Prosecution Insights
Last updated: July 17, 2026
Application No. 18/153,706

PREVENTING INSIDER THREAT UTILIZING MACHINE LEARNING

Non-Final OA §103
Filed
Jan 12, 2023
Examiner
DHAKAD, RUPALI
Art Unit
2437
Tech Center
2400 — Computer Networks
Assignee
Saudi Arabian Oil Company
OA Round
4 (Non-Final)
37%
Grant Probability
At Risk
4-5
OA Rounds
0m
Est. Remaining
67%
With Interview

Examiner Intelligence

Grants only 37% of cases
37%
Career Allowance Rate
13 granted / 35 resolved
-20.9% vs TC avg
Strong +30% interview lift
Without
With
+30.0%
Interview Lift
resolved cases with interview
Typical timeline
3y 5m
Avg Prosecution
27 currently pending
Career history
74
Total Applications
across all art units

Statute-Specific Performance

§101
0.8%
-39.2% vs TC avg
§103
94.0%
+54.0% vs TC avg
§102
3.8%
-36.2% vs TC avg
§112
1.1%
-38.9% vs TC avg
Black line = Tech Center average estimate • Based on career data from 35 resolved cases

Office Action

§103
DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. Claims 1, 3-8, 10-15, 17-20 are pending. Claims 2, 9 and 16 were cancelled. Claims 1, 8 and 15 are amended. Claims 21-23 are newly added. Response to Arguments Applicant’s arguments filed on 02/18/2026 with respect to claim(s) 1, 7-8, 14-15 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument. Claim amendments of 02/18/2026 does not overcome with 112(f) claim interpretation. Therefore, examiner maintains 112(f) claim interpretation. Claim Interpretation The following is a quotation of 35 U.S.C. 112(f): (f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph: An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked. As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph: (A) the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; (B) the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and (C) the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitation(s) is/are: account (Claim 1, 8 and 15). “a machine learning module configured to: retrieve…initial USB logs…; generate…a trained ML model…; record subsequent USB activities of the user…; retrieve…the subsequent logs; analyze….the subsequent USB logs…; perform…a mitigation task; revoking…USB access of the user account in claims 15. Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof. If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claim(s) 1, 7-8, 14-15 and 21-23 are rejected under 35 U.S.C. 103 as being unpatentable over “Tian, Zhihong, et al. "User and entity behavior analysis under urban big data." ACM Transactions on Data Science 1.3 (2020): 1-19” (hereinafter “User and Entity Behavior Analysis under Urban Big Data”) in view of Siva Kumar et al. (U. S. PGPub. No. 2016/0088000 A1) (hereinafter: “Siva Kumar”) and Lim (U. S. Pat. No. 9,311,503 B2) (hereinafter “Lim”) Regarding Claim 1, “User and Entity Behavior Analysis under Urban Big Data” teaches: A method for mitigating insider threat to an organization, comprising (“User and Entity Behavior Analysis under Urban Big Data”: [Page 16:2, Section 1: Introduction, para 1, lines 7-9], there is an urgent need to prevent leakage of private data under urban big data scenarios. In urban big data security, threats from organization insiders are much more threatening; [Page 16, para 1, lines 5-6], In this article, we investigate the task of detecting insiders’ anomalous behaviors to prevent urban big data leakage): retrieving, from a database stored on a computing system of the organization, initial Universal Serial Bus (USB) logs recording initial USB activities of users of the organization (“User and Entity Behavior Analysis under Urban Big Data”: [page 16:5, Section 3.2 Feature extraction] and table 1 “thumb drives”, Therefore, we extract action features, action sequences, social features, and role features through data that are aggregated from different sources. Action features, where every instance is converted into a fixed-length vector, and action sequences are the most widely used in user behavior anomaly detection, while role features and social features are missing dimensions of users’ anomalous behavior detection); generating, based on at least a time attribute, a device ID attribute, and a data movement size attribute of the initial USB activities in the initial USB logs and using a machine learning (ML) module of an insider threat mitigation system, a trained ML model (“User and Entity Behavior Analysis under Urban Big Data”: [Page 16:4], para 1, lines 3-12], Similar to Refs [ 23 ] and [ 24 ], we use deep learning algorithms. [Page 16:17], Section 5: Conclusion], In this article, we examined the problem of detecting abnormal behaviors from insiders by considering four perspectives: action features, action sequence, social features, and role features. Our main contribution is the development and evaluation of a novel system that takes advantage of multiple models to learn a user’s normal pattern of behaviors to identify anomalous behaviors), wherein the time attribute indicates whether the initial USB activities occurred during working