DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Status of Claims
This is the first office action on the merits in response to the application filed on 05/15/2023.
Claims 1-20 are currently pending and have been examined.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more.
Subject Matter Eligibility Criteria – Step 1:
Claims 1-12 are directed to a method, claims 13-19 are directed to a system, and claim 20 is directed to an article of manufacture. Therefore, these claims fall within the four statutory categories of invention.
Subject Matter Eligibility Criteria – Step 2A – Prong One:
Regarding Prong One of Step 2A of the Alice/Mayo test, the claim limitations are to be analyzed to determine whether, under their broadest reasonable interpretation, they “recite” a judicial exception or in other words whether a judicial exception is “set forth” or “described” in the claims. MPEP 2106.04(II)(A)(1). An “abstract idea” judicial exception is subject matter that falls within at least one of the following groups: a) certain methods of organizing human activity, b) mental processes, and/or c) mathematical concepts. MPEP 2106.04(a).
Representative independent claims 1, 13, and 20 include limitations that recite at least one abstract idea.
Claims 1, 13, and 20 are directed to the abstract idea of “obtaining one or more blockchains of transaction blocks for transactions involving digital currency; deriving from the one or more blockchains of transaction blocks a transaction graph of sequential transactions; applying clustering processing to the transaction graph to generate resultant one or more entity graphs representative of likely chains of digital currency transfers by respective one or more entities; extracting graph feature data based on the resultant one or more entity graphs; and applying classification processing to the extracted graph feature data to identify a suspected malicious entity from the one or more entities associated with the one or more entity graphs.” Under its broadest reasonable interpretation, this claim is directed to detecting illegal or suspicious digital currency transactions, and hence falls under organizing human activity (i.e., as fundamental economic practices).
Dependent Claims:
Claims 2 and 14 recite: wherein applying the classification processing comprises: applying a machine learning classification process to the extracted graph feature data to determine the suspected malicious entity; further describes the abstract idea of organizing human activity (i.e., as fundamental economic practices).
Claims 3 and 15 recite: wherein applying the classification processing comprises: applying a machine learning classification process to data derived based on the one or more entity graphs; wherein the machine learning classification process is trained using initial address data comprising one or more digital currency addresses associated with one or more rogue transactions; further describes the abstract idea of organizing human activity (i.e., as fundamental economic practices).
Claims 4 and 16 recite: wherein applying the machine learning classification process comprises: applying an ensemble of independent classification processes to the data derived based on the one or more entity graphs to separately determine, by the independent classification processes, respective classifications for one of the one or more entities; and determining a composite classification for the one or more entities based on the separate classifications determined by the independent classification processes; further describes the abstract idea of organizing human activity (i.e., as fundamental economic practices).
Claim 5 recites: wherein the transaction graph includes one or more starting nodes corresponding to the one or more digital currency addresses; further describes the abstract idea of organizing human activity (i.e., as fundamental economic practices).
Claims 6 and 17 recite: wherein extracting graph feature data comprises: determining from the one or more entity graphs one or more subgraphs; and computing for a subgraph, from the one or more determined subgraphs, one or more graph centralities, including one or more of: number of graph vertices, number of graph edges, total value of digital currency corresponding to the graph, number of graph loops, graph degree, graph neighborhood size, normalized closeness for one or more nodes of the graph, betweenness measure for the one or more nodes of the graph, a Page rank measure for the one or more nodes, cluster measure for the one or more nodes, coreness measure for the one or more nodes, or hub and authority measure for the one or more nodes; further describes the abstract idea of organizing human activity (i.e., as fundamental economic practices).
Claim 7 recites: wherein determining the one or more subgraphs comprises determining at least one of: an ego graph, or a simple graph; further describes the abstract idea of organizing human activity (i.e., as fundamental economic practices).
Claim 8 recites: wherein the transaction graph comprises transaction nodes in which a first transaction node specifies an output address associated with a second transaction node to which the first transaction node is connected; further describes the abstract idea of organizing human activity (i.e., as fundamental economic practices).
Claim 9 recites: wherein applying clustering processing to the transaction graph comprises applying the clustering processing to local areas of the transaction graph; further describes the abstract idea of organizing human activity (i.e., as fundamental economic practices).
