DETAILED ACTION
This communication is in responsive to amendment for Application 17/102030 filed on 4/14/2022. The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Status of Claims:
		Claims 1-20 are presented for examination.

Response to Arguments
3.	Examiner statements in the mailed Non-Final with respect to obvious limitations including common knowledge or well-known in the art are taken to be admitted prior art because applicant failed to traverse the Examiner’s assertion, see MPEP 2144.03 C. 

4.	Applicant’s arguments in the amendment filed on 4/14/2022 regarding claim rejection under 35 USC § 103 with respect to Claims 1-20 have been considered and found unpersuasive because the cited art still teaches the claimed limitation.
	a.	applicant argues that the cited art does not teach “…routing service…” (Remarks p. 7-9). Examiner disagrees because the cited art still teaches the claimed limitation.
	Examiner is puzzled with by this argument because a basic reading to the cited paragraphs by PHOSITA reveals that API GATEWAY receives routing information from the whitelist operation services “routing service” before routing. For example, Joyce teaches “…[t]he API gateway 150 will invoke whitelisting validation service to determine if the received client API request is valid before routing the client request to one or more microservices 182 …[t]he whitelisting validation operations are configured to allow known and permitted API requests to be forwarded by the API gateway 150 to target microservices 182, while detecting and rejecting invalid, and non-permitted client API requests. In addition, the whitelisting validation service can be configured to track rejected or failed requests in a centralized location for further analysis to determine if such requests are associated with intentional malicious attacks, etc.” see ¶0027.
	Thus, Examiner maintains his rejection and interpretation. 
	
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1, 4-7, 9-11, 14-16 and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Ries et al. (hereinafter Ries) US 2021/0067553 A1 in view of Joyce et al. (hereinafter Joyce) US 2021/0042207 A1. 
Regarding Claim 1, Ries teaches a method of routing requests in an application programming interface (API) gateway, the method comprising: 
receiving a request from a client at the API gateway (Fig. 3 & ¶0078; In the embodiment depicted in FIG. 3, these API requests are received and processed by API gateway server 340. API gateway server 340 may be configured to read the request, potentially authenticate the request, and then forward the request to a backend component of data center 302 for processing the request); 
requesting routing information for the request from a routing service associated with the request (Fig. 3 & ¶0075; dummy server 338 or decoy server 336 provides routing information as a response to that API call that is being handled by API server gateway 340. See also Figs. 3-4 & ¶0080; API gateway server 340 may also use information regarding the port number over which a request is received to determine if the request is from an attacker. For example, as previously described, ports such as SSH port 22 and FTP port 21 are commonly used to orchestrate attacks. Accordingly, requests and API calls received via these ports may be tagged as requests from attackers. For example, in certain embodiments, API gateway server 340 knows, based upon the port of connection and based upon the dummy credentials, that the request is not legitimate and is instead a request from a bad actor or attacker); 
receiving the requested routing information at the API gateway from the routing service (Fig. 3 & ¶0075; dummy server 338 or decoy server 336 provides routing information as a response to that API call that is being handled by API server gateway 340), the routing information determined based at least in part on the request and a client state associated with the request (Figs. 3-4 & ¶0097; Request interpreter subsystem 406 is configured to receive and interpret requests received from an attacker. For example, in certain embodiments, upon determining that a request or API call is from an attacker, API gateway server 340 selects a particular honeypot from honeynet 306 (e.g., as shown in FIG. 3) and forwards the request to the selected honeypot. At the honeypot, the request is received by request interpreter subsystem 406. Upon receiving a request, request interpreter subsystem 406 is configured to interpret the request and determine a set of one or more actions to be performed corresponding to the request); 
and forwarding, from the API gateway, the request to a destination based on the routing information (Fig. 3 & ¶0079-¶0083; forward the request to appropriate backend component for handling).
	Ries does not expressly teach “requesting routing information for the request from a routing service associated with the request.”
Joyce teaches requesting routing information for the request from a routing service associated with the request (Fig. 1 & ¶0022-¶0046; obtaining a whitelist from a configuration service 170 where the API gateway 150 functions as a reverse proxy to redirect or route requests from client applications to target endpoints of the microservices 182. In this instance, the API gateway 150 provides a single endpoint or Uniform Resource Locator (URL) to receive requests from client applications for access to services of the application platform 180, and internally maps client requests to one or more of the microservices 182).
It would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to incorporate the teachings of Joyce into the system of Ries in order to reduce the “attack vectors” of the application platform and the cloud computing platform (¶0024). Utilizing such teachings enable the system to perform whitelisting operations on API requests that are received from client applications (¶0027). The API gateway will invoke whitelisting validation service to determine if the received client API request is valid before routing the client request to one or more microservices. Id. In particular, the whitelisting validation service performs a whitelisting validation operation which comprises comparing an API endpoint of the client API request to the whitelist of permitted API endpoints of registered microservices of the application to determine whether the API endpoint of the client API request comprises a permitted API endpoint in the whitelist. Id. 

