DETAILED ACTION
Remarks and amendments submitted by the Applicant up to and including October 14, 2020, for the above-identified application, have been considered and examined by the Examiner.
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
Priority
No claim for foreign or domestic priority has been made to date.
Information Disclosure Statement
No information disclosure statements (IDSs) have been submitted to date.
Drawings
No concerns have been noted with respect to the drawings.
Specification
No concerns have been noted with respect to the specification.
Claim Objections
Claim 1, line 4, “a database” should be changed to “the database” for correct antecedent.
Claim 11, line 8, “a database” should be changed to “the database” for correct antecedent.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claim(s) 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Joshipura et al. (US20210165899A1), hereinafter, “Joshipura”, in view of Pandey et al. (US20200042647A1), hereinafter, “Pandey”.
Per claim 11, Joshipura discloses:
A computing apparatus (Joshipura FIG. 6, and FIGS. 2-5’s flow diagrams) for controlling access to a database, the computing apparatus comprising:
a processor (Joshipura FIG. 6, “processor 610”);
a memory (Joshipura FIG. 6, “memory 620”); and
a communication interface coupled to each of the processor and the memory (Joshipura FIG. 6, “bus 690”), 
wherein the processor is configured to:
receive, from a user via the communication interface, a first request for data that is accessible via a database, the first request including a first query (Joshipura para. [0025], “  … when a user device attempts to access data stored at a database …”.  para. [0027], “…a database query from …received user input …”);
	analyze the first query to determine whether the first query is potentially harmful (Joshipura para. [0028], “…exemplary constraints in table 1 include a selection of *.* all users and a selection of user.passwords of all users do not significantly limit the scope of a database query as these constraints could cause information related to many users to be retrieved with a single database query…”; Joshipura Table 1, 2nd row indicates that any SQL Query to “Select *.* of Users” should be responded to with a “Deny” action; similarly, Joshipura Table 1, 3rd row indicates that any SQL Query to “Select User.password of all Users” should be responded to with a “Deny” action; Joshipura para. [0030], “… Furthermore, any SQL information that requests more than a threshold amount of information may be judged suspicious and be denied (or blocked). Examiner submits that any query attempt to access information or passwords of all users is being interpreted as being “potentially harmful” in that such query would reveal confidential and security information with regards to many users);
when the first query is determined as not potentially harmful, forward, via the communication interface, the first request to a server configured to respond to the first request (Joshipura para. [0025], “…When the generated request is identified a being legitimate, web server 130 may send the request to database server 140 and database server may provide data associated with the request to web server 130 such that the retrieved data can be provided to user device 110 …”); and …
However, Joshipura does not disclose sending a warning message to a user when a query is determined as being potentially harmful.
Pandey explicitly teaches that, when the first query is determined as being potentially harmful, transmit, to the user via the communication interface, a warning message (Pandey para. [0037], “…In the event that the program code determines that a requested query has a probability of failure, …the program code informs a user of an anticipated issue (e.g., utilizing interface 150, FIG. 1) and provides the user with an option to execute the query despite the warning. …”; one harmful type of query discussed in Pandey (Pandey para. [0044]) is one in which “…the query will hog system resources and  …[cause] …denials of service to other queries…”; Pandey para. [0022] further mentions “…to provide alarms regarding bad queries and/or preempt unwanted corrupt queries…”; still further, Pandey para. [0042] teaches that “…The size of resources upon which requested queries are to execute (e.g., FIG. 3, database resource 330) can also be a consideration …”).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, for Joshipura’s arrangement to be modified to include user messaging as taught by Pandey, in order to provide user-friendly feedback to keep the user informed and/or to empower the user to improve his/her query formation.
Motivation to modify or combine would have been a commercial interest to incorporate user-friendliness into its database security product, to remain attractive to users and competitive in the marketplace.

Per claim 1, it is a method claim that recites features/limitations corresponding to the features/limitations of the apparatus claim 11, and is therefore rejected with the same rationale and motivation set forth above for apparatus claim 11.

Per claim 12, the rejection of claim 11 is incorporated.  In addition, Joshipura discloses: wherein the processor is further configured to analyze the first query by applying at least one database access rule to the first query (Joshipura para. [0021], “…identifies whether generated database requests were generated in a manner consistent with entries and rules cross-referenced in a set of ACL management data. Rules included in such a set of ACL management data, may identify that certain database requests can be sent to a database server and may identify that other database requests should be blocked (prevented) from being sent to the database server …”.  Joshipura para. [0022]-[0023], “… Once intercepted, information in the query or associated with the query may be compared to information in an access control list (ACL). This comparison could compare information associated with known good requests that the ACL may cross-reference with an “allow” action that would cause this good request to be sent to a database server. …”).

