DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This is a Non-Final Office Action in response to application 18/300,344 entitled "SYSTEMS AND METHODS FOR OUTLIER DETECTION USING UNSUPERVISED MACHINE LEARNING MODELS TRAINED ON OVERSAMPLED DATA" filed on March 17, 2025, with claims 1-15 and 18-22 pending.
Status of Claims
Claims 1-4, 6-11, 14-15, and 18-20 have been amended and are hereby entered.
Claims 16-17 are cancelled.
Claims 21-22 are new
Claims 1-15 and 18-22 are pending and have been examined.
Response to Amendment
The amendment filed March 17, 2025, has been entered. Claims 1-15 and 18-22 remain pending in the application. Applicant’s amendments to the Specification, Drawings, and/or Claims have been noted in response to the Final Office Action mailed December 30, 2024.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on April 9, 2025 and June 23, 2025, are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the Examiner.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-15 and 18-22 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
Please see MPEP 2106 for additional information regarding Patent Subject Matter Eligibility Guidance.
Claims 1-15 and 18-22 are directed to a system, method/process, machine/apparatus, or composition of matter, which are/is one of the statutory categories of invention. (Step 1: YES).
The claimed invention is directed to an abstract idea without significantly more.
Independent Claim 1 recites:
“A system of improving access control to resources based on outlier detection using a … model that is … via…, based on an automatically triggered update routine, using oversampled …data of an initially-detected outlier, the system comprising:
comprising: in response to a first … model's prediction indicating that a first event of a plurality of events indicating …attempting to access an electronically accessible resource belongs to an outlier category, triggering an update routine for a second … model comprising a plurality of component models … to identify sub-categories of the outlier category, the update routine comprising:
generating a plurality of synthetic outlier events by oversampling the first event for use in updating the second …. model during an outlier detection process;
augmenting a set of outlier-event … data, including a plurality of prior outlier events previously detected by the first … model, with the plurality of synthetic outlier events, such that an amount of the augmented set of outlier-event … data corresponds to an amount of regular-event … data used to … the first … model;
updating the second … model via …. using the augmented set of outlier-event … data, during the outlier detection process but prior to providing the first event as input to the second … model, to generate an output indicating a respective multi-class result that events belong to, the multi-class result indicating a sub-category of a plurality of sub-categories of the outlier category;
receiving an event data set of the first event;
inputting the event data set of the first event into the second …model to generate a multi-class result indicating which sub-category of the plurality of sub-categories of the outlier category the first event belongs, wherein the second …. model is … via the …. using the augmented set of outlier-event … data;
generating, based on the multi-class result, a recommendation indicating an action to be performed based on the multi-class result for the first event;
and in response to the action indicating to suspend access to the electronically accessible resource, suspending the ….access to the electronically accessible resource.”
These limitations clearly relate to managing transactions/interactions between consumer/client, merchant, and/or financial institution. These limitations, under their broadest reasonable interpretation, cover performance of the limitation as certain methods of organizing human activity. Specific instances include instructing to “generating… for output a recommended subset …wherein the recommended subset comprises events determined to belong to the outlier category”.
The Specification defines an event as:
[036] an event may include a specific occurrence, incident, or situation …events may include a transaction, an offer relating to a (tangible or intangible) product or service, an acceptance of an offer, a series of transactions/offers/acceptances/occurrences within a time period that share at least one common character (e.g., a series of transactions involving a same user, a same merchant, a same credit card, a same account (banking, email, etc.), a same buyer, a same seller, a same geographic location, a same stock, a same class of products, a same company, a same financial institute, or the like
[038] events are credit card transactions
As such, the limitation recites a fundamental economic principles or practice and/or commercial or legal interactions. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation as a fundamental economic, commercial, or financial action, principle, or practice then it falls within the “Certain Methods of Organizing Human Activity” grouping of abstract ideas. Accordingly, the claim recites an abstract idea. (Step 2A-Prong 1: YES. The claims recite an abstract idea).
