Prosecution Insights
Last updated: July 17, 2026
Application No. 18/219,298

SYSTEMS, METHODS, AND APPARATUSES FOR DETECTING CYBERSECURITY EVENTS USING CENTRALIZED DATA AGGREGATION AND DYNAMIC CONSTRAINT SPECIFICATION TEMPLATES IN AN ELECTRONIC ENVIRONMENT

Non-Final OA §102
Filed
Jul 07, 2023
Examiner
REYNOLDS, DEBORAH J
Art Unit
2499
Tech Center
2400 — Computer Networks
Assignee
Bank of America Corporation
OA Round
3 (Non-Final)
66%
Grant Probability
Favorable
3-4
OA Rounds
0m
Est. Remaining
80%
With Interview

Examiner Intelligence

Grants 66% — above average
66%
Career Allowance Rate
109 granted / 164 resolved
+8.5% vs TC avg
Moderate +14% lift
Without
With
+13.8%
Interview Lift
resolved cases with interview
Typical timeline
2y 8m
Avg Prosecution
18 currently pending
Career history
187
Total Applications
across all art units

Statute-Specific Performance

§101
5.6%
-34.4% vs TC avg
§103
72.5%
+32.5% vs TC avg
§102
10.6%
-29.4% vs TC avg
§112
7.1%
-32.9% vs TC avg
Black line = Tech Center average estimate • Based on career data from 164 resolved cases