Claims 10 and 18 recite: wherein applying clustering processing to the transaction graph comprises applying localized and/or temporal clustering processing to form clusters according to set of rules applied to input and output addresses of each transaction node in the transaction graph; further describes the abstract idea of organizing human activity (i.e., as fundamental economic practices).
Claims 11 and 19 recite: wherein deriving the transaction graph of sequential transactions comprises: identifying a particular address associated with a particular transaction; and generating a restricted transaction graph from the transaction graph that extends n transaction blocks upstream and downstream from the identified particular transaction with the identified particular address; further describes the abstract idea of organizing human activity (i.e., as fundamental economic practices).
Claim 12 recites: further comprising: removing transaction blocks from the restricted transaction graph that are determined to be associated with addresses of gambling or exchange sites; further describes the abstract idea of organizing human activity (i.e., as fundamental economic practices).
Subject Matter Eligibility Criteria – Step 2A – Prong Two:
Claims 1, 13, and 20 recite a generic computer as an additional element to the judicial exception in the preamble. Viewed individually and in combination, this additional element to the identified judicial exception of Step 2A.1 amounts to no more than mere instructions for detecting illegal or suspicious digital currency transactions on a generic computer. Therefore, at Step 2A.2, these additional elements do not act in combination to integrate the abstract idea into a practical application. The additional elements of claims 1, 13, and 20, considered both individually and as an ordered combination, do not amount to significantly more than the judicial exception because the additional element of a generic computer does no more than “[s]imply appending well-understood, routine, conventional activities previously known to the industry, specified at a high level of generality, to the judicial exception, e.g., a claim to an abstract idea requiring no more than a generic computer to perform generic computer functions that are well-understood, routine and conventional activities previously known to the industry.” See MPEP 2106.05 (citing to Alice Corp. Pty. Ltd. v. CLS Bank Int'l, 573 U.S. 208, 225 (2014)).
Therefore, claims 1, 13, and 20 are found ineligible under 35 U.S.C. 101.
Step 2B:
Viewed as a whole, the instructions/method claims recite the concept of “organizing human activity” (i.e., as fundamental economic practices) in detecting illegal or suspicious digital currency transactions, as performed by a generic computer. The method claims do not, for example, purport to improve the functioning of the computer itself. Nor do they effect an improvement in any other technology or technical field. Instead, the claims at issue amount to nothing significantly more than an instruction to apply the abstract idea using some unspecified, generic computer. See Alice Corp. Pty. Ltd., 573 U.S. 208. Mere instructions to apply the exception using a generic computer component and limitations to a particular field of use or technological environment cannot integrate a judicial exception into a practical application at Step 2A or provide an inventive concept in Step 2B. The use of a computer server to merely automate and/or implement the abstract idea cannot provide significantly more than the abstract idea itself (MPEP 2106.05(I)(A)(f) & (h)). Therefore, the claim is not patent eligible.
Claim Rejections - 35 USC § 103
5. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Xie et al. (US 10009358 B1) in view of Lee et al. (US 11316874 B2).
7. Regarding claims 1, 13, and 20, Xie discloses a method for identifying illegal digital currency transactions, (system to identify illegal digital currency transactions comprising: one or more memory devices to store processor-executable instructions and data; and a processor-based controller, coupled to the one or more memory devices, configured, a non-transitory computer readable media comprising computer instructions executable on a processor-based device), (Column 3/line 16),
obtaining one or more blockchains of transaction blocks for transactions involving digital currency, (Column 2/line 8, In general, one innovative aspect of the subject matter described in this specification can be embodied in methods that include the actions of generating a collection of hypergraphs representing user events across a collection of users; and Column 3/line 5, Generating the collection of hypergraphs includes obtaining event log data associated with the collection of users including one or more of login logs, signup logs, or transaction logs. Using the group of malicious user accounts or account activities as training data for a machine learning system that generates one or more classifiers further includes obtaining additional user accounts or account activities to use as good training data. The good training data and group of malicious user accounts or account activities are used to derive a set of rich features used to generate the one or more classifiers. The method further includes using the output additional malicious user accounts or account activities to derive a set of signals to combine with the one or more classifiers to provide real-time detection of future user events or user accounts.)