Per claim 2, the rejection of claim 1 is incorporated.  In addition, the method claim 2 recites features/limitations corresponding to the ones of the apparatus claim 12.  Therefore, claim 2 is rejected with the same rationale and motivation set forth above for apparatus claim 12”. 

Per claim 13, the rejection of claim 12 is incorporated.  In addition, Pandey discloses: wherein the at least one database access rule includes at least one from among a rule that relates to a maximum amount of memory to be consumed by granting the first request and a rule that relates to a maximum amount of central processing unit (CPU) resources to be consumed by granting the first request (Pandey para. [0043], “In some embodiments of the present invention, the program code may utilize heuristic algorithms or a rule based system, when considering one or more components of a requested query”.  Pandey para. [0044], “…the query will hog system resources and  …[cause] …denials of service to other queries…”; still further, Pandey para. [0042] teaches that “…The size of resources upon which requested queries are to execute (e.g., FIG. 3, database resource 330) can also be a consideration…”; Examiner submits that such Pandey teachings are being interpreted as teaching a rule about whether query will hog the system (i.e., relates to a maximum amount of memory and/or a maximum amount of CPU resources (e.g., processor time) which is allowed to be consumed by granting a request)). 
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, for Joshipura’s arrangement to be modified to include user maximum resource usage arrangements as taught by Pandey, in order to block illicit queries on a basis of excessive resource usage in addition to blocking on a basis of content.
Motivation to modify or combine would have been a commercial interest to incorporate resource usage protection into its database security product, to remain attractive to users and competitive in the marketplace

Per claim 3, the rejection of claim 2 is incorporated.  In addition, the method claim 3 recites features/limitations corresponding to the ones of the apparatus claim 13.  Therefore, claim 3 is rejected with the same rationale and motivation set forth above for apparatus claim 13. 

Per claim 14, the rejection of claim 13 is incorporated.  In addition, Joshipura discloses: wherein the processor is further configured to store a result of the analysis in a historical database access data repository (Joshipura para. [0019], “…Once received data is judged to be illegitimate, information that cross-references this fact with the information collected from the computer that originally sent the request could be stored and this stored information could identify that the computer is a suspicious device. For example, the web-server may store information that identifies that the IP address of the requesting computer is not trustworthy and future requests from that IP address could be blocked…”; see also, Joshipura FIG. 5, operation 580). 

Per claim 4, the rejection of claim 3 is incorporated.  In addition, the method claim 4 recites features/limitations corresponding to the ones of the apparatus claim 14.  Therefore, claim 4 is rejected with the same rationale and motivation set forth above for apparatus claim 14. 

Per claim 15, the rejection of claim 14 is incorporated.  In addition, Joshipura discloses: wherein the processor is further configured to analyze the first query by using at least one machine learning technique for determining whether the first query is potentially harmful (Joshipura’s FIG. 5 teaches steps which can implement as a machine learning (ML) function to learn whether a given input query is good/allowable or bad/deniable; Joshipura Table 1, 2nd row indicates that any SQL Query to “Select *.* of Users” should be responded to with a “Deny” action; similarly, Joshipura Table 1, 3rd row indicates that any SQL Query to “Select User.password of all Users” should be responded to with a “Deny” action; Joshipura para. [0030], “… Furthermore, any SQL information that requests more than a threshold amount of information may be judged suspicious and be denied (or blocked). Joshipura [0040], “…The steps illustrated in FIG. 5 could be used by a program that receives user inputs that are judged to be good or bad when a machine learning function is implemented… “; Joshipura para. [0040], “…where good user inputs result in collecting data that are associated with an allow action …[and] …bad user inputs …result in collecting data that should be associated with a deny function.  …”; whether the given input query is ultimately judged good/allowable or bad/deniable, the FIG. 5 ML flow may store “location data”, “identified function data” and/or “query function” related to the given input query into Joshipura’s Table 1 as sets of data that may be used to identify whether a request for data is legitimate or not; see Joshipura’s FIG. 5 and para. [0026] and [0038]-[0040]; Joshipura’s para. [0038]-[0040] discuss opposing examples of a good/allowable query request for salary information of a specified employee, and a bad/deniable query request for salary information of all employees; any query attempt to access salary information of all users is being interpreted as being “potentially harmful” in that such query would reveal confidential business information as well as confidential salary information with regards to many employees).

