DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
	Claim Objections
	Claim 1 is objected to because of the following informality: 
	Line 9, “the client device” should read “a client device”.
	Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action: 
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

	Claims 1-5, 7, 10-14 and 16-20 are rejected under 35 U.S.C. 102(a)(1)(a)(2) as being anticipated by US-PGPUB No. 20190114417 A1to Subbarayan et al. (hereinafter “Subbarayan”)
Regarding claim 1:
Subbarayan discloses:
A system comprising (¶31: “… Outlier Detection system 100′ …”, see FIG. 1B. Note: ¶31: “… the OD system 100′ can include two devices, the API gateway 120a and the Analysis Server 120b, as illustrated in FIG. 1B, that can be configured to perform functions analogous to the Proxy Server 120 of the OD system 100 in FIG. 1A.”. The Outlier Detection system 100′ and the Outlier Detection system 100 are equivalent except that the Proxy Server 120 of the OD system 100 is split into API Gateway 120a and Analysis Server 120b. Therefor, Proxy Server 120 can be used in place of Analysis Server 120b, and Processor 122 can be used in place of Processor 122b.):5
a first server (¶31: “… Analysis Server 120b …”, see FIG. 1B, note: “Analysis Server 120b” can be “Proxy Server 120” as explained above) comprising one or more processors (¶33: “The Analysis Server 120b includes a processor 122b …”) configured to identify one or more patterns of malicious activity based, at least in part, on event information associated with a request and at least one of a plurality of custom parameters (¶05: “… consistency score …”) (p33: “The Analysis Server 120b can be configured to perform various analyses on the information related to the API traffic … to identify outliers in API calls included in the API traffic that may be indicative of potentially malicious actions.”, ¶05: “… based on the consistency score for each pair of API calls from the set of API calls that the client device is operating in a malicious manner; and restrict API calls received from the client device based on identifying that the client device is operating in the malicious manner.”); 
a second server (¶14: “… Destination Server 130 …”) comprising one or more processors (¶24: “The Destination Server 130 can include a processor 132 …”) configured to host an application accessed by the client device (¶14: “… compute device 110 …”) (¶25: “… the processor 132 of the destination server 130 can be configured to host one or more web servers with a specified functionality. The web servers can include or access programs executed on the processor 132, the programs being configured to receive requests from client devices such as the compute device 110 …”), wherein the first server is coupled between the 10 client device and the second server and is configured to handle requests between the client device and the second server (see FIG. 1B for the arrangement of compute device 110, Analysis Sever 120b and Destination Server 130, ¶14: “The OD system 100 includes a compute device 110 connected, via a Proxy Server 120, to a Destination Server 130 through a communication network 140 …”); and
a database system (¶20: “… database server …”) configured to store application data associated with the application and the client device (¶20: “The memory 104 can store … one or more software modules and/or code that can include instructions to cause the processor 102 to perform one or more processes, functions, and/or the like (e.g., the execution of one or more software applications, the generation of API calls directed to a destination server, the receiving of information from the destination server, etc.) … a remote database server can serve as a memory and be operatively coupled to the compute device.”). 15 
Regarding claim 2: 
Subbarayan discloses:
The system of claim 1, wherein the one or more patterns of malicious activity are identified based on patterns of requests made by the client device (¶05: “… based on the consistency score for each pair of API calls from the set of API calls that the client device is operating in a malicious manner …”, ¶49: “A potentially malicious pattern of activity can generate either a new sequence of symbols or a combination of new sequences of symbols of API transactions that can be identified as an outlier and be flagged as being indicative of malicious activity.”).  
Regarding claim 3: 
Subbarayan discloses:
The system of claim 2, wherein the one or more patterns of malicious activity are further identified based on user parameters and metadata associated with the requests (¶44: “… parse real-time API traffic received from one or more compute devices … by extracting data associated with a predetermined set of data parameters stored in the memory 224. … the data may be extracted … from data packets corresponding to real-time API traffic that is being received, using metadata formats …”).20  
Regarding claim 4:
Subbarayan discloses:
The system of claim 1, wherein the first server (¶60: “… the proxy server 120”) is further configured to generate a corrective action based, at least in part, on the identified one or more patterns of malicious activity (¶60: “… the method involves receiving, at a processor of a server (e.g., … the proxy server 120), a first set of API calls … the method includes receiving at the processor of the server, a second set of API calls … the method includes the processor comparing the predicted sequence and the sequence of the second set of API calls. … the method includes the processor sending a signal to implement a remedial action based on the second set of API calls being indicative of maliciousness.”). 25  
Regarding claim 5:
Subbarayan discloses:
The system of claim 4, wherein the corrective action comprises at least one modification to a user request (¶62: “… remedial actions can include blocking all further API traffic associated with the source of the second set of API calls being indicative of maliciousness, setting restrictive filters for receiving and/or transmitting further API calls associated with the source of the second set of API calls being indicative of maliciousness”).
