Prosecution Insights
Last updated: July 17, 2026
Application No. 18/290,274

Categorizing a New User in an Information Technology System

Non-Final OA §102§103
Filed
Nov 10, 2023
Priority
May 11, 2021 — nonprovisional of PCTSE2021050444
Examiner
MORALES, PEDRO JESUS
Art Unit
2124
Tech Center
2100 — Computer Architecture & Software
Assignee
Telefonaktiebolaget LM Ericsson
OA Round
1 (Non-Final)
67%
Grant Probability
Favorable
1-2
OA Rounds
1y 0m
Est. Remaining
99%
With Interview

Examiner Intelligence

Grants 67% — above average
67%
Career Allowance Rate
8 granted / 12 resolved
+11.7% vs TC avg
Strong +50% interview lift
Without
With
+50.0%
Interview Lift
resolved cases with interview
Typical timeline
3y 8m
Avg Prosecution
14 currently pending
Career history
33
Total Applications
across all art units

Statute-Specific Performance

§101
2.7%
-37.3% vs TC avg
§103
93.2%
+53.2% vs TC avg
§112
2.7%
-37.3% vs TC avg
Black line = Tech Center average estimate • Based on career data from 12 resolved cases

Office Action

§102 §103
DETAILED ACTION This non-final office action is responsive to application 18/290,274 as submitted on 10 November 2023. Claim status is currently pending and under examination for claims 1-20 of which independent claims are 1, 11 and 19. Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Claim Rejections - 35 USC § 102 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action: A person shall be entitled to a patent unless – (a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention. Claims 1-6, 8-16 and 18-20 are rejected under 35 U.S.C. 102a(1) as being anticipated by Nathezhtha et al. (“Cloud Insider Attack Detection Using Machine Learning”), hereinafter Nathezhtha. Regarding Claim 1, Nathezhtha teaches: A categorizing device (32) for categorizing a new user (U1) in an information technology system (10) ((P. 60, Abstract) “proposed ILSTM not only identifies an anomaly node but also finds whether a misbehaving node is a broken node or a new user node or a compromised node using the calculated trust factor. The proposed model not only detects the attack accurately but also reduces the false alarm in the cloud network” A computer (‘categorizing device’) is implied by using an ILSTM model to classify new user nodes.), the categorizing device (32) comprising a processor (40) acting on computer instructions (44) whereby said categorizing device (32) is operative to (A computer (‘categorizing device’) is implied by using an ILSTM model, which further implies a processor executing computer instructions.): obtain user behaviour data of at least one known user of the system, which at least one known user is similar to the new user (U1) ((P. 63, Sec. IV, ¶3) “The details in the comparable users database is used to find whether the new user is malicious node or not. The model compares the behavior of similar users with the newly joined user and their transactions until the necessary personal behavior data is produced by the new entity”); provide the user behaviour data of the at least one known user as comparable user behaviour data (CUBD) for application in a cell (93) of a long short-term memory architecture provided for the new user (U1) ((P. 62, Sec. III, ¶3) “A concatenation layer (Bi) does not exists in LSTM. The concatenation layer is added to this state which provides additional information about the comparable cell state, using these values the new user node can be classified as either malicious node or a normal node, the value of Bi is calculated” (P. 62, Sec. III, Last Paragraph) “In ILSTM, when the states of the user lack, it compares the transaction of the user with the data of other similar users and also analyzes the transaction history of the user to categorize a normal user from an attacker. So the comparable user behavior data is also recorded and stored in a memory cell along with their transaction history so that a compromised user can easily be identified even if the compromised node is a newly joined user”); and obtain a categorization (CAT) of the new user (U1), which categorization has been made based on said application of the comparable user behaviour data (CUBD) in the cell (93) of the long short-term memory architecture ((P. 62, Sec. III, ¶3) “A concatenation layer (Bi) does not exists in LSTM. The concatenation layer is added to this state which provides additional information about the comparable cell state, using these values the new user node can be classified as either malicious node or a normal node, the value of Bi is calculated” (P. 63, Sec. IV, ¶3) “comparable user’s behavior data (Bi) … The ILSTM calculates the value of a user behavior data and value of a comparable user behavior data using UPDB and CUDB database. …The CUDB is the comparable user’s behavior data”). Regarding Claims 2 and 12, Nathezhtha teaches: The categorizing device (32) according to claim 1, wherein the comparable user behaviour data (CUBD) of the at least one known user is provided for application in a similar user gate layer (100) of the cell (93) and the categorization (CAT) is based on an output (Bt) of the similar user gate layer (100) ((P. 61-62, Sec. III, Last Paragraph) “ILSTM follows the basic structure of LSTM for adding deleting and maintaining the information. A new layer has been added to the second gate which is used to maintain additional information to identify the trustworthiness of the new user nodes” (P. 62, Sec. III, ¶3) “the tanh layer creates a new value that updates the old cell state into a new cell state(equation (3)). … A concatenation layer (Bi) does not exists in LSTM. The concatenation layer is added to this state which provides additional information about the comparable cell state, using these values the new user node can be classified as either malicious node or a normal node, the value of Bi is calculated using equation (4) … B i =   σ ( W B t ( c o t - 1 ,   o i t +   b B t ) ” (P. 62, Sec. III, ¶4) “The value of the current state (CSt) is computed by multiplying the forget gate value with the value of the old state (CSt-1) and adding the multiplied value of input gate and tanh layer” (P. 62, Sec. III, ¶6) “ c o t =   o g t * t a n h ⁡ ( C S t ) … c o t is the current output value” A concatenation layer B i is added to a second gate (input gate) and uses a sigmoid function σ to produce an output B i , therefore layer B i is a similar user gate layer. Layer B i is added to new cell state (current state CSt) and current state CSt is used to calculate output value c o t , therefore categorization is based on an output of the similar user gate layer.). Regarding Claims 3 and 