Prosecution Insights
Last updated: July 17, 2026
Application No. 19/014,159

DETECTING MALICIOUS ACTIVITY USING USER-SPECIFIC PARAMETERS

Non-Final OA §103
Filed
Jan 08, 2025
Priority
Sep 29, 2023 — CIP of 18/374,906 +1 more
Examiner
CHAMPAKESAN, BADRI NARAYANAN
Art Unit
Tech Center
Assignee
Citibank, N.A.
OA Round
1 (Non-Final)
91%
Grant Probability
Favorable
1-2
OA Rounds
10m
Est. Remaining
99%
With Interview

Examiner Intelligence

Grants 91% — above average
91%
Career Allowance Rate
351 granted / 385 resolved
+31.2% vs TC avg
Strong +56% interview lift
Without
With
+55.6%
Interview Lift
resolved cases with interview
Typical timeline
2y 4m
Avg Prosecution
13 currently pending
Career history
394
Total Applications
across all art units

Statute-Specific Performance

§101
1.0%
-39.0% vs TC avg
§103
90.5%
+50.5% vs TC avg
§102
4.9%
-35.1% vs TC avg
§112
2.3%
-37.7% vs TC avg
Black line = Tech Center average estimate • Based on career data from 385 resolved cases

Office Action

§103
Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Information Disclosure Statement The information disclosure statement (IDS) submitted is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner. Note: The claims are patent eligible as the concept integrates into a practical utility to determine if user activity is malicious. Double Patenting The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969). A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13. The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer. Claims 1 – 20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims of U.S. Patent No. 12225026. Although the claims at issue are not identical, they are not patentably distinct from each other because the instant application claims are anticipated by patent claims as shown below. Instant App. 19014159 Patent #: 12225026 1. A system for using user-specific parameters to detect malicious activity in an interaction, the system comprising:a storage device; andone or more processors communicatively coupled to the storage device storing instructions thereon, that cause the one or more processors to: receive user action data representing user actions for a plurality of users relative to a plurality of applications; generate, using first user action data and without using other user action data representing other user actions for other users of the plurality of users, a plurality of parameters specific to a first user for determining whether interactions of the first user represent malicious activity;receive, for the first user, a request for a pending interaction with a particular application of the plurality of applications;providing, to a first user model, the pending interaction to cause the first user model to generate a plurality of parameter identifiers identifying a set of parameters within the plurality of parameters, wherein the set of parameters for identifying malicious activity, wherein the first user model is trained for the first user using the first user action data and without using the other user action data;determining whether the set of parameters matches a set of interaction parameters associated with the pending interaction; andbased on determining that the set of parameters matches the set of interaction parameters, determining that the pending interaction is malicious. 2. The system of claim 1, wherein the instructions for generating the plurality of parameters specific to the first user further cause the one or more processors to:input, into a parameter generating machine learning model, the first user action data to cause the parameter generating machine learning model to generate the plurality of parameters Page 1specific to the first user, wherein the parameter generating machine learning model is trained to generate user-specific parameters based on particular user action data relating to a particular user; andreceive, from the parameter generating machine learning model, the plurality of parameters. 3. The system of claim 1, wherein the instructions further cause the one or more processors to:determine that the first user model corresponds to the first user of the plurality of users;and provide, to the first user model, the first user action data without providing the other user action data to train the first user model to generate parameter identifiers identifying sets of parameters for the first user based on pending interactions. 4. The system of claim 1, wherein the instructions further cause the one or more processors to:receive, from the first user model, the plurality of parameter identifiers identifying the set of parameters; andextract, from parameter storage using the plurality of parameter identifiers, the set of parameters associated with the first user of the plurality of users, wherein the parameter storage stores the plurality of parameters specific to the first user and other pluralities of parameters associated with other users. 5. The system of claim 1, wherein the instructions further cause the one or more processors to determine, for the set of parameters, a corresponding set of interaction parameters, wherein the corresponding set of interaction parameters is extracted from the pending interaction that is received as part of the request. 6. The system of claim 5, wherein the instructions further cause the one or more processors to:determine that a number of parameters within the set of parameters matches the corresponding set of interaction parameters; determine a ratio of the number of parameters that matches the corresponding set of interaction parameters to a total number of parameters of the set of parameters; and based on determining that the ratio satisfies a threshold ratio, determine that the pending interaction is malicious. 7. The system of claim 6, wherein the instructions further cause the one or more processors to reject the pending interaction based on determining that the pending interaction is malicious. 8. The system of claim 1, wherein the instructions further cause the one or more processors to:extract, from the user action data, second user action data representing second user actions of a second user of the plurality of users;generate, using a parameter generating machine learning model with the second user action data, a new plurality of parameters specific to the second user for determining whether user interactions of the second user represent new malicious activity, wherein the parameter generating machine learning model is trained to generate user-specific parameters based on particular user action data relating to a particular user;receive, for the second user, a new request for a new pending interaction with an application of the plurality of applications;input, into a second user model, the pending interaction to cause the second user model to generate a new plurality of parameter identifiers identifying a new set of parameters within the new plurality of parameters, wherein the second user model is trained for the second user using the second user action data and without using the other user action data;perform, during pendency of the new pending interaction, a new comparison between a new plurality of corresponding parameter values associated with the new set of parameters and one or more new interaction values associated with the new pending interaction; andgenerate, based on the new comparison during the pendency of the new pending interaction, a new output indicating a new likelihood that the new request represents the new malicious activity. 9. A method comprising:receiving user action data representing user actions for a plurality of users relative to a plurality of applications;generating, using first user action data representing first user actions of a first user of the plurality of users, a plurality of parameters specific to the first user for determining whether interactions of the first user represent one or more malicious activities;receiving, for the first user, a request for a pending interaction with a particular application of the plurality of applications;providing, to a first user model, the pending interaction to cause the first user model to generate a plurality of parameter identifiers identifying a set of parameters within the plurality of parameters for identifying malicious activity, wherein the first user model is trained for the first user using the first user action data;determining whether the set of parameters matches set of interaction parameters associated with the pending interaction; andbased on determining that the set of parameters matches the set of interaction parameters, determining that the pending interaction is malicious. 10. The method of claim 9, wherein generating the plurality of parameters specific to the first user further comprises:inputting, into a parameter generating machine learning model, the first user action data to cause the parameter generating machine learning model to generate the plurality of parameters specific to the first user for determining whether the interactions of the first user represent the malicious activity, wherein the parameter generating machine learning model is trained to generate user-specific parameters based on particular user action data relating to a particular user; andreceiving, from the parameter generating machine learning model, the plurality of parameters. 11. The method of claim 9, further comprising:determining that the first user model corresponds to the first user of the plurality of users;and providing, to the first user model, the first user action data without providing other user action data to train the first user model to generate parameter identifiers identifying sets of parameters for the first user based on pending interactions. 