DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 10/31/2019 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the 

Claims 1-3, 5, 11-13, 15-17, 19, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over US 2020/0117523 to Morrison et al. (hereinafter, “Morrison”) in view of US 2012/0192016 to Gotesdyner et al. (hereinafter, “Gotesdyner”).
As per claim 1: Morrison discloses: An apparatus comprising: at least one processing platform comprising a plurality of processing devices; said at least one processing platform being configured (a computerized system that includes a processor [Morrison, ¶0025]): to monitor and log a plurality of transactions between one or more clients and an application programming interface gateway (an API gateway provides a single entry point into a system of services provided by API servers [Morrison, ¶0018]; messages are received from a user of an API client at the API gateway, such as depicted in the system of Fig. 1 [Morrison, ¶0056]); to analyze data corresponding to the plurality of transactions using one or more machine learning techniques (a model corresponding to a usage pattern of an API server by the user is utilized by the API gateway [Morrison, ¶0061]); to determine, based on the analyzing, one or more issues corresponding to one or more application programming interfaces associated with the application programming interface gateway and resulting from one or more of the plurality of transactions (the model is used to detect attacks or fraud on the API server based on usage patterns [Morrison, ¶0053, 0061]); .
Morrison does not disclose performing “one or more corrective actions to address the one or more issues”. For example, an “issue” may be an attack on the API server as disclosed in [Morrison, ¶0053]. However, Gotesdyner is directed to analogous art of determining potential to perform one or more corrective actions to address the one or more issues (a future trend may be used to determine whether the trend may cause an undesirable event; for example, if the future trend for bandwidth consumption continues to be on a rise, then one or more preventative actions are recommended once a value in the future trend in a predetermined time interval exceeds a threshold [Gotesdyner, ¶0131]).
Thus, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to implement a pro-active approach to managing cyber-attacks in the system of Morrison. This form of approach would have prevented any damage by predicting an incoming attack over a reactive approach after an attack has happened. In the case of Morrison, a common network attack would have been distributed denial of service (DDoS), which would have been detected in the early stages using the techniques of Gotesdyner to identify increasing bandwidth usage.

As per claim 2: Morrison in view of Gotesdyner disclose all limitations of claim 1. Furthermore, the same motivation for incorporating Gotesdyner with Morrison in claim 1 is also applicable to claim 2. Therefore, Morrison in view of Gotesdyner disclose: wherein the one or more issues comprise a determination that a rate limit for a given application programming interface of the one or more application programming interfaces will be exceeded (a future trend may be used to determine whether the trend may cause an undesirable event; for example, if the future trend for bandwidth consumption continues to be on a rise, then one or 

As per claim 3: Morrison in view of Gotesdyner disclose all limitations of claim 2. Furthermore, the same motivation for incorporating Gotesdyner with Morrison in claim 1 is also applicable to claim 3. Therefore, Morrison in view of Gotesdyner disclose: wherein, in performing the one or more corrective actions, said at least one processing platform is configured to transmit a message to an owner of the given application programming interface indicating that the rate limit will be exceeded (preventive actions are recommended to a network administrator [Gotesdyner, ¶0094, 0098]).

As per claim 5: Morrison in view of Gotesdyner disclose all limitations of claim 2. Furthermore, the same motivation for incorporating Gotesdyner with Morrison in claim 1 is also applicable to claim 5. Therefore, Morrison in view of Gotesdyner disclose: wherein the determination that the rate limit will be exceeded is based on an analysis of the one or more of the plurality of transactions over a given time period to determine a trend (analyzing a set of absolute value changes for measurement data, defined within a set of particular time intervals, the system may determine whether the value change is consistent within the set of the particular time intervals; thereby a trend is established [Gotesdyner, ¶0128-0130]).

As per claim 11: Morrison in view of Gotesdyner disclose all limitations of claim 1. Furthermore, the same motivation for incorporating Gotesdyner with Morrison in claim 1 is also wherein, in determining the one or more issues, said at least one processing platform is configured to identify one or more anomalies by specifying a threshold value in a contamination parameter (a threshold [Gotesdyner, ¶0131]).

