DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Status of Claims
The following is a Final Office Action in response to applicant’s filing on January 16, 2026. Claims 2, 9, and 16 were canceled. Claims 1, 3-8, 10-15, and 17-20 are pending, of which claims 1, 8, and 15 are in independent form.
Response to Amendment
Applicant’s amendment regarding the specification obviates the objection, therefore the specification objection is withdrawn.
Applicant’s amendment regarding claims 1, 8, and 15 obviates the claim rejection, therefore the rejection under 35 U.S.C. § 112(b) is withdrawn.
Applicant’s amendment regarding claim 15 does not obviate the claim rejection, therefore the rejection under 35 U.S.C. § 101 is maintained.
Response to Arguments
Applicant’s arguments with respect to the claim(s) rejected under 35 USC 103(a) have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter.
Rejection under 35 USC § 101
On Pages 14-16 of remarks by Applicant, Applicant’s arguments asserting that amended independent claim 15 is patent eligible have been fully considered but are not persuasive. Amended claim 15 continues to recite steps directed to receiving interaction event data and browser history data, associating such data with an endpoint device, training a machine learning model, inputting data into the model, determining the presence of an anomaly, and transmitting a notification. The step of “transmitting a notification” does not add patent-eligible subject matter because it merely communicates the result of the abstract analysis. Once the “schema mismatch” is determined, transmitting a notification is simply reporting that conclusion. This step could be performed by a human after reviewing the interaction data and determining the mismatch: a human could verbally notify a supervisor, send an email, or make a phone call, which is treated as insignificant extra-solution activity under §101. When considered as a whole, the claim remains directed to analyzing data, identifying an anomaly, and reporting results, which constitutes an abstract idea under Step 2A, Prong One, consistent with the mental process and data analysis concepts as previously set forth in the office action.
Applicant asserts that claim 15 is directed to a practical application because it relates to computing device intrusion detection and employs machine learning to detect unauthorized access. However, merely limiting an abstract idea to a particular technological field does not render the claim patent eligible. The amended claim does not recite a specific technical solution regarding the functioning of a computer.
Under Step 2A, Prong Two, the abstract idea is not integrated into a practical application. The machine learning model is recited at a high level of generality and functions as a generic tool without specifying any particular model architecture. The identification of “schema mismatch” represents an informational result and does not limit the abstract idea.
For similar reasons, claim 15 does not recite additional elements sufficient to amount to significantly more than the abstract idea under Step 2B. Therefore, the rejection of claim 15 under 35 USC § 101 is maintained. Dependent claims 17-20 remain rejected by virtue of dependency to independent claim 15.
Rejection under 35 USC § 103
On Pages 16-18 of remarks, Applicant argues that “None of Pallemulle, Hazan, or Schell, alone or in combination, teach or suggest the above-presented features of independent Claims 1, 8, and 15. Specifically, the cited references do not teach or suggest (1) receiving browser history data from the first endpoint device of domains visited via the first endpoint device... associating the interaction event data and the browser history data with the first endpoint device as a first schema ... receiving an interaction event data stream, a browser data stream of domains currently visited, and a corresponding endpoint device identifier, [and] determining, by inputting the interaction event data stream, the browser data stream, and the corresponding endpoint device identifier to the trained machine learning model, an identified endpoint device and a presence of at least one anomaly or (2) transmitting a notification signal comprising schema mismatch details to the identified endpoint device, the notification signal configured to trigger a notification alert for displaying the schema mismatch details on the identified endpoint device.” Applicant’s arguments with respect to the rejection(s) of claim(s) 1, 8, and 15 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of Renner et al. (US 2021/0342339 A1), and Smith et al. (US 12,505,089 B1).
Therefore, the rejection of claims 1, 3-8, 10-15, and 17-20 under 35 USC § 103 is maintained.
Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL. — The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.
The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.
Claims 1, 3-8, 10-15, and 17-20 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.
Claim 1 is rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. Claim 1 recites “the notification signal configured to trigger a notification alert for displaying the schema mismatch details on the identified endpoint device.” The specification fails to reasonably convey to a person of ordinary skill in the art what constitutes such “schema mismatch details” (i.e., at block 312, the system 130 may transmit a notification signal including schema mismatch details to the identified endpoint device 140. The system 130 may transmit a first notification signal to a first endpoint device 140 associated with the first user. The first notification signal may be sent using a pre-determined communication protocol, and through a wireless network, a wired connection, or an internet-based platform, depending on the infrastructure in place. In some implementations, the first notification signal may trigger a notification alert to capture the first user's attention, see paragraph [0106]). In particular, the disclosure does not describe the structure or content of the mismatch details or what exact details of the schema mismatch have been displayed.
