Prosecution Insights
Last updated: July 17, 2026
Application No. 19/257,831

ANOMALY-BASED MITIGATION OF ACCESS REQUEST RISK

Non-Final OA §102§103§112
Filed
Jul 02, 2025
Priority
Apr 22, 2021 — continuation of 12/381,876
Examiner
HERZOG, MADHURI R
Art Unit
2438
Tech Center
2400 — Computer Networks
Assignee
Microsoft Technology Licensing, LLC
OA Round
1 (Non-Final)
78%
Grant Probability
Favorable
1-2
OA Rounds
1y 11m
Est. Remaining
90%
With Interview

Examiner Intelligence

Grants 78% — above average
78%
Career Allowance Rate
526 granted / 673 resolved
+20.2% vs TC avg
Moderate +12% lift
Without
With
+12.0%
Interview Lift
resolved cases with interview
Typical timeline
2y 11m
Avg Prosecution
19 currently pending
Career history
704
Total Applications
across all art units

Statute-Specific Performance

§101
1.1%
-38.9% vs TC avg
§103
90.7%
+50.7% vs TC avg
§102
2.7%
-37.3% vs TC avg
§112
3.5%
-36.5% vs TC avg
Black line = Tech Center average estimate • Based on career data from 673 resolved cases

Office Action

§102 §103 §112
DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Claims 1-20 have been examined. Priority Acknowledgement is made of the applicant’s claim to priority as a continuation of parent application 17/237872, filed 04/22/2021, now U.S. Patent No. 12381876. Double Patenting The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969). A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13. The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer. Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. 12381876. Although the claims at issue are not identical, they are not patentably distinct from each other because: Instant application U.S. Patent No. 12381876 1. A computing system for processing access requests, comprising: a processor; and a memory storing instructions that, when executed by the processor, cause the computing system to: receive a request for access to a secured resource or service by a requestor; compute, using an explanatory machine learning model, an anomaly-based risk score for the request, the explanatory ML model configured to produce both (i) the anomaly-based risk score and (ii) an explanation of the anomaly-based risk score, the explanation identifying one or more input features that contributed to the anomaly-based risk score; select, based at least on the anomaly-based risk score and the explanation, an approval procedure from among a plurality of approval procedures, the plurality of approval procedures comprising at least one of: a step-up approval procedure requiring human review; a step-down approval procedure avoiding human review; or an alert-based procedure configured to notify a stakeholder; execute the approval procedure to determine whether the access request is to be granted or denied; and implement an access control decision based on the approval procedure. 4. The computing system of claim 1, wherein the input features to the explanatory ML model comprise at least a user identifier, a resource category, and a request context attribute. 9. A method for adaptive access control decision processing using an explanatory machine learning (ML) model in a computing environment, comprising: receiving, by a processing system, a request for access to a secured computing resource from a requestor; generating an anomaly-based risk score and an explanation using the explanatory ML model trained on historical access request data, the explanatory ML model being configured to receive as input a user identifier, resource classification, and access context; selecting, based on the anomaly-based risk score and the explanation, an approval procedure from a plurality of approval procedures, the plurality of approval procedures comprising at least: a manual review procedure, an automatic approval procedure, and a policy-based alert procedure; executing the approval procedure; and implementing an access control decision based on the result of the approval procedure. 15. A non-transitory computer-readable medium storing instructions that, when executed by a processor, cause a computing system to: receive a request for access to a secured resource or service by a requestor; compute, using an explanatory machine learning (ML) model, an anomaly-based risk score for the request, the explanatory ML model configured to produce both the anomaly- based risk score and an explanation of the anomaly-based risk score, the explanation identifying one or more input features that contributed to the anomaly-based risk score; select, based at least on the anomaly-based risk score and the explanation, an approval procedure from among a plurality of approval procedures, the plurality of approval procedures comprising at least one of: a step-up approval procedure requiring human review; a step-down approval procedure avoiding human review; or an alert-based procedure configured to notify a stakeholder; execute the selected approval procedure to determine whether the request is to be granted or denied; and implement an access control decision based on the selected approval procedure. 1. A computing system configured to mitigate cybersecurity risk from access requests, the system comprising: a digital memory; a processor in operable communication with the digital memory, the processor configured to perform cybersecurity risk mitigation steps including automatically obtaining from an explanatory machine learning model subsystem an explainable anomaly-based risk score of a request by a requestor for access to a secured resource or a secured service or both, selecting an approval procedure based on at least the explainable anomaly-based risk score, the approval procedure being selected from a set of multiple approval procedures which includes at least one step-up approval procedure which upon computational execution compels presentation of the request to a non-requestor for human review prior to approval of the request and at least one step-down approval procedure which upon computational execution avoids presentation of the request for human review prior to approval of the request, submitting the request to the selected approval procedure, getting an access decision from the approval procedure, implementing the access decision in at least one of the following ways: allowing the requested access, barring the requested access, or deferring access by submitting the request to additional approval processing, the cybersecurity risk mitigation steps also including automatically computing a black box risk score using a black box machine learning model, determining that the black box risk score is within a predetermined tolerance of the explainable anomaly-based risk score, and then displaying an explanation of at least one risk, the explanation being automatically derived from at least one of the following: an input to the explanatory machine learning model subsystem, or an output of the explanatory machine learning model subsystem. 