Prosecution Insights
Last updated: July 17, 2026
Application No. 18/921,703

DETECTION OF ABNORMAL ACCESS BEHAVIOR BASED ON MACHINE LEARNING

Final Rejection §102§103
Filed
Oct 21, 2024
Examiner
IDOWU, OLUGBENGA O
Art Unit
2494
Tech Center
2400 — Computer Networks
Assignee
Tp-Link Systems Inc.
OA Round
2 (Final)
71%
Grant Probability
Favorable
3-4
OA Rounds
1y 6m
Est. Remaining
90%
With Interview

Examiner Intelligence

Grants 71% — above average
71%
Career Allowance Rate
464 granted / 650 resolved
+13.4% vs TC avg
Strong +19% interview lift
Without
With
+19.1%
Interview Lift
resolved cases with interview
Typical timeline
3y 3m
Avg Prosecution
25 currently pending
Career history
677
Total Applications
across all art units

Statute-Specific Performance

§101
0.5%
-39.5% vs TC avg
§103
82.5%
+42.5% vs TC avg
§102
14.8%
-25.2% vs TC avg
§112
0.5%
-39.5% vs TC avg
Black line = Tech Center average estimate • Based on career data from 650 resolved cases

Office Action

§102 §103
DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Response to Arguments Applicant's arguments filed 4/20/2026 have been fully considered but they are not persuasive. Applicant argues that Pegna does not disclose that only a part of the data is used to initialize the clustering. As seen in Pegna [0021], a training stage creates a cluster map for a number of network events. Pegna in [0023] further teaches detecting anomalies when received data deviates based on a known threshold. Hence it is obvious that Pegna implements a training stage for creating clusters and uses the clusters to detect deviations. These deviations are analogous to the required steps of partitioning data as these deviations separate expected and suspicious behaviors. Applicant also argues about improving accuracy of the access behavior model but there is no mention of this improvement in the claims. Claim Rejections - 35 USC § 102 The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action: A person shall be entitled to a patent unless – (a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention. Claim(s) 1, 3– 9 and 11-14 and 16-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Pegna, publication number: US 2016/0149936. As per claims 1 and 20, Pegna teaches a method for detecting abnormal access behavior based on machine learning, comprising: obtaining log files stored with access records to create a data set based on the log files (Network traffic as input to cluster engine, [0035] Fig. 4, Fig. 5C, Fig. 7B); processing the data set as a set of access behavior sequences (Mapping network events, [0036]); clustering feature vectors of a portion of access behavior sequences in the set of access behavior sequences based on a clustering algorithm in the machine learning and using a centroid of a cluster as a basis for dividing the feature vectors to construct an access behavior recognition model (clustering based on centroids, [0038-0039], cluster engine training, [0021]); and automatically recognizing whether an access behavior is the abnormal access behavior through the access behavior recognition model (Activating an alarm based on comparing client data to a threshold, [0052]) wherein constructing the access behavior recognition model comprising: clustering the feature vectors of the portion of access behavior sequences using the clustering algorithm to obtain an initial clustering model containing a plurality of clusters; and clustering feature vectors of other access behavior sequences in the set of access behavior sequences into a corresponding cluster of the plurality of clusters based on a centroid of each cluster of the plurality of clusters to obtain the access behavior recognition model (different clusters, [0021], detecting suspicious activities, [0023], clustering and new activities, [0041-0042]). As per claim 3, Pegna teaches wherein constructing the access behavior recognition model further comprising: calculating the similarity between the feature vectors of the portion of access behavior sequences to cluster the feature vectors of the portion of access behavior sequences to obtain the initial clustering model containing the plurality of clusters; for the each cluster, obtaining the centroid of the each cluster by calculating an average value of feature vectors in the each cluster; obtaining a centroid   corresponding to a minimum value by calculating the minimum value of similarity between the feature vectors of other access behavior sequences and the centroid of the each clu PNG media_image1.png 31 47 media_image1.png Greyscale ster; comparing the centroid corresponding to the PNG media_image1.png 31 47 media_image1.png Greyscale minimum value with PNG media_image2.png 31 9 media_image2.png Greyscale a clustering threshold; and adjusting the initial clustering model based on a comparison result (dynamic updating and thresholds, [0034]). As per claim 4, Pegna teaches wherein calculating the similarity between the feature vectors of the portion of access behavior sequences comprising: calculating the similarity between the feature vectors of the portion of access behavior sequences to cluster the feature vectors of the portion of access behavior sequences by the following formula: S i m i l a r i t y v i ,   v j = 1 - v i ⋅ v j | | v i | | ⋅ | | v j | | where PNG media_image3.png 31 32 media_image3.png Greyscale | | ⋅ | | is a l 2 norm, PNG media_image4.png 31 14 media_image4.png Greyscale v i representing the feature vector of the i-th access behavior sequence, v j representing the feature vector of the j-th access behavior sequence, where i , j = 1,2 , ⋅ ⋅ ⋅ , m PNG media_image5.png 31 93 media_image5.png Greyscale , and m is the total number of access behavior sequences (Comparing distances, [0044-0046], Fig. 7B). As per claim 5, Pegna teaches wherein adjusting the initial clustering model based on the comparison result comprising: in response to the centroid corresponding to the minimum value is greater than or equal to the clusteri PNG media_image2.png 31 9 media_image2.png Greyscale ng threshold, increasing the PNG media_image6.png 31 50 media_image6.png Greyscale number of clusters by 1; and in response to the centroid corresponding to the minimum value is smaller than the clusteri PNG media_image2.png 31 9 media_image2.png Greyscale ng threshold, adding the corresponding feature vector among the feature vectors of other access behavior sequences into the corresponding cluster, and updating the centroid corresponding to the minimum value (Updating signature, [0034]). As per claim 6, Pegna teaches wherein updating the centroid corresponding to the minimum value by the following formula: r e p m i n = r e p m i n + v i - r e p