The level of detail required to satisfy the written description requirement varies depending on the nature and scope of the claims and on the complexity and predictability of the relevant technology. Ariad, 598 F.3d at 1351, 94 USPQ2d at 1172; Capon v. Eshhar, 418 F.3d 1349, 1357-58, 76 USPQ2d 1078, 1083-84 (Fed. Cir. 2005). Computer-implemented inventions are often disclosed and claimed in terms of their functionality. For computer-implemented inventions, the determination of the sufficiency of disclosure will require an inquiry into the sufficiency of both the disclosed hardware and the disclosed software due to the interrelationship and interdependence of computer hardware and software. The critical inquiry is whether the disclosure of the application relied upon reasonably conveys to those skilled in the art that the inventor had possession of the claimed subject matter as of the filing date. Vasudevan Software, Inc. v. MicroStrategy, Inc., 782 F.3d 671, 682, 114 USPQ2d 1349, 1356 (citing Ariad Pharm., Inc. v. Eli Lilly & Co, 598 F.3d 1336, 1351, 94 USPQ2d 1161, 1172 (Fed. Cir. 2010) in the context of determining possession of a claimed means of accessing disparate databases).
Independent claims 8 and 15 are similarly rejected. Dependent claims 3-6, 10-14, and 17-20 are rejected by virtue of dependency to their independent claims.
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION. — The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 1, 3-8, 10-15, and 17-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claims 1, 8, and 15 recite the limitation “displaying the schema mismatch details”, which renders the claims indefinite. The claim recites “schema mismatch details” without defining what constitutes a “schema”, what constitutes a “mismatch”, or what information qualifies as details to be displayed. The claim does not provide an objective standard for determining the content or scope of the displayed information. As a result, one of ordinary skill in the art cannot determine the metes and bounds of the claim with reasonable certainty.
Dependent claims 3-6, 10-14, and 17-20 are rejected by virtue of dependency to their independent claims.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 15-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
The claims recite a method for auctioning goods or services which is considered a judicial exception because it falls under Certain Methods of Organizing Human Activity such as commercial or legal interactions including sales activities. This judicial exception is not integrated into a practical application as discussed below and the claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception as discussed below.
This part of the eligibility analysis evaluates whether the claim falls within any statutory category. MPEP 2106.03. In claim(s) 15 the claim recites at least one step or act, including receiving, determining, activating, and selecting. Thus, the claim is to a process, which is one of the statutory categories of invention.
Analysis
Step 1 (Statutory Categories) — 2019 PEG pg. 53
Claims 15, 17-20 are directed to the statutory categories of invention.
Step 2A, Prong 1 (Do the claims recite an abstract idea?) — 2019 PEG pg. 54
For independent claim 15, the claim recites an abstract idea of: enabling one or more restrictions by the user for the steps of: “A computer-implemented method for computing device intrusion detection via machine learning for interaction data analysis, the method comprising: receiving interaction event data from a first endpoint device, the interaction event data comprising data from a plurality of keystrokes and a plurality of touch events; receiving browser history data from the first endpoint device of domains visited via the first endpoint device; associating the interaction event data and the browser history data with the first endpoint device as a first schema within a database, wherein the first endpoint device is designated as an authorized endpoint device, and wherein the database comprises a plurality of schema, each respective schema of the plurality of schema comprising at least one corresponding authorized endpoint device; training a machine learning model using the plurality of schema and the at least one corresponding authorized endpoint device to form a trained machine learning model; receiving an interaction event data stream, a browser data stream of domains currently visited, and a corresponding endpoint device identifier; determining, by inputting the interaction event data stream, the browser data stream, and the corresponding endpoint device identifier to the trained machine learning model, an identified endpoint device and a presence of at least one anomaly as outputs based on the interaction event data stream, the browser data stream, and the corresponding endpoint device identifier input to the trained machine learning model, wherein the at least one anomaly comprises a schema mismatch; and transmitting a notification signal comprising schema mismatch details to the identified endpoint device, the notification signal configured to trigger a notification alert for displaying the schema mismatch details on the identified endpoint device.”, which, when considered collectively as an ordered combination, recite the abstract idea and fall within the “Mental Processes” grouping of abstract ideas.
