DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
The Amendment filed 01 December 2025 has been received and considered.
Claims 1-7 and 9-21 are pending.
This Action is Final.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1 and 9-14 are rejected under 35 U.S.C. 103 as being unpatentable over Singh (US 20220131851) in view of Hamilton et al. (US 20220191193).
As per claims 1, 9, and 10, Singh discloses a medium, device, and access request capturing method, wherein the method comprises: upon receiving an initial access request from a current user, returning session response information, wherein the session response information comprises a session control identifier and auxiliary authentication data that are stored at different locations; receiving a current non-initial access request from the current user (see paragraph [0031] where the session id is stored in a cookie and the authentication data is separately stored in a JWT).
While Singh discloses verifying the session information and authentication information for the subsequent requests and it is generally known that if any of this data is different or missing the request would fail, there lacks an explicit recitation that when the current non-initial access request carries the session control identifier and does not carry the auxiliary authentication data, capturing the current non-initial access request and in response to that the current non-initial access request is captured, executing a malicious request handling operation.
However, Hamilton et al. teaches receiving a session response including a session control identifier that is set in cookie data, and auxiliary authentication data set in a text location outside the cookie data and receiving an access request when the current non-initial access request carries the session control identifier and does not carry the auxiliary authentication data, capturing the current non-initial access request and in response to that the current non-initial access request is captured, executing a malicious request handling operation (see paragraphs [0051], [0066]-[0067], and [0089]-[0097] where the CSRF token is the auxiliary authentication data that is not included in the cookie, and when a request does not include the CSRF token the service is not executed, i.e. captured, and a second operation is performed, i.e. a malicious request handling operation).
At a time before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art, to capture requests with missing authentication data in the Singh system.
Motivation to do so would have been to protect against cross-site request forgery attacks (see Hamilton et al. paragraph [0051]).
As per claims 11-13, the modified Singh and Hamilton et al. system discloses the auxiliary authentication data is set at different locations in a response header of the session response information, wherein the auxiliary authentication data is field values of a plurality of fields, wherein the auxiliary authentication data is a character with a specified number of digits in a field value of one field (see Singh paragraph [0031]).
As per claim 14, the modified Singh and Hamilton et al. system discloses the non-initial access request comprises: an access request for requesting the access to website resources, requesting the change of resource attributes or requesting the change of permissions that is received after the initial access request (see Singh paragraph [0031] and Hamilton et al. paragraph [0051]).
Claims 2, 15, 19, and 21 are rejected under 35 U.S.C. 103 as being unpatentable over the modified Singh and Hamilton et al. system as applied to claims 1, 9, and 10 above, and further in view of Harguindeguy et al. (US 20200220875).
As per claims 2, 19, and 21, the modified Singh and Hamilton et al. system discloses accepting requests when the current non-initial access request carries the session control identifier and carries the auxiliary authentication data, and generally protecting API requests, but fails to explicitly disclose judging whether an API called by the current non-initial access request is consistent with a preset trap API; and when the API called by the current non-initial access request is consistent with the preset trap API, capturing the current non-initial access request.
However, Harguindeguy et al. teaches judging whether an API called by the current non-initial access request is consistent with a preset trap API; and when the API called by the current non-initial access request is consistent with the preset trap API, capturing the current non-initial access request (see paragraph [0245]).
At a time before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to include the judging and trapping capturing of Harguindeguy et al. in the modified Singh and Hamilton et al. system.
Motivation to do so would have been to detect an attack or an attempt to attack the API (see Harguindeguy et al. paragraph [0245]).
As per claim 15, the modified Singh, Hamilton et al. and Harguindeguy et al. system discloses calling a core API in a hidden manner and setting a trap API by using the Representational State Transfer (REST) technology (see Harguindeguy et al. paragraphs [0244] and [0279]).
Claims 3 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over the modified Singh and Hamilton et al. system as applied to claims 1 and 9 above, and further in view of Goodridge et al. (US 20190325133).
As per claims 3 and 20, the modified Singh and Hamilton et al. system discloses accepting requests when the current non-initial access request carries the session control identifier and carries the auxiliary authentication data, but fails to explicitly disclose judging whether the time corresponding to a time stamp carried by the current non-initial access request has been shifted previously; and when the time has been shifted previously, capturing the current non-initial access request.
However, Goodridge et al. teaches judging whether the time corresponding to a time stamp carried by the current non-initial access request has been shifted previously; and when the time has been shifted previously, capturing the current non-initial access request (see paragraph [0061]).
At a time before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to include the judging and trapping capturing of Goodridge et al. in the modified Singh and Hamilton et al. system.
Motivation to do so would have been to detect an EoP attack (see Goodridge et al. paragraph [0061]).
Claims 4, 5, 16, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over the modified Singh and Hamilton et al. system as applied to claim 1 above, and further in view of Stickle (US 10973601).
As per claims 4 and 5, the modified Singh and Hamilton et al. system discloses accepting requests when the current non-initial access request carries the session control identifier and carries the auxiliary authentication data, but fails to explicitly disclose judging whether request data carried by the current non-initial access request is consistent with preset trap data; and when the request data carried by the current non-initial access request is consistent with the preset trap data, capturing the current non-initial access request and judging whether the current non-initial access request instructs to call an authentication interface of a preset false database; and when the current non-initial access request instructs to call the authentication interface of the preset false database, capturing the current non-initial access request.
However, Stickle teaches judging whether request data carried by the current non-initial access request is consistent with preset trap data; and when the request data carried by the current non-initial access request is consistent with the preset trap data, capturing the current non-initial access request and judging whether the current non-initial access request instructs to call an authentication interface of a preset false database; and when the current non-initial access request instructs to call the authentication interface of the preset false database, capturing the current non-initial access request (see column 7 line 36 through column 9 line 67).
At a time before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to include the decoy credentials and corresponding authentication databases of Stickle in the modified Singh and Hamilton et al. system.
Motivation, as recognized by one of ordinary skill in the art, to do so would have been to detect use of compromised credentials.
As per claims 16 and 17, the modified Singh, Hamilton et al., and Stickle system discloses the step of judging whether request data carried by the current non-initial access request is consistent with preset trap data comprises: judging whether a username in the request data is consistent with a username in the preset trap data, wherein the step of judging whether request data carried by the current non-initial access request is consistent with preset trap data further comprises: judging whether a character at another location in the request data is consistent with a preset character in the trap data (see Stickle column 7 line 36 through column 9 line 67).
Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over the modified Singh and Hamilton et al. system as applied to claim 1 above, and further in view of Harguindeguy et al., Goodridge et al. and Stickle.
As per claim 6, the modified Singh and Hamilton et al. system fails to disclose the various judging steps. However, as put forth above Harguindeguy et al., Goodridge et al. and Stickle teach each of these judging steps and executing a malicious request handling operation where the steps are being performed in any preset order desired.
At a time before the effective filing date of the invention, it would have been obvious to include each of the judging steps from Harguindeguy et al., Goodridge et al. and Stickle in the modified Singh and Hamilton et al. system.
Motivation, as recognized by one of ordinary skill in the art, to do so would have been to improve the system to detect multiple types of attacks or suspicious activities.
This combination fails to explicitly disclose stopping the subsequent judging steps once one judging step is determined to be satisfied. However, Official Notice is taken that at a time before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to stop the processing once one step is satisfied in the combined system in order to save resources by not judging additional steps when it is already determined the request is malicious.
Claims 7 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over the modified Singh, Hamilton et al., Harguindeguy et al., Goodridge et al. and Stickle system as applied to claim 6 above, and further in view of Allen (US 20180262529).
As per claim 7, the modified Singh, Hamilton et al., Harguindeguy et al., Goodridge et al. and Stickle system fails to explicitly disclose determining a malicious access level corresponding to the current non-initial access request, and updating malicious access data corresponding to the current user, wherein the malicious access data is used for recording numbers of malicious access attempts corresponding to different malicious access levels; and when the number of malicious access attempts corresponding to any one of the malicious access levels reaches a corresponding preset threshold value, executing an access restriction operation.
However, Allen teaches determining a malicious access level corresponding to the current non-initial access request, and updating malicious access data corresponding to the current user, wherein the malicious access data is used for recording numbers of malicious access attempts corresponding to different malicious access levels; and when the number of malicious access attempts corresponding to any one of the malicious access levels reaches a corresponding preset threshold value, executing an access restriction operation (see paragraph [0050]).
At a time before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to include the tracking of Allen in the modified Singh, Hamilton et al., Harguindeguy et al., Goodridge et al. and Stickle system.
Motivation, as recognized by one of ordinary skill in the art, to do so would have been to limit the number of false positive results.
As per claim 18, the modified Singh, Hamilton et al., Harguindeguy et al., Goodridge et al., Stickle, and Allen system discloses a first-level of malicious access request: the time corresponding to a time stamp carried by the current non-initial access request has been shifted previously; a second-level of malicious access request: an API called by the current non-initial access request is consistent with a preset trap API, or request data carried by the current non-initial access request is consistent with preset trap data, or the current non-initial access request instructs to call an authentication interface of a preset false database; and a third-level of malicious access request: the current non-initial access request carries a session control identifier and does not carry auxiliary authentication data (see Allen paragraph [0050] in combination with the remaining references as put forth above, where there is no requirement that the levels be different and are therefore considered to be the same).
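The claim structure paraphrased in the rejections above (a session control identifier stored in a cookie with auxiliary authentication data stored elsewhere, judging steps run in a preset order that stop at the first satisfied step, malicious access levels, and per-user attempt counts with per-level thresholds) can be illustrated as a request-judging pipeline. The Python below is an added example written for this page; it is not code from the application, the Office action, or any cited reference. The cookie and header names, trap API paths, decoy usernames, the clock-skew window used to interpret a "shifted" timestamp, the thresholds and the sample requests are all constructed assumptions.

```python
"""Added example: ordered judging steps with first-match stop, level assignment and
per-level threshold tracking. All names and values below are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

SESSION_COOKIE = "session_id"            # assumed cookie carrying the session control identifier
AUX_HEADER = "X-Auth-Token"              # assumed header carrying the auxiliary authentication data
TRAP_APIS = {"/api/v1/internal/export"}  # constructed trap API paths that legitimate clients never call
TRAP_USERNAMES = {"svc_backup_legacy"}   # constructed decoy usernames (preset trap data)
FALSE_DB_AUTH = "/auth/legacy/login"     # constructed authentication interface of a preset false database
MAX_CLOCK_SKEW = 300                     # seconds; a timestamp outside this window is treated as "shifted"

# Levels follow claim 18 as paraphrased above: 1 = shifted timestamp; 2 = trap API, trap data
# or false-database authentication; 3 = session identifier present without auxiliary data.
THRESHOLDS = {1: 5, 2: 1, 3: 3}          # constructed per-level thresholds for access restriction


@dataclass
class Request:
    user: str
    path: str
    cookies: dict
    headers: dict
    body: dict = field(default_factory=dict)
    timestamp: Optional[int] = None      # Unix seconds as sent by the client


def judge_missing_aux(req: Request, now: int) -> Optional[int]:
    """Claim 1: session control identifier carried, auxiliary authentication data absent."""
    if SESSION_COOKIE in req.cookies and AUX_HEADER not in req.headers:
        return 3
    return None


def judge_trap_api(req: Request, now: int) -> Optional[int]:
    """Claim 2: the API called matches a preset trap API."""
    return 2 if req.path in TRAP_APIS else None


def judge_timestamp_shift(req: Request, now: int) -> Optional[int]:
    """Claim 3 (interpreted here as skew beyond an accepted window): timestamp has been shifted."""
    if req.timestamp is not None and abs(now - req.timestamp) > MAX_CLOCK_SKEW:
        return 1
    return None


def judge_trap_data(req: Request, now: int) -> Optional[int]:
    """Claims 4 and 5: request data matches preset trap data, or the request calls the
    authentication interface of a preset false database."""
    if req.body.get("username") in TRAP_USERNAMES or req.path == FALSE_DB_AUTH:
        return 2
    return None


# Claim 6: the judging steps run in a preset order and stop at the first one satisfied.
JUDGING_STEPS = (judge_missing_aux, judge_trap_api, judge_timestamp_shift, judge_trap_data)


def classify(req: Request, now: int) -> Optional[int]:
    """Return the malicious access level of the first satisfied step, or None if the request
    passes every step; later steps are not evaluated once one is satisfied."""
    for step in JUDGING_STEPS:
        level = step(req, now)
        if level is not None:
            return level
    return None


class AccessTracker:
    """Claim 7: count malicious attempts per user and per level; once any level reaches its
    threshold, execute the access restriction operation (here: refuse further requests)."""

    def __init__(self):
        self.counts = defaultdict(lambda: defaultdict(int))
        self.restricted = set()

    def handle(self, req: Request, now: int) -> str:
        if req.user in self.restricted:
            return "restricted"
        level = classify(req, now)
        if level is None:
            return "accepted"
        self.counts[req.user][level] += 1          # update the user's malicious access data
        if self.counts[req.user][level] >= THRESHOLDS[level]:
            self.restricted.add(req.user)
            return "restricted"
        return f"captured:level{level}"            # captured; malicious request handling would run here


def demo() -> list:
    """Run constructed sample requests through the tracker and return the outcome of each."""
    now = 1_700_000_000
    tracker = AccessTracker()
    good = Request("alice", "/api/v1/profile", {SESSION_COOKIE: "s1"}, {AUX_HEADER: "t1"}, timestamp=now)
    no_token = Request("bob", "/api/v1/profile", {SESSION_COOKIE: "s2"}, {}, timestamp=now)
    trap = Request("carol", "/api/v1/internal/export", {SESSION_COOKIE: "s3"}, {AUX_HEADER: "t3"}, timestamp=now)
    stale = Request("dave", "/api/v1/profile", {SESSION_COOKIE: "s4"}, {AUX_HEADER: "t4"}, timestamp=now - 3600)
    return [tracker.handle(r, now) for r in (good, no_token, no_token, no_token, trap, stale)]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The order of `JUDGING_STEPS` is the "preset order" of claim 6: a request that both lacks the auxiliary data and calls a trap API is classified by the first step (level 3) and the trap-API step is never reached, which is the resource-saving behaviour the Official Notice describes.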
Response to Arguments
Applicant’s arguments with respect to claim(s) 1-7 and 9-21 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: the remaining references put forth on the PTO-892 are directed towards monitoring requests and/or trapping requests.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL J PYZOCHA whose telephone number is (571)272-3875. The examiner can normally be reached Monday-Thursday 7:30am-5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Hadi Armouche can be reached at (571) 270-3618. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Michael Pyzocha/ Primary Examiner, Art Unit 2409