Prosecution Insights
Last updated: July 17, 2026
Application No. 18/227,515

CONTINUOUS API-BASED FRAUD DETECTION USING SEQUENCES

Final Rejection §103
Filed
Jul 28, 2023
Priority
Dec 07, 2022 — provisional 63/431,011
Examiner
DAILEY, THOMAS J
Art Unit
2458
Tech Center
2400 — Computer Networks
Assignee
Harness Inc.
OA Round
4 (Final)
81%
Grant Probability
Favorable
5-6
OA Rounds
3m
Est. Remaining
96%
With Interview

Examiner Intelligence

Grants 81% — above average
81%
Career Allowance Rate
703 granted / 869 resolved
+22.9% vs TC avg
Moderate +15% lift
Without
With
+15.0%
Interview Lift
resolved cases with interview
Typical timeline
3y 2m
Avg Prosecution
20 currently pending
Career history
892
Total Applications
across all art units

Statute-Specific Performance

§101
1.6%
-38.4% vs TC avg
§103
82.9%
+42.9% vs TC avg
§102
8.7%
-31.3% vs TC avg
§112
4.1%
-35.9% vs TC avg
Black line = Tech Center average estimate • Based on career data from 869 resolved cases

Office Action

§103
Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . DETAILED ACTION Claims 1-20 are pending. Response to Arguments Applicant's arguments filed 3/23/2026 with respect to the prior art rejections have been fully considered but they are not persuasive. The applicant argues Djosic does not disclose identifying a first sequence from the plurality of sequences, wherein the first sequence includes a first plurality of states in the claimed fashion because the states as claimed are associated with a user action in association of an API in the claimed fashion and Djosic is directed to user behavior that occurs before the authentication step and is therefore Not associated with a user action in association of an API. The examiner disagrees. Djosic discloses: continuously intercepting API traffic between a client and a server, the API traffic associated with a plurality of sequences, wherein each sequence of the plurality of sequences includes a plurality of states, wherein a state of the plurality of states is associated with a user action in association of an API (Fig. 1 and [0033]-[0035]; particularly, “The API traffic comes to the gateway form different sources, such as mobile applications, desktop applications, Internet of Things (IoT) etc. Along with regular traffic, the attempt to access API service may come from malicious users, hackers, automated robots, and the goal of protection service is to block such traffic…While, many existing API cybercheck protection systems deploy the protection service either at the API gateway or at some firewall/Web Application Firewall (WAF), in some embodiments described herein, there is provided a multilayer approach, where in addition to the protection service at gateway, the protection service is deployed before and after a gateway, providing early warning, continuous and incremental protection services.” “multilayer” reading on “multiple sequence of stages”); identifying a first sequence from the plurality of sequences, wherein the first sequence includes a first plurality of states ([0037]-[0039]; particularly “The first layer, or alpha 220, calculates risk score 222 by using the user's IP and device information as the identifiers. At this level a user's credentials 202, ID and password, are not known. The system calculates the score at this level mostly based on retrieved information from a user's fraud 224 and activity profile 226. During this process, the system should be capable to recognize some typical boot behaviour or create a default user's profile for a first-time end user based on the aforementioned boot behaviour. This layer may be seen as an early warning system.” At least “activity profile” and “boot behaviour” reading on “the first sequence includes a first plurality of states a plurality of states”). The applicant’s arguments are flawed and misdirected as the claim recites, “a state of the plurality of states is associated with a user action in association of an API.” That is, user authentication is not recite in the claim and even if Djosic’s user behavior is before a user authentication, how does such user behavior not read on “a user action in association of an API”? In other words, the claim has one user action and one defined state among the plurality of states and limits the user action only as associated with an API when the claim recites, “a plurality of states, wherein a state of the plurality of states is associated with a user action in association of an API.” A user “attempt to access API service” as described in Djosic [0033]-[0035] would clearly read on a user action in association of an API. In sum, the applicant’s conclusionary statement, “Djosic is directed to user behavior that occurs before the authentication step and is therefore Not associated with a user action in association of an API,” is clearly erroneous and lacks logic because, again, why would an attempt by user to access an API service not be considered a user action associated with an API? It clearly would be and therefore the claim limitations are disclosed by Djosic. The applicant further argues Spiers fails to teach or suggest, detecting whether the first sequence is associated with a fraudulent event based on ordering of states of the first plurality of states and a duration associated with each state of the first plurality of states, as claimed. Specifically, the applicant alleges Spiers only considers if the amount time exceeds a threshold and in contrast, the instant application anticipates a situation where "sequence 2 is suspicious7 sequence" where "the typical time between logic and entering transfer details, as shown in sequence 1, is 2:45" and where "in sequence two, the time between logic and entering transfer details is eight seconds", thereby not exceeding a threshold but by being below a typical time. The examiner disagrees. Spiers discloses: detecting whether a first sequence is associated with a fraudulent