Claim 1 is directed to: collecting user interaction data and browser data, organizing the data, applying a machine learning model to compare data, detecting an anomaly, and generating a notification. These steps fall within (data collection, data organization, data analysis, mathematical evaluation and information reporting), which are recognized abstract ideas.
Claim 17 recites “scoring, using the trained machine learning model each anomaly of the at least one anomaly; and determining an intrusion event by comparing scores of each anomaly of the at least one anomaly to a predetermined threshold”. The judicial exception is not integrated into a practical application because the additional elements in the dependent claims are also recited at a high level of generality such that it amounts to no more than mere instructions to apply the exception using generic computer components. Therefore, the claim is directed to an abstract idea.
Claim 18 only recites “preprocessing the interaction event data and the browser history data to reduce dimensionality of the interaction event data and the browser history data.” The judicial exception is not integrated into a practical application because the additional elements in the dependent claims are also recited at a high level of generality such that it amounts to no more than mere instructions to apply the exception using generic computer components. Therefore, the claim is directed to an abstract idea.
Claim 19 only recites “wherein the trained machine learning model determines a predicted endpoint device by receiving the interaction event data stream, and wherein the predicted endpoint device is compared to the identified endpoint device for determining the schema mismatch”. This additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claims are directed to an abstract idea.
Claim 20 only recites “wherein the schema mismatch comprises an identification of a different schema not associated with the identified endpoint device”. This additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claims are directed to an abstract idea.
Step 2A, Prong 2 (Does the claim recite additional elements that integrate the judicial exception into a practical application?) - 2019 PEG pg. 54
This judicial exception is not integrated into a practical application. In particular, independent claim 15 only recites the additional elements of “A method for computing device intrusion detection via machine learning for interaction data analysis, the method comprising: receiving interaction event data from a first endpoint device, the interaction event data comprising data from a plurality of keystrokes and a plurality of touch events; associating the interaction event data with the first endpoint device as a first schema within a database, wherein the first endpoint device is designated as an authorized endpoint device, and wherein the database comprises a plurality of schema, each respective schema of the plurality of schema comprising at least one corresponding authorized endpoint device; training a machine learning model using the plurality of schema and the at least one corresponding authorized endpoint device to form a trained machine learning model; receiving an interaction event data stream and a corresponding endpoint device identifier; determining, by inputting the interaction event data stream and the corresponding endpoint device identifier to the trained machine learning model, an identified endpoint device and a presence of at least one anomaly, wherein the at least one anomaly comprises a schema mismatch; and transmitting a notification signal comprising schema mismatch details to the identified endpoint device;”. A plain reading of descriptions in the specification in at least: para. 0005 stating “the instructions may further cause the processing device to perform the steps of receiving browser history data from the first endpoint device, associating the browser history data with the first endpoint device in the first schema, receiving a browser data stream, and determining, by inputting the browser data stream and the corresponding endpoint device identifier to the trained machine learning model, the identified endpoint device and the presence of the at least one anomaly”, reveals that access a computing resource, at least one data feature, wherein a data feature is a browser data stream may be used to execute the claimed steps.
The additional elements of “a computing device, a machine learning, an endpoint device, a machine learning model, a trained machine learning model, and an endpoint device identifier” are recited at a high level of generality (i.e., as a generic processor performing generic computer functions) such that it amounts to no more than mere instructions to apply the exception using generic computer components (See MPEP 2106.05(f)) and limits the judicial exception to a particular environment (See MPEP 2106.05(h)). Mere instructions to apply an exception using a generic computer component and limiting the judicial exception to a particular environment doesn’t integrate the abstract idea into a practical application in Step 2A. Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. Hence, independent claim 15 is directed to an abstract idea.
Dependent claim 17 recites similar additional elements as the independent claims including generic computer components, such as “scoring, using the trained machine learning model each anomaly of the at least one anomaly; and determining an intrusion event by comparing scores of each anomaly of the at least one anomaly to a predetermined threshold”. The judicial exception is not integrated into a practical application because the additional elements in the dependent claims are also recited at a high level of generality such that it amounts to no more than mere instructions to apply the exception using generic computer components. Therefore, the additional elements do not integrate the abstract idea into a practical application because they also do not impose any meaningful limits on practicing the abstract idea. Also, the claims do not effect an improvement to another technology or technical field; the claims do not amount to an improvement of the functioning of a computer system itself; the claims do not effect a transformation or reduction of a particular article to a different state or thing; and the claims do not move beyond a general link of the use of an abstract idea to a particular technological environment.