13, Nathezhtha teaches: The categorizing device (32) according to claim 2, wherein the similar user gate layer (100) is a sigmoid gate layer ((P. 62, Sec. III, ¶3) “the value of Bi is calculated using equation (4) … B i =   σ ( W B t ( c o t - 1 ,   o i t +   b B t ) ”). Regarding Claims 4 and 14, Nathezhtha teaches: The categorizing device (32) according claim 2, wherein the categorization (CAT) is based on a temporary trustworthiness indicator (TTI) for the new user (U1) ((P. 63, Sec. IV, ¶4-5) “Since the model is trained automatically there might be lack of data for a new user, to avoid unwanted alert generation for new user, node whose time is lesser than the number of training days i.e. when threshold value is lesser than G and ut is lesser than T, a temporary trust factor is calculated as given below PNG media_image1.png 75 427 media_image1.png Greyscale If the equation (9) produces a positive value then it is considered to be a normal user behavior … if ttf is around 0 then it is considered to be a broken node if the value of ttf is negative an anomaly detection alarm is raised to the server”), which temporary trustworthiness indicator is based on the output (Bt) of the similar user gate layer (100) (Equation 9 for calculating a temporary trust factor uses an output B i . See (P. 62, Sec. III, ¶3) describing an output B i of the concatenation layer B i is calculated using a sigmoid function.). Regarding Claims 5 and 15, Nathezhtha teaches: The categorizing device (32) according to claim 2, being further operative to obtain personal user behaviour data (PUBD) of the new user (U1) and provide the personal user behaviour data (PUBD) for application in said cell (93) ((P. 61, Sec. II, Last Paragraph) “The proposed model automatically trains itself based on both the behavioral process of a user personal data and comparable user data. … The ILSTM approach is used to predict the behavior of a user based on the behavior data” (P. 62, Sec. III, ¶3) “The next layer is an input gate (igt) and a tanh layer (Ci) which decides about the information stored in the cell. The input gate is responsible to decide whether the information needs to be updated or not. The information is updated based on the value produced from equation (2) … PNG media_image2.png 68 786 media_image2.png Greyscale ” (P. 62, Sec. III, ¶6) “cot-1 is the previous input, cit is the input value”), said application comprising applying the personal user behaviour data (PUBD) in an input gate layer (96) and a new candidate state layer (98) of the cell (93) ((P. 62, Sec. III, ¶3) “The next layer is an input gate (igt) and a tanh layer (Ci) which decides about the information stored in the cell. The input gate is responsible to decide whether the information needs to be updated or not … the tanh layer creates a new value that updates the old cell state into a new cell state(equation (3)). tanh layer is a vector of new candidate value. … PNG media_image3.png 37 509 media_image3.png Greyscale ” Input information (input value cit) is applied to an input gate and tanh layer (‘new candidate state layer’).) and combining an output (it) of the input gate layer (96) with an output (Ct) of the new candidate state layer (98) and with the output (Bt) of the similar user gate layer (100) in order to obtain a cell output (ht) ((P. 62, Sec. III, ¶3) “the tanh layer creates a new value that updates the old cell state into a new cell state(equation (3)). … A concatenation layer (Bi) does not exists in LSTM. The concatenation layer is added to this state which provides additional information about the comparable cell state … the value of Bi is calculated using equation (4)” (P. 62, Sec. III, ¶4) “The value of the current state (CSt) is computed by multiplying the forget gate value with the value of the old state (CSt-1) and adding the multiplied value of input gate and tanh layer” (P. 62, Sec. III, ¶6) “ c o t =   o g t * t a n h ⁡ ( C S t ) … c o t is the current output value” An output B i of concatenation layer B i (‘similar user gate layer’) is added to new cell state (current state CSt). Current state CSt is computed by adding the multiplied value of input gate and tanh layer, therefore current state CSt combines an output of an input gate layer with an output of a new candidate state layer (tanh layer) with an output of a similar user gate layer. The current state CSt is used to calculate output value c o t (‘cell output’).). Regarding Claims 6 and 16, Nathezhtha teaches: The categorizing device (32) according to claim 5, wherein the categorization (CAT) is based on a regular trustworthiness indicator (TI) of the user (U1) ((P. 63, Sec. IV, ¶2) “All the cloud users are assigned a trust factor (tf) … if the trust factor is greater than G (G is the threshold fixed by a service provider to identify an authorized user) then it is assumed to be a normal user activity else an anomaly detection suspicion is raised”), which regular trustworthiness indicator (TI) is determined based on the cell output (ht) and the similar user gate layer output (Bt) ((P. 63, Sec. IV, ¶3) “ t f =   c o t +   B i +   t l t   … The trust factor is calculated by taking the output value cot and comparable user’s behavior data (Bi) and the threshold of transaction history value of the user node(tlt). … If the trust factor of the user is greater than G then the user is considered to be a normal user, if the tf is lesser than G then the user is suspected to be an abnormal node” See (P. 62, Sec. III, ¶3) describing an output B i of the concatenation layer B i (‘similar user gate layer’) is calculated using a sigmoid function.). Regarding Claim 8, Nathezhtha teaches: The categorizing device (32) according to claim 1, wherein the categorization (CAT) is a categorization of the new user as a normal user, as a broken user or as a malicious user ((P. 60, Abstract) “The proposed ILSTM not only identifies an anomaly node but also finds whether a misbehaving node is a broken node or a new user node or a compromised node using the calculated trust factor”). Regarding Claims 9 and 18, Nathezhtha teaches: The categorizing device (32) according to claim 1, being further operative to perform an activity in the information technology system (10) based on the categorization (CAT) ((P. 63, Sec. IV, ¶1) “The output value reduces from 1 when a value reaches to 0 it can either be a broken node or a malicious node. In this case, the recorded transaction history of the user is referred. If the transaction value (tlt) contains positive value then the node is referred to be a legal but broken node. If the output value is -1 then a malicious