DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Arguments
Applicant’s remarks filed on 03/09/2026 has been fully considered.
Regarding claim[s] 1 – 20 under the anticipatory rejection, applicant’s remarks are moot because the new ground of rejection does not rely on all the reference[s] applied in the prior rejection of record for any teaching or matter specifically challenged in the argument. Therefore, see the office action below.
The examiner will respond to all other remarks that do not concern the prior art rejections, if any, in the office action below.
Response to Amendment
Status of the instant application:
Claim[s] 1 – 20 are pending in the instant application.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or non-obviousness.
Claim(s) 1, 2, 5, 8, 9, 12, 15, 16, 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Zhao et al. [US PGPUB # 2019/0327265] in view of Zhou et al. [US PGPUB # 2025/0150472]
As per claim 1. Zhao does teach a system [Zhao, Figure # 1, and paragraph: 0117, FIG. 1 illustrates an example of a computing environment 100 in which web page code is modified for the purpose of combatting MitB attacks.] comprising:
a memory that stores a set of parameters associated with processing of data interactions [Zhao, paragraph: 0019, A simplified block diagram of such a network appliance 120 is shown in FIG. 2. Appliance 120 contains one or more processors 200, including one or more single or multi-core processors configured to execute stored instructions. Appliance 120 also includes one or more memories 204. Memory 204 comprises non-transitory computer-readable storage media that could potentially include a wide variety of forms of volatile and non-volatile storage media. For instance, memory 204 could include electronic storage media, magnetic storage media, optical storage media, quantum storage media, mechanical storage media, etc. Memory 204 provides storage for computer readable instructions, data structures, program modules and other data for the operation of appliance 120.]; and
a processor communicatively coupled to the memory [Zhao, paragraph: 0119, A simplified block diagram of such a network appliance 120 is shown in FIG. 2. Appliance 120 contains one or more processors 200, including one or more single or multi-core processors configured to execute stored instructions. Appliance 120 also includes one or more memories 204] and configured to:
detect a request from a first user to perform a data interaction [Zhao, paragraph: 0027, Web Page code representing a web page requested by a client device is received (304). The web page code can represent a web page requested by a client device, such as the login page for the banking website discussed above. The web page code can be received at network appliance 120 of FIG. 1 from Server(s) 104 by way of load balancer 116, as discussed above.]……………………….;
detect that processing of the requested data interaction is initiated [Zhao, paragraph: 0028, lines 1 – 3, The web page code is modified (308). The modification of web page code can include a variety of steps, which can occur in a varying order.];
monitor the set of parameters ………… associated with the processing of the requested data interaction [Zhao, Figure # 3, and paragraph: 0046, lines 1 – 11, Returning to FIG. 3, in some implementations, monitoring code is added to the web page code (320). For example, Monitoring Code 420 of FIG. 4 can be injected into Modified Web Page Code 220 at Monitoring Module 424. Monitoring Code 420 can include JavaScript code that is configured to detect when malicious code is injected into Decoy Code 412. For example, Monitoring Code 420 can include JavaScript that can analyze elements of Decoy Code 412 to perform a code comparison to detect elements that are present in decoy code as it exists on a client device but not in original Decoy Code 412 that was added to Web Page Code 212 at 316 of FIG. 3];
determine, based on the monitoring, whether anomalous activity has occurred relating to processing of the data interaction, wherein the anomalous activity comprises at least one activity not known to normally occur when processing the data interaction [Zhao, paragraph: 0053, lines 1 – 7, According to some implementations, a notification is received that injected code was detected in the decoy code (332). For instance, such a notification can be received at Monitoring Module 424 of FIG. 4 from Monitoring Code 420. By way of example, injection of malicious code can be detected by Monitoring Code 420 operating on a client device at 328 of FIG. 3.]……………………………………………………………………………….;
in response to determining that no anomalous activity has occurred relating to processing the data interaction, obtain a response associated with the processing of the data interaction, wherein the response comprises software code to be executed by a user device to present at least a portion of the response on a display associated with the user device [Zhao, paragraph: 0038, lines 4 – 5, Unlike Obfuscated Target Code 408 which is rendered by a browser and presented to a user, Decoy Code 412 is not presented to a user. ];
obfuscate at least a portion of the software code comprised in the response [Zhao, Figure # 3, and paragraph: 0029, Returning to FIG. 3, a portion of the web page code is transformed (312). For example, as described above, a portion of the web page code that includes “target code” which might be vulnerable to MitB attacks can be obfuscated such that it is no longer detectible by the malware implementing the MitB attacks. For example, Target Code 400 can be transformed at Obfuscation Module 404 of FIG. 4 to produce Obfuscated Target Code 408.];
replace the portion of the software code with the obfuscated software code in the response [Zhao, Figure # 3, and paragraph: 0029, Returning to FIG. 3, a portion of the web page code is transformed (312). For example, as described above, a portion of the web page code that includes “target code” which might be vulnerable to MitB attacks can be obfuscated such that it is no longer detectible by the malware implementing the MitB attacks. For example, Target Code 400 can be transformed at Obfuscation Module 404 of FIG. 4 to produce Obfuscated Target Code 408. ]; and
transmit to the user device, the response including the obfuscated software code [Zhao, paragraph: 0038, lines 4 – 5, Unlike Obfuscated Target Code 408 which is rendered by a browser and presented to a user, Decoy Code 412 is not presented to a user.].
