Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 10-31-2019 was in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 101 (Abstract Idea)
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


8.	Claims 1 – 20 is / are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more analyzed according to 2019 Revised Patent Subject Matter Eligibility Guidance (“2019 PEG”). The claim recites upon receiving a client’s token validation request, verifying if the token configuration parameters conform to the valid token and determining a breach attempt if it does not conform.
Step 1: The claims 1, 10, 18, 19 and 20 do fall into one of the four statutory categories of method and system claims. Nevertheless the claims still is/are considered as abstract idea for the following prongs and reasons.
Step 2A: Prong 1: The limitation of claims 1, 10, 18, 19 and 20 recites: upon receiving a client’s token validation request, verifying if the token configuration parameters conform to the valid token and determining a breach attempt if it does not conform, as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the human mind and / or with pen and paper without a generic computer. Except for words ‘system with memory and processors’, there is nothing in the claim element precludes the step from practically being performed in human mind and/or with pen and paper. For example, checking smart card or token validity and obtaining various information, in any office or campus can also be perceived to be done manually by human in an orderly fashion. In the context of these claims encompasses assigning scores, taking remedial measures accordingly. 
Dependent claims 2 – 9 and 11 – 17 which in turn recite checking token parameters for conformity, generating valid token response, enabling user-defined parameters and facilitating authentication is/are mere structural addendums and are other steps that could be performed by human manually with/without need for a computer.  If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in a human mind but for the recitation of generic computer components, then it falls within the “mental processes” grouping of abstract ideas and can be done manually. Accordingly, the claim recites an abstract idea.
Prong 2: This judicial exception is not integrated into a practical application. In particular, the claims do not recite any additional element to perform beyond routine steps of: upon receiving a client’s token validation request, verifying if the token configuration parameters conform to the valid token and determining a breach attempt if it does not conform. The steps are recited at a high-level of generality (i.e., as generic terms performing generic computer functions (figs. 11 and 12) such that it amounts to no more than mere instructions to apply the exception using generic computer components). Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. Therefore the claims is directed to an abstract idea.
Step 2B: The claims does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, upon receiving a client’s token validation request, verifying if the token configuration parameters conform to the valid token and determining a breach attempt if it does not conform amounts to no more than mere instructions to apply the exception using a generic computer terms. Mere instructions to apply an exception using a generic computer components cannot provide an inventive concept. The claims is / are not patent eligible. Therefore all the corresponding dependent claims 2 – 9 and 11 – 17 are also rejected for the same rationale.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1 – 17 and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Fitzpatrick (US 8973118), hereafter Fitz and Kilian-Kehr (US 7865731), hereafter Kil.
Claim 1: Fitz teaches a method of using access tokens for identification of breach attempts in a client- server communication, the method comprising: receiving, by a server system, a token validation request for validation of a token from an Application Programming Interface (API) server, the token sent from a client device to the API server in one or more API calls of an API session; (C2L36-40: a request message, received at the server hosting the web service, requesting access to a particular function from among a plurality of functions offered by a web service is received from a client at a user device, (C3L5-24) such functionality of the web service provided to client(s) via an interface such as the Web Services Description Language (WSDL));
verifying, by the server system, whether the token conforms to the one or more token configuration parameters associated with the valid token; (C2L43-45: security token is validated based on token validation information included within the security token and the function identifier and Fig. 3: based on access list etc.);
and determining, by the server system, a breach attempt associated with the token if the token does not conform to the one or more token configuration parameters. (C14L48-51, Fig. 3: the validation false message is returned, indicating the token failed proper validation and hence, the client will be denied access to the requested function).
Fitz is silent on accessing, by the server system, one or more token configuration parameters associated with a valid token for the client, the one or more token configuration parameters comprising one or more of a number of allowable access attempts using the valid token in the API session, and a range of frequency of allowable access attempts using the valid token in the API session;
But analogous art Kil teaches accessing, by the server system, one or more token configuration parameters associated with a valid token for the client, the one or more token configuration parameters comprising one or more of a number of allowable access attempts using the valid token in the API session, and a range of frequency of allowable access attempts using the valid token in the API session; (C4L18-23: the security token is configured to lock itself down after a predetermined number of failed access attempts. The security token also includes an internal clock and configured to lock down after a predetermined number of failed access attempts within a predetermined period of time);
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Fitz to include the idea of token configuration with frequency and number of attempts as taught by Kil to secure access to the application service secure storage and/or secure execution (C3L2-3, 8-9).