insider existence is confirmed. Fig.3 shows the detection and alert generation of a compromised user” See Figure 3 on P. 63 depicting an alert is generated after a user is classified as anomalous (malicious).). Regarding Claim 10, Nathezhtha teaches: The categorizing device (32) according to claim 1, wherein said at least one known user that is similar to the new user is a user having the same quality of service in the information technology system (10) ((P. 63, Sec. IV, ¶3) “The trust factor is calculated by taking the output value cot and comparable user’s behavior data (Bi) and the threshold of transaction history value of the user node(tlt). … The transaction value(tlt) is calculated based on the number of transactions made by the user in the cloud. It takes the number of file uploads, downloads and data transfer rate by a single user. … the threshold value is calculated based on comparing a user’s transaction with the other user’s transaction belonging to the same domain” (P. 65, Sec. V, Last Paragraph) “Based on the similarity of the behavior and transaction value the node is classified as either malicious or normal node” The data transfer rates of a new user and other users belonging to the same domain are compared to determine a trust factor. Data transfer rates measure the speed a user can upload or download data from a cloud server, therefore a low or high data transfer rate indicates the quality of a user’s connection to a cloud server (and therefore a data transfer rate is a measurement of quality of service).). Regarding Claim 11, the rejection of claim 1 is incorporated. The difference in scope being: A method of categorizing a new user (U1) in an information technology system (10), the method ((P. 60, Abstract) “proposed ILSTM not only identifies an anomaly node but also finds whether a misbehaving node is a broken node or a new user node or a compromised node using the calculated trust factor. The proposed model not only detects the attack accurately but also reduces the false alarm in the cloud network”). Regarding Claim 19, the rejection of claim 1 is incorporated. The difference in scope being: A computer program … the computer program comprising computer program code (44) which when run by a processor (40) of a categorizing device (32), causes the categorizing device (32) to ((P. 60, Abstract) “proposed ILSTM not only identifies an anomaly node” A computer (‘categorizing device’) is implied by using an ILSTM model to classify nodes, which further implies a processor executing computer program code.). Regarding Claim 20, Nathezhtha teaches: A computer program product for categorizing a new user in an information technology system (10), the computer program product comprising a data carrier (128) with said computer program code (44) according to claim 19 ((P. 60, Abstract) “proposed ILSTM not only identifies an anomaly node but also finds whether a misbehaving node is a broken node or a new user node” A computer is implied by using an ILSTM model, which further implies a computer program product comprising a hard drive (‘data carrier’) that stores computer program code.). Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 7 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Nathezhtha in view of Esman (US 11450419 B1). Regarding Claims 7 and 17, Nathezhtha teaches: The categorizing device (32) according to claim 6, wherein the current regular trustworthiness indicator (TI) is formed based on a current sum of the cell output (ht) with a current similar user gate layer output (Bt) ((P. 63, Sec. IV, ¶3) “ t f =   c o t +   B i +   t l t   … The trust factor is calculated by taking the output value cot and comparable user’s behavior data (Bi)”). However, Nathezhtha does not teach comparing a trustworthiness indicator with a middle point of clusters of regular trustworthiness indicators, which is taught by Esman: wherein the categorization (CAT) that is based on the regular trustworthiness indicator (TI) is based on a comparison of a current regular trustworthiness indicator (TI) with a middle point of clusters (Cm) of regular trustworthiness indicators ((Col. 145, Lines 34-53) “the healthcare privacy analytics application uses a k-means clustering algorithm to cluster the plurality of feature vectors. … Using the clustering algorithm, the healthcare privacy analytics application identifies a centroid of the cluster and determines each vertices' distances away from the centroid of the cluster and compares the determined value with a threshold value. In one embodiment, the healthcare privacy analytics application flags, or otherwise indicates, each vertex whose distance from the centroid of the cluster are less than the threshold value as being “Typical” or “Expected.” In contrast, the healthcare privacy analytics application flags, or otherwise indicates, each vertex whose distance from the centroid of the cluster are greater than the threshold value as an “Anomaly,” which indicates that the corresponding users are accessing, or otherwise interacting, with the patient records in the patient record systems in ways that are different, beyond an expected variance” (Col. 139, Lines 34-37) “Each feature of a user's feature vector is generally associated with a numerical value indicating a characteristic of the user's interactions with the medication dispensing system” Feature vectors are clustered and compared to a cluster centroid to classify a user’s behavior as anomalous if distance from a centroid exceeds a threshold, therefore feature vectors are regular trustworthiness indicators.). Esman teaches calculating distances from a cluster’s centroid to classify users as anomalous is a known method in the art. Before the effective filing date, it would have been obvious to a person of ordinary skill in the art to modify the detection system of Nathezhtha with the technique disclosed by Esman to perform clustering to classify user behavior. By performing clustering to classify user behavior, data can be grouped into clusters by using distance-based metrics, thereby reducing dimensionality and revealing hidden patterns. Conclusion Any inquiry concerning this communication or earlier communications from the examiner should be directed to PEDRO J MORALES whose telephone number is (571)272-6106. The examiner can normally be reached 8:30 AM - 6:00 PM. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, MIRANDA M HUANG can be reached at (571)270-7092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /PEDRO J MORALES/Examiner, Art Unit 2124 /VINCENT GONZALES/Primary Examiner, Art Unit 2124
Read full office action