Zhao does not clearly teach the claim limitations of
“..wherein the request comprises the set of parameters associated with processing of the data interaction;”
“..that are included in the request and……”
“…wherein determining comprises:
compare an actual value of a first parameter of the set of parameters associated with the data interaction to an expected value of the first parameter;”
“..in response to detecting that the actual value of the first parameter of the set of parameters is same as the expected value of the first parameter, determine that no anomalous activity has occurred relating to processing the data interaction;”
However, Zhou does teach the claim limitations of:
“..wherein the request comprises the set of parameters associated with processing of the data interaction [paragraph: 0103, lines 1 – 9, In an example, a user provides a request [i.e. applicant’s request] to transfer funds from one account to a second account. The user is accessing the account via a website instead of an application on the user computing device 110. The machine learning system 153 accesses any details [i.e. applicant’s parameters] related to the user, the request, the user computing device 110, the user account, the account to which the funds are being transferred, the location of the user, and any other suitable details related to the interaction.];”
“..that are included in the request [paragraph: 0103, lines 1 – 9] and……”
“…wherein determining comprises:
compare an actual value of a first parameter of the set of parameters associated with the data interaction to an expected value of the first parameter [paragraph: 0103, 9 – 14, The machine learning system 153 compares the details [i.e. applicant’s set or parameters – first parameter] to the models or algorithms that are constructed to monitor fraud in similar interactions. For example, the machine learning system 153 enters the details [i.e. applicant’s first parameter] into an algorithm that models fraudulent activities for account fund transfers];”
“..in response to detecting that the actual value of the first parameter of the set of parameters is same as the expected value of the first parameter, determine that no anomalous activity has occurred relating to processing the data interaction [paragraph: 0091, lines 1 – 6, In the example, a rule may be developed that verifies if a user location is the same for multiple interactions that are occurring simultaneously. If the locations of the interactions are different, then the rule may identify at least one of the interactions as being fraudulent ];”
It would have been obvious to one of ordinary skilled in the art before the effective filing date of the claimed invention to combine the teachings of Zhao and Zhou in order for the protection of the requested webpage by the client – user thru obfuscation of the vulnerable webpage programming code from malware attack of Zhao to include a fraud system with modeling system of Zhou. This would allow for the request for the webpage to be analyzed in real time for determination of a fraudulent request for the client is allowed to access the requested webpage. See paragraph: 0065 of Zhou.
As per claim 2. Zhao does teach the system of Claim 1, wherein the obfuscated code is configured to be decoded and executed by the user device to present at least the portion of the response on the display associated with the user device [Zhao, paragraph: 0038, lines 4 – 5, Unlike Obfuscated Target Code 408 which is rendered by a browser and presented to a user….etc.].
As per claim 5. Zhao does teach the system of Claim 1, wherein the processor is further configured to obfuscate the software code comprised in the response using one or more code obfuscation methods comprising name obfuscation, control flow obfuscation, string obfuscation, code splitting, code merging, dead code insertion, control flow flattening, code substitution, function inlining, context-aware string obfuscation, polymorphic code generation [Zhao, paragraph: 0034, In one example of the obfuscation of Target Code 400, the field names of a form could be changed through a polymorphic transformation. Polymorphic transformation of web page code involves dynamically altering the ordinarily static source code associated with a web page. This makes the source code more difficult to exploit from the perspective of code-injecting malware while leaving web content viewable to the human user apparently unchanged. It should be noted that there are a number of ways to transform web page source code without changing the web page's appearance to a user], or a combination thereof.
