DETAILED ACTION
	Claims 1-20 are presented on 05/08/2020 for examination on merits.  Claims 1, 10, and 19 are independent base claims. 

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Examiner's Instructions for filing Response to this Office Action
When the Applicant submits amendments regarding to the claims in response the Office Action, the Examiner would prefer that Applicant submit two sets of claims: 
Set #1 that includes indicators for the status of claim and all marked amendments to the claims; and 
Set #2 comprising a clean version of the claims with all the markups removed for entry, as an appendix to the Applicant Arguments/Remarks or a section following the Remarks.

Information Disclosure Statement
The information disclosure statement (IDS) submitted for examination on merits is compliant with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement(s) is/are being considered by the examiner. See the annotated 1449 documents.

Claim Objections
Claim 3, 11, and 19 are objected to because of the following informalities: 
Claims 3 and 11 each recite “the 3rd party” which is inconsistent with the spelling used in independent claims.  For formality reasons, the Examiner suggests using “the third party.”
then risk threshold” deficiently in the second if-clause.  It appears to be an typographic error.  
Appropriate correction is required.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):

(B)  CONCLUSION—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention. 


Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.

The rejection(s) under 35 U.S.C. 112(b) is/are determined by the following reasons:
Claims 1, 10, and 19 each recite the limitation “the risk assessment policies" in the applying step.  There is insufficient antecedent basis for this limitation in the claim.  It should be noted that Applicant introduces an optional limitation “one or more risk assessment policies” in the applying step in each of the claims, meaning that there may be only one risk assessment policy, thus causing the recitation of “the risk assessment policies" indefinite.
Claims 4-5 and 13-14 also recite the limitation “the risk assessment policies" lacking sufficient antecedent basis for this limitation in the claims, respectively.
the risk threshold” in the first if-clause lacking sufficient antecedent basis for this limitation in the claims, respectively.

Claims 2-9, 11-18, and 20 are also rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, because they depend from the rejected base claims 1, 8, and 15, respectively.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.


In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

Claims 1-4, 6, 8-13, 15, and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Arvanites (US 20190334943 A1; hereinafter “Arva”) in view of Lee (US 20210336983 A1; The provisional application 63/014421 is relied on for the date of reference).

As per claim 1, Arva teaches a computer-implemented risk assessment method in an authentication service (Arva, par. 0001 and 0032-0034: providing application programming interface (API) management, and more specifically, to reducing risk associated with API transactions; risk assessment), the method comprising: 
receiving an authorization request from a third party application calling an Application Programming Interface (Arva, par. 0034: an application that generates an API transaction request at point 200; As shown in FIG. 1 shows, the API client may be of many different types of digital identities including automobiles 100y, which is evidently a third-party application); 
applying one or more risk assessment policies to the authorization request, the risk assessment policies pertaining to behavioral characteristics, to obtain a risk assessment score (Arva, par. 0036: an action rule set. The action rule set may be any action associated with obtaining an API response; par. 0037: if the risk assessment is high, such as above a certain threshold, the system may issue a warning or indication to the user that the API response will not be delivered, may rewrite the request to a honeypot, or may drop the request completely); 
if the risk assessment score exceeds a risk threshold, then executing remedial action for an account associated with the third party application (Arva, par. 0037-0038: if the risk assessment is high, such as above a certain threshold, the system may issue a warning or indication to the user that the API response will not be delivered, may rewrite the request to a honeypot, or may drop the request completely).  
Arva does not explicitly disclose a step of sending an authorization message in response to the authorization request if the risk assessment score does not exceed the risk threshold.  This aspect of the claim is identified as a difference.
In a related art, Lee teaches:
if the risk assessment score does not exceed the risk threshold, then sending an authorization message in response to the authorization request (Lee, par. 0098-0110: classify vendors as being “low,” “medium,” or “high” risk, or the threat detection platform may quantify the risk of vendors using a predefined scale (e.g., 1-5, 1-10, or 1-100); if the risk in communicating with the vendor is low, the communication is allowed or authorized) 
Arva and Lee are analogous art, because they are in a similar field of endeavor in improving risk analysis and assessment of network communications.  Thus, it would have been obvious to one of ordinary in the art, before the effective filing date of the claimed invention, to modify Arva with Lee to include Lee’s the risk assessment techniques and risk classification with one or more thresholds for authorizing the request. For this combination, the motivation would have been to improve the level of security with reduced risks.

As per claim 2, the references as combined above teach the risk assessment method of Claim 1, where the behavioral characteristics include at least one of (Note that optional limitations are recited herein)
a usage pattern of calls to the API during a previous session of calling the API (Arva, par. 0029: previous interactions with the system including but not limited to authentication success and failure history, rate of interaction history, location history); and 
a history of delegation of permissions by the third party application (Arva, par. 0029-0030: failure history, rate of interaction history, location history).  

