DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in a telephone interview with SO KO (Reg. No. 78801) on July 28, 2022.

Election/Restrictions
Restriction to one of the following inventions is required under 35 U.S.C. 121:
I. Claims 1-8, drawn to identifying anomalous API calls, H04L63/1425.	
II. Claims 9-14, drawn to obtaining a first model that is trained, G06N3/08. 
III. Claims 15-20, drawn to receiving feedback from user device, H04L67/535.

The inventions are independent or distinct, each from the other because:
Inventions I, II, and III are related as combination and subcombination.  Inventions in this relationship are distinct if it can be shown that (1) the combination as claimed does not require the particulars of the subcombination as claimed for patentability, and (2) that the subcombination has utility by itself or in other combinations (MPEP § 806.05(c)).  
The combination in claims 1-8 has utility such as traffic logging, e.g. anomaly detection. 
In the instant case, the combination as claimed does not require the particulars of the subcombination as claimed in claims 9-14 because obtaining a first model that is trained in the claimed subcombination are not required by the claimed combination. The subcombination in claims 9-14 has separate utility such as learning methods. 
In the instant case, the combination as claimed does not require the particulars of the subcombination as claimed in claims 15-20 because receiving feedback from user device in the claimed subcombination are not required by the claimed combination. The subcombination in claims 15-20 has separate utility such as tracking the activity of the user. 

The examiner has required restriction between combination and subcombination inventions. Where applicant elects a subcombination, and claims thereto are subsequently found allowable, any claim(s) depending from or otherwise requiring all the limitations of the allowable subcombination will be examined for patentability in accordance with 37 CFR 1.104.  See MPEP § 821.04(a).  Applicant is advised that if any claim presented in a continuation or divisional application is anticipated by, or includes all the limitations of, a claim that is allowable in the present application, such claim may be subject to provisional statutory and/or nonstatutory double patenting rejections over the claims of the instant application. 

Restriction for examination purposes as indicated is proper because all the inventions listed in this action are independent or distinct for the reasons given above and there would be a serious search and/or examination burden if restriction were not required because one or more of the following reasons apply:
the inventions have acquired a separate status in the art in view of their different classification; 
the inventions have acquired a separate status in the art due to their recognized divergent subject matter;
the inventions require a different field of search (e.g., searching different classes/subclasses or electronic resources, or employing different search strategies or search queries);
the prior art applicable to one invention would not likely be applicable to another invention;
the inventions are likely to raise different non-prior art issues under 35 U.S.C. 101 and/or 35 U.S.C. 112, first paragraph.
Applicant is advised that the reply to this requirement to be complete must include (i) an election of a invention to be examined even though the requirement may be traversed (37 CFR 1.143) and (ii) identification of the claims encompassing the elected invention. 
The election of an invention may be made with or without traverse. To reserve a right to petition, the election must be made with traverse. If the reply does not distinctly and specifically point out supposed errors in the restriction requirement, the election shall be treated as an election without traverse. Traversal must be presented at the time of election in order to be considered timely. Failure to timely traverse the requirement will result in the loss of right to petition under 37 CFR 1.144. If claims are added after the election, applicant must indicate which of these claims are readable upon the elected invention.
Should applicant traverse on the ground that the inventions are not patentably distinct, applicant should submit evidence or identify such evidence now of record showing the inventions to be obvious variants or clearly admit on the record that this is the case. In either instance, if the examiner finds one of the inventions unpatentable over the prior art, the evidence or admission may be used in a rejection under 35 U.S.C. 103 or pre-AIA  35 U.S.C. 103(a) of the other invention.
Applicant is reminded that upon the cancellation of claims to a non-elected invention, the inventorship must be corrected in compliance with  37 CFR 1.48(a) if one or more of the currently named inventors is no longer an inventor of at least one claim remaining in the application. A request to correct inventorship under 37 CFR 1.48(a) must be accompanied by an application data sheet in accordance with 37 CFR 1.76 that identifies each inventor by his or her legal name and by the processing fee required under 37 CFR 1.17(i).
During a telephone conversation with SO KO (Reg. No. 78801) on July 28, 2022 a provisional election was made without traverse to prosecute the invention of I, claims 1-8.  Affirmation of this election must be made by applicant in replying to this Office action.  Claims 9-20 are withdrawn from further consideration by the examiner, 37 CFR 1.142(b), as being drawn to a non-elected invention.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 01/27/2021 filed is/are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Drawings
The formal drawings received on 12/29/2020 have been entered.

The application has been amended as follows:
WHAT IS CLAIMED IS:
(Currently Amended) A system for detecting anomalous access to a service platform, the system comprising:
one or more memories; and
one or more processors, communicatively coupled to the one or more memories, configured to:
obtain service usage training data associated with one or more devices of a client system providing application programming interface (API) calls to one or more APIs associated with an API gateway;
train, based on the service usage training data, a first model to identify feature data associated with the client system using the one or more APIs, wherein the feature data includes a service usage pattern of the client system and source data associated with the one or more devices,
wherein the first model comprises an unsupervised machine learning model that is trained according to a cosine similarity analysis;
train, based on the feature data, a second model to identify anomalous API calls that include a client identifier of the client system,
wherein the second model comprises a supervised machine learning model that is trained according to a decision tree associated with the feature data;
receive an API call associated with an acting device accessing an API of the API gateway, wherein the API call includes the client identifier;
process the API call to identify access information associated with the acting device providing the API call;
determine, based on the access information and using the second model, that the API call is a potential unauthorized API call;
obtain, from a verification device, a verification that the API call is unauthorized; and
perform, based on obtaining the verification, an action associated with the acting device.

