Detailed Action
Office Action and Claim Status
1. The office action is in response to the communication dated on September 3, 2024.
2. Claims 1-20 are submitted for examination.
3. Claims 1-20 are pending.
Notice of Pre-AIA or AIA Status
4. The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Oath/Declaration
6. Applicant’s oath/declaration filed on 9/03/2024 has been reviewed by the examiner and is found to conform to the requirements prescribed in 37 C.F.R. 1.63.
Information Disclosure Statement
5. The information disclosure statement (IDS) submitted on 9/03/2024 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Drawings
7. The drawings submitted on 9/03/2024 with the instant application are acceptable for examination purposes.
Specification
8. The specification submitted on 9/03/2024 with the instant application are acceptable for examination purposes.
Claim Rejections - 35 USC § 103
9. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
10. Claim(s) 1-4, 7-8, 10-12, 15, 17, and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Gosset (US Pub. No. 20190392450 A1) in view of Jones (US Patent No. 12452282 B2).
Regarding Claim 1:
Gosset teaches a server for detecting fraudulent user authentication requests, the server (Gosset – Paragraph [0025, lines 6-17]: The RBA-enabled directory server receives an authentication request message for a transaction involving a market regulated by a regulatory entity…the RBA-enabled directory server determines that a risk of fraud in the transaction is below a regulated risk threshold) comprising:
a memory storing computer readable instructions (Gosset – Paragraph [0087, lines 2-3]: instructions may be stored in a memory area 310); and
processing circuitry configured to execute the computer readable instructions to cause the server to (Gosset – Paragraph [0063, lines 1-6]: a processor may include any programmable system including systems using micro-controllers, reduced instruction set circuits (RISC), application specific integrated circuits (ASICs), logic circuits, and any other circuit or processor capable of executing the functions described herein),
generate, with [the plurality of] ML model[s] configured to detect a plurality of different fraud types, a response based on the dataset, the response including at least one ML score representing a probability of at least one of the plurality of different fraud types occurring during the authentication request, and (Gosset – Paragraph [0114, lines 1-5]: authentication system 600 includes an RBA-enabled directory server 610 communicatively coupled to a RBA engine 612 (which may be collectively referred to as an authentication platform 614); Paragraph [0055, lines 1-4]: In the example embodiment, the authentication platform performs the authentication process on the transaction, including RBA. This analysis is based on a machine learning model; Paragraph [0051, lines 15-20]: The authentication data may also be divided by category, such as: transaction data (amount, currency, date, and time), device data (IP address, device info, and channel data), cardholder data (account number and shipping address), and merchant data (name, category, and country); Paragraph [0032, lines 1-6]: [0032] The RBA-enabled directory server receives an authentication request (AReq) message from a 3DS server; Paragraph [0031, lines 1-7]: Specifically, in the systems and methods described herein, the authentication system uses the 3DS 2 Protocol (or subsequent versions of the 3DS Protocol) for authentication, and performs RBA on transactions to determine when the transaction may avoid SCA and when SCA is mandated based on the regulator-configured threshold value and risk value; Paragraph [0115, lines 4-6]: RBA-enabled directory server 610 transmits at least some of the data in the AReq message (e.g., the authentication data) to RBA engine 612; Paragraph [0118, lines 1-7]: the RBA result data generated by RBA engine 612 includes a risk score, a risk analysis, and at least one reason code. The risk score is a score representing a determined riskiness of the transaction, with lower scores indicating lower risk and higher scores indicating higher risk. In other words, the risk score represents a likelihood …; Paragraph [0034, lines 3-4]: Further the reason codes include one or more factors that influenced the risk score; Paragraph [0120, lines 5-9]: Based on the analysis of the data in the AReq message, RBA engine 612 may activate one or more anchors. The reason codes are then generated based on which anchors (and how many anchors) are activated; and Paragraph [0127, lines 1-2] The following Table 3 lists of number of example reason codes; Examiner’s Notes: Table 3 of Gosset shows reason code C corresponds to a device or profile associated with fraud, reason code F corresponds to a fraud being detected in the PAN that is used for a transaction, and reason code H corresponds to a merchant submitting transactions with a high fraud rate)
generate an authentication denial response for the authentication request based on the ML score and a threshold (Gosset – Paragraph [0114, lines 1-5]: authentication system 600 includes an RBA-enabled directory server 610 communicatively coupled to a RBA engine 612 (which may be collectively referred to as an authentication platform 614); Paragraph [0055, lines 1-4]: In the example embodiment, the authentication platform performs the authentication process on the transaction, including RBA. This analysis is based on a machine learning model; Paragraph [0033, lines 1-4]: the RBA result data generated by the RBA engine includes a risk score, a risk analysis, and at least one reason code. The risk score is a score representing a determined riskiness of the transaction; Paragraph [0025, lines 15-19]: the RBA-enabled directory server determines that a risk of fraud in the transaction is below a regulated risk threshold established by the regulatory entity by comparing the risk score to the regulated risk threshold; and Paragraph [0039, lines 2-7]: In the example embodiment, in the case of a high risk transaction, the authentication platform may deny the transaction. The authentication platform may transmit an authentication response (ARes) message including the denial to the 3DS server).
Gosset does not expressly teach receive, by a plurality of machine learning (ML) models, a dataset including user data specific to a user logging into an account during an authentication request and device data specific to a computing device used by the user to log into the account during the authentication request, and generate, with the plurality of ML models [configured to detect a plurality of different fraud types], a response based on the dataset, [the response including at least one ML score representing a probability of at least one of the plurality of different fraud types] occurring during the authentication request.
However, Jones teaches receive, by a plurality of machine learning (ML) models, a dataset including user data specific to a user logging into an account during an authentication request and device data specific to a computing device used by the user to log into the account during the authentication request, (Jones – [Col. 5, lines 9-19]: A context is a set of access attempt features that can be used to characterize an authentication request. Context can be determined from data headers or other surrounding information related to the authentication request. Data header can include information such as IP address, ports, host, user-agent, and other information that can be obtained from headers at any network level. Surrounding information can include the time the authentication request was received, the userID and password being sent with the authentication request, and other metadata or data related to the request; and [Col. 10, lines 24-27]: Once access prediction service 285 receives features from signal node 223, access prediction service provides those features to ML models 295 and receives a risk score)
generate, with the plurality of ML models [configured to detect a plurality of different fraud types], a response based on the dataset, [the response including at least one ML score representing a probability of at least one of the plurality of different fraud types] occurring during the authentication request (Jones – [Col. 5, lines 9-19]: A context is a set of access attempt features that can be used to characterize an authentication request. Context can be determined from data headers or other surrounding information related to the authentication request. Data header can include information such as IP address, ports, host, user-agent, and other information that can be obtained from headers at any network level. Surrounding information can include the time the authentication request was received, the userID and password being sent with the authentication request, and other metadata or data related to the request; and [Col. 10, lines 24-27]: Once access prediction service 285 receives features from signal node 223, access prediction service provides those features to ML models 295 and receives a risk score).
It would have been obvious to one having ordinary skill in the art before the effective filling date of the claimed invention to modify Gosset, further incorporating Jones to arrive at the claimed invention. One would be motivated to incorporate Jones’s teachings into Gosset’s invention to allow an ensemble of ML models to detect authentication request anomalies in order to improve the accuracy of positive alerts; see Jones [Col. 4, lines 35-54].
