Office Action Predictor
Application No. 17/556,279

MACHINE LEARNING-BASED SECURITY ALERT ISSUANCE BASED ON ACTIONABILITY METRICS

Final Rejection §103
Filed
Dec 20, 2021
Examiner
FARAMARZI, GITA
Art Unit
2496
Tech Center
2400 — Computer Networks
Assignee
Microsoft Technology Licensing, LLC
OA Round
4 (Final)
54%
Grant Probability
Moderate
5-6
OA Rounds
3y 4m
To Grant
90%
With Interview

Examiner Intelligence

54%
Career Allow Rate
40 granted / 74 resolved
Without
With
+35.8%
Interview Lift
avg trend
3y 4m
Avg Prosecution
34 pending
108
Total Applications
career history

Statute-Specific Performance

§101
8.1%
-31.9% vs TC avg
§103
56.6%
+16.6% vs TC avg
§102
5.0%
-35.0% vs TC avg
§112
29.4%
-10.6% vs TC avg
Black line = Tech Center average estimate • Based on career data

Office Action

§103
DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Status of Claims The Amendment filed on 06/27/2025 has been entered. Claims 1, 8, and 19 were amended. As a result, claims 1-20 are pending, of which claims 1, 8, and 19 are in independent form. Response to Amendment Applicant’s amendment regarding the claim 19 obviates the rejection under 35 U.S.C. 101. Therefore, the 101 rejection is withdrawn. Response to Arguments Applicant’s arguments with respect to claim(s) are rejected, under 35 USC 103(a), have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter. On Pages 9-11 of remarks, Applicant argues that Moran fails to teach or suggest "a label generator to label the first log data on which the first alert is based as suspicious activity based on the actionability metric having a first value indicating a first level of user interaction with the alert or as benign activity based on the actionability metric having a second value indicating a second level of user interaction with the alert," as recited by the amended claims 1, 8 and 19. Based on the newly amended independent claims Applicant’s arguments, with respect to the rejection(s) of claim(s) 1, 8 and 19 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of Sopan (US 11,637,862 B1). As to the dependent claims 2-7, 9-18 and 20, these claims remain rejected by virtue of dependency to their independent claims. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 1-4, 6-11, 13-15, and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Chor (US 2019/0334764 A1), hereinafter Chor in view of SRIVASTAV et al. (US 2022/0103578 A1), hereinafter SRIVASTAV and further in view of Sopan (US 11,637,862 B1), hereinafter Sopan. Regarding claim 1, Chor discloses a system, comprising: at least one processor circuit (Chor, Para. 0409, digital signal processors (DSPs), mobile application processors, microcontrollers, special purpose logic circuitry, e.g., a field programmable gate array (FPGA) or an application specific integrated circuit (ASIC), or the like, or a combination of such devices); and at least one memory that stores program code configured to be executed by the at least one processor circuit, the program code comprising (Chor, Para. 0419, the memory (e.g., memory device 9154) can be supplemented by, or incorporated in, special purpose logic circuitry): an alert generator configured to provide a first alert to a computing device associated with a user (Chor, Para. 0379, The alert message with invokable action content created by the processing of block 2444 is transmitted to support communications device processing location 2450 as indicated by arrow 2478), an activity tracker configured to: track activity performed by the user with respect to the first alert (Chor, Para. 0399, invoke action button 2630 identifies an available invokable action and enables a user to indicate that the identified invokable action should indeed be invoked); and generate an actionability metric for the first alert based on the tracked activity (Chor, Para. 0321, metrics analysis workspace built into product; in-application collection guidance; self-service, and easy deployment) and (Chor, Paras. 0396-0397, the color of header 2610 is determined by a state or severity of a metric or key performance indicator, and the text of header 2610 identifies the state or severity, “CRITICAL,” in this example. In one embodiment, the determinative metric or key performance indicator information may be included within the information source for the notable event instance associated with the actionable alert definition instance used to construct the interactive alert message giving rise to display 2600… In one embodiment, timestamp 2612 shows the date and time the related IAM was received at the service communication device. “Assign” interactive element 2614 enables a user to indicate a desire to assign the incident associated with the alert message to someone else. User interaction with assign interactive element 2614 may incite processing to effect such an assignment), the actionability metric indicating a level of interaction between the user and the first alert (Chor, Para. 0399, an action invocation message is sent to a remedial action target for the incitation of processing leading to the quarantine of the malware. Ignore action button 2632 enables a user to indicate a desire to ignore the alert message of 2600. In one embodiment, user interaction with ignore button 2632 causes processing on the support communications device that dismisses the display of the alert message of 2600. In one embodiment, user interaction with ignore button 2632 causes processing on the support communications device to signal the IAM sender, such as the remediate function of the monitoring system, that the user has indicated the