Ex Parte AMIT et al, Patent Trial and Appeal Board, Mar. 18, 2016, Application No. 13/429,993 (P.T.A.B. Mar. 18, 2016)

UNITED STATES PATENT AND TRADEMARK OFFICE
UNITED STATES DEPARTMENT OF COMMERCE
United States Patent and Trademark Office
Address: COMMISSIONER FOR PATENTS, P.O. Box 1450, Alexandria, Virginia 22313-1450, www.uspto.gov

APPLICATION NO.: 13/429,993
FILING DATE: 03/26/2012
FIRST NAMED INVENTOR: YAIR AMIT
ATTORNEY DOCKET NO.: IL920100130US2_8150-0208
CONFIRMATION NO.: 9800
EXAMINER: POWERS, WILLIAMS
ART UNIT: 2434
PAPER NUMBER:
NOTIFICATION DATE: 03/22/2016
DELIVERY MODE: ELECTRONIC

52021 7590 03/22/2016
Cuenot, Forsythe & Kim, LLC
20283 State Road 7 Ste. 300
Boca Raton, FL 33498

Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication.

Notice of the Office communication was sent electronically on above-indicated "Notification Date" to the following e-mail address(es): ibmptomail@iplawpro.com

PTOL-90A (Rev. 04/07)

UNITED STATES PATENT AND TRADEMARK OFFICE
BEFORE THE PATENT TRIAL AND APPEAL BOARD

Ex parte YAIR AMIT, ALEXANDER LANDA, and OMER TRIPP

Appeal 2014-007325
Application 13/429,993
Technology Center 2400

Before CAROLYN D. THOMAS, JOSEPH P. LENTIVECH, and KARA L. SZPONDOWSKI, Administrative Patent Judges.

THOMAS, Administrative Patent Judge.

DECISION ON APPEAL

Appellants seek our review under 35 U.S.C. § 134(a) of the Examiner finally rejecting claims 5-16, all the pending claims in the present application. Claims 1-4 and 17-25 are canceled (App. Br. 2). We have jurisdiction over the appeal under 35 U.S.C. § 6(b).

We AFFIRM-IN-PART.

The present invention relates generally to a system for detecting security vulnerabilities in web applications. See Abstract.

Claim 5 is illustrative:

5.
A method for detecting security vulnerabilities in web applications, the method comprising:

    providing a payload to a web application during a first interaction with the web application at a computer server, where the payload includes a payload instruction and an identifier;

    detecting the identifier within the payload received during an interaction with the web application subsequent to the first interaction; and

    determining, responsive to detecting the identifier within the payload, whether the payload instruction underwent a security check prior to execution of the payload instruction.

Appellants appeal the following rejections:

R1. Claims 5 and 9-11 are rejected under 35 U.S.C. § 103(a) as being unpatentable over E. Galan, et al., A Multi-agent Scanner to Detect Stored-XSS Vulnerabilities, University Carlos III of Madrid, UC3M, Leganes, Spain (hereinafter "MultiScanner"), in view of Gordon Chiu, et al., ECEJ 776F: Project Proposal: A Client-Side Browser-Integrated Solution for Detecting and Preventing Cross Site Scripting (XSS) Attacks, University of Toronto Faculty of Engineering, September 25, 2006 (hereinafter "ClientSide");

R2. Claims 6 and 14-16 are rejected under 35 U.S.C. § 103(a) as being unpatentable over MultiScanner and ClientSide, in further view of Misganaw Tadesse Gebre, A Robust Defense Against Content-Sniffing XSS Attacks, Graduate School of Info and Comm, Digital Vaccine and Immune Sys Lab, Ajou University, Suwon, Korea (hereinafter "RobustXSS");

R3. Claim 7 is rejected under 35 U.S.C. § 103(a) as being unpatentable over MultiScanner, ClientSide, and RobustXSS, in further view of Fangqi Sun, Client-Side Detection of XSS Worms by Monitoring Payload Propagation, Department of Computer Science, University of California, Davis (hereinafter "PayloadPropagation");

R4. Claim 8 is rejected under 35 U.S.C.
§ 103(a) as being unpatentable over MultiScanner and ClientSide, in further view of Williams (US 2011/0231936 A1; pub. Sept. 22, 2011);

R5. Claim 12 is rejected under 35 U.S.C. § 103(a) as being unpatentable over MultiScanner and ClientSide, in further view of Weisman (US 2010/0050263 A1; pub. Feb. 25, 2010); and

R6. Claim 13 is rejected under 35 U.S.C. § 103(a) as being unpatentable over MultiScanner and ClientSide, in further view of Gallagher (US 7,343,626 B1; iss. Mar. 11, 2008).

RELATED DECISION

Appeal No. 2014-007324 (Application No. 13/217,418), mailed March 18, 2016 (Examiner Affirmed). Appellants direct our attention to essentially the same or similar evidence relied upon in the above-noted related case. Therefore, we adopt and incorporate herein by reference the Board's related decision to the extent it applies to the similar arguments and evidence made herein.

ANALYSIS

Rejections under § 103(a)

Issue: Did the Examiner err in finding that the combined teachings of MultiScanner and ClientSide teach and/or suggest responsive to detecting the identifier within the payload, determining whether the payload instruction underwent a security check, as set forth in the claims?

Appellants contend that they "have been unable to identify any teaching of the claimed 'identifier' or where Galan [(MultiScanner)] teaches that an execution engine determines whether the payload instruction underwent a security check" (App. Br. 15). Appellants further contend that "[n]owhere does Chiu [(ClientSide)] teach an execution engine determining whether a payload instruction underwent a security check prior to execution of the payload instruction" (App. Br. 16).

The Examiner finds that "[a]lthough Galan [(MultiScanner)] does not explicitly recite an identifier in addition to the payload, there is inherent evidence that the attack vectors are identifiable. The verificator agent ...
crawls through the web application identifying each of the attacks" (Ans. 10-11). The Examiner further finds that "[t]he verificator agent has to identify the vector first, before the security check is conducted on the payload of the vector" (id. at 12).

We agree with the Examiner. In other words, the Examiner finds that MultiScanner discloses identifying the vector (i.e., an identifier) first and then performs a security check (i.e., looking for injected code). Specifically, MultiScanner discloses that the attack vector has a name (i.e., identifier) (see Table 2) and that "[t]he third and last agent of the proposed system takes as input the list of performed attacks, which was produced by the script injector agent, and looks for those attacks in the analyzed web application" (see section 3.3).

The Examiner further finds that ClientSide "checks for potential attacks before execution in order to protect the system/device from cross-site scripting attacks" (Ans. 11). For example, ClientSide discloses "to perform a comparison of the executable portions of JavaScript code embedded in the page with the original requested URL ... after JavaScript has been parsed but prior to execution" (see section 2.0).

Thus, we find that Appellants' arguments do not take into account what the collective teachings of the prior art would have suggested to one of ordinary skill in the art and are therefore ineffective to rebut the Examiner's prima facie case of obviousness. See In re Keller, 642 F.2d 413, 425 (CCPA 1981) ("The test for obviousness is not whether the features of a secondary reference may be bodily incorporated into the structure of the primary reference; nor is it that the claimed invention must be expressly suggested in any one or all of the references. Rather, the test is what the combined teachings of the references would have suggested to those of ordinary skill in the art.") (citations omitted).
This reasoning is applicable here as MultiScanner teaches that the payload includes an identifier and responsive to detecting the identifier, performing some function, whereas ClientSide teaches a security check prior to execution.

In view of the above discussion, we are of the opinion that the proposed combination of MultiScanner and ClientSide, set forth by the Examiner, does support the obviousness rejection. Accordingly, we sustain the § 103(a) rejections of claims 5-10, 14, and 15.

Claims 11-13 and 16

Appellants contend that in the Examiner's cited portion of Galan (MultiScanner) there is "no mention of the claimed ... determines that the payload instruction did not undergo a security check" (App. Br. 18) (emphasis omitted). In response, the Examiner finds that MultiScanner "sees every web application as vulnerable to attack as evidenced by the use of a vulnerability scanner" (Ans. 12).

Although we agree with the Examiner that MultiScanner seeks to detect vulnerabilities in web applications, we note that the Examiner's findings fail to address the specific limitations in claim 11 (and claim 16) regarding "reporting that the web application is vulnerable ... and where the payload instruction did not undergo a security check prior to the execution of the payload instruction" (see claim 11). We are therefore constrained by the record before us to find that the Examiner erred in rejecting claim 11 (and claims 12 and 13 which are dependent on claim 11), and claim 16 for similar reasons.

DECISION

We affirm the Examiner's § 103(a) rejections of claims 5-10, 14, and 15.

We reverse the Examiner's § 103(a) rejection of claims 11-13 and 16.

No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a)(1)(iv).

AFFIRMED-IN-PART
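The three steps of claim 5 (provide an identified payload in a first interaction, detect the identifier in a later interaction, then decide whether the payload instruction was subjected to a security check before it could execute) read naturally as a stored-XSS scanner. The following is an added illustration written for this page; it is not code from the decision, from the application, or from any of the cited references. The ToyWebApp, its field names, the `<probe>` marker tag and the verdict strings are all constructed assumptions, and the "instruction" is a harmless tag used only so that output encoding can be observed.

```python
"""Added illustration of the claim-5 method (not code from the decision or the application)."""
import html
import secrets
from dataclasses import dataclass, field


@dataclass
class ToyWebApp:
    """Constructed stand-in for the web application under test.

    Two stored fields are rendered on a profile page: 'bio' is HTML-escaped
    on output (a security check before the instruction could execute), while
    'nickname' is emitted verbatim (no check). 'email' is stored but never
    rendered, so a payload placed there is never seen again.
    """
    store: dict = field(default_factory=dict)

    def submit(self, field_name: str, value: str) -> None:
        # First interaction: the scanner provides the payload here.
        self.store[field_name] = value

    def render_profile(self) -> str:
        # Subsequent interaction: the page the scanner inspects.
        nick = self.store.get("nickname", "")            # no security check
        bio = html.escape(self.store.get("bio", ""))     # security check applied
        return f"<h1>{nick}</h1><p>{bio}</p>"


def make_payload(identifier: str) -> str:
    """Payload = a benign instruction (an HTML tag) plus a unique identifier.

    The tag is only a marker. The identifier is hex, so common output encoders
    leave it intact while transforming the angle brackets and quotes around it.
    """
    return f'<probe data-id="{identifier}">'


def classify(page: str, identifier: str, payload: str) -> str:
    """The claim-5 determination, applied to one rendered page.

    - identifier absent                       -> payload never came back
    - identifier present, payload intact      -> instruction reached the page unchecked
    - identifier present, payload transformed -> a security check (escaping/filtering) ran first
    """
    if identifier not in page:
        return "not-reflected"
    if payload in page:
        return "no-security-check"
    return "security-check-applied"


def scan(app: ToyWebApp, fields=("nickname", "bio", "email")) -> dict:
    """Provide one identified payload per field, then inspect the rendered page."""
    results = {}
    for name in fields:
        identifier = secrets.token_hex(8)   # distinct per field, so a hit is attributable
        payload = make_payload(identifier)
        app.submit(name, payload)
        page = app.render_profile()
        results[name] = classify(page, identifier, payload)
    return results


if __name__ == "__main__":
    for field_name, verdict in scan(ToyWebApp()).items():
        print(f"{field_name}: {verdict}")
```

The per-field identifier is what makes the later detection attributable: the scanner does not need to know where the application stores its input, only that the identifier it handed over in the first interaction shows up in a later one. Whether the surrounding instruction survived unchanged is then the security-check determination of claim 5, and the `no-security-check` verdict is the condition that claims 11 and 16 go on to report as a vulnerability.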