m i n | C l u s t e r ( r e p m i n ) | wherein r e p m i n represents a c PNG media_image1.png 31 47 media_image1.png Greyscale entroid corresponding to the minimum value, v i represents a feature vector among the feature vectors of other access behavior sequences, and C l u s t e r ( r e p m i n ) represents the obtained cluster correspo PNG media_image1.png 31 47 media_image1.png Greyscale nding to r e p m i n (Updating centroid, [0041]). As per claim 7, Pegna teaches wherein recognizing whether an access behavior is the abnormal access behavior comprising: for a current time, PNG media_image7.png 31 32 media_image7.png Greyscale obtaining an access log file within a time period before and after the current time; generating a set of access behavior sequences corresponding to the access log file in the time period; calculating a feature vector for each access behavior sequence in the set of access behavior sequences corresponding to the access log file; calculating a minimum value of similarity between the feature vector and all centroids of the access behavior recognition model to determine a cluster to which the feature vector belongs and the corresponding centroid; calculating a distance between the feature vector and the corresponding centroid based on a distance algorithm to obtain a minimum distance value; and comparing the minimum distance value with a predefined threshold, to recognize whether an access behavior is the abnormal access behavior (comparing point 702 to 508, 510 and 512, Fig. 7B, [0046], threshold, [0052]). As per claim 8, Pegna teaches wherein recognizing whether an access behavior is the abnormal access behavior further comprising: in response to the minimum distance value is greater than the predefined threshold, the access behavior recognition model recognizes the access behavior corresponding to the feature vector as the abnormal access behavior; and in response to the minimum distance value is less than or equal to the predefined threshold, the access behavior recognition model recognizes the access behavior corresponding to the feature vector as a normal access behavior (Triggering alarm based on threshold, Fig. 6, [0052]). As per claim 9, Pegna teaches further comprising: in response to the access behavior recognition model recognizes the abnormal access behavior, analyzing a log file corresponding to the abnormal access behavior and performing a risk rating on the abnormal access behavior to alarm based on the risk rating (Alarm based on threshold, [0052]). As per claim 11, Pegna teaches wherein processing the data set as a set of access behavior sequences comprising: extracting information of specified fields indicating an access behavior of a user from the data set to generate the set of access behavior sequences based on the extracted information (Client event input 612, [0048]). As per claim 12, Pegna teaches wherein the method is applicable to all data centers, including internal data centers and hosted data centers (Application server 206, Fig. 2A, [0027-0028]). As per claim 13, Pegna teaches wherein the machine learning is based on an unsupervised learning algorithm (Training, [0021]). Claims 14 and 16 – 19 are rejected based on claims 1,3, 5 and 7-8 Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claim(s) 10 is rejected under 35 U.S.C. 103 as being unpatentable over Pegna, publication number: US 2016/0149936 in view of Sasaki, publication number: US 2021/0232687. As per claim 10, Pegna teaches clustering network data for determining anomalies. Pegna does not teach wherein performing a risk rating on the abnormal access behavior to alarm based on the risk rating comprising: extracting an event and a corresponding resource from the log file corresponding to the abnormal access behavior, wherein the event is divided into a high-level event, a medium-level event, and a low-level event, and the resource is divided into a risk resource and a safe resource; wherein in response to the extracted event includes the high-level event and the corresponding resource is the risk resource, the abnormal access behavior is defined as a high-risk behavior; in response to the extracted event includes the high-level event and the corresponding resource is the safe resource, or the extracted event includes the medium-level event and the corresponding resource is the risk resource, the abnormal access behavior is defined as a medium-risk behavior, and in response to the extracted event includes the medium-level event and the corresponding resource is the safe resource, or the extracted event includes the low-level event, the abnormal access behavior is defined as a low-risk behavior. In an analogous art, Sasaki teaches wherein performing a risk rating on the abnormal access behavior to alarm based on the risk rating comprising: extracting an event and a corresponding resource from the log file corresponding to the abnormal access behavior, wherein the event is divided into a high-level event, a medium-level event, and a low-level event, and the resource is divided into a risk resource and a safe resource; wherein in response to the extracted event includes the high-level event and the corresponding resource is the risk resource, the abnormal access behavior is defined as a high-risk behavior; in response to the extracted event includes the high-level event and the corresponding resource is the safe resource, or the extracted event includes the medium-level event and the corresponding resource is the risk resource, the abnormal access behavior is defined as a medium-risk behavior, and in response to the extracted event includes the medium-level event and the corresponding resource is the safe resource, or the extracted event includes the low-level event, the abnormal access behavior is defined as a low-risk behavior (calculating risks based on resource ratings and event rating, Fig. 2, Fig. 7A-G[0068][0127][0147]). Therefore, it would have been obvious to one of ordinary skill in the art, prior to the effective filing date of the claimed invention to modify Pegna’s clustering system to include a detailed risk calculation system as described in Sasaki’s cyber attack system for the advantage of reducing false positives and hence reducing the processing burden on the system. Conclusion THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to OLUGBENGA O IDOWU whose telephone number is (571)270-1450. The examiner can normally be reached Monday-Friday 8am - 5pm. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung Kim can be reached at 5712723804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /OLUGBENGA O IDOWU/ Primary Examiner, Art Unit 2494
Read full office action

