DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-20 are presented for examination.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
As per independent claims 1, 12 and 17:
Step 1: Statutory Categories: Claim 1 is a computer-implemented method (Process). Claim 12 is a non-transitory processor-readable storage medium (Article of Manufacture). Claim 17 is an apparatus comprising a processing device and memory (Machine).
Step 2A, Prong 1: Is the claim directed to a judicial exception? The claims are directed to an abstract idea, specifically “certain methods of organizing human activity” (managing access and authentication) and “mental processes” or “mathematical concepts” (evaluating data to find commonalities). The claims' core focus includes: obtaining information (collecting data); determining commonalities using "artificial intelligence techniques" to process data structures (analyzing data / mathematical algorithms / mental processes); generating and outputting queries (presenting information); and performing automated actions based on the responses (applying conditional logic/rules). Claims that are broadly directed to collecting information, analyzing it, and presenting the results are directed to an abstract idea. The concept of deciding whether to grant someone access based on checking their profile against an application's requirements is a well-known commercial and human practice.
Step 2A, Prong 2: Is the abstract idea integrated into a practical application? The claim must recite additional elements that apply, rely on, or use the abstract idea in a manner that imposes a meaningful limit, such as effecting a specific improvement in computer functionality.
While the specification states that the invention overcomes "problems associated with security risks related to provisioning of resource access through dynamically managing resource access privileges," the claims themselves do not recite a specific technological solution to this problem.
The claim language is highly functional and result-oriented ("determining one or more commonalities," "performing one or more automated actions"). The claims do not explain how the AI techniques technically improve the functioning of the computer or network itself, but rather use AI as a tool to automate the abstract idea of authentication. The data structures recited ("first set... associated with user-related data" and "second set... associated with application-related data") are merely generic classifications of the data being analyzed. Therefore, the claims do not integrate the abstract idea into a practical application.
Step 2B: Do the claims provide an "Inventive Concept" (Significantly More)? If a claim is directed to an abstract idea not integrated into a practical application, it must recite additional elements that amount to "significantly more" than the exception itself.
The claims rely on generic, conventional computer components functioning in their standard capacities: "at least one processing device comprising a processor coupled to a memory," and "at least one user device." The claims use "one or more artificial intelligence techniques" (Claim 1) or "one or more LLMs" (Dependent Claims 2 and 3) without claiming the specific, novel architecture, training method, or technological implementation to perform the abstract data analysis. The steps of receiving a request, checking data, asking a user a question, and granting access based on the answer are well-understood and routine tasks in computer security, simply executed here by an AI model.
As per claims 2, 3, 8, 13, 16, 18: These claims specify that the "artificial intelligence techniques" are Large Language Models (LLMs) (Claims 2, 3), and that the system automatically trains the AI based on user responses (Claim 8). Merely reciting a specific type of algorithm or model—even a complex one like an LLM—does not confer subject matter eligibility. The courts view mathematical algorithms and machine learning models as abstract ideas themselves. Using an LLM to process data and generate questions is simply applying a known computational tool to perform the abstract idea (evaluating user credentials). Similarly, "training" an AI model (Claim 8) is a standard, well-understood mathematical process inherent to machine learning. Without claiming a specific, novel technical method of how the LLM operates or is structurally integrated into the hardware to improve system functioning, these claims just add a generic technological environment to the abstract idea.
As per claims 9, 10: These claims specify exactly what is in the data structures: "natural language descriptions" of activities, temporal information, privileges, roles, skills, and application purposes. The courts consistently hold that gathering, analyzing, and outputting data is an abstract idea, regardless of the content of that data. Specifying that the data represents "user skills" or "application usage patterns" characterizes the informational content of the data structures, rather than providing a technical limitation. Organizing human knowledge or administrative data (like job roles and access levels) into a database is a fundamental concept that does not provide an inventive concept.
As per claims 4-7, 11, 14, 15, 19, 20: These claims define the "automated actions" performed by the system: granting access based on the answers (Claim 4); processing subsequent activity data using an API (Claim 5); modifying the user/application data structures based on that activity (Claim 6); dynamically granting or revoking privileges based on activity (Claim 7); and receiving the initial request and user ID (Claim 11). Automating routine, manual processes on a generic computer does not transform an abstract idea into a patent-eligible invention. Each of these steps describes classic administrative security protocols. These limitations are directed to organizing human activity. Automating these steps via an API or updating a data structure relies entirely on well-understood, routine, and conventional computer functions (receiving data, processing data via API, updating a database). They do not improve the functioning of the computer itself, but rather use the computer to improve an administrative security process.
Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.
The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.
Claims 1-20 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the enablement requirement. The claims contain subject matter which was not described in the specification in such a way as to enable one skilled in the art to which it pertains, or with which it is most nearly connected, to make and/or use the invention. Claims 1, 12, and 17 broadly recite using "one or more artificial intelligence techniques" to process data structures, determine "commonalities," and generate "queries." This is a broad functional recitation that encompasses any AI technique. However, paragraph [0040] of the specification mentions using an LLM like BERT or GPT to parse natural language descriptions of user and application profiles to find an “intersection of interests” [0047]. The specification demonstrates possession of a specific species of LLMs interpreting natural language. The claims are broad enough to cover any AI technique that achieves the stated result, but the specification only provides high-level functional descriptions and basic pseudocode (FIG. 3). Therefore, the claims lack the required written description and enablement for their full scope. The dependent claims are rejected based on their dependency, and do not add limitations that cure the aforementioned deficiencies regarding the lack of written description and enablement for the “artificial intelligence techniques”.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over US 11,790,078 to Semichev et al., and further in view of US 10,891,360 to Nygate et al.
Regarding claim 1, Semichev discloses a computer-implemented method comprising:
obtaining information pertaining to at least one authentication request between at least one user and at least one application (Abstract: An electronic request on a computing device from an unverified customer who desires to perform a high-risk account activity is received. The “unverified customer” corresponds to the user and the “account activity/system” corresponds to the application.);
determining one or more commonalities pertaining to the at least one user and the at least one application by processing, using one or more artificial intelligence techniques, a first set of one or more data structures associated with user-related data and a second set of one or more data structures associated with application-related data (Fig. 5 teaches using a “machine learning model” (artificial intelligence technique) to evaluate account requests based on “prior account activities” (user-related data structures)). Semichev does not explicitly use the exact phrase “determining commonalities” between user data and application data structures.
However, Nygate teaches determining one or more commonalities pertaining to the at least one user and the at least one application (using a “predictive model” (AI technique) to process “identity information associated with a subject” (first set of user-related data) and querying “one or more databases” (second set of application/system-related data) to determine “subject characteristics” and “matches” (commonalities) between the user’s provided info and the system’s records; see Abstract and claim 1).
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Semichev’s machine-learning authentication system with Nygate’s AI-driven method of determining common matches between user data and system databases in order to improve the generation of Knowledge-Based Authentication (KBA) questions, as taught by Nygate.
Semichev, as modified above, further discloses
generating and outputting, to at least one user device associated with the at least one user, one or more queries related to user activity with respect to the at least one application (Fig. 5 and Abstract: A set of challenge questions for authenticating a plurality of customers… that are based on prior account activities (queries related to user activity) and sending them to unverified customer to be answered.); and
performing one or more automated actions in connection with the at least one authentication request and based at least in part on one or more user responses to at least a portion of the one or more queries; wherein the method is performed by at least one processing device comprising a processor coupled to a memory (Abstract: the processor performs automated actions based on the answers: “either allowing the verified customer to perform the at least one high-risk account activity with a respective account…or blocking the fraudster” based on the “answers to the ranked challenge questions”).
Regarding claims 2-3, while Semichev broadly discloses “machine learning models”, Nygate specifically teaches wherein processing the first set of one or more data structures associated with user-related data and the second set of one or more data structures associated with application-related data comprises using one or more large language models (LLMs);
wherein generating the one or more queries related to user activity with respect to the at least one application comprises using the one or more LLMs to generate the one or more queries (Fig. 1 and col. 5, line 28: may be evaluated using one or more learning models and/or decision tree(s) and related to the subject characteristic. Natural Language Processing and semantic analysis to extract characteristics from unstructured text for authentication matching. An LLM is a well-known class of NLP/machine learning model.).
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Semichev’s machine-learning authentication system with Nygate’s LLM in order to improve the generation of Knowledge-Based Authentication (KBA) questions, as taught by Nygate.
Regarding claim 4, Semichev, as modified above, further discloses the computer-implemented method of claim 1, wherein performing one or more automated actions comprises automatically granting at least a portion of the at least one authentication request between at least one user and at least one application based at least in part on the one or more user responses to the at least a portion of the one or more queries (Abstract: Upon evaluating the user’s answers to the challenge questions, performs the automated action of “allowing the verified customer to perform the at least one high-risk account activity” (granting access)).
