(Case# 2339) Final

Surcouf (Cisco): see above & Para [0028] Line 4 – 13: (a) a security agent (i.e. an enforcement agent) receives an API call request during the communcations of application service(s) (or micro-services as one type of applications supported in a cloud system)) so as to analyze a compliance of associated security policies

    PNG
    media_image1.png
    230
    462
    media_image1.png
    Greyscale
  [Wingdings font/0xE8] (MUST) copy CISCO’0665 [0041]
---------------------------------------------------------------------------------------------------------------------------




DETAILED ACTION

Currently pending claims are 1 – 20.


Response to Arguments
Applicant's arguments with respect to instant claims have been fully considered but are moot in view of the new ground(s) of rejection necessitated by Applicant's amendment – please see the following section for the detail of rationale to make the corresponding prior-art(s) rejections as set forth below. 
As per claim 1, Applicant asserts prior-art(s) does not teach “wherein the policy comprise data obtained by matching parameters that can be inserted into the API to be subject to the policy with a value indicating whether to allow the parameters, and wherein the parameters comprises a user's address used in the decentralized network, a transaction address used in the decentralized network, an address of a smart contract in the decentralized network, or a combination thereof” (Remarks: Page 9 – 10).  Examiner respectfully disagrees with the following rationale.
(a) Pruter teaches providing a security policy, associated with API (Application Programming Interface), that inclides policy data indicating whether a client is permitted (allowed) to receive a digital content from a particular network address and such a policy data can be retrieved from a set of matched parameters included (inserted) in the associated API (Pruter: Para [0048] Line 1 – 4), wherein the parameters included in the API can be such as:
(b) the digital content to be permitted or denied by the security policy, which can be pay-per-view (PPV), video-on-demand (VOD) and etc. (i.e. one type of transaction data) (Pruter: Para [0023]) and the parameter of the (particular) network address can be associated with a plurality of DSLAM access networks decentralized from an internet backbone infrastructure (Pruter: Para [0035]) as one type of corresponding transaction addresses from a decentralized network and as such Applicant's arguments are respectfully traversed.

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claims 1 – 6, 8 – 16 & 18 – 20 are rejected under 35 U.S.C.103 as being unpatentable over Surcouf et al. (U.S. Patent 2019/0020665), and in view of Pruter et al. (U.S. Patent 2009/0313666),.  


As per claim 1 & 11, Surcouf teaches an electronic device comprising: 
a communication module (Surcouf: Figure 4 & 3); 
a memory for storing instructions (Surcouf: Figure 4 & 3); and 
at least one processor operably connected to the communication module and the memory, wherein the at least one processor is, by executing the instructions (Surcouf: Figure 4 & 3), configured to:
receive a request for execution of an application programming interface (API) from an application while driving the application (Surcouf: see above & Para [0028] Line 4 – 13: (a) a security agent (i.e. an enforcement agent) receives an API call request during the communcations of application service(s) (or micro-services as one type of applications)) so as to analyze a compliance of associated security policies), 
identify a policy for the API based on data received from a decentralized network through the communication module (Surcouf: see above & Para [0031] Line 9 – 12, Para [0024] and Para [0047] / [0048]: the enforcement agent identifies and determines a security policy for the associated API call request based upon a receiving whitelist (i.e. a list of of allowed/permitted API calls requests), which can be obtained from a de-centralized (distributed) blockchain system (replacing as an alternative of a container orcheschtration engine)), and 
determine whether to execute the API, based on the identified policy for the API (Surcouf: see above & Para [0043] / [0046]: if API is not allowed, the API call is denied and as such, to permit or deny the API call request according to a security policy), wherein the policy comprise data obtained by matching parameters that can be inserted into the API to be subject to the policy with a value indicating whether to allow the parameters, and wherein the parameters comprises a user's address used in the decentralized network, a transaction address used in the decentralized network, an address of a smart contract in the decentralized network, or a combination thereof (Pruter: Para [0048] Line 1 – 4, Para [0023] and Para [0035]:
(a) Pruter teaches providing a security policy, associated with API (Application Programming Interface), that inclides policy data indicating whether a client is permitted (allowed) to receive a digital content from a particular network address and such a policy data can be retrieved from a set of matched parameters included (inserted) in the associated API (Pruter: Para [0048] Line 1 – 4), wherein the parameters included in the API can be such as:
(b) the digital content to be permitted or denied by the security policy, which can be pay-per-view (PPV), video-on-demand (VOD) and etc. (i.e. one type of transaction data) (Pruter: Para [0023]) and the parameter of the (particular) network address can be associated with a plurality of DSLAM access networks decentralized from an internet backbone infrastructure (Pruter: Para [0035]) as one type of corresponding transaction addresses from a decentralized network and as such Applicant's arguments are respectfully traversed.
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to propose the modification of the policy comprising data obtained by matching parameters that can be inserted into the API and the parameters comprising a transaction address used in the decentralized network because Pruter teaches to alternatively, effectively and securely provide a security policy, associated with API (Application Programming Interface), that inclides policy data indicating whether a client is permitted (allowed) to receive a digital content from a particular network address and such a policy data can be retrieved from the matched parameters included (inserted) in the associated API and and the digital content to be permitted or denied by the security policy can be pay-per-view (PPV), video-on-demand (VOD) and etc. (i.e. one type of transaction data) (Pruter: Para [0023]) and the parameter of the (particular) network address can be associated with a plurality of DSLAM access networks decentralized from an internet backbone infrastructure (see above) within the Surcouf’s system of using an enforcement agent to identify and determine a security policy for an associated API call request based upon a receiving whitelist (i.e. a list of of allowed/permitted API calls requests) and to permit or deny the API call request according to the security policy (see above). 