12. The method of claim 9, wherein validating the request comprises:performing, during pendency of the pending interaction, a comparison between a plurality of corresponding parameter values associated with the set of parameters and one or more interaction values associated with the pending interaction; andgenerating, based on the comparison and during the pendency of the pending interaction, an output indicating a likelihood that the request represents the malicious activity. 13. The method of claim 9, further comprising:receiving, from the first user model, the plurality of parameter identifiers identifying the set of parameters; andextracting, from parameter storage using the plurality of parameter identifiers, the set of parameters associated with the first user of the plurality of users, wherein the parameter storage stores the plurality of parameters specific to the first user and other pluralities of parameters associated with other users. 14. The method of claim 9, wherein the set of parameters is more likely than a different set of parameters within the plurality of parameters to identify the malicious activity. 15. The method of claim 13, further comprising:determining that the pending interaction is malicious; andbased on determining that the pending interaction is malicious, rejecting the pending interaction. 16. One or more non-transitory, computer-readable media storing instructions that, when executed by one or more processors, cause operations comprising:receiving user action data representing user actions for a plurality of users relative to a plurality of applications;generating, using first user action data representing first user actions of a first user of the plurality of users, a plurality of parameters specific to the first user for determining whether interactions of the first user represent one or more malicious activities;receiving, for the first user, a request for a pending interaction with a particular application of the plurality of applications;providing, to a first user model, the pending interaction to cause the first user model to generate a plurality of parameter identifiers identifying a set of parameters within the plurality of parameters for identifying malicious activity, wherein the first user model is trained for the first user using the first user action data;determining whether the set of parameters matches set of interaction parameters associated with the pending interaction; andbased on determining that the set of parameters matches the set of interaction parameters, determining that the pending interaction is malicious. 17. The one or more non-transitory, computer-readable media of claim 16, wherein generating the plurality of parameters specific to the first user further comprises:inputting, into a parameter generating machine learning model, the first user action data to cause the parameter generating machine learning model to generate the plurality of parameters specific to the first user for determining whether the interactions of the first user represent the malicious activity, wherein the parameter generating machine learning model is trained to generate user-specific parameters based on particular user action data relating to a particular user; andreceiving, from the parameter generating machine learning model, the plurality of parameters. 18. The one or more non-transitory, computer-readable media of claim 16, further comprising:receiving, from the first user model, the plurality of parameter identifiers identifying the set of parameters; andextracting, from parameter storage using the plurality of parameter identifiers, the set of parameters associated with the first user of the plurality of users, wherein the parameter storage stores the plurality of parameters specific to the first user and other pluralities of parameters associated with other users. 19. The one or more non-transitory, computer-readable media of claim 18, further comprising:determining that the pending interaction is malicious; andbased on determining that the pending interaction is malicious, rejecting the pending interaction. 20. The one or more non-transitory, computer-readable media of claim 16, wherein the instructions further cause the one or more processors to determine, for the set of parameters, a corresponding set of interaction parameters, wherein the corresponding set of interaction parameters is extracted from the pending interaction that is received as part of the request. 1. A system for using user-specific parameters to detect malicious activity in an interaction, the system comprising: a storage device; and one or more processors communicatively coupled to the storage device storing instructions thereon, that cause the one or more processors to: receive user action data representing user actions for a plurality of users relative to a plurality of applications; extract, from the user action data, first user action data representing first user actions of a first user of the plurality of users; generate, using the first user action data and without using other user action data representing other user actions for other users of the plurality of users, a plurality of parameters specific to the first user for determining whether interactions of the first user represent malicious activity, wherein each parameter of the plurality of parameters comprises a corresponding parameter identifier and a corresponding parameter value; receive, for the first user, a request for a pending interaction with a particular application of the plurality of applications; input, into a first user model, the pending interaction to cause the first user model to generate a plurality of parameter identifiers identifying a set of parameters within the plurality of parameters, wherein the set of parameters is more likely than another set of parameters within the plurality of parameters to identify the malicious activity, and wherein the first user model is trained for the first user using the first user action data and without using the other user action data; and during pendency of the pending interaction: determine, for the set of parameters, a corresponding set of interaction parameters, wherein the corresponding set of interaction parameters is extracted from the pending interaction that is received as part of the request; determine whether the corresponding set of interaction parameters matches the set of parameters; and based on determining that the corresponding set of interaction parameters matches the set of parameters, determine that the pending interaction is malicious. 2. The system of claim 1, wherein the instructions for generating the plurality of parameters specific to the first user further cause the one or more processors to: input, into a parameter generating machine learning model, the first user action data to cause the parameter generating machine learning model to generate the plurality of parameters specific to the first user, wherein the parameter generating machine learning model is trained to generate user-specific parameters based on particular user action data relating to a particular user; and receive, from the parameter generating machine learning model, the plurality of parameters. 3. The system of claim 1, wherein the instructions further cause the one or more processors to: determine that the first user model corresponds to the first user of the plurality of users; and provide, to the first user model, the first user action data without providing the other user action data to train the first user model to generate parameter identifiers identifying sets of parameters for the first user based on pending interactions. 4. The system of claim 1, wherein the instructions further cause the one or more processors to: receive, from the first user model, the plurality of parameter identifiers identifying the set of parameters; and extract, from parameter storage using the plurality of parameter identifiers, the set of parameters associated with the first user of the plurality of users, wherein the parameter storage stores the plurality of parameters specific to the first user and other pluralities of parameters associated with other users. 5. (Cancelled) 6. The system of claim 4, wherein the instructions further cause the one or more processors to: determine that a number of parameters within the set of parameters matches the corresponding set of interaction parameters; determine a ratio of the number of parameters that matches the corresponding set of interaction parameters to a total number of parameters of the set of parameters; and based on determining that the ratio satisfies a threshold ratio, determine that the pending interaction is malicious. 7. The system of claim 6, wherein the instructions further cause the one or more processors to reject the pending interaction based on determining that the pending interaction is malicious. 8. The system of claim 1, wherein the instructions further cause the one or more processors to: extract, from the user action data, second user action data representing second user actions of a second user of the plurality of users; generate, using a parameter generating machine learning model with the second user action data, a new plurality of parameters specific to the second user for determining whether interactions of the second user represent new malicious activity, wherein the [[second]] parameter generating machine learning model is trained to generate user-specific parameters based on particular user action data relating to a particular user; receive, for the second user, a new request for a new pending interaction with an application of the plurality of applications; input, into a second user model, the pending interaction to cause the second user model to generate a new plurality of parameter identifiers identifying a new set of parameters within the new plurality of parameters, wherein the second user model is trained for the second user using the second user action data and without using the other user action data; perform, in real time during pendency of the new pending interaction, a new comparison between a new plurality of corresponding parameter values associated with the new set of parameters and one or more new interaction values associated with the new pending interaction; and generate, based on the new comparison and in real time during the pendency of the new pending interaction, a new output indicating a new likelihood that the new request represents the new malicious activity. 