This judicial exception is not integrated into a practical application. In particular, the claims recite the additional elements of:
[one or more processors and non-transitory, computer-readable media storing instructions that, when executed by the one or more processors, cause operations][client device's][ a client device]:
merely applying computer processing, storage, and networking technology as tools to perform an abstract idea
[machine learning][unsupervised machine learning][training/train]:
merely applying machine learning technology as tools to perform an abstract idea
are recited at a high-level of generality (i.e., as a generic processor performing a generic computer function) such that it amounts no more than mere instructions to apply the exception using a generic computer components and/or electronic processes. For example, the Applicant’s Specification reads:
[020] system 100 may include mobile device 122 and user terminal 124....mobile device 122 and user terminal 124 may be any computing device, including, but not limited to, a laptop computer, a tablet computer, a handheld computer, and other computer equipment (e.g., a server)...and/or mobile devices.
[021] The control circuitry may comprise any suitable processing, storage, and/or I/O circuitry.
Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. The additional elements merely add instructions to implement an abstract idea on a computer, or merely uses a computer as a tool to perform an abstract idea, see MPEP 2106.05(f). Accordingly, these additional elements, when considered separately and as an ordered combination, do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea and are at a high level of generality. Therefore, Claim 1 is directed to an abstract idea without a practical application. (Step 2A-Prong 2: NO. The additional claimed elements are not integrated into a practical application)
Accordingly, these additional elements, do not change the outcome of the analysis, when considered separately and as an ordered combination. The independent claim further define the abstract idea that is present and hence are abstract for the reasons presented above. The independent claim does not include any additional elements that integrate the abstract idea into a practical application or are sufficient to amount to significantly more than the judicial exception when considered both individually and as an ordered combination. Therefore, the independent claim is directed to an abstract idea. Thus, the claim is not patent eligible. (Step 2B: NO. The claims do not provide significantly more)
Independent Claim 2 recites:
“method of improving access control to resources based on outlier detection using a …model that is…, based on an automatically triggered update routine, using oversampled training data of an initially-detected outlier, the method comprising:
in connection with a first … model's prediction indicating that an event associated with a client device attempting to access an electronically accessible resource belongs to an outlier category, triggering an update routine for a second …. model trained to determine sub-categories of the outlier category, the update routine comprising:
generating a plurality of synthetic outlier events based on oversampling the event;
augmenting a set of outlier-event … data, including a plurality of prior outlier events, with the plurality of synthetic outlier events, such that an amount of the augmented set of outlier-event … data corresponds to an amount of regular-event … data used to … the first …. model;
updating the second …. model, …, using the augmented set of outlier-event training data to generate outputs indicating a respective multi-class result that events belong to, the multi-class result indicating a sub-category of a plurality of sub-categories of the an outlier category;
receiving an event data set of the event;
inputting the event data set of the event to the second … model to generate a multi-class result indicating which sub-category of the plurality of sub-categories of the outlier category the event belongs, wherein the second …. model is …. using the augmented set of outlier-event … data;
generating, based on the multi-class result, a recommendation indicating an action to be performed based on the multi-class result;
and in response to the action indicating to suspend access to the electronically accessible resource, suspending the access to the electronically accessible resource.”
These limitations clearly relate to managing transactions/interactions between consumer/client, merchant, and/or financial institution. These limitations, under their broadest reasonable interpretation, cover performance of the limitation as certain methods of organizing human activity. Specific instances include instructing to “generating… for output an identifier of the event”.
The Specification defines an event as:
[036] an event may include a specific occurrence, incident, or situation …events may include a transaction, an offer relating to a (tangible or intangible) product or service, an acceptance of an offer, a series of transactions/offers/acceptances/occurrences within a time period that share at least one common character (e.g., a series of transactions involving a same user, a same merchant, a same credit card, a same account (banking, email, etc.), a same buyer, a same seller, a same geographic location, a same stock, a same class of products, a same company, a same financial institute, or the like
[038] events are credit card transactions
As such, the limitation recites a fundamental economic principles or practice and/or commercial or legal interactions. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation as a fundamental economic, commercial, or financial action, principle, or practice then it falls within the “Certain Methods of Organizing Human Activity” grouping of abstract ideas. Accordingly, the claim recites an abstract idea. (Step 2A-Prong 1: YES. The claims recite an abstract idea).