Office Action

§102
Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Detailed Action The following is a final office action in response to communications received 03/18/2026. Claims 1, 11 and 16 have been amended. Claim 2 is canceled. Therefore, claims 1, 3-20 are pending and addressed below. Response to Arguments Applicant's arguments filed 03/18/2026 have been fully considered but they are not persuasive for the following reasons: Applicant’s arguments with respect to the rejections of amended claims 1, 11 and 16 under 35 U.S.C 102(a)(1) have been fully considered but are moot because additional citations from the same prior art (Dherange et al: US PG-PUB No. 20220224702 A1) are added to support the examiner’s response. (see below rejection details) Therefore, claims 1, 11 and 16 are rejected under 35 U.S.C 102(a)(1). As claims 3-10 are dependent directly or indirectly on claim 1, claims 12-15 are dependent directly or indirectly on claim 11, claims 17-20 are dependent directly or indirectly on claim 16, applicant’s argument with respect to the rejections of claim 3-10, 12-15 and 17-20 are moot. Claim Rejections - 35 USC § 102 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action: A person shall be entitled to a patent unless – (a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention. Claims 1, 3-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Dherange et al. (US PG-PUB No. 20220224702 A1). Regarding claim 1, 11 and 16, Dherange et al, hereinafter Dherange, teaches a system, a computer program product and a computer implemented method for detecting cybersecurity events using centralized data aggregation and dynamic constraint specification templates in an electronic environment (Abstract: “Techniques for building and maintaining cyber security threat detection models are described. The techniques include data selection, algorithm selection, risk score algorithm selection, model outcome selection, and model automation (centralized data aggregation)”; “Subsequently, a matrix (dynamic constraint specification templates) is formed with the vector, selected algorithm, and parameters of the data that were analyzed. The matrix is then stored for application with future data based on a predetermined rule.”), the system comprising: a memory device with computer-readable program code stored thereon; at least one processing device, wherein executing the computer- readable code is configured to cause the at least one processing device to perform the following operations (Paragraph [0051]: “Model creation module 302 can be implemented on a processor, device, and/or system capable of receiving data (e.g., wirelessly), processing data, accessing memory, and updating the memory”): identify at least one of a malfeasant event or a potential malfeasant event, wherein the malfeasant event or the potential malfeasant event comprises data (Paragraph [0047]: “At block 202, data can be input into the system from various sources. In some embodiments, the data (e.g., event logs from applications) can include different data structures that can be classified as features. The features can be retained for further analysis during the anomaly detection process (identify malfeasant or a potential malfeasant event which comprises data).”); parse the data of the malfeasant event or the potential malfeasant event (Paragraph [0048]: “At block 204, the system can tokenize the data as vectors containing KVPs (parse the data).”); generate a primary dynamic constraint specification template comprising a base set of parameters and at least one rule for evaluating the likelihood of a malfeasant event based on the base set of parameters, wherein the base set of parameters are based on the parsed data of the malfeasant event or the potential malfeasant event (Paragraph [0036]: “The system can also input feature values as filter parameters so as to help restrict the data during analysis or filter data to exclude certain data from analysis. In other words, a user can limit the analysis to only the selected parameters. Using these inputs, the system can create a model configuration matrix (generate a primary dynamic constraint specification template) with the vector representation of features and feature data selected as input (comprising base set of parameters which are based on the parsed data of the malfeasant event or the potential malfeasant event). The inputs can be, for example, represented as vector {right arrow over (K)}, model {right arrow over (M)}, and model parameters {right arrow over (P)}.”; Paragraph [0037]: “During risk scoring algorithm(s) and parameter(s) (base set of parameters) selection 106, the system allows a user to select of one or more risk scoring algorithms. For instance, one risk scoring algorithm may apply a first set rules to designate a risk score, while another risk scoring algorithm may apply a second set of rules, which are harsher than the first (at least one rule for evaluating the likelihood of a malfeasant event based on the base set of parameters).”; Paragraph [0006]: The method further comprises applying, by the processor, a model configuration matrix to the new vector, the model configuration matrix including a vector representation of the threat detection model, the new vector, and a parameter vector; updating, by the processor, a risk profile based on an output from the applying of the model configuration matrix, wherein the output is indicative of similarities between the subsequent data vector and the new vector, and wherein the risk profile is directly related to the similarities; and scheduling, by the processor, reapplication of the model configuration matrix based on a predetermined rule (after updating the risk profile with the evaluation rules applied, then scheduling reapplication of the model configuration matrix based on a predetermined rule. Therefore, the updated model configuration matrix includes the rules to evaluate the likelihood of malfeasant event based on the base set of parameters)); automatically store the primary dynamic constraint specification template in a long term data storage (Paragraph [0069]: “The model configuration matrix (dynamic constraint specification template) can include a vector representation of a threat detection algorithm, the new vector, and a parameter vector (primary dynamic constraint specification). The parameter vector can be representative of a parameter that is used to initialize the threat detection model (e.g., time of day). Paragraph [0025]: “The newly created vector can then be stored as a KVP in the event store and the preexisting database (long term data storage) can be updated.”). identify at least one secondary malfeasant event or at least one secondary potential malfeasant event, wherein the at least one secondary malfeasant event or the at least one secondary potential malfeasant event comprises secondary data; parse the secondary data of the least one secondary malfeasant event or the at least one secondary potential malfeasant event; and generate at least