intent and desire to ignore the alert message); and Chor does not explicitly disclose the first alert being based on first log data generated by an application associated with the user and indicating that suspicious activity has been detected with respect to at least one of the application or a resource associated with the user; and the labeled first log data including a log of a plurality of logs, the at least one processor circuit providing the labeled first log data as training data to a supervised machine learning algorithm to generate a machine learning model, the machine learning model generated to issue second alerts based on second log data provided thereto. However, SRIVASTAV teaches the first alert being based on first log data generated by an application associated with the user and indicating that suspicious activity has been detected with respect to at least one of the application (SRIVASTAV, Para. 0048, the anomaly event is graphically displayed on a display. Further, in accordance with detecting the anomaly event, an origin of the anomaly event may be identified. The origin of the anomaly event may be identified based on the information provided in the historical connections data log (e.g., IP address range, server location, etc.)) or a resource associated with the user (SRIVASTAV, Para. 0048); the labeled first log data including a log of a plurality of logs (SRIVASTAV, Para. 0035, during the training phase, the model generator 205 may train the prediction model 206 using historical malicious and benign connection log files or records), the at least one processor circuit providing the labeled first log data as training data to a supervised machine learning algorithm to generate a machine learning model (SRIVASTAV, Para. 0044, the sampled or extracted connection log data may contain labeled malicious and/or benign files or records. The sampled connection log data may be filtered and normalized by a filtering module (e.g., filtering module 305) to expedite the training. In step 503, the model generator 501 may, for example, build an anomaly prediction model (e.g., prediction model 206 or 310) using the machine learning techniques), the machine learning model generated to issue second alerts based on second log data provided thereto (SRIVASTAV, Para. 0045, if the anomaly prediction model detects an anomaly in the received incoming packets, the end-user system 504 may generate an alert message or automatically block the incoming packets in step 511) and (SRIVASTAV, Para. 0020, The intrusion detection system utilizing the cloud-based anomaly prediction model may provide alerts and/or reports when anomalies are detected in the real-time or stored network traffic data). Chor and SRIVASTAV are both considered to be analogous to the claim invention because they are in the same field of generating alerts based on log data generated from an application. Therefore, it would have been obvious to someone ordinary skill in the art before the effective filling date of the claimed invention to have modified Chor to incorporate the teachings of SRIVASTAV to include the first alert being based on first log data generated by an application associated with the user and indicating that suspicious activity has been detected with respect to at least one of the application (SRIVASTAV, Para. 0048); the labeled first log data including a log of a plurality of logs (SRIVASTAV, Para. 0035), at least one processor circuit providing the labeled first log data as training data to a supervised machine learning algorithm to generate a machine learning model (SRIVASTAV, Para. 0044), the machine learning model generated to issue second alerts based on second log data provided thereto (SRIVASTAV, Para. 0045) and (SRIVASTAV, Para. 0020). Doing so would aid to provide the intelligent, connected vehicle network traffic monitoring capabilities utilizing cloud-based anomaly prediction model in accordance with the present disclosure will result in improvements in connected vehicle cybersecurity technology in various aspects (SRIVASTAV, Para. 0021). Chor and SRIVASTAV do not explicitly teach a label generator to label the first log data on which the first alert is based as being indicative of one of suspicious activity based on the actionability metric having a first value indicating a first level of user interaction with the or benign activity based on the actionability metric having a second level of user interaction with the alert, However, Sopan teaches a label generator to label the first log data on which the first alert is based as being indicative of one of suspicious activity based on the actionability metric having a first value indicating a first level of user interaction with the alert (Sopan, Col. 2, Lines 15-19, a received cyber-security alert received by the system and analyzed by the AAAS may classify the alert as “malicious” with a 17% confidence level, “non-malicious” with an 89% confidence level, and “misconfiguration” with a 91% confidence level) and (Sopan, Col. 3, Lines 24-30, the application of a predictive model to a received alert may generate one or more labels and/or courses of actions, each associated with a confidence level. The confidence levels are correlated with a likelihood of the alert being associated with the label and/or course of action) and (Sopan, Col. 7, Lines 30-36, an alert may be associated with, or triggered by, any of a variety of computing activities, for example: a granting or denial of administrative rights or escalation of privileges, an unauthorized access of an access-restricted compute