This judicial exception is not integrated into a practical application. In particular, the claims recite the additional elements of:
[client device's]:
merely applying computer processing, storage, and networking technology as tools to perform an abstract idea
[machine learning] [trained via unsupervised machine learning][training] [train] [via unsupervised machine learning]:
merely applying machine learning technology as tools to perform an abstract idea
are recited at a high-level of generality (i.e., as a generic processor performing a generic computer function) such that it amounts no more than mere instructions to apply the exception using a generic computer components and/or electronic processes. For example, the Applicant’s Specification reads:
[020] system 100 may include mobile device 122 and user terminal 124....mobile device 122 and user terminal 124 may be any computing device, including, but not limited to, a laptop computer, a tablet computer, a handheld computer, and other computer equipment (e.g., a server)...and/or mobile devices.
[021] The control circuitry may comprise any suitable processing, storage, and/or I/O circuitry.
Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. The additional elements merely add instructions to implement an abstract idea on a computer, or merely uses a computer as a tool to perform an abstract idea, see MPEP 2106.05(f). Accordingly, these additional elements, when considered separately and as an ordered combination, do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea and are at a high level of generality. Therefore, Claim 2 is directed to an abstract idea without a practical application. (Step 2A-Prong 2: NO. The additional claimed elements are not integrated into a practical application)
Accordingly, these additional elements, do not change the outcome of the analysis, when considered separately and as an ordered combination. The independent claim further define the abstract idea that is present and hence are abstract for the reasons presented above. The independent claim does not include any additional elements that integrate the abstract idea into a practical application or are sufficient to amount to significantly more than the judicial exception when considered both individually and as an ordered combination. Therefore, the independent claim is directed to an abstract idea. Thus, the claim is not patent eligible. (Step 2B: NO. The claims do not provide significantly more)
Dependent Claims recite additional elements.
This judicial exception is not integrated into a practical application. In particular, the recited additional elements of
Claim 3:
“machine learning”: merely applying machine learning technology as tools to perform an abstract idea
Claim 4:
“machine learning”: merely applying machine learning technology as tools to perform an abstract idea
Claim 5:
“user interface”: merely applying computer processing, networking, and display technologies as a tool to perform an abstract idea
Claim 6:
“machine learning”: merely applying machine learning technology as tools to perform an abstract idea
Claim 7:
“machine learning”: merely applying machine learning technology as tools to perform an abstract idea
Claim 8:
“machine learning”: merely applying machine learning technology as tools to perform an abstract idea
Claim 9:
“machine learning”: merely applying machine learning technology as tools to perform an abstract idea
Claim 10:
“machine learning”, “trained”: merely applying machine learning technology as tools to perform an abstract idea
Claim 11:
“machine learning”: merely applying machine learning technology as tools to perform an abstract idea
Claim 12: (none found: does not include additional elements and merely narrows the abstract idea)
Claim 13:
“training an unsupervised machine learning”, “training”: merely applying machine learning technology as tools to perform an abstract idea
Claim 14:
“machine learning”, “training”: merely applying machine learning technology as tools to perform an abstract idea
Claim 15:
“using control circuitry”: merely applying computer processing, networking, and display technologies as a tool to perform an abstract idea
“machine learning”, “trained”: merely applying machine learning technology as tools to perform an abstract idea
are recited at a high-level of generality (i.e., as a generic processor performing a generic computer function) such that it amounts no more than mere instructions to apply the exception using a generic computer components and/or electronic processes. For example, the Applicant’s Specification reads:
[020] system 100 may include mobile device 122 and user terminal 124....mobile device 122 and user terminal 124 may be any computing device, including, but not limited to, a laptop computer, a tablet computer, a handheld computer, and other computer equipment (e.g., a server)...and/or mobile devices.
[021] The control circuitry may comprise any suitable processing, storage, and/or I/O circuitry.
Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. The additional elements merely add instructions to implement an abstract idea on a computer, or merely uses a computer as a tool to perform an abstract idea, see MPEP 2106.05(f). Accordingly, these additional elements, when considered separately and as an ordered combination, do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea and are at a high level of generality. Therefore, the claim is directed to an abstract idea without a practical application. (Step 2A-Prong 2: NO. The additional claimed elements are not integrated into a practical application)
Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. The additional elements merely add instructions to implement an abstract idea on a computer, or merely uses a computer as a tool to perform an abstract idea, see MPEP 2106.05(f). Accordingly, these additional elements, do not change the outcome of the analysis, when considered separately and as an ordered combination. Dependent claims further define the abstract idea that is present in their respective independent claims and hence are abstract for the reasons presented above. The dependent claims do not include any additional elements that integrate the abstract idea into a practical application or are sufficient to amount to significantly more than the judicial exception when considered both individually and as an ordered combination. Therefore, the dependent claims are directed to an abstract idea. Thus, the dependent claims are not patent eligible. (Step 2B: NO. The claims do not provide significantly more)
Independent Claim 18 recites:
“A … comprising: in connection with a first … model's prediction indicating that an event associated with an accessing of an electronically accessible resource belongs to an outlier category, triggering an update routine for a second … model trained to determine a sub-category of the outlier category, the update routine comprising:
generating a plurality of synthetic outlier events based on oversampling the event;
augmenting a set of outlier-event … data, including a plurality of prior outlier events, with the plurality of synthetic outlier events;
updating the second …. model, …, using the augmented set of outlier-event … data, to generate outputs indicating a respective multi-class result that events belong to, the multi-class result indicating a sub-category of a plurality of sub-categories of the outlier category;
inputting an event data set of the event to the second … model to generate a multi-class result indicating which sub-category of the plurality of sub-categories of the outlier category the event belongs, wherein the second … model is … … on the augmented set of outlier-event training data;
generating based on the multi-class result, a recommendation indicating an action to be performed based on the multi-class result;
and in response to the action indicating to suspend access to the electronically accessible resource, suspending the access to the electronically accessible resource.”
These limitations clearly relate to managing transactions/interactions between consumer/client, merchant, and/or financial institution. These limitations, under their broadest reasonable interpretation, cover performance of the limitation as certain methods of organizing human activity. Specific instances include instructing to “generating for output an identifier of the event”.
The Specification defines an event as:
[036] an event may include a specific occurrence, incident, or situation …events may include a transaction, an offer relating to a (tangible or intangible) product or service, an acceptance of an offer, a series of transactions/offers/acceptances/occurrences within a time period that share at least one common character (e.g., a series of transactions involving a same user, a same merchant, a same credit card, a same account (banking, email, etc.), a same buyer, a same seller, a same geographic location, a same stock, a same class of products, a same company, a same financial institute, or the like
[038] events are credit card transactions
As such, the limitation recites a fundamental economic principles or practice and/or commercial or legal interactions. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation as a fundamental economic, commercial, or financial action, principle, or practice then it falls within the “Certain Methods of Organizing Human Activity” grouping of abstract ideas. Accordingly, the claim recites an abstract idea. (Step 2A-Prong 1: YES. The claims recite an abstract idea).
This judicial exception is not integrated into a practical application. In particular, the claims recite the additional elements of:
[non-transitory computer-readable media comprising instructions that, when executed by one or more processors, cause operations]:
merely applying computer processing, storage, and networking technology as tools to perform an abstract idea
[machine learning] [via unsupervised machine learning][trained via the unsupervised machine learning] [training] [machine learning]:
merely applying machine learning technology as tools to perform an abstract idea
are recited at a high-level of generality (i.e., as a generic processor performing a generic computer function) such that it amounts no more than mere instructions to apply the exception using a generic computer components and/or electronic processes. For example, the Applicant’s Specification reads:
[020] system 100 may include mobile device 122 and user terminal 124....mobile device 122 and user terminal 124 may be any computing device, including, but not limited to, a laptop computer, a tablet computer, a handheld computer, and other computer equipment (e.g., a server)...and/or mobile devices.
[021] The control circuitry may comprise any suitable processing, storage, and/or I/O circuitry.
Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. The additional elements merely add instructions to implement an abstract idea on a computer, or merely uses a computer as a tool to perform an abstract idea, see MPEP 2106.05(f). Accordingly, these additional elements, when considered separately and as an ordered combination, do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea and are at a high level of generality. Therefore, Claim 18 is directed to an abstract idea without a practical application. (Step 2A-Prong 2: NO. The additional claimed elements are not integrated into a practical application)
Accordingly, these additional elements, do not change the outcome of the analysis, when considered separately and as an ordered combination. The independent claim further define the abstract idea that is present and hence are abstract for the reasons presented above. The independent claim does not include any additional elements that integrate the abstract idea into a practical application or are sufficient to amount to significantly more than the judicial exception when considered both individually and as an ordered combination. Therefore, the independent claim is directed to an abstract idea. Thus, the claim is not patent eligible. (Step 2B: NO. The claims do not provide significantly more)
Dependent Claims recite additional elements.
