DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 12-15 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.


Claims 12 recites “…response to a definition in the specification triggering a specific rule of the plurality”. There is insufficient antecedent basis for this limitation in the claim. Appropriate correction is required.

Claim 14 recites “…taking a corresponding security action, response to a definition in the specification triggering a specific rule of the plurality…”. There is insufficient antecedent basis for this limitation in the claim. Appropriate correction is required.




Examiner Note
Claim 20 limitations reciting various “module” (e.g. “a call detecting module…being configured to, an identifying module…being configured to…”; have been interpreted under 35 U.S.C. 112, sixth paragraph, because the limitation(s) uses a non-structural term (“module”) coupled with functional language without reciting sufficient structure to achieve the function.  Furthermore, the non-structural term is not preceded by a structural modifier.
Since this claim limitation invokes 35 U.S.C. 112, sixth paragraph, claim(s) are interpreted to cover the corresponding structure described in the specification that achieves the claimed function, and equivalents thereof.  
A review of the specification shows that the following appears to be the corresponding structure described in the specification for the 35 U.S.C. 112, sixth paragraph limitation.
If applicant wishes to provide further explanation or dispute the examiner’s interpretation of the corresponding structure, applicant must identify the corresponding structure with reference to the specification by page and line number, and to the drawing, if any, by reference characters in response to this Office action. 
If applicant does not wish to have the claim limitation treated under 35 U.S.C. 112, sixth paragraph, applicant may amend the claim so that it will clearly not invoke 35 U.S.C. 112, sixth paragraph, or present a sufficient showing that the claim recites sufficient structure, material, or acts for performing the claimed function to preclude application of 35 U.S.C. 112, sixth paragraph.
For more information, see Supplementary Examination Guidelines for Determining Compliance with 35 U.S.C. § 112 and for Treatment of Related Issues in Patent Applications, 76 FR 7162, 7167 (Feb. 9, 2011).



Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-20 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Dykes (Pub. No. US 2019/0213326).

As per claim 1, Dykes discloses a computer implemented method for dynamically enforcing a dynamic application programming interface (“API”) security policy at runtime, the method comprising: detecting a running computer program making a call to an API (see par. 21, 23, 24); identifying a data object used by the API, at runtime (see par. 26); assigning specific data labels to specific fields of the data object used by the API, at runtime, the specific data labels consistently identifying data fields of specific types (…the data field classification process for classifying the API call may operates to add labels/ annotations to various data fields in the API call data…see par. 67-70); tracking a flow of execution initiated by the API, at runtime (…the application security microscope or the local data receptor can be deployed at multiple segments of the applications activity flow…API calls that are made in all segments of an application activity flow can be monitored and secured…see par. 46, 54); detecting, at runtime, an action in the tracked flow of execution that violates the dynamic API security policy, the dynamic API security policy using the specific data labels to consistently identify data fields of specific types (…the application security microscope is applied to track real-time API calls in heterogenous application environments…the API data classifier learns the constructs of the API and generates an API specification…the API spec is then used by the App security policy action module to implement appropriate security policy such as to detect anomalies…see par. 50-51); executing a security action at runtime, in response to detecting the violation of the dynamic API security policy (…see par. 85-87).


As per claim 16, Dykes discloses at least one non-transitory computer-readable storage medium for dynamically enforcing a dynamic application programming interface (“API”) security policy at runtime (see par. 21), the at least one non-transitory computer-readable storage medium storing computer executable instructions that, when loaded into computer memory and executed by at least one processor of a computing device (see 23-24, 29), cause the computing device to perform the following steps: detecting a running computer program making a call to an API (see par. 23-24); identifying a data object used by the API, at runtime (see par. 26); assigning specific data labels to specific fields of the data object used by the API, at runtime, the specific data labels consistently identifying data fields of specific types (…the data field classification process for classifying the API call may operates to add labels/ annotations to various data fields in the API call data…see par. 67-70); tracking a flow of execution initiated by the API, at runtime (…the application security microscope or the local data receptor can be deployed at multiple segments of the applications activity flow…API calls that are made in all segments of an application activity flow can be monitored and secured…see par. 46, 54); detecting, at runtime, an action in the tracked flow of execution that violates the dynamic API security policy, the dynamic API security policy using the specific data labels to consistently identify data fields of specific types (…the application security microscope is applied to track real-time API calls in heterogenous application environments…the API data classifier learns the constructs of the API and generates an API specification…the API spec is then used by the App security policy action module to implement appropriate security policy such as to detect anomalies…see par. 50-51); executing a security action at runtime, in response to detecting the violation of the dynamic API security policy (…see par. 85-87).


As per claim 20, Dykes discloses a computer system for dynamically enforcing a dynamic application programming interface (“API”) security policy at runtime, the computer system comprising: at least one processor (see par. 21, 23-24); system memory (see par. 28-29); a call detecting module residing in the system memory, the call detecting module being configured to detect a running computer program making a call to an API (see par. 23-24, 29); an identifying module residing in the system memory (see par. 28-29), the identifying module being configured to identify a data object used by the API, at runtime (see par. 26, 29); an assigning module residing in the system memory, the assigning module being configured to assign specific data labels to specific fields of the data object used by the API, at runtime, the specific data labels consistently identifying data fields of specific types (…the data field classification process for classifying the API call may operates to add labels/ annotations to various data fields in the API call data…see par. 67-70); a tracking module residing in the system memory, the tracking module being configured to track a flow of execution initiated by the API, at runtime (…the application security microscope or the local data receptor can be deployed at multiple segments of the applications activity flow…API calls that are made in all segments of an application activity flow can be monitored and secured…see par. 46, 54); an action detecting module residing in the system memory, the action detecting module being configured to detect, at runtime, an action in the tracked flow of execution that violates the dynamic API security policy, the dynamic API security policy using the specific data labels to consistently identify data fields of specific types (…the application security microscope is applied to track real-time API calls in heterogenous application environments…the API data classifier learns the constructs of the API and generates an API specification…the API spec is then used by the App security policy action module to implement appropriate security policy such as to detect anomalies…see par. 50-51); an action executing module residing in the system memory, the action executing module being configured execute a security action at runtime, in response to detecting the violation of the dynamic API security policy (…see par. 85-87).