hours of the organization (“User and Entity Behavior Analysis under Urban Big Data”: [Page 16: 9, Table 1, Action features], Weekday log on/log off (users logged on or logged off during working time); After-working log on (users logged on or logged off beyond working time), wherein the device ID attribute indicates whether the initial USB activities involved any known malicious device ID (“User and Entity Behavior Analysis under Urban Big Data”: [Page 16: 9, Table 1, Action features], Num. device (number of thumb drives used)), wherein the data movement size attribute indicates size of data moved to USB devices of the organization (“User and Entity Behavior Analysis under Urban Big Data”: [Page 16: 9, Table 1, Action features], Files exe copy (users copied exe files to thumb drives) Files jpg copy (users copied jpg files to thumb drives, Files txt/doc/pdf copy (users copied txt/doc/pdf files to thumb drives) Files zip copy (users copied zip files to thumb drives)); recording subsequent USB activities of the users in subsequent USB logs (“User and Entity Behavior Analysis under Urban Big Data”: [page 16:8, Section 4.1, para 1, lines 6-9 and Page 16:9, para 1, lines 1-5] and Table 1], generates several kinds of logs (log on.csv, email.csv, device.csv, http.csv, file.csv, psychometric.csv) to characterize users’ daily activities consisting of normal behaviors and anomalous activities in one day…); further retrieving, from the database the subsequent USB logs (“User and Entity Behavior Analysis under Urban Big Data”: [Page 16:5, Section 3.2, para 1 lines 1-12], 3.2 Feature extraction: we extract action features, action sequences, social features, and role features through data that are aggregated from different sources. Action features, where every instance is converted into a fixed-length vector, and action sequences are the most widely used in user behavior anomaly detection, while role features and social features are missing dimensions of users’ anomalous behavior detection…); analyzing, based on the trained ML model and using an ML algorithm, the subsequent USB logs to detect an abnormal user activity as the insider threat (“User and Entity Behavior Analysis under Urban Big Data”: [Page 16:6, Section 3.3. Deep learning strategy: The MBS is devised to employ several kinds of deep learning techniques to control scale and detect whether these entries, such login and logout files, network traffic packets, or file access logs, show suspicious behaviors. It is a general assumption that observable changes in these files (e.g., changes in frequencies of sensitive file access and thumb drive uses) are indicative of anomalous behaviors that may cause data leakage); “User and Entity Behavior Analysis under Urban Big Data” does not explicitly disclose below claim limitation, generating….a Windows event ID, and performing, in response to the detected abnormal user activity and using a revoke access module of the insider threat mitigation system, a mitigation task of the computing system; wherein the insider threat is a user with authorized access to the USB devices of the organization and wherein the mitigation task comprises revoking, in response to the detected abnormal user activity, USB access of a user account associated with the detected abnormal user activity. However, in an analogous art, Siva Kumar teaches: generating…. a windows event ID (Siva Kumar: [0028], Security events may be generated in response to various types of activities including, without limitation: account logon/logoff activity, authentication activity, account management activity, process creation/termination activity, directory service activity, object access activity, application activity, file sharing activity, policy change activity, privileged use activity, system event activity, and so forth…[0029], exemplary security events, security event identifiers (windows event ID), and security event data that may be generated by one or more of user machines 110, server machines 120, and/or domain machines 130.) It would be obvious to a person having ordinary skill in the art, before the effective filing date of the invention, to modify “User and Entity Behavior Analysis under Urban Big Data’s method of detecting insiders’ anomalous behaviors to prevent urban big data leakage by applying Siva Kumar’s method of generating security events in order to detect the lateral movement of an attacker as soon as possible so that the scope of a breach can be determined and appropriate containment and remediation can be performed (Siva Kumar: [0004]). The “User and Entity Behavior Analysis under Urban Big Data” in view of Siva Kumar does not explicitly disclose: and performing, in response to the detected abnormal user activity and using a revoke access module of the insider threat mitigation system, a mitigation task of the computing system; wherein the insider threat is a user with authorized access to the USB devices of the organization and wherein the mitigation task comprises revoking, in response to the detected