DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claims 1, 10, 12 and 21 are amended.
Claims 1-24 are pending.
Response to Arguments
Applicant’s arguments with respect to amended claim(s) 1, 10, 12 and 21 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Applicant’s arguments, see pages 12-13, filed 02/23/2026, with respect to claims 10 and 21 have been fully considered and are persuasive. The claim rejection under 35 USC § 112(a) of 09/23/2025 has been withdrawn.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1-5 and 9-10, 13-16 and 20-21 are rejected under 35 U.S.C. 103 as being unpatentable over Kling et al (U. S. PGPub. No. 2014/0181965 A1) (hereinafter “Kling”) in view of Bhattacharya et al (U. S. PGPub. No. 2017/0250989 A1) (hereinafter “Bhattacharya”); and in further view of Griffin et al. (U. S. Pat. No. 8,296,848 B1 1) (hereinafter “Griffin”).
Regarding Claim 1, Kling teaches:
establishing a webserver instance of the webserver device with a client device, the webserver instance of the webserver device having a corresponding set of client device permissions (Kling: [0053] The first stage in implementing an IAM system 302 for processing access requests involves establishing the IAM system itself…[0055], information 406 describing the computer system architecture may be utilized to generate a list 408 of physical computing resources (=Client devices) and corresponding physical permissions ((=set of permissions = set of access rights to access files, database, documents etc.)).…Examples of physical computing resources (=Client devices) also include computing devices and systems such as servers, gateways, workstations, databases, and other types of computing devices and systems);
detecting a violation of a permission of the set of client device permissions associated with the webserver instance of the webserver device (Kling: [0095], If at least one of the new access rights to add is associated with a business task that is incompatible with a current business task of the user, then the SoD verifier may identify a SoD violation for the access request (block 1010:Y) and flag the access request as a potential SoD violation (block 1014)).
identifying at least one webserver function (Kling: [0095], SoD verifier may identify a SoD violation for the access request (block 1010:Y) and flag the access request as a potential SoD violation (block 1014);
and displaying a visual identification of the at least one webserver function associated with the violation of the permission of the set of client device permissions (Kling: [0106], The access review summary may be provided as an electronic display presented at an interface such as a web portal or dashboard. The access review summary may also indicate the information about the access request, e.g., the date the access request was submitted, the requestor, the requestee, the date the access request was approved, the individual that approved the access request (an approver), and other types of access request information);
Kling does not explicitly disclose:
receiving a content request from the client device associated with the webserver instance of the webserver device,
However, in an analogous art, Bhattacharya teaches:
receiving a content request from the client device associated with the webserver instance of the webserver device (Bhattacharya: [0012], receiving a request by a user to access the specific website. [0032], the step of receiving 112 user request to access a specific website)
It would be obvious to a person having ordinary skill in the art, before the effective filing date of the invention, to modify Kling’s method of identifying a SoD violation for access request by applying Bhattacharya’s method of receiving a request to access the specific website at the website’s server, in order to get an appropriate response from the website’s server in order to improve the method for controlled browsing of the Internet to provide user safety (Bhattacharya: [0009]).
Kling in view of Bhattacharya does not explicitly teach:
identifying at least one webserver function as having a logic error during execution of the webserver instance
However, Griffin teaches:
identifying at least one webserver function as having a logic error during execution of the webserver instance (Griffin: [Col 2, lines 40-45], (9) The server 110 provides content to the client 112 via the network 114. In one embodiment, the server 110 is a web server that provides content such as HTML web pages (=webserver function), scripts written in interpreted languages such as VBScript and JavaScript, executable programs…[Col 3, lines 21-37], (13) A security module 118 executing on the client 112 detects when malicious code such as a script is attempting to exploit a vulnerability of an application 116…), the logic error configured as a defect in the code of the webserver application executed by the webserver instance (Griffin: [Col 2, lines 57-61], vulnerability is faulty logic error (=logic error) processing, where the malicious code performs an illogical operation that causes the computer to enter a state where it can be compromised. Once the client 112 is compromised, the code can perform other malicious actions. [Col 3, lines 21-37], (13) A security module 118 executing on the client 112 detects when malicious code (=defect in the code) such as a script is attempting to exploit a vulnerability of an application 116 and blocks the exploit);
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Kling in view of Bhattacharya by applying the well-known technique as disclosed by Griffin of detecting malicious code/script attempting to exploit a vulnerability of an application. The motivation is to detect attempted exploits of vulnerabilities of applications and other programs executing on a computer (Griffin: [Col 1, lines 9-10]).