Regarding Claim 2:
The combination of Gosset and Jones teaches the server of claim 1.
Gosset further teaches wherein the server is further caused to compare the ML score to the threshold and generate the authentication denial response for the authentication request in response to the ML score being greater than the threshold (Gosset – Paragraph [0114, lines 1-5]: authentication system 600 includes an RBA-enabled directory server 610 communicatively coupled to a RBA engine 612 (which may be collectively referred to as an authentication platform 614); Paragraph [0055, lines 1-4]: In the example embodiment, the authentication platform performs the authentication process on the transaction, including RBA. This analysis is based on a machine learning model; Paragraph [0033, lines 1-6]: the RBA result data generated by the RBA engine includes a risk score, a risk analysis, and at least one reason code. The risk score is a score representing a determined riskiness of the transaction, with lower scores indicating lower risk and higher scores indicating higher risk; Paragraph [0025, lines 15-19]: the RBA-enabled directory server determines that a risk of fraud in the transaction is below a regulated risk threshold established by the regulatory entity by comparing the risk score to the regulated risk threshold; and Paragraph [0039, lines 2-7]: In the example embodiment, in the case of a high risk transaction, the authentication platform may deny the transaction. The authentication platform may transmit an authentication response (ARes) message including the denial to the 3DS server).
The motivation to combine the arts is the same as that of Claim 1.
Regarding Claim 3:
The combination of Gosset and Jones teaches the server of claim 1.
Gosset further teaches wherein the server is further caused to generate an authentication approval response for the authentication request in response to the ML score being less than the threshold (Gosset – Paragraph [0114, lines 1-5]: authentication system 600 includes an RBA-enabled directory server 610 communicatively coupled to a RBA engine 612 (which may be collectively referred to as an authentication platform 614); Paragraph [0055, lines 1-4]: In the example embodiment, the authentication platform performs the authentication process on the transaction, including RBA. This analysis is based on a machine learning model; Paragraph [0033, lines 1-6]: the RBA result data generated by the RBA engine includes a risk score, a risk analysis, and at least one reason code. The risk score is a score representing a determined riskiness of the transaction, with lower scores indicating lower risk and higher scores indicating higher risk; Paragraph [0025, lines 15-19]: the RBA-enabled directory server determines that a risk of fraud in the transaction is below a regulated risk threshold established by the regulatory entity by comparing the risk score to the regulated risk threshold; and Paragraph [0040, lines 2-5]: If the transaction is low risk, the authentication platform may approve the transaction and transmit an authentication response (ARes) message including the approval to the 3DS server).
The motivation to combine the arts is the same as that of Claim 1.
Regarding Claim 4:
The combination of Gosset and Jones teaches the server of claim 1.
Gosset further teaches wherein the server is further caused to generate an authentication response with one or more additional authentication steps (Gosset – Paragraph [0036, lines 1-10]: The enhanced AReq message may then be transmitted from the RBA-enabled directory server to the ACS. The ACS then analyzes the RBA result data in the enhanced AReq message to make an authentication decision. That is, in the example embodiment, the ACS may determine to fully authenticate the transaction, deny authentication for the transaction, or perform additional authentication (e.g., by issuing a step-up challenge to the cardholder) for the transaction, based on at least one of a risk score, the risk analysis, and the reason codes).
The motivation to combine the arts is the same as that of Claim 1.
Regarding Claim 7:
The combination of Gosset and Jones teaches the server of claim 1.
Jones further teaches wherein the at least one ML score is an aggregation of individual scores generated by the plurality of ML models, and each individual score represents [a probability of a fraud type of the plurality of different fraud types] occurring during the authentication request (Jones – [Col. 18, lines 12-14]: FIG. 5A and FIG. 5B list example code for an ensemble approach to obtaining a risk score that combines autoencoding models, clustering models and rule-based heuristics; [Col. 19, lines 23-32]: FIG. 5C illustrates a flow diagram showing how the source code 500 calculates the risk score from the various risk sub-scores…Model risk score 540 is the maximum of encoder-decoder risk score aggregation 520 and clustering risk score 530; and [Col. 10, lines 22-24]: Access prediction service 285 is the service interface though which Autonomous Access 275 receives features of authentication requests)
Jones does not expressly teach [wherein the at least one ML score is an aggregation of individual scores generated by the plurality of ML models, and each individual score represents] a probability of a fraud type of the plurality of different fraud types [occurring during the authentication request].
However, Gosset further teaches wherein the at least one ML score [is an aggregation of individual scores generated by the plurality of ML models, and each individual score] represents a probability of a fraud type of the plurality of different fraud types occurring during the authentication request (Gosset – Paragraph [0114, lines 1-5]: authentication system 600 includes an RBA-enabled directory server 610 communicatively coupled to a RBA engine 612 (which may be collectively referred to as an authentication platform 614); Paragraph [0055, lines 1-4]: In the example embodiment, the authentication platform performs the authentication process on the transaction, including RBA. This analysis is based on a machine learning model; Paragraph [0051, lines 15-20]: The authentication data may also be divided by category, such as: transaction data (amount, currency, date, and time), device data (IP address, device info, and channel data), cardholder data (account number and shipping address), and merchant data (name, category, and country); Paragraph [0032, lines 1-6]: [0032] The RBA-enabled directory server receives an authentication request (AReq) message from a 3DS server; Paragraph [0031, lines 1-7]: Specifically, in the systems and methods described herein, the authentication system uses the 3DS 2 Protocol (or subsequent versions of the 3DS Protocol) for authentication, and performs RBA on transactions to determine when the transaction may avoid SCA and when SCA is mandated based on the regulator-configured threshold value and risk value; Paragraph [0115, lines 4-6]: RBA-enabled directory server 610 transmits at least some of the data in the AReq message (e.g., the authentication data) to RBA engine 612; Paragraph [0118, lines 1-7]: the RBA result data generated by RBA engine 612 includes a risk score, a risk analysis, and at least one reason code. The risk score is a score representing a determined riskiness of the transaction, with lower scores indicating lower risk and higher scores indicating higher risk. In other words, the risk score represents a likelihood …; Paragraph [0034, lines 3-4]: Further the reason codes include one or more factors that influenced the risk score; Paragraph [0120, lines 5-9]: Based on the analysis of the data in the AReq message, RBA engine 612 may activate one or more anchors. The reason codes are then generated based on which anchors (and how many anchors) are activated; and Paragraph [0127, lines 1-2] The following Table 3 lists of number of example reason codes; Examiner’s Notes: Table 3 of Gosset shows reason code C corresponds to a device or profile associated with fraud, reason code F corresponds to a fraud being detected in the PAN that is used for a transaction, and reason code H corresponds to a merchant submitting transactions with a high fraud rate).
The motivation to combine the arts is the same as that of Claim 1.
Regarding Claim 8:
The combination of Gosset and Jones teaches the server of claim 1.