Per claim 5, the rejection of claim 4 is incorporated.  In addition, the method claim 5 recites features/limitations corresponding to the ones of the apparatus claim 15.  Therefore, claim 5 is rejected with the same rationale and motivation set forth above for apparatus claim 15. 

Per claim 16, the rejection of claim 14 is incorporated.  In addition, Joshipura teaches: wherein the processor is further configured to use the first query (Joshipura para. [0038], “…FIG. 5 includes a series of steps that may allow methods and apparatus consistent with the present disclosure to acquire program code contextual information that may be used to identify whether a database request should be serviced or not. FIG. 5 begins with a first step where a set of good user inputs are identified. This step may include one or more pieces of user data that is used to generate a database query.  …”) and data stored in the historical database access data repository as inputs to a predetermined machine learning algorithm (Joshipura para. [0019], “…Once received data is judged to be illegitimate, information that cross-references this fact with the information collected from the computer that originally sent the request could be stored and this stored information could identify that the computer is a suspicious device. For example, the web-server may store information that identifies that the IP address of the requesting computer is not trustworthy and future requests from that IP address could be blocked…”. Joshipura para. [0032], “… As such, the database server or a proxy computer could be sent client device IP address information, information that identifies the user input, location information related to the request generation, information that identifies a function, or query filter information ….  then perform additional evaluations on the database request when that processor makes a determination to either allows or block the database request.”.  Joshipura, FIG. 5 ML flow may store “location data”, “identified function data” and/or “query function” related to the given input query into Joshipura’s Table 1 as sets of data that may be used to identify whether a request for data is legitimate or not; This information is useful in judging whether future requests are legitimate or not, i.e., Joshipura para. [0039] states, “…This information could also be classified as including reference information that can be compared to location or function data collected during the generation of a database request and the query filter information that could identify constraints used to identify whether a database request should be allowed to be sent to a database server or whether a database request should be blocked…”) and to determine whether the first query is potentially harmful based on an output of the predetermined machine learning algorithm (Joshipura para. [0032], “… As such, the database server or a proxy computer could be sent client device IP address information, information that identifies the user input, location information related to the request generation, information that identifies a function, or query filter information ….  then perform additional evaluations on the database request when that processor makes a determination to either allows or block the database request.”.  Joshipura, FIG. 5 ML flow may store “location data”, “identified function data” and/or “query function” related to the given input query into Joshipura’s Table 1 as sets of data that may be used to identify whether a request for data is legitimate or not; This information is useful in judging whether future requests are legitimate or not, i.e., Joshipura para. [0039] states, “…This information could also be classified as including reference information that can be compared to location or function data collected during the generation of a database request and the query filter information that could identify constraints used to identify whether a database request should be allowed to be sent to a database server or whether a database request should be blocked… Joshipura [0040], “…The steps illustrated in FIG. 5 could be used by a program that receives user inputs that are judged to be good or bad when a machine learning function is implemented… “; Joshipura para. [0040], “…where good user inputs result in collecting data that are associated with an allow action …[and] …bad user inputs …result in collecting data that should be associated with a deny function.  …”; Joshipura’s para. [0038]-[0040] discuss opposing examples of a good/allowable query request for salary information of a specified employee, and a bad/deniable query request for salary information of all employees; any query attempt to access salary information of all users is being interpreted as being “potentially harmful” in that such query would reveal confidential business information as well as confidential salary information with regards to many employees; whether the given input query is ultimately judged good/allowable or bad/deniable, the FIG. 5 ML flow may store “location data”, “identified function data” and/or “query function” related to the given input query into Joshipura’s Table 1 as sets of data that may be used to identify whether a request for data is legitimate or not; see Joshipura’s FIG. 5 and para. [0026] and [0038]-[0040]; the fact that Joshipura’s FIG. 5 flow identifies and stores (Joshipura para. [0038]) “…program code contextual information that may be used to identify whether a database request should be serviced or not…” which may be used for machine learning (ML), and that Joshipura updates its table via storing query results (e.g., from FIG. 5) back into the table, is being interpreted as an arrangement to determine that the “…query is potentially harmful based on an output of the predetermined machine learning algorithm…”). 