device, detection of a new device on a restricted network, multiple different user login(s) made by a single compute device, an unexpected/unusual login of a user, detection of an internal vulnerability, etc.) or benign activity based on the actionability metric having a second level of user interaction with the alert (Sopan, Col. 2, Lines 15-19, a received cyber-security alert received by the system and analyzed by the AAAS may classify the alert as “malicious” with a 17% confidence level, “non-malicious” with an 89% confidence level, and “misconfiguration” with a 91% confidence level) and (Sopan, Col. 3, Lines 24-30, the application of a predictive model to a received alert may generate one or more labels and/or courses of actions, each associated with a confidence level. The confidence levels are correlated with a likelihood of the alert being associated with the label and/or course of action) and (Sopan, Col. 7, Lines 30-36, an alert may be associated with, or triggered by, any of a variety of computing activities, for example: a granting or denial of administrative rights or escalation of privileges, an unauthorized access of an access-restricted compute device, detection of a new device on a restricted network, multiple different user login(s) made by a single compute device, an unexpected/unusual login of a user, detection of an internal vulnerability, etc.), Chor, SRIVASTAV and Sopan are all considered to be analogous to the claim invention because they are in the same field of generating alerts based on log data generated from an application. Therefore, it would have been obvious to someone ordinary skill in the art before the effective filling date of the claimed invention to have modified Chor and SRIVASTAV to incorporate the teachings of Sopan to include a label generator to label the first log data on which the first alert is based as being indicative of one of suspicious activity based on the actionability metric having a first value indicating a first level of user interaction with the alert (Sopan, Col. 2, Lines 15-19) and (Sopan, Col. 3, Lines 24-30) and (Sopan, Col. 7, Lines 30-36) or benign activity based on the actionability metric having a second level of user interaction with the alert (Sopan, Col. 2, Lines 15-19) and (Sopan, Col. 3, Lines 24-30) and (Sopan, Col. 7, Lines 30-36). Doing so would aid to aid a cyber-security automated analyst alerting system receives one or more cyber-security alerts, the alerts are analyzed by an alert recommendation engine which automatically determines a recommended course of action related to the one or more received cyber-security alerts by application of a predictive machine learning model generated by a predictive machine learning logic (or predictive model generation logic) (Sopan, Col. 1, Lines 45-52). Regarding claim 2, the combination of Chor and SRIVASTAV in view of Sopan teaches the system of claim 1, wherein the first alert is generated by an unsupervised machine learning model (SRIVASTAV, Para. 0034, the machine learning techniques of the present disclosure may include deep learning algorithms or techniques). Therefore, it would have been obvious to someone ordinary skill in the art before the effective filling date of the claimed invention to have modified Chor and Sopan to incorporate the teachings of SRIVASTAV to include wherein the first alert is generated by an unsupervised machine learning model (SRIVASTAV, Para. 0034). Doing so would aid to provide the intelligent, connected vehicle network traffic monitoring capabilities utilizing cloud-based anomaly prediction model in accordance with the present disclosure will result in improvements in connected vehicle cybersecurity technology in various aspects (SRIVASTAV, Para. 0021). Regarding claim 3, the combination of Chor and SRIVASTAV in view of Sopan teaches the system of claim 1, wherein the first alert comprises at least one of an identifier of the application, an identifier of the resource, or a uniform resource identifier of a web-based portal, the web-based portal enabling the user to perform at least one of view details regarding the first alert; or perform an action to mitigate the suspicious activity (Chor, Para. 0366, action invocation message (AIM) target address interactive component 2250 is illustrated as an interactive text box labeled “Target Address:” and having “http: [followed immediately by] //it.acmeco.com/” as its contents, as may have been entered by a user to indicate an identification, address, location, or such that identifies the desired AIM target/recipient in a networking or other communications scheme or system. As suggested by the illustrated contents of the text box of 2250, an embodiment may enable the user to specify a Uniform Resource Locator (URL) as target address information. In one embodiment, any Uniform Resource Identifier (URI) may be specified by the user). Regarding claim 4, the combination of Chor and SRIVASTAV in view of Sopan teaches the system of claim 3, wherein the activity tracker: receive an indication that the user has engaged with the alert (Chor, Para. 0370, user interaction with save button 2208 of interface 2200); and responsive to receiving the indication (Chor, Para. 0370, User interaction with save button 2208 of interface 2200 of FIG. 22 may cause processing to format and store an actionable alert definition in computer storage that reflects the information presented by display interface 2200): monitor an amount of time the user has spent on the web portal (Chor, Para. 0353, the “5 minutes” entry of sublist 2136 is highlighted indicating