Jones further teaches wherein the server is further caused to generate, with a plurality of rule-based fraud detection algorithms, an output based on the dataset, and train the plurality of ML models based on the output generated by the plurality of rule-based fraud detection algorithms and the response generated by the plurality of ML models (Jones – [Col. 17, lines 1-4]: FIG. 4. illustrates a block diagram of several example rule-based heuristics that can signal anomaly. Diagram 400 includes authentication attempt features 411 and rule-based heuristics 419; [Col. 18, lines 26-32]: Heuristic risk score aggregation process 510 performs a max function on a heuristic score array that stores the risk sub-scores from each individual rule-based heuristic. In other words, if the Credential Stuffing score is ninety and the Automated User Agents score is eight-seven, heuristic risk sub-score aggregation process 510 returns a heuristic risk sub-score of ninety; [Col. 18, lines 66-67 – Col. 19, lines 1-4]: In general, when model training is necessary, the types of analysis employed in the ensemble support training by unlabeled data. As a further enhancement, the ensemble can also use supervised and/or semi-supervised learning models in addition to rule-based heuristics and unsupervised learning models).
The motivation to combine the arts is the same as that of Claim 1.
Regarding Claim 10:
The combination of Gosset and Jones teaches the server of claim 1.
Jones further teaches wherein the plurality of ML models includes at least one unsupervised ML model and at least one supervised ML model (Jones – [Col. 11, lines 3-4]: ML models 295 contains at least a variety of unsupervised machine learning models; and [Col. 11, lines 12-13]: In further enhancements, ML models 295 also include one or more supervised and/or semi-supervised learning models).
The motivation to combine the arts is the same as that of Claim 1.
Regarding Claim 11:
Gosset teaches a method for detecting fraudulent user authentication requests, the method comprising: (Gosset – Paragraph [0009, lines 5-16]: The method includes receiving an authentication request message for a transaction involving a market regulated by a regulatory entity.…The method also includes determining that a risk of fraud in the transaction satisfies a risk threshold)
generating, with the [plurality of] ML model[s] configured to detect a plurality of different fraud types, a response based on the dataset, the response including at least one ML score representing a probability of at least one of the plurality of different fraud types occurring during the authentication request (Gosset – Paragraph [0114, lines 1-5]: authentication system 600 includes an RBA-enabled directory server 610 communicatively coupled to a RBA engine 612 (which may be collectively referred to as an authentication platform 614); Paragraph [0055, lines 1-4]: In the example embodiment, the authentication platform performs the authentication process on the transaction, including RBA. This analysis is based on a machine learning model; Paragraph [0051, lines 15-20]: The authentication data may also be divided by category, such as: transaction data (amount, currency, date, and time), device data (IP address, device info, and channel data), cardholder data (account number and shipping address), and merchant data (name, category, and country); Paragraph [0032, lines 1-6]: [0032] The RBA-enabled directory server receives an authentication request (AReq) message from a 3DS server; Paragraph [0031, lines 1-7]: Specifically, in the systems and methods described herein, the authentication system uses the 3DS 2 Protocol (or subsequent versions of the 3DS Protocol) for authentication, and performs RBA on transactions to determine when the transaction may avoid SCA and when SCA is mandated based on the regulator-configured threshold value and risk value; Paragraph [0115, lines 4-6]: RBA-enabled directory server 610 transmits at least some of the data in the AReq message (e.g., the authentication data) to RBA engine 612; Paragraph [0118, lines 1-7]: the RBA result data generated by RBA engine 612 includes a risk score, a risk analysis, and at least one reason code. The risk score is a score representing a determined riskiness of the transaction, with lower scores indicating lower risk and higher scores indicating higher risk. In other words, the risk score represents a likelihood ….; Paragraph [0034, lines 3-4]: Further the reason codes include one or more factors that influenced the risk score; Paragraph [0120, lines 5-9]: Based on the analysis of the data in the AReq message, RBA engine 612 may activate one or more anchors. The reason codes are then generated based on which anchors (and how many anchors) are activated; and Paragraph [0127, lines 1-2] The following Table 3 lists of number of example reason codes; Examiner’s Notes: Table 3 of Gosset shows reason code C corresponds to a device or profile associated with fraud, reason code F corresponds to a fraud being detected in the PAN that is used for a transaction, and reason code H corresponds to a merchant submitting transactions with a high fraud rate)
and generating an authentication denial response for the authentication request based on the ML score and a threshold (Gosset – Paragraph [0114, lines 1-5]: authentication system 600 includes an RBA-enabled directory server 610 communicatively coupled to a RBA engine 612 (which may be collectively referred to as an authentication platform 614); Paragraph [0055, lines 1-4]: In the example embodiment, the authentication platform performs the authentication process on the transaction, including RBA. This analysis is based on a machine learning model; Paragraph [0033, lines 1-4]: the RBA result data generated by the RBA engine includes a risk score, a risk analysis, and at least one reason code. The risk score is a score representing a determined riskiness of the transaction; Paragraph [0025, lines 15-19]: the RBA-enabled directory server determines that a risk of fraud in the transaction is below a regulated risk threshold established by the regulatory entity by comparing the risk score to the regulated risk threshold; and Paragraph [0039, lines 2-7]: In the example embodiment, in the case of a high risk transaction, the authentication platform may deny the transaction. The authentication platform may transmit an authentication response (ARes) message including the denial to the 3DS server).
Gosset does not expressly teach receiving, by a plurality of machine learning (ML) models, a dataset including user data specific to a user logging into an account during an authentication request and device data specific to a computing device used by the user to log into the account during the authentication request; generating, with the [plurality of] ML model[s] configured to detect a plurality of different fraud types, a response based on the dataset, the response including at least one ML score representing a probability of at least one of the plurality of different fraud types occurring during the authentication request.
However, Jones teaches receiving, by a plurality of machine learning (ML) models, a dataset including user data specific to a user logging into an account during an authentication request and device data specific to a computing device used by the user to log into the account during the authentication request; (Jones – [Col. 5, lines 9-19]: A context is a set of access attempt features that can be used to characterize an authentication request. Context can be determined from data headers or other surrounding information related to the authentication request. Data header can include information such as IP address, ports, host, user-agent, and other information that can be obtained from headers at any network level. Surrounding information can include the time the authentication request was received, the userID and password being sent with the authentication request, and other metadata or data related to the request; and [Col. 10, lines 24-27]: Once access prediction service 285 receives features from signal node 223, access prediction service provides those features to ML models 295 and receives a risk score)
generating, with the plurality of ML models [configured to detect a plurality of different fraud types], a response based on the dataset, [the response including at least one ML score representing a probability of at least one of the plurality of different fraud types] occurring during the authentication request (Jones – [Col. 5, lines 9-19]: A context is a set of access attempt features that can be used to characterize an authentication request. Context can be determined from data headers or other surrounding information related to the authentication request. Data header can include information such as IP address, ports, host, user-agent, and other information that can be obtained from headers at any network level. Surrounding information can include the time the authentication request was received, the userID and password being sent with the authentication request, and other metadata or data related to the request; and [Col. 10, lines 24-27]: Once access prediction service 285 receives features from signal node 223, access prediction service provides those features to ML models 295 and receives a risk score).
It would have been obvious to one having ordinary skill in the art before the effective filling date of the claimed invention to modify Gosset, further incorporating Jones to arrive at the claimed method. One would be motivated to incorporate Jones’s teachings into Gosset’s method to allow an ensemble of ML models to detect authentication requests anomalies in order to improve the accuracy of positive alerts; see Jones [Col. 4, lines 35-54].