9. A method comprising: receiving user action data representing user actions for a plurality of users relative to a plurality of applications; generating, using first user action data representing first user actions of a first user of the plurality of users, a plurality of parameters specific to the first user for determining whether interactions of the first user represent malicious activity, wherein each parameter of the plurality of parameters comprises a corresponding parameter identifier and a corresponding parameter value; receiving, for the first user, a request for a pending interaction with a particular application of the plurality of applications; inputting, into a first user model, the pending interaction to cause the first user model to generate a plurality of parameter identifiers identifying a set of parameters within the plurality of parameters, wherein the set of parameters is more likely than another set of parameters within the plurality of parameters to identify the malicious activity, wherein the first user model is trained for the first user using the first user action data; and during pendency of the pending interaction: determining, for the set of parameters, a corresponding set of interaction parameters, wherein the corresponding set of interaction parameters is extracted from the pending interaction that is received as part of the request; determining whether the corresponding set of interaction parameters matches the set of parameters; and based on determining that the corresponding set of interaction parameters matches the set of parameters, determining that the pending interaction is malicious. 10. The method of claim 9, wherein generating the plurality of parameters specific to the first user further comprises: inputting, into a parameter generating machine learning model, the first user action data to cause the parameter generating machine learning model to generate the plurality of parameters specific to the first user for determining whether interactions of the first user represent malicious activity, wherein the parameter generating machine learning model is trained to generate user-specific parameters based on particular user action data relating to a particular user; and receiving, from the parameter generating machine learning model, the plurality of parameters. 11. The method of claim 9, further comprising: determining that the first user model corresponds to the first user of the plurality of users; and providing, to the first user model, the first user action data without providing other user action data to train the first user model to generate parameter identifiers identifying sets of parameters for the first user based on pending interactions. 12. The method of claim 9, wherein validating the request comprises: performing, in real time during pendency of the pending interaction, a comparison between a plurality of corresponding parameter values associated with the set of parameters and one or more interaction values associated with the pending interaction; and generating, based on the comparison and in real time during the pendency of the pending interaction, an output indicating [[the]] a likelihood that the request represents the malicious activity. 13. The method of claim 9, further comprising: receiving, from the first user model, the plurality of parameter identifiers identifying the set of parameters; and extracting, from parameter storage using the plurality of parameter identifiers, the set of parameters associated with the first user of the plurality of users, wherein the parameter storage stores the plurality of parameters specific to the first user and other pluralities of parameters associated with other users. 14. (Cancelled) 15. The method of claim 13, further comprising: determining that the pending interaction is malicious; and based on determining that the pending interaction is malicious, rejecting the pending interaction. 16. One or more non-transitory, computer-readable media storing instructions that, when executed by one or more processors, cause operations comprising: receiving user action data representing user actions for a plurality of users relative to a plurality of applications; generating, using first user action data representing first user actions of a first user of the plurality of users, a plurality of parameters specific to the first user for determining whether interactions of the first user represent malicious activity, wherein each parameter of the plurality of parameters comprises a corresponding parameter identifier and a corresponding parameter value; receiving, for the first user, a request for a pending interaction with a particular application of the plurality of applications; inputting, into a first user model, the pending interaction to cause the first user model to generate a plurality of parameter identifiers identifying a set of parameters within the plurality of parameters, wherein the set of parameters is more likely than another set of parameters within the plurality of parameters to identify the malicious activity, wherein the first user model is trained for the first user using the first user action data; and during pendency of the pending interaction: determining, for the set of parameters, a corresponding set of interaction parameters, wherein the corresponding set of interaction parameters is extracted from the pending interaction that is received as part of the request; determining whether the corresponding set of interaction parameters matches the set of parameters; and based on determining that the corresponding set of interaction parameters matches the set of parameters, determining that the pending interaction is malicious. 17. The one or more non-transitory, computer-readable media of claim 16, wherein generating the plurality of parameters specific to the first user further comprises: inputting, into a parameter generating machine learning model, the first user action data to cause the parameter generating machine learning model to generate the plurality of parameters specific to the first user for determining whether interactions of the first user represent malicious activity, wherein the parameter generating machine learning model is trained to generate user-specific parameters based on particular user action data relating to a particular user; and receiving, from the parameter generating machine learning model, the plurality of parameters. 18. The one or more non-transitory, computer-readable media of claim 16, further comprising: receiving, from the first user model, the plurality of parameter identifiers identifying the set of parameters; and extracting, from parameter storage using the plurality of parameter identifiers, the set of parameters associated with the first user of the plurality of users, wherein the parameter storage stores the plurality of parameters specific to the first user and other pluralities of parameters associated with other users. 19. (Cancelled) 20. The one or more non-transitory, computer-readable media of claim 18, further comprising: determining that the pending interaction is malicious; and based on determining that the pending interaction is malicious, rejecting the pending interaction. Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows: 1. Determining the scope and contents of the prior art. 2. Ascertaining the differences between the prior art and the claims at issue. 3. Resolving the level of ordinary skill in the pertinent art. 4. Considering objective evidence present in the application indicating obviousness or nonobviousness. This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention. Claim(s) 1 – 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Dichiu et al (US 11,153,332), Dic and Lewis et al (US 20220046047), Lew. Claim 1: Dic teaches a system for using user-specific parameters to detect malicious activity in an interaction, the system comprising: a storage device; and one or more processors communicatively coupled to the storage device storing instructions thereon, that cause the one or more processors to (Fig. 3A): receive user action data representing user actions for a plurality of users relative to a plurality of applications; (C1L50-53: receiving an indication of an occurrence of a target event on a target client system, to assemble an event sequence including the target event, all events of the event sequence having occurred on the target client system (C12L19-22) wherein each line represents a distinct event type (e.g., launching a browser, initiating a file download, writing data to disk, etc.), N represents a size of a "vocabulary" of event types (i.e., user actions); C7L10-25: a user among plurality of users (C8L47-49, 56-60) wherein each client profile may represent a single user, a single machine. User application generically represents any application such as word processing, image processing, spreadsheet, calendar, online games, social media, web browser, and electronic communication applications, among others). generate, using first user action data and without using other user action data representing other user actions for other users of the plurality of users, a plurality of parameters specific to a first user for determining whether interactions of the first user represent malicious