DETAILED ACTION
Remarks
1. Pending claims for consideration are claims 1, 3-8, 11-15, and 17-24. Claims 1, 8, 15, and 22 have been amended. Claims 2, 9-10, and 16 have been cancelled. Claim 24 is new.
Response to Arguments
2. Applicant's arguments filed 11/19/2025 are moot in view of grounds of new rejection
In the remarks, applicant argues in substance:
That- Applicant submits Medalion does not disclose or suggest an ML model that " includes multiple decision trees with each decision tree constructed using different multi-dimensional features extracted from different historical PII data elements and Medalion does not disclose or suggest multiple decision trees with each decision tree constructed using different multi-dimensional features extracted from different historical PII data elements.
In response to applicants argument – It is the combination of Medelion Lefever that teaches the claimed language, neither Madalion or Lafever alone. Mumcuyan teaches extracting distinct groups of historical user and identity attributes (e.g. demographic data, device characteristic, transaction behavior, and prior authentication outcomes) and forming corresponding feature vectors for training different machine learning models, including decision trees and ensemble methods such as random forests (Mumcuyan [par.0034-0042], Mumcuyan [0055-0063], Mumcuyan [0074-0081]). Mumcuyan further explains that different classifiers are trained using different subsets and dimensions of these features to improve classification accuracy and risk assessment (Mumcuyan [par.0064-0069]), which inherently results in multiple decision trees each built from different multi0dimensional feature inputs extracted from different historical PII data elements.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
3. Claims 1, 3-8, 11-15, and 17-24 are rejected under 35 U.S.C. 103 as being unpatentable over Pub.No.: US 2021/0125615 A1 to MEDALION et al (hereafter referenced as Medalion) in view of Patent No.: US 10,043,035 B2 to LaFever et al (hereafter referenced as Lafever), in further view of Pub.No.: US 2021/0287069 A1 to Mumcuyan et al(hereafter referenced as Mumcuyan.
Regarding claim 1, Medalion discloses “a method comprising: receiving, by a computing device, a data access event, wherein the data access event relates to a data element (receiving output from the BILSTM Neural network model, the output indicating one or more text data elements [Fig.4/item 406]) ; “determining, by the computing device, whether the data element is a personally identifiable information (PII) data element (The BiLSTM neural network models described herein are trained on labelled datasets including PII to identify the PII both directly and by context [par.0034]) ; “responsive to a determination that the data element is a PII data element: predicting, by the computing device using a machine learning (ML) model”(PI detection and removal system [Fig.1/item 100]).
Medalion does not explicitly disclose “a PII protection policy appropriate for the PII data element, and applying, by the computing device, the PII protection policy to the PII data element to modify or alter the PII data element into an obfuscated state as specified by the applied PII protection policy to anonymize the PII data element; and returning, by the computing device, the data access event including the PII data element in the obfuscated state with the PII protection policy”
However, Lafever in an analogous art discloses “a PII protection policy appropriate for the PII data element” (policy engine Lafever[Fig.1r]); “and applying, by the computing device, the PII protection policy to the PII data element to modify or alter the PII data element into an obfuscated state (data and transmission is encrypted and obfuscated during transmission Lafever [Col.25/lines 48-50]) as specified by the applied PII protection policy to anonymize the PII data element;” In Step ( 2 ) , based at least in part on the determined DLDs , the data 30 elements may be dynamically anonymized by means of Disassociation Lafever[Col.54/lines 28-31]), “returning, by the computing device, the data access event including the PII data element in the obfuscated state with the PII protection policy applied”( Policy external to the system would determine which information may be relevant for different incidents and stages of incidents, as well as what level of obfuscation/transparency is appropriate at different times so not all information would be released at once and so that irrelevant but sensitive information would not be released without cause Lafever [Col.57/lines 4-10]).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Medalion’s Machine learning based detection and removal of personally identifiable information with Lafever’s Policy enforcement utilizing PII in order to provide additional security. One of ordinary skill would have been motivated to combine because Medalion discloses a learning-based detection and removal of personally identifiable information, LaFever teaches a policy enforcement process utilizing obfuscation PII data and both are from the same field of endeavor.
Niether Medalion, Lafever explicitly discloses “wherein the ML model includes decision trees with each decision constructed using different multi-dimensional features extracted from different historical PII data elements.”
