DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Status of Claims
In response to communications filed on 10 April 2025, claims 1-20 are presently pending in the application, of which, claims 1, 10 and 19 are presented in independent form.
Drawings
The drawings, filed 10 April 2025, have been reviewed and accepted by the Examiner.
Specification
The lengthy specification has not been checked to the extent necessary to determine the presence of all possible minor errors. Applicant’s cooperation is requested in correcting any errors of which applicant may become aware in the specification.
Priority
The Examiner acknowledges that the instant application claims priority to U.S. Provisional Application No. 63/646,155, filed 13 May 2024, and has been accorded the earliest effective filing date.
Claim Rejections - 35 USC § 101
Regarding claims 1-20, under Step 2A claims 1-7 recite a judicial exception (abstract idea) that is not integrated into a practical application and does not provide significantly more.
Under Step 2A (prong 1), and taking claim 1 as representative, claim 1 recites:
building an injection query using the extracted data;
adding a cross-reference element to the injection query, the cross-reference element including a provider object identifier for the compromised provider object;
initiating creation of a clean provider object using the extracted data and the cross-reference element;
forcing creation of the clean provider object;
notifying third party systems of a provider object identifier for the created clean provider object.
These limitations recite mental processes, such as concepts performed in the human mind (see: 2019 PEG, p. 52). This is because each of the limitations above recites a series of steps that may be performed mentally, by which an evaluation is made of abstract data. For example, the limitations of ‘building an injection query using the extracted data; adding a cross-reference element to the injection query, the cross-reference element including a provider object identifier for the compromised provider object; initiating creation of a clean provider object using the extracted data and the cross-reference element; forcing creation of the clean provider object; notifying third party systems of a provider object identifier for the created clean provider object;’ illustrate a judgement being performed to find matching results and do not perform any technical operation. This represents a judgement or decision, which are concepts performed in the human mind and fall under certain methods of mental processes. Accordingly, under Step 2A (prong 1) the claim recites an abstract idea because the claim recites limitations that fall within the “Certain methods of mental processes” grouping of abstract ideas (see again: 2019 PEG, p. 52).
Under Step 2A (prong 2), the abstract idea is not integrated into a practical application. The Examiner acknowledges that representative claim 1 does recite additional elements, including hardware processing circuitry, such as an edge device.
Although reciting these additional elements, taken alone or in combination these elements are not sufficient to integrate the abstract idea into a practical application. This is because the additional elements of claim 1 are recited at a high level of generality (i.e. as generic computing hardware) such that they amount to nothing more than the mere instructions to implement or apply the abstract idea on generic computing hardware (or, merely uses a computer as a tool to perform an abstract idea). Further, the additional elements do no more than generally link the use of a judicial exception to a particular technological environment or field of use (such as the Internet or computing networks).
Secondly, the additional elements are insufficient to integrate the abstract idea into a practical application because the claim fails to (i) reflect an improvement in the functioning of a computer, or an improvement to other technology or technical field, (ii) implement the judicial exception with, or use the judicial exception in conjunction with, a particular machine or manufacture that is integral to the claim, (iii) effect a transformation or reduction of a particular article to a different state or thing, or (iv) apply or use the judicial exception in some other meaningful way beyond generally linking the use of the judicial exception to a particular technological environment.
In view of the above, under Step 2A (prong 2), claim 1 does not integrate the recited exception into a practical application (see again: 2019 Revised Patent Subject Matter Eligibility Guidance).
Under Step 2B, examiners should evaluate additional elements individually and in combination to determine whether they provide an inventive concept (i.e., whether the additional elements amount to significantly more than the exception itself). In this case, the claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. That is, the limitations of ‘extracting data from a compromised provider object,’ and ‘deactivating the compromised provider object,’ are additional elements that are insignificant extra-solution activities that do not amount to significantly more than the judicial exception.
Returning to representative claim 1, taken individually or as a whole the additional elements of claim 1 do not provide an inventive concept (i.e. they do not amount to “significantly more” than the exception itself). As discussed above with respect to the integration of the abstract idea into a practical application, the additional elements used to perform the claimed process amount to no more than the mere instructions to apply the exception using a generic computer and/or no more than a general link to a technological environment.