Per claim 6, the rejection of claim 5 is incorporated.  In addition, the method claim 6 recites features/limitations corresponding to the ones of the apparatus claim 16.  Therefore, claim 6 is rejected with the same rationale and motivation set forth above for apparatus claim 16.

Per claim 17, the rejection of claim 15 is incorporated.  In addition, Joshipura further discloses: wherein the processor is further configured to:
use the data stored in the historical database access data repository as an input to a predetermined machine learning algorithm (As set forth previously, whether a given input query is ultimately judged good/allowable or bad/deniable, the FIG. 5 ML flow may store “location data”, “identified function data” and/or “query function” related to the given input query into Joshipura’s Table 1 as sets of data that may be used to identify whether a request for data is legitimate or not; This information is useful in judging whether future requests are legitimate or not, i.e., Joshipura para. [0039] states, “…This information could also be classified as including reference information that can be compared to location or function data collected during the generation of a database request and the query filter information that could identify constraints used to identify whether a database request should be allowed to be sent to a database server or whether a database request should be blocked…”; the “location data”, “identified function data” and/or “query function” stored into Joshipura’s Table 1 by prior ML operations and used by later ML operations to judge later query legitimacy, is being interpreted as “historical data” within a Table 1 which represents (in essence) a “historical database access data repository”); …
modify the at least one database access rule based on an output of the predetermined machine learning algorithm (Joshipura discloses that when a machine learning function is implemented and user inputs (e.g., for a query) are judged to be good or bad, then the FIG. 5 steps could be implemented. [0040], “…The steps illustrated in FIG. 5 could be used by a program that receives user inputs that are judged to be good or bad when a machine learning function is implemented… “; FIG. 5, in turn, includes steps for identifying and storing program code contextual information rules; More particularly, if the user inputs requesting salary information for a single employee were judged good, then Table 1 could be updated with a corresponding rule, i.e., (Joshipura para. [0038]) “…information in table 1 could be updated to identify that a request for salary information generated from the salary page that is limited to the salary of a single particular employee should be allowed…”; Joshipura discloses (Joshipura para. [0026]) that “…Table 1 may be referred to as an access control list (ACL)…”; The ACL is being interpreted as a list of database access rules, and adding the program code contextual information as described above, is being interpreted as modifying a database access rule); and
determine whether the first query is potentially harmful based on the modified at least one database access rule (Joshipura’s FIG. 5 teaches steps which can implement as a machine learning (ML) function to learn whether a given input query is good/allowable or bad/deniable; Joshipura Table 1, 2nd row indicates that any SQL Query to “Select *.* of Users” should be responded to with a “Deny” action; similarly, Joshipura Table 1, 3rd row indicates that any SQL Query to “Select User.password of all Users” should be responded to with a “Deny” action; Joshipura para. [0030], “… Furthermore, any SQL information that requests more than a threshold amount of information may be judged suspicious and be denied (or blocked). Joshipura [0040], “…The steps illustrated in FIG. 5 could be used by a program that receives user inputs that are judged to be good or bad when a machine learning function is implemented… “; Joshipura para. [0040], “…where good user inputs result in collecting data that are associated with an allow action …[and] …bad user inputs …result in collecting data that should be associated with a deny function.  …”; whether the given input query is ultimately judged good/allowable or bad/deniable, the FIG. 5 ML flow may store “location data”, “identified function data” and/or “query function” related to the given input query into Joshipura’s Table 1 as sets of data that may be used to identify whether a request for data is legitimate or not; see Joshipura’s FIG. 5 and para. [0026] and [0038]-[0040]; Joshipura’s para. [0038]-[0040] discuss opposing examples of a good/allowable query request for salary information of a specified employee, and a bad/deniable query request for salary information of all employees; any query attempt to access salary information of all users is being interpreted as being “potentially harmful” in that such query would reveal confidential business information as well as confidential salary information with regards to many employees; regading the modified rule, according to Fig. 4 and parag. [0037] of Joshipura, the “ACL rule” having the information and filter parameters are to be updated and stored for enforcement as a new ACL rule.  The fact that the “new ACL rule is enforced”, along with the teaching in parag. [0030] (“Furthermore, any SQL information that requests more than a threshold amount of information may be judged suspicious and be denied (or blocked). As such, information stored in table 1 or in a similar access control list may identify data that can be accessed according to a set of specific constraints”), is being interpreted as teaching “the modified at least one database access rule).