(Original) The system of claim 1, wherein the service usage pattern identifies at least one of:
time patterns associated with receiving corresponding API calls to the one or more APIs; or
frequencies of receiving corresponding API calls to the one or more APIs during a time period.

(Original) The system of claim 1, wherein the source data identifies at least one of:
corresponding source addresses of the one or more devices;
client location information that identifies corresponding locations of the one or more devices; or
corresponding user information associated with the one or more devices using the one or more APIs.

(Original) The system of claim 1, wherein the one or more processors, when determining that the API call is a potential unauthorized API call, are configured to:
 cause the second model, based on the access information, to determine whether the acting device is associated with the client system based on at least one of:
a comparison of client location information identified in the source data and device location information, of the access information, that identifies a location of the acting device; or
a comparison of client addresses identified in the source data and a device address of the acting device that is identified in the access information.

(Original) The system of claim 1, wherein the one or more processors, when determining that the API call is a potential unauthorized API call, are configured to:
compare the access information and the feature data;
determine, based on comparing characteristics of the access information with corresponding characteristics of the feature data, a probability that the acting device is not authorized by the client system to access the API;
determine that the probability satisfies a threshold probability associated with unauthorized access of the API in association with the client identifier; and
determine, based on the probability satisfying the threshold probability, that the acting device accessing the API corresponds to potential anomalous activity. 

(Original) The system of claim 1, wherein the one or more processors, when obtaining the verification, are configured to:
send, to the verification device, a request for a user input that indicates whether the acting device is authorized to access the API; and
receive the user input from the verification device,
wherein the verification is included within the user input.

(Canceled Herein)

(Original) The system of claim 1, wherein the one or more processors, when performing the action, are configured to at least one of:
prevent the acting device from further accessing the API gateway;
transmit, to a management device, a notification that indicates that the acting device provided an anomalous API call;
storing, in a data structure, the API call in association with an indication that the acting device provided an anomalous API call; or
retrain the second model based on the API call.

9-20.	(Canceled Herein)

(New) A non-transitory computer-readable medium storing a set of instructions, the set of instructions comprising:
one or more instructions that, when executed by one or more processors of a system, cause the system to:
obtain service usage training data associated with one or more devices of a client system providing application programming interface (API) calls to one or more APIs associated with an API gateway;
train, based on the service usage training data, a first model to identify feature data associated with the client system using the one or more APIs, wherein the feature data includes a service usage pattern of the client system and source data associated with the one or more devices,
wherein the first model comprises an unsupervised machine learning model that is trained according to a cosine similarity analysis;
train, based on the feature data, a second model to identify anomalous API calls that include a client identifier of the client system,
wherein the second model comprises a supervised machine learning model that is trained according to a decision tree associated with the feature data;
receive an API call associated with an acting device accessing an API of the API gateway, wherein the API call includes the client identifier;
process the API call to identify access information associated with the acting device providing the API call;
determine, based on the access information and using the second model, that the API call is a potential unauthorized API call;
obtain, from a verification device, a verification that the API call is unauthorized; and
perform, based on obtaining the verification, an action associated with the acting device.

(New) The non-transitory computer-readable medium of claim 21, wherein the service usage pattern identifies at least one of:
time patterns associated with receiving corresponding API calls to the one or more APIs; or
frequencies of receiving corresponding API calls to the one or more APIs during a time period.

(New) The non-transitory computer-readable medium of claim 21, wherein the source data identifies at least one of:
corresponding source addresses of the one or more devices;
client location information that identifies corresponding locations of the one or more devices; or
corresponding user information associated with the one or more devices using the one or more APIs.

(New) The non-transitory computer-readable medium of claim 21, wherein the one or more instructions, that cause the system to determine that the API call is a potential unauthorized API call, cause the system to:
cause the second model, based on the access information, to determine whether the acting device is associated with the client system based on at least one of:
a comparison of client location information identified in the source data and device location information, of the access information, that identifies a location of the acting device; or
a comparison of client addresses identified in the source data and a device address of the acting device that is identified in the access information.

(New) The non-transitory computer-readable medium of claim 21, wherein the one or more instructions, that cause the system to determine that the API call is a potential unauthorized API call, cause the system to:
compare the access information and the feature data;
determine, based on comparing characteristics of the access information with corresponding characteristics of the feature data, a probability that the acting device is not authorized by the client system to access the API;
determine that the probability satisfies a threshold probability associated with unauthorized access of the API in association with the client identifier; and
determine, based on the probability satisfying the threshold probability, that the acting device accessing the API corresponds to potential anomalous activity.