Regarding Claim 2, Kling in view of Bhattacharya and Griffin teaches:
The method of claim 1 (see rejection of claim 1 above),
storing the content request for the webserver instance of the webserver device in a content request log (Kling: [0049], the data store 304 may also store access request records (=Content request log) . [0063] The IAM system 302 may also store respective records for each access request. These records may thus be referred to as access request records (322 in FIG. 3). [0077], create an access request event record for the access request received (block 804));
storing an identification of a webserver function associated with processing the content request for the webserver instance of the webserver device in a webserver function log (Kling: [0053], The data store 304 may organize the logical computing resource records in accordance with the IAM data model 306);
and storing a permission comparison result associated with the webserver instance of the webserver device in a permission log (Kling: [0049], The data store 304 may also include a storage, and retrieval of information in the data store [0106], The access review summary (=comparison result) may be provided, as an electronic display presented at an interface such as a web portal or dashboard.), the permission comparison result based upon a comparison of the content request and the set of client device permissions (Kling: [0102], The business manager may compare the selected current logical resource to each logical entitlement in the set of logical entitlements (=set of client device permission) associated with the user (block 1212). If the current logical resource is found in one of the logical entitlements, then the current logical resource is traceable back to an access request associated with the logical entitlement through the relationship between access requests and logical entitlements provided by the IAM data model)
wherein receiving a content request from the client device further comprises (Bhattacharya: [0012], receiving a request by a user to access the specific website. [0032], the step of receiving 112 user request to access a specific website):
It would be obvious to a person having ordinary skill in the art, before the effective filing date of the invention, to modify Kling’s method of identifying a SoD violation for access request by applying Bhattacharya’s method of receiving a request to access the specific website at the website’s server, in order to get an appropriate response from the website’s server in order to improve the method for controlled browsing of the Internet to provide user safety (Bhattacharya: [0009]).
Regarding Claim 3, Kling in view of Bhattacharya and Griffin teaches:
The method of claim 2 (see rejection of claim 2 above),
wherein detecting the violation of the permission of the set of client device permissions associated with the webserver instance of the webserver device comprises (Kling: [0095], If at least one of the new access rights to add is associated with a business task that is incompatible with a current business task of the user, then the SoD verifier may identify a SoD violation for the access request (block 1010:Y) and flag the access request as a potential SoD violation (block 1014):
reviewing the permission log associated with the webserver instance of the webserver device (Kling: [0102], business manager may then select for review one of the current logical resources accessible to the individual (block 1210).);
and identifying a permission comparison result that indicates the content request from the client device associated with the webserver instance of the webserver device as violating a permission of the set of client device permissions. (Kling: [0106], The access review summary (=permission comparison result) may be provided as an electronic document which can be printed in hardcopy or, additionally or alternatively, as an electronic display presented at an interface such as a web portal or dashboard).
Regarding Claim 4, Kling in view of Bhattacharya and Griffin teaches:
The method of claim 3 (see rejection of claim 3 above),
wherein identifying at least one webserver function associated with the violation of the permission comprises (Kling: [0095], If at least one of the new access rights to add is associated with a business task that is incompatible with a current business task of the user, then the SoD verifier may identify a SoD violation for the access request (block 1010:Y) and flag (=identifying) the access request as a potential SoD violation (block 1014))):
(Kling: [0095], If at least one of the new access rights to add is associated with a business task that is incompatible with a current business task of the user, then the SoD verifier may identify a SoD violation for the access request (block 1010:Y) and flag the access request as a potential SoD violation (block 1014)
reviewing the webserver function log associated with the webserver instance of the webserver device (Bhattacharya: [0033], The step of creating a data repository 105 (=webserver function logs) may further employ use of relists, such as relist 620 (as shown in FIG. 6), [0034], a simple mandatory lookup of the website (=reviewing) in whitelist or blacklist that is updated regularly);
and identifying a set of webserver functions (Bhattacharya: [0033], identify websites that may require further analysis to determine whether they are safe to allow access or not by creating a data repository 105 (=set of webserver functions) may further employ use of relists, such as relist 620 (as shown in FIG. 6)).
