DETAILED ACTION

This communication is in response to Application No. 17/062,903 filed on 10/5/2020. Claims 1-20 have been examined.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 10/5/2020, 1/21/2022, and 8/26/2022 is being considered by the examiner.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows: 
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 18-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.
The claims do not fall within at least one of the four categories of patent eligible subject matter because they recite a "computer-readable storage media storing computer executable instructions." During patent Examination, pending claims must be interpreted as broadly as their terms reasonably allow. The broadest reasonable interpretation of a claim drawn to a computer readable medium (also called machine readable medium and other such variations) typically covers forms of non-transitory tangible media and transitory propagating signals per se in view of the ordinary and customary meaning of computer readable media. When the broadest reasonable interpretation of a claim covers a signal per se, the claim must be rejected under 35 US.C. § 101 as covering non-statutory subject matter. See In re Nuijten, 500 F.3d 1346, 1356-57 (Fed. Cir. 2007) (transitory embodiments are not directed to statutory subject matter) and Interim Examination Instructions for Evaluating Subject Matter Eligibility under35 U.S.C. § 101, Aug. 24, 2009; p. 2.
Examiner suggests amending the claims to cover only statutory embodiments to avoid a rejection under 35 U.S.C. § 101 by adding the limitation "non-transitory" to the claims.

Claim Rejections - 35 USC § 112
The following is a quotation of the second paragraph of 35 U.S.C. 112:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention. 

Claim 2 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.
Claim 2 recites the limitation "the selected portion" in line 4.  There is insufficient antecedent basis for this limitation in the claim.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 5, and 6 are rejected under 35 U.S.C. 103 as being unpatentable over Subbarayan et al. (hereinafter Subbarayan)(US 2018/0115523).
Regarding claim 1, Subbarayan teaches as follows:
a method for securing an application (an exemplary method for implementing decoy API based API/application security, see, para. [0113] and figure 9), the method comprising: 
retrieving an application programing interface (API) endpoint for an application (step 904 involves extracting information identifying a target API from the received message, see, para. [0114] and figure 9); 
automatically modifying the endpoint to create a deceptive endpoint for the application (the invention allows creation of decoy APIs (equivalent to deceptive endpoint) which to a hacker or malicious device would appear to consist of a normal API path to create a deception environment. In context API consists of a decoy API created as a list of URLs within a real API. The URLs are mixed with URLs of real API paths see, para. [0116]-[0117]), wherein the deceptive endpoint is not a valid endpoint for the application (in context API consists of a decoy API created as a list of URLs within a real API. The URLs are mixed with URLs of real API paths, but each path is unique and does not lead to the protected server backend, see, para. [0117]), and wherein a requesting computing device accessing the deceptive endpoint indicates a malicious action (the information received by the decoy API may be analyzed for detecting and identifying one or more attack patterns (equivalent to applicant’s malicious action). The attack patterns may thereafter by added to a library of attack patterns or a library of indicators of compromise, see, para. [0124]); and 
deploying the deceptive endpoint (step 908 thereafter comprises initiating network communication between the decoy API and the client terminal, for the purposes of interacting with attackers and obtaining more information about the attackers and the attack patterns, see, para. [0114] and figure 9).
Subbarayan does not explicitly teach that the deceptive endpoint is not a valid endpoint for the application but teaches of creating unique path for each decoy API does not lead to the protected server backend.	
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify Subbarayan to include creating decoy API path which is not a valid path in order to protect accessing the protected server backend for the application.
Regarding claim 2, Subbarayan teaches as follows:
wherein automatically modifying the endpoint (responding to attackers who are found to be probing an unused API path, by automatically generating a decoy API corresponding to that unused API path and having the name of the API path that the attacker has probed, see, para. [0128]) comprises: 
identifying a portion of the endpoint (interpreted as URL) to modify (in context API: consists of a decoy API created as a list of URLs within a real API. The URLs are mixed with URLs of real API paths, see, para. [0119]); 
creating one or more candidate deceptive endpoints in which the selected portion is modified (in an embodiment of the invention, one or more decoy APIs (equivalent to one or more candidate deceptive endpoints) can be dynamically created based on the API path names that the attacker tries on the system, see, para. [0126]); and 
selecting at least one of the candidate deceptive endpoints as the deceptive endpoint (decoy API names may be selected to avoid overlap with names of genuine/functional APIs implemented on the API server backend, see, para. [0111]).
Regarding claim 3, Subbarayan teaches as follows:
wherein the portion of the endpoint to modify is a path of the endpoint (in context API: consists of a decoy API created as a list of URLs within a real API. The URLs are mixed with URLs of real API paths, see, para. [0119]).
Regarding claim 5, Subbarayan teaches as follows:
wherein the deceptive endpoint is deployed at a proxy between a requesting device and the application (an exemplary system 1100 comprising API proxy 1104 disposed as a network intermediate between one or more instances of client(s) 1102  and a server backend 1106 comprising a plurality of servers. API proxy 1104 comprises routing controller 1108 and deception environment 1110, see, para. [0130] and figure 11).
Regarding claim 6, Subbarayan teaches as follows:
upon determining that the deceptive endpoint has been accessed, generating an alert indicating that a user, account, or computing device associated with the access is malicious (decoy APIs 1110a may be configured to interact with attackers using real or fake data to get various levels of insight into attackers' methods and devices used which are not limited to user agents, time of access, volume of traffic, etc. The system may be configured stores and shares all the IP addresses, and any additional information identifying the suspicious connections in decoy traffic historian 1110c. Such information may be used by systems to drop those connections immediately, continue observing the hacker's activities with respect to those decoy APIs, report those connections via alerts, email and other means of communications, display information dashboards, provide comprehensive reports, see, para. [0132] and figure 11).

