DETAILED ACTION

Claims 1-22 are pending. Claims 1, 2, 5, 7-10, 13, 14, 17-20 and 22 have been amended.

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

This final office action is in response to the applicant’s response received on 07/21/2022, for the non-final office action mailed on 04/22/2022.

Examiner’s Notes

Examiner has cited particular columns and line numbers, paragraph numbers, or figures in the references as applied to the claims below for the convenience of the applicant. Although the specified citations are representative of the teachings in the art and are applied to the specific limitations within the individual claim, other passages and figures may apply as well. It is respectfully requested from the applicant, in preparing the responses, to fully consider the references in entirety as potentially teaching all or part of the claimed invention, as well as the context of the passage as taught by the prior art or disclosed by the examiner.


Response to Arguments
Applicant's arguments filed 07/21/2022 have been fully considered but they are not persuasive.
 Applicant argues the claims are not directed to an abstract idea, see applicant’s remarks pp. 10-13. Examiner respectfully disagrees as the claims recite “determining response” and “determining a subset based on the response and input data” which are steps that can be performed by a programmer in the mind. Furthermore, the steps of receiving analytic data and outputting a subset do not add significantly more to the claims and are mere computer instructions to collect data and output data.
 Applicant also argues Djosic does not teach “determining a subset of the at least two API flows based on the response data and input data representing at least one of a priority level or risk level of the at least two API flows,” see applicant’s remarks pp. 14-15. Examiner respectfully disagrees as Djosic teaches analyzing the API traffic to determine a risk level and see whether there is malicious intent. Djosic teaches in FIG. 3B receiving API traffic from two users (i.e., 352 and 354); this API traffic is analyzed through a risk assessment module in order to prevent any malicious or unauthorized access to back end services.
 Examiner respectfully withdraws the rejection made under 35 U.S.C. § 112 in view of applicant’s amendments.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-22 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more.  

Statutory Category: Claims 1, 13 and 22 recite receiving analytic data associated with at least two application programming interface (API) flows, wherein an API flow of the at least two API flows comprises at least one API; determining response data of the at least one API by inputting the analytic data to a prediction model determined based on a first machine learning technique; determining a subset of the at least two API flows based on the response data and input data representing at least one of a priority level or a risk level of the at least two API flows; and outputting the subset of the at least two API flows for execution.
Step 2A – Prong 1: Claims 1, 13 and 22 recite determining response data of the at least one API by inputting the analytic data to a prediction model determined based on a first machine learning technique; determining a subset of the at least two API flows based on the response data and input data representing at least one of a priority level or a risk level of the at least two API flows. These limitations, as drafted, are a process that, under their broadest reasonable interpretation, covers an abstract idea such as performance of the limitation in the mind. That is, other than “non-transitory computer-readable medium,” nothing in the claim elements precludes the steps from practically being performed mentally. For example, determining a subset of the at least two API flows based on the response data and input data representing at least one of a priority level or a risk level of the at least two API flows can be viewed as a developer determining whether an API flow is a risk based on the response data. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the mental process grouping of abstract ideas. Accordingly, the claim recites an abstract idea under step 2A prong 1.
Step 2A – Prong 2: Independent claims 1, 13 and 22 recite receiving analytic data associated with at least two application programming interface (API) flows, wherein an API flow of the at least two API flows comprises at least one API; and outputting the subset of the at least two API flows for execution. The concepts described in claims 1, 13 and 22 are not meaningfully different from those concepts found by the courts to be abstract ideas. These limitations are merely pre- and post-solution activity using generic computer components, without integration into a practical application. Dependent claims 2-12, which depend on claim 1, and dependent claims 14-21, which depend on claim 13, do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements amount to no more than mere instructions to apply the exception using a generic computer component. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. Therefore, the claim is not patent eligible.
Step 2B: As discussed with respect to step 2A prong 2, the additional elements in the claim amount to no more than mere instructions to apply the exception. The same analysis applies here in step 2B, i.e., mere instructions to apply an exception cannot integrate a judicial exception into a practical application at step 2A or provide an inventive concept in step 2B. The claim is ineligible.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-5, 7-9, 13-19 and 22 are rejected under 35 U.S.C. 103 as being unpatentable over Subbarayan et al. (US-PGPUB-NO: 2019/0114417 A1) hereinafter Subbarayan, in further view of Djosic et al. (US-PGPUB-NO: 2021/0152555 A1) hereinafter Djosic.