5. The system of claim 1, wherein the system comprises the explanatory machine learning model subsystem, and the system utilizes at least two of the following as an input signal to a machine learning model of the explanatory machine learning model subsystem or as a scoring condition, or both:… a resource category of the secured resource; … a personnel identification which uniquely identifies the requestor; a personnel category of the requestor; a service identification which uniquely identifies a service that contains the secured resource or is otherwise secured; a service category of a service that contains the secured resource or is otherwise secured; a requestor risk score; a resource risk score; or a service risk score. 6. A method for mitigating cybersecurity risk from access requests, comprising: receiving a request for access to a secured resource or a secured service or both; computing an explainable anomaly-based risk score of the request using an explanatory machine learning model, the explainable anomaly-based risk score being computed based on at least a weighted combination of historical access pattern models; claim 7: The method of claim 6, wherein the selecting is also based on at least one of: a request resource count which indicates a number of resources the requestor seeks to access through the request; a request resource level which indicates a resource access level the requestor seeks through the request; a personnel identification which uniquely identifies the requestor; a personnel category of the requestor; or a requestor risk score. claim 1: selecting an approval procedure based on at least the explainable anomaly-based risk score; submitting the request to the selected approval procedure; getting an access decision from the approval procedure; providing the access decision to an access control infrastructure which is configured to implement the access decision; computing a black box risk score using a black box machine learning model; and determining that the black box risk score is within a predetermined tolerance of the explainable anomaly-based risk score, and then displaying an explanation of at least one risk, the explanation being automatically derived from at least one of the following: an input to the explanatory machine learning model, or an output of the explanatory machine learning model. 16. A computer-readable storage device configured with data and instructions which upon execution by a processor cause a cloud computing system to perform a method for mitigating cybersecurity risk from access requests, the method comprising: receiving a request for access to a secured resource or a secured service or both; computing an explainable anomaly-based risk score of the request using an explanatory machine learning model, the explainable anomaly-based risk score being computed in a machine learning model subsystem using at least one machine learning model; ascertaining that the request has an entropy above a specified threshold, the entropy including a measure of uncertainty in a distribution of access requests; selecting an approval procedure which upon execution avoids alerting on the request and which is selected based on at least the explainable anomaly-based risk score; submitting the request to the selected approval procedure; getting an access decision from the approval procedure; providing the access decision to an access control infrastructure which is configured to implement the access decision; computing a black box risk score using a black box machine learning model; and determining that the black box risk score is within a predetermined tolerance of the explainable anomaly-based risk score, and then displaying an explanation of at least one risk, the explanation being automatically derived from at least one of the following: an input to the explanatory machine learning model, or an output of the explanatory machine learning model. 17. The storage device of claim 16, wherein the method comprises sending an alert toward a stakeholder in response to an anomalous access request. Claim Rejections - 35 USC § 112 The following is a quotation of 35 U.S.C. 112(b): (b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention. The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph: The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention. Claims 1, 2, and 16 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. Claim 1 recites the limitation "the access request" in line 17. There is insufficient antecedent basis for this limitation in the claim. Claims 2 and 16 recite the limitation "the predicted probabilities" in last 2 lines. There is insufficient antecedent basis for this limitation in the claim. Claim Rejections - 35 USC § 102 The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action: A person shall be entitled to a patent unless – (a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention. Claims 1, 4, 6, 9, 13, and 15 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by US 12260411 to Ederle et al (hereinafter Ederle). As per claims 1 and 15, Ederle teaches: A computing system for processing access requests, comprising: a processor; and a memory storing instructions that, when executed by the processor (Ederle: column 14, lines 32-42: all such computer systems include a processor and a memory), cause the computing system to: receive a request for access to a secured resource or service by a requestor (Ederle: column 3, lines 51-60: The RBA-enabled directory server receives an authentication request message for a transaction. The authentication request message includes authentication data); compute, using an explanatory machine learning model, an anomaly-based risk score for the request, the explanatory ML model configured to produce both (i) the anomaly-based risk score and (ii) an explanation of the anomaly-based risk score, the explanation identifying one or more input features that contributed to the anomaly-based risk score (Ederle: column 12, lines 54-60: the authentication platform performs the authentication process on the transaction, including RBA. This analysis is based on a machine learning model where, over time, the authentication platform is capable of improving its ability to determine the risk level associated with transactions. Column 3, lines 61-67: the RBA-enabled