing system 501 in particular, software 505 directs computing system 500 to operate as described herein for wireless communication device and/or server 130 for execution of software application security process 200 – Bhalode: par. 0040 – Fig. 5), direct the processing system to at least operate as set forth by the method steps of claim 1. 
Therefore, claim 15 is rejected based on the same analysis set forth in the rejection of claim 1 above. 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

1.	Claims 5-7, 12-14 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Bhalode, WO2018/081629 in view of Gorny, US2017/0324760.

Per claims 5, 12 and 19, Bhalode discloses features of claims 1, 8 and 15, respectively, wherein the normalized fingerprints generated for each of the web resources comprise abstract syntax trees (metadata might describe dependencies in the application image file, such as the application relying on certain libraries, and this information could be included in the static analysis results. In at least one implementation, static analysis is used to analyze scripts and their structure, and abstract syntax trees are built to break the scripts down to abstractions, and the scripts can then be mapped down to a fewer number of abstractions – Bhalode: par. 0020).

Per claims 6, 13 and 20, Bhalode discloses features of claims 1, 8 and 15, respectively.
Bhalode is not relied on to explicitly disclose this limitation, but Gorny discloses wherein determining the plurality of security risk factors for each of the plurality of web resources comprises determining the plurality of security risk factors for each of the plurality of web resources based on prevalence of each of the web resources (Content elements, categories, risk factors and the like 106 may be processed with the website content to determine website characteristics 108 and their corresponding occurrence count 110. These characteristics may be dichotomized 112 to produce a website characteristic value 114. Such a value 114 may be weighted 118 to produce a characteristic contribution to website vulnerability risk value 120. Risk values in each of a plurality of categories of characteristics may be summed within each category and further processed to produce a risk sum 122 that may be normalized and fitted to a risk prediction range 124 to produce a risk assessment 128 – Gorny: par. 0045 – Note: prevalence of web resources is equivalent to the occurrence count of website characteristics).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Bhalode in view of Gorny to include determining the plurality of security risk factors for each of the plurality of web resources based on prevalence of each of the web resources, and generating the reputation score for each of the plurality of web resources based on the security risk factors so determined.
One of ordinary skill in the art would have been motivated because it would allow including “an algorithm that supports weighting certain characteristics over others to produce a rare website security breach event prediction” – Gorny: par. 0009. It would further allow including “a predefined range of probabilities to determine a degree of risk such as HIGH, MEDIUM, and LOW” – Gorny: par. 0065.

Per claims 7 and 14, Bhalode discloses features of claims 1 and 8, respectively.
Bhalode is not relied on to explicitly disclose this limitation, but Gorny discloses wherein generating the reputation score for each of the plurality of web resources based on the security risk factors comprises generating the reputation score for each of the web resources based on levels of information gain associated with each of the web resources (Risk factors that can be determined with website content may include complexity factors, and the like. As an example, merely determining the number of different website elements 208 (e.g., apps, and the like) can help determine a risk level. Generally, a larger number of website elements is associated with a higher likelihood of incurring a security breach…Comparing risk assessments in finer detail than the overall risk score by comparing websites that have content that results in similar high risk categories provides risk scores that are more actionable. Therefore, in addition to the overall risk score, a category-specific risk score is provided – Gorny: par. 0073 and 0076 – Note: service providers of comparable, but differently sourced components (e.g., from different service providers) may be detected through the use of fingerprinting. This information may then be used to assess which services and their potential value 310 are being used on each analyzed website – Gorny: par. 0079).
The same motivation to modify Bhalode in view of Gorny applied to claim 6 above applies here.

2.	Claims 3-4, 10-11 and 17-18 are rejected under 35 U.S.C. 103 as being unpatentable over Bhalode, WO2018/081629 in view of Haddock, WO2013/009713.

