Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
Claims 1-20 are pending.
Response to Arguments
Applicant's arguments filed 4/28/2025 with respect to the prior art rejections have been fully considered but they are not persuasive.
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 11/5/2025 has been entered.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1-5, 7, 9-13, 15, and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Djosic et al (US Pub. No. 2021/0152555), hereafter, “Djosic,” in view of Spiers et al (US Pub. No. 2012/0266231), hereafter, “Spiers.”
As to claim 1, Djosic discloses a method for performing continuous API-based fraud detection based on sequences (Abstract), comprising:
continuously intercepting API traffic between a client and a server, the API traffic associated with a plurality of sequences, wherein each sequence of the plurality of sequences includes a plurality of states, wherein a state of the plurality of states is associated with a user action in association of an API (Fig. 1 and [0033]-[0035]; particularly, “The API traffic comes to the gateway form different sources, such as mobile applications, desktop applications, Internet of Things (IoT) etc. Along with regular traffic, the attempt to access API service may come from malicious users, hackers, automated robots, and the goal of protection service is to block such traffic…While, many existing API cybercheck protection systems deploy the protection service either at the API gateway or at some firewall/Web Application Firewall (WAF), in some embodiments described herein, there is provided a multilayer approach, where in addition to the protection service at gateway, the protection service is deployed before and after a gateway, providing early warning, continuous and incremental protection services.” “multilayer” reading on “multiple sequence of stages”);
identifying a first sequence from the plurality of sequences, wherein the first sequence includes a first plurality of states ([0037]-[0039]; particularly “The first layer, or alpha 220, calculates risk score 222 by using the user's IP and device information as the identifiers. At this level a user's credentials 202, ID and password, are not known. The system calculates the score at this level mostly based on retrieved information from a user's fraud 224 and activity profile 226. During this process, the system should be capable to recognize some typical boot behaviour or create a default user's profile for a first-time end user based on the aforementioned boot behaviour. This layer may be seen as an early warning system.” At least “activity profile” and “boot behaviour” reading on “the first sequence includes a first plurality of states a plurality of states”);
detecting whether the first sequence is associated with a fraudulent event based on ordering of states of the first plurality of states ([0037]-[0039]; particularly “During this process, the system should be capable to recognize some typical boot behaviour or create a default user's profile for a first-time end user based on the aforementioned boot behaviour. This layer may be seen as an early warning system.” See also [0058], particularly, “The user behavior may pertain to interface interactive pattern (e.g., mouse movement, keyboard stroke), and the end user access pattern (time pattern, behavior pattern). Based on this information an API-EWIS can signal the warning before a user's authentication about a potential distributed denial of service (DDoS), stacking, malicious bot traffic, and fraudulent accesses. It should be noted that web application firewall (WAF) filter do not have user behavior information.” “pattern” reading on “ordering of states”); and
reporting an alert based on the detection of the fraudulent event ([0037]-[0039]; particularly “During this process, the system should be capable to recognize some typical boot behaviour or create a default user's profile for a first-time end user based on the aforementioned boot behaviour. This layer may be seen as an early warning system.” See also [0058]-[0060], particularly, “The user behavior may pertain to interface interactive pattern (e.g., mouse movement, keyboard stroke), and the end user access pattern (time pattern, behavior pattern). Based on this information an API-EWIS can signal the warning before a user's authentication about a potential distributed denial of service (DDoS), stacking, malicious bot traffic, and fraudulent accesses. It should be noted that web application firewall (WAF) filter do not have user behavior information.”)
However, Djosic does not explicitly disclose a duration associated with each state of the plurality of states.