However, Mumcuyan in an analogous art discloses “wherein the ML model includes decision trees with each decision constructed using different multi-dimensional features extracted from different historical PII data elements” (Mumcuyan explains that different classifiers are trained using different subsets and dimensions of these features to improve classification accuracy and risk assessment Mumcuyan [par.0064-0072] aso see (after collecting such a dataset with true / false positives , binary classifier model 320 is built using a Booster classifier , such as the CatBoost , that uses gradient boosting on decision trees Mumcuyan [par.0060]).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Medalion’s Machine learning based detection and removal of personally identifiable information and LaFever’s Policy enforcement utilizing PII with Mumcuyan’s classifier model utilized in its machine learning system in order to provide additional security. One of ordinary skill would have been motivated to combine because Medalion discloses a learning-based detection and removal of personally identifiable information, LaFever teaches a policy enforcement process utilizing PII, Mumcuyan discloses a CatBoost classifier model utilized in its machine learning system and all are from the same field of endeavor.
Regarding claim 3 in view of claim 1, neither Medalion nor Lafever explicitly discloses “wherein the ML model includes a CatBoost classifier” (after collecting such a dataset with true / false positives , binary classifier model 320 is built using a Booster classifier , such as the CatBoost , that uses gradient boosting on decision trees Mumcuyan [par.0060]).
Regarding claim 4 in view of claim 1, the references combined disclose “wherein the ML model (machine learning model Medalion[Fig.1/item 108]) is trained with training data comprising historical PII protection data” (To generate even more training data , variations of PII redactions may be introduced Medalion[par.0044]).
Regarding claim 5 in view of claim 1, the references combined disclose “further comprising, responsive to a determination that the data element is not a PII data element, returning, by the computing device, the data access event” (unsupervised and supervised machine learning Medalion[par.0024-par.0025]).
Regarding claim 6 in view of claim 1, the references combined disclose “wherein determining whether the data element is a PII data element includes querying a PII metadata repository, wherein the PII metadata repository maintains PII data of an organization”( algorithms to analyze the schemata , metadata , structure , etc . , of a data set to determine algorithmic actions LaFever[Col.20/lines 3-9]).
Regarding claim 7 in view of claim 1, the references combined disclose “wherein the data access event is from another computing device” (i/o devices /interfaces Medalion[Fig.5/item 504]).
Regarding claim 8, Medalion discloses “a computing device comprising: one or more non-transitory machine-readable mediums configured to store instructions; and one or more processors configured to execute the instructions stored on the one or more non-transitory machine-readable mediums, wherein execution of the instructions causes the one or more processors to carry out a process comprising: receiving a data access event, wherein the data access event relates to a data element” (receiving output from the BILSTM Neural network model, the output indicating one or more text data elements [Fig.4/item 406]); determining whether the data element is a personally identifiable information (PII) data element” (The BiLSTM neural network models described herein are trained on labelled datasets including PII to identify the PII both directly and by context [par.0034]); responsive to a determination that the data element is a PIT data element: predicting, using a machine learning (ML) model” (PI detection and removal system [Fig.1/item 100])
Medalion does not explicitly disclose “a PII protection policy appropriate for the PII data element; and applying the PII protection policy to the PII data element to modify or alter the PII data element into an obfuscated state as specified by the applied PII protection policy to anonymize the PII data element; and returning the data access event including the PII data element into an obfuscated state with the PII protection policy applied.”
However, Lafever in an analogous art discloses “a PII protection policy appropriate for the PII data element” (policy engine Lafever[Fig.1r]);; “and applying the PII protection policy to the PII data element to modify or alter the PII data element into an obfuscated state(data and transmission is encrypted and obfuscated during transmission Lafever [Col.25/lines 48-50]) as specified by the applied PII protection policy to anonymize the PII data element;” In Step ( 2 ) , based at least in part on the determined DLDs , the data 30 elements may be dynamically anonymized by means of Disassociation Lafever[Col.54/lines 28-31]), “and returning the data access event including the PII data element into an obfuscated state with the PII protection policy applied” ( Policy external to the system would determine which information may be relevant for different incidents and stages of incidents, as well as what level of obfuscation/transparency is appropriate at different times so not all information would be released at once and so that irrelevant but sensitive information would not be released without cause Lafever[Col.57/lines 4-10]).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Medalion’s Machine learning based detection and removal of personally identifiable information with LaFever’s Policy enforcement utilizing PII in order to provide additional security. One of ordinary skill would have been motivated to combine because Medalion discloses a learning-based detection and removal of personally identifiable information, LaFever teaches a policy enforcement process utilizing obfuscation PII data and both are from the same field of endeavor.