Prosecution Timeline

Nov 10, 2023
Application Filed
Jun 08, 2026
Non-Final Rejection mailed — §102, §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12664036
ANOMALY DETECTION IN COMPUTER SYSTEMS
4y 0m to grant Granted Jun 23, 2026
Patent 12651179
REINFORCEMENT LEARNING MODEL FOR BALANCED UNIT RECOMMENDATION
4y 5m to grant Granted Jun 09, 2026
Patent 12639625
BIAS ADJUSTMENT DEVICE, INFORMATION PROCESSING DEVICE, INFORMATION PROCESSING METHOD, AND INFORMATION PROCESSING PROGRAM
4y 1m to grant Granted May 26, 2026
Patent 12591803
SYSTEMS AND METHODS FOR APPLYING MACHINE LEARNING BASED ANOMALY DETECTION IN A CONSTRAINED NETWORK
3y 11m to grant Granted Mar 31, 2026
Patent 12530412
SEARCH-QUERY SUGGESTIONS USING REINFORCEMENT LEARNING
4y 2m to grant Granted Jan 20, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

1-2
Expected OA Rounds
67%
Grant Probability
99%
With Interview (+50.0%)
3y 8m (~1y 0m remaining)
Median Time to Grant
Low
PTA Risk
Based on 12 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month