But, Spiers discloses detecting whether a first sequence is associated with a fraudulent event based on ordering of states and a duration associated with each state of a plurality of states ([0154], particularly, “For example, if a given phase (e.g., create phase, boot phase, unlock phase, connect phase, etc.) doesn't finish within a predetermined threshold (e.g., a time duration threshold), then the cloud orchestrator 318 (or secure boot server 1204) may determine that an anomalous event has occurred and abort the process (e.g., sending instructions to abort the process, deleting/designating the reservation as void, denying the request for components, and/or other cautionary actions). In one example involving the create phase, the start of the phase may be triggered by the recording of the first token in association with a reservation, and the end of the phase may be triggered by the receipt of the first token from cloud DMZ 306. If the time duration of the create phase exceeds the threshold, an entry may be recorded in a log file (e.g., recording the identity of the source, destination, time, date, and other information) and the process aborted to prevent possibly malicious activity.”)
Therefore it would be obvious to one of ordinary skill prior to the effective filing date of the application to combine the teachings of Djosic and Spiers as a means to more effectively identify and prevent fraudulent and malicious activities.
As to claims 9 and 17, they are rejected by a similar rationale to that set forth in claim 1’s rejection.
As to claims 2, 10, and 18, the teachings of Djosic and Spiers as combined for the same reasons set forth in claim 1’s rejection further disclose that each state of the plurality of stages is associated with an API request and response (Djosic, [0038]-[0041]).
As to claims 3, 11, and 19, the teachings of Djosic and Spiers as combined for the same reasons set forth in claim 1’s rejection further disclose detecting a fraudulent event includes applying API data to a prediction model, the API data generated based on the intercepted API traffic (Djosic, [0038]-[0041], particularly, “The system calculates the score at this level mostly based on retrieved information from a user's fraud 224 and activity profile 226. During this process, the system should be capable to recognize some typical boot behaviour or create a default user's profile for a first-time end user based on the aforementioned boot behaviour. This layer may be seen as an early warning system.” See also [0049] describing the model).
As to claims 4, 12, and 20, the teachings of Djosic and Spiers as combined for the same reasons set forth in claim 1’s rejection further disclose detecting a fraudulent event includes identifying a fraudulent event associated with a selected state within the first sequence (Djosic, [0038]-[0041]).
As to claims 5 and 13, the teachings of Djosic and Spiers as combined for the same reasons set forth in claim 1’s rejection further disclose detecting a fraudulent event includes clustering a plurality of identified sequences (Djosic, [0038]-[0041], see [0031] and [0080] describing the clustering).
As to claims 7 and 15, the teachings of Djosic and Spiers as combined for the same reasons set forth in claim 1’s rejection further disclose generating a severity score for the fraudulent event based at least in part on a frequency of sequence-based fraudulent events (Djosic, [0038]-[0041]).
Claims 6 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Djosic and Spiers in view of Shivamoggi et al (US Pub. No. 2019/0141066).
As to claims 6 and 14, Djosic and Spiers disclose the parent claim but do not disclose reporting includes providing data regarding a fraudulent ring associated with more user accounts than user email addresses. However, Shivamoggi discloses identifying outlier clusters generated by the clustering process ([0008]).
Therefore it would be obvious to one of ordinary skill prior to the effective filing date of the application to combine the teachings of Djosic and Spiers with Shivamoggi as a means to identify and sort the clusters more effectively.
Claims 8 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Djosic and Spiers in view of Mityagin (US Pub. No. 2020/0228514).
As to claims 8 and 16, Djosic and Spiers disclose the parent claim but do not disclose reporting includes providing data regarding a fraudulent ring associated with more user accounts than user email addresses. However, Shivamoggi discloses reporting includes providing data regarding a fraudulent ring associated with more user accounts than user email addresses ([0051]-[0052]).
Therefore it would be obvious to one of ordinary skill prior to the effective filing date of the application to combine the teachings of Djosic and Spiers with Shivamoggi as a means to identify and prevent malicious actions more effectively.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to THOMAS J DAILEY whose telephone number is (571)270-1246. The examiner can normally be reached on 9:30am-6:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Umar Cheema can be reached on 571-270-3037. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/THOMAS J DAILEY/ Primary Examiner, Art Unit 2458