applying clustering processing to the transaction graph to generate resultant one or more entity graphs representative of likely chains of digital currency transfers by respective one or more entities, (Column 2/line 32, The foregoing and other embodiments can each optionally include one or more of the following features, alone or in combination. In particular, one embodiment includes all the following features in combination. Each hypergraph includes nodes corresponding to a feature profile associated with user accounts or events and edges indicating a relationship between nodes. Analyzing the collection of hypergraphs to determine a group of malicious user accounts or account activities includes: applying one or more community detection techniques to the hyper graphs to identify suspicious sub-graph components; determining that the nodes associated with the suspicious sub-graph components are suspicious; and outputting accounts or events associated with the suspicious sub-graph components as candidate malicious accounts or events. The method further includes examining the candidate accounts or events using a set of one or more rules or a whitelist to filter potential false positive accounts or events.)
extracting graph feature data based on the resultant one or more entity graphs; and applying classification processing to the extracted graph feature data to identify a suspected malicious entity from the one or more entities associated with the one or more entity graphs, (Column 2/line 49, Analyzing the collection of hypergraphs to determine a group of malicious user accounts or account activities includes: assigning a suspiciousness score to each node of the hypergraphs, wherein each node corresponds to a feature profile associated with user accounts or events; applying one or more graph diffusion techniques to the hyper graphs; and selecting a set of one or more nodes with high suspiciousness scores as candidate malicious accounts or events. Generating the collection of hypergraphs includes obtaining event log data associated with the collection of users including one or more of login logs, signup logs, or transaction logs. Using the group of malicious user accounts or account activities as training data for a machine learning system that generates one or more classifiers further includes obtaining additional user accounts or account activities to use as good training data. The good training data and group of malicious user accounts or account activities are used to derive a set of rich features used to generate the one or more classifiers. The method further includes using the output additional malicious user accounts or account activities to derive a set of signals to combine with the one or more classifiers to provide real-time detection of future user events or user accounts.)
Xie does not explicitly disclose deriving from the one or more blockchains of transaction blocks a transaction graph of sequential transactions.
However, Lee teaches deriving from the one or more blockchains of transaction blocks a transaction graph of sequential transactions, (Abstract Section, Aspects discussed herein relate to the storage of data in graph databases and detecting fraudulent behavior in the stored data. Fraud detection systems may use graph databases to store data, allowing for querying the graph database to obtain data using a variety of graph semantics such as nodes, edges, and properties. Graph databases in accordance with embodiments of the invention may include account nodes and attribute nodes, where nodes of the same type are not directly linked to each other. When a particular node is updated, an updated node may be created with a higher version number than the existing node. Each node may include an indication of the node being associated with fraudulent activity. Fraud indicators may be calculated based on the relationships between the nodes and fraud indicators for the nodes.; and Column 2/line 1, Fraud may be detected by identifying situations where a fraudster is reusing permutations of (possibly stolen) credentials to open new accounts or to perform account takeovers. For example, a fraudster may use the same mailing address to open multiple accounts and/or take over an existing account by changing the mailing address on file to a fraudulent address in order to receive a new card in the mail. When the request to update the mailing address node for the account is received, the existing address node may be replicated and the new version of the address node may be created with the fraudulent mailing address. The account node may be connected to previous versions of the address nodes by an immutable linking feature, such as account number, such that the account node is associated with each version of the address nodes.)
One of ordinary skill in the art would have recognized that applying the known technique of Xie to the known invention of Lee would have yielded predictable results because the level of ordinary skill in the art demonstrated by the references applied shows the ability to incorporate authorization process features into a similar invention. Further, it would have been recognized by those of ordinary skill in the art that modifying the method to include deriving from the one or more blockchains of transaction blocks a transaction graph of sequential transactions results in an improved invention because applying said technique will ensure that transaction data are ordered in a sequential graph to view the relationship between transfers, thus improving the overall performance of the invention.
