DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 11/15/2022 has been entered.

Response to Arguments
Applicant's arguments filed 11/15/2022 have been fully considered but they are not persuasive.

Applicant Asserts: Gupta may address the same or a similar problem but does it in a different way than what is recited in claim 1. In particular, Gupta creates a “golden table” (i.e. “a table of valid web requests”) with which to compare incoming requests (para. [0043]), whereas the method of claim 1 classifies incoming queries in order to determine expected characteristics of such queries when the queries are executed. These are distinct approaches, in spite of the Office Action and Advisory Action attempting to map them to one another. Applicant intends for the amendments made herein to make distinctions between the instant claims and the cited references even clearer. Several of these distinctions are identified and discussed in more detail in the following paragraphs. First, both Gupta and Suleman are silent with respect to a database driver proxy that includes computing hardware of at least one processor and memory as now recited in claim 1.

Examiner Response: Respectfully, the Examiner disagrees with applicant representative's declaration that the prior art of record does not teach a database driver proxy. The Examiner is compelled to consider the claims under a broad yet reasonable interpretation in light of the specification and one of ordinary skill in the art. The plain meaning of the database driver proxy is disclosed in the instant specification especially in Figure 2. Turning to Figure 2 the database driver proxy classifies attributes and class queries plus the proxy executes and monitors the queries. Applicant amends claim 1 to include the supported database driver proxy which directs the Examiner to the prior art Gupta to determine if the feature is present. Gupta teaches database driver as the instrumentation engine depicted in Figure 4 as representative of the claimed database driver proxy. The Examiner further notes that any application with an executable file will require a driver.

Applicant Asserts: Second, Gupta does not use classes of queries as in amended claim 1. In claim 1, a class has associated attributes that define expected characteristics of queries of that class when such a query is executed by the database. The Advisory Action argues that a class of query “maps to Gupta’s expression parameters and keywords which enable parsing prior to execution.” Page 3. Gupta discloses that its expression parameters can be checked to determine if they include an incorrect data type or query-specific expressions/keywords, since these things “may be maliciously placed to alter the results of the database queries.” Gupta, para. [0047]. But this is not disclosure of, and does not make Gupta’s expression parameters equivalent to, defining expected query execution characteristics of an overall class as now claimed.

Examiner Response: Respectfully, the Examiner disagrees that Gupta does not suggest class of queries if for no other category than for network traffic such as voice and data. Gupta suggests class of queries by use of machine vectors applied to the query. Machine vectors are directed to commands and features which are clearly classifications. The Examiner finds Gupta teaches the class of queries at the cited location below.

Applicant Asserts: The Office Action also used matching of data stored in Gupta’s “golden table” with the claimed class of query: “the claimed ‘class of query’ is taught by Gupta as ‘correlated/matched’ because a criteria classifies the query.” Office Action, p. 8. This is insufficient to meet the requirements of amended claim 1, however, because the class must have associated attributes that define expected characteristics of queries of the class when the query is executed by the database.

Examiner Response: Based on applicant's amendments, the Examiner maintains that the correlated/matched is at least suggesting a class of query. The Examiner introduced a secondary reference to clearly teach the class of query determined by its associated attributes.

Applicant Asserts: Next, there is no teaching in Gupta of a database driver proxy monitoring characteristics of a query execution when the query is executed by the database. The Office Action again refers to Gupta’s golden table but admits it is formed to “prepare for detecting and preventing injection attacks” (Office Action, id.). There is no monitoring of a query being executed by the database disclosed. Instead, Gupta “intercept[s] traffic” and requests for comparison with the golden table to detect injection attacks (paras. [0046]-[0047]; see also step 390 in FIG. 3A); it does monitor queries being executed by the (target) database.

Examiner Response: Respectfully, the Examiner disagrees and maintains the rejections at the cited portion of the references with the accompanying rationale for making the rejection.

Applicant Asserts: Finally, because of the aforementioned distinctions in its approach from that of amended claim 1 (e.g., Gupta does not monitor a query being executed by a database), Gupta logically cannot determine that any monitored characteristics deviate from expected characteristics to identify the query as malicious.

Examiner Response:  Respectfully, the Examiner disagrees and interprets Gupta as teaching both static formation of a golden table, and a dynamic runtime formation and monitoring of queries against the golden table via instrumentation engine depicted in Figure 4A.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-7 are rejected under 35 U.S.C. 103 as being unpatentable over Gupta; Satya Vrat, US 20160337400 A1, November 17, 2016, hereafter referred to as Gupta in view of Suleman et al., US 20170140027 A1, hereinafter referred to as Suleman.       

               As to claim 1, Gupta teaches a computer implemented method to identify a malicious database request – Gupta [0053] FIG. 3A illustrates a flowchart depicting an example method of detecting (and preventing) injection attacks.  Here, the claimed ‘method’ is taught by Gupta as ‘example method’ depicted in Figure 3A whereas the claimed ‘malicious request’ is  taught by Gupta as ‘injection attack’ since injection attacks inject in queries are malicious content)  by a database driver proxy including computing hardware of at least one processor and memory operably coupled to the at least one processor - Gupta [0056] ... Then, the instrumentation engine may simulate (i.e., fire) each of the formed web request with contextually appropriate user and form data. Using an initiated packet capture tool (PCAP), the instrumentation engine may capture the database queries 430 triggered in response to each simulated request.  Here, the claimed ‘database driver proxy’ is taught by Gupta as ‘instrumentation engine’ depicted in figure 4A since the engine performs static or dynamic formation of valid queries and addresses.  The claimed ‘processor and memory’ is taught by Gupta as ‘packet capture tool (PCAP)’ since it maps requests and valid addresses extracted from application files on behalf of the security monitoring agent, the method comprising:
       the database driver proxy receiving a query for retrieving data from a database – Gupta [0046] Once a golden table is present at the analysis engine, at step 340, web requests, and corresponding database entries, may be captured from network traffic received in the web application infrastructure. In some embodiments, the analysis engine may capture the requests and database queries, and in other embodiments the instrumentation engine may capture the requests and database queries.  Here, the claimed ‘receiving’ is taught by Gupta as ‘entries, may be captured’);
         before execution of the query – Gupta [0046] ... The instrumentation engine or analysis engine may capture the request by instrumenting strategic code, such as the HTTP Event pipeline, to detect and intercept traffic at the web server or application server or monitoring specific APIs at the web server or application server. Here, the claimed ‘before execution’ is taught by Gupta as ‘detect and intercept traffic’ whereas the claimed ‘query’ is taught by Gupta as ‘traffic’ which includes the database query), the database driver proxy classifying the query based on instructions contained in the query to identify a class of query for the query – Gupta [0046] ... The instrumentation engine may also parse the request and database queries into regular expressions for matching against network traffic. The regular expressions may be added to the regular expression files which are stored in the golden table, or in another memory location, on the analysis engine.  Here, the claimed ‘instructions’ is taught by Gupta as ‘request’ since the request identifies the resource and under what conditions to retrieve the resource.  The claimed ‘class of query’ is suggested by Gupta as ‘regular expressions for matching’ which suggests that the classes are the regular expressions and matching the queries is the classification since the categories of code identify network traffic such as voice or data), the class of query having associated attributes defining expected characteristics of queries of the class when the query is executed by the database – Gupta [0041] …the information of the respective database queries (or other database activities) correlated/matched to a particular user, user data, context, URL, and session may be sent to an analysis engine (or security monitoring agent in other example embodiments) to check for a potential database injection attack (e.g., SQL injection attack.  
Here, the claimed ‘class of query’ is taught by Gupta as ‘database activities’ because a criteria classifies the query, whereas the claimed ‘expected characteristics’ is taught by Gupta as ‘user data, context, URL’ because these characteristics are known and stored in the golden table);
            the database driver proxy monitoring characteristics of the query when the query is executed by the database - Gupta [0043] … the security monitoring agent may form the golden table at load time ... the security monitoring agent may form the golden table at runtime. In some embodiments, the formed table may be updated at runtime with additional valid web requests and additional valid database queries mapped to the requests. The security monitoring agent forms the golden table to prepare for detecting and preventing injection attacks that trigger invalid database queries.  Here, the claimed ‘monitoring characteristics’ is taught by Gupta as ‘update golden table’ whereas the claimed ‘query is executed’ is taught by Gupta as ‘at runtime’);
            the database proxy determining that the monitored characteristics deviate from the expected characteristics and identifying the query as malicious – Gupta [0050] … If the URL match fails, at step 311, the instrumentation engine checks for code at the URL path (e.g., methods of the web application for processing the web request), and if no such code exists for the web application, the instrumentation engine may communicate with the analysis engine, at step 312, to declare an attack. Here, the claimed ‘determining’ is taught by Gupta as ‘checks for code’ whereas the claimed ‘deviate from ...expected’ is taught by Gupta as ‘URL match fails’.  The claimed ‘characteristics’ is taught by Gupta as ‘methods of web application’ since the instrumentation engine can compare known or expected methods against the current code in the query whereas the claimed ‘identifying ...malicious’ is taught by Gupta as ‘no such code exists’ which is the anomaly associated with the known valid database query); and
          the database driver proxy implementing at least one protective measure in response to the identifying – Gupta [0047] ... If one or more of the queries does not map to the request in the mapping table, then at step 390, the analysis engine may communicate this status to the validation engine to declare an injection attack. In some embodiments, the analysis engine may use the regular expression files to perform additional validation of captured database queries prior to declaring attack. Here, the claimed ‘protective measure’ is taught by Gupta as ‘declare an injection attack’.
GUPTA SUGGESTS the query based on instructions contained in the query to identify a class of query for the query HOWEVER SULEMAN TEACHES 
             the query based on instructions contained in the query to identify a class of query for the query – Suleman [0038 and 0041] since at ’38 Block 510 comprises receiving a query for classification at the server 54 from the client device 70. In the present embodiment, the query comprises a text string received from the client device 70…since at ‘41 Block 520 comprises applying a plurality of support vector machine models to the query. It is to be appreciated that each application of a support vector machine model makes a binary determination of which of two classes the query is more likely to be classified.   Here, the claimed ‘instructions’ is taught by Suleman as ‘query for classification’ because queries are identified/associated with a known class at Block 530. The claimed ‘identify a class’ is taught by Gupta as ‘binary determination’ which is how the method determines which class to associate the query.    It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Gupta Golden Table construct to include Suleman class constructs.  Gupta already attempts to identify SQL injections targeted to exploit specific vulnerabilities in target applications.  Gupta with Suleman now has a classification scheme in support of the proxy determination for class definitions increasing processing efficiency which improves the data protection of Gupta’s enterprise web assets depicted in Figure 1).
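
The steps recited in claim 1 (classify the query before execution, monitor its execution, compare against the class's expected characteristics, apply a protective measure) and the per-application rejection of claim 4, as an added Python example that is not taken from the application, Gupta or Suleman. The names ClassProfile and DriverProxy, the verb-plus-table classification rule, the row and column attributes, the SQLite stand-in database and the sample data are all assumptions made for illustration.

```python
import re
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class ClassProfile:
    """Expected execution characteristics for one class of query (assumed attributes)."""
    max_rows: int   # most rows a legitimate query of this class returns
    columns: int    # width of a legitimate result set


class QueryRejected(Exception):
    """The proxy refused to run a query or withheld its result."""


# Assumed classification rule: statement verb plus the first table named,
# both read from the instructions in the query text.
_CLASS_RE = re.compile(r"^\s*(select)\b.*?\bfrom\s+(\w+)", re.I | re.S)


class DriverProxy:
    """Hypothetical proxy sitting between an application and its database driver."""

    def __init__(self, conn, profiles):
        self.conn = conn
        self.profiles = profiles      # {class name: ClassProfile}
        self.blocked_apps = set()     # protective measure: per-application block
        self.alerts = []              # (app, class, deviations)

    def classify(self, sql):
        m = _CLASS_RE.match(sql)
        return f"{m.group(1).lower()}:{m.group(2).lower()}" if m else None

    def execute(self, app, sql):
        if app in self.blocked_apps:
            raise QueryRejected(f"{app}: blocked after an earlier deviation")
        cls = self.classify(sql)                  # classification precedes execution
        profile = self.profiles.get(cls)
        if profile is None:
            raise QueryRejected("query is not in a profiled class")

        cur = self.conn.execute(sql)
        # Monitor execution: read one row past the limit so an overrun is
        # visible without pulling the whole result set into the proxy.
        rows = cur.fetchmany(profile.max_rows + 1)
        deviations = []
        if len(rows) > profile.max_rows:
            deviations.append(f"rows>{profile.max_rows}")
        if len(cur.description) != profile.columns:
            deviations.append(f"columns={len(cur.description)}")

        if deviations:
            self.blocked_apps.add(app)
            self.alerts.append((app, cls, deviations))
            raise QueryRejected(f"{cls}: result withheld ({', '.join(deviations)})")
        return rows


def demo():
    # Constructed sample data and queries.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT);
        INSERT INTO users VALUES
            (1, 'alice', 'a-secret'), (2, 'bob', 'b-secret'), (3, 'carol', 'c-secret');
    """)
    proxy = DriverProxy(conn, {"select:users": ClassProfile(max_rows=1, columns=1)})

    outcome = {"normal": proxy.execute("webapp", "SELECT name FROM users WHERE id = 2")}
    # Same class as above, but the predicate has been widened by injected input.
    for label, sql in (("injected", "SELECT name FROM users WHERE id = 2 OR 1=1"),
                       ("followup", "SELECT name FROM users WHERE id = 2")):
        try:
            outcome[label] = proxy.execute("webapp", sql)
        except QueryRejected as exc:
            outcome[label] = str(exc)
    return outcome, proxy.alerts


if __name__ == "__main__":
    print(demo())
```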

             As to claim 2, the combination of Gupta and Suleman teaches the method of claim 1 wherein the class of query further comprises a class query including the instructions of the query and the expected characteristics are defined based on the execution of the class query – Suleman [0013] The method involves receiving a query for classification. Furthermore, the method involves applying a plurality of support vector machine models to generate a plurality of votes for the query. Each vote of the plurality of votes is configured to indicate an assignment to a class selected from the plurality of classes. In addition, the method involves calculating a probability for each of the plurality of classes. The probability is associated with support vector machine scores between the each of the plurality of classes and the remaining classes. Also, the method involves determining a top class from the plurality of classes. The top class is based on a greatest number of votes and the probability. Here, the claimed ‘instructions’ is taught by Gupta as ‘query for classification’ because in protocol provides for a ‘where clause’ which one of ordinary skill in the art would understand contains the instructions of the query.  The claimed ‘expected characteristics’ is taught by Suleman as ‘vector machine models’ which are feature and command vectors known to the processor and used for parsing).

           As to claim 3, the combination of Gupta and Suleman teaches the method of claim 1 wherein the query is received from a software application – Gupta [0045] using the extracted methods and corresponding data types for the expression parameters, the instrumentation engine may form the web requests for the web application) and responsive to the determination the software application is identified as a malicious application – Gupta [0041] ….the analysis engine may use the matched information (together with a generated golden table or AppMap table) to perform deep context aware searches for detecting a database injection attack.  Here, the claimed ‘software application’ is taught by Gupta as ‘AppMap table’ whereas the claimed ‘identified’ is taught by Gupta as ‘detecting’).

              As to claim 4, the combination of Gupta and Suleman teaches the method of claim 3, wherein the at least one protective measure includes rejecting subsequent queries received from the identified malicious application - Gupta [0089] New events can also be created and linked into the Event and Event Chain database 722 with a severity and remedial action recommended to the analyst. This allows unique events and event chains for a new attack at one installation to be dispatched to other installations. For this purpose, all new events and event chains are loaded into the Event Upgrade Server 735. Here, the claimed ‘protective measure’ is taught by Gupta as ‘remedial action’ whereas the claimed ‘subsequent queries’ are taught by Gupta as ‘new events’).

            As to claim 5, the combination of Gupta and Suleman teaches the method of claim 1 wherein the at least one protective measure includes rejecting subsequent queries belonging to the same class as the query - Gupta [0089] New events can also be created and linked into the Event and Event Chain database 722 with a severity and remedial action recommended to the analyst. This allows unique events and event chains for a new attack at one installation to be dispatched to other installations.  Here, the claimed ‘protective measure’ is taught by Gupta as ‘severity and remedial action’ whereas the claimed ‘same class’ is taught by Gupta as ‘event chains’) and having attributes determined to be similar to attributes of the query – Gupta [0071] …the output of the captured database query may also be referenced against an additional file on the REGEX engine to determine whether the captured query output matches valid output (e.g., in format or content) for the query.  Here, the claimed ‘determined to be similar’ is taught by Gupta as ‘output matches valid output’) based on predetermined threshold degree of similarity of attributes – Gupta [0073] In addition, these cyber security tools depend on security analysts to set the threshold of events that signify an attack.  Here, the claimed ‘attributes’ are taught by Gupta as ‘threshold events’ because the forensics of the events are captured/classified as further taught by Gupta at [0074]).

           As to claim 6, Gupta teaches a computer system – Gupta [0013] FIG. 1 illustrates an example configuration of an advanced persistent malware attack comprising:
           a processor and memory storing computer program code for identifying a malicious database request, the processor and memory configured to operate as a database driver proxy - Gupta [0056] ... Then, the instrumentation engine may simulate (i.e., fire) each of the formed web request with contextually appropriate user and form data. Using an initiated packet capture tool (PCAP), the instrumentation engine may capture the database queries 430 triggered in response to each simulated request.  Here, the claimed ‘database driver proxy’ is taught by Gupta as ‘instrumentation engine’ depicted in figure 4A since the engine performs static or dynamic formation of valid queries and addresses.  The claimed ‘processor and memory’ is taught by Gupta as ‘packet capture tool (PCAP)’ since it maps requests and valid addresses extracted from application files on behalf of the security monitoring agent to:
              receive a query for retrieving data from a database – Gupta [0046] Once a golden table is present at the analysis engine, at step 340, web requests, and corresponding database entries, may be captured from network traffic received in the web application infrastructure. In some embodiments, the analysis engine may capture the requests and database queries, and in other embodiments the instrumentation engine may capture the requests and database queries.  Here, the claimed ‘receiving’ is taught by Gupta as ‘entries, may be captured’);
           classify the query prior to execution of the query based on query instructions contained in the query to identify a class of query for the query – Gupta [0046] ... The instrumentation engine may also parse the request and database queries into regular expressions for matching against network traffic. The regular expressions may be added to the regular expression files which are stored in the golden table, or in another memory location, on the analysis engine.  Here, the claimed ‘instructions’ is taught by Gupta as ‘request’ since the request identifies the resource and under what conditions to retrieve the resource.  The claimed ‘class of query’ is suggested by Gupta as ‘regular expressions for matching’ which suggests that the classes are the regular expressions and matching the queries is the classification since the categories of code identify network traffic such as voice or data), the class of query having associated attributes defining expected characteristics of queries of the class when executed by the database – Gupta [0041] …the information of the respective database queries (or other database activities) correlated/matched to a particular user, user data, context, URL, and session may be sent to an analysis engine (or security monitoring agent in other example embodiments) to check for a potential database injection attack (e.g., SQL injection attack.  Here, the claimed ‘class of query’ is taught by Gupta as ‘database activities’ because a criteria classifies the query the claimed ‘expected characteristics’ is taught by Gupta as ‘user data, context, URL’ because these characteristics are known and stored in the golden table);
monitor characteristics of execution of the query execution by the database - Gupta [0043] … the security monitoring agent may form the golden table at load time ... the security monitoring agent may form the golden table at runtime. In some embodiments, the formed table may be updated at runtime with additional valid web requests and additional valid database queries mapped to the requests. The security monitoring agent forms the golden table to prepare for detecting and preventing injection attacks that trigger invalid database queries.  Here, the claimed ‘monitoring characteristics’ is taught by Gupta as ‘update golden table’ whereas the claimed ‘query is executed’ is taught by Gupta as ‘at runtime’);
           determine that the monitored characteristics deviate from the expected characteristics and identify the query as malicious– Gupta [0050] … If the URL match fails, at step 311, the instrumentation engine checks for code at the URL path (e.g., methods of the web application for processing the web request), and if no such code exists for the web application, the instrumentation engine may communicate with the analysis engine, at step 312, to declare an attack. Here, the claimed ‘determining’ is taught by Gupta as ‘checks for code’ whereas the claimed ‘deviate from ...expected’ is taught by Gupta as ‘URL match fails’.  The claimed ‘characteristics’ is taught by Gupta as ‘methods of web application’ since the instrumentation engine can compare known or expected methods against the current code in the query whereas the claimed ‘identifying ...malicious’ is taught by Gupta as ‘no such code exists’ which is the anomaly associated with the known valid database query), and implement at least one protective measure– Gupta [0047] ... If one or more of the queries does not map to the request in the mapping table, then at step 390, the analysis engine may communicate this status to the validation engine to declare an injection attack. In some embodiments, the analysis engine may use the regular expression files to perform additional validation of captured database queries prior to declaring attack. Here, the claimed ‘protective measure’ is taught by Gupta as ‘declare an injection attack’.
GUPTA SUGGESTS the query based on instructions contained in the query to identify a class of query for the query HOWEVER SULEMAN TEACHES 
             the query based on instructions contained in the query to identify a class of query for the query – Suleman [0038 and 0041] since at ’38 Block 510 comprises receiving a query for classification at the server 54 from the client device 70. In the present embodiment, the query comprises a text string received from the client device 70…since at ‘41 Block 520 comprises applying a plurality of support vector machine models to the query. It is to be appreciated that each application of a support vector machine model makes a binary determination of which of two classes the query is more likely to be classified.   Here, the claimed ‘instructions’ is taught by Suleman as ‘query for classification’ because queries are identified/associated with a known class at Block 530. The claimed ‘identify a class’ is taught by Gupta as ‘binary determination’ which is how the method determines which class to associate the query.    It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Gupta Golden Table construct to include Suleman class constructs.  Gupta already attempts to identify SQL injections targeted to exploit specific vulnerabilities in target applications.  Gupta with Suleman now has a classification scheme in support of the proxy determination for class definitions increasing processing efficiency which improves the data protection of Gupta’s enterprise web assets depicted in Figure 1).

            As to claim 7, claim 7 is a non-transitory computer readable medium - Gupta [0158] Embodiments or aspects thereof may be implemented in the form of hardware, firmware, or software. If implemented in software, the software may be stored on any non-transient computer readable medium that is configured to enable a processor to load the software or subsets of instructions thereof) that is directed to the method of claim 1.  Therefore, claim 7 is rejected for the reasons as set forth in claim 1. 

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WILLIAM B. JONES whose telephone number is (571) 272-9637.  The examiner can normally be reached on Mon - Fri., 7:00 a.m. to 3:00 p.m.  If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 571-272-3972.  The fax phone number for the organization where this application or proceeding is assigned is 571-272-3900.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/WILLIAM B JONES/
Examiner, Art Unit 2491
Date: 12/2/2022