As per method claim 8 that includes the same or similar claim limitations as system claim 1, and is similarly rejected.
As per method claim 9 that includes the same or similar claim limitations as system claim 2, and is similarly rejected.
As per method claim 12 that includes the same or similar claim limitations as system claim 5, and is similarly rejected.
As per non – transitory computer readable medium claim 15, that includes the same or similar claim limitations as system claim 1, and is similarly rejected.
As per non – transitory computer readable medium claim 16, that includes the same or similar claim limitations as system claim 2, and is similarly rejected.
As per non – transitory computer readable medium claim 19, that includes the same or similar claim limitations as system claim 5, and is similarly rejected.
Claim(s) 3, 10, 17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Zhao et al. [US PGPUB # 2019/0327265] in view of Zhou et al. [US PGPUB # 2025/0150472], as applied in the rejection of claim # 1 above, further in view of Ray et al. [US PGPUB # 2017/0310686]
As per claim 3. Zhao and Zhou do teach what is taught in the rejection of claim 1 above.
Zhao and Zhou do not clearly teach the system of Claim 1, wherein the set of parameters associated with the processing of the requested data interaction comprises one or more request parameters associated with the request, memory access patterns during the processing of the data interaction, delays incurred during the processing of the data interaction, network activity during the processing of the data interaction, or a combination thereof.
However, Ray does teach the system of Claim 1, wherein the set of parameters associated with the processing of the requested data interaction comprises one or more request parameters associated with the request, memory access patterns during the processing of the data interaction, delays incurred during the processing of the data interaction, network activity during the processing of the data interaction [Figure # 7, and paragraph: 0168, The threat monitor 720 may include any suitable threat monitoring, malware detection, antivirus program or the like suitable for monitoring and reporting on a security state of an endpoint or individual processes 704 executing thereon. This may include local threat monitoring using, e.g., behavioral analysis or static analysis. The threat monitor 720 may also or instead use reputation to evaluate the security state of processes 704 based on the processes 704 themselves, source files or executable code for the processes 704, or network activity initiated by the processes 704. For example, if a process 704 requests data from a remote URL that is known to have a bad reputation, this information may be used to infer a compromised security state of the endpoint.], or a combination thereof.
It would have been obvious to one of ordinary skilled in the art before the effective filing date of the claimed invention to combine the teachings of Zhao as modified and Ray in order for the protection of the requested webpage by the client – user thru obfuscation of the vulnerable webpage programming code from malware attack of Zhao as modified to include the vetting of the source or author of the webpage programming code of Ray. This would allow for a gateway or firewall to vet the webpage for malware before the webpage is sent to the requesting user. See paragraph: 0005 of Ray.
As per method claim 10 that includes the same or similar claim limitations as system claim 3, and is similarly rejected.
As per non – transitory computer readable medium claim 17, that includes the same or similar claim limitations as system claim 3, and is similarly rejected.
Claim(s) 4, 11, 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Zhao et al. [US PGPUB # 2019/0327265] in view of Zhou et al. [US PGPUB # 2025/0150472], as applied in the rejection of claim # 1 above, further in view of Hasan et al. [US PGPUB 2017/0214701]
As per claim 4. Zhao and Zhou do teach what is taught in the rejection of claim 1 above.
Zhao and Zhou do not clearly teach the system of Claim 1, wherein the processor is further configured to detect that an anomalous activity has occurred relating to processing of the data interaction in response to detecting one or more of:
one or more unusual request parameters received as part of the request;
the processing of the data interaction takes longer than expected;
unusual memory access patterns during the processing of the data interaction;
or multiple requests for the data interaction are received within a pre-configured time period.