Regarding claim 5, Semichev, as modified above, further discloses the computer-implemented method of claim 4, wherein performing one or more automated actions comprises automatically processing, using at least one application programming interface (API), activity data attributed to the at least one user in connection with the at least one application subsequent to the granting of the at least a portion of the at least one authentication request;
wherein performing one or more automated actions comprises automatically modifying one or more of at least a portion of the first set of one or more data structures associated with user-related data and at least a portion of the second set of one or more data structures associated with application-related data based at least in part on the processing of the activity data;
wherein performing one or more automated actions comprises one or more of automatically granting one or more additional application access privileges to the at least one user and automatically revoking one or more application access privileges from the at least one user based at least in part on the processing of the activity data (col. 13, line 16: application program interfaces (API), instruction. Col. 3, lines 20-30: Continuously monitoring, storing, and updating account activity in financial institution’s databases. Col. 26, lines 5-7: teaches blocking accounts if incorrect or fraudulent interactions are detected during a session.).
Regarding claim 8, Semichev, as modified above, further discloses the computer-implemented method of claim 1, wherein performing one or more automated actions comprises automatically training at least a portion of the one or more artificial intelligence techniques based at least in part on the one or more user responses to the at least a portion of the one or more queries (col. 8, lines 7-38: updating and retraining its machine learning authentication models based on whether the unverified customer was successfully authenticated or flagged as a fraudster).
Regarding claims 9-10, Semichev lacks or does not expressly disclose natural language. However, Nygate teaches wherein the first set of one or more data structures associated with user-related data comprises natural language descriptions related to one or more of activities performed by the at least one user, temporal information associated with user performance of one or more activities, access privileges utilized by the at least one user, one or more roles associated with the at least one user, and one or more skills associated with the at least one user; wherein the second set of one or more data structures associated with application-related data comprises natural language descriptions related to one or more of one or more purposes of the at least one application, application usage patterns across multiple users, privileges needed by one or more users to access the at least one application, temporal information associated with one or more application operations, one or more user role requirements associated with the at least one application, and one or more user skill requirements associated with the at least one application (Col. 7, lines 43-col. 8, line 10, and Col. 15, line 57-Col. 16, line 2: teaches querying unstructured proprietary and public databases containing natural language records (e.g. employment histories, social media text) to determine subject characteristics for authentication).
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Semichev’s machine-learning authentication system with Nygate’s LLM in order to improve the generation of Knowledge-Based Authentication (KBA) questions, as taught by Nygate.
Regarding claim 11, Semichev, as modified above, further discloses the computer-implemented method of claim 1, wherein obtaining information pertaining to at least one authentication request between at least one user and at least one application comprises receiving indication of the at least one authentication request from the at least one application in conjunction with identifying information associated with the at least one user (Col. 24, lines 35-41: the processor may be configured to identify the at least one fraudulent person from the plurality of customers by tagging customer interactions in the plurality of customer transactions as fraudulent by assessing that the unverified customer communicated with the financial institution through an IP address or a telephone number previously associated with fraudulent activity.).
As per claims 12-16 and 17-20, these are non-transitory medium and apparatus versions of the claimed method discussed above in claims 1-11, wherein all claimed limitations have also been addressed and/or cited as set forth above.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
WO 2024/228863 teaches machine learning (ML) and natural language processing (NLP), and specifically provides an end-to-end system or platform for extracting statistical relationships from scientific literature using one or more machine learning and/or statistical models, including generative large language models (LLMs).
US 2024/0232890 teaches extracting external data from the external account, the external data corresponding to external account content, providing user activity data from the secure account as an input to an authentication machine learning model, providing the external data as an input to the authentication machine learning model, the authentication machine learning model configured to output a certainty level that the external account is associated with a user of the secure account based on the external data and the activity data, receiving the certainty level from the authentication machine learning model, determining that the certainty level meets a certainty threshold, and pairing the external account with the secure account based on determining that the certainty level meets the certainty threshold.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AUBREY H WYSZYNSKI whose telephone number is (571)272-8155. The examiner can normally be reached M-F 9-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ALI SHAYANFAR, can be reached at 571-270-1050. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/AUBREY H WYSZYNSKI/Primary Examiner, Art Unit 2434