SYSTEMS AND METHODS FOR CONTROLLING COMPUTING SYSTEMS ASSOCIATED WITH NETWORK OPERATIONS

DETAILED ACTION This office action is in response to the application filed on 06/28/2024. Claims 1-20 are pending and are examined. Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was. Claims 1-3, 6-11, 1418 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Wong et al. (U.S Pub No. 2022/0,253,856 A1, referred to as Wong), in view of Ben Arie et al. (U.S Patent No. 11,763,207 B1, referred to as Ben). Regarding claims 1, 9 and 16, Wong teaches: A method of training machine learning (ML) models to determine likelihoods of fraud in network operations caused by computing systems (Wong: Fig. 3; ¶ 0061, “raining module 302 generates a trained process 308 for use by the execution module 310 to predict a likelihood of fraud in input new transaction data 301 (e.g. an example of customer data 107 shown in FIG. 1) and therefore classifies the transaction data 301 as fraudulent or legitimate”; Fig. 5; ¶ 0078- ¶ 0083, “The operations 500 facilitate training an unsupervised machine learning model (e.g. model 306 in FIG. 3) for fraud detection associated with an entity for subsequent detection of fraud in transactions between the entity and one or more client devices.”), comprising: generating, by a server, training data to include (i) a digital fingerprint associated with an identity of a computing system of a plurality of computing systems and (ii) a plurality of network operation metrics associated with the computing system (Wong: Fig, 1, Items 102 (Server), 108 (computing systems),116 (users); ¶ 0035- ¶ 0036; Fig. 3; ¶ 0054, “during an initial training period, the fraud detection module 212 accesses a legitimate data repository 214 to train the unsupervised machine learning model with legitimate data and improve prediction stability of the trained machine learning in later detecting fraud during execution. The legitimate data repository 214 contains training data with positive samples of legitimate customer data. For example, it may include values for a pre-defined set of features characterizing the legitimate customer data. The features held in the legitimate data repository 214 can include, identifying information about the corresponding legitimate customer (e.g. account(s) held by the legitimate customer; gender; address; location; salary; etc.); metadata characterizing online behavior of the corresponding legitimate customer (e.g. online interactions between the users 116 and the transaction server such as interactions for opening accounts”; Fig. 4; ¶ 0059- ¶ 0061, “As shown in FIG. 4, which illustrates an example process 400 for applying the trained process 308 to detect fraud, an input vector feature set 405 applied to the trained process 308 can include a plurality of features such as client information; customer behaviors; and digital fingerprint for the user (e.g. user 116 in FIG. 1). These define an example feature set needed for both the training data 304 and in the testing/deployment stage for the new transaction data 301.”), the computing system configured to provide a request to execute a first network operation using a plurality of attributes provided by an end user device to the computing system (Wong: ¶ 0036, “Client device 108 is configured to receive input from one or more users 116 (individually shown as example user 116″ and example user 116′) for transactions either directly with a transaction server 106 (e.g. a request to open a new account for users 116) or via a merchant server 110 (e.g. an online purchase made by users 116 processed by the merchant server 110) or via a data transfer processing server 112 (e.g. a request for transferring data either into or out of an account for users 116 held by transaction server 106).”); executing, by the server, using the digital fingerprint and the plurality of network operations of the training data, a ML model having a plurality of weights to generate a likelihood of fraud caused by the computing system (Wong: Fig. 4, system 400; ¶ 0071, “Referring to FIG. 4 now in further detail, shown is a block diagram of a process 400 implemented by the fraud detection module 212 and depicting application of the trained process 308, whether in the testing or deployment stage, for detection of fraud in customer data 107 including transactions 104 (e.g. see FIG. 1).”; Fig. 6, flowchart 600; ¶ 0085- ¶ 0091, “Referring now to FIG. 6 shown is a flowchart of example operations 600 performed by the computing device 102 for determining anomalies in current customer data and predicting a likelihood of fraud.”). Wong does not explicitly disclose, however Ben teaches: labeling, by the server, the training data to indicate whether fraudulence is caused by the computing system (Ben: Fig. 4, Items 400, 402 and 404; C10, ln 52-60, “based on identifying whether the given network event corresponds to the actual fraud event, the given network event may be labeled as fraudulent or not fraudulent.”); comparing, by the server, the likelihood of fraud generated by the ML model with labeled training data to determine an error metric in accordance with a loss function; and updating, by the server, at least one of the plurality of weights of the ML model using the error metric (Ben: Fig. 2, steps 200- 210; C8, ln 4- C9, ln 19, ” Step 210 includes