Furthermore, the additional elements fail to provide significantly more also because the claim simply appends well-understood, routine, conventional activities previously known to the industry, specified at a high level of generality, to the judicial exception. For example, the additional elements of claim 1 utilize operations the courts have held to be well-understood, routine, and conventional (see: MPEP 2106.05(d)(II)), including at least:
• receiving or transmitting data over a network,
• storing and retrieving information in memory, and/or
• performing repetitive calculations.
Even considered as an ordered combination (as a whole), the additional elements of claim 1 do not add anything further than when they are considered individually.
In view of the above, representative claim 1 does not provide an inventive concept (“significantly more”) under Step 2B, and is therefore ineligible for patenting.
Dependent claim 2 also does not integrate the abstract idea into a practical application. Notably, claim 2 recites ‘wherein before extracting the data the provider objects are filtered to identify provider objects that are eligible to be duplicated,’ all of which are more complexities descriptive of the abstract idea itself. Such complexities do not themselves provide further additional elements in addition to the abstract ideas themselves. Further, claim 2 relies upon at least similar additional elements that are mere instructions to implement the abstract idea or other exception on a computer. Considered both individually and as a whole, claim 2 does not integrate the recited exception into a practical application for at least similar reasons as discussed above.
Considered individually or as a whole, claim 2 also fails to result in “significantly more” than the abstract idea under Step 2B. This is again because the claim merely recites additional elements that are insignificant extra-solution activity that apply the exception on generic computing hardware, generally link the exception to a technological environment, and append well-understood, routine, conventional activities previously known to the industry, specified at a high level of generality, to the judicial exception (see discussion above).
Even when viewed as an ordered combination (as a whole), the additional elements of the dependent claims do not add anything further than when they are considered individually.
In view of the above, claim 2 does not provide an inventive concept (“significantly more”) under Step 2B, and is therefore ineligible for patenting.
Dependent claim 3 also does not integrate the abstract idea into a practical application. Notably, claim 3 recites ‘wherein building the injection query comprises converting at least some of the data from a format-specific format to a standard format; and adding the data to the injection query in the standard format,’ all of which are more complexities descriptive of the abstract idea itself. Such complexities do not themselves provide further additional elements in addition to the abstract ideas themselves. Further, claim 3 relies upon at least similar additional elements that are mere instructions to implement the abstract idea or other exception on a computer. Considered both individually and as a whole, claim 3 does not integrate the recited exception into a practical application for at least similar reasons as discussed above.
Considered individually or as a whole, claim 3 also fails to result in “significantly more” than the abstract idea under Step 2B. This is again because the claim merely recites additional elements that are insignificant extra-solution activity that apply the exception on generic computing hardware, generally link the exception to a technological environment, and append well-understood, routine, conventional activities previously known to the industry, specified at a high level of generality, to the judicial exception (see discussion above).
Even when viewed as an ordered combination (as a whole), the additional elements of the dependent claims do not add anything further than when they are considered individually.
In view of the above, claim 3 does not provide an inventive concept (“significantly more”) under Step 2B, and is therefore ineligible for patenting.
Dependent claim 4 also does not integrate the abstract idea into a practical application. Notably, claim 4 recites ‘wherein building the injection query comprises adding at least some of the data to the injection query without converting the format of the data,’ all of which are more complexities descriptive of the abstract idea itself. Such complexities do not themselves provide further additional elements in addition to the abstract ideas themselves. Further, claim 4 relies upon at least similar additional elements that are mere instructions to implement the abstract idea or other exception on a computer. Considered both individually and as a whole, claim 4 does not integrate the recited exception into a practical application for at least similar reasons as discussed above.
Considered individually or as a whole, claim 4 also fails to result in “significantly more” than the abstract idea under Step 2B. This is again because the claim merely recites additional elements that are insignificant extra-solution activity that apply the exception on generic computing hardware, generally link the exception to a technological environment, and append well-understood, routine, conventional activities previously known to the industry, specified at a high level of generality, to the judicial exception (see discussion above).
Even when viewed as an ordered combination (as a whole), the additional elements of the dependent claims do not add anything further than when they are considered individually. In view of the above, claim 4 does not provide an inventive concept (“significantly more”) under Step 2B, and is therefore ineligible for patenting.
Dependent claim 5 also does not integrate the abstract idea into a practical application. Notably, claim 5 recites ‘wherein the injection query includes a replicated use case to indicate that the requested provider object is going to be a duplicate of a compromised provider object,’ all of which are more complexities descriptive of the abstract idea itself. Such complexities do not themselves provide further additional elements in addition to the abstract ideas themselves. Further, claim 5 relies upon at least similar additional elements that are mere instructions to implement the abstract idea or other exception on a computer. Considered both individually and as a whole, claim 5 does not integrate the recited exception into a practical application for at least similar reasons as discussed above.