Dependent claim 18 recites similar additional elements as the independent claims including generic computer components, such as “preprocessing the interaction event data and the browser history data to reduce dimensionality of the interaction event data and the browser history data”. The judicial exception is not integrated into a practical application because the additional elements in the dependent claims are also recited at a high level of generality such that it amounts to no more than mere instructions to apply the exception using generic computer components. Therefore, the additional elements do not integrate the abstract idea into a practical application because they also do not impose any meaningful limits on practicing the abstract idea. Also, the claims do not effect an improvement to another technology or technical field; the claims do not amount to an improvement of the functioning of a computer system itself; the claims do not effect a transformation or reduction of a particular article to a different state or thing; and the claims do not move beyond a general link of the use of an abstract idea to a particular technological environment.
Dependent claim 19 recites similar additional elements as the independent claims including generic computer components, such as “wherein the trained machine learning model determines a predicted endpoint device by receiving the interaction event data stream, and wherein the predicted endpoint device is compared to the identified endpoint device for determining the schema mismatch”. The judicial exception is not integrated into a practical application because the additional elements in the dependent claims are also recited at a high level of generality such that it amounts to no more than mere instructions to apply the exception using generic computer components. Therefore, the additional elements do not integrate the abstract idea into a practical application because they also do not impose any meaningful limits on practicing the abstract idea. Also, the claims do not effect an improvement to another technology or technical field; the claims do not amount to an improvement of the functioning of a computer system itself; the claims do not effect a transformation or reduction of a particular article to a different state or thing; and the claims do not move beyond a general link of the use of an abstract idea to a particular technological environment.
Dependent claim 20 recites similar additional elements as the independent claims including generic computer components, such as “wherein the schema mismatch comprises an identification of a different schema not associated with the identified endpoint device”. The judicial exception is not integrated into a practical application because the additional elements in the dependent claims are also recited at a high level of generality such that it amounts to no more than mere instructions to apply the exception using generic computer components. Therefore, the additional elements do not integrate the abstract idea into a practical application because they also do not impose any meaningful limits on practicing the abstract idea. Also, the claims do not effect an improvement to another technology or technical field; the claims do not amount to an improvement of the functioning of a computer system itself; the claims do not effect a transformation or reduction of a particular article to a different state or thing; and the claims do not move beyond a general link of the use of an abstract idea to a particular technological environment.
Step 2B (Does the claim recite additional elements that amount to significantly more than the judicial exception?) - 2019 PEG pg. 56
Independent claim 15 does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements of “a computing device, a machine learning, an endpoint device, a machine learning model, a trained machine learning model, and an endpoint device identifier” to perform the steps of independent claim 15 for: A method for computing device intrusion detection via machine learning for interaction data analysis, amounts to no more than mere instructions to apply the exception using a generic computer component (See MPEP 2106.05(f)) and limits the judicial exception to the particular environment of computers (See MPEP 2106.05(h)). The additional elements of the instant underlying process, when taken in combination, together do not offer significantly more than the sum of the functions of the elements when each is taken alone. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept in Step 2B. Therefore, independent claim 15 is not patent eligible.
In addition, the dependent claim 17 does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements of the dependent claims of: “scoring, using the trained machine learning model each anomaly of the at least one anomaly; and determining an intrusion event by comparing scores of each anomaly of the at least one anomaly to a predetermined threshold” to perform the claimed limitations, amounts to no more than mere instructions to apply the exception using a generic computer component (See MPEP 2106.05(f)). Similar to the independent claims, mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. Also, for the same reasoning as the independent claims, the additional elements of the limitations of the dependent claims, when considered individually and as an ordered combination, together do not offer significantly more than the sum of the functions of the elements when each is taken alone and the dependent claims as a whole, do not amount to significantly more than the abstract idea itself.
In addition, the dependent claim 18 does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements of the dependent claims of: “preprocessing the interaction event data and the browser history data to reduce dimensionality of the interaction event data and the browser history data” to perform the claimed limitations, amounts to no more than mere instructions to apply the exception using a generic computer component (See MPEP 2106.05(f)). Similar to the independent claims, mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. Also, for the same reasoning as the independent claims, the additional elements of the limitations of the dependent claims, when considered individually and as an ordered combination, together do not offer significantly more than the sum of the functions of the elements when each is taken alone and the dependent claims as a whole, do not amount to significantly more than the abstract idea itself.