directory server generates, based at least in part on the extracted authentication data, risk-based authentication (RBA) result data including a risk score. column 5, lines 18-22 and 40-44: The RBA-enabled directory server receives an authentication request (AReq) message from a 3DS server. The RBA-enabled directory server transmits at least some of the data in the AReq message (e.g., authentication data) to the RBA engine. In the example embodiment, the RBA engine analyzes the data in the AReq message to generate RBA result data. Column 6, lines 6-25: the RBA result data generated by the RBA engine includes a risk score, a risk analysis, and at least one reason code. The risk score is a score representing a determined riskiness of the transaction. Further the reason codes (explanation) include one or more factors that influenced the risk score. In some embodiments, the reason codes are generated using reason code categories and anchors, as described herein. Column 28, lines 9-45: Based on analysis of the data in the AReq message, RBA engine 612 may activate at least one anchor. For example, for the cardholder category, if RBA engine 612 determines that a shipping address (input factor) for the transaction has been used with the PAN in past transactions and/or the shipping address is unchanged from prior transaction, RBA engine 612 may activate the shipping address anchor. For the environment category, the IP address anchor may be activated if the IP address (input factor) is known and is not on a list of “bad” IP addresses. Further, the device anchor may be activated if the device is known and is not on a list of “bad” devices, the device has had successful authentications in past transactions, and/or the device has scored well in past transactions. Column 29, lines 4-10: The reasons codes are generated based on the activated anchors, and are loosely structured in a hierarchical order based on connections between anchors in different categories. For example, if at least one anchor in the cardholder category is activated, a positive reason code (i.e., indicating relatively low risk) is generated. Also, claim 1); select, based at least on the anomaly-based risk score and the explanation, an approval procedure from among a plurality of approval procedures, the plurality of approval procedures comprising at least one of: a step-up approval procedure requiring human review; a step-down approval procedure avoiding human review; or an alert-based procedure configured to notify a stakeholder (Ederle: column 6, lines 28-35 and 45-67: The RBA-enabled directory server embeds the RBA result data into the AReq message to generate an enhanced or enriched AReq message. The enhanced AReq message is then transmitted from the RBA-enabled directory server to the ACS. The ACS then analyzes the RBA result data in the enhanced AReq message to make an authentication decision. That is, in the example embodiment, the ACS may determine to fully authenticate the transaction (step-down approval procedure avoiding human review), deny authentication for the transaction (step-down approval procedure avoiding human review), or perform additional authentication (e.g., by issuing a step-up challenge to the cardholder) for the transaction, based on at least one of a risk score, the risk analysis, and the reason codes. Column 7, lines 41-60: in the case of a high risk transaction, the authentication platform may deny the transaction (step-down approval procedure avoiding human review). If the transaction is low risk, the authentication platform may approve the transaction (step-down approval procedure avoiding human review). Column 34, lines 28-32: Further, authentication platform 614 may notify the issuer and/or merchant that the transaction was clearly fraudulent (alert-based procedure), enabling the issuer and/or merchant to take appropriate action (e.g., flagging the associated account number and/or cardholder). Also, column 31, lines 24-32 and 53-62); execute the approval procedure to determine whether the access request is to be granted or denied; and implement an access control decision based on the approval procedure (Ederle: column 7, lines 40-67: The authentication platform may transmit an authentication response (ARes) message including the denial to the 3DS server. The 3DS server may transmit the Ares message including the denial to the merchant. If the transaction is low risk, the authentication platform may approve the transaction and transmit an authentication response (ARes) message including the approval to the 3DS server, where at least one of the 3DS server and the merchant may initiate the authorization process). As per claim 4, Ederle teaches: The computing system of claim 1, wherein the input features to the explanatory ML model comprise at least a user identifier, a resource category, and a request context attribute (Ederle: column 10, lines 23-43: The following Table 1 lists a number of the data elements that are used in the 3DS 2 Protocol for authentication. For example, at least some of these data elements may be included in the authentication data included in the AReq sent to directory server 510. The authentication data may also be divided by category, such as: transaction data (amount, currency, date, and time), device data (IP address, device info, and channel data), cardholder data (account number and shipping address) (user identifier), and merchant data (name (request context attribute), category (resource category), and country). Table 1: Data element 3: 3DS Requestor ID (user identifier)). As per claim 6, Ederle teaches: The computing system of claim 1, wherein the computing system is further configured to monitor post-access activity of the requestor or the secured resource during a post-access observation period (Ederle: column 10, lines 13-23: a payment processor could indicate if a particular device is associated with fraud, and flag that device for issuers in future transactions. The issuer may then reject transactions involving that device or prompt for additional authentication (e.g., through two-factor authentication) (monitoring post-access activity)). As per claim 9, Ederle teaches: A method for adaptive access control decision processing using an explanatory machine learning (ML) model in a computing environment, comprising: receiving, by a processing system, a request for access to a secured computing resource from a requestor (Ederle: column 3, lines 51-60: The RBA-enabled directory server receives an authentication request message for a transaction. The authentication request message includes authentication data); generating