Regarding claims 2 and 14, Xie discloses wherein applying the classification processing comprises: applying a machine learning classification process to the extracted graph feature data to determine the suspected malicious entity, (Column 2/line 60, Using the group of malicious user accounts or account activities as training data for a machine learning system that generates one or more classifiers further includes obtaining additional user accounts or account activities to use as good training data. The good training data and group of malicious user accounts or account activities are used to derive a set of rich features used to generate the one or more classifiers. The method further includes using the output additional malicious user accounts or account activities to derive a set of signals to combine with the one or more classifiers to provide real-time detection of future user events or user accounts.; and Column 3/line 5, In general, one innovative aspect of the subject matter described in this specification can be embodied in methods that include the actions of receiving input data, the input data including event logs for a collection of users; processing the input data according to each of: an IP-stat process, wherein the IP-stat process generate a set of IP address properties from the input data; and a user-stat process, wherein the IP-stat process generates a set of statistics and features for each user of the collection of users from the input data; and providing the processed input data to one or more detection modules that analyze the processed input data to perform attack detection.)
9. Regarding claims 3 and 15, Xie discloses wherein applying the classification processing comprises: applying a machine learning classification process to data derived based on the one or more entity graphs; wherein the machine learning classification process is trained using initial address data comprising one or more digital currency addresses associated with one or more rogue transactions, (Column 1/line 45, The set of detected high-confidence malicious accounts and activities are then used as self-generated training data to feed into machine learning components to derive a set of risk models or a set of classifiers. Finally, these newly generated risk models or classifiers can be used to detect the remaining set of undetected user accounts or account activities. In this framework, the graph analysis bootstraps the system to automatically generate training data on demand, without relying on historical training data obtained from manual labels or external detection components. As such, early detection of malicious users and user activities in an un-supervised manner can be achieved. The input to the system includes Web logs that are readily available from services. Example inputs can include sign-in and sign-up logs. Other example inputs can include e-commerce transaction logs, online purchase logs, comment or review post logs, e.g., commonly available for social sites. The system can be implemented on commonly available computer systems without the need of special hardware. 
The system can be deployed in a cloud-computing environment, whereas it receives events or event logs from other service providers or end users directly… In general, one innovative aspect of the subject matter described in this specification can be embodied in methods that include the actions of generating a collection of hypergraphs representing user events across a collection of users; analyzing the collection of hypergraphs to determine a group of malicious user accounts or account activities satisfying a threshold confidence; using the group of malicious user accounts or account activities as training data for a machine learning system that generates one or more classifiers; and using the one or more generated classifiers to output additional malicious user accounts or account activities. Other embodiments of this aspect include corresponding computer systems, apparatus, and computer programs recorded on one or more computer storage devices, each configured to perform the actions of the methods.)
10. Regarding claims 4 and 16, Xie discloses wherein applying the machine learning classification process comprises: applying an ensemble of independent classification processes to the data derived based on the one or more entity graphs to separately determine, by the independent classification processes, respective classifications for one of the one or more entities; and determining a composite classification for the one or more entities based on the separate classifications determined by the independent classification processes, (Column 6/line 21, The IP stat process builds a rich set of IP (Internet Protocol) address properties, such as user population size and proxy information. The user stat process computes a set of statistics and features regarding each user, such as the user's registration age, the number of logins, the number of failed logins, the login velocity or rate of login over a specified time period, and user's predictable IP ranges, etc. Given the IP stats and the user stats, one or more detection modules 406 further analyzes the output IP and user statistics/features to perform attack detection. There can be different types of detection modules. The simplest type of detection module is a rule-based detection module. More advanced detection modules can be machine-learning based or graph-based modules that work alone or in combination. The output detection results 408 can be fed to the online service directly or fed to the frontend realtime detection engines. In addition, the output results 408 can also be fed back to the IP stat process module and user stat process module to update the computed states. As an example, the IP-stat process module 402 records how many detected bad users/events for each related IP address and IP address range. The user-stats process module 404 records the set of users that are detected as malicious accounts or compromised accounts.)
11. Regarding claim 5, Xie does not explicitly disclose wherein the transaction graph includes one or more starting nodes corresponding to the one or more digital currency addresses.