In addition, the dependent claim 19 does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements of the dependent claims of: “wherein the trained machine learning model determines a predicted endpoint device by receiving the interaction event data stream, and wherein the predicted endpoint device is compared to the identified endpoint device for determining the schema mismatch” to perform the claimed limitations, amounts to no more than mere instructions to apply the exception using a generic computer component (See MPEP 2106.05(f)). Similar to the independent claims, mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. Also, for the same reasoning as the independent claims, the additional elements of the limitations of the dependent claims, when considered individually and as an ordered combination, together do not offer significantly more than the sum of the functions of the elements when each is taken alone and the dependent claims as a whole, do not amount to significantly more than the abstract idea itself.
In addition, the dependent claim 20 does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements of the dependent claims of: “wherein the schema mismatch comprises an identification of a different schema not associated with the identified endpoint device” to perform the claimed limitations, amounts to no more than mere instructions to apply the exception using a generic computer component (See MPEP 2106.05(f)). Similar to the independent claims, mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. Also, for the same reasoning as the independent claims, the additional elements of the limitations of the dependent claims, when considered individually and as an ordered combination, together do not offer significantly more than the sum of the functions of the elements when each is taken alone and the dependent claims as a whole, do not amount to significantly more than the abstract idea itself.
For these reasons, claims 15 and 17-20 are not patent eligible under 35 U.S.C. 101.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1, 4-8, 11-15 and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Pallemulle et al. (US 10,936,710 B1), hereinafter Pallemulle, in view of Renner et al. (US 2021/0342339 A1), hereinafter Renner, and further in view of Smith et al. (US 12,505,089 B1), hereinafter Smith.
Regarding claim 1, Pallemulle discloses a system for computing device intrusion detection via machine learning for interaction data analysis, the system comprising (Pallemulle, Col. 5, Lines 7-10, as requests or interactions that are suspicious may be detected by the trusted component, for example, such as by using the interaction-based posture assessment techniques of the present disclosure):
a processing device (Pallemulle, Col. 16, Line 29, at least one central processing unit (CPU)); and
a non-transitory storage device containing instructions, where, when executed by the processing device, the instructions cause the processing device to perform the steps of (Pallemulle, Col. 16, Lines 62-67, and Col. 17, Lines 1-9, including non-transitory computer-readable storage media, such as but not limited to volatile and non-volatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program services, or other data, including RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disk (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by the a system device. Based on the disclosure and teachings provided herein, a person of ordinary skill in the art will appreciate other ways and/or methods to implement the various embodiments):
associating the interaction event data and the browser history data with the first endpoint device as a first schema within a database (Pallemulle, Col. 10, Lines 65-68 and Col. 11, Lines 1-3, if the session is active, interaction data can be monitored for security and as means of continuous authentication. Thus, interaction data is received 706 from the client device and analyzed 708. Based on the analysis, it can be determined 710 whether aberrant behavior is detected) and (Pallemulle, Col. 5, Lines 53-57, the posture model may be based on interaction data collected during one or more previous sessions. In some cases, a history of interaction data may be collected and a robust posture model can be built for the user account), wherein the first endpoint device is designated as an authorized endpoint device (Pallemulle, Col. 14, Lines 65-67, and Col. 15, Lines 1-5, the data store might access the user information to verify the identity of the user and can access the catalog detail information to obtain information about elements of that type. The information can then be returned to the user, such as in a results listing on a Web page that the user is able to view via a browser on the user device 1102. Information for a particular element of interest can be viewed in a dedicated page or window of the browser), and
wherein the database comprises a plurality of schema, each respective schema of the plurality of schema comprising at least one corresponding authorized endpoint device (Pallemulle, Col. 9, Lines 53-65, the posture model may include interaction data from authenticated sessions or session durations associated with an authorized user and/or an authorized session. In some embodiments, the posture model may be based on (e.g., include, utilize) interaction data collected during the current sessions. In some embodiments, this information can be stored in session repository 518, a log data store, or other such location, which might contain additional information for the time and location at which the image content was displayed, as well as potentially information about the user or any other persons present at the determined time);
