DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This action is made non-final.
Claims 1-20 are pending. Claims 1, 19 and 20 are independent claims.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
Regarding claim 1:
Step 1: This part of the eligibility analysis evaluates whether the claim falls within any statutory category. See MPEP 2106.03. Claim 1 recites: A method performed by a computer system, the method comprising… Claim 1 is directed to a method (Step 1: YES).
Step 2A prong 1: Does the claim recite a judicial exception? Claim 1 recites: identifying one or more input time gaps within the input data set (identifying a time gap in an input data set is a mental process); for each input time gap of the one or more input time gaps, determining a corresponding set of input pre-gap features and a corresponding set of input post-gap features (determining features for time periods before and after a specified time period is a mental process, and/or can involve mathematical calculations); and classifying each of the one or more input time gaps as normal or anomalous… thereby determining one or more classifications, each classification of the one or more classifications indicating whether a corresponding input time gap of the one or more input time gaps is classified as normal or anomalous (classifying time periods as normal or anomalous based on features captured before and after the time period is a mental process). These steps can be performed mentally or are mathematical calculations (Step 2A prong 1: YES).
Step 2A prong 2: Does the claim recite additional elements? Do those additional elements, considered individually and in combination, integrate the judicial exception into a practical application? Claim 1 recites: obtaining a plurality of training data samples, each training data sample of the plurality of training data samples providing: (1) a training time gap between two training network events, each corresponding to a respective network resource, (2) a training label indicating whether the training time gap comprises a normal time gap or an anomalous time gap, (3) a set of pre-gap features corresponding to training network events that took place before the training time gap, and (4) a set of post-gap features corresponding to training network events that took place after the training time gap; training, using the plurality of training data samples, a machine learning model to classify time gaps as normal or anomalous based on sets of input pre-gap features and sets of input post-gap features; retrieving an input data set comprising a plurality of network event data records corresponding to a first network resource… by inputting each corresponding set of input pre-gap features and each corresponding set of input post-gap features into the machine learning model… Obtaining training data samples that provide a time gap, label, pre-gap and post-gap features is insignificant extra-solution activity of data gathering (See, e.g., CyberSource v. Retail Decisions and Electric Power Group, LLC v. Alstom S.A., both of which were found to merely perform data gathering or selecting a particular data source or type of data to be manipulated). Training the machine learning model using the selected data, and then inputting input data to obtain a classification result is an attempt to use the neural network model by merely applying the abstract idea (i.e., perform the mental processes) without placing any limits on how the neural network model operates. 
Further, the claim omits any details as to how the neural network model solves a technical problem and instead recites only the idea of a solution or outcome. See MPEP 2106.05(f). Thus, the limitation represents no more than mere instructions to implement the abstract idea which is equivalent to adding the words “apply it” to the recited judicial exception (Step 2A prong 2: NO).
Step 2B: These elements are recited at such a high level of generality that they fail to integrate the abstract idea into a practical application, since they only amount to data gathering or other insignificant extra-solution activity without significantly more (MPEP 2106.05(g)) or provide nothing more than mere instructions to implement an abstract idea on a generic computer (MPEP 2106.05(f)). These limitations, taken either alone or in combination, fail to provide an inventive concept (Step 2B: NO). Thus, the claim is not patent eligible.
Regarding claims 2-18, they recite limitations which further narrow the abstract idea by specifying more details of the mental and mathematical process that occurs (Claim 2, specifying that the model is a gradient boosted decision tree model or a neural network is still an attempt to apply the abstract idea on a generic computer; Claim 3, defining the pre-gap and post-gap features is still insignificant extra-solution activity of data gathering, or selecting a particular data source or type of data to be manipulated; Claim 4, defining input time gaps by using a difference between timestamps is a mental process or mathematical calculation; Claim 5, identifying pre/post gap data records is a mental process, and extracting features from the identified records is a mental process and/or involves mathematical calculations; Claim 6, specifying that the pre/post gap records come from specific time ranges is insignificant extra-solution activity of selecting a particular data source or type of data to be manipulated; Claim 7, specifying that the network events are access requests for a resource and that the access data includes requestor information is limiting the field of use without significantly more; Claim 8, specifying that the network is for resource access control for one or more resource providers and multiple requestors, and that the requests correspond to authorization requests, is also limiting the field of use without significantly more; Claim 9, retrieving data from a database is insignificant extra-solution activity of data gathering; Claim 10, specifying the requestor information includes a credential or identifier is selecting a particular data source or type of data to be manipulated; Claim 11, retrieving training data records is insignificant extra-solution activity of data gathering, while identifying gaps between events, determining labels for gaps and identifying pre and post gap data records are mental processes; Claim 12, determining if a data record is pre-gap based on a chronological ordering of records is a mental process; Claim 13, determining if a data record is post-gap based on a chronological ordering of records is a mental process; Claim 14, defining the pre and post gap time ranges or defining a predetermined number of pre- and post- gap records are selecting a particular data source or type of data to be manipulated; Claim 15, sorting records based on timestamps or time values is a mental process; Claim 16, determining an anomalous label based on if there is an anomalous record contained within a set of normal records is a mental process; Claim 17, including one or more normal and one or more anomalous data samples is selecting a particular data source or type of data to be manipulated, while applying the normal/anomalous labels to access requests made from within/outside a specified geographic region is limiting the field of use without significantly more; Claim 18, applying the method to user account access requests and using normal/anomalous classifications to represent requests made from within/outside a geographic region is limiting the field of use without significantly more).
Regarding claim 19:
Step 1: This part of the eligibility analysis evaluates whether the claim falls within any statutory category. See MPEP 2106.03. Claim 19 recites: A method performed by one or more processors of a computer system, the method comprising… Claim 19 is directed to a method (Step 1: YES).
Step 2A prong 1: Does the claim recite a judicial exception? Claim 19 recites: identifying a plurality of time periods in the historical access requests for when the historical access requests are made from devices outside of a specified geographic region (given a request dataset, identifying periods that contain requests that originate from outside a geographic region is a mental process)… generating a training set of the historical access requests that occur before and after each time period of the plurality of time periods (generating a set of requests that occur before and after time periods is a mental process); extracting a set of features from the access data of the training set of the historical access requests (extracting features from training data is a mental process and/or involves mathematical calculations)… extracting a plurality of first features from the first access data of the first set of access requests (extracting features from access data is a mental process and/or involves mathematical calculations); and determining… whether one or more of the time gaps occurred when the requestor was outside of the specified geographic region (determining if a requestor is inside or outside a region during a time gap given access data is a mental process). These steps can be performed mentally or are mathematical calculations (Step 2A prong 1: YES).
Step 2A prong 2: Does the claim recite additional elements? Do those additional elements, considered individually and in combination, integrate the judicial exception into a practical application? Claim 19 recites: receiving historical access requests for a set of resources managed by a network, each historical access request including access data identifying a resource of the set of resources and including requestor information of a requestor… training, using the set of features, a machine learning model to predict the time period when access requests occur from outside the specified geographic region based on a pattern of the training set of the historical access requests that occur before and after the time periods; receiving a first set of access requests for one or more first resources corresponding to a first requestor and managed by the network, the first set of access requests including first access data identifying a first resource of the one or more first resources and including first requestor information of the first requestor, wherein the first set of access requests include time gaps when no access requests occur… by inputting the plurality of first features into the machine learning model… Receiving historical access requests for resources, including requestor information, and receiving other access data that includes the resource that a requestor is attempting to access, as well as requestor information are insignificant extra-solution activity of data gathering or selecting a particular data source or type of data to be manipulated (See, e.g., CyberSource v. Retail Decisions and Electric Power Group, LLC v. Alstom S.A.). Including time gaps in the set of access requests where no access requests occur is similarly insignificant extra-solution activity of selecting a particular data source or type of data to be manipulated. 
Training the machine learning model using features from the historical data, and then inputting input feature data to obtain a classification result is an attempt to use the neural network model by merely applying the abstract idea (i.e., perform the mental processes) without placing any limits on how the neural network model operates. Further, the claim omits any details as to how the neural network model solves a technical problem and instead recites only the idea of a solution or outcome. See MPEP 2106.05(f). Thus, the limitation represents no more than mere instructions to implement the abstract idea which is equivalent to adding the words “apply it” to the recited judicial exception (Step 2A prong 2: NO).
Step 2B: These elements are recited at such a high level of generality that they fail to integrate the abstract idea into a practical application, since they only amount to data gathering or other insignificant extra-solution activity without significantly more (MPEP 2106.05(g)) or provide nothing more than mere instructions to implement an abstract idea on a generic computer (MPEP 2106.05(f)). These limitations, taken either alone or in combination, fail to provide an inventive concept (Step 2B: NO). Thus, the claim is not patent eligible.
Regarding claim 20, it is an apparatus that implements the method of claim 1 and is rejected on the same grounds – see above.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1-15 and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Gaddam et al. (WO 2020005263 A1), herein Gaddam, in view of Manolache et al. (US 20220327108 A1), herein Manolache, Sharma et al. (US 20240376813 A1), herein Sharma 813 and Carmichael et al. (US 11170295 B1), herein Carmichael.
Regarding claim 1, Gaddam teaches: A method performed by a computer system, the method comprising: obtaining a plurality of training data samples, each training data sample of the plurality of training data samples providing (¶98, The machine learning model may be trained using historical database access requests collected by the database server over the course of the requesting entity profile’s existence. These historical database access requests may be stored as feature vectors in a feature store): (1) a training event…, each corresponding to a respective network resource (¶98, trained using historical database access requests), (2) a training label indicating whether the training event comprises a normal event or an anomalous event (¶65, Feature vectors stored in feature store 110 may have corresponding labels, such as normal or anomalous), training, using the plurality of training data samples, a machine learning model to classify events as normal or anomalous (¶98, The machine learning model may be trained using historical database access requests) retrieving an input data set comprising a plurality of network event data records corresponding to a first network resource; identifying one or more input events within the input data set (Abstract, A method and system for protecting access to remote systems, such as resource databases containing sensitive resources, such as cryptographic keys or personally identifying information, is disclosed. A server can receive a plurality of access requests from a requesting entity – the access requests are events input into the model); and classifying each of the one or more input events as normal or anomalous by inputting… features into the machine learning model, thereby determining one or more classifications, each classification of the one or more classifications indicating whether a corresponding input event of the one or more input events is classified as normal or anomalous (¶7, The system can use the one or more classification thresholds to determine a current access classification for providing access to the current resource. The system can process the current access request in accordance with the current access classification to provide a specified access to the current resource – and – ¶13, These machine learning models accept database access requests or sequences of database access requests (referred to as “access sequences”) as feature vectors and produce anomaly scores. The anomaly scores can classify database access requests or access sequences as normal or anomalous).
Gaddam fails to explicitly teach: time gap between two training network events… time gaps.
However, in the same field of endeavor, Manolache teaches: time gap between two training network events… time gaps (¶77, In some embodiments, periods of inactivity, i.e., time gaps between events and/or time intervals when the respective client system is idle, registers no user activity, or carries out only internal system tasks, may also qualify as events). The interpretation of “event” to include time gaps or periods between events will also be applied to the rejections of dependent claims 2-18 below. Gaddam also discloses classifying feature vectors that correspond to event sequences, which contain time gaps.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to consider time gaps between events as events themselves as disclosed by Manolache in the method disclosed by Gaddam to enable adaptation to a variety of different event types (¶77, the systems and methods described herein may be adapted to analyzing other kinds of events, such as events related to a user's activity on social media, a user's browsing history, and a user's gaming activity, among others).
Gaddam in view of Manolache fails to teach: using (3) a set of pre-event features corresponding to training network events that took place before the training event, and (4) a set of post-event features corresponding to training network events that took place after the training event.
However, in the same field of endeavor, Sharma 813 teaches: using (3) a set of pre-event features corresponding to training… events that took place before the training event, and (4) a set of post-event features corresponding to training… events that took place after the training event (¶71, a tagging process can be performed that assigns labels to the portion of the data set that can be considered “healthy” to train the ML model. To accomplish this tagging process, the ESP log data can be processed by assigning a window of a fixed number of days before and after each event – and – ¶72, sliding windows can be defined and used to calculate feature data (e.g., mean, variance, and coefficient of variation) that captures temporal characteristics of the time-series operational data in the training set – i.e., using features extracted from a time period surrounding the event in question).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to train the model used in the method disclosed by Gaddam in view of Manolache using data taken from a time period before and a time period after an event as disclosed by Sharma 813 to provide context for the training process (¶71, The portion of the window prior to the event defines a zone of influence where the precursors to the event may be observable. The portion of the window after the event accounts for any inaccuracies in reported failure time and any potential changes in ESP behavior right after the event).
Gaddam in view of Manolache and Sharma 813 fails to teach: based on sets of input pre-event features and sets of input post-event features; for each input event of the one or more input events, determining a corresponding set of input pre-event features and a corresponding set of input post-event features… each corresponding set of input pre-event features and each corresponding set of input post-event features (Although Sharma 813 discloses using events taken from pre-event and post-event time periods in training, it does not disclose using those events on data after training).
However, in the same field of endeavor, Carmichael discloses classifying: based on sets of input pre-event features and sets of input post-event features; for each input event of the one or more input events, determining a corresponding set of input pre-event features and a corresponding set of input post-event features… and using each corresponding set of input pre-event features and each corresponding set of input post-event features in classification (Col. 11, line 12, For example, extracting processed sensor data that was collected within one-second of the occurrence of a suspect event (e.g., within a time window, which in this case is a little more than two-seconds—the time span of the suspect event plus one second for each side of the suspect event) and disregarding the other processed sensor data that were generated from raw sensor data collected before or after the time window (hereinafter simply “window”). Note that the ML learning windows may be any number of seconds including small windows from one to two seconds to 10 to 30 seconds or more. Also, using lookbacks (retaining state from previously processed windows) can help with accurate detection of anomalies – the processed sensor data, i.e., features). The consideration of other events preceding/ensuing the potentially anomalous event will also be applied to the rejections of dependent claims 2-18 below.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to use data from before and after an event is detected as disclosed by Carmichael in the method disclosed by Gaddam in view of Manolache and Sharma 813 to provide context for more effective anomaly detection (Col. 13, line 43, if sensor data collected after the anomalous event indicates or suggests that the user 22 was walking after the occurrence of the anomalous event, then it may be concluded that the anomalous event was in fact a non-fall event. On the other hand, if the user 22 is detected as laying on the ground and not moving for more than, for example, 15 seconds after the occurrence of the anomalous event, then it may be concluded that the anomalous event is in fact a fall event – although Carmichael discloses anomaly detection for falls and not network events, similar logic applies of context being useful).
Regarding claim 2, Gaddam further teaches: The method of claim 1, wherein the machine learning model comprises a gradient boosted decision tree model or a neural network (¶36, Examples of machine learning models include support vector machines, models that classifies data by establishing a gap or boundary between inputs of different classifications, as well as neural networks).
Regarding claim 3, Gaddam further teaches: The method of claim 1, wherein each set of pre-gap features and the one or more sets of input pre-gap features include one or more of the following: a pre-gap day of a week corresponding to a pre-gap network event data record, an pre-gap industry identifier corresponding to a resource provider associated with a pre-gap network event data record, a pre-gap category identifier corresponding to a resource provider associated with a pre-gap network event data record, a pre-gap time of day corresponding to a pre-gap network event data record (¶33, Database access requests may also include data or metadata about the database access request, such as where the request originated from, a timestamp corresponding to the request), a first cumulative amount corresponding to one or more pre-gap network event data records or one or more pre-gap training network event data records corresponding to a week long time period, a second cumulative amount corresponding to one or more pre-gap network event data records or one or more pre-gap training network event data records corresponding to a six month long time period, and a ratio of the first cumulative amount and the second cumulative amount; and wherein each set of post-gap features and the one or more sets of input post-gap features include one or more of the following: a post-gap day of a week corresponding to a post-gap network event data record, a post-gap industry identifier corresponding to a resource provider associated with a post-gap network event data record, a post-gap category identifier corresponding to a resource provider associated with a post-gap network event data record, a post-gap time of day corresponding to a post-gap network event data record (¶33, Database access requests may also include data or metadata about the database access request, such as where the request originated from, a timestamp corresponding to the request), and a third cumulative amount corresponding to one or more post-gap network event data records or one or more post-gap training network event data records corresponding to a two day time period.
Regarding claim 4, Gaddam in view of Sharma 813 and Carmichael fails to explicitly teach: The method of claim 1, wherein each input time gap is defined based on a difference between a first timestamp or first time value associated with a first input network event data records and a second timestamp or second time value associated with a second input network event data record.
However, in the same field of endeavor, Manolache teaches: wherein each input time gap is defined based on a difference between a first timestamp or first time value associated with a first input network event data records and a second timestamp or second time value associated with a second input network event data record (¶77, In some embodiments, periods of inactivity, i.e., time gaps between events and/or time intervals when the respective client system is idle, registers no user activity, or carries out only internal system tasks, may also qualify as events – and – ¶78, Event logging tools typically generate a list of event descriptors including a timestamp for each event – time gaps are between events, which are associated with timestamps).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to evaluate time gaps that are defined as time elapsed between events as disclosed by Manolache in the method disclosed by Gaddam in view of Sharma 813 and Carmichael to enable adaptation to a variety of different event types (¶77, the systems and methods described herein may be adapted to analyzing other kinds of events, such as events related to a user's activity on social media, a user's browsing history, and a user's gaming activity, among others).
Regarding claim 5, Gaddam in view of Manolache and Sharma 813 fails to teach: The method of claim 1, wherein determining the corresponding set of input pre-gap features and the corresponding set of input post-gap features for each input time gap comprises: identifying one or more pre-gap network event data records from the input data set, the one or more pre-gap network event data records corresponding to network events that occurred before the input time gap; identifying one or more post-gap network event data records from the input data set, the one or more post-gap network event data records corresponding to network events that occurred after the input time gap; extracting the corresponding set of input pre-gap features from the one or more pre-gap network event data records; and extracting the corresponding set of input post-gap features from the one or more post-gap network event data records.
However, in the same field of endeavor, Carmichael teaches: wherein determining the corresponding set of input pre-gap features and the corresponding set of input post-gap features for each input time gap comprises: identifying one or more pre-gap network event data records from the input data set, the one or more pre-gap network event data records corresponding to network events that occurred before the input time gap; identifying one or more post-gap network event data records from the input data set, the one or more post-gap network event data records corresponding to network events that occurred after the input time gap (Col. 11, line 12, For example, extracting processed sensor data that was collected within one-second of the occurrence of a suspect event (e.g., within a time window, which in this case is a little more than two-seconds—the time span of the suspect event plus one second for each side of the suspect event) and disregarding the other processed sensor data that were generated from raw sensor data collected before or after the time window); extracting the corresponding set of input pre-gap features from the one or more pre-gap network event data records; and extracting the corresponding set of input post-gap features from the one or more post-gap network event data records (Col. 2, line 53, operations to extract relevant data from the sensor data to provide windowed data, calculate feature values on the windowed data, and train the personalized ML model using the calculated feature values).
Regarding claim 6, Gaddam in view of Manolache and Sharma 813 fails to teach: The method of claim 5, wherein the one or more pre-gap network event data records comprise a predetermined pre-gap number of pre-gap network event data records or are defined by a pre-gap time range, wherein the one or more post-gap network event data records comprise a predetermined post-gap number of post-gap network event data records or are defined by a post-gap time range, wherein the pre-gap time range is less than or equal to a year, and wherein the post-gap time range is less than or equal to a year.
However, in the same field of endeavor, Carmichael teaches: wherein the one or more pre-gap network event data records comprise a predetermined pre-gap number of pre-gap network event data records or are defined by a pre-gap time range, wherein the one or more post-gap network event data records comprise a predetermined post-gap number of post-gap network event data records or are defined by a post-gap time range, wherein the pre-gap time range is less than or equal to a year, and wherein the post-gap time range is less than or equal to a year (Col. 11, line 12, For example, extracting processed sensor data that was collected within one-second of the occurrence of a suspect event (e.g., within a time window, which in this case is a little more than two-seconds—the time span of the suspect event plus one second for each side of the suspect event) and disregarding the other processed sensor data that were generated from raw sensor data collected before or after the time window (hereinafter simply “window”). Note that the ML learning windows may be any number of seconds including small windows from one to two seconds to 10 to 30 seconds or more).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize time ranges before and after the event that are less than a year as disclosed by Carmichael in the method disclosed by Gaddam in view of Manolache and Sharma 813 to provide relevant context for more effective anomaly detection (Col. 13, line 43, if sensor data collected after the anomalous event indicates or suggests that the user 22 was walking after the occurrence of the anomalous event, then it may be concluded that the anomalous event was in fact a non-fall event. On the other hand, if the user 22 is detected as laying on the ground and not moving for more than, for example, 15 seconds after the occurrence of the anomalous event, then it may be concluded that the anomalous event is in fact a fall event).
Regarding claim 7, Gaddam further teaches: The method of claim 1, wherein: the plurality of training data samples are derived from a plurality of training network events comprising a plurality of historical access requests for a set of resources managed by a network (¶98, The machine learning model may be trained using historical database access requests collected by the database server over the course of the requesting entity profile’s existence), each historical access request of the plurality of historical access requests including historical access data identifying a corresponding resource of the set of resources (¶94, These database access requests may include, for example, requests to query the database (also referred to as database read requests). For a resource database implemented as a relational database, this may include SQL or SQL-like statements such as “SELECT ‘keys’ FROM ‘secrets,’” a request to retrieve the ‘keys’ records from the ‘secrets’ table – the ‘secrets’ table name is an identification of a resource of the set of resources) and including requestor information of a corresponding requestor (¶33, Database access requests may also include data or metadata about the database access request, such as where the request originated from, a timestamp corresponding to the request, the API through which the request was made, a credential of a requesting entity making the request); and the plurality of network event data records comprise a plurality of access requests for a plurality of resources from the set of resources managed by the network (¶94, These database access requests may include, for example, requests to query the database (also referred to as database read requests). For a resource database implemented as a relational database, this may include SQL or SQL-like statements such as “SELECT ‘keys’ FROM ‘secrets,’” a request to retrieve the ‘keys’ records from the ‘secrets’ table), the plurality of network event data records including access data identifying the plurality of resources from the set of resources managed by the network, each access request including access data identifying a resource of the set of resources and including requestor information of a requestor (¶33, Database access requests may also include data or metadata about the database access request, such as where the request originated from, a timestamp corresponding to the request, the API through which the request was made, a credential of a requesting entity making the request).
Regarding claim 8, Gaddam further teaches: The method of claim 7, wherein the network comprises a resource access control network, wherein the set of resources correspond to one or more resource providers, and wherein the plurality of historical access requests (¶98, The machine learning model may be trained using historical database access requests collected by the database server over the course of the requesting entity profile’s existence) correspond to a plurality of historical authorization requests (¶93, one or more database access requests of the plurality of database access requests may include an entity credential. The entity credential may prove that the requesting entity is authorized to access the database), the plurality of historical authorization requests requesting authorization for a plurality of interactions between a plurality of requestors and the one or more resource providers (¶75, These requesting entity credentials may comprise, for example, username-password pairs or API keys used by requesting entities to access APIs and communicate with database server 200 – requesting entities, i.e., a plurality of requestors – also see: ¶65, Additionally, database servers 112 and 114 may write database access requests received from requesting entities 124 and 126 via APIs 116, 118, 120, and 122 to feature store 110).
Regarding claim 9, Gaddam further teaches: The method of claim 7, wherein the step of retrieving or generating the plurality of training data samples includes retrieving the plurality of historical access requests from a historical access request database (¶98, The machine learning model may be trained using historical database access requests collected by the database server over the course of the requesting entity profile’s existence. These historical database access requests may be stored as feature vectors in a feature store – and – ¶65, The feature vectors in feature store 110 may be used by database servers 112 and 114 to train machine learning models).
Regarding claim 10, Gaddam further teaches: The method of claim 7, wherein the requestor information includes a requestor credential associated with the requestor or a requestor identifier associated with the requestor (¶75, These requesting entity credentials may comprise, for example, username-password pairs or API keys used by requesting entities to access APIs and communicate with database server 200).
Regarding claim 11, Gaddam further teaches: The method of claim 1, wherein retrieving or generating the plurality of training data samples comprises: retrieving a plurality of training network event data records; identifying a plurality of training events (¶65, The feature vectors in feature store 110 may be used by database servers 112 and 114 to train machine learning models – and – ¶13, These machine learning models accept database access requests or sequences of database access requests (referred to as “access sequences”) as feature vectors and produce anomaly scores) determining a training label corresponding to the training event (¶65, Feature vectors stored in feature store 110 may have corresponding labels, such as normal or anomalous)… and generating a training data sample comprising the training event… the training label… thereby generating the plurality of training data samples (¶65, The feature vectors in feature store 110 may be used by database servers 112 and 114 to train machine learning models).
Gaddam fails to explicitly teach: a plurality of training time gaps, each training time gap being between a respective first training network event corresponding to a first training network event data record of the plurality of training network event data records and a respective second training network event corresponding to a second training network event data record of the plurality of training network event data records.
However, in the same field of endeavor, Manolache teaches: a plurality of training time gaps, each training time gap being between a respective first training network event corresponding to a first training network event data record of the plurality of training network event data records and a respective second training network event corresponding to a second training network event data record of the plurality of training network event data records (¶77, In some embodiments, periods of inactivity, i.e., time gaps between events and/or time intervals when the respective client system is idle, registers no user activity, or carries out only internal system tasks, may also qualify as events).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to consider time gaps between events as events themselves as disclosed by Manolache in the method disclosed by Gaddam and Sharma 813 to enable adaptation to a variety of different event types (¶77, the systems and methods described herein may be adapted to analyzing other kinds of events, such as events related to a user's activity on social media, a user's browsing history, and a user's gaming activity, among others).
Gaddam in view of Manolache fails to teach: and for each training time gap of the plurality of training time gaps… time gap, identifying one or more pre-gap training network event data records of the plurality of training network event data records, the one or more pre-gap training network event data records corresponding to training network events that occurred before the training time gap, identifying one or more post-gap training network event data records of the plurality of training network event data records, the one or more post-gap training network event data records corresponding to training network events that occurred after the training time gap, extracting a set of pre-gap features from the one or more pre-gap training network event data records, extracting a set of post-gap features from the one or more post-gap training network event data records… time gap… the set of pre-gap features, and the set of post-gap features.
However, in the same field of endeavor, Sharma A. teaches: and for each training time gap of the plurality of training time gaps… time gap, identifying one or more pre-gap training network event data records of the plurality of training network event data records, the one or more pre-gap training network event data records corresponding to training network events that occurred before the training time gap, identifying one or more post-gap training network event data records of the plurality of training network event data records, the one or more post-gap training network event data records corresponding to training network events that occurred after the training time gap (¶71, a tagging process can be performed that assigns labels to the portion of the data set that can be considered “healthy” to train the ML model. To accomplish this tagging process, the ESP log data can be processed by assigning a window of a fixed number of days before and after each event), extracting a set of pre-gap features from the one or more pre-gap training network event data records, extracting a set of post-gap features from the one or more post-gap training network event data records… time gap… the set of pre-gap features, and the set of post-gap features (¶72, sliding windows can be defined and used to calculate feature data (e.g., mean, variance, and coefficient of variation) that captures temporal characteristics of the time-series operational data in the training set).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to train the model used in the method disclosed by Gaddam in view of Manolache and Carmichael using data taken from a time period before and a time period after an event as disclosed by Sharma 813 to provide context for the training process (¶71, The portion of the window prior to the event defines a zone of influence where the precursors to the event may be observable. The portion of the window after the event accounts for any inaccuracies in reported failure time and any potential changes in ESP behavior right after the event).
Regarding claim 12, Gaddam further discloses: The method of claim 11, wherein identifying the one or more pre-gap training network event data records comprises determining the one or more pre-gap training network event data records based on a chronological ordering of a plurality of training network event data records (¶12, Access sequences may be ordered chronologically, for example, via timestamps corresponding to the database access requests. An access sequence may be used as a feature vector input to a machine learning model, in order for the machine learning model to produce an anomaly score output – and -- ¶65, The feature vectors in feature store 110 may be used by database servers 112 and 114 to train machine learning models), wherein the one or more pre-gap training network event data records comprise training network event data records corresponding to training network events that occurred before the first respective training network event based on the chronological ordering (¶12, Access sequences may be ordered chronologically). The selection of pre-gap records discussed in the claim 11 rejection already involves an implicit consideration of the chronological ordering of event records, i.e., records taken from before an event – see above.
Regarding claim 13, Gaddam further teaches: The method of claim 11, wherein identifying the one or more post-gap training network event data records comprises determining the one or more post-gap training network event data records based on a chronological ordering of a plurality of training network event data records (¶12, Access sequences may be ordered chronologically, for example, via timestamps corresponding to the database access requests. An access sequence may be used as a feature vector input to a machine learning model, in order for the machine learning model to produce an anomaly score output – and -- ¶65, The feature vectors in feature store 110 may be used by database servers 112 and 114 to train machine learning models), wherein the one or more post-gap training network event data records comprise training network event data records corresponding to training network events that occurred after the second respective training network event based on the chronological ordering (¶12, Access sequences may be ordered chronologically). The selection of post-gap records discussed in the claim 11 rejection already involves an implicit consideration of the chronological ordering of event records, i.e., records taken from after an event – see above.
Regarding claim 14, Gaddam in view of Manolache and Carmichael fails to teach: The method of claim 11, wherein the one or more pre-gap training network event data records comprise a predetermined pre-gap training number of pre-gap training network event data records or are defined by a pre-gap training time range, wherein the one or more post-gap training network event data records comprise a predetermined post-gap training number of post-gap training network event data records or are defined by a post-gap training time range, wherein the pre-gap training time range is less than or equal to a year, and wherein the post-gap training time range is less than or equal to a year.
However, in the same field of endeavor, Sharma 813 teaches: wherein the one or more pre-gap training network event data records comprise a predetermined pre-gap training number of pre-gap training network event data records or are defined by a pre-gap training time range, wherein the one or more post-gap training network event data records comprise a predetermined post-gap training number of post-gap training network event data records or are defined by a post-gap training time range, wherein the pre-gap training time range is less than or equal to a year, and wherein the post-gap training time range is less than or equal to a year (¶71, a tagging process can be performed that assigns labels to the portion of the data set that can be considered “healthy” to train the ML model. To accomplish this tagging process, the ESP log data can be processed by assigning a window of a fixed number of days before and after each event – the pre and post event time ranges are less than or equal to a year).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to train the model used in the method disclosed by Gaddam in view of Manolache and Carmichael using data taken from a time period before and a time period after an event as disclosed by Sharma 813 to provide context for the training process (¶71, The portion of the window prior to the event defines a zone of influence where the precursors to the event may be observable. The portion of the window after the event accounts for any inaccuracies in reported failure time and any potential changes in ESP behavior right after the event).
Regarding claim 15, Gaddam further teaches: The method of claim 11, further comprising chronologically sorting the plurality of training network event data records based on a plurality of timestamps or a plurality of time values corresponding to the plurality of training network event data records (¶12, Access sequences may be ordered chronologically, for example, via timestamps corresponding to the database access requests. An access sequence may be used as a feature vector input to a machine learning model, in order for the machine learning model to produce an anomaly score output).
Regarding claim 20, it is a system that recites similar limitations to the method of claim 1, and is rejected on the same grounds – see above.
Claim(s) 16 is/are rejected under 35 U.S.C. 103 as being unpatentable over Gaddam in view of Manolache, Sharma 813 and Carmichael as applied to claim 11 above, and further in view of Peng et al. (US 20200226735 A1), herein Peng.
Regarding claim 16, Gaddam in view of Manolache, Sharma 813 and Carmichael fails to teach: The method of claim 11, wherein the first training network event data record comprises a first normal training network event data record, wherein the second training network event data record comprises a second normal training network event data record, and wherein determining a training label comprises: determining if there are one or more intervening anomalous training network event data records between the first normal training network event data record and the second normal training network event data record; and if there are one or more intervening anomalous training network event data records between the first normal training network event data record and the second normal training network event data record, determining the training label as an anomalous training label, otherwise determining the training label as a normal training label.
However, in the same field of endeavor, Peng teaches: wherein the first training… data record comprises a first normal training… data record, wherein the second training… data record comprises a second normal training… data record, and wherein determining a training label comprises: determining if there are one or more intervening anomalous training… data records between the first normal training… data record and the second normal training… data record; and if there are one or more intervening anomalous training… data records between the first normal training… data record and the second normal training… data record, determining the training label as an anomalous training label, otherwise determining the training label as a normal training label (¶16, A binary label may be defined for the entire training image based on the presence of any anomalous parts in an image, which can be easily obtained in real-time without extensive labeling effort. The anomalous regions in the training images need not be defined, segmented or outlined. An adequate training image may be defined as having at least one anomalous pixel. Each training image may be labeled or annotated as and stored prior to training of the classifier 110. For example, a training image having an anomalous regions may be annotated as “positive” and a training image having no anomalous region may be annotated as “negative” – while Peng applies to images, the idea of classifying a group of related items as anomalous if one part is anomalous is applicable to non-image fields).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to classify sequences as anomalous if one or more part(s) is anomalous as disclosed by Peng in the method disclosed by Gaddam in view of Manolache, Sharma 813 and Carmichael to make the training process more efficient (¶16, By the application of image-level based annotation, the training process is greatly streamlined and can be completed with reduced effort).
Claim(s) 17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Gaddam in view of Manolache, Sharma 813 and Carmichael as applied to claim 1 above, and further in view of Sharma (US 20190197549 A1), herein Sharma 549.
Regarding claim 17, Gaddam teaches: The method of claim 1, wherein the plurality of training data samples are derived from a plurality of training network event data records, wherein the plurality of training data samples comprise one or more normal training data samples and one or more anomalous training data samples, wherein the plurality of training network event data records comprise one or more normal training network event data records and one or more anomalous training network event data records (¶65, The feature vectors in feature store 110 may comprise database access requests… Feature vectors stored in feature store 110 may have corresponding labels, such as normal or anomalous… feature vectors in feature store 110 may be used by database servers 112 and 114 to train machine learning models).
Gaddam in view of Manolache, Sharma 813 and Carmichael fails to teach: wherein a normal training network event data record comprises a network event data record corresponding to an access request made by a training user from within a specified geographic region, and wherein an anomalous training network event data record corresponds to an access request made by a training user from outside the specified geographic region.
However, in the same field of endeavor, Sharma 549 teaches: wherein a normal training network event data record comprises a network event data record corresponding to an access request made by a training user from within a specified geographic region, and wherein an anomalous training network event data record corresponds to an access request made by a training user from outside the specified geographic region (¶49, one may determine that the IP address of a source device that initiates the request is relevant in detecting fraudulent transaction request because an IP address corresponding to a geographical region that is far away from the IP address normally used by the user account may be indicative that the user account is being accessed by an unauthorized user).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to label access requests made from unusual locations as anomalous as disclosed by Sharma 549 in the method disclosed by Gaddam in view of Manolache, Sharma 813 and Carmichael because access request location may be a useful feature in determining possible fraudulent activity (¶49, many data types related to a request may be inspected to determine if the data is relevant in detecting a possible fraudulent transaction request).
Claim(s) 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Gaddam in view of Manolache, Sharma 813, Carmichael, and Sharma 549 as applied to claim 17 above, and further in view of Zhou et al. (US 10320846 B2), herein Zhou.
Regarding claim 18, Gaddam further teaches: The method of claim 17, wherein: each training data sample of the plurality of training data samples corresponds to a corresponding training user and a corresponding training network resource (¶75, These requesting entity credentials may comprise, for example, username-password pairs or API keys used by requesting entities to access APIs and communicate with database server 200 – requesting entities are users, and the APIs/database data are network resources).
Gaddam in view of Manolache, Sharma 813, Carmichael and Sharma 549 fails to teach: wherein the corresponding training network resource comprises a corresponding training user account, the first network resource corresponding to the plurality of network event data records of the input data set comprises a first user account associated with a user.
However, in the same field of endeavor, Zhou teaches: wherein the corresponding training network resource comprises a corresponding training user account (Col. 7, line 9, In order to evaluate the performance of the access rules, the resource computer 110 may store access request information for each of the access requests that it receives. The access request information may include the parameters of each of the access requests and an indication of the access request outcome for the access request – and – Col. 2, line 18, the resource may be an electronic resource (e.g., stored data, received data, a computer account, a network-based account, an email inbox) – Col. 2, line 25, The term “access request” generally refers to a request to access a resource… The access request may include authorization information, such as a user name, account number, or password. The access request may also include and access request parameters – i.e., storing network event records for access requests possibly involving accessing a user account with authorization information), the first network resource corresponding to the plurality of network event data records of the input data set comprises a first user account associated with a user (Col. 2, line 18, the resource may be an electronic resource (e.g., stored data, received data, a computer account, a network-based account, an email inbox) – Col. 2, line 25, The term “access request” generally refers to a request to access a resource… The access request may include authorization information, such as a user name, account number, or password).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to update a system for access control using past user account access attempt information as disclosed by Zhou in the system used in the method disclosed by Gaddam in view of Manolache, Sharma 813, Carmichael and Sharma 549 to ensure that the system is up-to-date and accurate (Col. 7, line 49, The access rule generation system 130 may then re-generate the candidate access rules 134 based on the new or updated access request information and validity information. As such, the candidate access rules 134 may be based on the most recent patterns of fraudulent resource use and the most recent patterns of legitimate resource use).
Gaddam in view of Manolache, Sharma 813, Carmichael and Zhou fails to teach: a normal training label provided by a corresponding training data sample indicates that a corresponding training time gap comprises a time period during which no historical access requests were made by the corresponding training user of the corresponding training user account from outside the specified geographic region, an anomalous training label provided by a corresponding training data sample indicates that a corresponding training time gap comprises a time period during which one or more historical access requests were made by the corresponding training user of the corresponding training user account from outside the specified geographic region, a normal classification of the one or more classifications corresponding to the input data set indicates a prediction that the corresponding input time gap comprises a time period during which no access requests were made by the user from outside the specified geographic region, and an anomalous classification of the one or more classifications corresponding to the input data set indicates a prediction that the corresponding input time gap comprises a time period during which one or more access requests to one or more other resources were made by the user from outside the specified geographic region.
However, in the same field of endeavor, Sharma 549 teaches: a normal training label provided by a corresponding training data sample indicates that a corresponding training time gap comprises a time period during which no historical access requests were made by the corresponding training user of the corresponding training user account from outside the specified geographic region, an anomalous training label provided by a corresponding training data sample indicates that a corresponding training time gap comprises a time period during which one or more historical access requests were made by the corresponding training user of the corresponding training user account from outside the specified geographic region, a normal classification of the one or more classifications corresponding to the input data set indicates a prediction that the corresponding input time gap comprises a time period during which no access requests were made by the user from outside the specified geographic region, and an anomalous classification of the one or more classifications corresponding to the input data set indicates a prediction that the corresponding input time gap comprises a time period during which one or more access requests to one or more other resources were made by the user from outside the specified geographic region (¶49, one may determine that the IP address of a source device that initiates the request is relevant in detecting fraudulent transaction request because an IP address corresponding to a geographical region that is far away from the IP address normally used by the user account may be indicative that the user account is being accessed by an unauthorized user – i.e., labeling a transaction as fraudulent based on the unusual geographical location of the originating device).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to label access requests made from unusual locations as anomalous as disclosed by Sharma 549 in the method disclosed by Gaddam in view of Manolache, Sharma 813, Carmichael, and Zhou because location may be a useful feature in determining possible fraudulent activity (¶49, many data types related to a request may be inspected to determine if the data is relevant in detecting a possible fraudulent transaction request).
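For reference, the training-sample construction recited across claims 11-18 can be sketched as follows. This is an added illustration, not part of the Office action, the application, or any cited reference. The record fields, the three window features, the window size, and the choice to count the gap-opening and gap-closing records inside their windows are assumptions made for the sketch, and the sample records are constructed.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class AccessRecord:
    ts: int          # request time, epoch seconds
    resource: str    # identifier of the requested resource
    in_region: bool  # True = request came from inside the specified region


def window_features(records):
    """Summarise one pre-gap or post-gap window (illustrative feature set)."""
    deltas = [b.ts - a.ts for a, b in zip(records, records[1:])]
    return {
        "count": len(records),
        "mean_interarrival_s": mean(deltas) if deltas else 0.0,
        "distinct_resources": len({r.resource for r in records}),
    }


def build_training_samples(records, window=3, min_gap_s=0):
    """Turn raw access records into labelled time-gap training samples.

    1. Sort chronologically by timestamp (claim 15).
    2. Treat in-region records as normal, out-of-region as anomalous (claim 17).
    3. Each pair of consecutive normal records bounds one time gap (claim 11).
    4. The gap is labelled anomalous if any anomalous record lies between the
       two normal records, otherwise normal (claims 16 and 18).
    5. Pre-/post-gap features come from up to `window` normal records on each
       side, selected by chronological order (claims 12-14).
    """
    ordered = sorted(records, key=lambda r: r.ts)
    normal_idx = [i for i, r in enumerate(ordered) if r.in_region]
    normal = [ordered[i] for i in normal_idx]

    samples = []
    for k in range(len(normal) - 1):
        first, second = normal[k], normal[k + 1]
        gap_s = second.ts - first.ts
        if gap_s <= min_gap_s:
            continue  # too short to count as a time gap
        # Everything strictly between two consecutive normal records in the
        # full ordering is, by construction, an anomalous record.
        intervening = normal_idx[k + 1] - normal_idx[k] - 1
        pre = normal[max(0, k - window + 1): k + 1]   # short at the start
        post = normal[k + 1: k + 1 + window]          # short at the end
        samples.append({
            "gap_start": first.ts,
            "gap_end": second.ts,
            "gap_s": gap_s,
            "pre": window_features(pre),
            "post": window_features(post),
            "label": "anomalous" if intervening else "normal",
        })
    return samples


# Constructed sample data: two bursts of in-region activity with two
# out-of-region requests hidden in the quiet period between them.
T0 = 1_700_000_000
SAMPLE_RECORDS = [
    AccessRecord(T0 + 7200, "acct", True),
    AccessRecord(T0 + 0, "acct", True),
    AccessRecord(T0 + 4100, "keys", False),
    AccessRecord(T0 + 60, "acct", True),
    AccessRecord(T0 + 7320, "mail", True),
    AccessRecord(T0 + 120, "mail", True),
    AccessRecord(T0 + 4000, "acct", False),
    AccessRecord(T0 + 7260, "acct", True),
]

if __name__ == "__main__":
    for s in build_training_samples(SAMPLE_RECORDS):
        print(s["gap_s"], s["label"], s["pre"], s["post"])
```

Only the in-region records contribute features, so the same `window_features` extraction can be applied at inference time to a stream in which the out-of-region requests are not visible.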
Claim(s) 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Gaddam in view of Carmichael, Manolache and Sharma 549.
Regarding claim 19, Gaddam teaches: A method performed by one or more processors of a computer system, the method comprising: receiving historical access requests for a set of resources managed by a network (¶98, The machine learning model may be trained using historical database access requests collected by the database server over the course of the requesting entity profile’s existence. These historical database access requests may be stored as feature vectors in a feature store), each historical access request including access data identifying a resource of the set of resources (¶94, These database access requests may include, for example, requests to query the database (also referred to as database read requests). For a resource database implemented as a relational database, this may include SQL or SQL-like statements such as “SELECT ‘keys’ FROM ‘secrets,’” a request to retrieve the ‘keys’ records from the ‘secrets’ table) and including requestor information of a requestor (¶33, Database access requests may also include data or metadata about the database access request, such as where the request originated from… a credential of a requesting entity making the request); identifying a plurality of anomalous time periods in the historical access requests (¶65, The feature vectors in feature store 110 may comprise database access requests… Feature vectors stored in feature store 110 may have corresponding labels, such as normal or anomalous… feature vectors in feature store 110 may be used by database servers 112 and 114 to train machine learning models)… generating a training set of the historical access requests… extracting a set of features from the access data of the training set of the historical access requests (¶12, access sequence may be used as a feature vector input to a machine learning model, in order for the machine learning model to produce an anomaly score output); training, using the set of features, a machine learning model to predict the anomalous time period… based on a pattern of the training set of the historical access requests (¶65, feature vectors in feature store 110 may be used by database servers 112 and 114 to train machine learning models)… receiving a first set of access requests for one or more first resources corresponding to a first requestor and managed by the network, the first set of access requests including first access data identifying a first resource of the one or more first resources and including first requestor information of the first requestor (¶75, These requesting entity credentials may comprise, for example, username-password pairs or API keys used by requesting entities to access APIs and communicate with database server 200)… extracting a plurality of first features from the first access data of the first set of access requests; and determining, by inputting the plurality of first features into the machine learning model, whether one or more of the time periods are anomalous (¶13, These machine learning models accept database access requests or sequences of database access requests (referred to as “access sequences”) as feature vectors and produce anomaly scores. The anomaly scores can classify database access requests or access sequences as normal or anomalous)…
Gaddam fails to teach: that occur before and after each time period of the plurality of time periods… that occur before and after the time periods.
However, in the same field of endeavor, Carmichael teaches: that occur before and after each time period of the plurality of time periods… that occur before and after the time periods (Col. 11, line 12, For example, extracting processed sensor data that was collected within one-second of the occurrence of a suspect event (e.g., within a time window, which in this case is a little more than two-seconds—the time span of the suspect event plus one second for each side of the suspect event) and disregarding the other processed sensor data that were generated from raw sensor data collected before or after the time window (hereinafter simply “window”). Note that the ML learning windows may be any number of seconds including small windows from one to two seconds to 10 to 30 seconds or more. Also, using lookbacks (retaining state from previously processed windows) can help with accurate detection of anomalies).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to use data from before and after an event is detected as disclosed by Carmichael in the method disclosed by Gaddam to provide context for more effective anomaly detection (Col. 13, line 43, if sensor data collected after the anomalous event indicates or suggests that the user 22 was walking after the occurrence of the anomalous event, then it may be concluded that the anomalous event was in fact a non-fall event. On the other hand, if the user 22 is detected as laying on the ground and not moving for more than, for example, 15 seconds after the occurrence of the anomalous event, then it may be concluded that the anomalous event is in fact a fall event).
Gaddam in view of Carmichael fails to teach: wherein the first set of access requests include time gaps when no access requests occur… time gaps.
However, in the same field of endeavor, Manolache teaches: wherein the first set of access requests include time gaps when no access requests occur… time gaps (¶77, In some embodiments, periods of inactivity, i.e., time gaps between events and/or time intervals when the respective client system is idle, registers no user activity, or carries out only internal system tasks, may also qualify as event).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to consider time gaps between events as events themselves as disclosed by Manolache in the method disclosed by Gaddam and Carmichael to enable adaptation to a variety of different event types (¶77, the systems and methods described herein may be adapted to analyzing other kinds of events, such as events related to a user's activity on social media, a user's browsing history, and a user's gaming activity, among others).
Gaddam in view of Carmichael and Manolache fails to teach: periods for when the historical access requests are made from devices outside of a specified geographic region… when access requests occur from outside the specified geographic region… occurred when the requestor was outside of the specified geographic region…
However, in the same field of endeavor, Sharma 549 teaches: periods for when the historical access requests are made from devices outside of a specified geographic region… when access requests occur from outside the specified geographic region… occurred when the requestor was outside of the specified geographic region (¶49, one may determine that the IP address of a source device that initiates the request is relevant in detecting fraudulent transaction request because an IP address corresponding to a geographical region that is far away from the IP address normally used by the user account may be indicative that the user account is being accessed by an unauthorized user – the access request from an alternative location is classified as fraudulent, or anomalous).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to predict anomalous requests, such as requests from locations distant from a usual request location, as disclosed by Sharma 549, in the method disclosed by Gaddam in view of Carmichael and Manolache because these requests may be associated with fraud (¶49, many data types related to a request may be inspected to determine if the data is relevant in detecting a possible fraudulent transaction request).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Rezaeian et al. (US 20230298371 A1) discusses using a preceding or ensuing event in the prediction of an anomalous event; Buda et al. (US 20190362245 A1) discusses using data prior to the data element being examined; and Della Penna (US 20190220011 A1) discusses detecting anomalies via data taken from periods before and after the event.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HARRISON CHAN YOUNG KIM whose telephone number is (571)272-0713. The examiner can normally be reached Monday - Thursday 8:00 am - 4:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, CESAR PAULA can be reached at (571) 272-4128. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/HARRISON C KIM/ Examiner, Art Unit 2145
/CESAR B PAULA/ Supervisory Patent Examiner, Art Unit 2145