It would be obvious to a person having ordinary skill in the art, before the effective filing date of the invention, to modify Kling’s method of identifying a SoD violation for access request by applying Bhattacharya’s method of receiving a request to access the specific website at the website’s server, in order to get an appropriate response from the website’s server and to improve the method for controlled browsing of the Internet to provide user safety (Bhattacharya: [0009]).
Regarding Claim 5, Kling in view of Bhattacharya and Griffin teaches:
The method of claim 4 (see rejection of claim 4 above),
(Kling: [0095], The SoD verifier may then compare each physical new access right to add to the existing access rights for the user (block 1022). Through the relationship between physical permissions and logical permissions in the IAM data model, the SoD verifier may identify the current business tasks associated with the user. If at least one of the new access rights to add is associated with a business task that is incompatible with a current business task of the user, then the SoD verifier may identify a SoD violation for the access request (block 1010:Y) and flag (=can be a detection of logic defect and violation of the permission) the access request as a potential SoD violation (block 1014)
(Kling: [0095], the SoD verifier may identify the current business tasks associated with the user. If at least one of the new access rights to add is associated with a business task that is incompatible with a current business task of the user, then the SoD verifier may identify a SoD violation for the access request (block 1010:Y) and flag the access request as a potential SoD violation (block 1014));
identifying a function calling pattern of the set of webserver functions (Bhattacharya: [0034], In an embodiment, the access rule may include, preexisting data (=origin webserver function) associated with similarly situated users in some data repository, traffic patterns for the requested website…);
and identifying an origin webserver function of the function calling pattern,(Bhattacharya: [0034], In an embodiment, the access rule may include, preexisting data (=origin webserver function) associated with similarly situated users in some data repository, traffic patterns for the requested website…),
It would be obvious to a person having ordinary skill in the art, before the effective filing date of the invention, to modify Kling’s method of identifying a SoD violation for access request by applying Bhattacharya’s method of identifying the usage and control patterns of other similarly situated users, in order to enhance detection of insider threats by monitoring user behavior to find any actions that appear to be the unauthorized work of an employee or insider in order to improve the method for controlled browsing of the Internet to provide user safety (Bhattacharya: [0009]).
Regarding Claim 9, Kling in view of Bhattacharya and Griffin teaches:
The method of claim 4 (see rejection of claim 4 above),
and displaying the content request (Kling: [0106], The access review summary, as an electronic display presented at an interface such as a web portal or dashboard. The access request summary may include information about the access request (=content request)) that violated the permission of the set of client device permissions (Kling: [0095], the SoD verifier may identify the current business tasks associated with the user. If at least one of the new access rights to add is associated with a business task that is incompatible with a current business task of the user, then the SoD verifier may identify a SoD violation for the access request (block 1010:Y) and flag the access request as a potential SoD violation (block 1014));
reviewing the content request log for the content request for the webserver instance of the webserver device (Bhattacharya: [0033], using of relists, such as relist 620 (as shown in FIG. 6), to identify websites that may require further analysis to determine whether they are safe to allow access or not. the user is always denied access to each blacklist website identified as unsafe, and maybe required to receive authorization from an admin to access a website);
identifying the content request associated with the violation of the permission of the set of client device permissions (Bhattacharya: [0033], the user is always denied access to each blacklist website identified as unsafe. Users may be unable to access known unsafe websites at all, or may be permitted by receiving admin authorization);
It would be obvious to a person having ordinary skill in the art, before the effective filing date of the invention, to modify Kling’s method of identifying a SoD violation for access request by applying Bhattacharya’s method of identifying the usage and control patterns of other similarly situated users, in order to enhance detection of insider threats by monitoring user behavior to find any actions that appear to be the unauthorized work of an employee or insider and to improve the method for controlled browsing of the Internet to provide user safety (Bhattacharya: [0009]).