Claim 10: Fitz teaches a server system for using access tokens for identification of breach attempts in a client-server communication, the server system comprising: a memory comprising stored instructions; and a processor configured to execute the stored instructions and thereby cause the server system to perform at least (Summary): receiving a token validation request for validation of a token from an Application Programming Interface (API) server, the token sent from a client device to the API server in one or more API calls of an API session, verifying whether the token conforms to the one or more token configuration parameters associated with the valid token, and determining a breach attempt associated with the token if the token does not conform to the one or more token configuration parameters. (C2L36-40: a request message, received at the server hosting the web service, requesting access to a particular function from among a plurality of functions offered by a web service is received from a client at a user device (C2L40-43) the request message includes a function identifier identifying the particular function and further includes a security token comprising (C8L2-6) various authentication attributes/parameters are incorporated into the security token and associated with the client, (C3L5-24) such functionality of the web service provided to client(s) via an interface such as the Web Services Description Language (WSDL) and where (C3L60-61) the security token that is generated by the web service (C5L52-53) for the client is used by the client. C2L43-45: security token is validated based on token validation information included within the security token and the function identifier and Fig. 3: based on access list etc. C14L48-51, Fig. 3: the validation false message is returned, indicating the token failed proper validation and hence, the client will be denied access to the requested function);
Fitz is silent on accessing one or more token configuration parameters associated with a valid token for the client, the one or more token configuration parameters comprising one or more of a number of allowable access attempts using the valid token in the API session, and a range of frequency of allowable access attempts using the valid token in the API session.
But analogous art Kil teaches accessing one or more token configuration parameters associated with a valid token for the client, the one or more token configuration parameters comprising one or more of a number of allowable access attempts using the valid token in the API session, and a range of frequency of allowable access attempts using the valid token in the API session. (C4L18-23: the security token is configured to lock itself down after a predetermined number of failed access attempts. The security token also includes an internal clock and configured to lock down after a predetermined number of failed access attempts within a predetermined period of time);
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Fitz to include the idea of token configuration with frequency and number of attempts as taught by Kil to secure access to the application service secure storage and/or secure execution (C3L2-3, 8-9).
Claim 20: Fitz teaches a method of using access tokens for identification of breach attempts in a client- server communication, the method comprising: receiving, by an Application Programming Interface (API) server, an API request for client-server communication, the API request comprising a token, the token received by the API server from a client device in one or more API calls of an API session; sending, by the API server, a token validation request for validation of the token to a server system; and receiving verification information corresponding to whether the token conforms to one or more token configuration parameters, wherein the one or more token configuration parameters are associated with a valid token generated by the token server upon receiving a token generation request from the client device (C2L36-40: a request message, received at the server hosting the web service, requesting access to a particular function from among a plurality of functions offered by a web service is received from a client at a user device (C2L40-43) the request message includes a function identifier identifying the particular function and further includes a security token comprising (C8L2-6) various authentication attributes/parameters are incorporated into the security token and associated with the client, (C3L5-24) such functionality of the web service provided to client(s) via an interface such as the Web Services Description Language (WSDL) and where (C3L60-61) the security token that is generated by the web service (C5L52-53) for the client is used by the client. C2L43-45: security token is validated based on token validation information included within the security token and the function identifier);
Fitz is silent on wherein the one or more token configuration parameters comprise one or more of a number of allowable access attempts using the valid token in the API session, and a range of frequency of allowable access attempts using the valid token in the API session.