Regarding Claim 12:
The combination of Gosset and Jones teaches the method of claim 11.
Gosset further teaches further comprising comparing the ML score to the threshold, wherein generating the authentication denial response for the authentication request includes generating the authentication denial response in response to the ML score being greater than the threshold (Gosset – Paragraph [0114, lines 1-5]: authentication system 600 includes an RBA-enabled directory server 610 communicatively coupled to a RBA engine 612 (which may be collectively referred to as an authentication platform 614); Paragraph [0055, lines 1-4]: In the example embodiment, the authentication platform performs the authentication process on the transaction, including RBA. This analysis is based on a machine learning model; Paragraph [0033, lines 1-6]: the RBA result data generated by the RBA engine includes a risk score, a risk analysis, and at least one reason code. The risk score is a score representing a determined riskiness of the transaction, with lower scores indicating lower risk and higher scores indicating higher risk; Paragraph [0025, lines 15-19]: the RBA-enabled directory server determines that a risk of fraud in the transaction is below a regulated risk threshold established by the regulatory entity by comparing the risk score to the regulated risk threshold; and Paragraph [0039, lines 2-7]: In the example embodiment, in the case of a high risk transaction, the authentication platform may deny the transaction. The authentication platform may transmit an authentication response (ARes) message including the denial to the 3DS server).
The motivation to combine the arts is the same as that of Claim 11.
Regarding Claim 15:
The combination of Gosset and Jones teaches the method of claim 11.
Jones further teaches wherein the at least one ML score is an aggregation of individual scores generated by the plurality of ML models, and each individual score represents [a probability of a fraud type of the plurality of different fraud types] occurring during the authentication request (Jones – [Col. 18, lines 12-14]: FIG. 5A and FIG. 5B list example code for an ensemble approach to obtaining a risk score that combines autoencoding models, clustering models and rule-based heuristics; [Col. 19, lines 23-32]: FIG. 5C illustrates a flow diagram showing how the source code 500 calculates the risk score from the various risk sub-scores…Model risk score 540 is the maximum of encoder-decoder risk score aggregation 520 and clustering risk score 530; and [Col. 10, lines 22-24]: Access prediction service 285 is the service interface though which Autonomous Access 275 receives features of authentication requests)
Jones does not expressly teach [wherein the at least one ML score is an aggregation of individual scores generated by the plurality of ML models, and each individual score represents] a probability of a fraud type of the plurality of different fraud types [occurring during the authentication request].
However, Gosset further teaches wherein the at least one ML score [is an aggregation of individual scores generated by the plurality of ML models, and each individual score] represents a probability of a fraud type of the plurality of different fraud types occurring during the authentication request (Gosset – Paragraph [0114, lines 1-5]: authentication system 600 includes an RBA-enabled directory server 610 communicatively coupled to a RBA engine 612 (which may be collectively referred to as an authentication platform 614); Paragraph [0055, lines 1-4]: In the example embodiment, the authentication platform performs the authentication process on the transaction, including RBA. This analysis is based on a machine learning model; Paragraph [0051, lines 15-20]: The authentication data may also be divided by category, such as: transaction data (amount, currency, date, and time), device data (IP address, device info, and channel data), cardholder data (account number and shipping address), and merchant data (name, category, and country); Paragraph [0032, lines 1-6]: [0032] The RBA-enabled directory server receives an authentication request (AReq) message from a 3DS server; Paragraph [0031, lines 1-7]: Specifically, in the systems and methods described herein, the authentication system uses the 3DS 2 Protocol (or subsequent versions of the 3DS Protocol) for authentication, and performs RBA on transactions to determine when the transaction may avoid SCA and when SCA is mandated based on the regulator-configured threshold value and risk value; Paragraph [0115, lines 4-6]: RBA-enabled directory server 610 transmits at least some of the data in the AReq message (e.g., the authentication data) to RBA engine 612; Paragraph [0118, lines 1-6]: the RBA result data generated by RBA engine 612 includes a risk score, a risk analysis, and at least one reason code. The risk score is a score representing a determined riskiness of the transaction, with lower scores indicating lower risk and higher scores indicating higher risk; Paragraph [0034, lines 3-4]: Further the reason codes include one or more factors that influenced the risk score; Paragraph [0120, lines 5-9]: Based on the analysis of the data in the AReq message, RBA engine 612 may activate one or more anchors. The reason codes are then generated based on which anchors (and how many anchors) are activated; and Paragraph [0127, lines 1-2] The following Table 3 lists of number of example reason codes; Examiner’s Notes: Table 3 of Gosset shows reason code C corresponds to a device or profile associated with fraud, reason code F corresponds to a fraud being detected in the PAN that is used for a transaction, and reason code H corresponds to a merchant submitting transactions with a high fraud rate).
The motivation to combine the arts is the same as that of Claim 11.
Regarding Claim 17:
The combination of Gosset and Jones teaches the method of claim 11.
Jones further teaches further comprising generating, by a plurality of rule-based fraud detection algorithms, an output based on the dataset; and training the plurality of ML models based on the output generated by the plurality of rule-based fraud detection algorithms and the response generated by the plurality of ML models (Jones – [Col. 17, lines 1-4]: FIG. 4. illustrates a block diagram of several example rule-based heuristics that can signal anomaly. Diagram 400 includes authentication attempt features 411 and rule-based heuristics 419; [Col. 18, lines 26-32]: Heuristic risk score aggregation process 510 performs a max function on a heuristic score array that stores the risk sub-scores from each individual rule-based heuristic. In other words, if the Credential Stuffing score is ninety and the Automated User Agents score is eight-seven, heuristic risk sub-score aggregation process 510 returns a heuristic risk sub-score of ninety; [Col. 18, lines 66-67 – Col. 19, lines 1-4]: In general, when model training is necessary, the types of analysis employed in the ensemble support training by unlabeled data. As a further enhancement, the ensemble can also use supervised and/or semi-supervised learning models in addition to rule-based heuristics and unsupervised learning models).
The motivation to combine the arts is the same as that of Claim 11.
Regarding Claim 19:
The combination of Gosset and Jones teaches the method of claim 11.
Jones further teaches wherein the plurality of ML models includes at least one unsupervised ML model and at least one supervised ML model (Jones – [Col. 11, lines 3-4]: ML models 295 contains at least a variety of unsupervised machine learning models; and [Col. 11, lines 12-13]: In further enhancements, ML models 295 also include one or more supervised and/or semi-supervised learning models).
The motivation to combine the arts is the same as that of Claim 11.