As per claim 2 – 3 & 12 – 13, Surcouf as modified teaches in case that a request for execution of the application is received, request the data indicating the policy for the API from the decentralized network, and receive the data indicating the policy for the API from the decentralized network (Surcouf: see above & Para [0041] / [0042] and Para [0047] / [0048]: as an alternative, requesting the data indicating the policy for the API from a block-chain network system (i.e. a decentralized network). 

As per claim 4 & 14, Surcouf as modified teaches- 33 -0202-1749 (GM-201909-023-1-US0, SP20198-USIP) in case that a request for execution of the API is received from the application, identify whether the API is a predesignated API (Surcouf: see above & Para [0043] / [0041]: an API request is received from a container application, wherein an API call, that have certain characteristics are acceptable, constitutes a predesignated API for example, regarding its expirary status of the available / valid time period (i.e. whether expired or has not yet expired) – this is consistent with the disclosure of the instant specification (SPEC-PG.PUB: Para [0075]), and 
in response to the identifying of the API as the predesignated API, request the data indicating the policy for the API from the decentralized network (Surcouf: see above & Para [0043] / [0041] / [0042] and Para [0047] / [0048]: requesting the data indicating the policy for the API, from a block-chain network system (i.e. a decentralized network), wherein the data was stored at the local container policy storage).  

As per claim 5 & 15, Surcouf as modified teaches- 33 -0202-1749 (GM-201909-023-1-US0, SP20198-USIP) in case that the API is not identified as the predesignated API, identify, based on data received from the decentralized network before the request for execution of the API, the policy for the execution-requested API (Surcouf: see above & Para [0043] / [0041] / [0042] and Para [0047] / [0048]: as an alternative, if API is not identified as the predesignated API, identify requesting the data indicating the policy for the API, from a block-chain network system (i.e. a decentralized network), wherein the data is subsequently stored at the local container policy storage for later use before the API available / valid time period expired).  

As per claim 6 & 16, Surcouf as modified teaches- 33 -0202-1749 (GM-201909-023-1-US0, SP20198-USIP) data received from the decentralized network based on the request for execution of the application; data received from the decentralized network based on a previous request for execution of the API, received before the request for execution of the API; or a combination thereof (Surcouf: see above & Para [0043] / [0041] / [0042] and Para [0047] / [0048]: (a) based on a previous request since the API available / valid time period has not yet expired and the requesting the data indicating the policy for the API, from a block-chain network system (i.e. a decentralized network), wherein the data was already stored at the local container policy storage by the precious request).  

As per claim 8 & 18, Surcouf as modified teaches- 33 -0202-1749 (GM-201909-023-1-US0, SP20198-USIP) wherein the data received from the decentralized network is based on a result of execution of a smart contract recorded in the decentralized network (Surcouf: see above & Para [0055] Last sentence, Para [0031] and Para [0054]: the enforcement agent can contact the block-chain of the (distributed) decentralized network to activate and execute a smart contract to obtain the data associated with the security policy).  

As per claim 9 & 19, Surcouf as modified teaches- 33 -0202-1749 (GM-201909-023-1-US0, SP20198-USIP) based on the data received from the decentralized network, identify a policy for an address included in the execution-requested API, and determine whether to execute the execution-requested API, based on the identified policy for the address included in the API (Surcouf: see above & Para [0024] and Para [0042]: the authorized API call ID includes the associated IP address, name, or other identifiers).  

As per claim(s) 10 & 20, the claims contain(s) similar limitations to claim(s) 1 – 9 and thus is/are rejected with the same rationale.


Claims 7 & 17 are rejected under 35 U.S.C.103 as being unpatentable over Surcouf et al. (U.S. Patent 2019/0020665), in view of Pruter et al. (U.S. Patent 2009/0313666), and in view of O’Doherty et al. (U.S. Patent 7,743,149).  

As per claim 7 & 17, Surcouf as modified teaches- 33 -0202-1749 (GM-201909-023-1-US0, SP20198-USIP) based on the identified policy for the API, identify whether execution of the execution-requested API is allowed, in case that it is identified that execution of the execution-requested API is allowed, execute the execution-requested API, and in case that it is identified that execution of the execution-requested API is not allowed, output a notification indicating that the execution-requested API is not executed, through the display (Surcouf: see above & Para [0043] / [0046]: if API is not allowed, the API call is denied). 
However, Surcouf does not disclose expressly displaying a “disallowed” notification.
 O’Doherty teaches displaying a dis-allowed notification on the display (O’Doherty: Col. 10 Line 21 – 25: executing a security mechanism method If the result of the security mechanism method is "permitted" then continue – otherwise, displaying a security “disallowed” message on the display screen). 
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to propose the modification of displaying a dis-allowed notification on the display because O’Doherty teaches to alternatively, effectively and securely execute a security mechanism method If the result of the security mechanism method is "permitted" then continue – otherwise, displaying a security “disallowed” message on the display screen (see above) within the Surcouf’s system of using an enforcement agent to identify and determine a security policy for an associated API call request based upon a receiving whitelist (i.e. a list of of allowed/permitted API calls requests) and to permit or deny the 
API call request according to the security policy (see above). 


Conclusion

THIS ACTION IS MADE FINAL.  See MPEP § 609.04(b).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). 
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to LONGBIT CHAI whose telephone number is (571)272-3788. The examiner can normally be reached Monday - Friday 9:00am-5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn D. Feild can be reached on 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





---------------------------------------------------
                  /Longbit Chai/
           Longbit Chai E.E. Ph.D.
    Primary Examiner, Art Unit 2431
                   No. #2339 – 2022
---------------------------------------------------