an anomaly-based risk score and an explanation using the explanatory ML model trained on historical access request data, the explanatory ML model being configured to receive as input a user identifier, resource classification, and access context (Ederle: column 12, lines 54-60: the authentication platform performs the authentication process on the transaction, including RBA. This analysis is based on a machine learning model where, over time, the authentication platform is capable of improving its ability to determine the risk level associated with transactions. The authentication platform analyzes transactions that are authenticated by the ACS and compares these transactions with historical data to generate a risk model for each issuer. Column 3, lines 61-67: the RBA-enabled directory server generates, based at least in part on the extracted authentication data, risk-based authentication (RBA) result data including a risk score. column 5, lines 18-22 and 40-50: The RBA-enabled directory server receives an authentication request (AReq) message from a 3DS server. The RBA-enabled directory server transmits at least some of the data in the AReq message (e.g., authentication data) to the RBA engine. In the example embodiment, the RBA engine analyzes the data in the AReq message to generate RBA result data. Column 6, lines 6-25: the RBA result data generated by the RBA engine includes a risk score, a risk analysis, and at least one reason code. The risk score is a score representing a determined riskiness of the transaction. Further the reason codes (explanation) include one or more factors that influenced the risk score. Column 10, lines 23-43: The following Table 1 lists a number of the data elements that are used in the 3DS 2 Protocol for authentication. For example, at least some of these data elements may be included in the authentication data included in the AReq sent to directory server 510. The authentication data may also be divided by category, such as: transaction data (amount, currency, date, and time), device data (IP address, device info, and channel data), cardholder data (account number and shipping address) (user identifier), and merchant data (name (request context attribute), category (resource category), and country). Table 1: Data element 3: 3DS Requestor ID (user identifier); selecting, based on the anomaly-based risk score and the explanation, an approval procedure from a plurality of approval procedures, the plurality of approval procedures comprising at least: a manual review procedure, an automatic approval procedure, and a policy-based alert procedure (Ederle: column 6, lines 28-35 and 45-67: The RBA-enabled directory server embeds the RBA result data into the AReq message to generate an enhanced or enriched AReq message. The enhanced AReq message is then transmitted from the RBA-enabled directory server to the ACS. The ACS then analyzes the RBA result data in the enhanced AReq message to make an authentication decision. That is, in the example embodiment, the ACS may determine to fully authenticate the transaction (step-down approval procedure avoiding human review), deny authentication for the transaction (step-down approval procedure avoiding human review), or perform additional authentication (e.g., by issuing a step-up challenge to the cardholder) for the transaction, based on at least one of a risk score, the risk analysis, and the reason codes. Column 7, lines 41-60: in the case of a high risk transaction, the authentication platform may deny the transaction (step-down approval procedure avoiding human review). If the transaction is low risk, the authentication platform may approve the transaction (step-down approval procedure avoiding human review). Column 34, lines 28-32: Further, authentication platform 614 may notify the issuer and/or merchant that the transaction was clearly fraudulent (alert-based procedure), enabling the issuer and/or merchant to take appropriate action (e.g., flagging the associated account number and/or cardholder). Also, column 31, lines 24-32 and 53-62); executing the approval procedure; and implementing an access control decision based on the result of the approval procedure (Ederle: column 7, lines 40-67: The authentication platform may transmit an authentication response (ARes) message including the denial to the 3DS server. The 3DS server may transmit the Ares message including the denial to the merchant. If the transaction is low risk, the authentication platform may approve the transaction and transmit an authentication response (ARes) message including the approval to the 3DS server, where at least one of the 3DS server and the merchant may initiate the authorization process). As per claim 13, Ederle teaches: The method of claim 9, wherein selecting the approval procedure comprises evaluating a decision policy that maps combinations of: a quantitative range of the anomaly-based risk score; and a categorical classification of the explanation output from the explanatory ML model, to a corresponding approval procedure selected from a predefined set of approval workflows (Ederle: column 38, lines 31-47: In some embodiments, the risk score and the risk threshold may be integer values that may be compared to determine whether the risk score is more or less than the risk threshold. In other embodiments, the risk threshold may be a category of a tiered set of categories (e.g., “low”, “medium”, “high”) and the risk score may be of that same tiered set of categories, or the risk score may be a value that is mapped into that tiered set of categories (e.g., with regulator-, issuer-, or system-defined ranges for each category). For example, RBA engine 612 may allow the regulators for this market to define the “low risk” category as being any transaction score below 400 (e.g., as evaluated under 3DS 2 by RBA engine 612). Column 7, lines 41-60: in the case of a high risk transaction, the authentication platform may deny the transaction. If the transaction is low risk, the authentication platform may approve the transaction). Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows: 1. Determining the scope and contents of the prior art. 2. Ascertaining the differences between the prior art and the claims at issue. 