Per claims 3, 10 and 17, Bhalode discloses features of claims 1, 8 and 15, respectively.
Bhalode is not relied on to explicitly disclose this limitation, but Haddock discloses wherein analyzing the plurality of web resources to generate the normalized fingerprints for each of the web resources comprises analyzing syntactic structures of the plurality of web resources to generate the normalized fingerprints for each of the web resources (Using syntactical fingerprinting as a distance metric has shown the ability to group websites based on the common structural components that compose the main index page of the website. Analysis shows syntactical fingerprinting at varying thresholds may cause clustering based on phish versus nonphish, branding, or possibly the phisher…Members in the same high threshold cluster may have been created by the same phisher – Haddock: pages 17-18).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Bhalode in view of Haddock to include analyzing the plurality of web resources to generate the normalized fingerprints for each of the web resources comprises analyzing syntactic structures of the plurality of web resources to generate the normalized fingerprints for each of the web resources.
One of ordinary skill in the art would have been motivated because it would allow “to show relationships between files that could lead to file provenance and family, especially when the file format follows a particular syntax tree or protocol” – Haddock: page 4, which would allow “comparing similar phishing website file structural components, or constructs, to determine similarity” – Haddock: page 5.

Per claims 4, 11 and 18, Bhalode discloses features of claims 1, 8 and 15, respectively, wherein the normalized fingerprints generated for each of the web resources describe security attributes of each of the web resources (static analysis is used to analyze scripts and their structure, and abstract syntax trees are built to break the scripts down to abstractions, and the scripts can then be mapped down to a fewer number of abstractions – Bhalode: par. 0020 – Note: instant specification par. 0023 discloses that, in order to generate the normalized fingerprints, each of the web resources 110 is processed by computing system 101 to perform various techniques for extracting security attributes of the web objects, such as object fingerprinting algorithms, abstract syntax trees, hash functions, and other data categorization and parsing techniques; therefore, abstract syntax trees are used to break down a script and map it into a smaller number of abstractions, wherein the abstractions are equivalent to a description of security attributes).
In the alternative where one argues that Bhalode does not inherently disclose the limitation, Haddock explicitly discloses the normalized fingerprints generated for each of the web resources describe security attributes of each of the web resources (Utilizing a program such as Beautiful Soup, a Python package that parses broken HTML, HTML tags within the normalized website content files, such as <form>, <script>, and <table> tags, are identified, and an abstract syntax tree 17 is created for each website…Following parsing of the normalized website content files into abstract syntax trees, a hash value is calculated 18 for each of the identified HTML entities. Hash value sets are constructed from the hash values of each HTML entity of each website content file and stored in database… Once stored, a randomly selected hash value from the set of hash values of a website content file is compared 19 to the hash values of HTML entities of known phishing websites. Hash values are presented in a chronologically arranged hash value table and stored on a database 20 – Haddock: pages 6 and 7 – Note: HTML tags are equivalent to security attributes in the context of the instant disclosure).
The same motivation to modify Bhalode in view of Haddock applied to claim 3 above applies here.
Additionally, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Bhalode in view of Haddock to include normalized fingerprints for each of the web resources that describe security attributes of each of the web resources.
One of ordinary skill in the art would have been motivated because it would allow “automatically identifying newly observed phishing websites within a toolbar, correctly branding the phishing websites for investigation, and determining the prevalence and provenance of the phishing websites” – Haddock: page 1. 

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Sharifi (US10318543) is directed to identifying a resource, via a network, wherein the resource includes a reference to a content item, and extracting metadata associated with the resource and the reference to the content item. The system can further include an index component configured to associate at least a portion of the metadata with the content item in a data store, and a matching component configured to identify one or more reference content items based on correspondence between the metadata and reference metadata respectively associated with the one or more reference content items.

THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AREZOO SHERKAT whose telephone number is (571)272-8533. The examiner can normally be reached Monday - Friday 8:30-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung Kim, can be reached on 571-272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/AREZOO SHERKAT/Examiner, Art Unit 2494