Regarding Claim 20:
Gosset teaches a non-transitory computer readable medium storing computer readable instructions, which when executed by processing circuitry of a server, causes the server to: (Gosset – Paragraph [0010, lines 1-7]: one non-transitory computer-readable storage media having computer-executable instructions.…When executed by at least one processor, the computer-executable instructions cause the at least one processor; Paragraph [0063, lines ]: As used herein, a processor may include any programmable system including systems using micro-controllers, reduced instruction set circuits (RISC), application specific integrated circuits (ASICs), logic circuits, and any other circuit or processor capable of executing the functions described herein)
generate, with the [plurality of] ML model[s] configured to detect a plurality of different fraud types, a response based on the dataset, the response including at least one ML score representing a probability of at least one of the plurality of different fraud types occurring during the authentication request; and (Gosset – Paragraph [0114, lines 1-5]: authentication system 600 includes an RBA-enabled directory server 610 communicatively coupled to a RBA engine 612 (which may be collectively referred to as an authentication platform 614); Paragraph [0055, lines 1-4]: In the example embodiment, the authentication platform performs the authentication process on the transaction, including RBA. This analysis is based on a machine learning model; Paragraph [0051, lines 15-20]: The authentication data may also be divided by category, such as: transaction data (amount, currency, date, and time), device data (IP address, device info, and channel data), cardholder data (account number and shipping address), and merchant data (name, category, and country); Paragraph [0032, lines 1-6]: [0032] The RBA-enabled directory server receives an authentication request (AReq) message from a 3DS server; Paragraph [0031, lines 1-7]: Specifically, in the systems and methods described herein, the authentication system uses the 3DS 2 Protocol (or subsequent versions of the 3DS Protocol) for authentication, and performs RBA on transactions to determine when the transaction may avoid SCA and when SCA is mandated based on the regulator-configured threshold value and risk value; Paragraph [0115, lines 4-6]: RBA-enabled directory server 610 transmits at least some of the data in the AReq message (e.g., the authentication data) to RBA engine 612; Paragraph [0118, lines 1-7]: the RBA result data generated by RBA engine 612 includes a risk score, a risk analysis, and at least one reason code. The risk score is a score representing a determined riskiness of the transaction, with lower scores indicating lower risk and higher scores indicating higher risk. In other words, the risk score represents a likelihood …; Paragraph [0034, lines 3-4]: Further the reason codes include one or more factors that influenced the risk score; Paragraph [0120, lines 5-9]: Based on the analysis of the data in the AReq message, RBA engine 612 may activate one or more anchors. The reason codes are then generated based on which anchors (and how many anchors) are activated; and Paragraph [0127, lines 1-2] The following Table 3 lists of number of example reason codes; Examiner’s Notes: Table 3 of Gosset shows reason code C corresponds to a device or profile associated with fraud, reason code F corresponds to a fraud being detected in the PAN that is used for a transaction, and reason code H corresponds to a merchant submitting transactions with a high fraud rate)
generate an authentication denial response for the authentication request based on the ML score and a threshold (Gosset – Paragraph [0114, lines 1-5]: authentication system 600 includes an RBA-enabled directory server 610 communicatively coupled to a RBA engine 612 (which may be collectively referred to as an authentication platform 614); Paragraph [0055, lines 1-4]: In the example embodiment, the authentication platform performs the authentication process on the transaction, including RBA. This analysis is based on a machine learning model; Paragraph [0033, lines 1-4]: the RBA result data generated by the RBA engine includes a risk score, a risk analysis, and at least one reason code. The risk score is a score representing a determined riskiness of the transaction; Paragraph [0025, lines 15-19]: the RBA-enabled directory server determines that a risk of fraud in the transaction is below a regulated risk threshold established by the regulatory entity by comparing the risk score to the regulated risk threshold; and Paragraph [0039, lines 2-7]: In the example embodiment, in the case of a high risk transaction, the authentication platform may deny the transaction. The authentication platform may transmit an authentication response (ARes) message including the denial to the 3DS server).
Gosset does not expressly teach receive, by a plurality of machine learning (ML) models, a dataset including user data specific to a user logging into an account during an authentication request and device data specific to a computing device used by the user to log into the account during the authentication request; generate, with the [plurality of] ML model[s] configured to detect a plurality of different fraud types, a response based on the dataset, the response including at least one ML score representing a probability of at least one of the plurality of different fraud types occurring during the authentication request.
However, Jones teaches receive, by a plurality of machine learning (ML) models, a dataset including user data specific to a user logging into an account during an authentication request and device data specific to a computing device used by the user to log into the account during the authentication request; (Jones – [Col. 5, lines 9-19]: A context is a set of access attempt features that can be used to characterize an authentication request. Context can be determined from data headers or other surrounding information related to the authentication request. Data header can include information such as IP address, ports, host, user-agent, and other information that can be obtained from headers at any network level. Surrounding information can include the time the authentication request was received, the userID and password being sent with the authentication request, and other metadata or data related to the request; and [Col. 10, lines 24-27]: Once access prediction service 285 receives features from signal node 223, access prediction service provides those features to ML models 295 and receives a risk score)
generate, with the plurality of ML models [configured to detect a plurality of different fraud types], a response based on the dataset, [the response including at least one ML score representing a probability of at least one of the plurality of different fraud types] occurring during the authentication request; (Jones – [Col. 5, lines 9-19]: A context is a set of access attempt features that can be used to characterize an authentication request. Context can be determined from data headers or other surrounding information related to the authentication request. Data header can include information such as IP address, ports, host, user-agent, and other information that can be obtained from headers at any network level. Surrounding information can include the time the authentication request was received, the userID and password being sent with the authentication request, and other metadata or data related to the request; and [Col. 10, lines 24-27]: Once access prediction service 285 receives features from signal node 223, access prediction service provides those features to ML models 295 and receives a risk score).
It would have been obvious to one having ordinary skill in the art before the effective filling date of the claimed invention to modify Gosset, further incorporating Jones to arrive at the claimed invention. One would be motivated to incorporate Jones’s teachings into Gosset’s invention to allow an ensemble of ML models to detect authentication requests anomalies in order to improve the accuracy of positive alerts; see Jones [Col. 4, lines 35-54].
11. Claim(s) 5-6 and 13-14 are rejected under 35 U.S.C. 103 as being unpatentable over Gosset (US Pub. No. 20190392450 A1) in view of Jones (US Patent No. 12452282 B2), and further in view of Djosic (US Patent No. 12058135 B2).
Regarding Claim 5:
The combination of Gosset and Jones teaches the server of claim 1.
Jones further teaches wherein the response generated by the plurality of ML models is a first response, (Jones – [Col. 10, lines 24-27]: Once access prediction service 285 receives features from signal node 223, access prediction service provides those features to ML models 295 and receives a risk score)
and the server is further caused to receive, [by a risk-based authentication (RBA) system,] the dataset including the user data and the device data, [generate, with the RBA system, a second response] based on the dataset [and a set of defined rules, the second response including an RBA score representing an aggregation of scores generated by the defined rules when triggered by] the dataset, (Jones – [Col. 5, lines 9-19]: A context is a set of access attempt features that can be used to characterize an authentication request. Context can be determined from data headers or other surrounding information related to the authentication request. Data header can include information such as IP address, ports, host, user-agent, and other information that can be obtained from headers at any network level. Surrounding information can include the time the authentication request was received, the userID and password being sent with the authentication request, and other metadata or data related to the request; and [Col. 10, lines 24-27]: Once access prediction service 285 receives features from signal node 223, access prediction service provides those features to ML models 295 and receives a risk score).
