Continued Examination under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 12/18/2020 has been entered.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 12/18/2020 was filed after the mailing date of the Final Rejection on 09/23/2020. The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Amendment
This Action is in response to communications filed on 12/18/2020.
Claims 1-2, 8 and 15 have been amended.
Claims 3, 10, and 17 were previously cancelled. There are no new claims.
Claims 1-2, 4-9, 11-16, and 18-20 are presented for examination. 
Claims 1-2, 4-9, 11-16, and 18-20 remain pending in this application.

Specification
The amendment to abstract received on 12/18/2020 is acceptable, and as a result, the respective specification objections made in the final Office Action has been withdrawn.
Claim Objections
In the final office Action mailed on 09/23/2020, claim 2 was objected to for minor informality. In the response filed on 12/18/2020, applicant amends the respective claims to obviate the objection, and as a result, the respective claim objection made in the final Office Action has been withdrawn. 

Response to Arguments Regarding Claim Rejections - 35 USC § 103
The Applicant's amendment/ arguments, see page 13-16 of REMARKS, filed 12/18/2020, with respect to Claim Rejections - 35 USC § 103 have been fully considered but they are not persuasive. In the response filed on 12/18/2020, applicant puts forth in substance that:
“In the final Office Action dated September 23rd, 2020, the Office asserts that the Applicant's arguments filed September 10t, 2020 with respect to Claim Rejections - 35 USC § 103 are not persuasive. Specifically, the Office cites paragraphs [0031] and [0238] as support for the interpretation of the term "resource pool" to mean "an account or profile" of a customer (Office Action, Page 6). Paragraphs [0031] and [0238] of the specification as was previously amended and filed concurrently with the arguments dated September 10, 2020 are reproduced below (with emphasis added): 
[0031] Embodiments of the present invention provide a system and method for detecting and remediating potential malfeasance interactions through the generation and analysis of dynamic directed graphs of networked accounts and transactions. A dynamic directed graph is generated, where the nodes of the dynamic directed graph represent one or more accounts (e.g., financial accounts, or the like), and the edges of the dynamic directed graph represent transactions between the nodes (i.e., transactions from one account to another account). Each edge may represent a single transaction, or multiple transactions (e.g., an aggregate set of transactions). 

[0238] As used herein, the term an "account" or "resource pool" may be the relationship that the customer has with the financial institution. Examples of accounts include a deposit account, such as a transactional account (e.g., a banking account), a savings account, an investment account, a money market account, a time deposit, a demand deposit, a pre-paid account, a credit account, or the like. An account may be associated with and/or maintained by a financial institution. As used herein, the terms "resource distribution request,"  "resource distribution," and "resource distribution events" may refer to a transaction between two resource pools performed using a computing device. 

Applicant asserts that as shown above, the specification specifically defines "resource pool" as being interchangeable with "account" and goes on to define an account as including "a deposit account, such as a transactional account (e.g., a banking account), a savings account, an investment account, a money market account, a time deposit, a demand deposit, a pre-paid account, a credit account, or the like." At no point does the specification suggest or teach that a single resource pool or account is equivalent to a single user or customer. 
Verma, in Paragraphs [0057]-[0059] and [0064], expressly teaches a graph including a plurality of nodes wherein each node may correspond to one of a plurality of network users. Verma goes on to teach that the edges of these graphs "correspond to connections or relationships between the various network users." (Verma, Paragraph [0064]). While it is true that Verma does disclose specific sets of variables for both account level monitoring and customer level monitoring in Paragraphs [0050]-[0051], the specification goes on to clarify in Paragraph [0054] that "the important aspect of constructing the network model based on the user network activities is the relationships that those activities create between the various users and/or the service provider, and the insights those activities provide into user behaviors." Therefore, even if assuming arguendo that the graph nodes taught by Verma could be representative of individual accounts, it is clear that the overall purpose of the graph construction is to identify relationships, trends, and potential security threats at the customer level.” (See page 13-15 of REMARKS, filed 12/18/2020).

The applicant argues that the overall purpose of the graph construction taught by Verma is to identify relationships, trends, and potential security threats at the customer level. However, the examiner notes that the current invention also discloses generating directed and undirected graphs (indicating relationships), detecting a malfeasance pattern based on the generated directed and undirected graphs (identifying trend and potential security threats), and executing remediation actions. More specifically, 
Applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.