one secondary dynamic constraint specification template comprising a secondary set of parameters, wherein the secondary set of parameters are based on the parsed secondary data, and wherein the at least one secondary dynamic constraint specification template is a modification of the primary dynamic constraint specification template (Paragraph [0046]: “During automation parameter(s) selection 110, the system executes the model in the background such that the model is automatically reapplied to data based on a predetermined rule (the system repeats the previous process to identify secondary malfeasant event which comprises secondary data, parse the secondary data and generate secondary dynamic constraint specification template).”, Paragraph [0048]: “At block 206, the tokenized vector is compared with vectors within a preexisting database on vectors. The vectors within the preexisting database can include previously seen or known vectors. At block 208, the system performs a vector comparison to determine if the vector is identifiable based on prior observations. If the vector is identifiable based on one or more of the preexisting vectors, the system moves to block 212. If the vector is not identifiable, then the system, at block 210, creates a new vector in KVP format. The new vector includes information of the raw event data. At block 212, the system updates the preexisting vector database (modification of the previous dynamic constraint specification template which comprises set of parameters of parsed data) such that future vectors with similar patterns can be detected based on either the new vector created at block 210, or the vector that was determined to be similar to the preexisting vectors at block 208.”). automatically store, in response to the generation of the at least one secondary dynamic constraint specification template, the at least one secondary dynamic constraint specification template to a temporary storage (Paragraph [0006]: “reapplication of the model configuration matrix (generation of the at least one secondary dynamic constraint specification template) based on a predetermined rule”; (abstract): “Subsequently, a matrix is formed with the vector, selected algorithm, and parameters of the data that were analyzed. The matrix is then stored for application with future data based on a predetermined rule.”; Paragraph [0067]: “The model’s module can include functions to, for example, tokenize the data, applying a KVP, update the matrix (update the model configuration matrix), etc. In some embodiments, the MC (Model Creation) module can include a reapplication module which is configured to determine whether to reapply the model to data based on, for example, a predetermined schedule (here, the reapplied model configuration matrix is the secondary dynamic constraint specification template, and thus storing the matrix implies storing the matrix in the temporary storage so that later the matrix can be updated by the reapplication process).”); identify at least one current malfeasant event or at least one current potential malfeasant event comprising current data; determine at least one change between the at least one current malfeasant event or the at least one current potential malfeasant event and the least one secondary malfeasant event or the at least one secondary potential malfeasant event; generate at least one current dynamic constraint specification template in response to the at least one change (Paragraph [0068]: “The method depicted in flowchart 800 can be implemented to create a threat detection model. The method can begin at block 810 by determining raw data to be input into the threat detection model. Doing so can further comprises receiving the raw data (current data) at block 812, from one or more sources such a security system, email gate application, and/or others (identify at least one current malfeasant event or at least one current potential malfeasant event comprising current data). The data can subsequently tokenized, at block 814, into a raw data vector. The raw data vector can be in KVP format which includes information such as a feature of the data and/or structure of the data. At block 816, the raw data vector is compared to a preexisting vector. If the comparison indicates that the two vectors are equal, the raw data vector can be stored in a database. Conversely, if the comparison indicates that the two vectors are not equal (at least one change is determined), a new vector is created, in KVP format, of the unequal data.”; Paragraph [0069]: “At block 820, the method can include applies a model configuration matrix to the new vector (generate at least one current dynamic constraint specification template in response to the at least one change).”); and delete, in response to the generation of the at least one current dynamic constraint specification template, the at least one secondary dynamic constraint specification template from the temporary storage and store the at least one current dynamic constraint specification template in the temporary storage (Paragraph [0067]: “The models module can include functions to, for example, tokenize the data, applying a KVP, update the matrix (replace the secondary dynamic constraint specification template with the current dynamic constraint specification template, this replacement operation automatically deletes the secondary dynamic constraint specification template and stores the current dynamic constraint specification template in the temporary storage), etc.”; Paragraph [0025] further discloses: “If the two vectors are not similar (e.g., vector {right arrow over (A)}≠{right arrow over (V)}) (determine at least one change between the two events), the system can then create a new vector (e.g., vector {right arrow over (X)}). The newly created vector can then be stored as a KVP in the event store and the preexisting database can be updated. By doing so, another anomaly is stored for future comparisons.”). Regarding claim 3, 12 and 17, Dherange teaches all of the features with respect to claim 1, 11 and 16 as outlined above. Dherange further teaches system further comprising: apply a machine learning (ML) model to at least one of the primary dynamic constraint specification template or the at least one secondary dynamic constraint specification template (Paragraph [0034]: “Different algorithm(s) can be selected during algorithm(s) selection 104. For example, the three main categories of ML/Al based techniques include supervised, unsupervised, and deep learning/neural network. These techniques are commonly applied during development of different cyber security models.”; [0069]: “At block 820, the method can include applies a model configuration matrix (dynamic constraint specification template) to the new vector. The model configuration matrix can include a vector representation of a threat detection algorithm, the new vector, and a parameter vector. The threat detection algorithm can include any of a supervised learning algorithm, an unsupervised learning