Niether Medalion nor Lafever explicitly discloses “wherein the ML model includes decision trees with each decision constructed using different multi-dimensional features extracted from different historical PII data elements”
However, Mumcuyan in an analogous art discloses “wherein the ML model includes decision trees with each decision constructed using different multi-dimensional features extracted from different historical PII data elements” (Mumcuyan explains that different classifiers are trained using different subsets and dimensions of these features to improve classification accuracy and risk assessment Mumcuyan [par.0064-0072] aso see (after collecting such a dataset with true / false positives , binary classifier model 320 is built using a Booster classifier , such as the CatBoost , that uses gradient boosting on decision trees Mumcuyan [par.0060]).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Medalion’s Machine learning based detection and removal of personally identifiable information and LaFever’s Policy enforcement utilizing PII with Mumcuyan’s classifier model utilized in its machine learning system in order to provide additional security. One of ordinary skill would have been motivated to combine because Medalion discloses a learning-based detection and removal of personally identifiable information, LaFever teaches a policy enforcement process utilizing PII, Mumcuyan discloses a CatBoost classifier model utilized in its machine learning system and all are from the same field of endeavor.
Regarding claim 11 in view of claim 8, the reference combined disclose “wherein the ML model(machine learning model Medalion[Fig.1/item 108]) is trained with training data comprising historical PII protection data” (To generate even more training data , variations of PII redactions may be introduced Medalion[par.0044]).
Regarding claim 12 in view of claim 8, the reference combined disclose “wherein the process further comprises, responsive to a determination that the data element is not a PII data element, returning the data access event” (unsupervised and supervised machine learning Medalion[par.0024-par.0025]).
Regarding claim 13 in view of claim 8, the reference combined disclose “wherein determining whether the data element is a PII data element includes querying a PII metadata repository, wherein the PII metadata repository maintains PII data of an organization” ( algorithms to analyze the schemata , metadata , structure , etc . , of a data set to determine algorithmic actions LaFever[Col.20/lines 3-9]).
Regarding claim 14 in view of claim 8, the reference combined disclose “wherein the data access event is from another computing device” (i/o devices /interfaces Medalion[Fig.5/item 504]).
Regarding claim 15, Medalion discloses “a non-transitory machine-readable medium encoding instructions that when executed by one or more processors cause a process to be carried out, the process including: receiving a data access event, wherein the data access event relates to a data element” (receiving output from the BILSTM Neural network model, the output indicating one or more text data elements [Fig.4/item 406]); “determining whether the data element is a personally identifiable information (PII) data element (PI detection and removal system [Fig.1/item 100]). “responsive to a determination that the data element is a PII data element” (PI detection and removal system [Fig.1/item 100]).
Medalion does not explicitly disclose “predicting, using a machine learning (ML) model, a PII protection policy appropriate for the PII data element; and applying the PII protection policy to the PII data element to modify or alter the PII data element into an obfuscated state as specified by the applied PII protection policy to anonymize the PII data element; and returning the data access event including the PII data element in the obfuscated state with the PII protection policy applied.
However, Lafever in an analogous art discloses ““predicting, using a machine learning (ML) model, a PII protection policy appropriate for the PII data element” (policy engine Lafever[Fig.1r]); “and applying the PII protection policy to the PII data element to modify or alter the PII data element into an obfuscated state (data and transmission is encrypted and obfuscated during transmission Lafever [Col.25/lines 48-50]) as specified by the applied PII protection policy to anonymize the PII data element” In Step ( 2 ) , based at least in part on the determined DLDs , the data 30 elements may be dynamically anonymized by means of Disassociation Lafever[Col.54/lines 28-31]), “and returning the data access event including the PII data element in the obfuscated state with the PII protection policy applied to anonymize the PII data element as specified by the applied PII protection policy.” ( Policy external to the system would determine which information may be relevant for different incidents and stages of incidents, as well as what level of obfuscation/transparency is appropriate at different times so not all information would be released at once and so that irrelevant but sensitive information would not be released without cause Lafever[Col.57/lines 4-10]).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Medalion’s Machine learning based detection and removal of personally identifiable information with LaFever’s Policy enforcement utilizing PII in order to provide additional security. One of ordinary skill would have been motivated to combine because Medalion discloses a learning-based detection and removal of personally identifiable information, LaFever teaches a policy enforcement process utilizing obfuscation PII data and both are from the same field of endeavor.