Gosset further teaches and generate the authentication denial response for the authentication request based on the ML score and/or the RBA score (Gosset – Paragraph [0114, lines 1-5]: authentication system 600 includes an RBA-enabled directory server 610 communicatively coupled to a RBA engine 612 (which may be collectively referred to as an authentication platform 614); Paragraph [0055, lines 1-4]: In the example embodiment, the authentication platform performs the authentication process on the transaction, including RBA. This analysis is based on a machine learning model; Paragraph [0033, lines 1-4]: the RBA result data generated by the RBA engine includes a risk score, a risk analysis, and at least one reason code. The risk score is a score representing a determined riskiness of the transaction; Paragraph [0025, lines 15-19]: the RBA-enabled directory server determines that a risk of fraud in the transaction is below a regulated risk threshold established by the regulatory entity by comparing the risk score to the regulated risk threshold; and Paragraph [0039, lines 2-7]: In the example embodiment, in the case of a high risk transaction, the authentication platform may deny the transaction. The authentication platform may transmit an authentication response (ARes) message including the denial to the 3DS server).
The combination of Gosset and Jones does not expressly teach the server is further caused to receive, by a risk-based authentication (RBA) system, [the dataset including the user data and the device data], generate, with the RBA system, a second response [based on the dataset] and a set of defined rules, the second response including an RBA score representing an aggregation of scores generated by the defined rules when triggered by [the dataset, and generate the authentication denial response for the authentication request based on the ML score and/or the RBA score].
However Djosic teaches the server is further caused to receive, by a risk-based authentication (RBA) system, [the dataset including the user data and the device data], generate, with the RBA system, a second response [based on the dataset] and a set of defined rules, the second response including an RBA score representing an aggregation of scores generated by the defined rules when triggered by [the dataset, and generate the authentication denial response for the authentication request based on the ML score and/or the RBA score] (Djosic – [Col. 5, lines 62-67 – Col. 6, lines 1-3]: Risk level at each block is estimated by the supervised machine learning (ML) processes. We create classification algorithms on training data, and we pass real data through the model. The outcome is the risk level i.e., low, medium, high, severe. In this process, data such as fraud profiles, activity profiles, user's info, static rules, are analyzed with real-time user's attributes. The system is supervised machine learning that naturally improves itself over time when more data is added into the training set; [Col. 5, lines 18-24]: In some embodiments, a risk scoring module calculates the risk of an activity based on various sources of information such as IP address, user agent string, language, display resolution, login time, evercookies, canvas fingerprinting, mouse and keystroke dynamics, field login attempts, WebRTC, counting hosts behind NAT, ad blocker detection, etc; and [Col. 6, lines 18-24]: A traditional DE receives a risk score, examines which security options are available, and decides what action to take. For example, as shown in FIG. 3A, three risk scores RS.sub.α, RS.sub.β, RS.sub.γ are provided to the DE, where RS.sub.β, RS.sub.γ may be optional. The optional value will be set to 0 if it is not passed in. The DE trains a voting system to learn the weights for the three risk scores and calculates the final risk score).
It would have been obvious to one having ordinary skill in the art before the effective filling date of the claimed invention to modify the combination of Gosset and Jones, further incorporating Djosic to arrive at the claimed invention. One would be motivated to incorporate Djosic’s teachings into the combination of Gosset and Jones’s invention to allow authentication risk-based systems to perform authorization actions based on a plurality of risk scores; see Jones [Col. 1, lines 22-42].
Regarding Claim 6:
The combination of Gosset, Jones, and Djosic teaches the server of claim 5.
Gosset further teaches wherein the threshold is a first threshold, (Gosset – Paragraph [0025, lines 15-19]: the RBA-enabled directory server determines that a risk of fraud in the transaction is below a regulated risk threshold established by the regulatory entity by comparing the risk score to the regulated risk threshold)
generate the authentication denial response for the authentication request in response to the ML score being greater than the first threshold and/or the RBA score being greater than the second threshold (Gosset – Paragraph [0114, lines 1-5]: authentication system 600 includes an RBA-enabled directory server 610 communicatively coupled to a RBA engine 612 (which may be collectively referred to as an authentication platform 614); Paragraph [0055, lines 1-4]: In the example embodiment, the authentication platform performs the authentication process on the transaction, including RBA. This analysis is based on a machine learning model; Paragraph [0033, lines 1-4]: the RBA result data generated by the RBA engine includes a risk score, a risk analysis, and at least one reason code. The risk score is a score representing a determined riskiness of the transaction; Paragraph [0025, lines 15-19]: the RBA-enabled directory server determines that a risk of fraud in the transaction is below a regulated risk threshold established by the regulatory entity by comparing the risk score to the regulated risk threshold; and Paragraph [0039, lines 2-7]: In the example embodiment, in the case of a high risk transaction, the authentication platform may deny the transaction. The authentication platform may transmit an authentication response (ARes) message including the denial to the 3DS server).
Djosic further teaches [wherein the threshold is a first threshold,] and the server is further caused to compare the RBA score to a second threshold [and generate the authentication denial response for the authentication request in response to the ML score being greater than the first threshold and/or the RBA score being greater than the second threshold] (Djosic – [Col. 6, lines 43-46]: The threshold controls actions that a DE may take, i.e., making an optional authentication step mandatory or vice versa. At each level, the DE will make the decision based on the risk score for that level; and [Col. 6, lines 50-51]: The DE threshold can be set and altered either manually by operators or automatically by the system).
The motivation to combine the arts is the same as that of Claim 5.
Regarding Claim 13:
The combination of Gosset and Jones teaches the method of claim 11.
Jones further teaches wherein the response generated by the plurality of ML models is a first response, (Jones – [Col. 10, lines 24-27]: Once access prediction service 285 receives features from signal node 223, access prediction service provides those features to ML models 295 and receives a risk score)
the method further comprises receiving, [by a risk-based authentication (RBA) system,] the dataset including the user data and the device data, [and generating, with the RBA system, a second response] based on the dataset [and a set of defined rules, the second response including an RBA score representing an aggregation of scores generated by the defined rules when triggered by] the dataset, (Jones – [Col. 5, lines 9-19]: A context is a set of access attempt features that can be used to characterize an authentication request. Context can be determined from data headers or other surrounding information related to the authentication request. Data header can include information such as IP address, ports, host, user-agent, and other information that can be obtained from headers at any network level. Surrounding information can include the time the authentication request was received, the userID and password being sent with the authentication request, and other metadata or data related to the request; and [Col. 10, lines 24-27]: Once access prediction service 285 receives features from signal node 223, access prediction service provides those features to ML models 295 and receives a risk score).
Gosset further teaches and generating the authentication denial response for the authentication request based on the ML score and/or the RBA score (Gosset – Paragraph [0114, lines 1-5]: authentication system 600 includes an RBA-enabled directory server 610 communicatively coupled to a RBA engine 612 (which may be collectively referred to as an authentication platform 614); Paragraph [0055, lines 1-4]: In the example embodiment, the authentication platform performs the authentication process on the transaction, including RBA. This analysis is based on a machine learning model; Paragraph [0033, lines 1-4]: the RBA result data generated by the RBA engine includes a risk score, a risk analysis, and at least one reason code. The risk score is a score representing a determined riskiness of the transaction; Paragraph [0025, lines 15-19]: the RBA-enabled directory server determines that a risk of fraud in the transaction is below a regulated risk threshold established by the regulatory entity by comparing the risk score to the regulated risk threshold; and Paragraph [0039, lines 2-7]: In the example embodiment, in the case of a high risk transaction, the authentication platform may deny the transaction. The authentication platform may transmit an authentication response (ARes) message including the denial to the 3DS server).