“With respect to the amended claim recitation of "receiving current resource distribution request information for a second plurality of resource pools, wherein the current resource distribution request information is associated with a current set of resource distribution requests, wherein the current set of resource distribution requests is updated continuously after the ending of a first period of time," the Office cites Verma at Paragraph [0036] as teaching this recitation and claims that the use of "existing data" implies that the "current" data is associated with a later time period. However, Verma explicitly teaches in Paragraph [0044] that the claimed system is configured to "periodically check the remote database to determine whether any changes in the information stored therein have occurred since a last time that the detection device retrieved the data" and that "the detection device may be reconfigured to retrieve data from the database in a timely manner to ensure that it is operating on the correct data sets." (See Verma, Paragraph [0044]). The current invention on the other hand continuously updates with data in order to ensure that the dynamic graph reflects real-time transaction activity. Paragraph [0091] of the current specification further explains this claim recitation, stating that each directed and/or undirected graph may continuously update as new transactions are proposed, initiated, and/or executed, thereby dynamically changing over time to provide a current representation of a network of accounts and their transaction interactions.” (See page 15 of REMARKS, filed 12/18/2020).

wherein the current set of resource distribution requests is updated continuously after the ending of a first period of time”.
Applicant admits that Verma explicitly teaches in Paragraph [0044] that the claimed system is configured to "periodically check the remote database to determine whether any changes in the information stored therein have occurred since a last time that the detection device retrieved the data" and that "the detection device may be reconfigured to retrieve data from the database in a timely manner to ensure that it is operating on the correct data sets." (See page 15 of REMARKS, filed 12/18/2020). However, examiner notes that the cited reference to Verma also teaches that detection device may check for updated data once a week, once a month, once a quarter, once every six months, or some other time interval (see paragraph [0044]). More importantly, Verma discloses that banks may have data regarding previously identified outlier customers (see [0105]). Verma then teaches that a graphical user interface is configured to depict various aspects of network activity over time. More specifically, [0137]-[0139] in view of Fig.11 discloses that the interface may be updated as additional data is received by the system that facilitates visualization of appearance of abnormal accounts over time. The interface of FIG. 11 may provide a timeline 1130 representing activity within the network over a time period (e.g., from a time t=0 to a time t=n). The timeline 1130 may indicate how dynamic or static the network or a snapshot of the network is. 
Periodically checking for updated data at a set time interval, and updating the graphical user interface that facilitates visualization of appearance of accounts representing activity within the network over a time period t=0 to t=n imply continuously updating transaction activities after t=0. Therefore, examiner articulates that the cited reference to Verma sufficiently discloses the argued limitation.

“Additionally, with respect to the claim recitation of "monitoring the current dynamic graph and identifying a current malfeasance pattern from a portion of the current dynamic graph matching at least one historical malfeasance pattern in a historical pattern database based on monitoring the current dynamic graph," the Office cites Verma at Paragraphs [0039] and [0046]- [0048] as teaching this recitation. However, at no point does Verma teach or suggest the use of a historical pattern database to provide historical pattern data with which to compare current patterns against. Verma teaches generally of detecting data outliers, which are stated to "present unique behavior characteristics that can be detected and compared against the behaviors of other users." (See Verma, Paragraph [0039]). The Office claims that the "analytics data mart" taught by Verma in Paragraphs [0046]-[0048] is an example of a graph analytics technique which is equivalent to the use of a historical pattern database. Applicant asserts that this is a mischaracterization of the technique taught by Verma, which detects outliers based on their correlation to a set of hypothetical rules or situations, which is not at all analogous to the technique claimed here of evaluating current patterns against known patterns which have occurred at a given time and were recorded and stored in a historical pattern database.” (See page 15-16 of REMARKS, filed 12/18/2020).