generating an adjusted machine learning model by adjusting the machine learning model based on the metric. The machine learning model may be adjusted by changing one or more parameters of the machine learning model and then retraining the machine learning model. For example, the metric may be used as the basis for determining a loss function, and then the loss function used in a machine learning model training process, as described above. The retrained machine learning model may be the adjusted machine learning model.”). It would have been obvious to one ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Wong by Ben and have a system using labeled training data to identify a metric and use it for determining a loss function and use it to adjust and retrain a machine learning model for more fraud detection accuracy. (Ben: C8, ln 4- C9, ln 19). Regarding claim 9, Wong further teaches: A system for training machine learning (ML) models to determine likelihoods of fraud in network operations caused by computing systems, comprising: a server having one or more processors coupled with memory (Wong: Fig. 3; ¶ 0091- ¶ 0095). Regarding claim 16, Wong further teaches: A non-transitory computer readable medium storing instruction, which when executed by at least one processor (Wong: ¶ 0094, “computer-readable media generally may correspond to (1) tangible computer-readable storage media, which is non-transitory or (2) a communication medium such as a signal or carrier wave. Data storage media may be any available media that can be accessed by one or more computers or one or more processors to retrieve instructions, code and/or data structures for implementation of the techniques described in this disclosure”). Regarding claims 2, 10 and 17, the combination of Wong and Ben teaches all the features of claims 1, 9 and 16, as outlined above. Wong further teaches: retrieving, by the server, (i) a second digital fingerprint associated with an identity of a second computing system of the plurality of computing systems and (ii) a second plurality of network operation metrics associated with the second computing system; and executing, by the server, using the second digital fingerprint and the second plurality of network operation metrics, the ML model to generate a second likelihood of fraud caused by the second computing system (Wong: Fig. 4; ¶ 0059- ¶ 0061, “As shown in FIG. 4, which illustrates an example process 400 for applying the trained process 308 to detect fraud, an input vector feature set 405 applied to the trained process 308 can include a plurality of features such as client information; customer behaviors; and digital fingerprint for the user (e.g. user 116 in FIG. 1). These define an example feature set needed for both the training data 304 and in the testing/deployment stage for the new transaction data 301.”; “Fraud detection module 212 performs two operations: training via training module 302 and execution for subsequent deployment via execution module 310. Training module 302 generates a trained process 308 for use by the execution module 310 to predict a likelihood of fraud in input new transaction data 301 (e.g. an example of customer data 107 shown in FIG. 1) and therefore classifies the transaction data 301 as fraudulent or legitimate… As shown in FIG. 4, which illustrates an example process 400 for applying the trained process 308 to detect fraud, an input vector feature set 405 applied to the trained process 308 can include a plurality of features such as client information; customer behaviors; and digital fingerprint for the user (e.g. user 116 in FIG. 1). These define an example feature set needed for both the training data 304 and in the testing/deployment stage for the new transaction data 301.”; Fig. 6, flowchart 600; ¶ 0085- ¶ 0091, “Referring now to FIG. 6 shown is a flowchart of example operations 600 performed by the computing device 102 for determining anomalies in current customer data and predicting a likelihood of fraud.”). Regarding claims 3, 11 and 18, the combination of Wong and Ben teaches all the features of claims 2, 10 and 16, as outlined above. Wong does not explicitly disclose, however Ben teaches: selecting, by the server, from a plurality of network operations, one or more network operations for the second computing system, responsive to the second likelihood of fraud exceeding a threshold; and executing, by the server, the one or more network operations of the plurality of network operations to control communications including subsequent requests for network operations from the second computing system (Ben: Fig. 2, Steps 214- 220; C9, ln 28- 61, “If the new fraud score satisfies the fraud threshold (a “yes” at step 216), then step 218 includes blocking, responsive to the adjusted machine learning model predicting a new fraud score that is above a threshold fraud score, the new network event. The new network may be prevented from interacting with the protected subject. The new network event may be re-directed to a sandbox (i.e., a fake copy of the protected subject) in order to study the new network event, discern the source of the new network event, block the server from receiving other network events sent by the source of the new network event, or take some other action.”; C7, ln 21-29. “In another example, the server controller (142) may monitor new network events and block or permit the new network events. Thus, the server controller (142) may block, responsive to an adjusted machine learning model (140) predicting a new fraud score that is above a threshold fraud score, a new network event. Similarly, the server controller (142) may permit, responsive to the adjusted machine learning model predicting the new fraud score being below the threshold fraud score, the new network event.”). It would have been obvious to one ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Wong by Ben and have a fraud detection system capable to control or block future network/communications operations based on predefined fraud score threshold in order to improve future security of a network system. (Ben: C7, ln 21- 29) Regarding claims 6, 14 and 20, the combination of Wong and Ben teaches all the features of claims 1, 9 and 16, as outlined above. Wong further teaches: adding, by the server, to the training data, a plurality of risk factors associated with the computing system from an instrumentation service, and wherein executing the ML model further comprises executing the ML model using the plurality of risk factors from the instrumentation service (Wong: ¶ 0053- ¶ 0054, “The features held in the legitimate data repository 214 can include, identifying information about the corresponding legitimate customer (e.g. account(s) held by the legitimate customer; gender; address; location; salary; etc.); metadata characterizing online behavior of the corresponding legitimate customer (e.g. online interactions between the users 116 and the transaction server such as interactions for opening accounts; modifying accounts; adding services; researching additional services; etc. (EN: Risk factors). The fraud detection module 212 additionally accesses the hyper parameter repository which contains a set of hyper parameters (e.g. optimal number of layers; number of inputs to the model; number of outputs; etc.) for training the machine learning model.”). Regarding claims 7 and 15, the combination of Wong and Ben teaches all the features of claims 1 and 9, as outlined above. Wong does not explicitly disclose, however Ben teaches: determining, by the server, from a plurality of classifications, a classification of the computing system based on the likelihood, and wherein comparing the likelihood further comprises comparing the classification with the label to determine the error metric (Ben: C5, ln 63- C6, ln 19, “Machine learning training is a process of preparing the machine learning model (140) for a specific task. A training data set is provided, which includes data labeled with known results. A training portion of the training data is used as input to the machine learning model. The output of the machine learning model, executing on the training portion, is compared to the known results of the labels. A determination is made whether convergence occurs. Convergence occurs if, when the output is compared to the known labels, the output is accurate to within a pre-determined degree relative to the known labels. If convergence does not occur, then the difference between the output and the known labels is used to determine a loss function. The loss function is used to modify one or more parameters of the machine learning model (140)”; Fig. 2, steps 200- 210; C8, ln 4- C9, ln 19, ”Step 208 includes determining a metric based on comparing the first table to a second table, wherein the second table logs at least the given fraud score and the fraud scores. As indicated above, the metric (126) is a measure of the performance of the machine learning model (140). Step 210 includes generating an adjusted machine learning model by adjusting the machine learning model based on the metric. The machine learning model may be adjusted by changing one or more parameters of the machine learning model and then retraining the machine learning model. For example, the metric may be used as the basis for determining a loss function, and then the loss function used in a machine learning model training process, as described above. The retrained machine learning model may be the adjusted machine learning model.”). Same motivation as claims 1, 9 and 16. Regarding claim 8, the combination of Wong and Ben teaches all the features of claim 1, as outlined above. Wong further teaches: wherein executing the machine learning model to generate the likelihood of fraud further comprises generating a plurality of constituent scores corresponding to a plurality of fraud indicators for the computing system (Wong: Fig. 4, Items 409 and 411; ¶ 0068- ¶ 0069, “In at least some implementations, in response to classification provided by the trained machine learning model (e.g. trained process 308), the optimizer module 216 may provide a user interface to present results of the classification (e.g. low anomaly score 409 or high anomaly score 411 as discussed in FIG. 4)”; ¶ 0071, “Referring again to FIG. 4, the process 400 calculates an error difference between the output vector feature set 407 and the input vector feature set 405. If the error difference exceeds a pre-defined threshold 220′ (e.g. as in the case of a fraud sample 403), then that is considered a high anomaly score 411 and classified as fraud whereby if the difference is below or equal to the threshold, the