it as the current selection corresponding to the displayed content of timing interactive component 2130); and determine whether the user has performed the action to mitigate the suspicious activity (Chor, Para. 0399, the legend on invokable action button 2630, “Quarantine,” indicates that the user may invoke an action to quarantine the detected malware by interacting with button). Regarding claim 6, the combination of Chor and SRIVASTAV in view of Sopan teaches the system of claim 4, wherein the indication is received responsive to at least one of a determination that the user has logged into the web portal; a determination that the user has interacted with at least one of the application or the resource identified by the alert; or a determination that the user has performed the action to mitigate the suspicious activity (Chor, Para. 0399, the legend on invokable action button 2630, “Quarantine,” indicates that the user may invoke an action to quarantine the detected malware by interacting with button). Regarding claim 7, the combination of Chor and SRIVASTAV in view of Sopan teaches the system of claim 4, wherein the activity tracker: determine that a length of time between receiving the indication and when the user performs the action to mitigate the suspicious activity is below a predetermined threshold (Chor, Para. 0360, timeout period interactive component 2230 is illustrated as a drop down combo selection box labeled “Times out after:” and having “5 minutes” as its contents. Timeout interactive component 2230, and one embodiment, enables a user to specify a maximum time to wait for a user response to an instance of an actionable alert message of the present definition before expiring); and responsive to a determination that the length of time is below the predetermined threshold (Chor, Para. 0321, in a further embodiment, the lower-tier applications are single team focused and provide simple tagging and grouping, reliability scoring on entities and groups anomaly detection and adaptive thresholding for easy tuning; 24 hours of alerts and notifications with ability to mute alerts; metrics analysis workspace built into product), generate the actionability metric for the first alert, the actionability metric indicating a first level of interaction (Chor, Para. 0321, metrics analysis workspace built into product; in-application collection guidance; self-service, and easy deployment). Regarding claim 8, the claim 8 is similarly analyzed and rejected as the system claim 1. Regarding claim 9, the combination of Chor and SRIVASTAV in view of Sopan teaches the method of claim 8, wherein the first alert is generated by an unsupervised machine learning model (SRIVASTAV, Para. 0034, the machine learning techniques of the present disclosure may include deep learning algorithms or techniques). Therefore, it would have been obvious to someone ordinary skill in the art before the effective filling date of the claimed invention to have modified Chor and Sopan to incorporate the teachings of SRIVASTAV to include wherein the first alert is generated by an unsupervised machine learning model (SRIVASTAV, Para. 0034). Doing so would aid to provide the intelligent, connected vehicle network traffic monitoring capabilities utilizing cloud-based anomaly prediction model in accordance with the present disclosure will result in improvements in connected vehicle cybersecurity technology in various aspects (SRIVASTAV, Para. 0021). Regarding claim 10, the combination of Chor and SRIVASTAV in view of Sopan teaches the method of claim 8, wherein the first alert comprises at least one of an identifier of the application, an identifier of the resource, or a uniform resource identifier of a web-based portal, the web-based portal enabling the user to perform at least one of: view details regarding the first alert; or perform an action to mitigate the suspicious activity (Chor, Para. 0366, action invocation message (AIM) target addresses interactive component 2250 is illustrated as an interactive text box labeled “Target Address:” and having “http: [followed immediately by] //it.acmeco.com/” as its contents, as may have been entered by a user to indicate an identification, address, location, or such that identifies the desired AIM target/recipient in a networking or other communications scheme or system. As suggested by the illustrated contents of the text box of 2250, an embodiment may enable the user to specify a Uniform Resource Locator (URL) as target address information. In one embodiment, any Uniform Resource Identifier (URI) may be specified by the user). Regarding claim 11, the combination of Chor and SRIVASTAV in view of Sopan teaches the method of claim 10, wherein said tracking comprises: receiving an indication that the user has engaged with the alert (Chor, Para. 0370, user interaction with save button 2208 of interface 2200); and responsive to receiving the indication (Chor, Para. 0370, User interaction with save button 2208 of interface 2200 of FIG. 22 may cause processing to format and store an actionable alert definition in computer storage that reflects the information presented by display interface 2200): monitoring an amount of time the user has spent on the web portal (Chor, Para. 0353, the “5 minutes” entry of sublist 2136 is highlighted indicating it as the current selection corresponding to the displayed content of timing interactive component 2130); and determining whether the user has performed the action to mitigate the suspicious activity (Chor, Para. 0399, the legend on invokable action button 2630, “Quarantine,” indicates