As per claim 1, Subbarayan teaches a system for autonomous testing of a computer application, comprising: a non-transitory computer-readable medium configured to store instructions; and at least one processor configured to execute the instructions to perform operations comprising: receiving analytic data associated with at least two application programming interface (API) flows (see Subbarayan paragraph [0033], showing analysis server analyzing API traffic and see Subbarayan paragraph [0060-0061], showing a first set of API calls and a second set of API calls), wherein an API flow of the at least two API flows comprises at least one API (see Subbarayan paragraph [0033], showing API calls which are identified within the API traffic (i.e., API flow)); determining response data of the at least one API by inputting the analytic data to a prediction model determined based on a first machine learning technique (see Subbarayan paragraph [0052], showing a machine learning model receiving an API call from the API flow and being able to predict a sequence of API calls (i.e., response data) based on input received); and outputting the subset of the at least two API flows for execution (see Subbarayan paragraph [0053], showing an outlier detector which receives output from the ML model and detects the outliers (i.e., the subset of API traffic) in the API traffic).
Subbarayan does not explicitly teach determining a subset of the at least two API flows based on the response data and input data representing at least one of a priority level or a risk level of the at least two API flows. However, Djosic teaches determining a subset of the at least two API flows based on the response data and input data representing at least one of a priority level or a risk level of the at least one API flow (see Djosic paragraph [0064], showing API traffic being fed into a risk predictor which takes the response data from the API traffic and the score/risk determined into the cyber-check protection and only lets pass (i.e., subset of an API traffic) API that is not malicious; Djosic also teaches, in FIG. 3B, different users providing API traffic (i.e., users 352 and 354)).
 Subbarayan and Djosic are analogous art because they are in the same field of endeavor of software development. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Subbarayan’s teaching of inputting an API call to a machine learning model in order to predict anomalies with Djosic’s teaching of detecting unauthorized activity to incorporate letting a subset of API traffic pass based on a risk factor / level in order to prevent any security issues or malicious code/activity in a system.

As per claim 2, Subbarayan modified with Djosic teaches wherein, when the at least one API comprises two or more APIs, the at least two API flows further comprises a sequence of the at least one API (see Subbarayan paragraph [0046], showing the identification of sequences within API transactions) and a scheme for exchanging metadata between the at least one API (see Subbarayan paragraph [0045], showing API traffic data which is associated with raw data log being transmitted via an application layer protocol (i.e., scheme for exchanging metadata)).

As per claim 3, Subbarayan modified with Djosic teaches wherein the analytic data comprises at least one of input-field data representing a characteristic of an input field of the at least one API (see Subbarayan paragraph [0044], showing the extraction of data regarding predetermined set data parameters for the API calls which is used to identify specific indicators associated with API traffic such as context of API calls), status data representing whether the at least one API succeeds in the execution, or validity data representing whether an internal conflict exists in the at least one API (see Subbarayan paragraph [0044], showing an indication of compromise corresponding to one or more API).

As per claim 4, Subbarayan modified with Djosic teaches wherein the response data comprises at least one of: message data representing successful or failed execution of the at least one API, error-cause data representing a cause of the failed execution of the at least one API, or error type data representing a type of the cause (see Subbarayan paragraph [0085], showing outputting results regarding errors in connection with an API which is reported in an aggregated summary).

As per claim 5, Subbarayan modified with Djosic teaches wherein the operations further comprise: training the prediction model using the analytic data and at least one API output of the at least one API of the at least two API flows (see Subbarayan paragraph [0060], showing the training of ML model using a first set of API calls to predict sequences of API calls), wherein the first machine learning technique comprises a supervised learning technique (see Subbarayan paragraph [0050], showing the ML model can be a supervised model).

As per claim 7, Subbarayan modified with Djosic teaches wherein the operations further comprise: determining the at least two API flows in response to receiving an input API flow comprising a plurality of APIs (see Subbarayan paragraph [0033], showing API calls which are identified within the API traffic (i.e., API flow)) and specification data associated with the plurality of APIs (see Subbarayan paragraph [0044], showing the extraction of data regarding predetermined set data parameters for the API calls which is used to identify specific indicators associated with API traffic such as context of API calls), wherein the plurality of APIs comprises the at least one API (see Subbarayan paragraph [0044], showing an indication of compromise corresponding to one or more API); and outputting the at least two API flows for execution (see Subbarayan paragraph [0053], showing an outlier detector which receives output from the ML model and detects the outliers (i.e., the subset of API traffic) in the API traffic).

As per claim 8, Subbarayan modified with Djosic teaches wherein the at least two API flows comprises all API flows capable of implementing the computer application (see Subbarayan paragraph [0018], showing API calls can all be associated with a single application), and wherein each API flow of the at least two API flows has a different sequence or composition of the plurality of APIs (see Subbarayan paragraph [0018], showing sequence of API calls which can be sent to different destinations).