Regarding Claim 10, Kling in view of Bhattacharya and Griffin teaches:
The method of claim 9 (see rejection of claim 9 above),
identifying the content request as including an adversary supply input, the adversary input configured to induce a logic error in the webserver instance(Griffin: [Col 1, lines 22-29], (6) Malicious attackers can compromise such applications by crafting specially-formulated input that exploits vulnerabilities in the programs. This input contains code (=induce logic error) that, when executed, gives the attackers control over the applications and allows them to perform malicious acts such as capturing keystrokes, sending messages on the network, deleting files, installing malicious software (malware) such as spyware and adware, etc. [Col 3, lines 21-37], (13) A security module 118 executing on the client 112 detects when malicious code such as a script is attempting to exploit a vulnerability of an application 116…)
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Kling in view of Bhattacharya by applying the well-known technique as disclosed by Griffin of detecting malicious code/script attempting to exploit a vulnerability of an application. The motivation is to detect attempted exploits of vulnerabilities of applications and other programs executing on a computer (Griffin: [Col 1, lines 9-10]).
Regarding Claim 12, Kling in view of Bhattacharya and Griffin teaches:
a controller having a memory and a processor, the controller configured to (Kling: [0031], The IAM system 101 (= controller) may have a processor 103 for controlling overall operation of the system and its associated components, including RAM 105, ROM 107, input/output (I/O) module 109, and memory 115):
This claim contains identical limitations found within that of claim 1 above albeit directed to a different statutory category (apparatus medium). For this reason the same grounds of rejection are applied to claim 12.
Regarding Claim 13, this claim contains identical limitations found within that of claim 2 above albeit directed to a different statutory category (apparatus medium). For this reason the same grounds of rejection are applied to claim 13.
Regarding Claim 14, this claim contains identical limitations found within that of claim 3 above albeit directed to a different statutory category (apparatus medium). For this reason the same grounds of rejection are applied to claim 14.
Regarding Claim 15, this claim contains identical limitations found within that of claim 4 above albeit directed to a different statutory category (apparatus medium). For this reason the same grounds of rejection are applied to claim 15.
Regarding Claim 16, this claim contains identical limitations found within that of claim 5 above albeit directed to a different statutory category (apparatus medium). For this reason the same grounds of rejection are applied to claim 16.
Regarding Claim 17, this claim contains identical limitations found within that of claim 6 below albeit directed to a different statutory category (apparatus medium). For this reason the same grounds of rejection are applied to claim 17.
Regarding Claim 18, this claim contains identical limitations found within that of claim 7 below albeit directed to a different statutory category (apparatus medium). For this reason the same grounds of rejection are applied to claim 18.
Regarding Claim 19, this claim contains identical limitations found within that of claim 8 below albeit directed to a different statutory category (apparatus medium). For this reason the same grounds of rejection are applied to claim 19.
Regarding Claim 20, this claim contains identical limitations found within that of claim 9 above albeit directed to a different statutory category (apparatus medium). For this reason the same grounds of rejection are applied to claim 20.
Regarding Claim 21, this claim contains identical limitations found within that of claim 10 above albeit directed to a different statutory category (apparatus medium). For this reason the same grounds of rejection are applied to claim 21.
Regarding Claim 22, this claim contains identical limitations found within that of claim 11 below albeit directed to a different statutory category (apparatus medium). For this reason the same grounds of rejection are applied to claim 22.
Regarding Claim 24, this claim contains identical limitations found within that of claim 23 below albeit directed to a different statutory category (apparatus medium). For this reason the same grounds of rejection are applied to claim 24.
