DETAILED ACTION
Authorization for Internet Communications
The examiner encourages Applicant to submit an authorization to communicate with the examiner via the Internet by making the following statement (from MPEP 502.03):
“Recognizing that Internet communications are not secure, I hereby authorize the USPTO to communicate with the undersigned and practitioners in accordance with 37 CFR 1.33 and 37 CFR 1.34 concerning any subject matter of this application by video conferencing, instant messaging, or electronic mail. I understand that a copy of these communications will be made of record in the application file.”

Please note that the above statement can only be submitted via Central Fax (not Examiner's Fax), Regular postal mail, or EFS Web using PTO/SB/439.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 12/07/2021 and 03/09/2022 are being considered by the examiner.

Specification
The abstract of the disclosure is objected to because the first occurrence of the acronyms “HTTP/TLS”, “HTP” should be spelled out.
Further, the abstract refers to purported merits or speculative applications of the invention and compares the invention with the prior art.
Correction is required.  See MPEP § 608.01(b).
The disclosure is objected to because of the following informalities: 
Page 2, para 0002; there appears to be a typographical error: “(API (scanning service” should read -- (API) scanning service --.
Page 2, para 0004; the first occurrence of the acronym “SOAP” should be spelled out.
Page 3, para 0007; the first occurrence of the acronym “HTTP/TLS” should be spelled out.  
Appropriate correction is required.

Claim Objections
Claims 1 – 20 are objected to because of the following informalities:  
Regarding claims 1, 8 and 15, the first occurrence of the acronym “API” should be spelled out.
Claims 2 – 7, 9 – 14 and 16 – 20 are dependent claims and thus also objected to.
Appropriate correction is required.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1 – 7 are rejected under 35 U.S.C. 101 because the claims are directed to non-statutory subject matter.
Claims 1 - 7 are directed to a “system”. However, in light of the specification [page 14, paragraph 0079], the claimed system could be merely software per se which is non-statutory subject matter.
The Examiner suggests amending the claim to recite -- a system for…, comprising: a memory storing instructions; and at least one hardware processor to execute the instructions to:… -- to overcome the 101 rejection.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claim(s) 1, 2, 8, 9, 15 and 16 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by the prior art of record, Kuykendall et al., (US 2014/0123295 A1) (hereinafter “Kuykendall”).