As per claim 3, the references as combined above teach the risk assessment method of Claim 1, wherein: 
a separate trusted security application is associated with the 3rd party application calling the API (Arva, par. 0030: acceptable level of trust based upon previous interactions with the system); and 
the remedial action comprises calling the trusted security application via a separate channel from the API (Arva, par. 0036: determining further information about the requester or requesting device, storing information available, modifying data within the request or the response, querying a data source for more information, performing a messaging function like sending a log, electronic message, a separate API call, or returning a status or any other action appropriate under the circumstances).  

As per claim 4, the references as combined above teach the risk assessment method of Claim 1, where one or more of the risk assessment policies are applied to data corresponding to reputation data for the account, reputation data for the third party application, and a class of use of the third party application (Lee, par. 0067: bad reputations and have malicious payloads (e.g., links or attachments). With vendor account compromise, however, the emails are legitimate—with valid domains, valid sender infrastructure, valid email authentication (e.g., SPF, DKIM, or DMARC), and valid payload. Instead, the focus of the attack is to exploit trust and steal money, merchandise, or information; par. 0070-0072: discover instances of vendor account compromise and discover instances of vendor impersonation).  

As per claim 6, the references as combined above teach the risk assessment method of Claim 1, where the method includes: 

the step of applying one or more risk assessment policies to the authorization request includes determining whether activity associated with the third party application is consistent with the activity profile for the class of the third party application (Lee, par. 0131: Whether the determination of a risk level was made based on information from several days, weeks, or months ago may impact how much individuals rely on that risk level. Moreover, the list view may include a threat summary that indicates, at a high level, why vendors were classified as risky. As an example, Prolia Systems has been classified as high risk because its recent activities were indicative of compromise and spoofing).  

As per claim 8, the references as combined above teach the risk assessment method of Claim 1, where the remedial action comprises applying a lower rate limit to a number of calls to the Application Programming Interface (Arva, par. 0026: evaluate the risk of a number of digital identities, the application, device, and user, making an API call to determine risk and may refrain from delivering the API; par. 0040 and 0044: restrict or limit delivery of the API response).  

As per claim 9, the references as combined above teach the risk assessment method of Claim 1, where the remedial action comprises at least one of (Note that optional limitations are recited herein) suspension of the account, restricting at least one action for the account, sending a notification to an owner of the account, or control usage of the account (Arva, par. 0053: A score of 75% causes the system to execute action set 605, wherein the system rewrites the destination endpoint to a “honeypot,” and the request passes unaltered, while a score of 90% in 

As per claim 10, Arva teaches a system for risk assessment in an authentication service, the system comprising: 
one or more processors (Arva, par. 0011-0012); and 
one or more memory devices in communication with the one or more processors, the memory devices having computer-readable instructions stored thereupon that, when executed by the processors, cause the processors to perform a method for risk assessment in an authentication service (Arva, par. 0028-0029), 
the method comprising: 
receiving an authorization request from a third party application calling an Application Programming Interface (API) (Arva, par. 0034: an application that generates an API transaction request at point 200; As shown in FIG. 1 shows, the API client may be of many different types of digital identities including automobiles 100y, which is evidently a third-party application); 
applying one or more risk assessment policies to the authorization request, the risk assessment policies pertaining to behavioral characteristics, to obtain a risk assessment score (Arva, par. 0036: an action rule set. The action rule set may be any action associated with obtaining an API response; par. 0037: if the risk assessment is high, such as above a certain threshold, the system may issue a warning or indication to the user that the API response will not be delivered, may rewrite the request to a honeypot, or may drop the request completely); 
if the risk assessment score exceeds a risk threshold, then executing remedial action for an account associated with the third party application (Arva, par. 0037-0038: if the risk assessment is high, such as above a certain t3hreshold, the system may issue a warning or indication to the user that the API response will not be delivered, may rewrite the request to a honeypot, or may drop the request completely); and 
Arva does not explicitly disclose a step of sending an authorization message in response to the authorization request if the risk assessment score does not exceed the risk threshold.  This aspect of the claim is identified as a difference.
In a related art, Lee teaches:
if the risk assessment score does not exceed the risk threshold, then sending an authorization message in response to the authorization request (Lee, par. 0098-0110: classify vendors as being “low,” “medium,” or “high” risk, or the threat detection platform may quantify the risk of vendors using a predefined scale (e.g., 1-5, 1-10, or 1-100); if the risk in communicating with the vendor is low, the communication is allowed or authorized) 
Arva and Lee are analogous art, because they are in a similar field of endeavor in improving risk analysis and assessment of network communications.  Thus, it would have been obvious to one of ordinary in the art, before the effective filing date of the claimed invention, to modify Arva with Lee to include Lee’s the risk assessment techniques and risk classification with one or more thresholds for authorizing the request. For this combination, the motivation would have been to improve the level of security with reduced risks.