This judicial exception is not integrated into a practical application. In particular, the recited additional elements of
Claim 19:
“non-transitory computer-readable media”: merely applying computer processing, networking, and display technologies as a tool to perform an abstract idea
“machine learning”, “trained”: merely applying machine learning technology as tools to perform an abstract idea
Claim 20:
“non-transitory computer-readable media”: merely applying computer processing, networking, and display technologies as a tool to perform an abstract idea
“machine learning”, “support vector machine (SVM)”: merely applying machine learning technology as tools to perform an abstract idea
Claim 21:
“non-transitory computer-readable media”: merely applying computer processing, networking, and display technologies as a tool to perform an abstract idea
“machine learning”, “majority expert”, “trained”, “training”: merely applying machine learning technology as tools to perform an abstract idea
Claim 22:
“non-transitory computer-readable media”: merely applying computer processing, networking, and display technologies as a tool to perform an abstract idea
“machine learning”, “training”: merely applying machine learning technology as tools to perform an abstract idea
are recited at a high-level of generality (i.e., as a generic processor performing a generic computer function) such that it amounts no more than mere instructions to apply the exception using a generic computer components and/or electronic processes. For example, the Applicant’s Specification reads:
[020] system 100 may include mobile device 122 and user terminal 124....mobile device 122 and user terminal 124 may be any computing device, including, but not limited to, a laptop computer, a tablet computer, a handheld computer, and other computer equipment (e.g., a server)...and/or mobile devices.
[021] The control circuitry may comprise any suitable processing, storage, and/or I/O circuitry.
Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. The additional elements merely add instructions to implement an abstract idea on a computer, or merely uses a computer as a tool to perform an abstract idea, see MPEP 2106.05(f). Accordingly, these additional elements, when considered separately and as an ordered combination, do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea and are at a high level of generality. Therefore, the claim is directed to an abstract idea without a practical application. (Step 2A-Prong 2: NO. The additional claimed elements are not integrated into a practical application)
Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. The additional elements merely add instructions to implement an abstract idea on a computer, or merely uses a computer as a tool to perform an abstract idea, see MPEP 2106.05(f). Accordingly, these additional elements, do not change the outcome of the analysis, when considered separately and as an ordered combination. Dependent claims further define the abstract idea that is present in their respective independent claims and hence are abstract for the reasons presented above. The dependent claims do not include any additional elements that integrate the abstract idea into a practical application or are sufficient to amount to significantly more than the judicial exception when considered both individually and as an ordered combination. Therefore, the dependent claims are directed to an abstract idea. Thus, the dependent claims are not patent eligible. (Step 2B: NO. The claims do not provide significantly more)
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-4, 10-14, 18 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Wong (“TRAINING A MACHINE LEARNING SYSTEM FOR TRANSACTION DATA PROCESSING”, U.S. Publication Number: 20230118240 A1), in view of Saeed (“NETWORK ANOMALY DETECTION”, U.S. Publication Number: 20230125203 A1).
Regarding Claim 1,
Wong teaches,
A system of improving access control to resources based on outlier detection using a machine learning model that is trained via unsupervised machine learning, based on an automatically triggered update routine,
(Wong [0143] There are a number of comparative approaches to detecting anomalies in data sets. These include unsupervised outlier detection, a Synthetic Minority Over-sampling Technique (SMOTE), the “Snorkel” system
Wong [0006] data that is siloed or partitioned based on access security
Wong [0002] applying machine learning systems to transaction data.)
using oversampled
(Wong [0143] There are a number of comparative approaches to detecting anomalies in data sets. These include...a Synthetic Minority Over-sampling Technique (SMOTE))
training data of an initially-detected outlier,
(Wong [0144] In unsupervised outlier detection,...where the features are input to an anomaly detection system, which is configured to identify features that...are outliers relative to the overall data distribution of those features.