Regarding Claim 4, Joyce in view of Ries teach the method of claim 1, Ries further teaches wherein the client state is based on one or more of a user associated with the request, a region associated with the request, or a storefront associated with the request (¶0029-¶0038; The data captured or recorded by a honeynet can then be used to uniquely identify specific attackers and classes of attackers and find patterns with respect to their attacks).

Regarding Claim 5, Joyce in view of Ries teach the method of claim 1, Ries further teaches wherein the client state is based on a group of users associated with the request (¶0029-¶0038; The data captured or recorded by a honeynet can then be used to uniquely identify specific attackers and classes of attackers and find patterns with respect to their attacks).

Regarding Claim 6, Joyce in view of Ries teach the method of claim 5, Ries further teaches wherein the routing information is determined based at least in part on one or more partitions assigned to the group of users (¶0029-¶0038; The data captured or recorded by a honeynet can then be used to uniquely identify specific attackers and classes of attackers and find patterns with respect to their attacks. Also see Figs. 3-4 & ¶0097; API gateway server 340 selects a particular honeypot from honeynet 306 (e.g., as shown in FIG. 3) “partitions”).
Regarding Claim 7, Joyce in view of Ries teach the method of claim 1, Ries further teaches wherein determining the routing information for the request comprises determining that the destination comprising a test server (Figs. 3-4 & ¶0097; Request interpreter subsystem 406 is configured to receive and interpret requests received from an attacker. For example, in certain embodiments, upon determining that a request or API call is from an attacker, API gateway server 340 selects a particular honeypot from honeynet 306 (e.g., as shown in FIG. 3) “test server” and forwards the request to the selected honeypot. At the honeypot, the request is received by request interpreter subsystem 406. Upon receiving a request, request interpreter subsystem 406 is configured to interpret the request and determine a set of one or more actions to be performed corresponding to the request).

Regarding Claim 9, Joyce in view of Ries teach the method of claim 1, Joyce further teaches further comprising verifying, at the API gateway, that the destination is within a whitelist of authorized destinations (¶0024-¶0026; see API whitelisting configuration service that generates a whitelist for authorized destinations).

Regarding Claim 10, Joyce in view of Ries teach the method of claim 9, Joyce further teaches wherein the whitelist comprises a domain of authorized destinations (¶0024-¶0026; see API whitelisting configuration service that generates a whitelist for authorized destinations).

	Claims 11, 14-16 and 18-20 are substantially similar to the above claims, thus the same rationale applies. 

Claims 2-3 and 12-13 are rejected under 35 U.S.C. 103 as being unpatentable over Ries in view of Joyce and further in view of Yeddula et al. (hereinafter Yeddula) US 2020/0336553 A1. 

