DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Amendment / Arguments
Regarding claims rejected under 35 USC 103:
Applicant’s arguments, in view of the amended claim language, have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of Townsend (US 2022/0303289 A1).
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1-2, 5, 9-10, 13, 17-18, and 21 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kao (US 2008/0148408 A1) in view of Townsend (US 2022/0303289 A1), Lancioni (US 11,539,738 B1) and Olalere (US 2021/0297441 A1).
Regarding claim 1, Kao discloses: A method of operating a web application scanner component, comprising:
retrieving a set of first web page vector (“vector” interpreted in view of, e.g., [0072] of the instant specification and referring to attack vectors) elements associated with a first web page;
Refer to at least FIG. 1, [0005], and [0029]-[0030] of Kao with respect to parsing web page elements.
Producing a set of first deduplicated web page vector elements associated with the set of first web page vector elements by performing
(i) a first deduplication function on the set of first web page vector elements to remove one or more non-auditable vector elements from the set of first web page vector elements, and
Refer to least the abstract, [0030], and [0034]-[0035] of Kao with respect to parsing the web page elements for attackable elements rather than those which are not attackable.
(ii) a second deduplication function on the set of first web page vector elements to remove one or more attack vector elements from the set of first web page vector elements that are already queued for scanning via a security scan function or have already been scanned via the security scan function;
Refer to at least [0040] of Kao with respect to avoiding repetitive tests testing the same attackable elements over and over by determining whether they are the same as stored attackable components. The same components are not stored to prevent the test module from using the same attackable components.
scanning the first web page for detection of vulnerabilities via the security scan function based on a degree of similarity between the set of first deduplicated web page vector elements and a set of second deduplicated web page vector elements that is deduplicated from a set of second web page vector elements associated with a second web page; and
Refer to at least the abstract, [0012], [0026], [0042], and [0044] of Kao with respect to performing a “penetrable test” and an “unpenetrable test” to identify vulnerabilities associated with the web page. As per its description in [0042], Kao avoids continuously testing the same link.
wherein the set of first web page vector elements and the set of second web page vector elements are different, and
Refer to at least FIG. 2, [0012], and [0039] of Kao with respect to a second target web page having second attackable elements to analyze.
wherein the one or more non-auditable vector elements that are removed from the set of first web page vector elements via the first deduplication function include: web page transition content, or text content, or image content, or video content, or audio content, or style or formatting content, or any combination thereof.
Refer to at least the abstract, FIG. 1-2, FIG. 5A-B, [0005], and [0035] of Kao with respect to web page elements under analysis and filtering test-free elements. For instance, [0035] filters an example FORM element.
Kao does not specify: the web page vector elements further in association with one or more different web pages; scanning for vulnerabilities further comprising scanning in a public vulnerability database; performing one or more actions to facilitate remediation of one or more vulnerabilities associated with the first web page that are detected by the scanning. However, Kao in view of Townsend discloses: the web page vector elements further in association with one or more different web pages.
Refer to at least [0094] of Townsend with respect to a “validation server and a hash repository (e.g., comprising hashes corresponding to trusted elements of DOMs of webpages, and/or hashes corresponding to malicious elements as may be inserted by malware) may be shared across servers corresponding to multiple enterprise organizations providing different services.”
The teachings of Kao and Townsend both concern security scanning websites and website elements, and are considered to be within the same field of endeavor and combinable as such.
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Kao to further implement storing known elements of different web pages for the purpose of preventing rescanning the same elements for each website (e.g., a scan server having to constantly scan the same elements every time for each website).
Kao-Townsend does not specify: scanning for vulnerabilities further comprising scanning in a public vulnerability database; performing one or more actions to facilitate remediation of one or more vulnerabilities associated with the first web page that are detected by the scanning. However, Kao-Townsend in view of Lancioni discloses: scanning for vulnerabilities further comprising scanning in a vulnerability database;
Refer to at least 504-506 in FIG. 5A and 530 in FIG. 5B of Lancioni with respect to scanning websites including checking against CVE databases. Further see at least 214 in FIG. 2 and Col. 4, Ll. 55-61 of Lancioni with respect to the CVE databases.
performing one or more actions to facilitate remediation of one or more vulnerabilities associated with the first web page that are detected by the scanning.
Refer to at least 540 in FIG. 5B and Col. 9, Ll. 3-25 of Lancioni with respect to remedial actions concerning the scanned website.
The teachings of both Kao-Townsend and Lancioni concern scanning websites for vulnerabilities, and are considered to be within the same field of endeavor and combinable as such.
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Kao-Townsend to further implement cross-checking vulnerability databases and performing remedial actions on the website for at least the purpose of improving security with a more comprehensive security suite having additional points of data for comparison (e.g., checking for additional security issues; improving testing; and reducing false positives and false negatives), as well as remedial capability (e.g., preventing access to insecure websites).
Kao-Townsend-Lancioni does not explicitly disclose: that the vulnerability database is a public vulnerability database. However, Kao-Townsend-Lancioni in view of Olalere discloses: that the vulnerability database is a public vulnerability database.
Refer to at least [0195] of Olalere with respect to the CVE database being a public database.
Olalere likewise concerns a CVE database such as that in Kao-Lancioni, and is considered to be combinable as such.
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Kao-Townsend-Lancioni to further use the public CVE database because the particular known technique was recognized as part of the ordinary capabilities of one skilled in the art.