The combination of Gosset and Jones does not expressly teach [wherein the response generated by the plurality of ML models is a first response, the method further comprises receiving,] by a risk-based authentication (RBA) system, [the dataset including the user data and the device data], and generating, with the RBA system, a second response [based on the dataset] and a set of defined rules, the second response including an RBA score representing an aggregation of scores generated by the defined rules when triggered by [the dataset, and generating the authentication denial response for the authentication request includes generating the authentication denial response based on the ML score and/or the RBA score].
However Djosic teaches wherein the response generated by the plurality of ML models is a first response, the method further comprises receiving, by a risk-based authentication (RBA) system, [the dataset including the user data and the device data], and generating, with the RBA system, a second response [based on the dataset] and a set of defined rules, the second response including an RBA score representing an aggregation of scores generated by the defined rules when triggered by [the dataset, and generating the authentication denial response for the authentication request includes generating the authentication denial response based on the ML score and/or the RBA score] (Djosic – [Col. 5, lines 62-67 – Col. 6, lines 1-3]: Risk level at each block is estimated by the supervised machine learning (ML) processes. We create classification algorithms on training data, and we pass real data through the model. The outcome is the risk level i.e., low, medium, high, severe. In this process, data such as fraud profiles, activity profiles, user's info, static rules, are analyzed with real-time user's attributes. The system is supervised machine learning that naturally improves itself over time when more data is added into the training set; [Col. 5, lines 18-24]: In some embodiments, a risk scoring module calculates the risk of an activity based on various sources of information such as IP address, user agent string, language, display resolution, login time, evercookies, canvas fingerprinting, mouse and keystroke dynamics, field login attempts, WebRTC, counting hosts behind NAT, ad blocker detection, etc; and [Col. 6, lines 18-24]: A traditional DE receives a risk score, examines which security options are available, and decides what action to take. For example, as shown in FIG. 3A, three risk scores RS.sub.α, RS.sub.β, RS.sub.γ are provided to the DE, where RS.sub.β, RS.sub.γ may be optional. The optional value will be set to 0 if it is not passed in. The DE trains a voting system to learn the weights for the three risk scores and calculates the final risk score).
It would have been obvious to one having ordinary skill in the art before the effective filling date of the claimed invention to modify the combination of Gosset and Jones, further incorporating Djosic to arrive at the claimed method. One would be motivated to incorporate Djosic’s teachings into the combination of Gosset and Jones’s method to allow authentication risk-based systems to perform authorization actions based on a plurality of risk scores; see Jones [Col. 1, lines 22-42].
Regarding Claim 14:
The combination of Gosset, Jones, and Djosic teaches the method of claim 13.
Gosset further teaches wherein the threshold is a first threshold, (Gosset – Paragraph [0025, lines 15-19]: the RBA-enabled directory server determines that a risk of fraud in the transaction is below a regulated risk threshold established by the regulatory entity by comparing the risk score to the regulated risk threshold)
and generating the authentication denial response for the authentication request includes generating the authentication denial response in response to the ML score being greater than the first threshold and/or the RBA score being greater than the second threshold (Gosset – Paragraph [0114, lines 1-5]: authentication system 600 includes an RBA-enabled directory server 610 communicatively coupled to a RBA engine 612 (which may be collectively referred to as an authentication platform 614); Paragraph [0055, lines 1-4]: In the example embodiment, the authentication platform performs the authentication process on the transaction, including RBA. This analysis is based on a machine learning model; Paragraph [0033, lines 1-4]: the RBA result data generated by the RBA engine includes a risk score, a risk analysis, and at least one reason code. The risk score is a score representing a determined riskiness of the transaction; Paragraph [0025, lines 15-19]: the RBA-enabled directory server determines that a risk of fraud in the transaction is below a regulated risk threshold established by the regulatory entity by comparing the risk score to the regulated risk threshold; and Paragraph [0039, lines 2-7]: In the example embodiment, in the case of a high risk transaction, the authentication platform may deny the transaction. The authentication platform may transmit an authentication response (ARes) message including the denial to the 3DS server).
Djosic further teaches [wherein the threshold is a first threshold,] the method further comprises comparing the RBA score to a second threshold, [and generating the authentication denial response for the authentication request includes generating the authentication denial response in response to the ML score being greater than the first threshold and/or the RBA score being greater than the second threshold] (Djosic – [Col. 6, lines 43-46]: The threshold controls actions that a DE may take, i.e., making an optional authentication step mandatory or vice versa. At each level, the DE will make the decision based on the risk score for that level; and [Col. 6, lines 50-51]: The DE threshold can be set and altered either manually by operators or automatically by the system).
The motivation to combine the arts is the same as that of Claim 13.
12. Claim(s) 9, 16, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Gosset (US Pub. No. 20190392450 A1) in view of Jones (US Patent No. 12452282 B2), and further in view of Hernandez (US Pub. No. 20210073819 A1).
Regarding Claim 9:
The combination of Gosset and Jones teaches the server of claim 8.
Jones further teaches wherein the server is further caused [to compare, by a fraud research system,] the output generated by the plurality of rule-based fraud detection algorithms and the response generated by the plurality of ML models, and train the plurality of ML models [based on the comparison of] the output and the response (Jones – [Col. 17, lines 1-4]: FIG. 4. illustrates a block diagram of several example rule-based heuristics that can signal anomaly. Diagram 400 includes authentication attempt features 411 and rule-based heuristics 419; [Col. 18, lines 26-28]: Heuristic risk score aggregation process 510 performs a max function on a heuristic score array that stores the risk sub-scores from each individual rule-based heuristic; [Col. 10, lines 24-27]: Once access prediction service 285 receives features from signal node 223, access prediction service provides those features to ML models 295 and receives a risk score; and [Col. 2, lines 28-30]: train Machine Learning (ML) models based on the features of an authentication journey)
The combination of Gosset and Jones does not expressly teach wherein the server is further caused to compare, by a fraud research system, [the output generated by the plurality of rule-based fraud detection algorithms and the response generated by the plurality of ML models, and train the plurality of ML models] based on the comparison of [the output and the response].
However, Hernandez teaches wherein the server is further caused to compare, by a fraud research system, [the output generated by the plurality of rule-based fraud detection algorithms and the response generated by the plurality of ML models, and train the plurality of ML models] based on the comparison of [the output and the response] (Hernandez – Paragraph [0083, lines 20-27]: In this example, the threat tool 225 can improve fraud monitoring processes by providing means for the monitoring system 200 to compare monitored activities to known fraudulent, or otherwise security policy-violating, activities. In another example, the threat tool 225 can receive blacklists comprising IP addresses, locations, and/or other data with which historical fraud events are associated; and Paragraph [0116, lines 7-10]: In this example, the output of the machine learning model can be compared to the known output and, based on the comparison, an accuracy or error metric can be computed).