As per claim 11, the references as combined above teach the risk assessment system of Claim 10, where the behavioral characteristics include at least one of: 
a usage pattern of calls to the API during a previous session of calling the API; and 
a history of delegation of permissions by the third party application.  

As per claim 12, the references as combined above teach the risk assessment system of Claim 10, wherein:  
a separate trusted security application is associated with the 3rd party application calling the API (Arva, par. 0029: previous interactions with the system including but not limited to authentication success and failure history, rate of interaction history, location history); and 
Arva, par. 0029-0030: failure history, rate of interaction history, location history).  

As per claim 13, the references as combined above teach the risk assessment system of Claim 10, where one or more of the risk assessment policies are applied to data corresponding to reputation data for the account, reputation data for the third party application, and a class of use of the third party application (Lee, par. 0067: bad reputations and have malicious payloads (e.g., links or attachments). With vendor account compromise, however, the emails are legitimate—with valid domains, valid sender infrastructure, valid email authentication (e.g., SPF, DKIM, or DMARC), and valid payload. Instead, the focus of the attack is to exploit trust and steal money, merchandise, or information; par. 0070-0072: discover instances of vendor account compromise and discover instances of vendor impersonation).  

As per claim 15, the references as combined above teach the risk assessment system of Claim 10, where the method includes: 
classifying the third party application as one of a plurality of classes, each class having an associated activity profile (Lee, par. 0098 and 0124: classify vendors as being “low,” “medium,” or “high” risk, or the threat detection platform may quantify the risk of vendors); and 
the step of applying one or more risk assessment policies to the authorization request includes determining whether activity associated with the third party application is consistent with the activity profile for the class of the third party application (Lee, par. 0131: Whether the determination of a risk level was made based on information from several days, weeks, or months ago may impact how much individuals rely on that risk level. Moreover, the list view may include a threat summary that indicates, at a high level, why vendors were classified as risky. As 

As per claim 17, the references as combined above teach the risk assessment system of Claim 10, where the remedial action comprises applying a lower rate limit to a number of calls to the Application Programming Interface.  

As per claim 18, the references as combined above teach the risk assessment system of Claim 10, where the remedial action comprises at least one of (Note that optional limitations are recited herein) suspension of the account, restricting at least one action for the account, sending a notification to an owner of the account, or control usage of the account (Arva, par. 0053: A score of 75% causes the system to execute action set 605, wherein the system rewrites the destination endpoint to a “honeypot,” and the request passes unaltered, while a score of 90% in this example causes the system to execute action set 606, with the system blocking the request and returning a status error, or status 401, to the requesting device.).  
  
As per claim 19, Arva teaches one or more computer storage media having computer executable instructions stored thereon which, when executed by one or more processors, cause the processors to execute a risk assessment method in an authentication service (Arva, par. 0028-0029), the method comprising: 
receiving an authorization request from a third party application calling an Application Programming Interface (API) (Arva, par. 0034: an application that generates an API transaction request at point 200; As shown in FIG. 1 shows, the API client may be of many different types of digital identities including automobiles 100y, which is evidently a third-party application); 
applying one or more risk assessment policies to the authorization request, the risk assessment policies pertaining to behavioral characteristics, to obtain a risk assessment score Arva, par. 0036: an action rule set. The action rule set may be any action associated with obtaining an API response; par. 0037: if the risk assessment is high, such as above a certain threshold, the system may issue a warning or indication to the user that the API response will not be delivered, may rewrite the request to a honeypot, or may drop the request completely); 
if the risk assessment score exceeds the[n] risk threshold, then executing remedial action for an account associated with the third party application (Arva, par. 0037-0038: if the risk assessment is high, such as above a certain t3hreshold, the system may issue a warning or indication to the user that the API response will not be delivered, may rewrite the request to a honeypot, or may drop the request completely).  
However, Arva does not explicitly disclose a step of sending an authorization message in response to the authorization request if the risk assessment score does not exceed the risk threshold.  This aspect of the claim is identified as a difference.
In a related art, Lee teaches:
if the risk assessment score does not exceed a risk threshold, then sending an authorization message in response to the authorization request (Lee, par. 0098-0110: classify vendors as being “low,” “medium,” or “high” risk, or the threat detection platform may quantify the risk of vendors using a predefined scale (e.g., 1-5, 1-10, or 1-100); if the risk in communicating with the vendor is low, the communication is allowed or authorized) 
Arva and Lee are analogous art, because they are in a similar field of endeavor in improving risk analysis and assessment of network communications.  Thus, it would have been obvious to one of ordinary in the art, before the effective filing date of the claimed invention, to modify Arva with Lee to include Lee’s the risk assessment techniques and risk classification with one or more thresholds for authorizing the request. For this combination, the motivation would have been to improve the level of security with reduced risks.