algorithm, a deep learning algorithm, or any combination thereof (apply ML model).”); and determine, by the ML model, at least one primary pattern of the data of the primary dynamic constraint specification template and at least one secondary pattern of the secondary data of the at least one secondary dynamic constraint specification template (Paragraph [0004]: “to better secure themselves against cyber security attacks, organizations have begun to adopt machine learning and/or artificial intelligence (ML/Al) based algorithms. These algorithms can support the SOCs to analyze and identify patterns on anomalous behavior.”). Regarding claim 4, 13 and 18, Dherange teaches all of the features with respect to claim 3, 12 and 17 as outlined above. Dherange further teaches the system further comprising: generate, by an artificial intelligence (Al) engine, at least one vulnerability vector based on the primary dynamic constraint specification template and the at least one primary pattern determined by the ML model; generate, by the Al engine, at least one secondary vulnerability vector based on at least one secondary dynamic constraint specification template and the at least one secondary pattern determined by the ML model (Abstract: “Subsequently, a matrix is formed with the vector (generate vulnerability vector based on the primary/secondary dynamic constraint specification template), selected algorithm (Al based algorithm by Al engine), and parameters of the data that were analyzed.”; Paragraph [0004]: “Further, to better secure themselves against cyber security attacks, organizations have begun to adopt machine learning and/or artificial intelligence (ML/Al) based algorithms. These algorithms can support the SOCs to analyze and identify patterns on anomalous behavior (primary/secondary pattern determined by the ML model).”); and compare, by the Al engine, the at least one primary vulnerability vector and the at least one secondary vulnerability vector; and identify at least one change between the at least one primary vulnerability vector and the at least one secondary vulnerability vector (Abstract: “The data is then tokenized into vector form and compared to preexisting vectors (compare the vectors). If the vectors are equal, the tokenized vector is saved in the database. If the vectors are not equal (identify a change between the vectors), a new vector, in key value pair format, is formed. After which, algorithms can be selected to detect anomalies within the data and assign a risk score to the data.”). Regarding claim 5, 14 and 19, Dherange teaches all of the features with respect to claim 4, 13 and 18 as outlined above. Dherange further teaches the system further comprising: generate, based on the at least one change, a vulnerability vector change interface component, wherein the vulnerability vector change interface component comprises an indication of the at least one change between the at least one primary vulnerability vector and the at least one secondary vulnerability vector, and wherein the vulnerability vector change interface component is generated immediately after the at least one change is identified (Abstract: “If the vectors are not equal (identify a change between the vectors), a new vector, in key value pair format, is formed. After which, algorithms can be selected to detect anomalies within the data and assign a risk score to the data (generate a new vulnerability vector immediately after the change is identified).”); and transmit the vulnerability vector change interface component to a user device associated with an entity associated with the at least one of the malfeasant event, the potential malfeasant event, the at least one secondary malfeasant event, or the at least one secondary potential malfeasant event, wherein the vulnerability vector change interface component is configured to configure a graphical user interface (GUI) of the user device (Paragraph [0065]: “A user interface (command line or graphical user interface) may be used for accessing/viewing the data. An alert module (vulnerability vector change interface component) in the interface layer may be used to alert users with system malfunctions or with the anomalies found as described herein. The alerts module may be set to trigger an alert at various levels of issues found in the data or system.”; Paragraph [0032]: “The system can provide the process with a graphical user interface (GUI). The GUI can be configured to display multiple screens in succession based on, for example, a selection of the user in a previous screen, as a consequence of a user-selection in a previous screen, and/or as a consequence of inputs (e.g., telemetry data). The life cycle 100 includes data selection 102, algorithm(s) selection 104, risk scoring algorithm(s) and parameter(s) selection 106, outcome model selection 108, and automation parameter(s) selection 110.”). Regarding claim 6, 15 and 20, Dherange teaches all of the features with respect to claim 3, 12 and 17 as outlined above. Dherange further teaches the system repeats the same process to identify more malfeasant event (Paragraph [0046]: “During automation parameter(s) selection 110, the system executes the model in the background such that the model is automatically reapplied to data based on a predetermined rule (the system repeats the previous process to identify secondary malfeasant event which comprises secondary data, parse the secondary data and generate secondary dynamic constraint specification template).”), the system further comprising: identify a most recent malfeasant event or a most recent potential malfeasant event, wherein the most recent malfeasant event or the most recent potential malfeasant event comprises most recent data (Paragraph [0047]: “At block 202, data can be input into the system from various sources. In some embodiments, the data (e.g., event logs from applications) can include different data structures that can be classified as features. The features can be retained for further analysis during the anomaly detection process (identify malfeasant or a potential malfeasant event which comprises data).”); parse the most recent data (Paragraph [0048]: “At block 204, the system can tokenize the data as vectors containing KVPs (parse the data).”); generate a most recent dynamic constraint specification template comprising a most recent set of parameters, wherein the most recent set of parameters are based on the parsed most recent data, and wherein the most recent dynamic constraint specification template is a modification of the primary dynamic constraint specification template (Paragraph [0048]: “At block 212, the system updates the preexisting vector database (modification of the previous dynamic constraint specification template which comprises set of parameters of parsed data) such that future vectors with similar patterns can be detected based on either the new vector created at block 210, or the vector that was determined to be similar to the preexisting vectors at block 208”): apply the