DETAILED ACTION
This action is in response to the claims filed 11/27/2023. Claims 1-20 are pending. Independent claims 1, 9 and 17, and corresponding dependent claims are directed towards a method, non-transitory computer readable storage medium for providing application security using causal graph.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claim 1 is rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1 and 12 of U.S. Patent No. 10,873,599. Although the claims at issue are not identical, they are not patentably distinct from each other because of subject matter indicated below:
Application 18/519828
US Patent No. 10,873,599
1. A method comprising:
based on receipt from a remote device of a first request that includes a first application programming interface (API) call to a website, determining whether the first request is valid based on a first sequence of previous API calls indicated in a first cookie of the first request matching one of a plurality of legitimate sequences of API calls that corresponds to legitimate use of the first API call;
based on a determination that the first request is valid, transmitting the first request to a server corresponding to the website; and
based on a determination that the first request is invalid, delaying or foregoing transmission of the first request to a server corresponding to the website.
1. A method for providing application security using a path profile, including: receiving, from a first remote device, a first request to access a first location of a website; transmitting, to a server that corresponds to the website, the first request to access the first location; receiving, from the server, a first cookie that includes identifying information for the first location; in response to receiving the first cookie, storing the identifying information for the first location; receiving, from the first remote device, a second request to access a second location of the website, wherein: the second location is distinct from the first location, and the second request includes the identifying information for the first location; transmitting, to the server, the second request to access the second location; receiving, from the server, a second cookie that includes the identifying information for the first location and identifying information for the second location; in response to receiving the second cookie, storing a first path profile that includes the identifying information for the first location and the identifying information for the second location; receiving, from a second remote device, a third request to access the second location of the website; determining whether the third request meets request criteria based on the first path profile; in accordance with a determination that the third request meets the request criteria, transmitting, to the server, the third request to access the second location; and in accordance with a determination that the third request does not meet the request criteria, performing one or more enforcement operations.
+
12. The method of claim 1, wherein: the second location corresponds to an application programming interface (API) call; the third request meets the request criteria when the third request includes API call information that corresponds to the second location; and the third request does not meet the request criteria when the third request does not include the API call information that corresponds to the second location.
Specification
The disclosure is objected to because of the following informalities: the first recitation of the following acronyms is not expanded: [0024] API; [0077] DRAM, SRAM, DDR RAM and CPU; and [0079] HSPA and IEEE. Appropriate correction is required.
Claim Objections
Claims 3-7, 9, 11 and 17 are objected to because of the following informalities, shown with suggested amendments: Claim 3 ll. 2-3 “some of the API calls” for grammar; Claim 4 l. 1 “whether the first request [[if]]is valid” for grammar; Claim 5 l. 3 “whether the first request is valid” for grammar; Claim 6 l. 1 “wherein each of the plurality of legitimate sequences” for grammar; Claim 7 ll. 1-2 “wherein the first sequence of previous API calls corresponds to different locations of the website” for grammar; Claim 9 l. 8, 11-12, 13-14 and 15-6 “the request” should be “the successive request” for proper antecedent basis; Claim 11 l. 3 “at least some of the API calls” for grammar; and Claim 17 l. 10, 13-14,15-16, 17 and 18 “the request” should be “the successive request” for proper antecedent basis. Appropriate correction is required.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
Claims 1-20 are rejected under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor regards as the invention.
Claim 1 l. 2 recites the limitation “based on receipt from a remote device of a first request” which is vague and indefinite as it is unclear to which entities the “remote device” is “remote” (a user, an unclaimed device performing the method, the website, etc.). For purposes of applying prior art the limitation has been construed as a device that is remote from the website and the device performing the method.
Claim 9 l. 5 recite the limitation “for each successive request from a remote device” which is vague and indefinite as it is unclear to which entities the “remote device” is “remote” (a user, an unclaimed device performing the method, the website, etc.). For purposes of applying prior art the limitation has been construed as a device that is remote from the website and the device performing the method.
Claim 17 l. 7 recite the limitation “for each successive request from a remote device” which is vague and indefinite as it is unclear to which entities the “remote device” is “remote” (e.g. a user, website, the system, etc.). For purposes of applying prior art the limitation has been construed as a device that is remote from the website and the system.
Claims 2-8, 10-16 and 18-20 incorporate the deficiencies of claims 1, 9 and 17, respectively, through dependency, and are therefore also rejected.
Allowable Subject Matter
Claims 1-20 would be allowable if rewritten or amended to overcome the claim objections, Double Patenting rejections and claim rejection(s) under 35 U.S.C. 112(b), set forth in this Office action.
The following is a statement of reasons for the indication of allowable subject matter:
Regarding claim 1 and its dependent claims, the prior art of record fails to disclose or fairly suggest, in combination, a method in which a request is determined valid or invalid and respectively forwarded or delayed/not forwarded based on a previous sequence of API calls presented in a cookie of the request matching one of a plurality of legitimate API call sequences, in the specific manner and combination as recited in claim 1.
Regarding claims 9 and 17, and their dependent claims, the prior art of record fails to disclose or fairly suggest, in combination, a non-transitory computer readable storage medium or system for protecting a website from attacks using legitimate access patterns in which after a minimum number of requests from a device, each successive request is determined valid or invalid and respectively forwarded or delayed/not forwarded based on a previous sequence of API calls presented in a cookie of the successive request matching one of a plurality of legitimate API call sequences, in the specific manner and combination as recited in claims 9 and 17.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Bai et al. “Detecting Malicious Behavior using Critial API calling Graph Matching” is related to detecting malware using API call graph matching.
Wang et al. “Using API Sequence and Bayes Algorithm to Detect Suspicious Behavior” is related to detecting suspicious behavior based on API sequence.
Holloway et al. (US 2018/0007085 A1) is related to mitigating a DDoS attack in a cloud-based proxy service.
Doron et al. (US 10,887,341 B2) is related to detection and mitigation of slow application layer DDoS attacks.
Clayton et al. (US 2021/0258329 A1) is related to detecting and mitigating golden SAML attacks against federated services.
Muddu et al. (US 2018/0367551 A1) is related to anomaly detection based on connection requests in network traffic.
Sadika et al. (US 2016/0308900 A1) is related to identifying and preventing malicious API attacks.
Arnoth et al. (US 2019/0311132 A1) is related to determining a threat score.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ERIC W SHEPPERD whose telephone number is (571)270-5654. The examiner can normally be reached on Monday - Thursday, Alt. Friday, 7:30AM - 5:00PM, EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Rupal Dharia can be reached on (571)272-3880. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Eric W Shepperd/Primary Examiner, Art Unit 2492