However, Lee teaches wherein the transaction graph includes one or more starting nodes corresponding to the one or more digital currency addresses, (Column 2/line 66, Fraud detection systems may use graph databases to store data, allowing for querying the graph database to obtain data using a variety of graph semantics such as nodes, edges, and properties. Graph databases in accordance with embodiments of the invention may include account nodes and attribute nodes, where nodes of the same type are not directly linked to each other. That is, account nodes are not linked to other account nodes and attribute notes are not linked to other attribute nodes. When a particular node is updated, an updated node may be created with a higher version number than the existing node. The updated node may then be linked while preserving the previous version(s) of the node. Each node may include an indication of the node being associated with fraudulent activity. Fraud proximity scores (and other fraud indicators) may be calculated based on the relationships between the attribute nodes, address nodes, and fraud indicators within the graph database.; and Column 8/line 57, At step 510, a graph database may be obtained. The graph database may be obtained from any of a variety of computing devices as described herein. The graph database may contain data for a variety of accounts, stored using a set of account nodes and attribute nodes as described herein. The graph database may be queried to determine features within the graph database. For example, a graph database may be queried to determine a number of unique account attributes (e.g. account numbers, social security numbers, etc.) stored in the graph database, the size of the graph database, and any of a variety of other queries. In several embodiments, a graph database may be queried to calculate a fraud proximity score for a particular account.)
One of ordinary skill in the art would have recognized that applying the known technique of Xie to the known invention of Lee would have yielded predictable results because the level of ordinary skill in the art demonstrated by the references applied shows the ability to incorporate fraud detection features into a similar invention. Further, it would have been recognized by those of ordinary skill in the art that modifying the method to include wherein the transaction graph includes one or more starting nodes corresponding to the one or more digital currency addresses results in an improved invention because applying said technique will ensure that all transactions can be traced and tracked, thus improving the overall performance of the invention.
12. Regarding claims 6 and 17, Xie discloses wherein extracting graph feature data comprises: determining from the one or more entity graphs one or more subgraphs; and computing for a subgraph, from the one or more determined subgraphs, one or more graph centralities, including one or more of: number of graph vertices, number of graph edges, total value of digital currency corresponding to the graph, number of graph loops, graph degree, graph neighborhood size, normalized closeness for one or more nodes of the graph, betweenness measure for the one or more nodes of the graph, a Page rank measure for the one or more nodes, cluster measure for the one or more nodes, coreness measure for the one or more nodes, or hub and authority measure for the one or more nodes, (Column 2/line 1, Through big-data analysis, the system automatically generates a set of malicious fake accounts, compromised accounts, and malicious account activities (e.g., spam, phishing, fraudulent transactions or payments). In addition, the system can also generate a set of risk models or classifiers to detect future events or user accounts either in real time or through periodic offline batch analysis.
In general, one innovative aspect of the subject matter described in this specification can be embodied in methods that include the actions of generating a collection of hypergraphs representing user events across a collection of users; analyzing the collection of hypergraphs to determine a group of malicious user accounts or account activities satisfying a threshold confidence; using the group of malicious user accounts or account activities as training data for a machine learning system that generates one or more classifiers; and using the one or more generated classifiers to output additional malicious user accounts or account activities. Other embodiments of this aspect include corresponding computer systems, apparatus, and computer programs recorded on one or more computer storage devices, each configured to perform the actions of the methods. For a system of one or more computers to be configured to perform particular operations or actions means that the system has installed on it software, firmware, hardware, or a combination of them that in operation cause the system to perform the operations or actions. For one or more computer programs to be configured to perform particular operations or actions means that the one or more programs include instructions that, when executed by data processing apparatus, cause the apparatus to perform the operations or actions…The foregoing and other embodiments can each optionally include one or more of the following features, alone or in combination. In particular, one embodiment includes all the following features in combination. Each hypergraph includes nodes corresponding to a feature profile associated with user accounts or events and edges indicating a relationship between nodes. 
Analyzing the collection of hypergraphs to determine a group of malicious user accounts or account activities includes: applying one or more community detection techniques to the hyper graphs to identify suspicious sub-graph components; determining that the nodes associated with the suspicious sub-graph components are suspicious; and outputting accounts or events associated with the suspicious sub-graph components as candidate malicious accounts or events. The method further includes examining the candidate accounts or events using a set of one or more rules or a whitelist to filter potential false positive accounts or events. Analyzing the collection of hypergraphs to determine a group of malicious user accounts or account activities includes: assigning a suspiciousness score to each node of the hypergraphs, wherein each node corresponds to a feature profile associated with user accounts or events; applying one or more graph diffusion techniques to the hyper graphs; and selecting a set of one or more nodes with high suspiciousness scores as candidate malicious accounts or events. Generating the collection of hypergraphs includes obtaining event log data associated with the collection of users including one or more of login logs, signup logs, or transaction logs.)