But analogous art Kil teaches wherein the one or more token configuration parameters comprise one or more of a number of allowable access attempts using the valid token in the API session, and a range of frequency of allowable access attempts using the valid token in the API session. (C4L18-23: the security token is configured to lock itself down after a predetermined number of failed access attempts. The security token also includes an internal clock and configured to lock down after a predetermined number of failed access attempts within a predetermined period of time);
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Fitz to include the idea of token configuration with frequency and number of attempts as taught by Kil to secure access to the application service secure storage and/or secure execution (C3L2-3, 8-9).
Claim 2: the combination of Fitz and Kil teaches the method as claimed in claim 1, wherein the token validation request comprises the token and at least an information of a number of access attempts using the valid token during the API session; and a frequency of access attempts using the valid token during the API session. (Kil: C4L18-23: the security token is configured to lock itself down after a predetermined number of failed access attempts. The security token also includes an internal clock and configured to lock down after a predetermined number of failed access attempts within a predetermined period of time).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Fitz to include the idea of token configuration with frequency and number of attempts as taught by Kil to secure access to the application service secure storage and/or secure execution (C3L2-3, 8-9).
Claim 3: the combination of Fitz and Kil teaches the method as claimed in claim 1, wherein the one or more token configuration parameters further comprise an allowed access pattern associated with the valid token. (Fitz: C13L40-45: includes performing a lookup operation to find the requested function name or other identifier using a list of allowed functions and the list of functions are used to control the individual functions of the service that the particular client is authorized to access).
Claim 4: the combination of Fitz and Kil teaches the method as claimed in claim 3, wherein the allowed access pattern is determined based on historical access patterns of the valid token in a pre-defined time period. (Fitz: C9L51-67: the web service is configured such that all request messages requesting access to functions of the service sent in the form of XML or SOAP messages and include the security token that was previously assigned and made available by the service provider to the registered client (Fig. 4) along with token expiration flag).
Claim 5: the combination of Fitz and Kil teaches the method as claimed in claim 1, wherein verifying whether the token conforms to the one or more token configuration parameters comprises: determining whether a number of times the token validation request is received from the API server during the API session conforms to the number of allowable access attempts using the valid token; and determining whether a frequency at which the token validation request is received from the API server during the API session conforms to the range of frequency of allowable access attempts using the valid token. (Kil: C4L18-23: the security token is configured to lock itself down after a predetermined number of failed access attempts. The security token also includes an internal clock and configured to lock down after a predetermined number of failed access attempts within a predetermined period of time).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Fitz to include the idea of token configuration with frequency and number of attempts as taught by Kil to secure access to the application service secure storage and/or secure execution (C3L2-3, 8-9).
Claim 6: the combination of Fitz and Kil teaches the method as claimed in claim 1, further comprising: generating, by the server system, the valid token in response to a token generation request from a client device; and storing the one or more token configuration parameters. (Fitz: C3L60-63: security token that is generated by a provider of the web service for one or more clients that have requested access to the functions of the service and (C7L53-55) expected values of the security token are stored in one or more access lists used by the web service).
enabling the user to define the one or more token configuration parameters associated with the valid token; (Kil: C10L16-24: user provides an instruction to the application service which generates a command C and communicates C to the smart card which executes the command C and generates a response R'... The application service communicates R' to the proximity token);
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Fitz to include the idea of token configuration with frequency and number of attempts as taught by Kil to secure access to the application service secure storage and/or secure execution (C3L2-3, 8-9).
Claim 7: the combination of Fitz and Kil teaches the method as claimed in claim 1, further comprising: generating, by the server system, the valid token in response to a token generation request from a client device; defining the one or more token configuration parameters associated with the valid token; and storing the one or more token configuration parameters. (Fitz: C3L60-63: security token that is generated by a provider of the web service for one or more clients that have requested access to the functions of the service and (C7L39-43, 63-64) the token is used to designate which resources of the service the client will be able to access. Additional authentication information are assigned for the token depending on the particular client or computing environment and values for each of the required parameters for a particular client are defined in the security token and (C7L53-55) expected values of the security token are stored in one or more access lists used by the web service).
Claim 8: the combination of Fitz and Kil teaches the method as claimed in claim 1, further comprising validating the token upon verification that the token is the valid token that conforms to the one or more token configuration parameters. (Fitz: C2L43-45: security token is validated based on token validation information included within the security token and the function identifier).