event based on ordering of states and a duration associated with each state of a plurality of states ([0154], particularly, “For example, if a given phase (e.g., create phase, boot phase, unlock phase, connect phase, etc.) doesn't finish within a predetermined threshold (e.g., a time duration threshold), then the cloud orchestrator 318 (or secure boot server 1204) may determine that an anomalous event has occurred and abort the process (e.g., sending instructions to abort the process, deleting/designating the reservation as void, denying the request for components, and/or other cautionary actions). In one example involving the create phase, the start of the phase may be triggered by the recording of the first token in association with a reservation, and the end of the phase may be triggered by the receipt of the first token from cloud DMZ 306. If the time duration of the create phase exceeds the threshold, an entry may be recorded in a log file (e.g., recording the identity of the source, destination, time, date, and other information) and the process aborted to prevent possibly malicious activity.”) The applicant has failed to appreciate the broadest reasonable interpretation of the claim and has failed to provide an accurate interpretation in their remarks. That is, the applicant has given a specific example from the instant specification to illustrate an isolated situation that Spiers may not suggest, but that is clearly not the broadest reasonable interpretation of the limitations as limitations from the specification are not read into the claims. The applicant even states this baldly in arguing, “the instant application anticipates a situation where…” That is, the applicant is not even arguing the claim language but rather, “the instant application…” In sum, Spiers discloses both a specific ordering of phases (“states”) and time durations tied to those phases and detecting fraudulent events therefrom as discussed above. The applicant’s failure to provide an accurate broadest reasonable interpretation of the instant claim limitation enabled the applicant to reach a flawed and inaccurate conclusion with regard to Spiers’s disclosure with respect to the instant claim. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention. Claims 1-5,7, 9-13,15, and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Djosic et al (US Pub. No. 2021/0152555), hereafter, “Djosic,” in view of Spiers et al (US Pub. No. 2012/0266231), hereafter, “Spiers.” As to claim 1, Djosic discloses a method for performing continuous API-based fraud detection based on sequences (Abstract), comprising: continuously intercepting API traffic between a client and a server, the API traffic associated with a plurality of sequences, wherein each sequence of the plurality of sequences includes a plurality of states, wherein a state of the plurality of states is associated with a user action in association of an API (Fig. 1 and [0033]-[0035]; particularly, “The API traffic comes to the gateway form different sources, such as mobile applications, desktop applications, Internet of Things (IoT) etc. Along with regular traffic, the attempt to access API service may come from malicious users, hackers, automated robots, and the goal of protection service is to block such traffic…While, many existing API cybercheck protection systems deploy the protection service either at the API gateway or at some firewall/Web Application Firewall (WAF), in some embodiments described herein, there is provided a multilayer approach, where in addition to the protection service at gateway, the protection service is deployed before and after a gateway, providing early warning, continuous and incremental protection services.” “multilayer” reading on “multiple sequence of stages”); identifying a first sequence from the plurality of sequences, wherein the first sequence includes a first plurality of states ([0037]-[0039]; particularly “The first layer, or alpha 220, calculates risk score 222 by using the user's IP and device information as the identifiers. At this level a user's credentials 202, ID and password, are not known. The system calculates the score at this level mostly based on retrieved information from a user's fraud 224 and activity profile 226. During this process, the system should be capable to recognize some typical boot behaviour or create a default user's profile for a first-time end user based on the aforementioned boot behaviour. This layer may be seen as an early warning system.” At least “activity profile” and “boot behaviour” reading on “the first sequence includes a first plurality of states a plurality of states”); detecting whether the first sequence is associated with a fraudulent event based on ordering of states of the first plurality states ([0037]-[0039]; particularly “During this process, the system should be capable to recognize some typical boot behaviour or create a default user's profile for a first-time end user based on the aforementioned boot behaviour. This layer may be seen as an early warning system.” See also [0058], particularly, “The user behavior may pertain to interface interactive pattern (e.g., mouse movement, keyboard stroke), and the end user access pattern (time pattern, behavior pattern). Based on this information an API-EWIS can signal the warning before a user's authentication about a potential distributed denial of service (DDoS), stacking, malicious bot traffic, and fraudulent accesses. It should be noted that web application firewall (WAF) filter do not have user behavior information.” “pattern” reading on “ordering of states”); and reporting an alert based on the detection of the fraudulent event ([0037]-[0039]; particularly “During this process, the system should be capable to recognize some typical boot behaviour or create a default user's profile for a first-time end user based on the aforementioned boot behaviour. This layer may be seen as