that the user may invoke an action to quarantine the detected malware by interacting with button). Regarding claim 13, the combination of Chor and SRIVASTAV in view of Sopan teaches the method of claim 11, wherein the indication is received responsive to at least one of determining that the user has logged into the web portal; determining that the user has interacted with at least one of the application or the resource identified by the alert; or determining that the user has performed the action to mitigate the suspicious activity (Chor, Para. 0399, the legend on invokable action button 2630, “Quarantine,” indicates that the user may invoke an action to quarantine the detected malware by interacting with button). Regarding claim 14, the combination of Chor and SRIVASTAV in view of Sopan teaches the method of claim 11, wherein generating the actionability metric comprises: determining that a length of time between receiving the indication and when the user performs the action to mitigate the suspicious activity is below a predetermined threshold; and responsive to determining that the length of time is below the predetermined threshold (Chor, Para. 0321, in a further embodiment, the lower-tier applications are single team focused and provide simple tagging and grouping, reliability scoring on entities and groups anomaly detection and adaptive thresholding for easy tuning; 24 hours of alerts and notifications with ability to mute alerts; metrics analysis workspace built into product), generating the actionability metric for the first alert, the actionability metric indicating a first level of interaction (Chor, Para. 0321, metrics analysis workspace built into product; in-application collection guidance; self-service, and easy deployment). Regarding claim 15, the combination of Chor and SRIVASTAV in view of Sopan teaches the method of claim 14, wherein generating the actionability metric comprises: determining at least one of: that the amount of time the user has spent on the web portal exceeds a predetermined threshold (Chor, Para. 0360, timeout period interactive component 2230 is illustrated as a drop-down combo selection box labeled “Times out after:” and having “5 minutes” as its contents. Timeout interactive component 2230, and one embodiment, enables a user to specify a maximum time to wait for a user response to an instance of an actionable alert message of the present definition before expiring); or that the user has not performed the action to mitigate the suspicious activity within a predetermined period of time; and responsive to at least one of determining that the amount of time exceeds the predetermined threshold or determining that the user has not performed the action within the predetermined period of time (Chor, Para. 0361, timeout options interactive components 2232 and 2234 are depicted as mutually exclusive, interactive radio buttons under the label “after timeout:”… Interaction with radio button 2234 of the embodiment indicates the definition for the present actionable alert should contain information indicating that an actionable alert generated in accordance with the present definition should be expired without performing an automatic action invocation), generating the actionability metric for the first alert (Chor, Para. 0321, metrics analysis workspace built into product; in-application collection guidance; self-service, and easy deployment), the actionability metric indicating a second level of interaction (Chor, Para. 0399, user interaction with ignore button 2632 causes processing on the support communications device to signal the IAM sender, such as the remediate function of the monitoring system, that the user has indicated the intent and desire to ignore the alert message). Regarding claim 18, the combination of Chor and SRIVASTAV in view of Sopan teaches the method of claim 17, wherein labeling the first log data comprises one of labeling the first log data as indicative of suspicious activity based on the actionability metric indicating the first level of interaction (SRIVASTAV, Para. 0048, the anomaly event is graphically displayed on a display. Further, in accordance with detecting the anomaly event, an origin of the anomaly event may be identified. The origin of the anomaly event may be identified based on the information provided in the historical connections data log (e.g., IP address range, server location, etc.)); or labeling the first log data as indicative of benign activity based on the actionability metric indicating at least one of the second level of interaction or the third level of interaction. Therefore, it would have been obvious to someone ordinary skill in the art before the effective filling date of the claimed invention to have modified Chor to incorporate the teachings of SRIVASTAV to include wherein labeling the first log data comprises one of labeling the first log data as indicative of suspicious activity based on the actionability metric indicating the first level of interaction (SRIVASTAV, Para. 0048). Doing so would aid to provide the intelligent, connected vehicle network traffic monitoring capabilities utilizing cloud-based anomaly prediction model in accordance with the present disclosure will result in improvements in connected vehicle cybersecurity technology in various aspects (SRIVASTAV, Para. 0021). Regarding claim 19, the claim 19 is similarly analyzed and rejected as the system claim 1 and method claim 8. Regarding claim 20, the combination of Chor and SRIVASTAV in view of Sopan teaches the computer-readable storage medium of claim 