Considered individually or as a whole, claim 5 also fails to result in “significantly more” than the abstract idea under Step 2B. This is again because the claim merely recites additional elements that are insignificant extra-solution activity that apply the exception on generic computing hardware, generally link the exception to a technological environment, and append well-understood, routine, conventional activities previously known to the industry, specified at a high level of generality, to the judicial exception (see discussion above).
Even when viewed as an ordered combination (as a whole), the additional elements of the dependent claims do not add anything further than when they are considered individually. In view of the above, claim 5 does not provide an inventive concept (“significantly more”) under Step 2B, and is therefore ineligible for patenting.
Dependent claim 6 also does not integrate the abstract idea into a practical application. Notably, claim 6 recites ‘wherein the third party systems are notified that the provider object is a clean provider object by modifying a header in a communication protocol used to communicate the message,’ all of which are more complexities descriptive of the abstract idea itself. Such complexities do not themselves provide further additional elements in addition to the abstract ideas themselves. Further, claim 6 relies upon at least similar additional elements that are mere instructions to implement the abstract idea or other exception on a computer. Considered both individually and as a whole, claim 4 does not integrate the recited exception into a practical application for at least similar reasons as discussed above.
Considered individually or as a whole, claim 6 also fails to result in “significantly more” than the abstract idea under Step 2B. This is again because the claim merely recites additional elements that are insignificant extra-solution activity that apply the exception on generic computing hardware, generally link the exception to a technological environment, and append well-understood, routine, conventional activities previously known to the industry, specified at a high level of generality, to the judicial exception (see discussion above).
Even when viewed as an ordered combination (as a whole), the additional elements of the dependent claims do not add anything further than when they are considered individually. In view of the above, claim 6 does not provide an inventive concept (“significantly more”) under Step 2B, and is therefore ineligible for patenting.
Dependent claim 7 also does not integrate the abstract idea into a practical application. Notably, claim 7 recites ‘wherein deactivating the compromised provider object comprises at least one of: making the compromised provider object read only; restricting access to the compromised provider object; and password protecting the compromised provider object,’ all of which are more complexities descriptive of the abstract idea itself. Such complexities do not themselves provide further additional elements in addition to the abstract ideas themselves. Further, claim 7 relies upon at least similar additional elements that are mere instructions to implement the abstract idea or other exception on a computer. Considered both individually and as a whole, claim 7 does not integrate the recited exception into a practical application for at least similar reasons as discussed above.
Considered individually or as a whole, claim 7 also fails to result in “significantly more” than the abstract idea under Step 2B. This is again because the claim merely recites additional elements that are insignificant extra-solution activity that apply the exception on generic computing hardware, generally link the exception to a technological environment, and append well-understood, routine, conventional activities previously known to the industry, specified at a high level of generality, to the judicial exception (see discussion above).
Even when viewed as an ordered combination (as a whole), the additional elements of the dependent claims do not add anything further than when they are considered individually. In view of the above, claim 7 does not provide an inventive concept (“significantly more”) under Step 2B, and is therefore ineligible for patenting.
Claims 8-14 appear to include similar subject matter as in claims 1-7 as discussed above. More specifically, independent claim 8 additionally recites ‘an intermediation server comprising a non-transitory computer readable medium storing instructions which, when executed by a processor, cause the processor…’ which is recited at a high level of generality and is recited as performing mere generic computer functions routinely used in computer applications. Generic computer components recited as performing generic computer functions that are well-understood, routine and conventional activities amount to no more than implementing the abstract idea with a computerized system, in addition to merely indicating a field of use or technological environment in which the judicial exception is applied, and do not amount to significantly more than the exception itself. All the comments made with respect to the rejection of claims 1-7 equally apply, and claims 8-14 therefore stand rejected.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 103 that form the basis for the rejections under this section made in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Gupta, Satya (U.S. 2016/0337400, known hereinafter as Gupta) in view of Kinder, Ross, et al. (U.S. 2018/0152480, known hereinafter as Kinder).