an early warning system.” See also [0058]-[0060], particularly, “The user behavior may pertain to interface interactive pattern (e.g., mouse movement, keyboard stroke), and the end user access pattern (time pattern, behavior pattern). Based on this information an API-EWIS can signal the warning before a user's authentication about a potential distributed denial of service (DDoS), stacking, malicious bot traffic, and fraudulent accesses. It should be noted that web application firewall (WAF) filter do not have user behavior information.”) However, Djosic does not explicitly disclose a duration associated with each state of the plurality of states. But, Spiers discloses detecting whether a first sequence is associated with a fraudulent event based on ordering of states and a duration associated with each state of a plurality of states ([0154], particularly, “For example, if a given phase (e.g., create phase, boot phase, unlock phase, connect phase, etc.) doesn't finish within a predetermined threshold (e.g., a time duration threshold), then the cloud orchestrator 318 (or secure boot server 1204) may determine that an anomalous event has occurred and abort the process (e.g., sending instructions to abort the process, deleting/designating the reservation as void, denying the request for components, and/or other cautionary actions). In one example involving the create phase, the start of the phase may be triggered by the recording of the first token in association with a reservation, and the end of the phase may be triggered by the receipt of the first token from cloud DMZ 306. If the time duration of the create phase exceeds the threshold, an entry may be recorded in a log file (e.g., recording the identity of the source, destination, time, date, and other information) and the process aborted to prevent possibly malicious activity.”) Therefore it would be obvious to one of ordinary skill prior to the effective filing date of the application to combine the teachings of Djosic and Spiers as a means to more effectively identify and prevent fraudulent and malicious activities. As to claim 9 and 17, they are rejected by a similar rationale to that set forth in claim 1’s rejection. As to claims 2, 10, and 18, the teachings of Djosic and Spiers as combined for the same reasons set forth in claim 1’s rejection further disclose each of state of plurality of stages is associated with an API request and response (Djosic, [0038]-[0041]). As to claims 3, 11, and 19, the teachings of Djosic and Spiers as combined for the same reasons set forth in claim 1’s rejection further disclose detecting a fraudulent event includes applying API data to a prediction model, the API data generated based on the intercepted API traffic (Djosic, [0038]-[0041], particularly, “The system calculates the score at this level mostly based on retrieved information from a user's fraud 224 and activity profile 226. During this process, the system should be capable to recognize some typical boot behaviour or create a default user's profile for a first-time end user based on the aforementioned boot behaviour. This layer may be seen as an early warning system.” See also [0049] describing the model). As to claims 4, 12, and 20, the teachings of Djosic and Spiers as combined for the same reasons set forth in claim 1’s rejection further disclose detecting a fraudulent event includes identifying a fraudulent event associated with a selected state within the first sequence (Djosic, [0038]-[0041]). As to claims 5 and 13, the teachings of Djosic and Spiers as combined for the same reasons set forth in claim 1’s rejection further disclose detecting a fraudulent event includes clustering a plurality of identified sequences (Djosic, [0038]-[0041], see [0031] and [0080] describing the clustering). As to claims 7 and 15, the teachings of Djosic and Spiers as combined for the same reasons set forth in claim 1’s rejection further disclose generating a severity score for the fraudulent event based at least in part on a frequency of sequence-based fraudulent events (Djosic, [0038]-[0041]). Claims 6 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Djosic and Spiers in view of Shivamoggi et al (US. Pub. No. 2019/0141066). As to claims 6 and 14, Djosic and Spiers disclose the parent claim but does not disclose reporting includes providing data regarding a fraudulent ring associated with more user accounts than user email addresses. However, Shivamoggi discloses identifying outlier clusters generated by the clustering process ([0008]). Therefore it would be obvious to one of ordinary skill prior to the effective filing date of the application to combine the teachings of Djosic and Spiers with Shivamoggi as a means identify and sort the clusters more effectively. Claims 8 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Djosic and Spiers in view of Mityagin (US. Pub. No. 2020/0228514). As to claims 8 and 16, Djosic and Spiers disclose the parent claim but does not disclose reporting includes providing data regarding a fraudulent ring associated with more user accounts than user email addresses. However, Shivamoggi discloses reporting includes providing data regarding a fraudulent ring associated with more user accounts than user email addresses ([0051]-[0052]). Therefore it would be obvious to one of ordinary skill prior to the effective filing date of the application to combine the teachings of Djosic and Spiers with Shivamoggi as a means identify and prevent malicious actions more effectively. Conclusion THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to THOMAS J DAILEY whose telephone number is (571)270-1246. The examiner can normally be reached on 9:30am-6:00pm. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Umar Cheema can be reached on 571-270-3037. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /THOMAS J DAILEY/ Primary Examiner, Art Unit 2458
Read full office action

