Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This action is responsive to RCE filed on 2/22/2021. Claims 1, 12 and 18 are independents. Claims 1, 12, 16, 18, and 22 are amended. Claims 1-23 are currently pending.

RESPONSE TO ARGUMENTS
Applicant’s arguments with respect to the rejection under 35 U.S.C. 103 have been fully considered. The amendment overcomes the prior art of record and the argument is persuasive. However, a new rejection is given upon a new round of search.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to 
The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103(a) are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.


Claims 1-5, 12-15 and 18-21 are rejected under 35 U.S.C. 103 as being unpatentable over Katta et al. (US 20170161973 A1), hereinafter Katta, in view of Abdelaziz et al. (US 8082491 B1), hereinafter Abdelaziz, further in view of Murphy et al. (US 20070094260 A1), hereinafter Murphy, additionally, in view of Li (CN 109284584 A).

Regarding claim 1, Katta teaches an apparatus, comprising:
an API transaction management computer device comprising processor circuitry and a memory, comprising: a transaction request receiver configured to receive an API request (para. 0017, receiving a system access request including an access token (e.g., an API key) and a vehicle identifier (e.g., provided by an OEM platform) from a third party application (e.g., associated with a client identifier such as a client URI identifying a third party application));

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Katta and Abdelaziz because this will provide a way to improve API quality of service (Abdelaziz: col18, ln48 - col19, ln16).
The combination of Katta and Abdelaziz does not explicitly disclose a transaction request processor configured to generate an assessment score based on information about a digital identity associated with the API request and match the assessment score to an actions rule, wherein the assessment score represents a level of confidence in the API request. However, in an analogous art, Murphy teaches a transaction request processor configured to generate an assessment score based on information about a digital identity associated with the API request and match the assessment score to an actions rule, wherein the assessment score represents a level of confidence in the API request (para. 0085-0086, trust indicia are used to establish trustworthiness. Confidence in identity for an extensibility module is determined based upon one or more identifiers; para. 0062, variety of other scales of relative reputation are contemplated such as a letter grade, a percent recommended, a number, and so forth). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Katta, Abdelaziz and Murphy because this functionality will provide enhanced security for API services through improvements of establishing confidence in digital identity to determine trustworthiness (Murphy: Para. [0002], [0085]-[0086]).
	The combination of Katta, Abdelaziz and Murphy does not explicitly disclose wherein the transaction request processor generates the assessment score based on geographic location of a requestor transmitting the API request and whether the requestor comprises a software application running automated tasks. However, in analogous art, Li teaches wherein the transaction request processor generates the assessment score based on geographic location of a requestor transmitting the API request and whether the requestor comprises a software application running automated tasks (pp. 1/15 (claim 5), 5/15 lines 11-20 and 8/15 steps 204-205, geographical location is taken into consideration as a factor of calculating risk index [risk score]; pp. 3/15 last paragraphs, 7/15 lines 56-59 and 8/15 lines 21-24, batch processing [automation] is taken into consideration as a factor of calculating risk index. Specifically, Li teaches using risk index to measure risk level of user and computer program (p1/15 Abstract). The request aggregation degree or risk index of user are used interchangeably (p. 7/15 ln14-20 and ln34-38). In the last but one paragraph of p. 7/15 and para. 8 of p. 8/15, Li teaches aggregation degree of IP address and the corresponding geographical location of IP address, under automatic batch login, batch registration, batch request situation. So, as indicated above, the risk index or aggregation degree is based on the batch process and geographic location.).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Katta, Abdelaziz, Murphy and Li because it would provide a way of recognizing whether a person is present or a network attack is happening (p. 3/15).

Regarding claims 12 and 18, Katta teaches an API transaction management computing device comprising processor circuitry and a memory and configured to receive an API request from a source node and obtain an API response from a destination node, comprising: 
a transaction request receiver configured to receive the API request from the source node (para. 0017, receiving a system access request including an access token (e.g., an API key) and a vehicle identifier (e.g., provided by an OEM platform) from a third party application (e.g., associated with a client identifier such as a client URI identifying a third party application));
Katta does not explicitly disclose an actions rule comprising controlling deliverability, messaging, and content of the API request; and a transmission module configured to perform actions of the actions rule by controlling deliverability, messaging, and content of the API request to a destination node and the API response to a transmitting source node. However, in analogous art, Abdelaziz teaches an actions rule comprising controlling deliverability, messaging, and content of the API request; and a transmission module configured to perform actions of the actions rule by controlling deliverability, messaging, and content of the API request to a destination node and the API response to a transmitting source node (col18 ln48-col19 ln4, basic message gate may implement an API to send and receive messages; API moves data (e.g. XML messages) in and out of the gate; generated gate code verifies messages based upon the XML schema. The gate may verify correct message types and/or content through the message API).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Katta and Abdelaziz because this will provide a way to improve API quality of service (Abdelaziz: col18, ln48 - col19, ln16).
The combination of Katta and Abdelaziz does not explicitly disclose a transaction request processor configured to determine an assessment score representing a level of confidence in the API request, the assessment score based on information about a digital identity associated with the API request, and further configured to match the assessment score to an actions rule comprising controlling deliverability, messaging, and content of the API request. However, in an analogous art, Murphy teaches a transaction request processor configured to determine an assessment score representing a level of confidence in the API request, the assessment score based on information about a digital identity associated with the API request (para. 0085-0086, trust indicia are used to establish trustworthiness. Confidence in identity for an extensibility module is determined based upon one or more identifiers; para. 0062, variety of other scales of relative reputation are contemplated such as a letter grade, a percent recommended, a number, and so forth), and further configured to match the assessment score to an actions rule comprising controlling deliverability, messaging, and content of the API request (para. 0082-0087, 0091 and 0092, a policy is examined that defines permissible access to an application module based upon the trustworthiness of an extensibility module attempting to access the application module).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Katta, Abdelaziz and Murphy because this functionality will provide enhanced security for API services through improvements of establishing confidence in digital identity to determine trustworthiness (Murphy: Para. [0002], [0085]-[0086]).
Li teaches wherein the transaction request processor generates the assessment score based on geographic location of the source node and whether the source node comprises a software application running automated tasks as shown in claim 1.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Katta, Abdelaziz, Murphy and Li because it would provide a way of recognizing whether a person is present or a network attack is happening (p. 3/15).