As per claim 1, Gupta teaches a method comprising:
extracting data from a compromised provider object (e.g. Gupta, see paragraph [0041], which discloses that the instrumentation engine extracts database query information for one or more database queries.);
building an injection query using the extracted data (e.g. Gupta, see paragraph [0041], which discloses inserting the extracted database query information into context data sent to one or more threads of the web server, where the information may be checked for a potential database injection attack.);
adding a cross-reference element to the injection query, the cross-reference element including a provider object identifier for the compromised provider object (e.g. Gupta, see paragraphs [0041-0042], which disclose that the instrumentation engine may send some or all of the captured database query data to the analysis engine, which uses the matched information to perform deep context aware searches for detecting a database injection attack, where for example, if the database activities comprise a database request querying tables of the database, the analysis engine may match the user and session information (e.g. cross-reference elements) to corresponding information specified in the query.);
initiating creation of a clean provider object using the extracted data and the cross-reference element (e.g. Gupta, see paragraph [0075], which discloses that a remedial action (e.g. clean provider object) to thwart an injection attack is to log out the offending user by removing his/her session ID from the database, release the sockets associated with the threads on which the threat has appeared, terminate the thread on which a threat has appeared, and/or blacklist the user that caused the threat.);
notifying third party systems of a provider object identifier for the created clean provider object (e.g. Gupta, see paragraph [0077], which discloses that the analysis engine lets the security monitoring agent know which remedial action to carry out. The monitoring agent then performs the action associated with the remedial action on the application and then sends a confirmation message back to the analysis engine. See further paragraph [0051], which discloses terminating the attacker session and recording it to alert security operations personnel.).
Gupta does not explicitly disclose forcing creation of the clean provider object; and deactivating the compromised provider object.
Kinder teaches forcing creation of the clean provider object (e.g. Kinder, see paragraph [0065], Figure 10, which discloses applying a selected repair to a detected security risk, where the repair is executed, the check is run again and information is displayed to confirm that the security risk was resolved.); and
deactivating the compromised provider object (e.g. Kinder, see paragraphs [0011-0018], which disclose that templates may be used to implement security risk remediation where, in the protect mode, when a repair plan is selected, the object may be deactivated until the repair is completed.).
Gupta is directed to detection of SQL injection queries. Kinder is directed to reversibly remediating a security risk. Both are analogous art because they are directed to injection query attacks, and therefore it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify the teachings of Gupta with the teachings of Kinder to include the claimed features, with the motivation to improve injection queries.
As per claim 8, Gupta teaches an intermediation server comprising a non-transitory computer readable medium storing instructions which, when executed by a processor (e.g. Gupta, see Figure 7A, which discloses memory, processor, and network interface.), cause the processor to:
extracting data from a compromised provider object (e.g. Gupta, see paragraph [0041], which discloses that the instrumentation engine extracts database query information for one or more database queries.);
building an injection query using the extracted data (e.g. Gupta, see paragraph [0041], which discloses inserting the extracted database query information into context data sent to one or more threads of the web server, where the information may be checked for a potential database injection attack.);
adding a cross-reference element to the injection query, the cross-reference element including a provider object identifier for the compromised provider object (e.g. Gupta, see paragraphs [0041-0042], which disclose that the instrumentation engine may send some or all of the captured database query data to the analysis engine, which uses the matched information to perform deep context aware searches for detecting a database injection attack, where for example, if the database activities comprise a database request querying tables of the database, the analysis engine may match the user and session information (e.g. cross-reference elements) to corresponding information specified in the query.);
initiating creation of a clean provider object using the extracted data and the cross-reference element (e.g. Gupta, see paragraph [0075], which discloses that a remedial action (e.g. clean provider object) to thwart an injection attack is to log out the offending user by removing his/her session ID from the database, release the sockets associated with the threads on which the threat has appeared, terminate the thread on which a threat has appeared, and/or blacklist the user that caused the threat.);
notifying third party systems of a provider object identifier for the created clean provider object (e.g. Gupta, see paragraph [0077], which discloses that the analysis engine lets the security monitoring agent know which remedial action to carry out. The monitoring agent then performs the action associated with the remedial action on the application and then sends a confirmation message back to the analysis engine. See further paragraph [0051], which discloses terminating the attacker session and recording it to alert security operations personnel.).
Gupta does not explicitly disclose forcing creation of the clean provider object; and deactivating the compromised provider object.
Kinder teaches forcing creation of the clean provider object (e.g. Kinder, see paragraph [0065], Figure 10, which discloses applying a selected repair to a detected security risk, where the repair is executed, the check is run again and information is displayed to confirm that the security risk was resolved.); and
deactivating the compromised provider object (e.g. Kinder, see paragraphs [0011-0018], which disclose that templates may be used to implement security risk remediation where, in the protect mode, when a repair plan is selected, the object may be deactivated until the repair is completed.).