It would have been obvious to one having ordinary skill in the art before the effective filling date of the claimed invention to modify the combination of Gosset and Jones, further incorporating Hernandez to arrive at the claimed invention. One would be motivated to incorporate Hernandez’s teachings into the combination of Gosset and Jones’s invention to allow for a bi-directional data feed between fraud detection systems to improve identification efficacy and allow for corrective and/or preventative modifications to improve future fraud detection processes; see Hernandez Paragraph [0010, lines 1-8].
Regarding Claim 16:
The combination of Gosset and Jones teaches the method of claim 15.
Jones further teaches wherein generating the response [includes populating a table] with each individual score [and corresponding fraud type], and generating the response [to include the table] (Jones – [Col. 10, lines 24-27]: Once access prediction service 285 receives features from signal node 223, access prediction service provides those features to ML models 295 and receives a risk score; [Col. 18, lines 12-14]: FIG. 5A and FIG. 5B list example code for an ensemble approach to obtaining a risk score that combines autoencoding models, clustering models and rule-based heuristics)
Gosset further teaches [wherein generating the response includes populating a table with each individual score] and corresponding fraud type, [and generating the response to include the table] (Gosset – Paragraph [0114, lines 1-5]: authentication system 600 includes an RBA-enabled directory server 610 communicatively coupled to a RBA engine 612 (which may be collectively referred to as an authentication platform 614); Paragraph [0055, lines 1-4]: In the example embodiment, the authentication platform performs the authentication process on the transaction, including RBA. This analysis is based on a machine learning model; Paragraph [0051, lines 15-20]: The authentication data may also be divided by category, such as: transaction data (amount, currency, date, and time), device data (IP address, device info, and channel data), cardholder data (account number and shipping address), and merchant data (name, category, and country); Paragraph [0032, lines 1-6]: [0032] The RBA-enabled directory server receives an authentication request (AReq) message from a 3DS server; Paragraph [0031, lines 1-7]: Specifically, in the systems and methods described herein, the authentication system uses the 3DS 2 Protocol (or subsequent versions of the 3DS Protocol) for authentication, and performs RBA on transactions to determine when the transaction may avoid SCA and when SCA is mandated based on the regulator-configured threshold value and risk value; Paragraph [0115, lines 4-6]: RBA-enabled directory server 610 transmits at least some of the data in the AReq message (e.g., the authentication data) to RBA engine 612; Paragraph [0118, lines 1-6]: the RBA result data generated by RBA engine 612 includes a risk score, a risk analysis, and at least one reason code. The risk score is a score representing a determined riskiness of the transaction, with lower scores indicating lower risk and higher scores indicating higher risk; Paragraph [0034, lines 3-4]: Further the reason codes include one or more factors that influenced the risk score; Paragraph [0120, lines 5-9]: Based on the analysis of the data in the AReq message, RBA engine 612 may activate one or more anchors. The reason codes are then generated based on which anchors (and how many anchors) are activated; and Paragraph [0127, lines 1-2] The following Table 3 lists of number of example reason codes; Examiner’s Notes: Table 3 of Gosset shows reason code C corresponds to a device or profile associated with fraud, reason code F corresponds to a fraud being detected in the PAN that is used for a transaction, and reason code H corresponds to a merchant submitting transactions with a high fraud rate)
The combination of Gosset and Jones does not expressly teach [wherein generating the response] includes populating a table [with each individual score and corresponding fraud type, and generating the response] to include the table.
However, Hernandez teaches [wherein generating the response] includes populating a table [with each individual score and corresponding fraud type, and generating the response] to include the table. (Hernandez – Paragraph [0083, lines 20-27]: The cyber-fraud portal 233 can generate and/or cause the display of interactive summary charts and tables of potentially fraudulent events detected by the present system (e.g., in response to monitoring a customer system with respect to one or more triggers); Paragraph [0126]: The user interface 901 can include a log 903 comprising various detected events and/or alerts generated based on the detection of an event (e.g., potentially fraudulent activities)).
It would have been obvious to one having ordinary skill in the art before the effective filling date of the claimed invention to modify the combination of Gosset and Jones, further incorporating Hernandez to arrive at the claimed method. One would be motivated to incorporate Hernandez’s teachings into the combination of Gosset and Jones’s method to allow for a bi-directional data feed between fraud detection systems to improve identification efficacy and allow for corrective and/or preventative modifications to improve future fraud detection processes; see Hernandez Paragraph [0010, lines 1-8].
Regarding Claim 18:
The combination of Gosset and Jones teaches the method of claim 17.
Jones further teaches wherein the method further comprises [comparing, by a fraud research system,] the output generated by the plurality of rule-based fraud detection algorithms and the response generated by the plurality of ML models, and training the plurality of ML models includes training the plurality of ML models [based on the comparison of] the output and the response (Jones – [Col. 17, lines 1-4]: FIG. 4. illustrates a block diagram of several example rule-based heuristics that can signal anomaly. Diagram 400 includes authentication attempt features 411 and rule-based heuristics 419; [Col. 10, lines 24-27]: Once access prediction service 285 receives features from signal node 223, access prediction service provides those features to ML models 295 and receives a risk score; and [Col. 2, lines 28-30]: train Machine Learning (ML) models based on the features of an authentication journey)
The combination of Gosset and Jones does not expressly teach wherein the method further comprises comparing, by a fraud research system, [the output generated by the plurality of rule-based fraud detection algorithms and the response generated by the plurality of ML models, and training the plurality of ML models includes training the plurality of ML models] based on the comparison of [the output and the response].
However, Hernandez teaches the method further comprises comparing, by a fraud research system, [the output generated by the plurality of rule-based fraud detection algorithms and the response generated by the plurality of ML models, and training the plurality of ML models includes training the plurality of ML models] based on the comparison of [the output and the response] (Hernandez – Paragraph [0083, lines 20-27]: In this example, the threat tool 225 can improve fraud monitoring processes by providing means for the monitoring system 200 to compare monitored activities to known fraudulent, or otherwise security policy-violating, activities. In another example, the threat tool 225 can receive blacklists comprising IP addresses, locations, and/or other data with which historical fraud events are associated; and Paragraph [0116, lines 7-10]: In this example, the output of the machine learning model can be compared to the known output and, based on the comparison, an accuracy or error metric can be computed)
The motivation to combine the arts is the same as that of Claim 16.
Conclusion
13. The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Butvinik (US Pub. No. 20250029106 A1) teaches a rule training system that generates machine learning rules for fraud detection.
Hegde (US Pub. No. 20240428252 A1) teaches a system that has a routing ML model that computes where to send a potential fraud out of a multitude of fraud-detection ML models.
Smets (US Pub. No. 20240176857 A1) teaches a system that uses risk-based analysis when authenticating a payment through biometric data.
Siddens (US Patent No. 12386929 B2) teaches a system that analyzes an access request based on a plurality of authentication protocols.
14. Any inquiry concerning this communication or earlier communications from the examiner should be directed to NATHANIEL C SKIRVIN whose telephone number is (571)272-9798. The examiner can normally be reached Monday-Friday 8-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin Chin Shaw can be reached at (571) 272-8878. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/NATHANIEL CHRISTIAN SKIRVIN/Examiner, Art Unit 2498
/YIN CHEN SHAW/Supervisory Patent Examiner, Art Unit 2498