Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
This office action is responsive to application filed on 7/31/2024. Claims 1-20 are pending.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more.
Step 1: claims 1-10 are drawn to a process. Claims 11-19 are drawn to apparatus and claim 20 is drawn to a non-transitory computer-readable medium.
Step 2A, Prong One. The independent claim 1 recites, receiving a request from a chatbot user credentials; preventing the credentials from being provided; providing an instruction that credentials are locally available; making an API call using the credentials. The claim is directed to managing and controlling access to sensitive authentication information and performing an authentication transaction without disclosing the credentials. This falls within the abstract idea of access control, identity /credential management and information filtering, which falls under Certain Methods of Organizing Human Activity. The courts held that controlling access to information, authentication and security rules form an abstract idea when claimed at high functional level (Electric Power Group). The claims do not recite a specific technological improvement to any of the following: Cryptographic operations, API protocols, network architecture, credential storage mechanism or chatbot processing algorithm. But they recite a result-oriented rule, which is information management implemented on a computer.
Step 2A, prong Two. The additional elements such as a device, a chatbot (including LLM), an API call, user credentials, storing and validating credentials are recited at high level of generality and perform conventional functions of: receiving and transmitting data; filtering content; executing API call, validating credentials and storing data. The claims do not recite any of the following: a specific credential architecture; a specific hardware-based isolation boundary; a new protocol a modification tot eh internal operation of LLM; a novel network message format, a novel interception engine or any improvement to the computer functionality. The claims simply use conventional computer components to apply the abstract rule that credentials should not be shared with a chatbot.
Step 2B; The additional elements do not amount to significantly more than the abstract idea itself. Each of the recited components is generic and conventional. In conclusion, the claims are directed to abstract idea of managing and controlling access to user credentials in connection with performing authenticated API calls, and the additional elements amount to only generic computer implementation of that idea.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Rogers et al. U.S. Patent No.9,531,715 (referred to herein after as Rogers) and further in view of Chandarana et al. U.S. Patent Pub. No. 2025/0363311 (referred to hereafter as Chan).
As to claim1, Rogers teaches a method comprising:
receiving, at a device, a request from a chatbot for user credentials needed to perform an application programming interface call (see Rogers abstract and summary, Rogers teaches intercepting, by the proxy” device”, the request from the application “chatbot” to access local resources “API”);
preventing, by the device, the user credentials from being provided to the chatbot in response to the request (see Rogers claim1 and col. 12 lines 7-37; col. 13 lines 15-52, providing, by the proxy, the placeholder credential to an application.. wherein the local resource credential is not provided to the application virtual machine AVM);
providing, by the device, an instruction to the chatbot indicative of the user credentials not being shared because they are locally available (see claim 1 of Rogers and column 13 lines 15-52, providing, by the proxy, the placeholder “instruction that real credentials are locally managed by the proxy” credentials to an application that is executing in an application virtual machine); and
making, by the device, the application programming interface call based on an output of the chatbot and using the user credentials (see Rogers abstract, col.12 lines 19-36 and claim1, replacing, by the proxy, the placeholder credential in the request with the local resource credential to obtain a second request, and sending by the proxy, the second request to the local resource).
Rogers implicitly teaches the invention as mentioned above. Rogers does not explicitly teach “chatbot and API”. However, Chan teaches a mobile application fronted, a backend server, and integration with Open AI assistants API interacting with a chatbot (see paragraphs 0298 and 0346).
It would have been obvious to one of the ordinary skilled int eh art, at the time of the invention, to combine the teachings of Chan with those of Rogers to make the system more efficient and reduce application programming interface (API) usage cost and conserves data processing resources for a chatbot system.
As to claim 2, Rogers-Chan teaches the method as in claim 1, wherein the output of the chatbot comprises code to make the application programming interface call (see Chan paragraphs 0158-0160).