As per claim 12: Morrison in view of Gotesdyner disclose all limitations of claim 1. Furthermore, the same motivation for incorporating Gotesdyner with Morrison in claim 1 is also applicable to claim 12. Therefore, Morrison in view of Gotesdyner disclose: wherein, in determining the one or more issues, said at least one processing platform is configured to predict one or more patterns over a future time period based on historical data (a future trend may be used to determine whether the trend may cause an undesirable event; for example, if the future trend for bandwidth consumption continues to be on a rise, then one or more preventative actions are recommended once a value in the future trend in a predetermined time interval exceeds a threshold [Gotesdyner, ¶0131]).

As per claim 13: Morrison in view of Gotesdyner disclose all limitations of claim 1. Furthermore, Morrison discloses: wherein the one or more machine learning techniques comprise at least one of an isolation forest model, a weighted moving average method, an artificial neural network, a support vector machine, a K-means method, a decision tree, a multilayer perceptron, a naïve Bayes classifier, a Bayesian network and instance based learning (the machine learning component utilizes one or more machine learning algorithms, 

As per claim 15: Morrison in view of Gotesdyner disclose all limitations of claim 1. Furthermore, Morrison discloses: wherein the plurality of transactions comprise requests by the one or more clients to access the one or more application programming interfaces associated with the application programming interface gateway (the user of an API client makes requests or API calls to the API server for functionality provided by an application using said API server; the API gateway brokers these calls and responses between the API client and the API server [Morrison, ¶0015]).

As per claim 16: Claim 16 is different in overall scope from claim 1 but recites substantially similar subject matter as claim 1. Claim 16 is directed to a method corresponding to the functions performed by the processing platform in the apparatus of claim 1. Thus, the response provided above for claim 1 is equally applicable to claim 16.

As per claim 17: Claim 17 incorporates all limitations of claim 16 and is a method corresponding to the functions performed by the processing platform in the apparatus of claim 2. Therefore, the arguments set forth above with respect to claims 2 and 16 are equally applicable to claim 17 and rejected for the same reasons.

As per claim 19: Claim 19 is different in overall scope from claim 1 but recites substantially similar subject matter as claim 1. Claim 19 is directed to a computer program product comprising program code corresponding to the functions of the processing platform in the apparatus of claim 1. Thus, the response provided above for claim 1 is equally applicable to claim 19.

As per claim 20: Claim 20 incorporates all limitations of claim 19 and is a computer program product comprising program code corresponding to the functions of the processing platform in the apparatus of claim 2. Therefore, the arguments set forth above with respect to claims 2 and 19 are equally applicable to claim 20 and rejected for the same reasons.

Claim 4 are rejected under 35 U.S.C. 103 as being unpatentable over Morrison in view of Gotesdyner in further view of US 2017/0289307 to Thompson et al. (hereinafter, “Thompson”).
As per claim 4: Morrison in view of Gotesdyner disclose all limitations of claim 2. Morrison and Gotesdyner do not disclose the elements of claim 4. However, Thompson is directed to analogous art of analyzing metadata of API requests within an API gateway to scale an endpoint service [Thompson, ¶0013]. Therefore, Thompson discloses: wherein, in performing the one or more corrective actions, said at least one processing platform is configured to perform an automated platform scaling to compensate for the rate limit being exceeded (auto scaling for a service because of a change in an API request load [Thompson, ¶0020]).
.

Claim 6-10 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Morrison in view of Gotesdyner in further view of US 2018/0288091 to Doron et al. (hereinafter, “Doron”).
As per claim 6: Morrison in view of Gotesdyner disclose all limitations of claim 1. Morrison and Gotesdyner do not disclose the elements of claim 6. However, Doron is directed to analogous art of a defense platform for protecting against excessive utilization of cloud services [Doron, ¶0015]. Cloud services include APIs [Doron, ¶0052]. Therefore, Doron discloses: wherein the one or more issues comprise at least one spike in one or more errors (telemetries related to network traffic are collected, include error rate and the number of errors [Doron, ¶0034, 0054]; features are extracted from telemetries to detect DDoS attacks or anomalies using a machine learning based classifier [Doron, ¶0055]).
Thus, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to identify any type of attributes, such as the number errors in Morrison, for a traffic pattern model to classify an attack on an API client. The amount of errors would have been a significant attribute/feature to collect in detecting a DDoS attack [Doron, ¶0045].