Wong [0061] the model initialisation operation may comprise loading a defined machine learning model and parameters that instantiate the defined machine learning model
Wong [Abstract] obtaining a training set of data samples)
the system comprising: one or more processors and non-transitory, computer-readable media storing instructions that, when executed by the one or more processors, cause operations
(Wong [0033] memory references to a function initiated via a method call, where the function comprises computer program code that is executed by one or more processors; in a hardware implementation, an interface may comprise a wired interconnect)
comprising: in response to a first machine learning model's prediction indicating that a first event of a plurality of events indicating a client device attempting to access an electronically accessible resource
(Wong [0040] neural network architectures ...may be trained using an approach called backpropagation. During backpropagation, the neural network layers that make up each neural network architecture are initialized .... and then used to make a prediction using a set of input data from a training set
Wong [0149] help determine whether a malicious third party has gained access to payment data
Wong [0032] transaction data may be used broadly to refer actions taken with respect to one or more electronic devices.)
generating a plurality of synthetic outlier events
(Wong [0116] the partitioned data samples 1030 are passed to a synthetic data generation stage 1040. During the synthetic data generation stage 1040, a set of synthetic data samples 1050 is generated)
by oversampling
(Wong [0143] There are a number of comparative approaches to detecting anomalies in data sets. These include...a Synthetic Minority Over-sampling Technique (SMOTE))
the first event for use in updating the second machine learning model during an outlier detection process;
(Wong [0150] The output of the machine learning system may be used as is, or provide the basis for a further pipeline of processing (e.g., as an input feature to another machine learning system trained to predict other output data).
Wong [0025] an indication of whether a transaction or entity is “normal” or “anomalous” ... that is then useable to prevent fraud ....machine learning systems may apply machine learning models that are updated as more transaction data is obtained, e.g. that are constantly trained based on new data)
augmenting a set of outlier-event training data, including a plurality of prior outlier events previously detected by the first machine learning model, with the plurality of synthetic outlier events, such that an amount of the augmented set of outlier-event training data corresponds to an amount of regular-event training data used to train the first machine learning model;
(Wong [0116] The synthetic data samples 1050 thus comprise mixed pairs 1052, 1054 from the first and second set of features 1032, 1034.
Wong [0117] Following the synthetic data generation stage 1040, the original partitioned data 1030 and the synthetic data samples 1050 are passed to a data labelling stage 1060. ... The augmented data set 1070 may then be used to train a binary classifier that implements the machine learning system of previous examples.
Wong [0125] At block 1208, synthetic data samples are generated by combining features from the two feature sets that respectively relate to two different ones of the set of uniquely identifiable entities. For example, each data sample may be directly ...or indirectly...associated with a particular uniquely identifiable entity
Wong [0128] the observable features are derived from a function of transaction data within a predefined temporal window for the current transaction. For example, this may comprise a defined time range (such as within 24 hours) and/or a defined number of transactions (e.g., the last 3 actions). )
updating the second machine learning model via unsupervised machine learning using the augmented set of outlier-event training data, during the outlier detection process but prior to providing the first event as input to the second machine learning model
(Wong [0150] data augmentation method for training that synthesises binary labels for unlabelled historical training data. ...Once trained on this augmented dataset, the machine learning system may be applied to new data samples {C*, O*} to determine if an anomaly is present. The output of the machine learning system may be used as is, or provide the basis for a further pipeline of processing (e.g., as an input feature to another machine learning system trained to predict other output data).
Wong [0061] the machine learning system 508 may perform any defined pre-processing prior to application of the machine learning model)
receiving an event data set of the first event;
(Wong [0044] The machine learning server 150 implements a machine learning system 160 for the processing of transaction data. The machine learning system 160 is arranged to receive input data 162 and to map this to output data 1...the machine learning system 160 receives at least transaction data associated with the particular transaction)
generating, based on the multi-class result a recommendation indicating an action to be performed based on the multi-class result for the first event
(Wong [0044] determine whether the transaction is to be authorised (i.e., approved) or declined.)
and in response to the action indicating to suspend access to the electronically accessible resource, suspending the client device's access to the electronically accessible resource.
(Wong [0042] a set of client devices 110 that are configured to initiate a transaction.
Wong [0032] transaction data may be used broadly to refer actions taken with respect to one or more electronic devices.