As to claim 3, Rogers-Chan teaches the method as in claim 1, wherein the chatbot comprises a large language model (LLM) (see Chan paragraphs 0049 and 0106).
As to claim 4, Rogers-Chan teaches the method as in claim 1, wherein the user credentials comprise a cryptographic key (see Chan paragraph 00420).
As to claim 5, Rogers-Chan teaches the method as in claim 1, further comprising: prompting a user for the user credentials, after receiving the request, when the user credentials are expired or not locally available. (see Rogers claim 12, the placeholder credentials is only valid for a finite duration).
As to claim 6, Rogers-Chan teaches the method as in claim 1, further comprising: validating, by the device, the user credentials, prior to making the application programming interface call (see Rogers claims 2, before the proxy receives and uses any credential, the device must submit integrity measurement service for validation. The management service validates those measurements and only then issues the local resource credentials that happens before credential is issued and before any resource call is made).
As to claim 7, Rogers-Chan teaches the method as in claim 1, further comprising: storing the user credentials for use to make a further application programming interface call (see Rogers at least claims 1 and 12, the proxy receives both the placeholder and the local resource credentials from the management service before any request is intercepted. These credentials are stored within the SVM and available for use across multiple application requests, not just a single call. The came same stored credentials are re-used each time the application sends a request, tit he proxy replacing the placeholder for each one which is equivalent to storing the user credentials for use to make a further API call).
As to claim 8, Rogers-Chan teaches the method as in claim 1, wherein the device is an endpoint device operated by a user associated with the user credentials (see Rogers at least abstract, claims 1 and 3, Both AM (application) and S (proxy) execute on the same computing device. The computing device is the user’s endpoint (the machine user operates). The local resource credentials are issued specifically for the application executing on the computing device, this way typing the credentials to a specific user device).
As to claim 9, Rogers-Chan teaches the method as in claim 1, wherein the device prevents the user credentials from being provided to the chatbot in response to the request by:
stripping the user credentials from a textual response issued by a user in response to the request (see Rogers claim 1, the proxy intercepts the application’s going request and replaces the placeholder credential with the real local resource credential before forwarding it. The act of replacing the placeholder by removing what the application sent and substitute it with real credentials).
As to claim10, Rogers-Chan teaches the method as in claim 1, wherein the device is an intermediate device between the chatbot and a server to which the application programming interface call is made (see abstract of Rogers, the proxy (intermediate device) is positioned between the application (chatbot) and the API (local resource server).
Claims10-20 do not teach anything above and beyond the limitations of claims 1-10 and rejected for similar reasons.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Pranam et al. U.S. Patent No. 9,998,455, Protection of Application Passwords Using secure Proxy, teaches A request is received by a proxy from a client to access a protected resource located on a target server. A secure session is initiated between the proxy and client. The access request is forwarded by the proxy to the target. A response is received from the target that is a credential form. The proxy server injects into each required credential field a credential field tag and is sent to the client computer. Target credentials mapped by the credential field tags are retrieved by the proxy server from a protected datastore. The form is completed and sent to the target. If the credentials are invalid, the target credentials are updated and stored in the protected data store without client computer intervention, and sent by the proxy server to the target. The client computer is then allowed to access the protected resource.
Karaatanassov et al. U.S. Patent No. 10,298,561, Providing Single Session experience Across Multiple Application, teaches allowing a user to log into an API proxy by supplying login credentials and to have the API proxy log into the APIs of various web-based applications on behalf of the user by using the user's login credentials, without the user needing to separately log into each application. Calls made by the user to an application and application replies are routed through the API proxy. Further, the API proxy manages session expirations, e.g., by sending dummy calls to applications that exhibit idle expiration.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SARGON N NANO whose telephone number is (571)272-4007. The examiner can normally be reached 7:30 AM-3:30 PM. M.S.T..
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Nicholas Taylor can be reached at 571 272 3889. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SARGON N NANO/Primary Examiner, Art Unit 2443