Regarding claim 2, it is rejected for substantially the same reasons as claim 1 above (e.g., the abstract, [0040], and [0042] of Kao).
Regarding claim 5, Kao-Townsend-Lancioni-Olalere discloses: The method of claim 1, wherein the one or more attack vector elements comprise: one or more forms, or one or more cookies, or any combination thereof.
Refer to at least [0034] of Kao with respect to form elements being found to be attackable elements.
Regarding independent claim 9, it is substantially similar to independent claim 1 above, and is therefore likewise rejected (i.e., the citations and obviousness rationale).
Regarding dependent claims 10 and 13, they are substantially similar to claims 2 and 5 above, and are therefore likewise rejected.
Regarding independent claim 17, it is substantially similar to independent claim 1 above, and is therefore likewise rejected (i.e., the citations and obviousness rationale).
Regarding dependent claims 18 and 21, they are substantially similar to claims 2 and 5 above, and are therefore likewise rejected.
Claim(s) 3, 11, and 19 s/are rejected under 35 U.S.C. 103 as being unpatentable over Kao-Townsend-Lancioni-Olalere as applied to claims 1-2, 5, 9-10, 13, 17-18, and 21 above, and further in view of Call (US 2014/0283067 A1).
Regarding claim 3, Kao-Townsend-Lancioni-Olalere does not specify: wherein the set of first deduplicated web page vector elements comprises a hash of a portion of the set of first web page vector elements, wherein the portion excludes the one or more non-auditable vector elements and the one or more attack vector elements. However, Kao-Townsend-Lancioni-Olalere in view of Call discloses: wherein the set of first deduplicated web page vector elements comprises a hash of a portion of the set of first web page vector elements, wherein the portion excludes the one or more non-auditable vector elements and the one or more attack vector elements.
Refer to at least [0008]-[0009] and [0069] of Call with respect to hashing elements of a website DOM, targeting “portions of the DOM that are most likely to be affected by abnormal behavior and/or alien content such as elements that load content or introduce content such as images or scripts, that direct the user to another location (e.g., a link), that collect information from a user such as form fields, AJAX calls, or elements that can be used to modify the DOM.”
The teachings of Call likewise concern scanning website code and identifying security issues, and are considered to be combinable as such.
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Kao-Townsend-Lancioni-Olalere to further use hashes for storing and identifying attackable elements (e.g., with respect to the table in FIG. 6 of Kao) for at least the purpose of reducing storage space and/or allowing for computationally quick comparisons using the properties of hash digests.
Regarding claims 11 and 19, they are substantially similar to claim 3 above, and are therefore likewise rejected.
Claim(s) 6-8, 14-16, and 22-24 s/are rejected under 35 U.S.C. 103 as being unpatentable over Kao-Townsend-Lancioni-Olalere as applied to claims 1-2, 5, 9-10, 13, 17-18, and 21 above, and further in view of Zaitsev (US 2013/0145437 A1).
Regarding claim 6, Kao-Townsend-Lancioni-Olalere discloses: The method of claim 1, wherein the scanning scans the first web page if the degree of similarity between the set of first deduplicated web page vector elements and the set of second deduplicated web page vector elements exceeds a similarity threshold (a threshold may be interpreted as whether the elements are the same elements or not).
Refer to at least the abstract, [0040], and [0042] of Kao with respect to avoiding testing the same elements and retesting the same linked web page.
Kao-Townsend-Lancioni-Olalere does not specify: scanning the web page via one or more web page plugins. However, Kao-Townsend-Lancioni-Olalere in view of Zaitsev discloses: scanning the web page via one or more web page plugins.
Refer to at least 703 in FIG. 7, FIG. 8, and [0092]-[0093] of Zaitsev with respect to website plugins for security scanning.
The teachings of Zaitsev likewise concern website security scanning, and are considered to be combinable as such.
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Kao-Townsend-Lancioni-Olalere to further implement plugins for security scanning because the substitution of one known element for another (type of security scanner) would have yielded predictable results to one of ordinary skill in the art at the time (performing security scans using the scanner).
Regarding claim 7, it is rejected for substantially the same reasons as claim 6 above (i.e., the citations and obviousness rationale).
Regarding claim 8, Kao-Townsend-Lancioni-Olalere-Zaitsev discloses: The method of claim 6, wherein, if the degree of similarity between the set of first deduplicated web page vector elements and the set of second deduplicated web page vector elements does not exceed the similarity threshold, the selectively scanning comprises: scanning a server associated with the first web page via one or more server plugins of the security scan function,
Refer to at least [0027] of Kao with respect to testing the web page server.
Refer to at least [0092] of Zaitsev with respect to the plugin also loaded on the server.
scanning a uniform resource locator (URL) associated with the first web page via one or more URL plugins of the security scan function.
Refer to at least [0029], [0031], [0039], and [0042] of Kao with respect to scanning links.
Refer to at least FIG. 4 and [0071] –[0072] of Zaitsev with respect to URLs as scan parameters.
This claim would have been obvious for substantially the same reasons as claim 6 above.
Regarding claims 14-16 and 22-24, they are substantially similar to claims 6-8 above, and are therefore likewise rejected.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to VADIM SAVENKOV whose telephone number is (571)270-5751. The examiner can normally be reached 12PM-8PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey L Nickerson can be reached at (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Jeffrey Nickerson/Supervisory Patent Examiner, Art Unit 2432
/V.S/Examiner, Art Unit 2432