Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 12/24/2025 has been entered.
Claims 1-2, 4-6, 9-10, 12-14 and 17-20 have been amended.
Claims 1-20 are pending.
Claim Interpretation
The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked.
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph:
(A) the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function;
(B) the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and
(C) the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function.
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function.
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function.
Claim limitations in this application (claim 17) that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
Response to Arguments
Applicant’s arguments, see Remarks filed on 11/25/2025, with respect to the 35 U.S.C. 103 rejection of the pending claims have been considered but are moot because of the new ground of rejection set forth below in view of the Singh reference (US 2023/0131682).
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. Claims 1, 9 and 17 recite “determining that the list of known vulnerabilities comprises at least one actionable vulnerability and activating a mitigation process to attenuate the at least one actionable vulnerability based on code actually delivered to the client device,” which is unclear. The limitation creates ambiguity because the independent claims do not otherwise set forth any code actually delivered to the client device. Furthermore, earlier in the claims the list of known vulnerabilities is obtained by querying a database with the determined code library name and version, so it is unclear whether the mitigation process is activated based on the result of that query and comparison or based on code actually delivered to the client device. No link is established among the web traffic to the client device, the list of known vulnerabilities associated with the code library, and the code actually delivered to the client device. Dependent claims 2-8, 10-16 and 18-20 are also rejected under the same rationale set forth above.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1, 2, 4, 9, 10, 12, 17, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Lejin P J (US 2024/0275808 A1) in view of Dalessio et al. (US 10229251) in view of Singh (US 2023/0131682).
Regarding Claim 1, Lejin P J discloses “A method for determining a client-side threat, comprising: monitoring web traffic to a client device” (Lejin P J: Para. 0027 describes how a web application firewall is implemented to monitor or filter network traffic to/from the virtual web application running on the client device);
“identifying, from the web traffic, a code library utilized by the client device” (Lejin P J: Para. 0028 describes how the firewall may identify third-party libraries utilized by the virtual web application running on the client device);
“determining, from the identified code library, a code library name and a code library version” (Lejin P J: Para. 0035 describes how library vulnerability data may include the names and versions of potentially vulnerable libraries);
“querying a database of known code library vulnerabilities with the determined code library name and code library version number and, in response, receiving a list of known vulnerabilities associated with the code library” (Lejin P J: Para. 0035 describes how library vulnerability data may include the names and versions of potentially vulnerable libraries; Para. 0036 describes how a request to the database system may be made, and the library vulnerability information associated with the web application running on the client device is provided); and
“determining that the list of known vulnerabilities comprises at least one actionable vulnerability based on code actually delivered to the client device” (Lejin P J: Para. 0039 describes how a monitoring service may transmit to the web application firewall information associated with the detected vulnerability, which allows an administrator to initiate appropriate remedial actions to mitigate the identified vulnerabilities).
Although Lejin P J discloses storing and maintaining the library information and comparing a hash value to the reference hash of the code library name and library version, Lejin P J does not explicitly disclose querying a database of known code library vulnerabilities with the code library name and code library version number. Dalessio, in analogous art, however, discloses querying a database of known code library vulnerabilities with the determined code library name and code library version number (see col. 13, lines 36-65, and col. 17, lines 13-20: determining the respective vulnerability includes querying the vulnerability database using each library identifier and the corresponding library version, and a notification of one or more security breaches is provided to a client). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Dalessio with Lejin P J in order to determine what security vulnerabilities the libraries have and provide notifications about the vulnerabilities to a user (see col. 1, lines 41-43, Dalessio).
While Lejin P J in view of Dalessio teaches monitoring web traffic, neither reference explicitly teaches that the monitoring is performed by an embedded device operating with the client device, that the monitored web traffic includes client-side application activity including Document Object Model (DOM) data generated from web traffic to the client device, or that the identifying is performed from the monitored DOM data of the web traffic.
Singh, in analogous art, however, discloses monitoring performed by an embedded device operating with a client device, of client-side application activity including Document Object Model (DOM) data generated from web traffic to the client device (para. [0089]–[0099], [0115]–[0126]: the monitor is implemented as a background/local process, as part of a workspace app, or embedded in client software; it receives UI data, filters changes, runs classifiers, and communicates with backend services; para. [0181]: the client application 1102 includes an embedded browser 1106, the remediator 108 of FIG. 1, and the monitor 102 of FIG. 1; para. [0071]–[0072], [0116]–[0124]: the monitored application is a browser or includes an embedded browser, and the filter 404 is configured to interoperate with the browser via the MutationObserver Web API to subscribe to notifications regarding DOM events), and identifying from the monitored DOM data of the web traffic (para. [0093], [0104]: the changes to the UI are identified by contrasting consecutive representations, which can include DOMs; para. [0116]–[0124]: the filter 404 is configured to process the details, such as new objects added to the DOM and/or attribute changes to existing objects in the DOM; see also DOM snapshots and the use of MutationObserver APIs to detect DOM changes).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Singh with Dalessio and Lejin P J in order to provide client-side monitoring implemented as a local process that can be embedded in client software and that interacts with web traffic in a variety of monitored software applications, such as web applications, software as a service (SaaS) applications, virtual applications, and local applications (see para. [0064], Singh).
Regarding Claim 2, Lejin P J in view of Dalessio in view of Singh further discloses “The method of claim 1, wherein activating the mitigation process further comprises activating the mitigation process within a runtime environment of the client-side application” (Singh, para. [0102]-[0108]: the remediator 108 is configured to receive and process requests from the monitor 102 to provide remediations to error messages; para. [0185]–[0195], [0298]–[0303]: the remediator 108 is configured to parse the requests, identify remediations stored in the requests, and apply the remediations; clients run rule processors and CV/ML locally, and when a match is detected the remediator executes the remediation locally in the client runtime). The same motivation set forth for claim 1 above applies.
Regarding Claim 4, Lejin P J in view of Dalessio in view of Singh further discloses “The method of claim 1, wherein the code library comprises at least one of a programming language code library and an open-source code library” (Lejin P J: Para. 0061 describes how JavaScript objects may be associated with vulnerable libraries).
Claims 9, 10, and 12 are system claims directed to the use of the method claimed in claims 1, 2, and 4. Therefore, system claims 9, 10, and 12 correspond to method claims 1, 2, and 4 and are likewise rejected for the same reasons of obviousness as above. In addition, Lejin P J discloses a network interface to a network and a processor coupled to a computer memory having instructions therein (para. 65-66, network interface and processors coupled to memory).
Claims 17 and 18 are apparatus claims directed to the use of the method claimed in claims 1 and 4. Therefore, apparatus claims 17 and 18 correspond to method claims 1 and 4 and are likewise rejected for the same reasons of obviousness as above.
Claims 3, 8, 11 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Lejin P J (US 2024/0275808 A1) in view of Dalessio et al. (US 10229251) and in view of Singh (US 2023/0131682) and further in view of Baset et al. (US 2017/0372072 A1), hereinafter Baset.
Regarding Claim 3, Lejin P J in view of Dalessio in view of Singh discloses “The method of claim 1, wherein: receiving the list of known vulnerabilities further comprises receiving a replacement code library” (Lejin P J: Para. 0061 describes “fallback objects”; if a vulnerability is detected, the user is notified of modifications to the functionality of the web application resulting from the use of these objects in lieu of the original objects of the vulnerable third-party library, i.e., the original objects are replaced with the fallback objects);
“wherein the replacement code library comprises the code library name and a replacement code library version absent the at least one actionable vulnerability” (Lejin P J: Para. 0061 describes how fallback objects, absent the vulnerability, replace the original, vulnerable objects found in the code library).
Lejin P J in view of Dalessio in view of Singh discloses the above subject matter but fails to expressly disclose “and activating the mitigation process comprises downloading the replacement code library”. However, Baset, analogous art from the same field of endeavor, teaches this: Para. 0020 describes the use of a vulnerability finding server (VFS), and Para. 0065 describes downloading libraries from known locations on the network, upon request from a user device, in response to a trigger event (such as determining that prior libraries are vulnerable).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to apply the teaching of Baset to the system of Lejin P J, Dalessio and Singh in order to identify security concerns in user device code libraries (Baset, para. 0005).
Regarding Claim 8, Lejin P J in view of Dalessio in view of Singh discloses the method of claim 1 as set forth above but fails to expressly disclose “wherein determining the code library from the web traffic further comprises identifying an attribute of at least a portion of the web traffic known to be associated with the code library”. Baset, however, discloses this (Baset: Para. 0004 describes how libraries are downloaded (i.e., a form of web traffic) and stored in a database, and how, for each library, a set of features (i.e., attributes of the code library) is extracted). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to apply the teaching of Baset to the system of Lejin P J, Dalessio and Singh in order to identify security concerns in user device code libraries (Baset, para. 0005).
Claims 11 and 16 are system claims directed to the use of the method claimed in claims 3 and 8. Therefore, system claims 11 and 16 correspond to method claims 3 and 8 and are likewise rejected for the same reasons of obviousness as above.
Claims 5, 13 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Lejin P J (US 2024/0275808 A1) in view of Dalessio et al. (US 10229251) and in view of Singh (US 2023/0131682) and further in view of Jennings et al. (US 2023/0019837 A1), hereinafter Jennings.
Regarding Claim 5, Lejin P J in view of Dalessio in view of Singh discloses the method of claim 1 as set forth above but fails to expressly disclose “wherein the database of known code library vulnerabilities comprises at least one of a Micro Focus Debricked Common Vulnerabilities and Exposures (CVE) database, and a GitHub Security Advisory (GHSA)”. Jennings, however, discloses this (Jennings: para. [0027] describes a database, file, collection, and/or databank comprising all of the packages and/or libraries, which may include one or more open-source distribution indexes and/or services such as the National Vulnerability Database (NVD), GitHub Security Advisories, NPM Security Advisories, OSS License Data, the SPDX OSS License Database, GitHub, GitLab, BitBucket, and the like). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to apply the teaching of Jennings to Lejin P J, Dalessio and Singh in order to utilize a database maintained by continually polling all known repositories for new and updated libraries, packages, versions and metadata (Jennings, para. [0027]).
Claims 13 and 19 are system and apparatus claims, respectively, directed to the use of the method claimed in claim 5. Therefore, claims 13 and 19 correspond to method claim 5 and are likewise rejected for the same reasons of obviousness as above.
Claims 6, 7, 14, 15, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Lejin P J (US 2024/0275808 A1) in view of Dalessio et al. (US 10229251) and in view of Singh (US 2023/0131682) and further in view of Pedro Freitas Fortuna dos Santos et al. (US 2016/0119344 A1), hereinafter Pedro Freitas Fortuna dos Santos.
Regarding Claim 6, Lejin P J in view of Dalessio in view of Singh discloses the above subject matter but fails to expressly disclose “The method of claim 1, wherein determining, from the code library, the code library name and the code library version of the code library comprises inspecting a Document Object Model (DOM) corresponding to the code library”. However, Pedro Freitas Fortuna dos Santos, analogous art from the same field of endeavor, teaches this: Para. 0024 describes how a DOM structure of web application code (i.e., code library) is swept and analyzed.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to apply the teaching of Pedro Freitas Fortuna dos Santos to the system of Lejin P J, Dalessio and Singh in order to protect the web browser from potential DOM-based attacks and ensure its security (Pedro Freitas Fortuna dos Santos, para. 0002, 0004).
Regarding Claim 7, the combination of Lejin P J, Dalessio, Singh and Pedro Freitas Fortuna dos Santos further discloses “The method of claim 6, wherein inspecting the DOM further comprises intercepting a DOM hook utilized by the code library” (Pedro Freitas Fortuna dos Santos: Para. 0007 describes how a DOM structure of web application code (i.e., code library) is intercepted to determine whether it is “clean” (i.e., free of vulnerabilities)).
Claims 14 and 15 are system claims directed to the use of the method claimed in claims 6 and 7. Therefore, the system claims 14 and 15 correspond to method claims 6 and 7, and are likewise rejected for the same reasons of obviousness as above.
Claim 20 is an apparatus claim directed to the use of the system claimed in claim 15. Therefore, the apparatus claim 20 corresponds to system claim 15, and is likewise rejected for the same reasons of obviousness as above.
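As an added illustration of the pipeline the rejected claims describe (monitoring DOM additions on the client, identifying a library name and version from the script actually delivered, querying a database of known library vulnerabilities, deciding whether any listed vulnerability is actionable and selecting a replacement library version, and, for claims 6 and 7, driving the identification from DOM data via the MutationObserver hook the Singh citation mentions), the following JavaScript is example code written for this page. It is not code from the application under examination or from Lejin P J, Dalessio, Singh, Baset, Jennings or Pedro Freitas Fortuna dos Santos. The vulnerability records, advisory identifiers, CDN host, URL shapes and sample DOM records are constructed placeholders; the function names are this example's own.

```javascript
'use strict';

// Constructed stand-in for the "database of known code library vulnerabilities".
// Identifiers and version bounds are placeholders for this example, not real advisories.
const VULN_DB = {
  jquery: [
    { id: 'EXAMPLE-ADV-1', affectsBelow: '3.5.0', actionable: true, fixedIn: '3.5.0' },
  ],
  lodash: [
    { id: 'EXAMPLE-ADV-2', affectsBelow: '4.17.21', actionable: true, fixedIn: '4.17.21' },
    // Informational-only entry: it is listed, but not treated as actionable.
    { id: 'EXAMPLE-ADV-3', affectsBelow: '4.17.16', actionable: false, fixedIn: '4.17.16' },
  ],
};

// Compare dotted numeric versions ("4.17.15" vs "4.17.21"): negative if a < b,
// zero if equal, positive if a > b. Missing components count as zero.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Determine the library name and version from the URL of a script actually
// delivered to the client. Recognises "/name-1.2.3(.min).js" and "/name@1.2.3/".
function identifyLibrary(src) {
  let m = src.match(/\/([a-z][a-z0-9_-]*?)-(\d+\.\d+(?:\.\d+)?)(?:\.min)?\.js(?:[?#]|$)/i);
  if (m) return { name: m[1].toLowerCase(), version: m[2], src };
  m = src.match(/\/([a-z][a-z0-9_-]*)@(\d+\.\d+(?:\.\d+)?)\//i);
  if (m) return { name: m[1].toLowerCase(), version: m[2], src };
  return null; // not a recognisable third-party library URL (e.g. a first-party bundle)
}

// Query the vulnerability table with the determined name and version; returns
// every listed vulnerability whose affected range includes that exact version.
function queryVulnerabilities(name, version) {
  return (VULN_DB[name] || []).filter((v) => compareVersions(version, v.affectsBelow) < 0);
}

// Decide whether the list contains an actionable vulnerability for the delivered
// code and, if so, build the mitigation: a replacement library of the same name
// at the lowest version that clears every actionable entry.
function assess(lib) {
  const vulnerabilities = queryVulnerabilities(lib.name, lib.version);
  const actionable = vulnerabilities.filter((v) => v.actionable);
  let mitigation = null;
  if (actionable.length > 0) {
    const replacementVersion = actionable.map((v) => v.fixedIn).sort(compareVersions).pop();
    mitigation = { action: 'replace-library', name: lib.name, version: replacementVersion };
  }
  return {
    ...lib,
    vulnerabilities: vulnerabilities.map((v) => v.id),
    actionable: actionable.map((v) => v.id),
    mitigation,
  };
}

// Handle DOM additions in the shape a MutationObserver callback delivers
// (records carrying addedNodes). Only <script src="..."> nodes are inventoried,
// so the identification is driven by the DOM data of the delivered page.
function processMutationRecords(records) {
  const findings = [];
  for (const record of records) {
    for (const node of record.addedNodes) {
      if (!node || node.tagName !== 'SCRIPT' || !node.src) continue;
      const lib = identifyLibrary(node.src);
      if (lib) findings.push(assess(lib));
    }
  }
  return findings;
}

// Browser wiring: subscribe to DOM events via MutationObserver and feed every
// finding to a callback. Returns null outside a browser (no MutationObserver),
// which keeps the file loadable under Node for the offline sample below.
function installDomMonitor(root, onFinding) {
  if (typeof MutationObserver === 'undefined') return null;
  const observer = new MutationObserver((records) => {
    processMutationRecords(records).forEach(onFinding);
  });
  observer.observe(root, { childList: true, subtree: true });
  return observer;
}

// Constructed sample input: the nodes a page added to the DOM, as the observer
// would report them. The CDN host and bundle name are made up for this example.
const SAMPLE_RECORDS = [
  { addedNodes: [{ tagName: 'SCRIPT', src: 'https://cdn.example/jquery-3.4.1.min.js' }] },
  { addedNodes: [{ tagName: 'DIV' }, { tagName: 'SCRIPT', src: 'https://cdn.example/lodash@4.17.15/lodash.min.js' }] },
  { addedNodes: [{ tagName: 'SCRIPT', src: 'https://cdn.example/app-bundle.js' }] },
];

// Offline run: identify, query, assess and report the mitigation plan per library.
for (const finding of processMutationRecords(SAMPLE_RECORDS)) {
  console.log(JSON.stringify(finding));
}
```

In a browser the same logic is attached with `installDomMonitor(document.documentElement, console.log)`; under Node the file runs against the constructed records, flags jquery 3.4.1 and lodash 4.17.15, and leaves the first-party bundle unidentified. The distinction between a listed vulnerability and an actionable one, and the tie of the mitigation to the version string taken from the delivered script URL, is exactly the link the 112(b) rejection above says the claims leave unstated.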
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 2022/0345483 – Shua discloses a method and system in which, based on a list of known vulnerabilities, a scanning system or its end user may identify one or more ports of accessibility to block storage that could be accessed by a known, listed vulnerability, in order to determine an avenue of potential exploitation.
US 2016/0028746 – Tonn discloses a method and system for detecting malicious computer code. A dataset may be accessed and converted to a binary dataset according to a predefined conversion algorithm. One or more cycles in the binary dataset may be identified, and statistical analysis may be performed on the identified cycles. A determination that the dataset includes malicious software code may be made based on the performed statistical analysis.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Shewaye Gelagay whose telephone number is (571)272-4219. The examiner can normally be reached 08:00 - 16:00 Eastern.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Amy C. Johnson can be reached on (571)272-2238. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SHEWAYE GELAGAY/ Supervisory Patent Examiner, Art Unit 2436