However, Hasan does teach the system of Claim 1, wherein the processor is further configured to detect that an anomalous activity has occurred relating to processing of the data interaction in response to detecting one or more of:
one or more unusual request parameters received as part of the request [Figure # 62, 63 and paragraph: 0267, lines1 – 21, FIGS. 62 and 63 shows Data Recall Tracking 399 keeps track of all information uploaded from and downloaded to the Suspicious Entity 415. This is done to mitigate the security risk of sensitive information being potentially transferred to Malware. This security check also mitigates the logistical problems of a legitimate enterprise process receiving Mock Data 400. In the case that Mock Data had been sent to a (now known to be) legitimate enterprise entity, a “callback” is performed which calls back all of the Mock Data, and the Real Data (that was originally requested) is sent as a replacement. A callback trigger is implemented so that a legitimate enterprise entity will hold back on acting on certain information until there is a confirmation that the data is not fake. If real data had been transferred to the malware inside a virtual mixed environment, the entire environment container is securely destroyed with the Malware 385 inside. An alert is placed systemwide for any unusual activity concerning the data that was known to be in the malware's possession before it was destroyed. This concept is manifested at Systemwide Monitoring 405. If the entity that received partial real data turns out to be malware (upon analyzing behavior patterns), then the virtual environment (including the malware) is securely destroyed, & the enterprise-wide network is monitored for unusual activity of the tagged real data. This way any potential information leaks are contained];
the processing of the data interaction takes longer than expected;
unusual memory access patterns during the processing of the data interaction;
or multiple requests for the data interaction are received within a pre-configured time period.
It would have been obvious to one of ordinary skilled in the art before the effective filing date of the claimed invention to combine the teachings of Zhao as modified and Hasan in order for the protection of the requested webpage by the client – user thru obfuscation of the vulnerable webpage programming code from malware attack of Zhao as modified to include dynamic encrypting operations over the vulnerable webpage programming code of Hasan. This would prevent the malware from finding and using the webpage programming code is encrypted. See paragraph: 0265, lines 1 – 8 of Hasan.
As per method claim 11 that includes the same or similar claim limitations as system claim 4, and is similarly rejected.
As per non – transitory computer readable medium claim 18, that includes the same or similar claim limitations as system claim 4, and is similarly rejected.
Claim(s) 6, 13, 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Zhao et al. [US PGPUB # 2019/0327265] in view of Zhou et al. [US PGPUB # 2025/0150472], as rejected over claim 1 above, further in view of Sanders et al. [US PAT # 9165142]
As per claim 6. Zhao and Zhou do teach what is taught in the rejection of claim # 1 above.
Zhao and Zhou do not clearly teach the system of Claim 1, wherein the processor is further configured to: in response to determining that an anomalous activity has occurred relating to processing of the data interaction:
generate a first hash key value based on a first set of data values received as part of the request, wherein the first set of data values are associated with a plurality of parameters configured to define a digital identity of the first user;
compare the first hash key value to a verified second hash key value associated with the first user, wherein the verified second hash key value is generated based on a verified second set of data values associated with the plurality of parameters;
in response to detecting, based on the comparing, that the first hash key value does not match with the second hash key value:
determine that the digital identity of the first user is not authenticated;
stop processing of the requested data interaction; and
generate an alert indicating that the digital identity of the first user is not authenticated.
However, Sanders does teach the system of Claim 1, wherein the processor is further configured to:
in response to determining that an anomalous activity has occurred relating to processing of the data interaction [Figure # 6, steps # 606, 610, and col. 11, lines 23 – 29, Whether the potential malware sample is a known sample (e.g., has been previously analyzed and results of that prior analysis have been cached or stored by the security cloud service) is determined at 606. ]:
generate a first hash key value based on a first set of data values received as part of the request, wherein the first set of data values are associated with a plurality of parameters configured to define a digital identity of the first user [col. 11, lines 23 – 29, Whether the potential malware sample is a known sample (e.g., has been previously analyzed and results of that prior analysis have been cached or stored by the security cloud service) is determined at 606. For example, files can be matched by various comparison techniques (e.g., using hashes, such as an MD5 based hash or other hashing or file comparison techniques).];
compare the first hash key value to a verified second hash key value associated with the first user, wherein the verified second hash key value is generated based on a verified second set of data values associated with the plurality of parameters [col. 11, lines 23 – 29, Whether the potential malware sample is a known sample (e.g., has been previously analyzed and results of that prior analysis have been cached or stored by the security cloud service) is determined at 606. For example, files can be matched by various comparison techniques (e.g., using hashes, such as an MD5 based hash or other hashing or file comparison techniques).];
in response to detecting, based on the comparing, that the first hash key value does not match with the second hash key value [col. 11, lines 23 – 29, Whether the potential malware sample is a known sample (e.g., has been previously analyzed and results of that prior analysis have been cached or stored by the security cloud service) is determined at 606.]:
determine that the digital identity of the first user is not authenticated [col. 3, lines 24 – 26, However, such non-signature based approaches can fail to identify malware and/or can improperly identify legitimate software as malware (e.g., also referred to as false positives).];
stop processing of the requested data interaction [col. 11, lines 46 – 48, In some embodiments, the results for the potential malware sample are cached or stored by the security cloud service (e.g., to avoid having to repeat the analysis of a later submission of an identical malware sample from another security device and to maintain a collection of malware samples identified as associated with/members of particular malware families).]; and
generate an alert indicating that the digital identity of the first user is not authenticated [Figure # 6, step # 618, and col. 11, lines 42 – 46, At 618, an alert and/or notification (e.g., to a security vendor, IT/security admin, user, and/or other person or entity associated with the submitted potential malware sample) is generated if a profile signature match was determined.].