activity; (C1L57-59: in response to receiving the indication, select a parameter value from a plurality of parameter values according to the target client system (C17L45-50, Fig. 16 step 258) with parameter values specific to the respective selected client profile (i.e., without using other user data). Following profile-specific instantiation, ... events of the respective event sequence in the event embedding space associated with the respective client profile (C2L34-35) to determine whether the target event is indicative of a computer security threat). receive, for the first user, a request for a [pending] interaction with a particular application of the plurality of applications; providing, to a first user model, the [pending] interaction to cause the first user model to generate a plurality of parameter identifiers identifying a set of parameters within the plurality of parameters, wherein the set of parameters for identifying malicious activity, wherein the first user model is trained for the first user using the first user action data and without using the other user action data; (C6L24-33: event indicators may include, for instance, indicators of network events such as network access requests issued by client systems connected to the respective router/gateway. For instance, event indicator 20b may include an originating IP address, a destination IP address, a timestamp, and a payload size... (C2L22-31) select a parameter value from a plurality of parameter values according to the target client system. In response to selecting the set (of) parameter values, ... instantiate a behavior model with the parameter values, the behavior model configured to input a selected event of the event sequence and in response, to produce a prediction indicator indicative of a likelihood that the event sequence includes the target event; (C16L47-49) In response to a successful training, (Figs. 14-15) at step 248 save profile-specific (i..e, user model) parameter values of the trained behavior model; (C17L44-67) following profile-specific instantiation, executing model (step 260) comprises projecting events of the respective event sequence in the event embedding space associated with the respective client profile ... a score value lower than the threshold indicates that the respective event Ea is substantially unlikely to occur in the respective event context, and therefore indicates an anomaly consistent with a potential computer security threat). Dic is silent on determining whether the set of parameters matches a set of interaction parameters associated with the pending interaction; and based on determining that the set of parameters matches the set of interaction parameters, determining that the pending interaction is malicious. But analogous art Lew teaches determining whether the set of parameters matches a set of interaction parameters associated with the pending interaction; and based on determining that the set of parameters matches the set of interaction parameters, determining that the pending interaction is malicious. ([05] the computing platform may detect new activity data on the virtual desktop accessed by the remote computing device. The computing platform may then evaluate the new activity data relative to the data associated with the series of activities ([060] evaluated in real-time or near real-time), wherein evaluating includes applying a machine learning model to the new activity data. Based on evaluating the new activity data relative to the data associated with the series of activities, the computing platform may determine if the new activity data is indicative of a potential cyber-attack. [053-54] the data is received and may be parsed to identify one or more parameters of activity during the virtual desktop session. For instance, the data may be parsed to identify timing of the session, information accessed during the session, steps taken during the sessions, and the like. New activity data may be compared to activity data of previous sessions that were verified as authentic by a user (e.g., an enterprise employee) to identify a potentially suspicious activity or a potential cyber-attack. If a potential cyber-threat is identified, one or more relevant parameters obtained from the new activity data may be identified... For instance, a potential cyber-attack is identified based on a confidentiality classification of accessed data as part of the virtual desktop session [069, 79] unusual activity detected subsequent to the detection of an idle state may be more indicative of potentially suspicious behavior than the same behavior in the middle of an active virtual desktop session where surrounding activity fits a non-anomalous pattern of use by the user). Therefore, it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Dic to include the idea of comparing prior user actions with pending action(s) as taught by Lew so that ensuring information security and preventing unauthorized access by monitoring devices at enterprise locations using machine-learning models to protect enterprise-managed information and resources [02]. Claim 2: the combination of Dic and Lew teaches the system of claim 1, wherein the instructions for generating the plurality of parameters specific to the first user further cause the one or more processors to: input, into a parameter generating machine learning model, the first user action data to cause the parameter generating machine learning model to generate the plurality of parameters specific to the first user, wherein the parameter generating machine learning model is trained to generate user-specific parameters based on particular user action data relating to a particular user; and receive, from the parameter generating machine learning model, the plurality of parameters. (Dic: C6L24-33: event indicators may include, for instance, indicators of network events such as network access requests issued by client systems connected to the respective router/gateway. For instance, event indicator 20b may include an originating IP address, a destination IP address, a timestamp, and a payload size... (C2L22-31) select a parameter value from a plurality of parameter values according to the target client system. In response to selecting the set (of) parameter values, ... instantiate a behavior model with the parameter values, the behavior model configured to input a selected event of the event sequence and in response, to produce a prediction indicator indicative of a likelihood that the event sequence includes the target event; (C16L47-49) In response to a successful training, (Figs. 14-15) at step 248 save profile-specific (i.e, user model) parameter values of the trained behavior model; (C17L44-67) following profile-specific instantiation, executing model (step 260) comprises projecting events of the respective event sequence in the event embedding space associated with the respective client profile ... a score value lower than the threshold indicates that the respective event Ea is substantially unlikely to occur in the respective event context, and therefore indicates an anomaly consistent with a potential computer security threat). Claim 3: the combination of Dic and Lew teaches the system of claim 1, wherein the instructions further cause the one or more processors to: determine that the first user model corresponds to the first user of the plurality of users; and provide, to the first user model, the first user action data without providing the other user action data to train the first user model to generate parameter identifiers identifying sets of parameters for the first user based on [pending] interactions. (Dic: C17L18-26: profile manager 84 may select a client profile according to the respective event indicator, e.g., according to an identity of the target client system where the respective event has occurred. When the respective target client system has provided training events for the development of client profiles and/or for the training of behavior models, ... comprises selecting a client profile having the respective target client system as a member. Other profile selection criteria may also be used. C20L9-15: Profile-specific behavior models were developed for each of the respective client clusters. Event sequences harvested from the test machine were fed to an anomaly detector instantiated, in turn, with parameters specific to each of the behavior models). Lew teaches pending interactions. ([05] the computing platform may detect new activity data on the virtual desktop accessed by the remote computing device. The computing platform may then evaluate the new activity data relative to the data associated with the series of activities ([060] evaluated in real-time or near real-time), wherein evaluating includes applying a machine learning model to the new activity data). Therefore, it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Dic to include the idea of comparing prior user actions with pending action(s) as taught by Lew so that ensuring information security and preventing unauthorized access by monitoring devices at enterprise locations using machine-learning models to protect enterprise-managed information and resources [02]. Claim 4: the combination of Dic and Lew teaches the system of claim 1, wherein the instructions further cause the one or more processors to: receive, from the first user model, the plurality of parameter identifiers identifying the set of parameters; and extract, from parameter storage using the plurality of parameter identifiers, the set of parameters associated with the first user of the plurality of users, wherein the parameter storage stores the plurality of parameters specific to the first user and other pluralities of parameters associated with other users. (Dic: C6L24-33: event indicators may include, for instance, indicators of network events