abnormal user activity, USB access of a user account associated with the detected abnormal user activity. However, in an analogous art, Lim teaches: (Lim: [Col 11, lines 31-42], An analysis tool 504 interacts with the intelligence server 510 to perform data analysis which includes trend analysis, resource utilization analysis, workforce productivity analysis, analyze effectiveness of policies, event correlation, anomaly detection, signature (or pattern) detection, threshold violation detection, detect information misuse, or fraud detection.) and performing, (Lim: . [Col 22, lines 35-39], (144) The remediation handler, 910 and 1010 (=revoke access module), is very similar in function to the obligation handler except it performs different functions. Remediation means additional actions taken that are different from what is being intercepted. Such actions are introduced solely by policies defined to “remediate), wherein the insider threat is a user with authorized access to the USB devices of the organization (Lim: [Col 59, lines 33-45], (410) Remediation refers to tasks not directly related to current trigger ought to be carried out. Remediation tasks can be just about anything. For example, common remediation tasks include: A user has change job within a company recently. The documents that a user was authorized to access may not be appropriate in the new job anymore (=user is authorized to access)…) and wherein the mitigation task comprises revoking, in response to the detected abnormal user activity, USB access of a user account associated with the detected abnormal user activity (Lim: [Col 16, lines 41-44], If the policy evaluation results in the requested event being denied, the PEP typically terminates the request and returns an error status that indicates access is denied (=revoking access) or the requested action cannot be performed. [Col 69, lines 32-67], (498) FIG. 19 shows blocking sending of a confidential document outside the company….The policy server decides not to grant approval 1812 to the send operation. The policy enforcer implements the decision by blocking the confidential message from being sent by the first user) A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify “User and Entity Behavior Analysis under Urban Big Data” in view of Siva Kumar by applying the well-known technique as disclosed by Lim’s method of performing remediation task by applying the policy evaluation results in the requested event being denied, the PEP typically terminates the request and returns an error status that indicates access is denied (=revoking access) or the requested action cannot be performed. The motivation is preventing unauthorized information usage When a particular pattern or anomaly is detected, a system may send a notification or perform a particular task (Lim: [Col 2, lines 64-65]). Regarding Claim 7, the “User and Entity Behavior Analysis under Urban Big Data” in view of Siva Kumar and Lim teaches: The method of claim 1 (see rejection of claim 1 above), sending, using a reporting module of the insider threat mitigation system, a report of the detected abnormal user activity to an incident response team of the organization for further analysis (Tim: [Col 11, lines 31-52], A reporting module 503 allows policy author and policy administrator to query and view document access activity, information usage activity and policy enforcement activity…Policy author and policy administrator can use the capabilities offered by the reporting and analysis module 502 to analyze effectiveness of a policy, analyze document access and information usage activity on a document or on a server, analyze policy enforcement activity, investigate cases of potential information misuse, detect information fraud…) A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify “User and Entity Behavior Analysis under Urban Big Data” in view of Siva Kumar and Lim by applying the well-known technique as disclosed by Lim’s method of providing report and results to intelligence server to further investigate potential misuse, information fraud, etc. The motivation is preventing unauthorized information usage When a particular pattern or anomaly is detected, a system may send a notification or perform a particular task (Lim: [Col 2, lines 64-65]). Regarding claim 8, “User and Entity Behavior Analysis under Urban Big Data” teaches: An insider threat mitigation system, comprising (“User and Entity Behavior Analysis under Urban Big Data”: [Page 16:2, Section 1: Introduction, para 1, lines 7-9], there is an urgent need to prevent leakage of private data under urban big data scenarios. In urban big data security, threats from organization insiders are much more threatening; [Page 16, para 1, lines 5-6], In this article, we investigate the task of detecting insiders’ anomalous behaviors to prevent urban big data leakage): a computer processor and memory storing instructions executable by the computer processor to perform insider threat mitigation, the instructions comprise (Lim: [Col 6, lines 