19, wherein the first alert comprises at least one of an identifier of the application, an identifier of the resource, or a uniform resource identifier of a web-based portal, the web-based portal enabling the user to perform at least one of view details regarding the first alert; or perform an action to mitigate the suspicious activity (Chor, Para. 0366, action invocation message (AIM) target addresses interactive component 2250 is illustrated as an interactive text box labeled “Target Address:” and having “http: [followed immediately by] //it.acmeco.com/” as its contents, as may have been entered by a user to indicate an identification, address, location, or such that identifies the desired AIM target/recipient in a networking or other communications scheme or system. As suggested by the illustrated contents of the text box of 2250, an embodiment may enable the user to specify a Uniform Resource Locator (URL) as target address information. In one embodiment, any Uniform Resource Identifier (URI) may be specified by the user). Claims 5, 12, and 16-17 are rejected under 35 U.S.C. 103 as being unpatentable over Chor (US 2019/0334764 A1), hereinafter Chor in view of SRIVASTAV et al. (US 2022/0103578 A1), hereinafter SRIVASTAV and in view of Sopan (US 11,637,862 B1), hereinafter Sopan and further in view of Luzader (US 96,350,27 B1), hereinafter Luzader. Regarding claim 5, the combination of Chor and SRIVASTAV in view of Sopan fails to teach the system of claim 4, wherein the indication is received responsive to a user activating the uniform resource identifier. However, Luzader teaches wherein the indication is received responsive to a user activating the uniform resource identifier (Luzader, Col. 9, Lines. 30-34, once the recipient selects the URI 404, the original text 402 will be sent either into the message being viewed, or through other means such as a second email or message, a pop-up message, an overlay that includes the message, etc.). Chor, SRIVASTAV, Sopan and Luzader are all considered to be analogous to the claim invention because they are in the same field of generating alerts based on log data generated from an application. Therefore, it would have been obvious to someone ordinary skill in the art before the effective filling date of the claimed invention to have modified Chor and SRIVASTAV and Sopan to incorporate the teachings of Luzader to include wherein the indication is received responsive to a user activating the uniform resource identifier (Luzader, Col. 9, Lines. 30-34). Doing so would aid to allow two parties to communicate and exchange data securely and openly between themselves with built-in mechanisms for detection of message interception as well as assurance that messages or transactions are not stored indefinitely after being viewed (Luzader, Col. 1, Lines. 56-62). In regards to claim 12, the combination of Chor and SRIVASTAV in view of Sopan fails to teach the method of claim 11, wherein the indication is received responsive to a user activating the uniform resource identifier. However, Luzader teaches wherein the indication is received responsive to a user activating the uniform resource identifier (Luzader, Col. 9, Lines. 30-34, once the recipient selects the URI 404, the original text 402 will be sent either into the message being viewed, or through other means such as a second email or message, a pop-up message, an overlay that includes the message, etc.). Chor, SRIVASTAV, Sopan and Luzader are all considered to be analogous to the claim invention because they are in the same field of generating alerts based on log data generated from an application. Therefore, it would have been obvious to someone ordinary skill in the art before the effective filling date of the claimed invention to have modified Chor, SRIVASTAV and Sopan to incorporate the teachings of Luzader to include wherein the indication is received responsive to a user activating the uniform resource identifier (Luzader, Col. 9, Lines. 30-34). Doing so would aid to allow two parties to communicate and exchange data securely and openly between themselves with built-in mechanisms for detection of message interception as well as assurance that messages or transactions are not stored indefinitely after being viewed (Luzader, Col. 1, Lines. 56-62). Regarding claim 16, the combination of Chor, SRIVASTAV and Sopan in view of Luzader teaches the method of claim 15, wherein said tracking comprises: determining that the uniform resource identifier has not been activated by the user within a predetermined period of time (Luzader, Col. 7, Lines, 11-14, the user content deletion service 206 also can delete posted content and the associated URI based on expiration of a predetermined time period as well as other means determined by the system). Therefore, it would have been obvious to someone ordinary skill in the art before the effective filling date of the claimed invention to have modified Chor, SRIVASTAV and Sopan to incorporate the teachings of Luzader to include wherein said tracking comprises: determining that the uniform resource identifier has not been activated by the user within a predetermined period of time (Luzader, Col. 7, Lines, 11-14). Doing so would aid to allow two parties to communicate and exchange data securely and openly between themselves with built-in mechanisms for detection of message interception as well as assurance that messages or transactions are not stored indefinitely after being viewed (Luzader, Col. 1, Lines. 