Regarding claims 2, 13 and 19, the combination of Katta, Abdelaziz, Murphy and Li teaches all of the limitations of claims 1, 12 and 18, respectively, as described above. Katta further teaches wherein the transaction request receiver, the transaction request processor, and the transmission response communicator are located on a single device (para. FIG. 2, 3 modules/subsystems inside one system).

Regarding claim 3, the combination of Katta, Abdelaziz, Murphy and Li teaches all of the limitations of claim 1, as described above. Katta further teaches wherein the transaction request receiver communicates with an API client using at least one protocol (para. 0024, The technology can provide a single standardized platform for conveniently granting access to a plurality of vehicle resources. For example, the method 100 can implement rules enabling the automation of operations rooted in computer technology to translate vehicle data requests from third party applications into resource queries tailored to the different data formats and different communications protocols (e.g., HTTP, Websocket, AMQP, Message Queue, MQTT, etc.) of different network-connected vehicles and/or different OEM platforms from a plurality of OEMs).

Regarding claims 4, 14 and 20, the combination of Katta, Abdelaziz, Murphy and Li teaches all of the limitations of claims 1, 12 and 18, respectively, as described above. Katta further teaches wherein the transaction request processor performs a sequential series of queries and assigns action sets based on answers to the sequential series of queries (para. 0025, technology can improve the security of protected resources (e.g., vehicle data) generated, stored, and transmitted across components of the network, thereby improving the functioning of the network and the computing systems (e.g., vehicles, OEM platforms, third party applications, etc.) operating in the network. The technology can leverage the generation, verification, storage, and usage of access tokens (e.g., system access tokens for accessing the system, resource access tokens for accessing a vehicle resource) to act as a gatekeeper by verifying that third party applications have legitimate access to the requested vehicle parameters, before retrieving and providing values for the vehicle parameters).

Regarding claims 5, 15 and 21, the combination of Katta, Abdelaziz, Murphy and Li teaches all of the limitations of claims 3, 14 and 20, respectively, as described above. Katta further teaches wherein the sequential series of queries comprises at least one query about a network address of the transmitting source node (para. 0045, In this variation, client access can be verified by matching an access token (e.g., a system access token received in a vehicle request) with a client identifier (e.g., a redirection URI; a URI associated with the address from which the access token was received; the address itself; a client identifier identifying the third party application from which the vehicle request was received; etc.); para. 0051, Transmitting the resource query preferably includes identifying a vehicle address (e.g., a vehicle URI, an OEM platform URI) and sending the resource query to the vehicle address, but the resource query can be otherwise transmitted).

Claims 6-11, 16, 17, 22 and 23 are rejected under 35 U.S.C. 103 as being unpatentable over Katta, Abdelaziz, Murphy and Li as applied to claims above, and further in view of Zimmermann et al. (US 20180027006 A1), hereinafter Zimmermann.

Regarding claim 6, the combination of Katta, Abdelaziz, Murphy and Li teaches all of the limitations of claim 1, as described above.
The combination of Katta, Abdelaziz, Murphy and Li does not explicitly disclose wherein the transaction request processor is configured to evaluate whether a network address of the transmitting source node is associated with an unacceptable location. However, in an analogous art, Zimmermann teaches wherein the transaction request processor is configured to evaluate whether a network address of the transmitting source node is associated with an unacceptable location (para. 0264, an activity anomaly (e.g., frequency anomalies, or access to a very sensitive item that is typically not used), a login to account from a location (for example a geoIP location, such as in a blacklist or not in a whitelist (for example, from China or Russia))).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Katta, Abdelaziz, Murphy, Li and Zimmermann because this will provide a safer way to protect data/resource (Zimmermann: Para. [0003], [0264]).

