Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION
1.  This action is in response to the amendment filed 9/24/2020.
2.  Claims 21-39 have been examined and are pending in the application.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

3.  Claims 28-39 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Shin U.S Publication No. 2018/0278635. 
As to claim 28, Shin teaches an apparatus, comprising: 
a memory and a processor of an application programming interface (API) gateway associated with a plurality of APIs, the processor operatively coupled to the memory (paragraphs 0111-0113 pages 5-6), the processor configured to: 
receive, at a first time and from a client device (…the important asset may include an application, a controller, a device, a flow, a host, an intent, a link, an open flow, a packet, routing, a topology, and a user..., paragraph 0053 page 3), a first API call in a sequence of API calls, the first API call addressed to an API from the plurality of APIs (…the control unit 220 may characterize a frequency and a sequence of security-sensitive API calls, and a northbound interaction of a controller and the target network program in the software defined network…, paragraph 0060 page 3); 
receive, at a second time and from the client device, a second API call in the sequence of API calls (…the control unit 220 may derive the sequence of the security-sensitive API calls in the derived behavior graph. According to an embodiment, the control unit 220 may derive the sequence of API calls by measuring a correlation between an arbitrary API call sequence and another API call sequence of the security-sensitive APIs and the distance between the sequences…, paragraph 0062 page 3); 
provide a representation of at least one of the first API call or the second API call as an input to a machine learning model to identify a predicted time period between the first API call and the second API call (…the control unit 220 may cluster a machine learning model as a malicious or benign category, and may determine a classification according to clustering of the target network program by applying the generated machine learning model to the target network program…, paragraph 0067 page 3); 
compare the predicted time period with an actual time period between the first time and the second time to generate a consistency score (…the control unit 220 may derive the sequence of the security-sensitive API calls in the derived behavior graph. According to an embodiment, the control unit 220 may derive the sequence of API calls by measuring a correlation between an arbitrary API call sequence and paragraph 0062 page 3); and 
route the first API call to a server associated with the API when the consistency score meets a criterion (data flows from one host to another host, Fig. 1 and associated specification). 
As to claim 29, Shin further teaches the second API call in the sequence of API calls is addressed to the API from the plurality of APIs (…the control unit 220 may characterize a frequency and a sequence of security-sensitive API calls, and a northbound interaction of a controller and the target network program in the software defined network…, paragraph 0060 page 3). 
As to claim 30, Shin further teaches the API from the plurality of APIs is a first API from the plurality of APIs, the second API call in the sequence of API calls is addressed to a second API from the plurality of APIs and different from the first API (…a frequency and a sequence of security-sensitive API calls, and a northbound interaction of a controller and the target network program in the software defined network…, paragraph 0060 page 3). 
As to claim 31, Shin further teaches prevent the first API call from being sent to the server associated with the API when the consistency score does not meet the criterion (…detecting malware in a software defined network, by which installation and execution of malware may be prevented by detecting malware without changing a traditional SDN system structure…, paragraph 0016 page 1). 
As to claim 32, Shin further teaches the representation of the at least one of the first API call or the second API call is an n-gram representation of the at least one of the first API call or the second API call (…extract a sequence of security-sensitive API calls by allocating unique IDs to the APIs of the target network program. Thereafter, a distance table of n columns and n rows including information on a correlation between the extracted security-sensitive API call sequence and another API call sequence may be formed…, paragraph 0089 page 4). 
As to claim 33, Shin further teaches the machine learning model includes a clustering model (…the control unit 220 may cluster a machine learning model as a malicious or benign category, and may determine a classification according to clustering of the target network program by applying the generated machine learning model to the target network program…, paragraph 0067 page 3). 
As to claim 34, Shin teaches a method, comprising: 
receiving, at an application programming interface (API) gateway and from a client device (…the important asset may include an application, a controller, a device, a flow, a host, an intent, a link, an open flow, a packet, routing, a topology, and a user..., paragraph 0053 page 3), a set of API calls having a sequence and addressed to an API from a plurality of APIs associated with the API gateway (…the control unit 220 may characterize a frequency and a sequence of security-sensitive API calls, and a northbound interaction of a controller and the target network program in the software defined network…, paragraph 0060 page 3); 
providing as an input to a machine learning model a representation of a first API call from the set of API calls and a representation of a second API call from the set of API calls (…the control unit 220 may cluster a machine learning model as a malicious or benign category, and may determine a classification according to paragraph 0067 page 3); 
receiving, as an output from the machine learning model, an indication of a predicted proximity between the first API call and the second API call and comparing the predicted proximity with an actual proximity in the sequence between the first API call and the second API call to generate a consistency score (…the control unit 220 may derive the sequence of the security-sensitive API calls in the derived behavior graph. According to an embodiment, the control unit 220 may derive the sequence of API calls by measuring a correlation between an arbitrary API call sequence and another API call sequence of the security-sensitive APIs and the distance between the sequences…, paragraph 0062 page 3); and 
sending the set of API calls to a server associated with the API when the consistency score meets a criterion (data flows from one host to another host, Fig. 1 and associated specification). 
As to claim 35, Shin further teaches preventing the set of API calls from being sent to the server when the consistency score does not meet the criterion (…detecting malware in a software defined network, by which installation and execution of malware may be prevented by detecting malware without changing a traditional SDN system structure…, paragraph 0016 page 1). 
As to claim 36, Shin further teaches the actual proximity is a number of API calls in the sequence between the first API call and the second API call (…the control unit 220 may derive the sequence of the security-sensitive API calls in the derived behavior graph. According to an embodiment, the control unit 220 may derive paragraph 0062 page 3). 
As to claim 37, Shin further teaches the actual proximity is a time period in the sequence between the first API call and the second API call (…the control unit 220 may derive the sequence of the security-sensitive API calls in the derived behavior graph. According to an embodiment, the control unit 220 may derive the sequence of API calls by measuring a correlation between an arbitrary API call sequence and another API call sequence of the security-sensitive APIs and the distance between the sequences…, paragraph 0062 page 3). 
As to claim 38, Shin further teaches generating an n-gram representation of the first API call to define the representation of the first API call and generating an n-gram representation of the second API call to define the representation of the second API call (…extract a sequence of security-sensitive API calls by allocating unique IDs to the APIs of the target network program. Thereafter, a distance table of n columns and n rows including information on a correlation between the extracted security-sensitive API call sequence and another API call sequence may be formed…, paragraph 0089 page 4). 
As to claim 39, Shin further teaches the machine learning model includes a clustering model (…the control unit 220 may cluster a machine learning model as a malicious or benign category, and may determine a classification according to clustering of the target network program by applying the generated machine learning model to the target network program…, paragraph 0067 page 3).
Allowable Subject Matter
4.  Claims 21-27 are allowed.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Andy Ho whose telephone number is (571) 272-3762.  A voice mail service is also available for this number.  The examiner can normally be reached on Monday – Friday, 8:30 am – 5:00 pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Dennis Chow can be reached on (571) 272-7767. 
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIM) system. Status information for published applications may be obtained from either Private PAIR or' Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
Any inquiry of a general nature or relating to the status of this application or proceeding should be directed to the receptionist whose telephone number is 571-272-2100.
Any response to this action should be mailed to:
Commissioner for Patents 
P.O Box 1450
Alexandria, VA 22313-1450
	Or fax to:
AFTER-FINAL faxes must be signed and sent to (571) 273 - 8300.
OFFICAL faxes must be signed and sent to (571) 273 - 8300.
NON OFFICAL faxes should not be signed, please send to (571) 273 – 3762

/Andy Ho/
Primary Examiner
Art Unit 2194