training a machine learning model using the plurality of schema and the at least one corresponding authorized endpoint device to form a trained machine learning model (Pallemulle, Col. 6, Lines 24-31, the posture model may be trained using a first set of interaction data associated from the user account. The first set of interaction data may include interaction data that is trusted to be associated with the user account. Thus, the first set of interaction data may serve as examples of what interaction data should look like when the device is secure (e.g., being used by an user authorized to the user account));
Pallemulle does not explicitly disclose receiving interaction event data from a first endpoint device, the interaction event data comprising data from a plurality of keystrokes and a plurality of touch events; receiving browser history data from the first endpoint device of domains visited via the first endpoint device; receiving an interaction event data stream, a browser data stream of domains currently visited, and a corresponding endpoint device identifier;
However, Renner teaches receiving interaction event data from a first endpoint device, the interaction event data comprising data from a plurality of keystrokes and a plurality of touch events (Renner, Para. 0036, other contextual information may likewise include various user interactions, whether the interactions are with an endpoint device 304, a network 140, a resource, or another user. In certain embodiments, user behaviors, and their related contextual information, may be collected at particular points of observation, and at particular points in time, described in greater detail herein); receiving browser history data from the first endpoint device of domains visited via the first endpoint device (Renner, Para. 0110, user ‘A’ 702 may use an endpoint device 304 to browse a particular web page on a news site on an external system 776. In this example, the individual actions performed by user ‘A’ 702 to access the web page are entity behavior elements that constitute an entity behavior) and (Renner, Para. 0069, a user entity profile 602 broadly refers to a collection of information that uniquely describes a user entity's identity and their associated behavior, whether the behavior occurs within a physical realm or cyberspace); receiving an interaction event data stream (Renner, Para. 0046, an event stream collector 402 may be implemented to collect event and related contextual information, described in greater detail herein, associated with various entity behaviors. In these embodiments, the method by which the event and contextual information is selected to be collected by the event stream collector 402), a browser data stream of domains currently visited (Renner, Para. 0110, user ‘A’ 702 may use an endpoint device 304 to browse a particular web page on a news site on an external system 776. In this example, the individual actions performed by user ‘A’ 702 to access the web page are entity behavior elements that constitute an entity behavior) and (Renner, Para. 0069, a user entity profile 602 broadly refers to a collection of information that uniquely describes a user entity's identity and their associated behavior, whether the behavior occurs within a physical realm or cyberspace), and a corresponding endpoint device identifier (Renner, Para. 0065, an entity behavior profile 638 broadly refers to a collection of information that uniquely describes a particular entity's identity and their associated behavior, whether the behavior occurs within a physical realm or cyberspace);
Pallemulle and Renner are both considered to be analogous to the claimed invention because they are in the same field of detecting anomalous behavior in an execution environment. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Pallemulle to incorporate the teachings of Renner to include receiving interaction event data from a first endpoint device, the interaction event data comprising data from a plurality of keystrokes and a plurality of touch events (Renner, Para. 0036); receiving browser history data from the first endpoint device of domains visited via the first endpoint device (Renner, Para. 0110) and (Renner, Para. 0069); receiving an interaction event data stream (Renner, Para. 0046), a browser data stream of domains currently visited (Renner, Para. 0110) and (Renner, Para. 0069), and a corresponding endpoint device identifier (Renner, Para. 0065). Doing so would aid the efficacy and accuracy of such statistical analyses, which may likewise be dependent upon reflecting changes in the dataset over time, or adapting to new knowledge of the ways in which the entity behavior to be detected manifests itself (Renner, Para. 0017).
Pallemulle and Renner do not explicitly disclose determining, by inputting the interaction event data stream, the browser data stream, and the corresponding endpoint device identifier to the trained machine learning model, an identified endpoint device and a presence of at least one anomaly as outputs based on the interaction event data stream, the browser data stream, and the corresponding endpoint device identifier input to the trained machine learning model, wherein the at least one anomaly comprises a schema mismatch; and transmitting a notification signal comprising schema mismatch details to the identified endpoint device, the notification signal configured to trigger a notification alert for displaying the schema mismatch details on the identified endpoint device.
