Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
1.  This action is in response to the amendment filed 6/2/2022.
2.  Claims 21-40 have been examined and are pending in the application.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

3.  Claims 21-40 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Shin U.S. Publication No. 2018/0278635.
As to claim 21, Shin teaches a non-transitory processor-readable medium storing code representing instructions to be executed by a processor, the code comprising code to cause the processor (paragraphs 0111-0113 pages 5-6) to:
receive, at a first time, a first application programming interface (API) call in a sequence of API calls, the first API call addressed to an API; receive, at a second time, a second API call in the sequence of API calls (…the control unit 220 may derive the sequence of the security-sensitive API calls in the derived behavior graph. According to an embodiment, the control unit 220 may derive the sequence of API calls by measuring a correlation between an arbitrary API call sequence and another API call sequence of the security-sensitive APIs and the distance between the sequences…, paragraph 0062 page 3);
predict a predicted time period between the first API call and the second API call; compare the predicted time period with an actual time period between the first time and the second time to generate a consistency score (…the control unit 220 may cluster a machine learning model as a malicious or benign category, and may determine a classification according to clustering of the target network program by applying the generated machine learning model to the target network program…, paragraph 0067 page 3); and
perform a remedial action associated with the sequence of API calls when the consistency score does not meet a criterion (…detecting malware in a software defined network, by which installation and execution of malware may be prevented by detecting malware without changing a traditional SDN system structure…, paragraph 0016 page 1).
As to claim 22, Shin further teaches route the first API call to a server associated with the API when the consistency score meets the criterion (data flows from one host to another host, Fig. 1 and associated specification).
As to claim 23, Shin further teaches predict the predicted time period by providing a representation of at least one of the first API call or the second API call as an input to a machine learning model to identify the predicted time period (…the control unit 220 may cluster a machine learning model as a malicious or benign category, and may determine a classification according to clustering of the target network program by applying the generated machine learning model to the target network program…, paragraph 0067 page 3).
As to claim 24, Shin further teaches the second API call in the sequence of API calls is addressed to the API (…the control unit 220 may derive the sequence of the security-sensitive API calls in the derived behavior graph. According to an embodiment, the control unit 220 may derive the sequence of API calls by measuring a correlation between an arbitrary API call sequence and another API call sequence of the security-sensitive APIs and the distance between the sequences…, paragraph 0062 page 3).
As to claim 25, Shin further teaches the API from the plurality of APIs is a first API and the second API call in the sequence of API calls is addressed to a second API different from the first API (…the control unit 220 may derive the sequence of the security-sensitive API calls in the derived behavior graph. According to an embodiment, the control unit 220 may derive the sequence of API calls by measuring a correlation between an arbitrary API call sequence and another API call sequence of the security-sensitive APIs and the distance between the sequences…, paragraph 0062 page 3).
As to claim 26, Shin further teaches the remedial action includes at least one of preventing the first API call from being sent to a server associated with the API, blocking API calls associated with a source of the first API call (…detecting malware in a software defined network, by which installation and execution of malware may be prevented by detecting malware without changing a traditional SDN system structure…, paragraph 0016 page 1).
As to claim 27, Shin further teaches the first API call is received from a first client device and the second API call is received from a second client device different from the first client device (…the control unit 220 may derive the sequence of the security-sensitive API calls in the derived behavior graph. According to an embodiment, the control unit 220 may derive the sequence of API calls by measuring a correlation between an arbitrary API call sequence and another API call sequence of the security-sensitive APIs and the distance between the sequences…, paragraph 0062 page 3).
As to claim 28, Shin teaches a method, comprising:
receiving, at an application programming interface (API) gateway (…the control unit 220 may characterize a frequency and a sequence of security-sensitive API calls, and a northbound interaction of a controller and the target network program in the software defined network…, paragraph 0060 page 3) and from a client device (…the important asset may include an application, a controller, a device, a flow, a host, an intent, a link, an open flow, a packet, routing, a topology, and a user..., paragraph 0053 page 3), a set of API calls having a sequence and addressed to an API from a plurality of APIs associated with the API gateway (…the control unit 220 may derive the sequence of the security-sensitive API calls in the derived behavior graph. According to an embodiment, the control unit 220 may derive the sequence of API calls by measuring a correlation between an arbitrary API call sequence and another API call sequence of the security-sensitive APIs and the distance between the sequences…, paragraph 0062 page 3);
predicting a predicted proximity between a first API call from the set of API calls and a second API call from the set of API calls; generating a consistency score by comparing the predicted proximity with an actual proximity in the sequence between the first API call and the second API call (…the control unit 220 may cluster a machine learning model as a malicious or benign category, and may determine a classification according to clustering of the target network program by applying the generated machine learning model to the target network program…, paragraph 0067 page 3); and
sending the set of API calls to a server associated with the API when the consistency score meets a criterion (data flows from one host to another host, Fig. 1 and associated specification).
As to claim 29, Shin further teaches providing as an input to a machine learning model a representation of the first API call; and receiving, as an output from the machine learning model, an indication of the predicted proximity between the first API call and the second API call (…The control unit 220 may cluster a target network program located in any one of a malicious reference cluster model and a benign reference cluster model by applying machining learning to the target network program…, paragraph 0069 page 3).
As to claim 30, Shin further teaches preventing the set of API calls from being sent to the server when the consistency score does not meet the criterion (…detecting malware in a software defined network, by which installation and execution of malware may be prevented by detecting malware without changing a traditional SDN system structure…, paragraph 0016 page 1).