3. Resolving the level of ordinary skill in the pertinent art. 4. Considering objective evidence present in the application indicating obviousness or nonobviousness. This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention. Claims 2 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Ederle and US 20150363791 to Raz et al (hereinafter Raz). As per claims 2 and 16, Ederle does not teach the limitations of claim 2. However, Raz teaches: wherein: the explanatory ML model is part of a machine learning model subsystem that further comprises a plurality of historical access pattern models; and the instructions to compute the anomaly-based risk score for the request, further cause the computing system to: obtain a predicted probability from a historical access pattern model of the plurality of historical access pattern models; determine an entropy value for a respective predicted probability; and weigh the predicted probabilities according to their respective entropy values to compute the anomaly-based risk score (Raz: [0069]-[0070]: Query analyzer 159 may send the pertinent parameter extracted by feature extractor 120 to the appropriate analyzer 151-154. For example, text may be sent to natural language processor 151 for analysis as described in more detail herein below. It will be appreciated that query analyzer 159 may handle text, numbers, menu selections and URLs. [0070] It will be appreciated that natural language processor 151 may utilize a Markov graph tree, produced by statistical model generator 40 from the texts received from multiple users during the training phase and stored in query models 54 and 64. The graph tree may be utilized to determine if a newly received piece of text has been seen before (such as during the training phase), i.e., the query models are historical access pattern models. [0078]-[0081]: Numerical analyzer 152 may utilize a numeric analysis algorithm which may, given a new number, determine how normal that new number is relative to the existing series of numbers in query models 54 and 64. [0087]-[0088]: [0087] For menu choice analyzer 153, statistical model generator 40 may determine the probability associated with each value received during the training phase, where the probability is an empirical probability function. [0092] Referring back to FIG. 4, query analyzer 159 may receive the probability output from natural language processor 151, numeric analyzer 152, menu choice analyzer 153, and URL analyzer 154 and may determine a Query Score as a weighted sum of the probabilities from each set of analyzers, per HTTP request, using Shannon's entropy of information). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Raz in the invention of Ederle to include the above limitations. The motivation to do so would be to provide a business action fraud detection system for a website (Raz: [0007]). Claims 3, 5, 14, 17, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Ederle and US 6330546 to Gopinathan et al (hereinafter Gopinathan). As per claims 3 and 17, Ederle teaches: The computing system of claim 1, wherein the instructions to select, based on the anomaly-based risk score and the explanation, the approval procedure further causes the computing system to: classify the explanation into one of a plurality of predefined explanation categories, wherein a predefined explanation category is associated with a corresponding approval procedure selected from among a human-in-the-loop approval procedure and an automated approval procedure; and select the approval procedure based on the classification and the anomaly-based risk score to determine whether access should be granted to the secured resource for the specific requestor at the specific time of the access request (Ederle: column 6, lines 28-35 and 45-67: The RBA-enabled directory server embeds the RBA result data into the AReq message to generate an enhanced or enriched AReq message. The enhanced AReq message is then transmitted from the RBA-enabled directory server to the ACS. The ACS then analyzes the RBA result data in the enhanced AReq message to make an authentication decision. That is, in the example embodiment, the ACS may determine to fully authenticate the transaction, deny authentication for the transaction, or perform additional authentication (e.g., by issuing a step-up challenge to the cardholder) for the transaction, based on at least one of a risk score, the risk analysis, and the reason codes. Column 7, lines 41-60: in the case of a high risk transaction, the authentication platform may deny the transaction. If the transaction is low risk, the authentication platform may approve the transaction (automated approval procedure)). Ederle does not teach: a human-in-the-loop approval procedure. However, Gopinathan teaches: a human-in-the-loop approval procedure (Gopinathan: column 2, lines 41-56: In accordance with the present invention, there is provided an automated system and method for detecting fraudulent transactions, which uses a predictive model such as a neural network to evaluate individual customer accounts and identify potentially fraudulent transactions based on learned relationships among known variables. These relationships enable the system to estimate a probability of fraud for each transaction. This probability may then be provided as output to a human decision-maker involved in processing the transaction, or the issuer may be signaled when the probability exceeds a predetermined amount. The system may also output reason codes (explanation) that reveal the relative contributions of various factors to a particular result. Column 4, lines 23-36: FIG. 4 shows transaction analysis screen 401 that allows the fraud analyst to examine each high-risk transaction and determine appropriate fraud control actions). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Gopinathan in the invention of Ederle to include the above limitations. The motivation to do so would be to have an automated system that uses available information regarding cardholders, merchants, and transactions to screen transactions and isolate those which are likely to be fraudulent, and which captures a relatively high proportion of frauds while maintaining a relatively low false-positive rate (Gopinathan: column 2 lines 29-39). As per claim 5, Ederle does not teach the limitations of claim 5. However, Gopinathan teaches: wherein the computing system is further configured to display the explanation to a reviewing user when the approval procedure is the step-up approval procedure (Gopinathan: column 2, lines 41-56: In accordance with the present invention, there is provided an automated system and method for detecting fraudulent transactions, which uses a predictive model such as a neural network to evaluate individual customer accounts and identify potentially fraudulent transactions based on learned relationships among known variables. These relationships enable the system to estimate a probability of fraud for each transaction. This probability may then be provided as output to a human decision-maker involved in processing the transaction, or the issuer may be signaled when the probability exceeds a predetermined amount. The system may also output reason codes (explanation) that reveal the relative contributions of various factors to a particular result. Column 4, lines 23-36: FIG. 4 shows transaction analysis screen 401 that allows the fraud analyst to examine each high-risk transaction and determine appropriate fraud control actions. It includes account information 402, fraud score 403, explanations derived from reason codes 404 that indicate the reasons for fraud score 403). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Gopinathan in the invention of Ederle to include the above limitations. The motivation to do so would be to have an automated system that uses available information regarding cardholders, merchants, and transactions to screen transactions and isolate those which are likely to be fraudulent, and which captures a relatively high proportion of frauds while maintaining a relatively low false-positive rate (Gopinathan: column 2 lines 29-39). As per claims 14 and 20, Ederle does not teach the limitations of claims 14 and 20. However, Gopinathan teaches: wherein generating the explanation using the explanatory ML model comprises applying a model-intrinsic interpretability technique within the explanatory ML model, the interpretability technique being selected from the group consisting of: attention-based feature weighting; input feature attribution using gradient-based or perturbation-based analysis; and class-conditional probability decomposition for feature-level contribution assessment (Gopinathan: column 2, lines 41-56: In accordance with the present invention, there is provided an automated system and method for detecting fraudulent transactions, which uses a predictive model such as a neural network to evaluate individual customer accounts and identify potentially fraudulent transactions based on learned relationships among known variables. These relationships enable the system to estimate a probability of fraud for each transaction. This probability may then be provided as output to a human decision-maker involved in processing the transaction, or the issuer may be signaled when the probability exceeds a predetermined amount. The system may also output reason codes (explanation) that reveal the relative contributions of various factors to a particular result. Column 17, line 62-column 18, line 65: Network Training: Once pre-processing is complete, the fraud-related variables are fed to the network and the network is trained. The preferred embodiment uses a modeling technique known as a "feed forward" neural network. This type of network estimates parameters which define relationships among variables using a training method. The preferred training method, well known to those skilled in the art, is called "backpropagation gradient descent optimization", although other well-known neural network training techniques may also be used. Also, column 19, lines 33-43). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Gopinathan in the invention of Ederle to include the above limitations. The motivation to do so would be to have an automated system that uses available information regarding cardholders, merchants, and transactions to screen transactions and isolate those which are likely to be fraudulent, and which captures a relatively high proportion of frauds while maintaining a relatively low false-positive rate (Gopinathan: column 2 lines 29-39). Claims 7, 8, 10-12, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Ederle and US 20200065813 to Walters et al (hereinafter Walters). As per claim 7, Ederle does not teach the limitations of claim 7. However, Walters teaches: wherein the computing system is further configured to detect an anomalous post-access behavior using a second machine learning model trained to identify deviations from historical usage patterns (Walters: [0027]: For example, some embodiments fully train the neural network 1017 with the transaction data from multiple customers prior to training an instance of the neural network 1017 with purchase history of a specific customer. Other embodiments may not fully train the neural network 1017 prior to provision of an instance to train with purchase history of a specific customer. [0028] The neural networks 1037 and 1047 represent instances of the neural network 1017 retrained for customers associated with the customer devices 1030 and 1040, respectively. In several embodiments, one or more the server(s) 1010 may perform fraud detection with the neural networks 1037 and 1047. For example, the when the customer associated with the customer device 1030 completes a transaction such as purchasing gas, the fraud detection logic circuitry 1015 may apply transaction data that describes the purchase as a tensor to the input layer of the neural network 1037. The neural network 1037 may operate in inference mode and output an indication of error associated with the purchase. [0031]: For example, the fraud detection logic circuitry 1015 may collect transaction data from new transactions associated with the customer device 1030, verify that the new transactions that are non-fraudulent (post-access behavior). [0034]: perform an inference computation, by a neural network of the fraud detection logic circuitry 1115 based on transaction data. The inference computation may determine a deviation of the purchase from a range of purchases predicted for a customer based on pretraining of the neural network to predict purchases by the customer. The pretraining of the neural network to predict purchases by the customer may be based on a purchase history of that customer). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Walters in the invention of Ederle to include the above limitations. The motivation to do so would be to change a fundamental concept of fraud detection by determining if a transaction is non-fraudulent (Walters: [0012]). As per claim 8, Ederle in view of Walters teaches: The computing system of claim 7, wherein: the computing system is further configured to update at least one access control policy or retrain the explanatory ML model based on the anomalous post-access behavior; and to perform the update or retrain the explanatory ML model, the instructions further cause the computing system to: analyze the anomalous post-access behavior; and determine, based on the analysis, whether to modify at least one policy rule or initiate retraining of the explanatory ML model (Walters: [0031]: For example, the fraud detection logic circuitry 1015 may collect transaction data from new transactions associated with the customer device 1030, verify that the new transactions that are non-fraudulent, and then train the neural network 1037 based on the new transactions. The fraud detection logic circuitry 1015 may also collect new transaction data for the customer associated with customer device 1040, verify that that transactions are non-fraudulent, and continue to train the neural network 1047). The examiner provides the same rationale to combine prior arts Ederle and Walters as in claim 7 above. As per claim 10, Ederle does not teach the limitations of claim 10. However, Walters teaches: further comprising: initiating a post-access observation period following implementation of the access control decision; and monitoring, during the post-access observation period, activity associated with the requestor or the accessed resource to collect behavioral data for subsequent analysis (Walters: [0028] The neural networks 1037 and 1047 represent instances of the neural network 1017 retrained for customers associated with the customer devices 1030 and 1040, respectively. In several embodiments, one or more the server(s) 1010 may perform fraud detection with the neural networks 1037 and 1047. For example, the when the customer associated with the customer device 1030 completes a transaction such as purchasing gas, the fraud detection logic circuitry 1015 may apply transaction data that describes the purchase as a tensor to the input layer of the neural network 1037. The neural network 1037 may operate in inference mode and output an indication of error associated with the purchase. [0031]: For example, the fraud detection logic circuitry 1015 may collect transaction data from new transactions associated with the customer device 1030, verify that the new transactions that are non-fraudulent (post-access behavior)). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Walters in the invention of Ederle to include the above limitations. The motivation to do so would be to change a fundamental concept of fraud detection by determining if a transaction is non-fraudulent (Walters: [0012]). As per claim 11, Ederle in view of Walters teaches: The method of claim 10, further comprising: processing the activity monitored during the post-access observation period using a second machine learning model, the second machine learning model configured to represent normal post-access behavior of users or resources (Walters: [0012]: embodiments may train neural networks to learn what a non-fraudulent transaction is and when transaction data for a fraudulent transaction is input into the neural network, the neural network may produce an error indicative of the difference between a non-fraudulent transaction and the transaction provided as the input. [0028]: If the customer buys the gas at the same gas station for about the same amount, at about the same time, on about the same day of the week that the customer normally purchases gas for a vehicle, the error output from the neural network 1037 will likely be very small if not nil. On the other hand, if one or more of these factors deviate significantly from the customer's purchase history and/or from the sequences of transactions learned from training on transaction data from multiple customers, the error output from the neural network 1037 may be large, i.e., the neural network is trained on normal behavior of a user. [0031]: For example, the fraud detection logic circuitry 1015 may collect transaction data from new transactions associated with the customer device 1030, verify that the new transactions that are non-fraudulent (post-access behavior)); and detecting, based on an output of the second machine learning model, an anomalous post-access behavior associated with the requestor or the accessed resource (Walters: [0029]: The fraud detection logic circuitry 1015 may compare the deviation threshold to the error output by the neural network 1037 in response to the purchase to determine if the error represents a potentially fraudulent transaction). The examiner provides the same rationale to combine prior arts Ederle and Walters as in claim 10 above. As per claim 12, Ederle does not teach the limitations of claim 12. However, Walters teaches: further comprising: detecting, subsequent to implementing the access control decision, anomalous behavior associated with the requestor or the accessed resource during a post-access observation period (Walters: [0029]: The fraud detection logic circuitry 1015 may compare the deviation threshold to the error output by the neural network 1037 in response to the purchase to determine if the error represents a potentially fraudulent transaction); and based on detecting the anomalous behavior, performing at least one of: updating an access control policy; or retraining the explanatory ML model (Walters: For example, the fraud detection logic circuitry 1015 may collect transaction data from new transactions associated with the customer device 1030, verify that the new transactions that are non-fraudulent, and then train the neural network 1037 based on the new transactions). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Walters in the invention of Ederle to include the above limitations. The motivation to do so would be to change a fundamental concept of fraud detection by determining if a transaction is non-fraudulent (Walters: [0012]). As per claim 18, Ederle teaches: The non-transitory computer-readable medium of claim 15, further comprising instructions to: initiate a post-access observation period following implementation of the access control decision; monitor, during the post-access observation period, activity associated with the requestor or the accessed resource (Ederle: column 10, lines 13-23: a payment processor could indicate if a particular device is associated with fraud, and flag that device for issuers in future transactions. The issuer may then reject transactions involving that device or prompt for additional authentication (e.g., through two-factor authentication)); Ederle does not teach the rest of the limitations. However, Walters teaches: detect anomalous post-access behavior within the activity during the post-access observation period using a second machine learning model trained to recognize deviations from historical behavior (Walters: [0027]: For example, some embodiments fully train the neural network 1017 with the transaction data from multiple customers prior to training an instance of the neural network 1017 with purchase history of a specific customer. Other