13. Regarding claim 7, Xie discloses wherein determining the one or more subgraphs comprises determining at least one of: an ego graph, or a simple graph, (Column 2/line 10, include the actions of generating a collection of hypergraphs representing user events across a collection of users; analyzing the collection of hypergraphs to determine a group of malicious user accounts or account activities satisfying a threshold confidence; using the group of malicious user accounts or account activities as training data for a machine learning system that generates one or more classifiers; and using the one or more generated classifiers to output additional malicious user accounts or account activities. Other embodiments of this aspect include corresponding computer systems, apparatus, and computer programs recorded on one or more computer storage devices, each configured to perform the actions of the methods. For a system of one or more computers to be configured to perform particular operations or actions means that the system has installed on it software, firmware, hardware, or a combination of them that in operation cause the system to perform the operations or actions. For one or more computer programs to be configured to perform particular operations or actions means that the one or more programs include instructions that, when executed by data processing apparatus, cause the apparatus to perform the operations or actions.; and Column 2/line 32, The foregoing and other embodiments can each optionally include one or more of the following features, alone or in combination. In particular, one embodiment includes all the following features in combination. Each hypergraph includes nodes corresponding to a feature profile associated with user accounts or events and edges indicating a relationship between nodes. 
Analyzing the collection of hypergraphs to determine a group of malicious user accounts or account activities includes: applying one or more community detection techniques to the hyper graphs to identify suspicious sub-graph components; determining that the nodes associated with the suspicious sub-graph components are suspicious; and outputting accounts or events associated with the suspicious sub-graph components as candidate malicious accounts or events. The method further includes examining the candidate accounts or events using a set of one or more rules or a whitelist to filter potential false positive accounts or events. Analyzing the collection of hypergraphs to determine a group of malicious user accounts or account activities includes: assigning a suspiciousness score to each node of the hypergraphs, wherein each node corresponds to a feature profile associated with user accounts or events; applying one or more graph diffusion techniques to the hyper graphs; and selecting a set of one or more nodes with high suspiciousness scores as candidate malicious accounts or events. Generating the collection of hypergraphs includes obtaining event log data associated with the collection of users including one or more of login logs, signup logs, or transaction logs.)
14. Regarding claim 8, Xie does not explicitly disclose wherein the transaction graph comprises transaction nodes in which a first transaction node specifies an output address associated with a second transaction node to which the first transaction node is connected.
However, Lee teaches wherein the transaction graph comprises transaction nodes in which a first transaction node specifies an output address associated with a second transaction node to which the first transaction node is connected, (Column 8/line 18, At step 416, edge data may be generated. The generated edge data may indicate the relationship between the account node indicated in the updated data and the updated node. The generated edge data may have a label corresponding to the class of data indicated in the updated data. The generated edge data may have a weight determined based on the label of the edge data and/or any other criteria, such as the difference in time between when the previous node was created and the updated data was received. For example, a recent change to a particular attribute of an account may be indicative of fraud, and more recently created edges may be given a greater weight in determining a fraud proximity score for an account. In several embodiments, the updated node includes an account node and the generated edge data may link the updated account node to a query node associated with the account node. In this way, a query node may link to every version of an account node, thereby facilitating the querying of different versions of an account stored within a graph database.; and Column 2/line 66, Fraud detection systems may use graph databases to store data, allowing for querying the graph database to obtain data using a variety of graph semantics such as nodes, edges, and properties. Graph databases in accordance with embodiments of the invention may include account nodes and attribute nodes, where nodes of the same type are not directly linked to each other. That is, account nodes are not linked to other account nodes and attribute notes are not linked to other attribute nodes. When a particular node is updated, an updated node may be created with a higher version number than the existing node. 
The updated node may then be linked while preserving the previous version(s) of the node. Each node may include an indication of the node being associated with fraudulent activity. Fraud proximity scores (and other fraud indicators) may be calculated based on the relationships between the attribute nodes, address nodes, and fraud indicators within the graph database.)