Claims 4, 8-10, and 12-16 are rejected under 35 U.S.C. 103 as being unpatentable over Subbarayan et al. (hereinafter Subbarayan)(US 2018/0115523) in view of Xue et al. (hereinafter Xue)(US 2014/0298460).
Regarding claim 4, Subbarayan teaches as follows:
one or more decoy APIs can be dynamically created based on the API path names that the attacker tries on the system (see, para. [0126]); and
decoy API names may be selected to avoid overlap with names of genuine/functional APIs implemented on the API server backend (see, para. [0111]).
 Subbarayan teaches of selecting one or more candidate deceptive endpoints not to overlap with valid endpoints but does not teach of scoring based on similarity.
Xue teaches as follows:
malicious URL detection is aided by determining a degree of difference between a deceptive brand name string and a real brand name string. One of the lexical features 224 extracted by the feature extraction module 216 is brand name edit distance. An edit distance is a minimum number of corrections performed at the character level to bring a string or substring of text into exact alignment with a real brand name used by an authentic entity or an authentic resource that is the target of the malicious URL (see, para. [0046]); and
equations (1) and (2) provided above are able to determine the brand name edit distance between one or more substrings in a potential malicious URL and a complete set of brand names associated with one or more legitimate entities or an authentic resources (see, para. [0050]).
	It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify Subbarayan with Xue to include the malicious URL detection of determining a degree of difference between a deceptive brand name string and a real brand name string as taught by Xue in order to efficiently select candidate deceptive endpoints not overlapping with the valid (existing) endpoints. 
Regarding claim 8, Subbarayan teaches all limitations as presented above except for removing the deceptive endpoint.
Subbarayan in view of Xue teaches of selecting candidate deceptive endpoints not overlapping with the valid endpoints as presented above.
	Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify Subbarayan with Xue to include removing outdated deceptive endpoint after updating of valid endpoints in order not to overlap with the updated valid endpoints.  
Regarding claim 9, Subbarayan in view of Xue teaches similar limitations as presented above in the rejections regarding claims 1, 4, and 6. Therefore, it is rejected for similar reason as presented above. 
Regarding claim 10, Xue teaches as follows:
wherein whether a candidate deceptive endpoint meets the similarity threshold is determined through a distance calculation (equations (1) and (2) provided above are able to determine the brand name edit distance between one or more substrings in a potential malicious URL and a complete set of brand names associated with one or more legitimate entities or an authentic resources, see, para. [0050]). The equations are equivalent to applicant’s distance calculation.
Therefore, it is rejected for similar reason as presented above. 
Regarding claim 12, Subbarayan teaches as follows:
wherein automatically modifying the endpoints comprises flattening the extracted endpoints to create endpoint entries for different combinations of components of the respective endpoints (in context API consists of a decoy API created as a list of URLs within a real API. The URLs are mixed with URLs of real API paths, see, para. [0116]-[0117]).
Regarding claim 13, Subbarayan teaches as follows:
the automatically modifying comprises changing a path of the endpoint entries (in context API: consists of a decoy API created as a list of URLs within a real API. The URLs are mixed with URLs of real API paths, see, para. [0119]).
Regarding claims 14-16, Subbarayan teaches as follows:
 decoy API names may be selected to avoid overlap with names of genuine/functional APIs implemented on the API server backend (see, para. [0111]).
Subbarayan in view of Xue does not explicitly teach of changing path or parameter of endpoint entries.
	It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify Subbarayan in view of Xue to include substituting a synonym or a numeral in the path in order to efficiently name decoy APIs not to overlap with functional APIs (equivalent to valid endpoints). 
  
Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Subbarayan et al. (hereinafter Subbarayan)(US 2018/0115523) in view of Sellers (US 10,986,129).
Regarding claim 7, Subbarayan teaches similar limitations as presented above except for migrating the application session to the application clone.
Sellers teaches as follows:
once honeypot clone 150(1) is provisioned with one or more personality characteristics of protected host 140(1) which honeypot clone 150(1) is replacing, live state transition manager 135 redirects attacker data traffic of attacker 145 from protected host 140(1) to honeypot clone 150(1) and disables protected host 140(1) or access to protected host 140(1)(see, col. 4, line 64 to col. 5, line 9 and figure 1); and
to perform seamless and lossless live state transition, live state transition manager 135 monitors network 155 to generate network data flow information between the attacker and the protected host, accesses TCP session state information, and resumes the interactive session (equivalent to applicant’s session migration) between the attacker and the honeypot clone (e.g., interactive session 230 that is resumed as redirected attacker data traffic 240 as shown in FIG. 2)(see, col. 6, lines 40-48 and figure 1-2).
	It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify Subbarayan with Sellers to include the live state transition manager as taught by Sellers in order to perform seamless live state transition to the honeypot clone (equivalent to applicant’s application clone).

Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Subbarayan et al. (hereinafter Subbarayan)(US 2018/0115523) in view of Xue et al. (hereinafter Xue)(US 2014/0298460), and further in view of Callahan (US 2020/0257524).
Regarding claim 11, Subbarayan in view of Xue teaches similar limitations as presented above except for extracting from documentation files.
Callahan teaches as follows:
a system 100 for generating interaction libraries according to some aspects. The system 100 includes library generation engine 121 having a number of component modules 122-126 enabling the characteristics of an application interface 150 to be determined by extracting (e.g., parsing) them from documentation (e.g., help files) related to the application interface 150 (see, para. [0016] and figure 1).
	Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify Subbarayan in view of Xue with Callahan to include extracting from documentation as taught by Callahan in order to efficiently determine characteristics of the valid API endpoints.

Claims 17-19 are rejected under 35 U.S.C. 103 as being unpatentable over Subbarayan et al. (hereinafter Subbarayan)(US 2018/0115523) in view of Xue et al. (hereinafter Xue)(US 2014/0298460), and further in view of Burke et al. (hereinafter Burke)(US 2006/0069666).
Regarding claim 17, Subbarayan in view of Xue teaches similar limitations as presented above except for changing HTTP method.
Burke teaches as follows:
the "Get" HTTP method should probably be used when URL access will not change the state of a database. On the other hand, if the URL access will cause a change in the database of the Web server, the "Post" HTTP method should be used. The major advantage in using the "Post" HTTP method over the "Get" HTTP method is that the data is not open to prying eyes. Also, via the "Get" HTTP method, one can transfer only a limited amount of data, while the "Post" HTTP method exerts no such limitations (see, para. [0072]).
	Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify Subbarayan in view of Xue with Burke to include interchanging HTTP methods between Get and Post in order to efficiently protect data from valid endpoint.
Regarding claims 18, Subbarayan in view of Xue and Burke teaches similar limitations as presented above in the rejections regarding claims 1, 4, 6, and 17. Therefore, it is rejected for similar reason as presented above.
Regarding claim 19, Subbarayan teaches as follows:
creating endpoint entries for different combinations of path (wherein automatically modifying the endpoints comprises flattening the extracted endpoints to create endpoint entries for different combinations of components of the respective endpoints (in context API consists of a decoy API created as a list of URLs within a real API. The URLs are mixed with URLs of real API paths, see, para. [0116]-[0117]).
Subbarayan in view of Xue and Burke does not teach of flattening process.
	It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify Subbarayan in view of Xue and Burke to include flattening (simplifying) extracted endpoints to order to conveniently combine different paths. 

Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Subbarayan et al. (hereinafter Subbarayan)(US 2018/0115523) in view of Xue et al. (hereinafter Xue)(US 2014/0298460) and Burke et al. (hereinafter Burke)(US 2006/0069666), and further in view of Callahan (US 2020/0257524).
Regarding claim 20, Subbarayan in view of Xue and Burke teaches similar limitations as presented above except for extracting from documentation files.
Callahan teaches as follows:
a system 100 for generating interaction libraries according to some aspects. The system 100 includes library generation engine 121 having a number of component modules 122-126 enabling the characteristics of an application interface 150 to be determined by extracting (e.g., parsing) them from documentation (e.g., help files) related to the application interface 150 (see, para. [0016] and figure 1).
	Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify Subbarayan in view of Xue and Burke with Callahan to include extracting from documentation as taught by Callahan in order to efficiently determine characteristics of the valid HTTP API endpoints.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Jeong S Park whose telephone number is (571)270-1597. The examiner can normally be reached Monday through Friday 8:00-4:30 ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Glenton B Burgess can be reached on 571-272-3949. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/JEONG S PARK/Primary Examiner, Art Unit 2454                                                                                                                                                                                                        
September 8, 2022