Kuykendall discloses:
Regarding claim 1, a system for a protected proxy for a dynamic API scanning service, comprising: 
a cloud-based infrastructure [i.e., scanner 400 used in cloud architecture i.e., SaaS version 1200 (see figures 2 and 12), (page 9, para 0200)] comprising an autonomous transaction processing (ATP) database service [i.e., database 410 in the scanner 400 (see figure 2), (page 2, para 0024)] and a redirect service [i.e., scan engine/universal translator 430 (see figure 2)]; 
a user portal [i.e., the crawler 420 receives inputs (manually or automatically) (page 2, para 0025)]; and 
a database store [i.e., database 410 in the scanner 400 (see figure 2), (page 2, para 0024)]; 
wherein the ATP database service receives a scan project request [i.e., the crawler 420 receives inputs (manually or automatically) (page 2, para 0025)], the scan project request being targeted to an endpoint of a client resource [i.e., device interface 450 of the scanner 400 for communication with the server 100 (page 2, para 0024), (see figure 2)]; wherein the ATP database service starts one or more containerized API scanners targeted to a unique identifier created by the redirect service [i.e., attach engine 440 of the scanner 400 modifies data with attack payload into modified universal parameter object (MUPO) (page 2, para 0030), (see figures 2 and 4)]; and wherein the redirect service generates mirrors of one or more requests from the one or more containerized API scanners, the mirrors being sent to the target endpoint [i.e., send the modified universal parameter object to the universal translator to re-create attack traffic and send to application (see reference 5600 of figure 4), (page 2, para 0030), (see figure 2)].  
Regarding claim 2, the system of claim 1, wherein the scan project request comprises one or more authentication tokens [i.e., session parameter is used to verify the request to determine that it belongs to a valid authenticated session (page 3, para 0058)].   
Regarding claim 8, a method for a protected proxy for a dynamic API scanning service, comprising: 
providing, at a computer comprising a microprocessor and a memory, a cloud-based infrastructure [i.e., scanner 400 used in cloud architecture i.e., SaaS version 1200 (see figures 2 and 12), (page 9, para 0200)] comprising an autonomous transaction processing (ATP) database service [i.e., database 410 in the scanner 400 (see figure 2), (page 2, para 0024)] and a redirect service [i.e., scan engine/universal translator 430 (see figure 2)]; 
providing a user portal [i.e., the crawler 420 receives inputs (manually or automatically) (page 2, para 0025)]; 
providing a database store [i.e., database 410 in the scanner 400 (see figure 2), (page 2, para 0024)]; 
receiving, at the ATP database service, a scan project request [i.e., the crawler 420 receives inputs (manually or automatically) (page 2, para 0025)], the scan project request being targeted to an endpoint of a client resource [i.e., device interface 450 of the scanner 400 for communication with the server 100 (page 2, para 0024), (see figure 2)]; 
starting, by the ATP database service, one or more containerized API scanners targeted to a unique identifier created by the redirect service [i.e., attach engine 440 of the scanner 400 modifies data with attack payload into modified universal parameter object (MUPO) (page 2, para 0030), (see figures 2 and 4)]; and 
generating, by the redirect service, mirrors of one or more requests from the one or more containerized API scanners, the mirrors being sent to the target endpoint [i.e., send the modified universal parameter object to the universal translator to re-create attack traffic and send to application (see reference 5600 of figure 4), (page 2, para 0030), (see figure 2)].  
Regarding claim 9, the method of claim 8, wherein the scan project request comprises one or more authentication tokens [i.e., session parameter is used to verify the request to determine that it belongs to a valid authenticated session (page 3, para 0058)].  
Regarding claim 15, a non-transitory computer readable storage medium having instructions thereon for a protected proxy for a dynamic API scanning service [i.e., (see figure 1)], which when read and executed by a computer cause the computer to perform steps comprising: 
providing, at a computer comprising a microprocessor and a memory, a cloud-based infrastructure [i.e., scanner 400 used in cloud architecture i.e., SaaS version 1200 (see figures 2 and 12), (page 9, para 0200)] comprising an autonomous transaction processing (ATP) database service [i.e., database 410 in the scanner 400 (see figure 2), (page 2, para 0024)] and a redirect service [i.e., scan engine/universal translator 430 (see figure 2)]; 
providing a user portal [i.e., the crawler 420 receives inputs (manually or automatically) (page 2, para 0025)]; 
providing a database store [i.e., database 410 in the scanner 400 (see figure 2), (page 2, para 0024)]; 
receiving, at the ATP database service, a scan project request [i.e., the crawler 420 receives inputs (manually or automatically) (page 2, para 0025)], the scan project request being targeted to an endpoint of a client resource [i.e., device interface 450 of the scanner 400 for communication with the server 100 (page 2, para 0024), (see figure 2)]; 
starting, by the ATP database service, one or more containerized API scanners targeted to a unique identifier created by the redirect service [i.e., attach engine 440 of the scanner 400 modifies data with attack payload into modified universal parameter object (MUPO) (page 2, para 0030), (see figures 2 and 4)]; and 
generating, by the redirect service, mirrors of one or more requests from the one or more containerized API scanners, the mirrors being sent to the target endpoint [i.e., send the modified universal parameter object to the universal translator to re-create attack traffic and send to application (see reference 5600 of figure 4), (page 2, para 0030), (see figure 2)].  
Regarding claim 16, the non-transitory computer readable storage medium of claim 15, wherein the scan project request comprises one or more authentication tokens [i.e., session parameter is used to verify the request to determine that it belongs to a valid authenticated session (page 3, para 0058)].  

Allowable Subject Matter
Claims 10 – 14 and 17 – 20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
The following is a statement of reasons for the indication of allowable subject matter:  
Regarding claim 10: 
the prior art of record, Kuykendall (US 2014/0123295 A1), discloses the method of claim 9. 
However, Rutledge does not disclose “wherein the redirect service comprises: a router service, one or more redirect tables, and a domain name system (DNS) service”.
Regarding claim 14: 
the prior art of record, Kuykendall (US 2014/0123295 A1), discloses the method of claim 8. 
However, Rutledge does not disclose “wherein generating the mirrors of the one or more requests from the one or more containerized API scanners comprises copying key headers of the one or more requests from the one or more containerized API scanners to the mirrors; and copying body data of the one or more requests from the one or more containerized API scanners to the mirrors”.
Regarding claim 17: 
the prior art of record, Kuykendall (US 2014/0123295 A1), discloses the non-transitory computer readable storage medium of claim 16. 
However, Rutledge does not disclose “wherein the redirect service comprises: a router service, one or more redirect tables, and a domain name system (DNS) service”.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Subbarayan (US 2018/0115523 A1) discloses API deception environment and API traffic control and security.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SYED A RONI whose telephone number is (571)270-7806. The examiner can normally be reached M-F 9:00-5:00 pm (EST).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Sough Hyung can be reached on (571) 272-6799. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/SYED A RONI/Primary Examiner, Art Unit 2194