Wong [0139] This may comprise generating control data to control whether at least one transaction within the transaction data is...denied based on the value output... a threshold may be applied to the output...and values higher than the threshold (representing an “anomaly”) may be declined)
Wong does not explicitly teach belongs to an outlier category, triggering an update routine for a second machine learning model comprising a plurality of component models trained to identify sub-categories of the outlier category, the update routine comprising; to generate an output indicating a respective multi-class result that events belong to, the multi-class result indicating a sub-category of a plurality of sub-categories of the outlier category; inputting the event data set of the first event into the second machine learning model to generate a multi-class result indicating which sub-category of the plurality of sub-categories of the outlier category the first event belongs, wherein the second machine learning model is trained via the unsupervised machine learning using the augmented set of outlier-event training data;
Saeed explicitly teaches,
belongs to an outlier category,
(Saeed [0025] an anomaly classifier 240, a known anomaly model 250, an unknown anomaly analyser 260
Saeed [0026] detect new types of previously unknown anomalies involving those computer devices. When a new type of anomaly is detected
Saeed [0047] indicating the classification of the known type of anomaly)
triggering an update routine for a second machine learning model comprising a plurality of component models
(Saeed [0009] receiving an indication confirming that the network traffic associated with the cluster is anomalous such that the updated second model represents the characteristics of the network traffic)
trained to identify sub-categories of the outlier category, the update routine comprising;
(Saeed [0046] the known anomaly model represents the characteristics of network traffic which are associated with known types of anomalies involving the set of devices....can be used to train a machine learning model to classify network traffic having the same or similar characteristics.
Saeed [0056] new type of anomaly (i.e. that associated with the cluster) to a set of training data for the known anomaly model 250 and retraining the model 250.
Saeed [0025] an anomaly classifier 240, a known anomaly model 250, an unknown anomaly analyser)
to generate an output indicating a respective multi-class result that events belong to, the multi-class result indicating a sub-category of a plurality of sub-categories of the outlier category;
(Saeed [0005] anomaly-based intrusion detection systems work by comparing a device's behaviour to the “normal” behaviour that is expected for the device. Any deviations from the device's “normal” behaviour are then considered to be anomalies that could indicate an attack involving that device
Saeed [0025] an anomaly classifier 240, a known anomaly model 250, an unknown anomaly analyser)
inputting the event data set of the first event into the second machine learning model to generate a multi-class result indicating which sub-category of the plurality of sub-categories of the outlier category the first event belongs,
(Saeed [Claim 3] obtaining a second model representing the characteristics of network traffic associated with known types of anomalies involving the set of devices, wherein analysing the network traffic using the model to identify anomalous network traffic....comprises using the second model to identify anomalous network traffic that is not associated with a known type of anomaly)
wherein the second machine learning model is trained via the unsupervised machine learning using the augmented set of outlier-event training data;
(Saeed [0041] the system 200 can use any suitable machine-learning technique to train the model ... One suitable technique for learning the normal behaviour model 230 is the hierarchical density-based spatial clustering of applications with noise (HDBSCAN) technique. HDBSCAN is an unsupervised density based algorithm
Saeed [0046] the method 300 obtains the known anomaly model 250.)
It is prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the outlier detection of Wong to incorporate the outlier classification teachings of Saeed for “for detecting anomalies in a computer network …to identify anomalous network traffic associated with the set of devices. ” (Saeed [Abstract]). The modification would have been obvious, because it is merely applying a known technique (i.e. outlier classification) to a known concept (i.e. outlier detection) ready for improvement to yield predictable result (i.e. “provides an indication that either (i) the network traffic associated with a cluster relates to a new type of anomaly involving the set of devices or (ii) that no new types of anomaly are present” Saeed [Abstract])
Claim 2 is rejected on the same basis as Claim 1.
Regarding Claim 3,
Wong and Saeed teach the outlier detection of Claim 2 as described earlier.
Wong teaches,
for each data set of a plurality of respective events,
(Wong [0005] many thousands of transactions need to be processed every second)
inputting each event data set into the second machine learning model; and
(Wong [0066] The machine learning system 600 comprises a first processing stage 603 and a second processing stage
Wong [0150] The output of the machine learning system may be used as is, or provide the basis for a further pipeline of processing (e.g., as an input feature to another machine learning system trained to predict other output data).)
generating an identifier for a respective event of the plurality of respective events based on a respective output from the second machine learning model, wherein the identifier indicates whether the event belongs to the outlier category.