One of ordinary skill in the art would have recognized that applying the known technique of Xie to the known invention of Lee would have yielded predictable results because the level of ordinary skill in the art demonstrated by the references applied shows the ability to incorporate fraud detection features into a similar invention. Further, it would have been recognized by those of ordinary skill in the art that modifying the method to include wherein the transaction graph includes one or more starting nodes corresponding to the one or more digital currency addresses would result in an improved invention because applying said technique will ensure that the relationships of nodes are established during a transaction, thus improving the overall performance of the invention.
15. Regarding claim 9, Xie discloses wherein applying clustering processing to the transaction graph comprises applying the clustering processing to local areas of the transaction graph, (Column 6/line 46, A key component of the detection engine is graph analysis, where the system constructs activity graphs and identifies suspicious graph components. The graph analysis process allows the system to derive a global view of the correlations among user activities and various seemingly unrelated events, so that the system can detect stealthy attack patterns that may be difficult to identify when they are examined in isolation.; and Column 2/line 38, Analyzing the collection of hypergraphs to determine a group of malicious user accounts or account activities includes: applying one or more community detection techniques to the hyper graphs to identify suspicious sub-graph components; determining that the nodes associated with the suspicious sub-graph components are suspicious; and outputting accounts or events associated with the suspicious sub-graph components as candidate malicious accounts or events. The method further includes examining the candidate accounts or events using a set of one or more rules or a whitelist to filter potential false positive accounts or events. Analyzing the collection of hypergraphs to determine a group of malicious user accounts or account activities includes: assigning a suspiciousness score to each node of the hypergraphs, wherein each node corresponds to a feature profile associated with user accounts or events; applying one or more graph diffusion techniques to the hyper graphs; and selecting a set of one or more nodes with high suspiciousness scores as candidate malicious accounts or events. Generating the collection of hypergraphs includes obtaining event log data associated with the collection of users including one or more of login logs, signup logs, or transaction logs. 
Using the group of malicious user accounts or account activities as training data for a machine learning system that generates one or more classifiers further includes obtaining additional user accounts or account activities to use as good training data.)
16. Regarding claims 10 and 18, Xie discloses wherein applying clustering processing to the transaction graph comprises applying localized and/or temporal clustering processing to form clusters according to set of rules applied to input and output addresses of each transaction node in the transaction graph, (Column 6/line 46, A key component of the detection engine is graph analysis, where the system constructs activity graphs and identifies suspicious graph components. The graph analysis process allows the system to derive a global view of the correlations among user activities and various seemingly unrelated events, so that the system can detect stealthy attack patterns that may be difficult to identify when they are examined in isolation.; and Column 2/line 38, Analyzing the collection of hypergraphs to determine a group of malicious user accounts or account activities includes: applying one or more community detection techniques to the hyper graphs to identify suspicious sub-graph components; determining that the nodes associated with the suspicious sub-graph components are suspicious; and outputting accounts or events associated with the suspicious sub-graph components as candidate malicious accounts or events. The method further includes examining the candidate accounts or events using a set of one or more rules or a whitelist to filter potential false positive accounts or events. Analyzing the collection of hypergraphs to determine a group of malicious user accounts or account activities includes: assigning a suspiciousness score to each node of the hypergraphs, wherein each node corresponds to a feature profile associated with user accounts or events; applying one or more graph diffusion techniques to the hyper graphs; and selecting a set of one or more nodes with high suspiciousness scores as candidate malicious accounts or events. 
Generating the collection of hypergraphs includes obtaining event log data associated with the collection of users including one or more of login logs, signup logs, or transaction logs.)
17. Regarding claims 11 and 19, Xie does not explicitly disclose wherein deriving the transaction graph of sequential transactions comprises: identifying a particular address associated with a particular transaction; and generating a restricted transaction graph from the transaction graph that extends n transaction blocks upstream and downstream from the identified particular transaction with the identified particular address.