such as network access requests issued by client systems connected to the respective router/gateway. For instance, event indicator 20b may include an originating IP address, a destination IP address, a timestamp, and a payload size... (C2L22-31) select a parameter value from a plurality of parameter values according to the target client system. In response to selecting the set (of) parameter values, ... instantiate a behavior model with the parameter values, the behavior model configured to input a selected event of the event sequence and in response, to produce a prediction indicator indicative of a likelihood that the event sequence includes the target event; (C16L47-49) In response to a successful training, (Figs. 14-15) at step 248 save profile-specific (i. e, user model) parameter values of the trained behavior model; (C17L44-50) anomaly detector may instantiate behavior model with parameter values specific to the respective selected client profile. In some embodiments, following profile-specific instantiation, executing model comprises projecting events of the respective event sequence in the event embedding space associated with the respective client profile). Claim 5: the combination of Dic and Lew teaches the system of claim 1, wherein the instructions further cause the one or more processors to determine, for the set of parameters, a corresponding set of interaction parameters, wherein the corresponding set of interaction parameters is extracted from the pending interaction that is received as part of the request. (Lew: [05] the computing platform may then evaluate the new activity data relative to the data associated with the series of activities ([060] evaluated in real-time or near real-time), wherein evaluating includes applying a machine learning model to the new activity data. Based on evaluating the new activity data relative to the data associated with the series of activities, the computing platform may determine if the new activity data is indicative of a potential cyber-attack. [053-54] the data is received and may be parsed to identify one or more parameters of activity during the virtual desktop session. For instance, the data may be parsed to identify timing of the session, information accessed during the session, steps taken during the sessions, and the like. New activity data may be compared to activity data of previous sessions that were verified as authentic by a user (e.g., an enterprise employee) to identify a potentially suspicious activity or a potential cyber-attack. If a potential cyber-threat is identified, one or more relevant parameters obtained from the new activity data may be identified... For instance, a potential cyber-attack is identified based on a confidentiality classification of accessed data as part of the virtual desktop session). Therefore, it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Dic to include the idea of determining prior user actions with pending action(s) as taught by Lew so that ensuring information security and preventing unauthorized access by monitoring devices at enterprise locations using machine-learning models to protect enterprise-managed information and resources [02]. Claim 6: the combination of Dic and Lew teaches the system of claim 5, wherein the instructions further cause the one or more processors to: determine that a number of parameters within the set of parameters matches the corresponding set of interaction parameters; determine a ratio of the number of parameters that matches the corresponding set of interaction parameters to a total number of parameters of the set of parameters; and based on determining that the ratio satisfies a threshold ratio, determine that the pending interaction is malicious. (Dic: C17L55-65: feeding the event context (E,, i"0) of the respective sequence to behavior model and computing the prediction score vector of the respective sequence (C11L59-63: To achieve the desired representation of event vectors, parameters of encoder 70 may be tuned until some performance condition is satisfied). Step 262 may then comprise identifying the element of vector corresponding to the event type of the actual central event Ea of the sequence, and comparing the respective score to a predetermined threshold (e.g., 0.95). In some embodiments, a score value lower than the threshold indicates that the respective event Ea is substantially unlikely to occur in the respective event context, and therefore indicates an anomaly consistent with a potential computer security threat. C11L59-66: To achieve the desired representation of event vectors, parameters of encoder 70 may be tuned until some performance condition is satisfied. Such tuning is herein referred to as training as in Fig. 7. In a neural network embodiment, exemplary tunable parameters of event encoder 70 include a set of synapse weights, among others). Claim 7: the combination of Dic and Lew teaches the system of claim 6, wherein the instructions further cause the one or more processors to reject the pending interaction based on determining that the pending interaction is malicious. (Dic: C7L42-48: take protective action, for instance sending security alerts to the respective client system and/or to an administrator of the respective client system. In another example of protective action, instruct a router which belongs to the same local network as the suspect client system to block communications to and/or from the respective suspect client system). Claim 8: the combination of Dic and Lew teaches the system of claim 1, wherein the instructions further cause the one or more processors to: extract, from the user action data, second user action data representing second user actions of a second user of the plurality of users; generate, using a parameter generating machine learning model with the second user action data, a new plurality of parameters specific to the second user for determining whether user interactions of the second user represent new malicious activity, wherein the parameter generating machine learning model is trained to generate user-specific parameters based on particular user action data relating to a particular user; receive, for the second user, a new request for a new pending interaction with an application of the plurality of applications; input, into a second user model, the pending interaction to cause the second user model to generate a new plurality of parameter identifiers identifying a new set of parameters within the new plurality of parameters, wherein the second user model is trained for the second user using the second user action data and without using the other user action data; perform, during pendency of the new pending interaction, a new comparison between a new plurality of corresponding parameter values associated with the new set of parameters and one or more new interaction values associated with the new pending interaction; and generate, based on the new comparison during the pendency of the new pending interaction, a new output indicating a new likelihood that the new request represents the new malicious activity. (Lew: [05] the computing platform may detect new activity data on the virtual desktop accessed by the remote computing device. The computing platform may then evaluate the new activity data relative to the data associated with the series of activities, wherein evaluating includes applying a machine learning model to the new activity data. Based on evaluating the new activity data relative to the data associated with the series of activities, the computing platform may determine if the new activity data is indicative of a potential cyber-attack. In response to determining that the new activity data is indicative of a potential cyber-attack, the computing platform may initiate one or more security response actions. [020] monitor data associated with a series of activities from a remote user account at a remote computing device, detect new activity data from the remote user account at the remote computing device, evaluate the new activity data relative to the data associated with the series of activities, determine if the new activity data is indicative of a potential cyber-attack based on evaluating the new activity relative to the series of activities, and in response to determining that the new activity data is indicative of a potential cyber-attack, initiate one or more security response actions. [054] new activity data may be compared to activity data of previous sessions that were verified as authentic by a user (e.g., an enterprise employee) to identify a potentially suspicious activity or a potential cyber-attack). Therefore, it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Dic to include the idea of determining and processing second or another set of prior user actions with pending action(s) as taught by Lew so that ensuring information security and preventing unauthorized access by monitoring devices at enterprise locations using machine-learning models to protect enterprise-managed information and resources [02]. Claim 9: Dic teaches a method comprising: receiving user action data representing user actions for a plurality of users relative to a plurality of applications; generating, using first user action data representing first user actions of a first user of the plurality of users, a plurality of parameters specific to the first user for determining whether interactions of the first user represent one or more malicious activities; receiving, for the first user, a request for a [pending] interaction with a particular application of the plurality of applications; providing, to a first user model, the [pending] interaction to cause the first user model to generate a plurality of parameter identifiers identifying a set of parameters within the plurality of parameters for identifying malicious