As to claim 31, Shin further teaches the actual proximity is a number of API calls in the sequence between the first API call and the second API call (…the control unit 220 may derive the sequence of the security-sensitive API calls in the derived behavior graph. According to an embodiment, the control unit 220 may derive the sequence of API calls by measuring a correlation between an arbitrary API call sequence and another API call sequence of the security-sensitive APIs and the distance between the sequences…, paragraph 0062 page 3).
As to claim 32, Shin further teaches the actual proximity is a time period in the sequence between the first API call and the second API call (…the control unit 220 may derive the sequence of the security-sensitive API calls in the derived behavior graph. According to an embodiment, the control unit 220 may derive the sequence of API calls by measuring a correlation between an arbitrary API call sequence and another API call sequence of the security-sensitive APIs and the distance between the sequences…, paragraph 0062 page 3).
As to claim 33, Shin teaches a non-transitory processor-readable medium storing code representing instructions to be executed by a processor, the code comprising code to cause the processor (paragraphs 0111-0113 pages 5-6) to:
receive, at a proxy server (…the control unit 220 may characterize a frequency and a sequence of security-sensitive API calls, and a northbound interaction of a controller and the target network program in the software defined network…, paragraph 0060 page 3) and from a client device (…the important asset may include an application, a controller, a device, a flow, a host, an intent, a link, an open flow, a packet, routing, a topology, and a user..., paragraph 0053 page 3), a set of instructions having a sequence and addressed to a destination server from a plurality of destination servers associated with the proxy server (…the control unit 220 may derive the sequence of the security-sensitive API calls in the derived behavior graph. According to an embodiment, the control unit 220 may derive the sequence of API calls by measuring a correlation between an arbitrary API call sequence and another API call sequence of the security-sensitive APIs and the distance between the sequences…, paragraph 0062 page 3);
provide as an input to a machine learning model a representation of a first instruction from the set of instructions; receive, as an output from the machine learning model, an indication of a predicted proximity between the first instruction and a second instruction from the set of instructions (…The control unit 220 may cluster a target network program located in any one of a malicious reference cluster model and a benign reference cluster model by applying machining learning to the target network program…, paragraph 0069 page 3);
compare the predicted proximity with an actual proximity in the sequence between the first instruction and the second instruction to generate a consistency score (…the control unit 220 may derive the sequence of the security-sensitive API calls in the derived behavior graph. According to an embodiment, the control unit 220 may derive the sequence of API calls by measuring a correlation between an arbitrary API call sequence and another API call sequence of the security-sensitive APIs and the distance between the sequences…, paragraph 0062 page 3); and
perform a remedial action associated with the set of instructions when the consistency score does not meet a criterion (…detecting malware in a software defined network, by which installation and execution of malware may be prevented by detecting malware without changing a traditional SDN system structure…, paragraph 0016 page 1).
As to claim 34, Shin further teaches send the set of instructions to the destination server when the consistency score meets the criterion (data flows from one host to another host, Fig. 1 and associated specification).
As to claim 35, Shin further teaches preventing the set of instructions from being sent to the destination server, blocking instructions associated with the client device (…detecting malware in a software defined network, by which installation and execution of malware may be prevented by detecting malware without changing a traditional SDN system structure…, paragraph 0016 page 1).
As to claim 36, Shin further teaches the actual proximity is a number of instructions in the sequence between the first instruction and the second instruction (…the control unit 220 may derive the sequence of the security-sensitive API calls in the derived behavior graph. According to an embodiment, the control unit 220 may derive the sequence of API calls by measuring a correlation between an arbitrary API call sequence and another API call sequence of the security-sensitive APIs and the distance between the sequences…, paragraph 0062 page 3).
As to claim 37, Shin further teaches the actual proximity is a time period in the sequence between the first instruction and the second instruction (…the control unit 220 may derive the sequence of the security-sensitive API calls in the derived behavior graph. According to an embodiment, the control unit 220 may derive the sequence of API calls by measuring a correlation between an arbitrary API call sequence and another API call sequence of the security-sensitive APIs and the distance between the sequences…, paragraph 0062 page 3).
As to claim 38, Shin further teaches generate an n-gram representation of the first instruction to define the representation of the first instruction (…extract a sequence of security-sensitive API calls by allocating unique IDs to the APIs of the target network program. Thereafter, a distance table of n columns and n rows including information on a correlation between the extracted security-sensitive API call sequence and another API call sequence may be formed…, paragraph 0089 page 4).
As to claim 39, Shin further teaches the machine learning model includes a clustering model (…the control unit 220 may cluster a machine learning model as a malicious or benign category, and may determine a classification according to clustering of the target network program by applying the generated machine learning model to the target network program…, paragraph 0067 page 3).
As to claim 40, Shin further teaches the first instruction is a first application programming interface (API) call and the second instruction is a second API call (…the control unit 220 may derive the sequence of API calls by measuring a correlation between an arbitrary API call sequence and another API call sequence of the security-sensitive APIs and the distance between the sequences…, paragraph 0062 page 3).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
U.S. Publication No. 2018/0046475 discloses applying an API call sequence model to an API call sequence.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Andy Ho whose telephone number is (571) 272-3762.  A voice mail service is also available for this number.  The examiner can normally be reached on Monday – Friday, 8:30 am – 5:00 pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Hyung Sough, can be reached on (571) 272-6799.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
Any inquiry of a general nature or relating to the status of this application or proceeding should be directed to the receptionist whose telephone number is 571-272-2100.
Any response to this action should be mailed to:
Commissioner for Patents 
P.O. Box 1450
Alexandria, VA 22313-1450
Or fax to:
AFTER-FINAL faxes must be signed and sent to (571) 273-8300.
OFFICIAL faxes must be signed and sent to (571) 273-8300.
NON-OFFICIAL faxes should not be signed; please send to (571) 273-3762.

/Andy Ho/
Primary Examiner
Art Unit 2194