56-62). Regarding claim 17, the combination of Chor, SRIVASTAV and Sopan in view of Luzader teaches the method of claim 16, wherein generating the actionability metric comprises: responsive to determining that uniform resource identifier has not been activated within the predetermined period of time (Luzader, Col. 7, Lines, 11-14, the user content deletion service 206 also can delete posted content and the associated URI based on expiration of a predetermined time period as well as other means determined by the system), generating the actionability metric for the first alert (Chor, Para. 0321, metrics analysis workspace built into product; in-application collection guidance; self-service, and easy deployment), the actionability metric indicating a third level of interaction (Chor, Para. 0371, actionable alert definition 2310 is shown to include associated notable event type information 2312, recipient address/location/ID information 2320, multiple recipient scheme information 2322, time-to-live information 2324, timeout disposition information 2326, title information 2330, short description information 2332, snapshot information 2334, dynamic information 2336, invokable action information 2340, and other information 2318). Therefore, it would have been obvious to someone ordinary skill in the art before the effective filling date of the claimed invention to have modified Chor, SRIVASTAV and Sopan to incorporate the teachings of Luzader to include wherein generating the actionability metric comprises: responsive to determining that uniform resource identifier has not been activated within the predetermined period of time (Luzader, Col. 7, Lines, 11-14), generating the actionability metric for the first alert (Chor, Para. 0321), the actionability metric indicating a third level of interaction (Chor, Para. 0371). Doing so would aid to allow two parties to communicate and exchange data securely and openly between themselves with built-in mechanisms for detection of message interception as well as assurance that messages or transactions are not stored indefinitely after being viewed (Luzader, Col. 1, Lines. 56-62). Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Rungta (US-11863563-B1) teaches an access policy can be determined using the observed access and usage of various resources covered under that policy. Information about access requests received over a period of time can be logged, and actions represented in the log data can be mapped to the permissions of the access policy. A new access policy can be generated that includes grant permissions only for those actions that were received and/or granted during the monitored period of time. The new policy can be processed using policy logic to ensure that changes in permission comply with rules or policies for the target resources. The new policy can be at least partially implemented, or can be provided to an authorized user, who can choose to adopt or deny the new policy, or to accept some of the recommendations for modifying the current policy. Chiloyan (US-20020083228-A1) teaches a method and system for using a peripheral device identifier obtained from a peripheral device to determine a network address from a database, or generate the network address based on the identifier. Information related to the peripheral device is obtained from a remote device at the network address. The method includes automatically transferring at least one identifier from the peripheral device to a host device when the peripheral device is connected to the host device. The step of transferring is preferably done during or after enumeration of the peripheral device, such as occurs when a USB device is connected to a computer. The identifier is used as an index to automatically determine a network address from a database on the host device or a remote device, or to automatically generate a network address. Then, communication occurs between the host device and a remote device or other source of the information indicated by the network address. For example, the host device may download a device driver for the peripheral device from the remote device or from another peripheral device connected to the host device indicated by the network address. Wada (US-20150120914-A1) teaches a method detects a request higher than the baseline in baseline monitoring and stores the request in an outlier request DB. The method selects a common pattern from requests stored in the outlier request DB, differentiates between a request including the pattern and a request not including the pattern, and monitors them with different baselines as different services. MATOBA (US-20110149343-A1) teaches an image processing apparatus having a file server function and capable of using a path notification function according to the way in which the image processing apparatus is utilized by a user. The image forming apparatus does not perform a URI notification, if an image data file is stored into a storage unit of the apparatus via the file server function, or if the file is stored via the file server function from an unregistered data storage source, or if the file was not created by an MFP job, or if the file is stored via the file server function and has a registered file type. Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to GITA FARAMARZI whose telephone number is (571)272-0248. The examiner can normally be reached Monday- Friday 9:00 am- 6:00 pm. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge L. Ortiz-Criado can be reached at 571-272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /GITA FARAMARZI/Examiner, Art Unit 2496 /SHAHRIAR ZARRINEH/Primary Examiner, Art Unit 2496
Read full office action