ML model to the most recent dynamic constraint specification template (Paragraph [0069]: “At block 820, the method can include applies a model configuration matrix (dynamic constraint specification template) to the new vector. The model configuration matrix can include a vector representation of a threat detection algorithm, the new vector, and a parameter vector. The threat detection algorithm can include any of a supervised learning algorithm, an unsupervised learning algorithm, a deep learning algorithm, or any combination thereof (apply ML model).”); determine, by the ML model, at least one most recent pattern based on the most recent dynamic constraint specification template (Paragraph [0004]: “to better secure themselves against cyber security attacks, organizations have begun to adopt machine learning and/or artificial intelligence (ML/Al) based algorithms. These algorithms can support the SOCs to analyze and identify patterns on anomalous behavior.”); compare the most recent pattern to the at least one secondary pattern; and determine whether at least one change is present between the most recent pattern and the at least one secondary pattern, wherein, in an instance where at least one change is present, replace the at least one secondary dynamic constraint specification template with the most recent dynamic constraint specification template (Paragraph [0048]: “At block 206, the tokenized vector is compared with vectors within a preexisting database on vectors. The vectors within the preexisting database can include previously seen or known vectors. At block 208, the system performs a vector comparison to determine if the vector is identifiable based on prior observations. If the vector is identifiable based on one or more of the preexisting vectors, the system moves to block 212. If the vector is not identifiable (an instance where at least one change is present), then the system, at block 210, creates a new vector in KVP format. The new vector includes information of the raw event data. At block 212, the system updates the preexisting vector database (replace the at least one secondary dynamic constraint specification template with the most recent dynamic constraint specification template) such that future vectors with similar patterns can be detected based on either the new vector created at block 210, or the vector that was determined to be similar to the preexisting vectors at block 208.”). Regarding claim 7, Dherange teaches all of the features with respect to claim 6, as Outlined above. Dherange further teaches wherein the at least one secondary dynamic constraint specification template is generated at time previous to the most recent dynamic constraint specification template and at a time after to the primary dynamic constraint specification template (Paragraph [0030]: “Once the outcome is represented by a model, the system can be automated to detect threats at a later time. For example, automation can include reapplication of the model to data received during intervals of predetermined time periods.”). Regarding claim 8, Dherange teaches all of the features with respect to claim 1, as Outlined above. Dherange further teaches wherein the primary dynamic constraint specification template and the at least one secondary dynamic specification template comprise at least one rule for the primary set of parameters or for the secondary set of parameters (Abstract: “The matrix (dynamic constraint specification template) is then stored for application with future data based on a predetermined rule.”; [0046]: “During automation parameter(s) selection 110, the system executes the model in the background such that the model is automatically reapplied to data based on a predetermined rule.”). Regarding claim 9, Dherange teaches all of the features with respect to claim 1, as Outlined above. Dherange further teaches wherein the primary set of parameters and the at least one secondary set of parameters comprise telemetry data (Paragraph [0026]: “data selection can include receiving raw data (e.g., telemetry, event data, and/or logs) from a source application.”). Regarding claim 10, Dherange teaches all of the features with respect to claim 1, as Outlined above. Dherange further teaches wherein the data of at least one malfeasant event, the at least one potential malfeasant event, the at least one secondary malfeasant event, or at least one secondary potential malfeasant event comprise at least one of an indicator of compromise (loC) data, account access data, authentication credential data, geographic data, transaction data, or transaction party data (Paragraph [0039]: “To continue the example, the system can also account for the user's other activity on the machine. For example, the system can account for the applications that are normally accessed (account access data). files that are worked on, people that are contacted (e.g., emailed), the activity of others on the network, and/or activity of others in the vicinity (e.g., in an office building). Using this data, the system can analyze the user's behavior to determine the riskiness of the user's behavior. Thus, in some embodiments, the system can create a behavior profile for entities (e.g., users) over a period. The development of behavior profiles, in addition to the risk scores, can help in detection anomalous behavior during periodic or real-time analysis.”). Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. (see PTO-892 form for details) Any inquiry concerning this communication or earlier communications from the examiner should be directed to JASMINE DAY whose telephone number is (571)272-0204. The examiner can normally be reached Monday - Friday 9:00 - 5:00. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Philip Chea can be reached at 571-272-3951. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /J.M.D./Examiner, Art Unit 2499 /PHILIP J CHEA/Supervisory Patent Examiner, Art Unit 2499
Read full office action

Prosecution Timeline

Jul 07, 2023
Application Filed
Jul 11, 2025
Non-Final Rejection mailed — §102
Oct 10, 2025
Response Filed
Dec 18, 2025
Final Rejection mailed — §102
Mar 18, 2026
Request for Continued Examination
Apr 01, 2026
Response after Non-Final Action
May 07, 2026
Non-Final Rejection mailed — §102 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12666489
RADIO RESOURCE RESERVATION FOR INTER-UE COORDINATION IN NR SIDELINK MODE 2
2y 7m to grant Granted Jun 23, 2026
Patent 12634501
VIDEO CODING AND DECODING
1y 10m to grant Granted May 19, 2026
Patent 12627825
VIDEO CODING AND DECODING
1y 10m to grant Granted May 12, 2026
Patent 12534225
SATELLITE DISPENSING SYSTEM
4y 1m to grant Granted Jan 27, 2026
Patent 12441265
Mechanisms for moving a pod out of a vehicle
3y 8m to grant Granted Oct 14, 2025
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

3-4
Expected OA Rounds
66%
Grant Probability
80%
With Interview (+13.8%)
2y 8m (~0m remaining)
Median Time to Grant
High
PTA Risk
Based on 164 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month