activity, wherein the first user model is trained for the first user using the first user action data; determining whether the set of parameters matches set of interaction parameters associated with the [pending] interaction; and based on determining that the set of parameters matches the set of interaction parameters, determining that the [pending] interaction is malicious. (C1L50-53: receiving an indication of an occurrence of a target event on a target client system, to assemble an event sequence including the target event, all events of the event sequence having occurred on the target client system (C12L19-22) wherein each line represents a distinct event type (e.g., launching a browser, initiating a file download, writing data to disk, etc.), N represents a size of a "vocabulary" of event types (i.e., user actions); C7L10-25: a user among plurality of users (C8L47-49, 56-60) wherein each client profile may represent a single user, a single machine. User application generically represents any application such as word processing, image processing, spreadsheet, calendar, online games, social media, web browser, and electronic communication applications, among others; C1L57-59: in response to receiving the indication, select a parameter value from a plurality of parameter values according to the target client system (C17L45-50, Fig. 16 step 258) with parameter values specific to the respective selected client profile (i.e., without using other user data). In some embodiments, following profile-specific instantiation, ... events of the respective event sequence in the event embedding space associated with the respective client profile (C2L34-35) to determine whether the target event is indicative of a computer security threat; C6L24-33: event indicators may include, for instance, indicators of network events such as network access requests issued by client systems connected to the respective router/gateway. For instance, event indicator 20b may include an originating IP address, a destination IP address, a timestamp, and a payload size... (C2L22-31) select a parameter value from a plurality of parameter values according to the target client system. In response to selecting the set (of) parameter values, ... instantiate a behavior model with the parameter values, the behavior model configured to input a selected event of the event sequence and in response, to produce a prediction indicator indicative of a likelihood that the event sequence includes the target event; (C16L47-49) In response to a successful training, (Figs. 14-15) at step 248 save profile-specific (i..e, user model) parameter values of the trained behavior model; (C17L44-67) following profile-specific instantiation, executing model (step 260) comprises projecting events of the respective event sequence in the event embedding space associated with the respective client profile ... a score value lower than the threshold indicates that the respective event Ea is substantially unlikely to occur in the respective event context, and therefore indicates an anomaly consistent with a potential computer security threat). Dic is silent on determining whether the set of parameters matches a set of interaction parameters associated with the pending interaction; and based on determining that the set of parameters matches the set of interaction parameters, determining that the pending interaction is malicious. But analogous art Lew teaches determining whether the set of parameters matches a set of interaction parameters associated with the pending interaction; and based on determining that the set of parameters matches the set of interaction parameters, determining that the pending interaction is malicious. ([05] the computing platform may detect new activity data on the virtual desktop accessed by the remote computing device. The computing platform may then evaluate the new activity data relative to the data associated with the series of activities ([060] evaluated in real-time or near real-time), wherein evaluating includes applying a machine learning model to the new activity data. Based on evaluating the new activity data relative to the data associated with the series of activities, the computing platform may determine if the new activity data is indicative of a potential cyber-attack. [053-54] the data is received and may be parsed to identify one or more parameters of activity during the virtual desktop session. For instance, the data may be parsed to identify timing of the session, information accessed during the session, steps taken during the sessions, and the like. New activity data may be compared to activity data of previous sessions that were verified as authentic by a user (e.g., an enterprise employee) to identify a potentially suspicious activity or a potential cyber-attack. If a potential cyber-threat is identified, one or more relevant parameters obtained from the new activity data may be identified... For instance, a potential cyber-attack is identified based on a confidentiality classification of accessed data as part of the virtual desktop session [069, 79] unusual activity detected subsequent to the detection of an idle state may be more indicative of potentially suspicious behavior than the same behavior in the middle of an active virtual desktop session where surrounding activity fits a non-anomalous pattern of use by the user). Therefore, it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Dic to include the idea of comparing prior user actions with pending action(s) as taught by Lew so that ensuring information security and preventing unauthorized access by monitoring devices at enterprise locations using machine-learning models to protect enterprise-managed information and resources [02]. Claim 10: the combination of Dic and Lew teaches the method of claim 9, wherein generating the plurality of parameters specific to the first user further comprises: inputting, into a parameter generating machine learning model, the first user action data to cause the parameter generating machine learning model to generate the plurality of parameters specific to the first user for determining whether the interactions of the first user represent the malicious activity, wherein the parameter generating machine learning model is trained to generate user-specific parameters based on particular user action data relating to a particular user; and receiving, from the parameter generating machine learning model, the plurality of parameters. (Dic: C6L24-33: event indicators may include, for instance, indicators of network events such as network access requests issued by client systems connected to the respective router/gateway. For instance, event indicator 20b may include an originating IP address, a destination IP address, a timestamp, and a payload size... (C2L22-31) select a parameter value from a plurality of parameter values according to the target client system. In response to selecting the set (of) parameter values, ... instantiate a behavior model with the parameter values, the behavior model configured to input a selected event of the event sequence and in response, to produce a prediction indicator indicative of a likelihood that the event sequence includes the target event; (C16L47-49) In response to a successful training, (Figs. 14-15) at step 248 save profile-specific (i.e, user model) parameter values of the trained behavior model; (C17L44-67) following profile-specific instantiation, executing model (step 260) comprises projecting events of the respective event sequence in the event embedding space associated with the respective client profile ... a score value lower than the threshold indicates that the respective event Ea is substantially unlikely to occur in the respective event context, and therefore indicates an anomaly consistent with a potential computer security threat). Claim 11: the combination of Dic and Lew teaches the method of claim 9, further comprising: determining that the first user model corresponds to the first user of the plurality of users; and providing, to the first user model, the first user action data without providing other user action data to train the first user model to generate parameter identifiers identifying sets of parameters for the first user based on [pending] interactions. (Dic: C17L18-26: profile manager 84 may select a client profile according to the respective event indicator, e.g., according to an identity of the target client system where the respective event has occurred. When the respective target client system has provided training events for the development of client profiles and/or for the training of behavior models, ... comprises selecting a client profile having the respective target client system as a member. Other profile selection criteria may also be used. C20L9-15: Profile-specific behavior models were developed for each of the respective client clusters. Event sequences harvested from the test machine were fed to an anomaly detector instantiated, in turn, with parameters specific to each of the behavior models). Lew teaches pending interactions. ([05] the computing platform may detect new activity data on the virtual desktop accessed by the remote computing device. The computing platform may then evaluate the new activity data relative to the data associated with the series of activities ([060] evaluated in real-time or near real-time), wherein evaluating includes applying a machine learning model to the new activity data). Therefore, it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Dic to include the idea of comparing prior user actions with pending action(s) as taught by Lew so that ensuring information security and preventing unauthorized access by monitoring devices at enterprise locations using machine-learning models to protect enterprise-managed information and resources [02]. Claim 12: the combination of Dic and Lew teaches the method of claim 9, wherein validating the request comprises: performing, during pendency of the pending interaction, a comparison between a plurality of corresponding parameter values associated with the set of parameters and one or more interaction values associated with the pending interaction; and generating, based on the comparison and during the pendency of the pending interaction, an output indicating a likelihood that the request represents the malicious activity. (Lew: [079, Fig. 2C] cyber event analysis computing platform 110 may verify the authenticity of the responsive communication from the remote user computing device 170. Verifying the authenticity may include comparing the responsive communication to stored user credentials, passwords, passcodes, and the like. Upon verifying the authenticity at step 213, the cyber event analysis computing platform 110 may flag the recent activity as a non-cyber-attack or non-anomalous. In some examples, flagging the recent activity as a non-cyber-attack or non-anomalous may include updating the machine learning model with the recent activity data to better train the machine learning model to virtual desktop session on the user account and more accurately detect a potential cyber-attack). Therefore, it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Dic to include the idea of comparing attributes of user actions with pending action(s) as taught by Lew so that ensuring information security and preventing unauthorized access by monitoring devices at enterprise locations using machine-learning models to protect enterprise-managed information and resources [02]. Claim 13: the combination of Dic and Lew teaches the method of claim 9, further comprising: receiving, from the first user model, the plurality of parameter identifiers identifying the set of parameters; and extracting, from parameter storage using the plurality of parameter identifiers, the set of parameters associated with the first user of the plurality of users, wherein the parameter storage stores the plurality of parameters specific to the first user and other pluralities of parameters associated with other users. (Dic: C6L24-33: event indicators may include, for instance, indicators of network events such as network access requests issued by client systems connected to the respective router/gateway. For instance, event indicator 20b may include an originating IP address, a destination IP address, a timestamp, and a payload size... (C2L22-31) select a parameter value from a plurality of parameter values according to the target client system. In response to selecting the set (of) parameter values, ... instantiate a behavior model with the parameter values, the behavior model configured to input a selected event of the event sequence and in response, to produce a prediction indicator indicative of a likelihood that the event sequence includes the target event; (C16L47-49) In response to a successful training, (Figs. 14-15) at step 248 save profile-specific (i. e, user model) parameter values of the trained behavior model; (C17L44-50) anomaly detector may instantiate behavior model with parameter values specific to the respective selected client profile. In some embodiments, following profile-specific instantiation, executing model comprises projecting events of the respective event sequence in the event embedding space associated with the respective client profile). Claim 14: the combination of Dic and Lew teaches the method of claim 9, wherein the set of parameters is more likely than a different set of parameters within the plurality of parameters to identify the malicious activity. (Dic: C7L37-41: Stated otherwise, security server may determine whether the respective event matches a pattern of normality/baseline behavior encoded in the respective client profile. When no, the respective event may indicate suspicious activity. C17L44-50: anomaly detector may instantiate behavior model with parameter values specific to the respective selected client profile. Following profile-specific instantiation, executing model comprises projecting events of the respective event sequence in the event embedding space associated with the respective client profile). Claim 15: the combination of Dic and Lew teaches the method of claim 13, further comprising: determining that the pending interaction is malicious; and based on determining that the pending interaction is malicious, rejecting the pending interaction. (Dic: C7L42-48: take protective action, for instance sending security alerts to the respective client system and/or to an administrator of the respective client system. In another example of protective action, instruct a router which belongs to the same local network as the suspect client system to block communications to and/or from the respective suspect client system). Claim 16: Dic teaches one or more non-transitory, computer-readable media storing instructions that, when executed by one or more processors, cause operations comprising (Fig. 3A): receiving user action data representing user actions for a plurality of users relative to a plurality of applications; generating, using first user action data representing first user actions of a first user of the plurality of users, a plurality of parameters specific to the first user for determining whether interactions of the first user represent one or more malicious activities; receiving, for the first user, a request for a pending interaction with a particular application of the plurality of applications; providing, to a first user model, the pending interaction to cause the first user model to generate a plurality of parameter identifiers identifying a set of parameters within the plurality of parameters for identifying malicious activity, wherein the first user model is trained for the first user using the first user action data; determining whether the set of parameters matches set of interaction parameters associated with the pending interaction; and based on determining that the set of parameters matches the set of interaction parameters, determining that the pending interaction is malicious. (C1L50-53: receiving an indication of an occurrence of a target event on a target client system, to assemble an event sequence including the target event, all events of the event sequence having occurred on the target client system (C12L19-22) wherein each line represents a distinct event type (e.g., launching a browser, initiating a file download, writing data to disk, etc.), N represents a size of a "vocabulary" of event types (i.e., user actions); C7L10-25: a user among plurality of users (C8L47-49, 56-60) wherein each client profile may represent a single user, a single machine. User application generically represents any application such as word processing, image processing, spreadsheet, calendar, online games, social media, web browser, and electronic communication applications, among others; C1L57-59: in response to receiving the indication, select a parameter value from a plurality of parameter values according to the target client system (C17L45-50, Fig. 16 step 258) with parameter values specific to the respective selected client profile (i.e., without using other user data). Following profile-specific instantiation, ... events of the respective event sequence in the event embedding space associated with the respective client profile (C2L34-35) to determine whether the target event is indicative of a computer security threat; C6L24-33: event indicators may include, for instance, indicators of network events such as network access requests issued by client systems connected to the respective router/gateway. For instance, event indicator 20b may include an originating IP address, a destination IP address, a timestamp, and a payload size... (C2L22-31) select a parameter value from a plurality of parameter values according to the target client system. In response to selecting the set (of) parameter values, ... instantiate a behavior model with the parameter values, the behavior model configured to input a selected event of the event sequence and in response, to produce a prediction indicator indicative of a likelihood that the event sequence includes the target event; (C16L47-49) In response to a successful training, (Figs. 14-15) at step 248 save profile-specific (i..e, user model) parameter values of the trained behavior model; (C17L44-67) following profile-specific instantiation, executing model (step 260) comprises projecting events of the respective event sequence in the event embedding space associated with the respective client profile ... a score value lower than the threshold indicates that the respective event Ea is substantially unlikely to occur in the respective event context, and therefore indicates an anomaly consistent with a potential computer security threat). Dic is silent on determining whether the set of parameters matches a set of interaction parameters associated with the pending interaction; and based on determining that the set of parameters matches the set of interaction parameters, determining that the pending interaction is malicious. But analogous art Lew teaches determining whether the set of parameters matches a set of interaction parameters associated with the pending interaction; and based on determining that the set of parameters matches the set of interaction parameters, determining that the pending interaction is malicious. ([05] the computing platform may detect new activity data on the virtual desktop accessed by the remote computing device. The computing platform may then evaluate the new activity data relative to the data associated with the series of activities ([060] evaluated in real-time or near real-time), wherein evaluating includes applying a machine learning