34-43], A computer-readable medium may include any medium that participates in providing instructions to one or more processors for execution. Such a medium may take many forms including, but not limited to, nonvolatile, volatile, and transmission media. Nonvolatile media includes, for example, flash memory, or optical or magnetic disks. Volatile media includes static or dynamic memory, such as cache memory or RAM): This claim contains identical limitations found within that of claim 1 above albeit directed to a different statutory category (system medium). For this reason the same grounds of rejection are applied to claim 8. Regarding claim 14, this claim contains identical limitations found within that of claim 7 above albeit directed to a different statutory category (system medium). For this reason the same grounds of rejection are applied to claim 14. Regarding claim 15, “User and Entity Behavior Analysis under Urban Big Data” teaches: a machine learning (ML) module configured to (“User and Entity Behavior Analysis under Urban Big Data”: [Page 16:3, Section 2: Related Work, Para 3, lines 1-3], Machine learning and deep learning techniques have made considerable progress in many fields Machine learning and deep learning are increasingly applied to detect anomalous behaviors from inside organizations.): A system, comprising: a computing system of an organization; and an insider threat mitigation system comprising (“User and Entity Behavior Analysis under Urban Big Data”: [Page 16:4, Section 3.1: MBS design, para 1, lines 5-12], We designed this system by considering that users who are in the same group always have the same jobs, and role features can be extracted from these groups through their daily jobs, behaviors, and other data to justify detection to some extent. For instance, workers in the human resources sector are inclined to read resumes, send emails, and make phone calls throughout their working hours; if one employee seldom sends emails and makes phone calls but suddenly accesses some files that he or she never accessed before and begins frequently using removable drives when there are no major events in the company, this employee’s behavior is suspicious, and security officers should be vigilant): This claim contains identical limitations found within that of claim 1 above albeit directed to a different statutory category (system medium). For this reason the same grounds of rejection are applied to claim 15. Regarding Claim 21, the “User and Entity Behavior Analysis under Urban Big Data” in view of Siva Kumar and Lim teaches: The method of claim 1 (see rejection of claim 1 above), The “User and Entity Behavior Analysis under Urban Big Data” in view of Siva Kumar and and Lim does not explicitly disclose below claim limitation, however, in an analogous art, Siva Kumar teaches: wherein the Windows event ID comprises at least one selected from the group consisting of a Windows event ID 4688, a Windows event ID 4663, a Windows event ID 4656, and a Windows event ID 4658 (Siva Kumar: TABLE 1 provides for Security Event, Security Event ID, Security Event Data as “A new process has been created- 4688-Security ID”, “An attempt was made to access an object- 4663- Security ID, “ A handle to an object was requested-4656 Security ID”, “ The handle to an object was closed- 4658 Security ID). Regarding Claim 22, This claim contains identical limitations found within that of claim 21 above albeit directed to a different statutory category (system medium). For this reason the same grounds of rejection are applied to claim 22. Regarding Claim 23, This claim contains identical limitations found within that of claim 21 above albeit directed to a different statutory category (system medium). For this reason the same grounds of rejection are applied to claim 23. Claim(s) 3-4, 10-11, 17-18 are rejected under 35 U.S.C. 103 as being unpatentable over “Tian, Zhihong, et al. "User and entity behavior analysis under urban big data." ACM Transactions on Data Science 1.3 (2020): 1-19” (hereinafter “User and Entity Behavior Analysis under Urban Big Data”) in view of Siva Kumar et al. (U. S. PGPub. No. 2016/0088000 A1) (hereinafter: “Siva Kumar”) and Lim (U. S. Pat. No. 9,311,503 B2) (hereinafter “Lim”); and further in view of MISRA et al. (U. S. PGPub. No. 2019/0089577 A1) (hereinafter “Misra”). Regarding Claim 3, the “User and Entity Behavior Analysis under Urban Big Data” in view of Lim teaches: The method of claim 1 (see rejection of claim 1 above): The combination of the “User and Entity Behavior Analysis under Urban Big Data” in view of Lim does not explicitly disclose: retrieving, from the database, verified historical security incidence data records of the organization, wherein generating the trained ML model is further based on the verified historical security incidence data records. However, in an analogous art, Misra teaches: retrieving, from the database, verified historical security incidence data records of the organization (Misra: [0045] Referring to FIG. 2, in order