As per claim 7: Morrison in view of Gotesdyner and Doron disclose all limitations of claim 6. Furthermore, the same motivation for incorporating Doron with Morrison and Gotesdyner in claim 6 is also applicable to claim 7. Therefore, Morrison in view of Gotesdyner and Doron disclose: wherein the one or more errors comprise at least one of a bad request error and an unauthorized error (telemetries include HTTP/HTTPS response codes metrics and number of errors [Doron, ¶0034]; “bad request error” and “unauthorized error” are common and well-known HTTP response codes (e.g. see RFC 7231; they refer to standard HTTP error codes 400 and 401, respectively)).

As per claim 8: Morrison in view of Gotesdyner and Doron disclose all limitations of claim 6. Furthermore, the same motivation for incorporating Doron with Morrison and Gotesdyner in claim 6 is also applicable to claim 8. Therefore, Morrison in view of Gotesdyner and Doron disclose: wherein said at least one processing platform is further configured to determine, based on the at least one spike in errors, whether one of a distributed denial of service attack and a brute force attack is occurring (collecting telemetries and using them for detecting DDoS attacks [Doron, ¶0045-0049]).

As per claim 9: Morrison in view of Gotesdyner disclose all limitations of claim 1. Furthermore, the same motivation for incorporating Doron with Morrison and Gotesdyner in claim 6 is also applicable to claim 9. Therefore, Morrison in view of Gotesdyner and Doron disclose: wherein the one or more issues comprise an internal server error (telemetries 

As per claim 10: Morrison in view of Gotesdyner and Doron disclose all limitations of claim 9. Furthermore, the same motivation for incorporating Doron with Morrison and Gotesdyner in claim 6 is also applicable to claim 10. Therefore, Morrison in view of Gotesdyner and Doron disclose: wherein, in performing the one or more corrective actions, said at least one processing platform is configured to perform an automated remedial process to eliminate the internal server error (at least one mitigation action is performed, such as cleaning traffic, reconfiguring ACLs, or both [Doron, ¶0080]).

As per claim 18: Claim 18 incorporates all limitations of claim 16 and is a method corresponding to the functions performed by the processing platform in the apparatus of claim 6. Therefore, the arguments set forth above with respect to claims 6 and 16 are equally applicable to claim 18 and rejected for the same reasons.

Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Morrison in view of Gotesdyner in further view of US 7,357,301 to Bajpay et al. (hereinafter, “Bajpay”).
As per claim 14: Morrison in view of Gotesdyner disclose all limitations of claim 1. Morrison and Gotesdyner do not disclose the elements of claim 14. However, Bajpay is directed to analogous art of resolving network events generated in problem tickets [Bajpay, col. 1, line wherein, in performing the one or more corrective actions, said at least one processing platform is configured: to generate a service ticket corresponding to the one or more issues (a problem ticket is created by a system that actively monitors network facilities [Bajpay, col. 2, lines 22-25]); and to transmit the service ticket to a provider of the one or more application programming interfaces corresponding to the one or more issues (problem tickets are routed to work centers that include telecommunications network specialists who are trained to resolve problems or network events [Bajpay, col. 1, line 65 – col. 2, line 11]).
Thus, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to implement a ticketing system in the modified system of Morrison in view of Gotesdyner as one of the mitigation actions. The type of mitigation actions would have been a design choice in the modified system. Bajpay provided a way to notify specialists to resolve detected network problems via a priority-based system [Bajpay, col. 1, line 37-45]. Therefore, severe network issues would have been listed as high priority.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 2020/0120122 (Discloses detecting anomalous behavior in IoT devices using previously tracked behaviors over time and managing security policies via an API gateway.)
US 2017/0237729 (Discloses management of API access that includes determining if a threshold number of errors from a log is produced from API calls.)
WO 2012/114215 (Discloses predicting a network event flood based on a current aggregated rate trend.)
Deshmukh RV, Devadkar KK. Understanding DDoS attack & its effect in cloud environment. Procedia Computer Science. 2015 Jan 1; 49:202-10. (Discloses taxonomy of DDoS attacks in the cloud.)
R. Fielding, J. Reschke. Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content. Request for Comments: 7231. June 2014. (Discloses the standard HTTP response codes/statuses.)

Any inquiry concerning this communication or earlier communications from the examiner should be directed to ROBERT B LEUNG whose telephone number is (571)270-1453. The examiner can normally be reached Mon - Thurs: 10am-7pm ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JUNG KIM can be reached on 571-272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.




/ROBERT B LEUNG/Primary Examiner, Art Unit 2494                                                                                                                                                                                                        3-17-2022