Regarding Claim 2, Joyce in view of Ries teach the method of claim 1, but does not expressly teach wherein requesting the routing information further comprises determining whether or not the API gateway stores cached routing information for the request.
Yeddula teaches  wherein requesting the routing information further comprises determining whether or not the API gateway stores cached routing information for the request (¶0058; The customizable router 404 includes a router engine 406 and a local cache 408. The local cache 408 communicates with a datastore 410 in which rules for routing microservice requests are stored. The rules may be updated, changed, implemented, added, deleted, etc. by an administrator 414 using an administrator electronic device 412. In this way, multiple instances of the customizable router, each having its own local cache, may be continuously updated with any new and/or changed rules made by the administrator to the datastore which stores all the rules. Note that customizable router is an API gateway e.g. ¶0089; A microservice request (3) from the experience app 606 is routed through an API router instance 608 to a domain app 610 as microservice request (4). The API router instance 608 may use the session (76) number to determine which domain app to rout request (4) to (or if the API router instance 608 has never seen that session number before, it can route according to another rule or randomly). The session number (76) in the cookie is kept with the requests (6), (7), and (8) all the way back to the browser/client 602 so that it can be stored as a cookie in the browser/client 602. In this way, if the browser/client 602 makes another request, the request may include the cookie with the session number (76) and be routed the same way at multiple levels to both the experience app 606 and the domain app 610, providing a consistent experience for a user across multiple levels of microservice apps. In such a subsequent request, no new session number is generated, because one is already associated with the browser/client 602).
It would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to incorporate the teachings of Yeddula into the system of Ries- Joyce in order to associate multiple resources with a request pattern/service and choose how much traffic is routed to each version. This may be useful for a variety of purposes, including load balancing, testing new versions of a developed software, etc. (¶0066). Utilizing such teachings enable the system to improve overall website availability and response times, as well as provide a quick fix for when there are errors and/or availability issues (¶0086). For example, since all microservice requests and responses are routed through a customizable router as described herein, the customizable routers may be used to detect issues (errors such as no response from a microservice app, slow response times, etc.) and alert an administrator electronic device quickly if, for example, a newly introduced feature/revision has an error rate that exceeds a predefined threshold (e.g., a default threshold or one set by an administrator). Id. This advantageously provides for fast fault detection and notification with appropriate remediation that makes the experience of using a website seamless to the end users. Id. 

Regarding Claim 3, Joyce in view of Ries and Yeddula teach the method of claim 2, Yeddula further teaches further comprising forwarding the request to the destination based on the cached routing information when the API gateway is determined to store the cached routing information (as stated above in ¶0058 & ¶0089; also, customizable router acting like an API gateway determines to store cash for routes or not based on administrator and other policies and factors).

Claims 12-13 are substantially similar to the above claims, thus the same rationale applies. 

Claims 8 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over 
Ries in view of Joyce and further in view of Lan US 2013/0073699 A1. 

Regarding Claim 8, Joyce in view of Ries teach the method of claim 1, but do not expressly teach wherein the routing information comprises temporary routing information corresponding to the request during a maintenance interval, the temporary routing information different from the routing information corresponding to the request outside of the maintenance interval.
Lan teaches wherein the routing information comprises temporary routing information corresponding to the request during a maintenance interval, the temporary routing information different from the routing information corresponding to the request outside of the maintenance interval (¶0079 & ¶0084; After the RHCP+DHCP client obtains the formal maintenance IP address, the RHCP+DHCP client may release the temporary maintenance IP address, and a server having an RHCP function may recover the temporary maintenance IP address, so that the temporary maintenance IP address may still be used subsequently).
It would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to incorporate the teachings of Lan into the system of Ries- Joyce in order to remotely and automatically obtain the IP address, which thereby facilitates the networking (¶0143). In addition, local configuration of the IP address may be prevented at the base station, which lowers the cost. Moreover, compared with the local configuration of the IP address at the base station, the remote and automatic obtaining of the IP address also improves the network security. Id. 

Claim 17 is substantially similar to the above claims, thus the same rationale applies. 
	
Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MAHRAN ABU ROUMI whose telephone number is (469)295-9170. The examiner can normally be reached Monday-Thursday 6AM-5PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Emmanuel Moise can be reached on 571-272-3865. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

MAHRAN ABU ROUMI
Primary Examiner
Art Unit 2455



/MAHRAN Y ABU ROUMI/Primary Examiner, Art Unit 2455