Claim(s) 6 is rejected under 35 U.S.C. 103 as being unpatentable over Kling et al (U. S. PGPub. No. 2014/0181965 A1) (hereinafter “Kling”) in view of Bhattacharya et al (U. S. PGPub. No. 2017/0250989 A1) (hereinafter “Bhattacharya”) and Griffin et al. (U. S. Pat. No. 8,296,848 B1 1) (hereinafter “Griffin”); and in further view of “A multi-model approach to the detection of web-based attacks, by Christopher Kruegel, Giovanni Vigna, William Robertson” and Bates et al (U. S. PGPub. No. 2002/0174118 A1) (Hereinafter “Bates”)
Regarding Claim 6, Kling in view of Bhattacharya and Griffin teaches:
The method of claim 5 (see rejection of claim 5 above),
wherein identifying the function calling pattern of the set of webserver functions further comprises (Bhattacharya: The classification of websites may further include using crowdsourced data, information from community and social networks, and usage and control patterns of other similarly situated users in an enrolled community; results from a web crawler that searches for various keywords on websites; or a combination of same):
Kling in view of Bhattacharya and Griffin does not explicitly teach:
detecting a probability statistic associated with each webserver function of the set of webserver functions, the probability statistic relating to a probability of each webserver function defining the logic defect relative to the content request;
ranking each webserver function of the set of webserver functions according to the probability statistic;
However, in an analogous art, “A multi-model approach to the detection of web-based attacks, by Christopher Kruegel, Giovanni Vigna, William Robertson” teaches:
detecting a probability statistic associated with each webserver function of the set of webserver functions, the probability statistic relating to a probability of each webserver function defining the logic defect relative to the content request (“A multi-model approach to the detection of web-based attacks, by Christopher Kruegel, Giovanni Vigna, William Robertson”: [page 721, para 1, lines 1-9], The task of a model is to assign a probability value to either a query as a whole or one of the query’s attributes. This probability value reflects the probability of the occurrence of the given feature value with regards to an established profile. The assumption is that feature values with a sufficiently low probability (i.e., abnormal values) indicate a potential attack);
ranking each webserver function of the set of webserver functions according to the probability statistic (“A multi-model approach to the detection of web-based attacks, by Christopher Kruegel, Giovanni Vigna, William Robertson”: [Page 721, Col 1, para 3, lines 1-3], The anomaly score (=rank) for a query (or one its attributes) is derived from the probability values returned by the models that are associated with the query (or attribute). [Col 721, Col 1, para 3, lines 12], The anomaly score for a query (or one its attributes) is derived from the probability values returned by the models that are associated with the query (or attribute)).
(“A multi-model approach to the detection of web-based attacks, by Christopher Kruegel, Giovanni Vigna, William Robertson”: [Page 721, Para 2, lines 5-9], A query is reported as anomalous if at least one of these anomaly scores is above the corresponding detection threshold (detection thresholds are established during a training phase, as described below). Otherwise a query is reported as “normal”)
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Kling in view of Bhattacharya and Griffin by applying the well-known technique as disclosed by “A multi-model approach to the detection of web-based attacks, by Christopher Kruegel, Giovanni Vigna, William Robertson” of detecting a probability value and a ranking derived from the probability value. The motivation is to detect anomalies/vulnerabilities of web-based attacks (“A multi-model approach to the detection of web-based attacks, by Christopher Kruegel, Giovanni Vigna, William Robertson”: [Abstract]).
Kling in view of Bhattacharya and Griffin and “A multi-model approach to the detection of web-based attacks, by Christopher Kruegel, Giovanni Vigna, William Robertson” does not explicitly disclose:
and displaying a list of the webserver functions of the set of webserver functions
However, in an analogous art, Bates teaches:
and displaying a list of the webserver functions of the set of webserver functions (Bates: [0024], The search results may include a list of uniform resource locators (URLs) that identify sources such as web pages. The browser 150 presents the results of the search (=a list of uniform resource locators (URLs) that identify sources such as web pages) to the searcher 100 on the display screen 120. [0027], The exemplary presentation includes information about a first web page 210A, information about a second web page 210B, and information about a third web page 210C found by the search).
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Kling in view of Bhattacharya and Griffin and “A multi-model approach to the detection of web-based attacks, by Christopher Kruegel, Giovanni Vigna, William Robertson” by applying the well-known technique as disclosed by Bates of presenting the link to the sources on the display screen. The motivation is to provide the requested information to the user and examine sources that lack relevant information yet appear nevertheless in the list of sources found by the search engine (Bates: [0009]).