However, Lee teaches wherein deriving the transaction graph of sequential transactions comprises: identifying a particular address associated with a particular transaction; and generating a restricted transaction graph from the transaction graph that extends n transaction blocks upstream and downstream from the identified particular transaction with the identified particular address, (Column 2/line 1, Fraud may be detected by identifying situations where a fraudster is reusing permutations of (possibly stolen) credentials to open new accounts or to perform account takeovers. For example, a fraudster may use the same mailing address to open multiple accounts and/or take over an existing account by changing the mailing address on file to a fraudulent address in order to receive a new card in the mail. When the request to update the mailing address node for the account is received, the existing address node may be replicated and the new version of the address node may be created with the fraudulent mailing address. The account node may be connected to previous versions of the address nodes by an immutable linking feature, such as account number, such that the account node is associated with each version of the address nodes. Particular versions of the address node, such as the updated version inserted by the fraudster in this example, may be marked as fraudulent. In this way, accounts associated with the fraudulent versions of the address node may be identified. Additionally, when the account is recovered and a non-fraudulent address is associated with the account, the previously fraudulent address attribute node may be maintained as a historical record of the fraudulent activity.; and Column 2/line 66, Fraud detection systems may use graph databases to store data, allowing for querying the graph database to obtain data using a variety of graph semantics such as nodes, edges, and properties. 
Graph databases in accordance with embodiments of the invention may include account nodes and attribute nodes, where nodes of the same type are not directly linked to each other. That is, account nodes are not linked to other account nodes and attribute notes are not linked to other attribute nodes. When a particular node is updated, an updated node may be created with a higher version number than the existing node. The updated node may then be linked while preserving the previous version(s) of the node. Each node may include an indication of the node being associated with fraudulent activity. Fraud proximity scores (and other fraud indicators) may be calculated based on the relationships between the attribute nodes, address nodes, and fraud indicators within the graph database.)
One of ordinary skill in the art would have recognized that applying the known technique of Xie to the known invention of Lee would have yielded predictable results because the level of ordinary skill in the art demonstrated by the references applied shows the ability to incorporate fraud detection features into a similar invention. Further, it would have been recognized by those of ordinary skill in the art that modifying the method to include wherein deriving the transaction graph of sequential transactions comprises: identifying a particular address associated with a particular transaction; and generating a restricted transaction graph from the transaction graph that extends n transaction blocks upstream and downstream from the identified particular transaction with the identified particular address would result in an improved invention because applying said technique will ensure that only a fixed number of transactions are chosen for fraud detection, thus improving the overall efficiency of the invention.
18. Regarding claim 12, Xie discloses further comprising: removing transaction blocks from the restricted transaction graph that are determined to be associated with addresses of gambling or exchange sites, (Column 7/line 18, Another technique for detecting an initial list of malicious accounts or events from the hypergraphs is to assign a suspiciousness score to each node, and then to apply one or more graph diffusion techniques. The graph diffusion process will infer a suspiciousness score for each graph node according to the graph structure, based on the set of nodes with pre-assigned scores. After performing graph diffusion, the system can pick the set of nodes with high suspiciousness scores to output as candidates for further examination.
Finally, these identified suspicious candidate accounts or events may be further examined using a set of one or more rules or a whitelist to filter potential false positive accounts or events. For example, one rule could be to examine whether an output suspicious account is (1) an old user, and (2) the account has a feature profile does not fit well with the feature profile of the suspicious graph node (since a node's feature profile may be computed from a set of users). If a suspicious account matches this rule, the account may be a false positive case.)
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Systems And Methods For Detecting And Protecting Against Malicious Software (US 10846405 B1) teaches a computer-implemented method for detecting and protecting against malicious software that may include loading an untrusted application having a defined entry point into an emulated computing environment, executing a first instance of the untrusted application in the emulated computing environment beginning at the defined entry point, executing a second instance of the untrusted application beginning at a second entry point downstream from the defined entry point so as to bypass at least a portion of the untrusted application executed in the first instance, identifying the untrusted application as a potential threat based on information extracted from the second instance of the untrusted application, and performing a security action to protect against the untrusted application identified as a threat. Various other methods, systems, and computer-readable media are also disclosed.
In addition to the foregoing, other aspects are described in the claims, drawings, and text. Any inquiry concerning this communication or earlier communications from the examiner should be directed to Davida L. King whose telephone number is (571) 272-4724. The examiner can normally be reached M-F 8am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Neha Patel, can be reached on (571) 270-1492. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/D.L.K./Examiner, Art Unit 3699
/NEHA PATEL/Supervisory Patent Examiner, Art Unit 3699