Regarding claim 7: 
Subbarayan discloses:
The system of claim 1, wherein the one or more patterns of malicious activity are identified based, at least in part, on a plurality of log files based on requests received from a client device, wherein each log file is generated based (¶43: “The data logger 251 can be configured to receive a copy of incoming data from the router 250 (¶42: “… router 250 can be configured to receive requests from a client application at a compute device …”) and log the data for reference. … the data logger can generate a dictionary of API transactions that can be used by the components of the processor 222 to identify outlier data or potentially malicious actions. … In some instances, where a labeled or ground truth data may be available or used, the data logger may receive and log this ground truth data for future comparison against unknown API traffic data received from one or more compute devices …”).5 
Regarding claim 10:
Subbarayan discloses:
A method comprising (¶06: “… a method …”):
15receiving, at a first communications interface (¶30: “The Proxy Server 120 can include … a communicator 126 … “) of a first server (¶30: “… Proxy Server 120 …), a plurality of requests from a client device (¶06: “…  a method includes receiving, at a processor of a server, a first application programming interface (API) call from a client device. …”); 
generating, using a processing device of a first server (¶43: “… data logger 251 …”), a plurality of log files based on the plurality of requests received from the client device (¶43: “The data logger 251 … can be configured to receive a copy of incoming data … and log the data for reference.”, ¶34: “The proxy server 220 can be substantially similar in structure and/or function to the proxy server 120 of the OD system 100 in FIG. 1A.”); and 
In addition to the above limitations, claim 10 recites the same limitation as claim 1, therefore, it is rejected by the same rationale.  
Regarding claims 11-14:
Claims 11-14 substantially recite the same limitations as claims 2-5, respectively, in the form of a system implementing the corresponding methods, therefore they are rejected by the same rationale.
Regarding claim 16: 
A device comprising: 
10a first communications interface (¶30: “The Proxy Server 120 can include … a communicator 126 …”) communicatively coupled to a client device (¶14: “… compute device 110 connected, via a Proxy Server 120 …”); 
a processing device (¶30: “… Proxy Server 120 …”) comprising one or more processors (¶30: “The Proxy Server 120 can include … Processor 122 …”) configured to: 
In addition to the above limitations, claim 16 substantially recites the same limitations as claim 10 in the form of a device to implement the corresponding method, therefore it is rejected by the same rationale.
Regarding claims 17-20:
Claims 17-20 substantially recite the same limitations as claims 2-5, respectively, in the form of a device to realize the system, therefore they are rejected by the same rationale.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 6, 8-9 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Subbarayan and further in view of USPAT No. 8205239 B1to Satish
Regarding claim 6:
Subbarayan discloses:
The system of claim 1wherein the second server is a web server (see Subbarayan, ¶25: “… the processor 132 of the destination server 130 can be configured to host one or more web servers with a specified functionality. …”)
However, Subbarayan failed to explicitly disclose the following limitation taught by Satish: 
wherein the first server (see Satish, col 5, lines 54-55: “… enterprise name server 212 …”, FIG. 2) is implemented as part of a user system (see Satish, col 5, line 51: “… enterprise network 204 …”, FIG. 2) (see Satish, col 5, lines 51-55: “… an enterprise network 204 includes a number of computing systems 104, that are coupled to a local network 208. The local network 208 is coupled to a number of other network components, including an enterprise name server 212 …”). APPSP002 23 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of Subbarayan to incorporate the configuration of the enterprise network to include the enterprise name server within the local network, as disclosed by Satish, such modification would allow the system to handle a request differently if it is directed to an enterprise site or a network site. In the event that the request is for an enterprise site, access is granted and the enterprise name server provides the network address for the enterprise site, else if the enterprise name server determines that the access request is for a site that is not an enterprise site, the request is forwarded to a secure name server.
Regarding claim 8:
Subbarayan discloses the system of claim 7, but failed to explicitly disclose the following limitation taught by Satish: 
wherein the plurality of custom parameters is configured to determine a plurality of data fields (see Satish FIG. 6, and col 8, lines 30-34: “… for each of USER(1) through USER(n) information related to site addresses is recorded, a number of times the user has attempted to access a site address is recorded, and a reputation for the site is recorded”) and a plurality of types of data values included in each log file (see Satish, FIG. 6 for data types, ‘site address’ is type string, ‘count’ is type integer (0,1,2, …), and ‘site reputation’ is type string (bad, good)). 10  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of Subbarayan to incorporate the functionality of the information collecting system, to collect information  related to users and access requests generated by the users, as disclosed by Satish, such modification would allow the system to log the information (data collected) in a table form having rows (entries) and columns (fields) that simplify access to the stored logs. 
Regarding claim 9:
The system of claim 8, wherein each log file of the plurality of log files comprises at least one of: a user identifier (see Satish col 8, line 45: “… user ID …), an application identifier, a device identifier (col 8, lines 45-47: “… user ID … may also be associated with a particular computing system …”), a browser identifier, and a time stamp (see col 8, lines 43-47: “While data is illustrated in FIG. 6 as being related to a particular user, such as identified by a user ID that the user uses when logging into a computing system, such data may also be associated with a particular computing system, or a particular network address.”).
The same motivation which is applied to claim 8, applies to claim 9.
Regarding claim 15:
Claims 15 substantially recites the same limitation as claims 8 in the form of a system implementing the corresponding method, therefore it is rejected by the same rationale.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 
Turnbull (US-PGPUB No 2013/0312097 A1)- disclosed Systems and methods are described for detecting malicious resources by analyzing communication between multiple resources coupled to a network.
Dixon et al. (US-PPGPUB No 2006/0253579-A1)- disclosed Systems and methods for providing a Web reputation service.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MATTHIAS HABTEGEORGIS whose telephone number is (571)272-1916. The examiner can normally be reached M-F 8am-5pm ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok B Patel can be reached on (571)272-3972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/M.H./Examiner, Art Unit 2491                                                                                                                                                                                                        
/ASHOKKUMAR B PATEL/Supervisory Patent Examiner, Art Unit 2491