model to the new activity data. Based on evaluating the new activity data relative to the data associated with the series of activities, the computing platform may determine if the new activity data is indicative of a potential cyber-attack. [053-54] the data is received and may be parsed to identify one or more parameters of activity during the virtual desktop session. For instance, the data may be parsed to identify timing of the session, information accessed during the session, steps taken during the sessions, and the like. New activity data may be compared to activity data of previous sessions that were verified as authentic by a user (e.g., an enterprise employee) to identify a potentially suspicious activity or a potential cyber-attack. If a potential cyber-threat is identified, one or more relevant parameters obtained from the new activity data may be identified... For instance, a potential cyber-attack is identified based on a confidentiality classification of accessed data as part of the virtual desktop session [069, 79] unusual activity detected subsequent to the detection of an idle state may be more indicative of potentially suspicious behavior than the same behavior in the middle of an active virtual desktop session where surrounding activity fits a non-anomalous pattern of use by the user). Therefore, it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Dic to include the idea of comparing prior user actions with pending action(s) as taught by Lew so that ensuring information security and preventing unauthorized access by monitoring devices at enterprise locations using machine-learning models to protect enterprise-managed information and resources [02]. Claim 17: the combination of Dic and Lew teaches the one or more non-transitory, computer-readable media of claim 16, wherein generating the plurality of parameters specific to the first user further comprises: inputting, into a parameter generating machine learning model, the first user action data to cause the parameter generating machine learning model to generate the plurality of parameters specific to the first user for determining whether the interactions of the first user represent the malicious activity, wherein the parameter generating machine learning model is trained to generate user-specific parameters based on particular user action data relating to a particular user; and receiving, from the parameter generating machine learning model, the plurality of parameters. (Dic: C6L24-33: event indicators may include, for instance, indicators of network events such as network access requests issued by client systems connected to the respective router/gateway. For instance, event indicator 20b may include an originating IP address, a destination IP address, a timestamp, and a payload size... (C2L22-31) select a parameter value from a plurality of parameter values according to the target client system. In response to selecting the set (of) parameter values, ... instantiate a behavior model with the parameter values, the behavior model configured to input a selected event of the event sequence and in response, to produce a prediction indicator indicative of a likelihood that the event sequence includes the target event; (C16L47-49) In response to a successful training, (Figs. 14-15) at step 248 save profile-specific (i.e, user model) parameter values of the trained behavior model; (C17L44-67) following profile-specific instantiation, executing model (step 260) comprises projecting events of the respective event sequence in the event embedding space associated with the respective client profile ... a score value lower than the threshold indicates that the respective event Ea is substantially unlikely to occur in the respective event context, and therefore indicates an anomaly consistent with a potential computer security threat). Claim 18: the combination of Dic and Lew teaches the one or more non-transitory, computer-readable media of claim 16, further comprising: receiving, from the first user model, the plurality of parameter identifiers identifying the set of parameters; and extracting, from parameter storage using the plurality of parameter identifiers, the set of parameters associated with the first user of the plurality of users, wherein the parameter storage stores the plurality of parameters specific to the first user and other pluralities of parameters associated with other users. (Dic: C6L24-33: event indicators may include, for instance, indicators of network events such as network access requests issued by client systems connected to the respective router/gateway. For instance, event indicator 20b may include an originating IP address, a destination IP address, a timestamp, and a payload size... (C2L22-31) select a parameter value from a plurality of parameter values according to the target client system. In response to selecting the set (of) parameter values, ... instantiate a behavior model with the parameter values, the behavior model configured to input a selected event of the event sequence and in response, to produce a prediction indicator indicative of a likelihood that the event sequence includes the target event; (C16L47-49) In response to a successful training, (Figs. 14-15) at step 248 save profile-specific (i. e, user model) parameter values of the trained behavior model; (C17L44-50) anomaly detector may instantiate behavior model with parameter values specific to the respective selected client profile. In some embodiments, following profile-specific instantiation, executing model comprises projecting events of the respective event sequence in the event embedding space associated with the respective client profile). Claim 19: the combination of Dic and Lew teaches the one or more non-transitory, computer-readable media of claim 18, further comprising: determining that the pending interaction is malicious; and based on determining that the pending interaction is malicious, rejecting the pending interaction. (Dic: C7L42-48: take protective action, for instance sending security alerts to the respective client system and/or to an administrator of the respective client system. In another example of protective action, instruct a router which belongs to the same local network as the suspect client system to block communications to and/or from the respective suspect client system). Claim 20: the combination of Dic and Lew teaches the one or more non-transitory, computer-readable media of claim 16, wherein the instructions further cause the one or more processors to determine, for the set of parameters, a corresponding set of interaction parameters, wherein the corresponding set of interaction parameters is extracted from the pending interaction that is received as part of the request. (Lew: [05] the computing platform may then evaluate the new activity data relative to the data associated with the series of activities ([060] evaluated in real-time or near real-time), wherein evaluating includes applying a machine learning model to the new activity data. Based on evaluating the new activity data relative to the data associated with the series of activities, the computing platform may determine if the new activity data is indicative of a potential cyber-attack. [053-54] the data is received and may be parsed to identify one or more parameters of activity during the virtual desktop session. For instance, the data may be parsed to identify timing of the session, information accessed during the session, steps taken during the sessions, and the like. New activity data may be compared to activity data of previous sessions that were verified as authentic by a user (e.g., an enterprise employee) to identify a potentially suspicious activity or a potential cyber-attack. If a potential cyber-threat is identified, one or more relevant parameters obtained from the new activity data may be identified... For instance, a potential cyber-attack is identified based on a confidentiality classification of accessed data as part of the virtual desktop session). Therefore, it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Dic to include the idea of determining prior user actions with pending action(s) as taught by Lew so that ensuring information security and preventing unauthorized access by monitoring devices at enterprise locations using machine-learning models to protect enterprise-managed information and resources [02]. Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892. Any inquiry concerning this communication or earlier communications from the examiner should be directed to Badri Champakesan whose telephone number is (571)270-3867. The examiner can normally be reached M-F: 8.30am-4.30pm (EST). Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung Kim can be reached at (571) 272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /BADRINARAYANAN /Primary Examiner, Art Unit 2494.
Read full office action

Prosecution Timeline

Jan 08, 2025
Application Filed
Jun 08, 2026
Non-Final Rejection mailed — §103
Jul 16, 2026
Interview Requested

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12676868
Pattern Analysis Threat Identification
2y 12m to grant Granted Jul 07, 2026
Patent 12675561
MODULAR DATA CENTER
1y 11m to grant Granted Jul 07, 2026
Patent 12675758
NESTED MODEL STRUCTURES FOR THE PERFORMANCE OF COMPLEX TASKS
1y 8m to grant Granted Jul 07, 2026
Patent 12671702
TAMPERING DETECTION USING A MANAGEMENT CONTROLLER
2y 2m to grant Granted Jun 30, 2026
Patent 12665917
SYSTEMS AND METHODS OF ADAPTIVELY IDENTIFYING ANOMALOUS NETWORK COMMUNICATION TRAFFIC
1y 8m to grant Granted Jun 23, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

1-2
Expected OA Rounds
91%
Grant Probability
99%
With Interview (+55.6%)
2y 4m (~10m remaining)
Median Time to Grant
Low
PTA Risk
Based on 385 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month