to identify (non-linear) graphical sequence of actions, at 200, the log data receiver 102 is to receive as input historical incident (=verified security incidence) or defect log data (hereinafter also referred to as historical log data 104) with resolution notes and/or step, or steps to reproduce a defect. Further, the log data receiver 102 is to receive as input new incident or defect details (e.g., the new incident or defect 122)), wherein generating the trained ML model is further based on the verified historical security incidence data records (Misra: [0048], the training data for the machine learning model 118 may include features extracted from defect/incident details in the log (=verified security incidence) as inputs and incident action graphs as expected outputs. The trained machine learning model 118 may learn the latent patterns underlying ticket resolutions (or reproductions). A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify “User and Entity Behavior Analysis under Urban Big Data” in view of Siva Kumar and Lim by applying the well-known technique as disclosed by Misra of receiving historical incident in order to train the ML model. The motivation is to reproduce an incident (or defect), identification of a root cause of the incident (or defect), and/or resolution of the incident (or defect) (Misra: [0030]). Regarding Claim 4, the “User and Entity Behavior Analysis under Urban Big Data” in view of Siva Kumar, Lim and Misra teaches: The method of claim (see rejection of claim 3 above): generating, based on the initial USB logs and the verified historical security incidence data records, a training data set (Misra: [0054], With respect to training data (illustrated as Defect-1 to Defect-5), the training data may include historical log data 104 as training samples consisting of past ticket details and their corresponding resolutions consisting of sequences of actions), wherein the trained ML model is generated by the ML module using an ML algorithm based on the training data set (Misra: [0048], As disclosed herein, the training data for the machine learning model 118 may include features extracted from defect/incident details in the log as inputs and incident action graphs as expected outputs. [0050], If the ticket details are updated, training may again be performed by the machine learning model generator 116 using the modified data set) . A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify “User and Entity Behavior Analysis under Urban Big Data” in view of Siva Kumar and Lim by applying the well-known technique as disclosed by Misra of using historical incident (also called as historical log data) as a training data set in order to train the ML model. The motivation is to reproduce an incident (or defect), identification of a root cause of the incident (or defect), and/or resolution of the incident (or defect) (Misra: [0030]). Regarding claim 10, this claim contains identical limitations found within that of claim 3 above albeit directed to a different statutory category (system medium). For this reason the same grounds of rejection are applied to claim 10. Regarding claim 11, this claim contains identical limitations found within that of claim 4 above albeit directed to a different statutory category (system medium). For this reason the same grounds of rejection are applied to claim 11. Regarding claim 17, this claim contains identical limitations found within that of claim 3 above albeit directed to a different statutory category (system medium). For this reason the same grounds of rejection are applied to claim 17. Regarding claim 18, this claim contains identical limitations found within that of claim 4 above albeit directed to a different statutory category (system medium). For this reason the same grounds of rejection are applied to claim 18. Claim(s) 5 and 12, 19 are rejected under 35 U.S.C. 103 as being unpatentable over “Tian, Zhihong, et al. "User and entity behavior analysis under urban big data." ACM Transactions on Data Science 1.3 (2020): 1-19” (hereinafter “User and Entity Behavior Analysis under Urban Big Data”) in view of Siva Kumar et al. (U. S. PGPub. No. 2016/0088000 A1) (hereinafter: “Siva Kumar”) and Lim (U. S. Pat. No. 9,311,503 B2) (hereinafter “Lim”) and MISRA et al. (U. S. PGPub. No. 2019/0089577 A1) (hereinafter “Misra”); and further in view of KOCSIS et al. (U. S. PGPub. No. 2022/0030031 A1) (hereinafter “Kocsis”) Regarding Claim 5, the “User and Entity Behavior Analysis under Urban Big Data” in view of Siva Kumar and Lim and Misra teaches: The method of claim 4 (see rejection of claim 4 above): wherein generating the training data set comprises (Misra: [0054], With respect to training data (illustrated as Defect-1 to Defect-5), the training data may include historical log data 104 as training samples consisting of past ticket details and their corresponding resolutions consisting of sequences of actions): generating labeled training data of the training data set based on a portion of the initial USB logs that are