fraud detection module 212 considers it a low anomaly score 409 and thereby classifies the input information relating to a transaction (e.g. the legitimate sample 401) as legitimate.”). Claims 4 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Wong in view of Ben and further in view of Cifarelli et al. (U.S Pub No. 2022/0,188,827 A1, referred to as Cifarelli). Regarding claims 4 and 12, the combination of Wong and Ben teaches all the features of claims 2 and 10, as outlined above. Wong in view of Ben does not explicitly disclose, however Cifarelli teaches: refraining, by the server, from generation of an alert to indicate that fraudulence is caused by the second computing system, responsive to the second likelihood of fraud not exceeding a threshold (Cifarelli: Fig. 2, Steps 210- 260; ¶ 0071- ¶ 0087, “At 250, the fraud score manager raises an alert when the fraud score exceeds a threshold value or deviates by more than a deviation value from a range of values”; “In an embodiment of 242 and 250, at 251, the fraud score manager compares the current transaction fraud score against the ratio value and when a difference is greater than the threshold value, the fraud score manager raises the alert.” (EN: The fraud score manager generates alerts only when the fraud score exceeds a threshold). It would have been obvious to one ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Wong in view of Ben by Cifarelli a fraud score manager to generate alerts only when the fraud score exceeds a threshold in order to provide transaction data to a fraud system for further evaluation and feedback. (Cifarelli: ¶ 0082- ¶ 0087). Allowable Subject Matter Claims 5, 13 and 19 would be allowable if they were rewritten in independent form including all of the limitations of the base claim and any intervening claims. The following is an examiner’s statement of reasons for identifying allowable subject matter. The closest prior arts made of records are, Wong et al. (U.S Pub No. 2022/0,253,856 A1, referred to as Wong), Ben Arie et al. (U.S Patent No. 11,763,207 B1, referred to as Ben) and Cifarelli et al. (U.S Pub No. 2022/0,188,827 A1, referred to as Cifarelli). Wong discloses a computing device for fraud detection of transactions for an entity, the computing device receiving a current customer data comprising a transaction request for the entity. The transaction request is analyzed using a trained machine learning model to determine a likelihood of fraud via determining a difference between values of an input vector of pre-defined features for the transaction request applied to the trained machine learning model and an output vector having corresponding features resulting from applying the input vector. Ben discloses a method for monitoring network events of a network using a machine learning model. The machine learning model generates fraud scores representing a corresponding probability that a corresponding network event is fraudulent and detecting a failure of the machine learning model to generate, within a threshold time, a given fraud score for a given network event. Cifarelli discloses a method for real time transaction monitoring, the method includes a fraud score manager which obtains real-time transaction data for an operator of a transaction terminal during a transaction, extracts features from the transaction data, derives metrics from the features, calculates a total operator intermediate feature score from the operator intermediate feature scores, calculates a total group intermediate score from the group intermediate features scores, and generates a ratio value as the total operator intermediate feature score divided by the total group intermediate feature score and raises an alert when the fraud score exceeds a threshold value or deviates by more than a deviation value from a range of values. However, regarding claim 5, the prior art of Wong, Ben and Cifarelli, when taken in the context of the claim as a whole do not disclose nor suggest, “receiving, by the server, via a user interface, feedback data indicating whether fraudulence is caused by the computing system; comparing, by the server, the likelihood generated by the ML model with the feedback data to generate a second error metric; and updating, by the server, at least one of the plurality of weights of the ML model using the second error metric.” Regarding claims 13 and 19, the prior art of Wong, Ben and Cifarelli, when taken in the context of the claim as a whole do not disclose nor suggest, “receive, via a user interface, feedback data indicating whether fraudulence is caused by the computing system; compare the likelihood generated by the ML model with the feedback data to generate a second error metric; and update at least one of the plurality of weights of the ML model using the second error metric.”. Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: See PTO-892. Any inquiry concerning this communication or earlier communications from the examiner should be directed to HASSAN SAADOUN whose telephone number is (571)272-8408. The examiner can normally be reached Mon-Fri 9:00-5:00. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached at 571-272-3685. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /HASSAN SAADOUN/ Examiner, Art Unit 2435 /AMIR MEHRMANESH/ Supervisory Patent Examiner, Art Unit 2491