However, Smith teaches determining, by inputting the interaction event data stream, the browser data stream, and the corresponding endpoint device identifier to the trained machine learning model (Smith, Col. 12, Lines 37-46, Responsive to identifying schema alterations (e.g., a difference between an input schema of input data and a stored/predetermined schema associated with stored data and/or a target database), the schema comparison system 114 can initiate appropriate actions within the hydration system 110, such as triggering the in-flight transformation system 116 to update data models to reflect the new schema structure, updating the input data to match/align with a predetermined schema (e.g. of database 120)) and (The schema comparison system 114, executing the ML models, can analyze the incoming data streams in real-time, and identify any new data points or format changes introduced by, for example, firmware updates), an identified endpoint device and a presence of at least one anomaly as outputs based on the interaction event data stream, the browser data stream (Smith, Col. 5, Lines 15-18, Fig. 1, the one or more processing circuits can output a divergence result (e.g., match, non-match, partial match, etc.) based on comparing the schemas of the data, which can be further utilized as described herein (e.g., regarding the in-flight transformation system 116)), and the corresponding endpoint device identifier input to the trained machine learning model (Smith, Col. 13, Lines 25-34, the schema comparison system 114 can employ computational techniques or algorithms (e.g., natural language processing (NLP) techniques, etc.) to analyze and extract key information (e.g., data fields such as event types, product identifiers, activity data, etc.) and to structure one or more of the extracted data fields into predefined categories and/or formats that align with a previously known schema (e.g., a schema of database 120)), wherein the at least one anomaly comprises a schema mismatch (Smith, Col. 5, Lines 15-18, Fig. 1, the output can be a categorized report of divergences, including matches, non-matches, and partial matches); and
transmitting a notification signal comprising schema mismatch details to the identified endpoint device (Smith, Col. 25, Lines 12-15, responsive to determining a divergence between the schema of the input data and the known (or predetermined) schema, the data stream 624 and/or data transformation system 614 can output a divergence result (e.g., match, partial match, etc.)), the notification signal configured to trigger a notification alert for displaying the schema mismatch details on the identified endpoint device (Smith, Col. 25, Lines 12-15, responsive to determining a divergence between the schema of the input data and the known (or predetermined) schema, the data stream 624 and/or data transformation system 614 can output a divergence result (e.g., match, partial match, etc.)) and (Smith, Col. 13, Lines 25-34, to analyze and extract key information (e.g., data fields such as event types, product identifiers, activity data, etc.) and to structure one or more of the extracted data fields into predefined categories and/or formats that align with a previously known schema (e.g., a schema of database 120)).
Pallemulle, Renner and Smith are all considered to be analogous to the claimed invention because they are in the same field of detecting anomalous behavior in an execution environment. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Pallemulle and Renner to incorporate the teachings of Smith to include determining, by inputting the interaction event data stream, the browser data stream, and the corresponding endpoint device identifier to the trained machine learning model (Smith, Col. 12, Lines 37-46), an identified endpoint device and a presence of at least one anomaly as outputs based on the interaction event data stream, the browser data stream (Smith, Col. 5, Lines 15-18, Fig. 1), and the corresponding endpoint device identifier input to the trained machine learning model (Smith, Col. 13, Lines 25-34), wherein the at least one anomaly comprises a schema mismatch (Smith, Col. 5, Lines 15-18, Fig. 1); and
transmitting a notification signal comprising schema mismatch details to the identified endpoint device (Smith, Col. 25, Lines 12-15), the notification signal configured to trigger a notification alert for displaying the schema mismatch details on the identified endpoint device (Smith, Col. 25, Lines 12-15). Doing so would help because the differences between data types lead to complexities in harmonizing data of various formats, ensuring data quality, and optimizing retrieval and analysis, especially in large-scale systems. To address these technical problems, the technical solution implemented herein includes a data lake hydration system offering data normalization and integration protocols to model a variety of data formats effectively (Smith, Col. 5, Lines 8-15).
Regarding claim 4, the combination of Pallemulle in view of Hazan teaches the system of claim 1, wherein the instructions further cause the processing device to perform the steps of:
preprocessing the interaction event data and the browser history data to reduce dimensionality of the interaction event data and the browser history data (Hazan, Fig. 2, and Para. 0043, the processor can also apply dimensionality reduction algorithms such as principal component analysis (PCA), or correlation-based feature selection (CFS) on the extracted features or higher level features. PCA refers to a statistical procedure that uses an orthogonal transformation to convert a set of observations of possibly correlated variables into a set of values of linearly uncorrelated variables called principal components).
Regarding claim 5, the combination of Pallemulle in view of Hazan teaches the system of claim 1, wherein the trained machine learning model determines a predicted endpoint device by receiving the interaction event data stream (Pallemulle, Col. 2, Lines 50-57, the posture model may be based on (e.g., include, utilize) interaction data collected during the current session. In another embodiment, the posture model may be based on interaction data collected during one or more previous sessions. In some embodiments, passive and continuous authentication may be implemented by monitoring interaction data received from the client device and comparing to the posture model), and
wherein the predicted endpoint device is compared to the identified endpoint device for determining the schema mismatch (Pallemulle, Col. 2, Lines 59-65, the interaction-based posture assessment may detect both unauthorized users as well as unauthorized software running in the background on the client that is attempting to communicate with the content host as the interaction data may include any data transmitted from the client device to the trusted component or the content host).