(Wong [0025] an indication of whether a transaction or entity is “normal” or “anomalous”
Wong [0055] a value of “0.2” may be a common output for a “normal” event and a value of “0.8” may be seen as being over a threshold for a typical “anomalous” or fraudulent event.
Wong [0139] a threshold may be applied to the output of the supervised machine learning system and values higher than the threshold (representing an “anomaly”) may be declined while those below the threshold may be approved (representing “normal” actions))
Regarding Claim 4,
Wong and Saeed teach the outlier detection of Claim 3 as described earlier.
Wong teaches,
generating, based on the respective outputs from the second machine learning model, for output a recommended subset among the plurality of respective events, wherein the recommended subset comprises events determined to belong to the outlier category by the second machine learning model.
(Wong [0139] a threshold may be applied to the output of the supervised machine learning system and values higher than the threshold (representing an “anomaly”) may be declined while those below the threshold may be approved (representing “normal” actions))
Regarding Claim 10,
Wong and Saeed teach the outlier detection of Claim 2 as described earlier.
Wong does not teach wherein the second machine learning model comprises a plurality of component models each of which is trained to identify a respective sub-category of the plurality of sub-categories of the outlier category.
Saeed teaches,
wherein the second machine learning model comprises a plurality of component models each of which is trained to identify a respective sub-category of the plurality of sub-categories of the outlier category.
(Saeed [0046] the known anomaly model represents the characteristics of network traffic which are associated with known types of anomalies involving the set of devices....can be used to train a machine learning model to classify network traffic having the same or similar characteristics.
Saeed [0056] new type of anomaly (i.e. that associated with the cluster) to a set of training data for the known anomaly model 250 and retraining the model 250.
Saeed [0025] an anomaly classifier 240, a known anomaly model 250, an unknown anomaly analyser)
It is prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the outlier detection of Wong to incorporate the outlier classification teachings of Saeed for “for detecting anomalies in a computer network …to identify anomalous network traffic associated with the set of devices. ” (Saeed [Abstract]). The modification would have been obvious, because it is merely applying a known technique (i.e. outlier classification) to a known concept (i.e. outlier detection) ready for improvement to yield predictable result (i.e. “provides an indication that either (i) the network traffic associated with a cluster relates to a new type of anomaly involving the set of devices or (ii) that no new types of anomaly are present” Saeed [Abstract])
Regarding Claim 11,
Wong and Saeed teach the outlier detection of Claim 10 as described earlier.
Wong does not teach wherein the second machine learning model generates the multi-class result based on one or more outputs of the plurality of component models indicating to which one or more sub-categories of the plurality of sub-categories of the outlier category the event belongs.
Saeed teaches,
wherein the second machine learning model generates the multi-class result based on one or more outputs of the plurality of component models indicating to which one or more sub-categories of the plurality of sub-categories of the outlier category the event belongs.
(Saeed [0025] an anomaly classifier 240, a known anomaly model 250, an unknown anomaly analyser
[0046] the known anomaly model represents the characteristics of network traffic which are associated with known types of anomalies involving the set of devices. For example, various attacks or modes of failure may already be known
Saeed [0050] the method 300 clusters the unknown anomalous network traffic into clusters of network traffic that share similar characteristics.)
It is prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the outlier detection of Wong to incorporate the outlier classification teachings of Saeed for “for detecting anomalies in a computer network …to identify anomalous network traffic associated with the set of devices. ” (Saeed [Abstract]). The modification would have been obvious, because it is merely applying a known technique (i.e. outlier classification) to a known concept (i.e. outlier detection) ready for improvement to yield predictable result (i.e. “provides an indication that either (i) the network traffic associated with a cluster relates to a new type of anomaly involving the set of devices or (ii) that no new types of anomaly are present” Saeed [Abstract])
Regarding Claim 12,
Wong and Saeed teach the outlier detection of Claim 11 as described earlier.
Wong teaches,
selecting, from a plurality of candidate reactions, a reaction the action to be performed based on the multi-class result
(Wong [0044] determine whether the transaction is to be authorised (i.e., approved) or declined.)
Regarding Claim 13,
Wong and Saeed teach the outlier detection of Claim 11 as described earlier.
Wong teaches,
obtaining at least one of the plurality of component models by training an unsupervised machine learning model using a