Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Arguments
Applicant's arguments filed 12/22/25 have been fully considered but they are not persuasive.
As per the USC 101 rejection, Applicant argues in part that the claimed method “requires use of specialized computer hardware and network infrastructure”.
Examiner does not find this argument persuasive. Nothing in the claims currently stated could not be performed by a user at a generic computer.
Applicant may overcome this USC 101 rejection with more specific claim amendments.
As per the USC 103 rejection, Applicant argues that Leung does not teach “3 distinct scanning operations”. Applicant appears to apply “parsing DNS responses” and additional steps in order to perform these “distinct scanning operations”.
Examiner points out that the claim merely recites executing a web crawl, scanning domain names, and scanning subdomains. The claim limitations do not even connect these three activities. For example, the web crawl in claim 1 is completely separated from a “subdomain scan”.
Examiner further argues, notwithstanding the above, that Leung teaches at [0052] that the web crawl, which begins with a domain scan, includes further crawling of subdomains, and this very clearly aligns with the claim as stated.
Applicant argues that Stamos fails to teach “web crawling” but merely “passively discovers”.
Examiner argues that Stamos teaches periodic “external scanner” usage and is not relied upon to teach a web crawl. Stamos teaches the amalgamation of data from a plurality of sources, which is used to determine whether a domain is known.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-20 are rejected under 35 U.S.C. 101. The claimed invention is directed to an abstract idea without significantly more. The claim(s) recite(s) determining whether a domain is known based on web crawling. This judicial exception is not integrated into a practical application because it is directed to an abstract idea. The claim(s) does/do not include additional elements that are sufficient to amount to significantly more than the judicial exception because
Step 2A Prong One: Claims 1-20 recite determining whether a domain is known based on web crawling. A human being can take URL data and go through domain and subdomains to determine if certain domains are new or unknown.
Step 2A Prong Two: The invention is implemented on a generic computer that does not significantly improve the technology. The claims as stated may use a generic computer and a web browser, which do not significantly improve the art.
Therefore, the claim(s) does/do not include additional elements that are sufficient to amount to significantly more than the judicial exception.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1, 2, 11, 12 is/are rejected under 35 U.S.C. 103 as being unpatentable over Leung US 2008/0313181 in view of Stamos US 9,264,395.
As per claims 1 and 11, Leung teaches A method comprising: executing, by an enumeration server system, a web crawl using a plurality of seed uniform resource locators; executing, by the enumeration server system, a domain name service subdomain scan; executing, by the enumeration server system, a subdomain scan; obtaining, by the enumeration server system, asset data associated with one or more client assets; [0006][0049][0050][0056][0057] (teaches a web crawl by using seed information and executing a domain/subdomain scan, and data)
Stamos teaches determining, by the enumeration server system, based upon the asset data and results of the web crawl, the domain name service subdomain scan, and the subdomain scan, whether each domain of a plurality of domains is known. (Column 6 lines 1-8, 26-46) (Column 7 lines 40-55) (Column 26 line 17 to Column 27 line 6) (teaches using seed data to scan domains and subdomains and determining whether a domain is known and reporting to the client who has subscribed to the service)
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the teaching of Stamos with the prior art because it increases security.
As per claims 2 and 12, Stamos teaches The method of claim 1, wherein executing, by the enumeration server system, the web crawl comprises: initializing, by the enumeration server system, a web crawler service; obtaining, by the enumeration server system, the plurality of seed uniform resource locators as initial points of entry for the web crawl; performing, by the enumeration server system, the web crawl via the web crawler service using the plurality of seed uniform resource locators as the initial points of entry for the web crawl; and outputting, by the enumeration server system, results of the web crawl. (Column 27 line 58 to Column 28 line 27)
Leung more explicitly teaches seed URLs. [0006][0049][0050][0056][0057]
Claim(s) 3-10, 13-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Leung US 2008/0313181 in view of Stamos US 9,264,395 and further in view of Crabtree US 2024/0291869.
As per claims 3 and 13, Crabtree teaches The method of claim 1, further comprising: responsive to determining a specific domain of the plurality of domains is unknown, determining, by the enumeration server system, whether the specific domain of the plurality of domains is in-scope. [0024][0073] (teaches determining domains and subdomains to establish a scope for further testing for vulnerabilities)
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the teaching of Crabtree with the prior art because it promotes more efficient resource usage.
Leung teaches determining a strict scope of domains.
Stamos teaches discovery of unknown domains and allowing a user/client/administrator to determine whether to approve the domain into an asset database, as shown above.
As per claim 4, Crabtree teaches The method of claim 3, 13 further comprising: responsive to determining that the specific domain of the plurality of domains is out-of-scope, dropping, by the enumeration server system, the specific domain from further consideration. [0024][0073] (teaches determining domains and subdomains to establish a scope for further testing for vulnerabilities)
Leung teaches determining a strict scope of domains.
Stamos teaches discovery of unknown domains and allowing a user/client/administrator to determine whether to approve the domain into an asset database, as shown above.
As per claim 5, Stamos teaches The method of claim 3, further comprising: responsive to determining that the specific domain of the plurality of domains is in-scope, inserting, by the enumeration server system, the specific domain into a host table for further consideration. (Column 28 lines 1-19) (teaches administrator confirming new asset to be inserted into database)
As per claims 6 and 15, Stamos teaches The method of claim 5, further comprising: classifying, by the enumeration server system, the specific domain based on an assessed significance of the one or more client assets. (Column 27 line 58 to Column 28 line 27) (teaches comparing to asset database of client and submitting domain to administrator approval)
As per claims 7 and 16, Stamos teaches The method of claim 5, further comprising: determining, by the enumeration server system, whether the specific domain is hosted by a third-party. (Column 26 line 56 to Column 27 line 7) (teaches the customer domain may be hosted by a third party)
As per claims 8 and 17, Stamos teaches The method of claim 7, further comprising: responsive to determining that the specific domain is hosted by the third-party, determining, by the enumeration server system, whether the specific domain is approved to be scanned; and responsive to determining that the specific domain is hosted by the third-party and is approved to be scanned, determining, by the enumeration server system, whether the specific domain is associated with a web application. (Column 26 line 56 to Column 27 line 7) (teaches the customer domain may be hosted by a third party) (Column 5 line 52 to Column 6 line 8) (Column 6 line 46 to Column 7 line 26) (Column 9 lines 36-62) (Column 11 lines 10-50) (Column 16 lines 39-55) (Column 17 lines 8-20) (teaches scanning assets including web applications and new hosts, including port scans/network scans and application security scanning)
As per claims 9 and 18, Stamos teaches The method of claim 8, further comprising: responsive to determining that the specific domain is associated with the web application, adding, by the enumeration server system, a new host associated with the specific domain to a port scan and to a dynamic application security testing scan; and instructing, by the enumeration server system, a scanner cluster server system to perform the port scan and the dynamic application security testing scan on the new host. (Column 5 line 52 to Column 6 line 8) (Column 6 line 46 to Column 7 line 26) (Column 9 lines 36-62) (Column 11 lines 10-50) (Column 16 lines 39-55) (Column 17 lines 8-20) (teaches scanning assets including web applications and new hosts, including port scans/network scans and application security scanning)
As per claims 10 and 19, Stamos teaches The method of claim 8, further comprising: responsive to determining that the specific domain is associated with the web application, adding, by the enumeration server system, a new host associated with the specific domain to a port scan; and instructing, by the enumeration server system, a scanner cluster server system to perform the port scan on the new host. (Column 5 line 52 to Column 6 line 8) (Column 6 line 46 to Column 7 line 26) (Column 9 lines 36-62) (Column 16 lines 39-55) (teaches scanning assets including web applications and new hosts, including port scans/network scans)
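The enumeration steps recited in claims 1 and 3 through 6 (merge scan results, decide whether each domain is known, gate unknown domains on scope, insert in-scope ones into a host table and classify them by the significance of the matching client asset) can be read as one decision pipeline. The following is an added illustration of that pipeline written for this page; it is not code from the application or from Leung, Stamos or Crabtree, and the asset data, known-host inventory and scan results are constructed. It stops at the host table and does not dispatch any scan.

```python
from dataclasses import dataclass

@dataclass
class HostRecord:
    domain: str        # newly discovered, in-scope domain
    source: str        # which enumeration step produced it
    significance: str  # classification inherited from the owning client asset

# Constructed asset data: client apex domains with an assessed significance each.
ASSET_DATA = {"example.com": "high", "example-labs.net": "low"}
# Constructed inventory of hosts the client already tracks ("known" domains).
KNOWN_HOSTS = {"www.example.com", "mail.example.com"}
# Constructed results standing in for the web crawl, DNS subdomain scan and subdomain scan.
SCAN_RESULTS = {
    "web_crawl": ["www.example.com", "cdn.example.com", "tracker.thirdparty.io"],
    "dns_subdomain_scan": ["mail.example.com", "vpn.example.com", "cdn.example.com"],
    "subdomain_scan": ["dev.example-labs.net", "old.example.org"],
}

def owning_asset(domain, asset_data):
    """Return the client apex that `domain` falls under, or None if it is out-of-scope.
    Walks the label suffixes so that sub.sub.example.com still maps to example.com."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in asset_data:
            return candidate
    return None

def enumerate_hosts(scan_results, asset_data, known_hosts):
    """Return (host_table, dropped): in-scope unknown domains with their classification,
    and unknown domains dropped because no client asset owns them."""
    host_table, dropped = [], []
    seen = set(known_hosts)  # known domains need no new record; also dedupes across scans
    for source, domains in scan_results.items():
        for domain in domains:
            if domain in seen:
                continue
            seen.add(domain)
            apex = owning_asset(domain, asset_data)
            if apex is None:
                dropped.append(domain)  # unknown and out-of-scope: drop from consideration
                continue
            host_table.append(HostRecord(domain, source, asset_data[apex]))
    return host_table, dropped
```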
As per claim 14, Crabtree teaches The system of claim 13, wherein the operations further comprise: responsive to determining that the specific domain of the plurality of domains is out-of-scope, dropping the specific domain from further consideration; or responsive to determining that the specific domain of the plurality of domains is in-scope, inserting the specific domain into a host table for further consideration. [0024][0073] (teaches determining domains and subdomains to establish a scope for further testing for vulnerabilities)
Leung teaches determining a strict scope of domains.
Stamos teaches discovery of unknown domains and allowing a user/client/administrator to determine whether to approve the domain into an asset database, as shown above.
As per claim 20, Leung teaches A computer-readable storage medium having computer-executable instructions stored thereon that, when executed by a processor, cause the processor to perform operations comprising: obtaining asset data associated with one or more client assets; determining, based upon the asset data, results of a web crawl, [0006][0049][0050][0056][0057] (teaches a web crawl by using seed information and executing a domain/subdomain scan, and data)
Stamos teaches results of a domain name service subdomain scan, and results of a subdomain scan, whether each domain of a plurality of domains is known; responsive to determining a specific domain of the plurality of domains is unknown, (Column 6 lines 1-8, 26-46) (Column 7 lines 40-55) (Column 26 line 17 to Column 27 line 6) (teaches using seed data to scan domains and subdomains and determining whether a domain is known and reporting to the client who has subscribed to the service)
Stamos teaches inserting the specific domain into a host table for further consideration; and classifying the specific domain based on an assessed significance of the one or more client assets. (Column 27 line 58 to Column 28 line 27) (teaches comparing to asset database of client and submitting domain to administrator approval, adding the domain to the host table)
Crabtree teaches determining whether the specific domain of the plurality of domains is in-scope; responsive to determining that the specific domain of the plurality of domains is in-scope, [0024][0073] (teaches determining domains and subdomains to establish a scope for further testing for vulnerabilities)
Conclusion
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER BROWN whose telephone number is (571)272-3833. The examiner can normally be reached M-F 8-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached at (571) 270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/CHRISTOPHER J BROWN/Primary Examiner, Art Unit 2439