Claim 9: the combination of Fitz and Kil teaches the method as claimed in claim 8, further comprising facilitating authentication of the client device by the API server upon successful validation. (Fitz: C2L47-56: authentication information for the client is extracted from the security token and used to authenticate the client. If the security token is successfully validated based on the token validation information and the function identifier and if the client is successfully authenticated in accordance with the authentication information extracted from the security token, access is provided).
Claim 11: the combination of Fitz and Kil teaches the server system as claimed in claim 10, wherein the token validation request comprises the token and at least an information of a number of access attempts using the token during the valid API session; and a frequency of access attempts using the token during the valid API session. (Kil: C4L18-23: the security token is configured to lock itself down after a predetermined number of failed access attempts. The security token also includes an internal clock and configured to lock down after a predetermined number of failed access attempts within a predetermined period of time).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Fitz to include the idea of token configuration with frequency and number of attempts as taught by Kil to secure access to the application service secure storage and/or secure execution (C3L2-3, 8-9).
Claim 12: the combination of Fitz and Kil teaches the server system as claimed in claim 10, wherein the one or more token configuration parameters further comprise an allowed access pattern associated with the valid token. (Fitz: C13L40-45: includes performing a lookup operation to find the requested function name or other identifier using a list of allowed functions and the list of functions are used to control the individual functions of the service that the particular client is authorized to access).
Claim 13: the combination of Fitz and Kil teaches the server system as claimed in claim 12, wherein the allowed access pattern for the API session is determined based on historical access patterns of the valid token in a pre-defined time period. (Fitz: C9L51-67: the web service is configured such that all request messages requesting access to functions of the service sent in the form of XML or SOAP messages and include the security token that was previously assigned and made available by the service provider to the registered client (Fig. 4) along with token expiration flag).
Claim 14: the combination of Fitz and Kil teaches the server system as claimed in claim 10, wherein the server system is caused to perform: generating the valid token in response to a token generation request from a client device; enabling the user to define the one or more token configuration parameters associated with the valid token; and storing the one or more token configuration parameters. (Fitz: C3L60-63: security token that is generated by a provider of the web service for one or more clients that have requested access to the functions of the service and (C7L53-55) expected values of the security token are stored in one or more access lists used by the web service).
enabling the user to define the one or more token configuration parameters associated with the valid token; (Kil: C10L16-24: user provides an instruction to the application service which generates a command C and communicates C to the smart card which executes the command C and generates a response R'... The application service communicates R' to the proximity token);
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Fitz to include the idea of token configuration with frequency and number of attempts as taught by Kil to secure access to the application service secure storage and/or secure execution (C3L2-3, 8-9).
Claim 15: the combination of Fitz and Kil teaches the server system as claimed in claim 10, wherein the server system is caused to perform: generating the valid token in response to a token generation request from a client device; defining the one or more token configuration parameters associated with the valid token; and storing the one or more token configuration parameters. (Fitz: C3L60-63: security token that is generated by a provider of the web service for one or more clients that have requested access to the functions of the service and (C7L39-43, 63-64) the token is used to designate which resources of the service the client will be able to access. Additional authentication information are assigned for the token depending on the particular client or computing environment and values for each of the required parameters for a particular client are defined in the security token and (C7L53-55) expected values of the security token are stored in one or more access lists used by the web service).
Claim 16: the combination of Fitz and Kil teaches the server system as claimed in claim 10, wherein the server system is further caused to validate the token upon verification that the token is the valid token that conforms to the one or more token configuration parameters. (Fitz: C2L43-45: security token is validated based on token validation information included within the security token and the function identifier).
Claim 17: the combination of Fitz and Kil teaches the server system as claimed in claim 16, wherein the server system is further caused to facilitate authentication of the client device by the API server upon successful validation. (Fitz: C2L47-56: authentication information for the client is extracted from the security token and used to authenticate the client. If the security token is successfully validated based on the token validation information and the function identifier and if the client is successfully authenticated in accordance with the authentication information extracted from the security token, access is provided).