Gupta is directed to detection of SQL injection queries. Kinder is directed to reversibly remediating a security risk. Both are analogous art because they are directed to injection query attacks, and therefore it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify the teachings of Gupta with the teachings of Kinder to include the claimed features, with the motivation to improve injection queries.
As per claims 2 and 9, the modified teachings of Gupta and Kinder teach the method of claim 1 and the intermediation server of claim 8, respectively, wherein before extracting the data the provider objects are filtered to identify provider objects that are eligible to be duplicated (e.g. Gupta, see paragraphs [0054, 0062], which disclose dynamically capturing and parsing database queries, where the parsed queries may be sent to a CMS to be replicated (e.g. duplicated) using a replicator interface, where the CMS makes a determination of whether the valid request needs to be extracted.).
As per claims 3 and 10, the modified teachings of Gupta and Kinder teach the method of claim 1 and the intermediation server of claim 8, respectively, wherein building the injection query comprises converting at least some of the data from a format-specific format to a standard format (e.g. Gupta, see paragraph [0047], which discloses that the analysis engine communicates with a validation engine to declare an injection attack, where the analysis engine analyzes context data that maps extracted database information from a server and determines the format or content of the expression parameters.); and
adding the data to the injection query in the standard format (e.g. Gupta, see paragraph [0047], which discloses that the analysis engine then adds the triggered database queries into a number of expressions and outputs the database queries.).
As per claims 4 and 11, the modified teachings of Gupta and Kinder teach the method of claim 1 and the intermediation server of claim 8, respectively, wherein building the injection query comprises adding at least some of the data to the injection query without converting the format of the data (e.g. Gupta, see paragraphs [0055-0056], which disclose that the instrumentation engine may first extract the corresponding data types for the expression parameters, then add the expression parameters and then capture the database queries triggered from the attack.).
As per claims 5 and 12, the modified teachings of Gupta and Kinder teach the method of claim 1 and the intermediation server of claim 8, respectively, wherein the injection query includes a replicated use case to indicate that the requested provider object is going to be a duplicate of a compromised provider object (e.g. Gupta, see paragraphs [0054, 0062], which disclose dynamically capturing and parsing database queries, where the parsed queries may be sent to a CMS to be replicated (e.g. duplicated) using a replicator interface, where the CMS makes a determination of whether the valid request needs to be extracted.).
As per claims 6 and 13, the modified teachings of Gupta and Kinder teach the method of claim 1 and the intermediation server of claim 8, respectively, wherein the third party systems are notified that the provider object is a clean provider object by modifying a header in a communication protocol used to communicate the message (e.g. Gupta, see paragraph [0077], which discloses that the analysis engine lets the security monitoring agent know which remedial action to carry out. The monitoring agent then performs the action associated with the remedial action on the application and then sends a confirmation message back to the analysis engine. See further paragraph [0051], which discloses terminating the attacker session and recording it to alert security operations personnel.).
As per claims 7 and 14, the modified teachings of Gupta and Kinder teach the method of claim 1 and the intermediation server of claim 8, respectively, wherein deactivating the compromised provider object comprises at least one of:
making the compromised provider object read only (e.g. Kinder, see paragraphs [0053-0056], which disclose that if the detected or identified security risk has been corrected or reversed, a change condition is determined indicating the remedial action has addressed the identified/detected risk. See additionally Figure 6, which discloses a permission setting to make the object read only.);
restricting access to the compromised provider object (e.g. Kinder, see paragraphs [0053-0056], which disclose that if the detected or identified security risk has been corrected or reversed, a change condition is determined indicating the remedial action has addressed the identified/detected risk. See additionally Figure 6, which discloses a permission setting to enable restricted access.); and
password protecting the compromised provider object (e.g. Kinder, see Figure 6, which discloses permission settings and protected settings that limit the object.).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure. See the attached PTO-892, which includes additional prior art of record describing the general state of the art to which the invention is directed.
Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to FARHAN M SYED whose telephone number is (571)272-7191. The examiner can normally be reached M-F 8:30AM-5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Apu Mofiz can be reached at 571-272-4080. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/FARHAN M SYED/Primary Examiner, Art Unit 2161 March 12, 2026