It would have been obvious to one of ordinary skilled in the art before the effective filing date of the claimed invention to combine the teachings of Zhao as modified and Sanders in order for the protection of the requested webpage from malware attack requested by the client - user of Zhao as modified to include virtual machine environment of Sanders. This would allow for the user to trick the malware in attacking a copy of the webpage in an environment that doesn’t affect the user actual client machine. See col. 4, lines 17 – 31 of Sanders.
As per method claim 13 that includes the same or similar claim limitations as system claim 6, and is similarly rejected.
As per non – transitory computer readable medium claim 20, that includes the same or similar claim limitations as system claim 6, and is similarly rejected.
Claim(s) 7, 14 is/are rejected under 35 U.S.C. 103 as being unpatentable over Zhao et al. [US PGPUB # 2019/0327265] in view of Zhou et al. [US PGPUB # 2025/0150472] and Sanders et al. [US PAT # 9165142], as applied in the rejection of claim # 6 above, further in view of Glassco et al. [US PGPUB # 2022/0278967]
As per claim 7. Zhao and Zhou and Sanders do teach what is taught in the rejection of claim 6 above.
Zhao and Zhou and Sanders do not clearly teach the system of Claim 6, wherein the verified second hash key value is associated with a Non-Fungible Token (NFT) that uniquely identifies the digital identity of the first user.
However, Glassco does teach the system of Claim 6, wherein the verified second hash key value is associated with a Non-Fungible Token (NFT) that uniquely identifies the digital identity of the first user [paragraph: 0057, In a sixth group of embodiments, a computer or a local computer provides one or more verified personas for a distributed token (such as an NFT) of a first user. For example, the first user's identity may be known to the provider of the SVPN, such as via their account(s) with the provider of the SVPN. However, the first user may be able to define the one or more verified personas that are associated with their account(s) with the provider of the SVPN. The one or more verified personas may obfuscate the known identity of the first user when conducting one or more discrete secure transactions (such as a blockchain transaction and, more generally, a transaction associated with a cryptocurrency or the NFT) using or associated with the distributed token. Notably, the first user may associate or link the one or more verified personas with the distributed token of the first user. This may allow the first user the benefits and privacy of selectively making themselves anonymous (and controlling what information about themselves is made public), while offering the protection of being able to identify the first user when needed (such as to prevent fraudulent, unwanted, criminal or dangerous activity during the one or more discrete secure transactions.].
It would have been obvious to one of ordinary skilled in the art before the effective filing date of the claimed invention to combine the teachings of Zhao as modified and Glassco in order for the protection of the requested webpage by the client – user thru obfuscation of the vulnerable webpage programming code from malware attack of Zhao as modified to include dynamic encrypting operations over the vulnerable webpage programming code of Glassco. This would prevent the malware from finding and using the encrypting keys to gain access to the webpage programming code based on the webpage programming code is encrypted with different encryption keys. See paragraphs: 0009, 0010 of Glassco.
As per method claim 14 that includes the same or similar claim limitations as system claim 7, and is similarly rejected.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DANT SHAIFER - HARRIMAN whose telephone number is (571)272-7910. The examiner can normally be reached M - F: 9am to 5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached at 571- 272- 3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/DANT B SHAIFER HARRIMAN/ Primary Examiner, Art Unit 2434