Prosecution Timeline

Oct 21, 2024
Application Filed
Jan 28, 2026
Non-Final Rejection mailed — §102, §103
Apr 20, 2026
Response Filed
Jun 18, 2026
Final Rejection mailed — §102, §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12670410
PRIVACY ENHANCED FEDERATED TRAINING AND INFERENCE OVER VERTICALLY AND HORIZONTALLY PARTITIONED DATA
3y 4m to grant Granted Jun 30, 2026
Patent 12665777
BLOCKCHAIN-BASED DATA PROCESSING METHOD AND APPARATUS, DEVICE, MEDIUM, AND PRODUCT
2y 7m to grant Granted Jun 23, 2026
Patent 12659166
BIOSECURITY CONTROL SYSTEM BASED ON BLOCKCHAIN TECHNOLOGY FOR REGULATION AND MONITORING THE PRINTING OF GENETIC SEQUENCES
2y 0m to grant Granted Jun 16, 2026
Patent 12652181
MANAGEMENT SYSTEM, CONTENT MANAGEMENT METHOD, AND STORAGE MEDIUM FOR MANAGING CONTENT DATA USING BLOCKCHAIN
2y 5m to grant Granted Jun 09, 2026
Patent 12634145
CRYPTOGRAPHIC TRUST SYSTEM FOR ELECTRONIC COMMUNICATIONS INTEGRITY USING TUPLE SPACES AND MESSAGING USER AGENTS
2y 4m to grant Granted May 19, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

3-4
Expected OA Rounds
71%
Grant Probability
90%
With Interview (+19.1%)
3y 3m (~1y 6m remaining)
Median Time to Grant
Moderate
PTA Risk
Based on 650 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month