Claim(s) 7 is rejected under 35 U.S.C. 103 as being unpatentable over Kling et al (U. S. 2014/0181965 A1) (hereinafter “Kling”) in view of Bhattacharya et al (U. S. PGPub. No. 2017/0250989 A1) (hereinafter “Bhattacharya”) and Griffin et al. (U. S. Pat. No. 8,296,848 B1 1) (hereinafter “Griffin”); and in further view of Bates et al (U. S. 2002/0174118 A1) (Hereinafter “Bates”)
Regarding Claim 7, Kling in view of Bhattacharya and Griffin teaches:
The method of claim 4 (see rejection of claim 4 above),
(Kling: [0095], the SoD verifier may identify the current business tasks associated with the user. If at least one of the new access rights to add is associated with a business task that is incompatible with a current business task of the user, then the SoD verifier may identify a SoD violation for the access request (block 1010:Y) and flag the access request as a potential SoD violation (block 1014)):
(Kling: [0095], the SoD verifier may identify the current business tasks associated with the user. If at least one of the new access rights to add is associated with a business task that is incompatible with a current business task of the user, then the SoD verifier may identify a SoD violation for the access request (block 1010:Y) and flag the access request as a potential SoD violation (block 1014)
(Kling: [0106], The access review summary may be provided as an electronic display presented at an interface such as a web portal or dashboard. The access review summary may also indicate the information about the access request, e.g., the date the access request was submitted, the requestor, the requestee, the date the access request was approved, the individual that approved the access request (an approver), and other types of access request information (=access request information can be identification of the webserver function):
Kling in view of Bhattacharya and Griffin does not explicitly disclose:
assigning a visual indicator to the at least one webserver function
However, Bates teaches:
assigning a visual indicator to the at least one webserver function (Bates: [0028], The first correlation indicator 212A includes a visual area that is colored according to the color code and the occurrence data of each keyword that occurs in the web page identified by the first URL 211A. Likewise for the second and third correlation indicators 212B and 212C, with respect to the second and third URLs 211B and 211C. [0032], The correlation indicator 212 includes a visual area that is colored according to the color code of the color code map 205 and according to the occurrence data for each keyword that occurs in the web page identified by the URL. The browser 150 displays the URLs and the associated correlation indicators 212 to the searcher 100 as shown, for example, in FIG. 2B);
displaying an identification of the at least one webserver function (Bates: [0028], The information about the first web page 210A includes a link to a first URL 211A that identifies the first web page, and a first correlation indicator 212A; the information about the second web page 210B includes a link to a second URL 211B that identifies the second web page, and a second correlation indicator 212B; and the information about the third web page 210C includes a line to a third URL 211C that identifies the third web page, and a third correlation indicator 212C).
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Kling in view of Bhattacharya and Griffin by applying the well-known technique as disclosed by Bates of presenting color coded information on the display screen. The motivation is to provides the requested information to the user and examine sources that lack relevant information yet appear nevertheless in the list of sources found by the search engine (Bates: [0009]).
Claim(s) 8 and 23 are rejected under 35 U.S.C. 103 as being unpatentable over Kling et al (U. S. 2014/0181965 A1) (hereinafter “Kling”) in view of Bhattacharya et al (U. S. PGPub. No. 2017/0250989 A1) (hereinafter “Bhattacharya”) and Griffin et al. (U. S. Pat. No. 8,296,848 B1) (hereinafter “Griffin”); and in further view of Krebs et al. (U. S. Pat. No. 6,668,369 B1) (hereinafter “Krebs”).
Regarding Claim 8, Kling in view of Bhattacharya teaches:
The method of claim 4 (see rejection of claim 4 above),
wherein displaying the visual identification of the at least one webserver function associated with the violation of the permission comprises (Kling: [0106], The access review summary may be provided as an electronic display presented at an interface such as a web portal or dashboard. The access review summary (=identification of webserver function) may also indicate the information about the access request, e.g., the date the access request was submitted, the requestor, the requestee, the date the access request was approved, the individual that approved the access request (an approver), and other types of access request information)
that interacted with the content request associated with the violation of the permission of the set of client device permissions (Kling: [0095], the SoD verifier may identify the current business tasks associated with the user. If at least one of the new access rights to add is associated with a business task that is incompatible with a current business task of the user, then the SoD verifier may identify a SoD violation for the access request (block 1010:Y) and flag the access request as a potential SoD violation (block 1014))
Kling in view of Bhattacharya and Griffin does not explicitly disclose:
displaying application code associated with at least one webserver function of the set of webserver functions
However, in an analogous art, Krebs teaches:
displaying application code associated with at least one webserver function of the set of webserver functions
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Kling in view of Bhattacharya and Griffin by applying the well-known technique as disclosed by Krebs of displaying the dynamic code to locate errors and then identify and correct portions of the script causing generation of the erroneous code. The motivation is to assist the programmer to locate errors in, or "debug", software, since it is frequently easier to detect errors in the results of an executed script than it is to detect errors in the script itself (Krebs: [Abstract]).