Regarding claim 7, the combination of Katta, Abdelaziz, Murphy and Li teaches all of the limitations of claim 1, as described above.
The combination of Katta, Abdelaziz, Murphy and Li does not explicitly disclose wherein the transaction request processor is configured to evaluate a network address threat type. However, in an analogous art, Zimmermann teaches wherein the transaction request processor is configured to evaluate a network address threat type (para. 0191, External threat intelligence data may include IP reputation data; para. 0007, these include insider threats; para. 0137, access from suspicious IP addresses).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Katta, Abdelaziz, Murphy, Li and Zimmermann because this will provide a safer way to protect data/resource (Zimmermann: Para. [0007]).

Regarding claims 8, 16 and 22, the combination of Katta, Abdelaziz, Murphy and Li teaches all of the limitations of claims 1, 15 and 21, respectively, as described above.
The combination of Katta, Abdelaziz, Murphy and Li does not explicitly disclose wherein the transaction request processor is configured to compare a network address of the transmitting source node against a blacklist or whitelist. However, in an analogous art, Zimmermann teaches wherein the transaction request processor is configured to compare a network address of the transmitting source node against a blacklist or whitelist (para. 0137, access from suspicious IP addresses; para. 0264, a login to account from a location (for example a geoIP location, such as in a blacklist or not in a whitelist (for example, from China or Russia))).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Katta, Abdelaziz, Murphy, Li and Zimmermann because this will provide a safer way to protect data/resource (Zimmermann: Para. [0003], [0264]).

Regarding claim 9, the combination of Katta, Abdelaziz, Murphy and Li teaches all of the limitations of claim 1, as described above.
The combination of Katta, Abdelaziz, Murphy and Li does not explicitly disclose wherein the transaction request processor is configured to evaluate whether the API request by at least one digital identity meets an acceptable trust level based upon previous interactions. However, in an analogous art, Zimmermann teaches wherein the transaction request processor is configured to evaluate whether the API request by at least one digital identity meets an acceptable trust level based upon previous interactions (para. 0141, access controls in response to analysis of user behavior, such as disconnecting a user session, prompting a "change password" protocol, revoking application access, stepping up levels of authentication, blocking user access, and the like; 0179, QoS functions may also be applied at the user level (such as processing one user's events faster than others if that user has a higher risk level)).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Katta, Abdelaziz, Murphy, Li and Zimmermann because this will provide a safer way to protect data/resource (Zimmermann: Para. [0003], [0264]).

Regarding claims 10, 17 and 23, the combination of Katta, Abdelaziz, Murphy and Li teaches all of the limitations of claims 1, 12 and 18, respectively, as described above.
The combination of Katta, Abdelaziz, Murphy and Li does not explicitly disclose wherein the transaction request processor is configured to make an overall assessment of threat level based on multiple weighted factors and match the overall assessment to actions to be taken with respect to the API request. However, in an analogous art, Zimmermann teaches wherein the transaction request processor is configured to make an overall assessment of threat level based on multiple weighted factors and match the overall assessment to actions to be taken with respect to the API request (para. 0454, some of the applications used by the users of an enterprise in the cloud and on its network, along with a subset of the various types of information that may be available from the application index 2912, such as an indication of the risk level of the application (such as determined by risk rating 2930), the access risk (i.e., the level of access the application requests, such as "full data access" versus access to limited data or no data), the community trust rating for each application, the category of the application, a predictive risk level (which may reflect the probability that the application is being used, the probability that there are users who in addition to regular usage granted access to enterprise assets (e.g., OAuth-based) for the application, or the like, as well as the community trust rating, which in turn reflects the probability that the application was used, that the application was actually granted access for this enterprise, or the like), whether the application manages user data, whether the application allows access to full data, whether the application could involve impersonation, whether the application reads basic information, whether the application accesses limited data, whether the application manages devices, and the like).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Katta, Abdelaziz, Murphy, Li and Zimmermann because this will provide a safer way to protect data/resource (Zimmermann: Para. [0007], [0454]).

Regarding claim 11, the combination of Katta, Abdelaziz, Murphy and Li teaches all of the limitations of claim 1, as described above.
The combination of Katta, Abdelaziz, Murphy and Li does not explicitly disclose wherein the API transaction management computer device is configured to authenticate the API request. However, in an analogous art, Zimmermann teaches wherein the API transaction management computer device is configured to authenticate the API request (para. 0323, API calls are authenticated).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Katta, Abdelaziz, Murphy, Li and Zimmermann because this will provide a safer way to protect data/resource (Zimmermann: Para. [0007]).

References Cited but Not Used
	Mitchell (US 8881281 B1) teaches a method in part for generating a risk score based on geographic location and application requested.
	Reno et al. (US 20150350174 A1) teaches a method for API risk assessment.


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHU CHUN GAO whose telephone number is (571)270-5999. The examiner can normally be reached on Monday - Thursday 6:00-4:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, KRISTINE KINCAID can be reached on 571-272-4063. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/SHU CHUN GAO/Examiner, Art Unit 2437 
/ALI S ABYANEH/Primary Examiner, Art Unit 2437