As per claim 9, Subbarayan modified with Djosic teaches wherein the operations further comprise: updating the at least two API flows in response to receiving data representing a change in the input API flow (see Subbarayan paragraph [0066], showing the ML model generating an update to the dictionary of symbols / API transactions arising from normal activity).

As per claims 13-19, these are the method claims to system claims 1-4 and 7-9, respectively. Therefore, they are rejected for the same reasons as above.

As per claim 22, this is the computer-readable medium claim to system claim 1. Therefore, it is rejected for the same reasons as above.

Claims 6, 10-12, 20 and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Subbarayan (US-PGPUB-NO: 2019/0114417 A1) and Djosic (US-PGPUB-NO: 2021/0152555 A1), in further view of Arguelles et al. (US-PAT-NO: 10,452,522 B1) hereinafter Arguelles.

As per claim 6, Subbarayan modified with Djosic does not explicitly teach wherein the operations further comprise: determining, based on the response data, whether to perform a test on the at least one API; and based on a determination to perform the test on the at least one API, outputting the at least one API for performing the test. However, Arguelles teaches wherein the operations further comprise: determining, based on the response data, whether to perform a test on the at least one API and based on a determination to perform the test on the at least one API (see Arguelles [column 4, lines 66-67 and column 5, lines 1-10], showing testing parameters (i.e., response data) dictating which API calls to test), outputting the at least one API for performing the test (see Arguelles [column 5, lines 5-15], showing testing parameters invoking a single API call).
Subbarayan, Djosic and Arguelles are analogous art because they are in the same field of endeavor of software development. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Subbarayan’s teaching of inputting an API call to a machine learning model in order to predict anomalies and Djosic’s teaching of detecting unauthorized activity with Arguelles’ teaching of dynamically generating synthetic data used to test a web service to incorporate invoking an API call to test a web service or an application for better testing coverage of said web service / application.

As per claim 10, Subbarayan modified with Djosic and Arguelles teaches wherein the operations further comprise: in response to receiving the analytic data and the at least two API flows, generating test data for executing the at least two API flows (see Arguelles [column 5, lines 5-20], showing synthetic data being generated to test a sequence of API calls); and determining execution data of the at least two API flows by executing the at least two API flows using the test data (see Arguelles [column 5, lines 54-61], showing the invocation of API calls with test data based on rules to expose web services), wherein the execution data comprises an execution result of the at least two API flows and at least one API output of the at least one API of the at least two API flows (see Arguelles [column 5, lines 15-25], showing the invocation of API calls with the synthetic data).
Subbarayan, Djosic and Arguelles are analogous art because they are in the same field of endeavor of software development. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Subbarayan’s teaching of inputting an API call to a machine learning model in order to predict anomalies and Djosic’s teaching of detecting unauthorized activity with Arguelles’ teaching of dynamically generating synthetic data used to test a web service to incorporate invoking an API call to test a web service or an application for better testing coverage of said web service / application.

As per claim 11, Subbarayan modified with Djosic and Arguelles teaches wherein the operations further comprise: storing the execution data in a database (see Subbarayan paragraph [0051], showing the ML model outputting databases).

As per claim 12, Subbarayan modified with Djosic and Arguelles teaches wherein the operations further comprise: in response to receiving the execution data (see Arguelles [column 5, lines 15-25], showing the invocation of API calls with the synthetic data), determining the analytic data by inputting the execution data to a clustering model determined based on a second machine learning technique (see Subbarayan paragraph [0050], showing the use of different machine learning models such as neural network model, random forest model, Bayesian network model, a clustering model and the like).

As per claims 20 and 21, these are the method claims to system claims 10 and 12, respectively. Therefore, they are rejected for the same reasons as above.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
 Lincoln et al. (US-PGPUB-NO: 2019/0243692 A1) teaches application programming interface call data analyzed for a user to identify a relationship between API input data and API output data.
 Muguda (US-PGPUB-NO: 2014/0282626 A1) teaches application programming interface traffic and caching and enabling equitable bandwidth distribution of the API traffic.
 Roy et al. (US-PAT-NO: 10,740,164 B1) teaches API assessment for a plurality of APIs and automatically healing risk identified APIs. 

THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to LENIN PAULINO whose telephone number is (571)270-1734. The examiner can normally be reached Week 1: Mon-Thu 7:30am - 5:00pm Week 2: Mon-Thu 7:30am - 5:00pm and Fri 7:30am - 4:00pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Chat Do can be reached on (571) 272-3721. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/LENIN PAULINO/Examiner, Art Unit 2193
/Chat C Do/Supervisory Patent Examiner, Art Unit 2193