Claims 18 and 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Fitz and Kil as applied to claims above, and further in view of Fitzpatrick (US 8973118), hereafter Fitz and Caffary, JR., Robert (US 20160044040), hereafter Caf.
Claim 18: Fitz teaches a client device in use for identification of breach attempts in a client-server communication, the client device comprising: a memory comprising stored instructions; and a processor configured to execute the stored instructions and thereby cause the client device to perform at least (Summary): sending, to a server system, a token generation request comprising the one or more token configuration parameters associated with the valid token; receiving the valid token generated from the server system; and sending an API request for client-server communication to an API server using a token generated based on the one or more token configuration parameters. (C2L36-40: a request message, received at the server hosting the web service, requesting access to a particular function from among a plurality of functions offered by a web service is received from a client at a user device (C2L40-43) the request message includes a function identifier identifying the particular function and further includes a security token comprising (C8L2-6) various authentication attributes/ parameters are incorporated into the security token and associated with the client, (C3L5-24) such functionality of the web service provided to client(s) via an interface such as the Web Services Description Language (WSDL) and where (C3L60-61) the security token that is generated by a provider of the web service (C5L52-53) for the client is used by the client).
Fitz is silent on facilitating defining of one or more token configuration parameters for a valid token, the one or more token configuration parameters defined by a user of the client device;
But analogous art Caf teaches facilitating defining of one or more token configuration parameters for a valid token, the one or more token configuration parameters defined by a user of the client device; ([0008] environment-aware security tokens are configured to be user-defined, scalable and adaptive to provide a greater degree of control on accessibility of corresponding assets);
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Fitz to include the idea of user-defined token configuration as taught by Caf so that security of data and other network assets is therefore increased many fold ([0008]).
Claim 19: Fitz teaches a method of using access tokens for identification of breach attempts in a client- server communication, the method comprising: sending, to a server system by the client device, a token generation request comprising the one or more token configuration parameters associated with a valid token; and receiving the valid token from the server system. (C2L36-40: a request message, received at the server hosting the web service, requesting access to a particular function from among a plurality of functions offered by a web service is received from a client at a user device (C2L40-43) the request message includes a function identifier identifying the particular function and further includes a security token comprising (C8L2-6) various authentication attributes/ parameters are incorporated into the security token and associated with the client, (C3L5-24) such functionality of the web service provided to client(s) via an interface such as the Web Services Description Language (WSDL) and where (C3L60-61) the security token that is generated by the web service (C5L52-53) for the client is used by the client).
Fitz is silent on facilitating, by a client device, defining of one or more token configuration parameters, the one or more token configuration parameters defined by a user of the client device;;
But analogous art Caf teaches facilitating, by a client device, defining of one or more token configuration parameters, the one or more token configuration parameters defined by a user of the client device; ([0008] environment-aware security tokens are configured to be user-defined, scalable and adaptive to provide a greater degree of control on accessibility of corresponding assets);
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Fitz to include the idea of user-defined token configuration as taught by Caf so that security of data and other network assets is therefore increased many fold ([0008]).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
1. Choi et al (US 20080280626): Method for Providing Location-Based Service Using Location Token.
2. Lewis et al (US 9219736): Application programming interface for rendering personalized related content to third party applications.
3. Camenisch et al (US 20180091520): TRAITOR TRACING FOR OBFUSCATED CREDENTIALS.
4. Rab et al (US 20180276341): SECURE PERSON IDENTIFICATION AND TOKENIZED INFORMATION SHARING.
5. Schoen et al (US 20150281225): TECHNIQUES TO OPERATE A SERVICE WITH MACHINE GENERATED AUTHENTICATION TOKENS.
6. Elson et al (US 20090076965): COUNTERACTING RANDOM GUESS ATTACKS AGAINST HUMAN INTERACTIVE PROOFS WITH TOKEN BUCKETS.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Badri -- Champakesan whose telephone number is (571)270-3867.  The examiner can normally be reached on M-F: 8:30am-5pm (EST).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi T. Arani can be reached on 5712723787.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/BADRINARAYANAN /Examiner, Art Unit 2438.