Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Detailed Action
Claim Objections
Claim 20 is objected to because of the following informalities:  
The claim is an incomplete sentence and therefore, the claim cannot be understood or prior art applied.  Appropriate correction is required before the claim can be properly interpreted to apply prior art, if applicable.
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1-7, 9-15 and 17-18 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Zhu et al (US 2015/0128156).

Regarding claim 1, Zhu teaches a method comprising: 
obtaining application programming interface (API) request information associated with API requests to an API provider, wherein the API request information comprises API function identifiers associated with the API requests (figs.1-3, [0030] provides “The API monitor 134 may be any component that monitors API usage in the API ecosystem 106 and collects API call data 146. The API call data 146 may, inter alia, identify programmatic procedures, parameters passed to programmatic procedures, and an order in which the programmatic procedures were called.”…wherein call data is interpreted as function identifiers); 
identifying sequences of API requests based on the API request information ([0030] provides “In some examples, the API call data 146 may identify a series of programmatic procedures in the API that were invoked at an interface over time. For example, the API call data 146 may identify API Name 1, API Name 2, and API Name 3 indicating that API Name 1 was invoked at the interface first, then API Name 2 was invoked at the interface, and finally API Name 3 was invoked at the interface.”…wherein series provides for sequence); 
identifying one or more API path trends in the API requests based on the identified sequences ([0031-0033] provides “The pattern recognition module 136 may be a component that identifies API usage patterns 142 in the API call data 145 monitored by the API monitor 134…The API usage patterns 142 may identify a structure of API calls that generalizes a behavior of a series of API calls that are performed as a result of users or scripts completing a use case and/or a set of functionalities…the usage identification module 140 may determine a similarity between the API call data 146 gathered during the activity identification phase and the API usage patterns 142 determined during the initialization phase.”…wherein usage pattern provides for path trends); 
and generating a summary of the one or more API path trends ([0049] provides “The API usage patterns 142 that are frequent may be identified (230) from the API call data 146 by the pattern recognition module 136 using a Deterministic Finite Automation (DFA) graph.”…wherein a graph is interpreted as a graphical summarization of the usage patterns).

Regarding claim 2, Zhu has taught the method of claim 1, wherein the API request information further indicates an API user associated with each of the API requests ([0042] provides “Each of the API requests 120 may include a context 152, such as an API key, a session identifier, a user identifier, a transaction identifier and/or any other object that provides context for the API request or otherwise identifies the API request.”).

Regarding claim 3, Zhu has taught the method of claim 1, wherein the API request information comprises at least headers associated with the API requests ([0042] provides “Each of the API requests 120 may include a context 152, such as an API key, a session identifier, a user identifier, a transaction identifier and/or any other object that provides context for the API request or otherwise identifies the API request.”).

Regarding claim 4, Zhu has taught the method of claim 1, wherein the API requests correspond to first period, and wherein identifying the one or more API path trends in the API requests based on the identified sequences comprises: 
identifying second sequences of API requests based on API request information corresponding to a second period ([0045] provides “Each of the use cases 320 may be associated with the context 152, such as the user identifier and the transaction identifier, and a message identifier that identifies a corresponding sequence of API calls in the API call data 146.” wherein “each use case” is interpreted to provide for different periods); 

identifying a second rate of the sequence in the second sequences (fig.6 provides for a decision tree to determine a rate of API calls); 
and determining that a difference between the first rate and the second rate satisfies one or more criteria (fig.6 provides for scripting and alerts).

Regarding claim 5, Zhu has taught the method of claim 1, wherein the API requests comprise a sample set of all API requests to the API provider ([0017] provides “Each predetermined API usage pattern may identify a series of API calls performed or invoked as a result of a corresponding use case.” wherein predetermined provides for sample).

Regarding claim 6, Zhu has taught method of claim 1, wherein a first API path trend of the one or more API path trends corresponds to an API user [0042], and wherein the method further comprises: updating a first sample rate to a second sample rate for the API request information based on the first API path trend ([0043] provides “The sampling frequency may be determined through experiments and may be a parameter which can be adjusted.”).

Regarding claim 7, Zhu has taught the method of claim 1 further comprising communicating, for display, the summary to an administrator associated with the API provider ([0077], [0079], [0087]).

Regarding claim 9, this claim contains limitations found within that of claim 1, and the same rationale of rejection applies, where applicable.

Regarding claim 11, this claim contains limitations found within that of claim 3, and the same rationale of rejection applies, where applicable.
Regarding claim 12, this claim contains limitations found within that of claim 4, and the same rationale of rejection applies, where applicable.
Regarding claim 13, this claim contains limitations found within that of claim 5, and the same rationale of rejection applies, where applicable.
Regarding claim 14, this claim contains limitations found within that of claim 6, and the same rationale of rejection applies, where applicable.
Regarding claim 15, this claim contains limitations found within that of claim 7, and the same rationale of rejection applies, where applicable.
Regarding claim 17, this claim contains limitations found within that of claims 1 and 6, and the same rationale of rejection applies, where applicable.
Regarding claim 18, this claim contains limitations found within that of claim 1, and the same rationale of rejection applies, where applicable.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 8, 16 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over by Zhu et al (US 2015/0128156), in view of Call et al (US 2016/0057107).

Regarding claim 8, Zhu has taught the method of claim 1 but Zhu does not explicitly teach further comprising blocking API requests from one or more API users based on the one or more API path trends. However, in a similar field of endeavor, Call teaches blocking API requests from one or more API users based on the one or more API path trends ([0010] provides “The API filtering system, also referred to herein as an API wall, includes creating a dashboard including information regarding performance indicators related to the endpoint application/device, such as monitoring a frequency, a velocity, a time of day, a geo-location, or an authentication indicator related to the API call requests. The API wall further provides a report for a security team of an enterprise or other system user such that the security team can change access permissions for the API, wherein the access permission changes include modifying the access to the API, limiting access to the API, or blocking access to the API based on many factors, including the performance indicators. The system further provides security teams the ability to change the access permissions for the API from unauthenticated access permissions to authenticated access permissions.”).
One of ordinary skill in the art before the effective filing date of Applicant’s claimed invention would be motivated to use the feature of blocking users based on API usage trends, as taught by Call, in the Zhu system because it would be increase the ability for enterprise security teams and management to maintain closer control and monitoring of their enterprise web services in a way that makes it manageable and cost effective for security teams to monitor and modify the API/web service permissions, requests, and responses (Call [0007-0008]).


Regarding claim 19, this claim contains limitations found within that of claim 8, and the same rationale of rejection applies, where applicable.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ISHRAT RASHID whose telephone number is (571)272-5372.  The examiner can normally be reached on 10AM-6PM EST M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Tonia L Dollinger can be reached on 571-272-4170.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/I.R/Examiner, Art Unit 2459                                                                                                                                                                                                        
/MINH CHAU NGUYEN/Primary Examiner, Art Unit 2459