correlated with the verified historical security incidence data records (Misra: [0066] These incident action graphs may be labelled as outputs in the training data for the machine learning model generator 116 as disclosed herein, where other ticket details (e.g., brief description, detailed description, etc.) may be used as input features) The combination of the “User and Entity Behavior Analysis under Urban Big Data” in view of Siva Kumar, Lim and Misra does not explicitly disclose: However, In an analogous art, Kocsis teaches: and generating unlabeled training data of the training data set based on a remaining portion of the initial USB logs that are not correlated with the verified historical security incidence data records (Kocsis: [0007], The most common one is incomplete supervision. Incomplete supervision assumes training data is mostly unlabeled and only a small subset of it is annotated. The second one is semi-supervised learning (SSL) which combines supervised learning and unsupervised learning together…[0022], generating a data set having both labelled and unlabeled data). wherein the ML algorithm comprises a semi-supervised machine learning algorithm (Kocsis: [0082], “hybrid semi-supervision machine learning,” which exploits domain knowledge to enable accurate results even in the presence of limited labeled data. Since labeled data expensive and limited, the manner in which the unlabeled data is utilized in semi-supervised learning models, will dramatically influence the quality of learned model. One method is to generate pseudo labels for unlabeled data which in turn helps to enlarge the training dataset. Another way is to utilize domain knowledge to supervise both labeled and unlabeled data). A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify “User and Entity Behavior Analysis under Urban Big Data” in view of Siva Kumar, Lim and Misra by applying the well-known technique as disclosed by Kocsis of semi-supervised machine learning by using small amount of labeled data and a large amount of unlabeled data in order to train a model and achieving high accuracy, significantly cheaper and easier to acquire. The motivation is to ensuring the integrity of a control commands and optimizing performance and security using the blockchain secured, software-defined network and monitoring system (Kocsis: [Abstract]). Regarding claim 12, this claim contains identical limitations found within that of claim 5 above albeit directed to a different statutory category (system medium). For this reason the same grounds of rejection are applied to claim 12. Regarding claim 19, this claim contains identical limitations found within that of claim 5 above albeit directed to a different statutory category (system medium). For this reason the same grounds of rejection are applied to claim 19. Claim(s) 6, 13 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over “Tian, Zhihong, et al. "User and entity behavior analysis under urban big data." ACM Transactions on Data Science 1.3 (2020): 1-19” (hereinafter “User and Entity Behavior Analysis under Urban Big Data”) in view of Siva Kumar et al. (U. S. PGPub. No. 2016/0088000 A1) (hereinafter: “Siva Kumar”), Lim (U. S. Pat. No. 9,311,503 B2) (hereinafter “Lim”), MISRA et al. (U. S. PGPub. No. 2019/0089577 A1) (hereinafter “Misra”) and KOCSIS et al. (U. S. PGPub. No. 2022/0030031 A1) (hereinafter “Kocsis”); and further in view of Bailey et al. (U. S. PGPub. No. 2022/0094703 A1) (hereinafter “Bailey”) Regarding Claim 6, the “User and Entity Behavior Analysis under Urban Big Data” in view of Siva Kumar, Lim, Misra and Kocsis teaches: The method of claim 5 (see rejection of claim 5 above): The combination of “User and Entity Behavior Analysis under Urban Big Data” in view of Siva Kumar, Lim, Misra and Kocsis does not explicitly disclose: wherein the initial USB logs and subsequent USB logs are generated by an Event Tracing for Windows (ETW) mechanism executing on the computing system, and wherein the verified historical security incidence data records are generated by an Endpoint Detection and Response (EDR) tool executing on the computing system. However, in an analogous art, Bailey teaches: wherein the USB logs are generated by an Event Tracing for Windows (ETW) mechanism executing on the computer system (Bailey: [0034] For example, as illustrated in FIG. 1A, enhanced endpoint agent 100 has a new event tracing source called Event Tracing for Windows (ETVV) source 130. Generally, ETW source 130 is a kernel-level event tracing facility (which is also referred to herein as an ETW provider) that can be used to log kernel or application-defined events to a log file (=USB logs). and wherein the verified historical security incidence data records are generated by an Endpoint Detection and Response (EDR) tool executing on the computing system (Bailey: [0011] In some embodiments, a method implementing the solution disclosed herein can comprising receiving, by an endpoint agent running on an endpoint, an instruction from a controller system (e.g., an EDR system, [0033], an endpoint agent 100 and its various components, including a plurality of sources of events. Different endpoint security systems, endpoint protection platforms, EDR systems, and the like may employ different endpoint agents to perform different functions). A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify “User and Entity Behavior Analysis under Urban Big Data” in view of Siva Kumar, Lim, Misra, and Kocsis by applying the well-known technique as disclosed by Bailey of using Event Tracing for Windows (ETVV) in order to trace log kernel of events and receiving instruction from Endpoint Detection and Response (EDR) systems in order to proactively detect and investigate advanced threat on individual devices. The motivation is to enhance the performance of the endpoint security system (Bailey: [0010]). Regarding claim 13, this claim contains identical limitations found within that of claim 6 above albeit directed to a different statutory category (system medium). For this reason the same grounds of rejection are applied to claim 13. Regarding claim 20, this claim contains identical limitations found within that of claim 6 above albeit directed to a different statutory category (system medium). For this reason the same grounds of rejection are applied to claim 20. Conclusion The prior art made of record and not relied upon is considered pertinent to applicant/s disclose. Refer to PTO-892, Notice of Reference Cited for a listing of analogous art. Khalil et al. (U. S. PGPub. No. 2022/0286472 A1): Autoencoder-based anomaly detection methods have been used in identifying anomalous users from large-scale enterprise logs with the assumption that adversarial activities do not follow past habitual patterns. Most existing approaches typically build models by reconstructing single-day and individual-user behaviors. However, without capturing long-term signals and group-correlation signals, the models cannot identify low-signal yet long-lasting threats, and will incorrectly report many normal users as anomalies on busy days, which, in turn, leads to a high false positive rate. A method is provided based on compound behavior, which takes into consideration long-term patterns and group behaviors. The provided method leverages a novel behavior representation and an ensemble of deep autoencoders and produces an ordered investigation list. Judson (U. S. PGPub. No. 2019/0108331 A1): An update change request that is made against attributes of a directory object causes automatically collection of customized information for an initiator of the request. A correlation identifier for the change request is generated. The changes to the attributes are processed to update the directory object and the customized information is updated to an extension attribute for the directory object. A unique audit event is raised for each changed attribute including the extension attribute and each audit event includes the correlation identifier. Jeansonne et al. (U. S. PGPub. No 2018/0232521 A1): A computer program product for providing notifications to a user of an intrusion into firmware includes, in one example, non-transitory computer readable medium including computer usable program code embodied therewith to, when executed by a processor, detect intrusion to the firmware of a computing system during runtime in a system management mode. Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to RUPALI DHAKAD whose telephone number is (571)270-3743. The examiner can normally be reached M-F 8:30-5:30. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Alexander Lagor can be reached at 5712705143. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /R.D./Examiner, Art Unit 2437 /ALI S ABYANEH/Primary Examiner, Art Unit 2437
Read full office action

Prosecution Timeline

Show 6 earlier events
Aug 18, 2025
Examiner Interview Summary
Sep 08, 2025
Response after Non-Final Action
Oct 07, 2025
Request for Continued Examination
Oct 10, 2025
Response after Non-Final Action
Nov 18, 2025
Non-Final Rejection mailed — §103
Feb 18, 2026
Response Filed
Apr 02, 2026
Final Rejection mailed — §103
Jun 01, 2026
Response after Non-Final Action

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12592937
Method For Protection From Cyber Attacks To A Vehicle, And Corresponding Device
3y 10m to grant Granted Mar 31, 2026
Patent 12587544
METHOD AND SYSTEM TO REMEDIATE A SECURITY ISSUE
4y 5m to grant Granted Mar 24, 2026
Patent 12513154
BLOCKCHAIN-BASED DATA DETECTION METHOD, APPARATUS, AND COMPUTER-READABLE STORAGE MEDIUM
3y 7m to grant Granted Dec 30, 2025
Patent 12495039
INTEGRATED AUTHENTICATION SYSTEM AND METHOD
3y 2m to grant Granted Dec 09, 2025
Patent 12468826
METHOD FOR OPERATING A PRINTING SYSTEM
3y 5m to grant Granted Nov 11, 2025
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

4-5
Expected OA Rounds
37%
Grant Probability
67%
With Interview (+30.0%)
3y 5m (~0m remaining)
Median Time to Grant
High
PTA Risk
Based on 35 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month