Niether Medalion nor Lafever explicitly disclose “wherein the ML model includes decision trees with each decision constructed using different multi-dimensional features extracted from different historical PII data elements.”
However, Mumcuyan in an analogous art discloses “wherein the ML model includes decision trees with each decision constructed using different multi-dimensional features extracted from different historical PII data elements” (Mumcuyan explains that different classifiers are trained using different subsets and dimensions of these features to improve classification accuracy and risk assessment Mumcuyan [par.0064-0072] aso see (after collecting such a dataset with true / false positives , binary classifier model 320 is built using a Booster classifier , such as the CatBoost , that uses gradient boosting on decision trees Mumcuyan [par.0060]).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Medalion’s Machine learning based detection and removal of personally identifiable information and LaFever’s Policy enforcement utilizing PII with Mumcuyan’s classifier model utilized in its machine learning system in order to provide additional security. One of ordinary skill would have been motivated to combine because Medalion discloses a learning-based detection and removal of personally identifiable information, LaFever teaches a policy enforcement process utilizing PII, Mumcuyan discloses a CatBoost classifier model utilized in its machine learning system and all are from the same field of endeavor.
Regarding claim 17 in view of claim 15, neither Medalion nor Lang explicitly disclose “wherein the ML model includes a CatBoost classifier” (after collecting such a dataset with true / false positives , binary classifier model 320 is built using a Booster classifier , such as the CatBoost , that uses gradient boosting on decision trees Mumcuyan [par.0060]).
Regarding claim 18 in view of claim 15, the references combined disclose “wherein the ML model (machine learning model Medalion[Fig.1/item 108]) is trained with training data comprising historical PIT protection data” (To generate even more training data , variations of PII redactions may be introduced Medalion[par.0044]).
Regarding claim 19 in view of claim 15, the references combined disclose “wherein the process further comprises, responsive to a determination that the data element is not a PII data element, returning the data access event” (unsupervised and supervised machine learning Medalion[par.0024-par.0025]).
Regarding claim 20 in view of claim 15, the references combined disclose “wherein determining whether the data element is a PII data element includes querying a PII metadata repository, wherein the PII metadata repository maintains PII data of an organization” ( algorithms to analyze the schemata , metadata , structure , etc . , of a data set to determine algorithmic actions LaFever[Col.20/lines 3-9]).
Regarding claim 21 in view of claim 1, the references combined disclose “wherein the ML model is trained with training data comprising historical PII data elements and PII protection policy applied to the historical PII data element to comply with enacted data protection and privacy regulations” (In some cases , pattern - based matchers 106 may be used to create training data for machine learning model ( s ) 108. The pattern - based matchers 106 may be based on regular expressions and / or dictionaries Medalion[par.0056]).
Regarding claim 22 in view of claim 3, the references combined disclose “wherein the CatBoost classifier uses the multi-class classification such that a result of the classification would be one of one or more different PII protection policies and the predicting, by the computing device using a machine learning (ML) model, a PII protection policy appropriate for the PII data element further comprises aggregating a prediction of each decision tree” ( Policy external to the system would determine which information may be relevant for different incidents and stages of incidents, as well as what level of obfuscation/transparency is appropriate at different times so not all information would be released at once and so that irrelevant but sensitive information would not be released without cause Lafever[Col.57/lines 4-10]).
Regarding claim 23 in view of claim 1, the references combined disclose “wherein the obfuscated state is an obscured state, a blurred state, or a blacked out state” ( Policy external to the system would determine which information may be relevant for different incidents and stages of incidents, as well as what level of obfuscation/transparency is appropriate at different times so not all information would be released at once and so that irrelevant but sensitive information would not be released without cause Lafever [Col.57/lines 4-10]).
Regarding claim 24 in view of claim 1, the references combined disclose wherein the multi-dimensional features comprise features extracted from a historical PII data element and a PII protection policy applied to the historical PII data element to comply with enacted data protection and privacy regulations, an element name, a data type, and an access channel” (In some cases , pattern - based matchers 106 may be used to create training data for machine learning model ( s ) 108. The pattern - based matchers 106 may be based on regular expressions and / or dictionaries Medalion[par.0056]).
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL D ANDERSON whose telephone number is (571)270-5159. The examiner can normally be reached Mon-Fri 9am-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached at (571) 272-6798. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MICHAEL D ANDERSON/Examiner, Art Unit 2433
/JEFFREY C PWU/Supervisory Patent Examiner, Art Unit 2433