embodiments may not fully train the neural network 1017 prior to provision of an instance to train with purchase history of a specific customer. [0028] The neural networks 1037 and 1047 represent instances of the neural network 1017 retrained for customers associated with the customer devices 1030 and 1040, respectively. In several embodiments, one or more the server(s) 1010 may perform fraud detection with the neural networks 1037 and 1047. For example, the when the customer associated with the customer device 1030 completes a transaction such as purchasing gas, the fraud detection logic circuitry 1015 may apply transaction data that describes the purchase as a tensor to the input layer of the neural network 1037. The neural network 1037 may operate in inference mode and output an indication of error associated with the purchase. [0031]: For example, the fraud detection logic circuitry 1015 may collect transaction data from new transactions associated with the customer device 1030, verify that the new transactions that are non-fraudulent (post-access behavior). [0034]: perform an inference computation, by a neural network of the fraud detection logic circuitry 1115 based on transaction data. The inference computation may determine a deviation of the purchase from a range of purchases predicted for a customer based on pretraining of the neural network to predict purchases by the customer. The pretraining of the neural network to predict purchases by the customer may be based on a purchase history of that customer); and based on the anomalous post-access behavior, perform at least one of: updating an access control policy or retraining the explanatory ML model (Walters: [0031]: For example, the fraud detection logic circuitry 1015 may collect transaction data from new transactions associated with the customer device 1030, verify that the new transactions that are non-fraudulent, and then train the neural network 1037 based on the new transactions. The fraud detection logic circuitry 1015 may also collect new transaction data for the customer associated with customer device 1040, verify that that transactions are non-fraudulent, and continue to train the neural network 1047). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Walters in the invention of Ederle to include the above limitations. The motivation to do so would be to change a fundamental concept of fraud detection by determining if a transaction is non-fraudulent (Walters: [0012]). Claim 19 is rejected under 35 U.S.C. 103 as being unpatentable over Ederle and US 20070000999 to Kubo et al (hereinafter Kubo). As per claim 19, Ederle does not teach the limitations of claim 19. However, Kubo teaches: wherein the explanatory ML model is part of a machine learning model subsystem further comprising: a conditional probability machine learning model; or a collaborative filtering machine learning model (Kubo: [0007] an authorization engine configured to perform an analysis in relation to a received request for authorization of a current electronic payment transaction and generate an authorization output based on the analysis. [0010] determine one or more intermediate values in relation to the received authorization request based on the one or more distribution functions, [0011] determine a conditional probability in relation to the one or more intermediate values based on at least some of the stored transaction records, the conditional probability indicative of a probability of a predetermined transaction result under the condition of the one or more intermediate values, and [0012] generate the authorization output based on the determined conditional probability. [0071] The conditional probability distributions can be determined by the first authorization engine 18 in different ways. Other ways, which may be computationally more feasible, resort to methods of predictive modeling and may employ Naive Bayes networks or neural networks). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Kubo in the invention of Ederle to include the above limitations. The motivation to do so would be to provide a transaction authorization system and method which allow to achieve improved decision reliability to thereby prevent increased load on existing computing and network resources (Kubo: [0005]). Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: US 20210295427 to Shiu et al: Certain aspects of the present disclosure provide techniques for generating a human readable summary explanation to a user for an outcome generated by a complex machine learning model. In one embodiment, a risk assessment service can receive a request from a user in which a risk model of the risk assessment service performs a specific task (e.g., determining the level of risk associated with the user). Once the risk model determines the risk associated with the user, in order to comply with regulations from a compliance system, the risk model can provide a user with an explanation as to the outcome for transparency purposes. Any inquiry concerning this communication or earlier communications from the examiner should be directed to MADHURI R HERZOG whose telephone number is (571)270-3359. The examiner can normally be reached 8:30AM-4:30PM. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached at (571)272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. MADHURI R. HERZOG Primary Examiner Art Unit 2438 /MADHURI R HERZOG/Primary Examiner, Art Unit 2438
Read full office action

Prosecution Timeline

Jul 02, 2025
Application Filed
Apr 21, 2026
Non-Final Rejection mailed — §102, §103, §112
May 13, 2026
Interview Requested
Jun 08, 2026
Applicant Interview (Telephonic)
Jun 08, 2026
Examiner Interview Summary

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12682083
CRYPTOSYSTEM MIGRATION FOR SECURE BOOT SEQUENCES
2y 8m to grant Granted Jul 14, 2026
Patent 12670277
ACCESS CONTROL LIST (ACL) AND ROLE-BASED ACCESS CONTROL (RBAC) MANAGEMENT USING CONTENT-BASED DATASETS
3y 8m to grant Granted Jun 30, 2026
Patent 12671718
System and Method for Quantum-Enabled Cyber Security in a Wireless Mobile Network
2y 2m to grant Granted Jun 30, 2026
Patent 12652540
METHOD AND ELECTRONIC DEVICE FOR DETERMINING SECURITY THREAT ON RADIO ACCESS NETWORK
2y 10m to grant Granted Jun 09, 2026
Patent 12645839
Offset Data Integrity Checks for Latency Reduction
3y 8m to grant Granted Jun 02, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

1-2
Expected OA Rounds
78%
Grant Probability
90%
With Interview (+12.0%)
2y 11m (~1y 11m remaining)
Median Time to Grant
Low
PTA Risk
Based on 673 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month