As per claim 2, Dykes discloses wherein assigning specific data labels to specific fields the of the data object used by the API, at runtime, further comprises: programmatically analyzing the data object used by the API, at runtime; programmatically identifying specific types of data fields of the data object at runtime; and automatically assigning a data label to each one of the identified data fields, each assigned data label identifying a corresponding specific type (Dykes: see par. 67-69).


As per claim 3, Dykes discloses wherein programmatically identifying specific types of data fields of the data object at runtime further comprises: programmatically identifying specific types of data fields of the data object at runtime using heuristics (Dykes: see par. 61).


As per claim 4, Dykes discloses wherein programmatically identifying specific types of data fields of the data object at runtime further comprises: programmatically identifying specific types of data fields of the data object at runtime using a trained machine learning model (Dykes: see par. 59).


As per claim 5, Dykes discloses defining the dynamic API security policy to prohibit specific actions concerning specific types of data fields, the specific types of data fields being consistently identified by specific data labels, regardless of how the specific types of data are identified at an API specification level or at a code level (Dykes: see par. 93-96).


As per claim 6, Dykes discloses wherein identifying a data object used by the API, at runtime, further comprises: identifying, at runtime, at least one data object from a group consisting of: one or more parameters passed into the API (Dykes: see par. 69), a value returned by the API, a data object read from and/or written to by reference by the API.


As per claim 7, Dykes discloses wherein tracking a flow of execution initiated by the API, at runtime, further comprises: tracking the flow of execution into at least one subroutine called by the API, at runtime; identifying at least one data object used by the at least one subroutine, at runtime; assigning specific data labels to specific fields of the at least one data object used by the at least one subroutine, at runtime, the specific data labels providing consistent identification of data fields of specific types (Dykes: see par. 49-53); and detecting, at runtime, an action in the tracked flow of execution in the at least one subroutine that violates the dynamic API security policy (Dykes: see par. 51).


As per claim 8, Dykes discloses wherein: at least one subroutine called by the API further comprises at least one additional API (Dykes: see par. 49).


As per claim 9, Dykes discloses wherein detecting, at runtime, an action in the tracked flow of execution that violates the dynamic API security policy further comprises: detecting, at runtime, an action in the tracked flow of execution that attempts to gain access to sensitive data in violation of the dynamic API security policy (Dykes: see par. 85-87).


As per claim 10, Dykes discloses wherein executing a security action at runtime, in response to detecting the violation of the dynamic API security policy further comprises:
blocking execution of an action in the tracked flow of execution that violates the security policy (Dykes: see par. 87).


As per claim 11, Dykes discloses wherein: the method is performed without access to a specification of the API or code of the API (Dykes: see par. 35-37).


As per claim 12, Dykes discloses receiving a specification of the API; parsing the specification of the API; comparing definitions of the specification to a plurality of rules concerning API risk assessment; taking a corresponding security action, response to a definition in the specification triggering a specific rule of the plurality (Dykes: see par. 83-85).


As per claim 13, Dykes discloses taking multiple security actions, response to multiple definitions in the specification triggering specific rules (Dykes: see par. 85).


As per claim 14, Dykes discloses wherein taking a corresponding security action, response to a definition in the specification triggering a specific rule of the plurality, further comprises: adjusting a quantification of a risk assessment of the API (Dykes: see par. 84).


As per claim 15, Dykes discloses wherein: the plurality of rules concerning API risk assessment further comprise at least some organization-defined rules concerning organization-defined API risk assessment (Dykes: see par. 90-92).


As per claim 17, Dykes discloses wherein detecting, at runtime, an action in the tracked flow of execution that violates the dynamic API security policy further comprises: detecting, at runtime, an action in the tracked flow of execution that attempts to gain access to sensitive data in violation of the dynamic API security policy (Dykes: see par. 85-87).


As per claim 18, Dykes discloses wherein executing a security action at runtime, in response to detecting the violation of the dynamic API security policy further comprises: blocking execution of an action in the tracked flow of execution that violates the security policy (Dykes: see par. 87).


As per claim 19, Dykes discloses wherein: the steps are performed without access to a specification of the API or code of the API (Dykes: see par. 35-37).


Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure (see PTO-form 892).
The following Patents and Papers are cited to further show the state of the art at the time of Applicant’s invention with respect to computer security, and more specifically to dynamic, runtime API parameter labeling, flow parameter tracking and security policy enforcement, without access to an API specification.

Kapoor et al (Pub. No. US 2014/0189783); “Policy-Based Development and Runtime Control of Mobile Applications”;
-Teaches the updated global policy might require additional actions to be taken. If, for example, the processor identifies the mobile device as being stolen, the policy might, in addition to denying the application permission to run, instruct the mobile phone to erase all its stored data, start transmit a location-tracking signal, or configure itself to stop working…see par. 98.



Any inquiry concerning this communication or earlier communications from the examiner should be directed to GHAZAL B SHEHNI whose telephone number is (571)270-7479. The examiner can normally be reached Mon-Fri 9am-5pm PCT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Philip Chea can be reached on 5712723951. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/GHAZAL B SHEHNI/Primary Examiner, Art Unit 2499