(New) The non-transitory computer-readable medium of claim 21, wherein the one or more instructions, that cause the system to obtain the verification, cause the system to:
send, to the verification device, a request for a user input that indicates whether the acting device is authorized to access the API; and
receive the user input from the verification device,
wherein the verification is included within the user input.

(New) The non-transitory computer-readable medium of claim 21, wherein the one or more instructions, that cause the system to perform the action, cause the system to:
prevent the acting device from further accessing the API gateway;
transmit, to a management device, a notification that indicates that the acting device provided an anomalous API call;
store, in a data structure, the API call in association with an indication that the acting device provided an anomalous API call; or
retrain the second model based on the API call.

(New) A method, comprising: 
obtaining, by a system, service usage training data associated with one or more devices of a client system providing application programming interface (API) calls to one or more APIs associated with an API gateway;
training, by the system and based on the service usage training data, a first model to identify feature data associated with the client system using the one or more APIs, wherein the feature data includes a service usage pattern of the client system and source data associated with the one or more devices,
wherein the first model comprises an unsupervised machine learning model that is trained according to a cosine similarity analysis;
training, by the system and based on the feature data, a second model to identify anomalous API calls that include a client identifier of the client system,
wherein the second model comprises a supervised machine learning model that is trained according to a decision tree associated with the feature data;
receiving, by the system, an API call associated with an acting device accessing an API of the API gateway, wherein the API call includes the client identifier;
processing, by the system, the API call to identify access information associated with the acting device providing the API call;
determining, based on the access information and using the second model,  that the API call is a potential unauthorized API call;
obtaining, by the system and from a verification device, a verification that the API call is unauthorized; and
performing, by the system and based on obtaining the verification, an action associated with the acting device.

(New) The method of claim 28, wherein the service usage pattern identifies at least one of:
time patterns associated with receiving corresponding API calls to the one or more APIs; or
frequencies of receiving corresponding API calls to the one or more APIs during a time period.

(New) The method of claim 28, wherein the source data identifies at least one of:
corresponding source addresses of the one or more devices;
client location information that identifies corresponding locations of the one or more devices; or
corresponding user information associated with the one or more devices using the one or more APIs.

(New) The method of claim 28, wherein determining that the API call is a potential unauthorized API call comprises:
causing the second model, based on the access information, to determine whether the acting device is associated with the client system based on at least one of:
a comparison of client location information identified in the source data and device location information, of the access information, that identifies a location of the acting device; or
a comparison of client addresses identified in the source data and a device address of the acting device that is identified in the access information.

(New) The method of claim 28, wherein determining that the API call is a potential unauthorized API call comprises: 
comparing the access information and the feature data;
determining, based on comparing characteristics of the access information with corresponding characteristics of the feature data,  a probability that the acting device is not authorized by the client system to access the API;
determining that the probability satisfies a threshold probability associated with unauthorized access of the API in association with the client identifier; and
determining, based on the probability satisfying the threshold probability,  that the acting device accessing the API corresponds to potential anomalous activity.

(New) The method of claim 28, wherein obtaining the verification comprises: 
sending, to the verification device, a request for a user input that indicates whether the acting device is authorized to access the API; and
receiving the user input from the verification device,
wherein the verification is included within the user input.


Allowable Subject Matter
Claims 1-6, 8, and 21-33 are allowed.
The following is an examiner’s statement of reasons for allowance:
Independent claims 1, 21, and 28, among other things, teach a system for detecting anomalous access to a service platform, the system comprising: one or more memories; and one or more processors, communicatively coupled to the one or more memories, configured to: obtain service usage training data associated with one or more devices of a client system providing application programming interface (API) calls to one or more APIs associated with an API gateway; train, based on the service usage training data, a first model to identify feature data associated with the client system using the one or more APIs, wherein the feature data includes a service usage pattern of the client system and source data associated with the one or more devices, wherein the first model comprises an unsupervised machine learning model that is trained according to a cosine similarity analysis; train, based on the feature data, a second model to identify anomalous API calls that include a client identifier of the client system, wherein the second model comprises a supervised machine learning model that is trained according to a decision tree associated with the feature data; receive an API call associated with an acting device accessing an API of the API gateway, wherein the API call includes the client identifier; process the API call to identify access information associated with the acting device providing the API call; determine, based on the access information and using the second model, that the API call is a potential unauthorized API call; obtain, from a verification device, a verification that the API call is unauthorized; and perform, based on obtaining the verification, an action associated with the acting device. All of the steps recited in each of the claims are required to be executed and all of the limitations in each of the claims are given patentable weight. The present invention distinguishes over the art of record in that none of the art of record discloses, individually or in reasonable combination, the recited limitations in the independent claims.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MUHAMMAD RAZA whose telephone number is (571)272-7734. The examiner can normally be reached Monday-Friday, 7:00 A.M.-5:00 P.M..
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Vivek Srivastava can be reached on (571)272-7304. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MUHAMMAD RAZA/Primary Examiner, Art Unit 2449