Regarding claim 6, the combination of Pallemulle in view of Hazan teaches the system of claim 1, wherein the schema mismatch comprises an identification of a different schema not associated with the identified endpoint device (Pallemulle, Col. 2, Lines 59-65, the interaction based posture assessment may detect both unauthorized users as well as unauthorized software running in the background on the client that is attempting to communicate with the content host as the interaction data may include any data transmitted from the client device to the trusted component or the content host).
Regarding claim 7, the combination of Pallemulle in view of Hazan teaches the system of claim 1, wherein the interaction event data further comprises accelerometer data corresponding to at least one selected from the group consisting of the plurality of keystrokes and the plurality of touch events (Pallemulle, Col. 13, Lines 27-30, such a sensor can include, for example, an accelerometer or gyroscope operable to detect an orientation and/or change in orientation of the computing device, as well as small movements of the device).
Regarding claim 8, claim 8 is interpreted and rejected for the same rationale set forth in claim 1.
Regarding claim 11, claim 11 is interpreted and rejected for the same rationale set forth in claim 4.
Regarding claim 12, claim 12 is interpreted and rejected for the same rationale set forth in claim 5.
Regarding claim 13, claim 13 is interpreted and rejected for the same rationale set forth in claim 6.
Regarding claim 14, claim 14 is interpreted and rejected for the same rationale set forth in claim 7.
Regarding claim 15, claim 15 is interpreted and rejected for the same rationale set forth in claims 1 and 8.
Regarding claim 18, claim 18 is interpreted and rejected for the same rationale set forth in claims 4 and 11.
Regarding claim 19, claim 19 is interpreted and rejected for the same rationale set forth in claims 5 and 12.
Regarding claim 20, claim 20 is interpreted and rejected for the same rationale set forth in claims 6 and 13.
Claims 3, 10, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Pallemulle et al. (US 10,936,710 B1), hereinafter Pallemulle, in view of Renner et al. (US 2021/0342339 A1), hereinafter Renner, in view of Smith et al. (US 12,505,089 B1), hereinafter Smith, and further in view of Schell (US 2023/0244754 A1), hereinafter Schell.
Regarding claim 3, the combination of Pallemulle in view of Renner and Smith does not explicitly teach the system of claim 1, wherein the instructions further cause the processing device to perform the steps of:
scoring, using the trained machine learning model each anomaly of the at least one anomaly; and
determining an intrusion event by comparing scores of each anomaly of the at least one anomaly to a predetermined threshold.
However, Schell teaches scoring, using the trained machine learning model each anomaly of the at least one anomaly (Schell, Para. 0033, a predicted normality score is compared to the determined anomaly activation value and in the event the predicted normality score exceeds the anomaly activation value, an anomaly is determined to have occurred); and
determining an intrusion event by comparing scores of each anomaly of the at least one anomaly to a predetermined threshold (Schell, Para. 0027, a predicted normality score that exceeds the anomaly threshold corresponds to the occurrence of an anomaly for the customer's network computer environment). Pallemulle, Renner, Smith and Schell are all considered to be analogous to the claimed invention because they are in the same field of detecting anomalous behavior in an execution environment. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Pallemulle, Renner and Smith to incorporate the teachings of Schell, to include scoring, using the trained machine learning model, each anomaly of the at least one anomaly (Schell, Para. 0033); and determining an intrusion event by comparing scores of each anomaly of the at least one anomaly to a predetermined threshold (Schell, Para. 0027).
Doing so would aid the trained model to detect anomalies in a training dataset. The detected anomalies are removed from the training dataset to create a revised and reduced training dataset that better represents normal system behavior. The model is then retrained using the revised dataset that has detected anomalies removed (Schell, Para. 0014).
Regarding claim 10, claim 10 is interpreted and rejected for the same rationale set forth in claim 3.
Regarding claim 17, claim 17 is interpreted and rejected for the same rationale set forth in claims 3 and 10.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GITA FARAMARZI whose telephone number is (571)272-0248. The examiner can normally be reached Monday-Friday, 9:00 am-6:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge L. Ortiz-Criado, can be reached at (571)272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/GITA FARAMARZI/Examiner, Art Unit 2496
/JORGE L ORTIZ CRIADO/Supervisory Patent Examiner, Art Unit 2496