Prosecution Timeline

Dec 20, 2021
Application Filed
Jan 11, 2024
Non-Final Rejection — §103
Mar 19, 2024
Interview Requested
Apr 12, 2024
Applicant Interview (Telephonic)
Apr 17, 2024
Examiner Interview Summary
Apr 23, 2024
Response Filed
Jun 21, 2024
Final Rejection — §103
Sep 06, 2024
Interview Requested
Sep 19, 2024
Response after Non-Final Action
Sep 19, 2024
Notice of Allowance
Nov 13, 2024
Response after Non-Final Action
Dec 19, 2024
Request for Continued Examination
Dec 23, 2024
Response after Non-Final Action
Jan 24, 2025
Non-Final Rejection — §103
May 23, 2025
Interview Requested
Jun 10, 2025
Applicant Interview (Telephonic)
Jun 24, 2025
Examiner Interview Summary
Jun 27, 2025
Response Filed
Sep 19, 2025
Final Rejection — §103
Apr 04, 2026
Response after Non-Final Action

Precedent Cases

Applications granted by this same examiner with similar technology. Study what changed to get past this examiner.

Patent 12339997
ENTITY FOCUSED NATURAL LANGUAGE GENERATION
2y 5m to grant Granted Jun 24, 2025
Patent 12316648
Data value classifier
2y 5m to grant Granted May 27, 2025
Patent 12301564
VIRTUAL SESSION ACCESS MANAGEMENT
2y 5m to grant Granted May 13, 2025
Patent 12256022
BLOCKCHAIN TRANSACTION COMPRISING RUNNABLE CODE FOR HASH-BASED VERIFICATION
2y 5m to grant Granted Mar 18, 2025
Patent 12242613
AUTOMATED EVALUATION OF MACHINE LEARNING MODELS
2y 5m to grant Granted Mar 04, 2025

AI Strategy Recommendation

Click below to generate an AI-powered prosecution strategy using examiner precedents, rejection analysis, and claim mapping.
Powered by AI — typically takes 5-10 seconds

Prosecution Projections

5-6
Expected OA Rounds
54%
Grant Probability
90%
With Interview (+35.8%)
3y 4m
Median Time to Grant
High
PTA Risk
Based on 74 resolved cases by this examiner