Regarding Claim 23, Kling in view of Bhattacharya and Griffin teaches:
The method of claim 8 (see rejection of claim 8 above),
s (Kling: [0095], the SoD verifier may identify the current business tasks associated with the user. If at least one of the new access rights to add is associated with a business task that is incompatible with a current business task of the user, then the SoD verifier may identify a SoD violation for the access request (block 1010:Y) and flag the access request as a potential SoD violation (block 1014))
displaying application code associated with at least one webserver function of the set of webserver functions
displaying the application code associated with at least one webserver function of the set of webserver functions (Krebs:[Col 4, lines 6-16], (5) FIG. 4 is an image of a portion of the source code shown at "A" in FIG. 2. The source code also includes a revision to the script as shown at "C". The erroneous line of the script is shown at "E" in FIG. 4 for illustrative purposes, but has been flagged such that it will not be processed by the script. The script may be revised by a user using a text editor to edit the source file, as is known in the art. This revision to the script produces properly formatted dynamic code, as shown at "D" in FIG. 4. The revised script and the dynamic code generated by the script appear in the source window 22 for debugging purposes).
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Kling in view of Bhattacharya and Griffin by applying the well-known technique as disclosed by Krebs of displaying the dynamic code to locate errors and then identify and correct portions of the script causing generation of the erroneous code. The motivation is to assist the programmer to locate errors in, or "debug", software, since it is frequently easier to detect errors in the results of an executed script than it is to detect errors in the script itself (Krebs: [Abstract]).
Claim(s) 11 is rejected under 35 U.S.C. 103 as being unpatentable over Kling et al (U. S. 2014/0181965 A1) (hereinafter “Kling”) in view of Bhattacharya et al (U. S. 2017/0250989 A1) (hereinafter “Bhattacharya”) and Griffin et al. (U. S. Pat. No. 8,296,848 B1) (hereinafter “Griffin”); and in further view of Goswami et al (U. S. 2021/0056404 A1) (hereinafter “Goswami”).
Regarding Claim 11, Kling in view of Bhattacharya and Griffin teaches:
The method of claim 1 (see rejection of claim 1 above),
receiving user annotation input regarding the at least one webserver function associated with the violation of the permission of the set of client device permissions (Goswami: [0145], The operation shown in FIG. 5 is for a runtime operation based on an input image received from a client computing device. [0146] As shown in FIG. 5, the operation starts by receiving input data which may or may not comprise adversarial input (step 510)).
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Kling in view of Bhattacharya by applying the well-known technique as disclosed by Goswami of indicating that an input image is an adversarial input image. The motivation is to determine and mitigate the presence of adversarial inputs to an image classification computing model (Goswami: [Abstract]).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Refer to PTO-892, Notice of References Cited for a listing of analogous art.
Brown (U. S. PGPub. No. 2014/0033183 A1): A debugging method for use with computer programs that may include a number of program components such as objects within a software framework. The debugging method includes providing a debugging environment with a debugger that generates debugging information, including runtime state information, for each of the program components. The method includes identifying one of the program components for inspection within the debugging environment. The method includes using an inspector selection module to select a set of program inspectors to perform the inspection of the identified program component, e.g., by first determining the type of object or program component that has been identified or based upon a type of issue being debugged. The method includes performing the inspection with these program inspectors or scripts that each define a particular potential user error or nonstandard usage of an object, and outputting a report of the programming issues identified by the program inspectors.
MacPherson et al. (U. S. Pat. No. 8,719,791 B1): Embodiments described herein relate to systems and methods for displaying aggregated stack traces in a source code viewer. One or more execution identifiers are received in response to an execution of a first program executing on one or more client computing devices. Each execution identifier can include one or more stack frames, which correspond to a function call within the first program. An error-likeliness score is identified for each execution identifier. An error-weight is determined for each of the execution identifiers based on the identified error-likeliness scores for instances of the execution identifiers.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RUPALI DHAKAD whose telephone number is (571)270-3743. The examiner can normally be reached M-F 8:30-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Alexander Lagor, can be reached at 5712705143. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/R.D./
Examiner, Art Unit 2437
/ALI S ABYANEH/
Primary Examiner, Art Unit 2437