Per claim 7, the rejection of claim 5 is incorporated.  In addition, the method claim 7 recites features/limitations corresponding to the ones of the apparatus claim 17.  Therefore, claim 7 is rejected with the same rationale and motivation set forth above for apparatus claim 17.

Per claim 18, the rejection of claim 11 is incorporated.  In addition, Pandey further discloses: wherein the warning message includes information indicating that the first request is denied and that the first query is not to be executed, in conjunction with explanatory information indicating a reason for the denial of the first request (Pandey para. [0020], “…whether to decline to run the requested query and to send an error to the user, based on predicted results, including, but not limited to, a predicted cost (actual approximate time) of executing the requested query exceeding a timeout value … “).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, for Joshipura’s arrangement to be modified to include user messaging as taught by Pandey, in order to provide user-friendly feedback to keep the user informed and/or to empower the user to improve his/her query formation.
Motivation to modify or combine would have been a commercial interest to incorporate user-friendliness into its database security product, to remain attractive to users and competitive in the marketplace.

Per claim 8, the rejection of claim 1 is incorporated.  In addition, the method claim 8 recites features/limitations corresponding to the ones of the apparatus claim 18.  Therefore, claim 8 is rejected with the same rationale and motivation set forth above for apparatus claim 18.

Per claim 19, the rejection of claim 11 is incorporated.  In addition, Pandey further discloses: wherein the warning message includes explanatory information indicating a reason for the warning message (Pandey para. [0037], “…In the event that the program code determines that a requested query has a probability of failure, …the program code informs a user of an anticipated issue…”) and a user reply request for prompting the user to provide at least one from among a second request that includes a second query (Pandey para. [0029], “…The program code …can suggest configuration changes to the user that would enable the query to succeed in a database where it would previously have failed. … “) and a third request that includes a user instruction to override the warning message and to grant the first request (Pandey para. [0037], “…In the event that the program code determines that a requested query has a probability of failure, …the program code informs a user of an anticipated issue (e.g., utilizing interface 150, FIG. 1) and provides the user with an option to execute the query despite the warning. …”). 
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, for Joshipura’s arrangement to be modified to include user messaging and overriding as taught by Pandey, in order to provide user-friendly feedback to keep the user informed, to empower the user to improve his/her query formation, and/or to allow a user to force running of the query in spite of any warning.
Motivation to modify or combine would have been a commercial interest to incorporate user-friendliness into its database security product, to remain attractive to users and competitive in the marketplace.

Per claim 9, the rejection of claim 1 is incorporated.  In addition, the method claim 9 recites features/limitations corresponding to the ones of the apparatus claim 19.  Therefore, claim 9 is rejected with the same rationale and motivation set forth above for apparatus claim 19. 

Per claim 20, the rejection of claim 11 is incorporated.  In addition, regarding claim 20, Joshipura further discloses: wherein the first query includes a Structured Query Language (SQL) query (Joshipura para. [0020], “…SQL database request… “). 

Per claim 10, the rejection of claim 1 is incorporated.  In addition, the method claim 10 recites features/limitations corresponding to the ones of the apparatus claim 20.  Therefore, claim 10 is rejected with the same rationale and motivation set forth above for apparatus claim 20. 

Conclusion
The prior art made of record and listed on the attached Form PTO-892 not relied upon is considered pertinent to applicant's disclosure.  For example, some Form PTO-892-listed references include:
Dodor et al. (US20190220607A1) relates to mechanism that dynamically creates a new access policy for a set of database servers when a policy violation has been identified in a database access response issued by any database in the set.
Rodniansky (US20170318027A1) relates to validating dynamic structured query language (SQL) database queries through database activity monitoring.
Rodniansky (US20190354712A1) also relates to relates in general to computer systems and more particularly to effectively validating dynamic structured query language (SQL) database queries through database activity monitoring.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Paul J Skwierawski whose telephone number is (571)272-2642. The examiner can normally be reached 7:30am-4:00pm weekdays.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisory primary examiner (SPE) Yin-Chen Shaw can be reached on (571)272-8878.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Paul Skwierawski/
Patent Examiner, Art Unit 2498

/YIN CHEN SHAW/Supervisory Patent Examiner, Art Unit 2498