Prosecution Timeline

Show 1 earlier event
Mar 27, 2025
Non-Final Rejection mailed — §103
Apr 28, 2025
Response Filed
Aug 15, 2025
Final Rejection mailed — §103
Nov 05, 2025
Request for Continued Examination
Nov 10, 2025
Response after Non-Final Action
Dec 29, 2025
Non-Final Rejection mailed — §103
Mar 23, 2026
Response Filed
Jun 09, 2026
Final Rejection mailed — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12683988
MANAGING INTRUSION EVENTS USING A MANAGEMENT CONTROLLER
2y 2m to grant Granted Jul 14, 2026
Patent 12670291
PREDICTING LIKELIHOOD OF AND PREVENTING END USERS INAPPROPRIATELY INPUTTING SENSITIVE DATA
3y 10m to grant Granted Jun 30, 2026
Patent 12659294
EXTENDING CLOUD-BASED VIRTUAL PRIVATE NETWORKS TO USER EQUIPMENT ON RADIO-BASED NETWORKS
4y 6m to grant Granted Jun 16, 2026
Patent 12634277
ACCESS CONTROL SYSTEM AND METHOD THEREOF
3y 11m to grant Granted May 19, 2026
Patent 12634305
UNSUPERVISED GAN-BASED INTRUSION DETECTION SYSTEM USING TEMPORAL CONVOLUTIONAL NETWORKS, SELF-ATTENTION, AND TRANSFORMERS
2y 6m to grant Granted May 19, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

5-6
Expected OA Rounds
81%
Grant Probability
96%
With Interview (+15.0%)
3y 2m (~3m remaining)
Median Time to Grant
High
PTA Risk
Based on 869 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month