As per claim 20, the references as combined above teach the computer storage media of Claim 19, where: the behavioral characteristics include at least one of (Note that optional limitations are recited in the following): 
a usage pattern of calls to the API during a previous session of calling the API (Arva, par. 0029: previous interactions with the system including but not limited to authentication success and failure history, rate of interaction history, location history), and 
a history of delegation of permissions by the third party application (Arva, par. 0029-0030: failure history, rate of interaction history, location history); and 
the remedial action includes at least one of (Note that optional limitations are recited in the following): 
applying a lower rate limit to a number of calls to the API, calling a trusted security application via a separate channel from the API, suspension of the account, restricting at least one action for the account, sending a notification to an owner of the account, and  control usage of the account (Arva, par. 0026: evaluate the risk of a number of digital identities, the application, device, and user; par. 0036: determining further information about the requester or requesting device, storing information available, modifying data within the request or the response, querying a data source for more information, performing a messaging function like sending a log, electronic message, a separate API call, or returning a status or any other action appropriate under the circumstances).

Claims 5 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Arva and Lee, as applied in claim 1, and further in view of Etler (US 11178068 B1).

As per claim 5, the references Arva and Lee as combined above teach the risk assessment method of Claim 1, but do not explicitly disclose collecting behavioral data pertaining to applications associated with the developer account which is the account 
In a related art, Etler teaches:
where the account associated with the third party application comprises a developer account (Etler, col. 8, lines 32-44: the account; linked to the customer account) and the method includes: 
collecting behavioral data pertaining to applications associated with the developer account (Etler, col. 8, lines 32-44: For example, a feature vector may be constructed using destination data 112, customer data 116, call history data 114, and/or other data linked to the customer account, and the feature vector may be submitted to the machine learning model 130 to generate trust score classifications (allowed or denied) for connection requests associated with the customer account); and 
determining the risk assessment policies by applying machine learning to the collected behavioral data (Etler, col. 7, lines 25-36: The pattern of historical voice connections (or call pattern 128) may indicate customer behavior for calling high risk or high cost destination endpoints).  
Etler is analogous art to the claimed invention in a similar field of endeavor in improving risk analysis and assessment of network communications.  Thus, it would have been obvious to one of ordinary in the art, before the effective filing date of the claimed invention, to modify the Arva-Lee system with Etler to collect behavioral data pertaining to applications. For this combination, the motivation would have been to improve the risk analysis be determining the patterns of customer behaviors.

As per claim 14, the references as combined above teach the risk assessment system of Claim 10, but do not explicitly disclose collecting behavioral data pertaining to applications 
In a related art, Etler teaches:
where the account associated with the third party application comprises a developer account (Etler, col. 8, lines 32-44: the account; linked to the customer account)and the method includes: 
collecting behavioral data pertaining to applications associated with the developer account (Etler, col. 8, lines 32-44: For example, a feature vector may be constructed using destination data 112, customer data 116, call history data 114, and/or other data linked to the customer account, and the feature vector may be submitted to the machine learning model 130 to generate trust score classifications (allowed or denied) for connection requests associated with the customer account); and 
determining the risk assessment policies by applying machine learning to the collected behavioral data (Etler, col. 7, lines 25-36: The pattern of historical voice connections (or call pattern 128) may indicate customer behavior for calling high risk or high cost destination endpoints).  
Etler is analogous art to the claimed invention in a similar field of endeavor in improving risk analysis and assessment of network communications.  Thus, it would have been obvious to one of ordinary in the art, before the effective filing date of the claimed invention, to modify the Arva-Lee system with Etler to collect behavioral data pertaining to applications. For this combination, the motivation would have been to improve the risk analysis be determining the patterns of customer behaviors.


Allowable Subject Matter
Claim 7 and 16 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

The claims 7 and 16 each recite elements of “reclassifying the 3d party application based on machine learning applied to the activity associated with the 3d party application”.  These elements, in combination with the other limitations in the claims 1, 6, 10, and 16, are not anticipated by, nor made obvious over the prior art of record.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure as the prior art additionally discloses certain parts of the claim features (See “PTO-892 Notice of Reference Cited”).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DON ZHAO whose telephone number is (571)272.9953.  The examiner can normally be reached on Monday to Friday, 7:30 A.M to 5:00 P.M EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl G Colin can be reached on 571.272.3862.  The fax phone number for the organization where this application or proceeding is assigned is 571.273.8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR 


/Don G Zhao/Primary Examiner, Art Unit 2493                                                                                                                                                                                                        03/21/2022