In response to the Applicant’s arguments, it is noted that the cited reference to Verma also discloses evaluating current patterns against known patterns. More specifically, Verma discloses that banks may have data regarding previously identified outlier customers (see [0105]), and that through evaluation of the one or more models against the one or more rule sets, systems operating in accordance with embodiments generate a set of outlier network activity predictions based on behavioral similarities (i.e., similarities in user activity) between the modeled network user behaviors and the behaviors of known outlier network activities (see [0004] and [0041]). While Verma might detect outliers based on their correlation to a set of hypothetical rules or situations, such rules or situations involve matching 

“Regarding the claim recitation of "transmitting a notification associated with the second plurality of resource pools to a third party entity, wherein the notification comprises the current resource distribution request information," the Office does not cite a reference or otherwise suggest that this claim limitation has been taught in the prior art. Applicant respectfully submits that, in absence of a prior art citation, the independent claims 1, 8, and 15 claiming this recitation are patentable.” (See page 16 of REMARKS, filed 12/18/2020).

In response to the Applicant’s arguments, it is noted that the claim limitation that the applicant argues upon recites, 
“in response to detecting the current malfeasance pattern, execute one or more remediation actions on one or more of the second plurality of resource pools that are associated with the portion of the current dynamic graph associated with the malfeasance, wherein the one or more remediation actions comprise at least one of: 
block the second plurality of resource pools from sending resource distribution requests; 
freeze the second plurality of resource pools from receiving subsequent one or more resource distribution requests; 
prompt a sender of the subsequent one or more resource distribution requests to provide additional authentication credentials before executing the subsequent one or more resource distribution requests; and 
transmit a notification associated with the second plurality of resource pools to a third party entity, wherein the notification comprises the current resource distribution request information.”

transmit a notification associated with the second plurality of resource pools to a third party entity, wherein the notification comprises the current resource distribution request information” is recited in the claim, it is only recited as one of multiple alternative remedial actions required to be executed, as highlighted above (i.e., execute one or more remediation actions… wherein the one or more remediation actions comprise at least one of…). Examiner further notes that where a claim reads on multiple alternative, only one alternative needs to be taught or suggested by the prior art in order for the claim to be anticipated or rendered obvious. See, e.g., Fresenius USA, Inc. v. Baxter Int’l, Inc., 582 F.3d 1288, 1298, 92 USPQ2d 1163, 1171 (Fed. Cir. 2009). In other words, the entire element is disclosed by the prior art if one alternative is in the prior art. See MPEP 803.02. Therefore, so long as the cited reference to Verma discloses executes one or more remediation actions, it satisfies the claim limitation.

Applicant's arguments for the independent claims 8 and 15 (see page 16 of REMARKS, filed 12/18/2020) appear to stem from the applicant's assertion that the combination of Verma and Marvasti fails to disclose the similarly recited limitations of claim 1. However, as set forth above, this assertion does not hold ground, and therefore, the current rejection of record for the independent claims 8 and 15 persist.

Applicant's arguments for the claims dependent from independent claims 1, 8 and 15 (see page 16 of REMARKS, filed 12/18/2020) appear to stem from the applicant's assertion that the combination of Verma and Marvasti fails to disclose all the limitations of independent claims 1, 8 and 15. However, as set forth above, this assertion does not hold ground, and therefore, the current rejection of record for the dependent claims persist.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claim(s) 1-2, 5-9, 12-16 and 19-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Verma et al. (hereinafter, Verma, US 20190132224 A1) in view of Marvasti et al. (hereinafter, Marvasti, US 20130097463 A1).

NOTE: the reference to Verma has a U.S. filing date of August 9, 2018, and claims priority to European Patent Application No. EP 17386042.0 filed Oct. 26, 2017.

Regarding claim 1, Verma discloses a system (see Fig.1:100; also see [0032]) for a pattern-based examination and detection of malfeasance through dynamic graph network flow analysis (see [0007]-, the system (see Fig.1:100) comprising: 
a controller (see Fig.1:110) for generating undirected graphs (see [0008] lines 1-4; transform existing network data into one or more network models, such as one or more graphs; also see Fig.2:200 and Fig.3:300 for undirected graphs), detecting a malfeasance pattern based on the generated directed and undirected graphs (see [0007]-[0008]; the systems and methods of the present disclosure may allow for faster detection of new, previously unseen outlier (abnormal) network activity patterns and behaviors through analysis of cliques of network users with unknown and/or emerging behaviors...through interactive visualization tools such as graph-based analysis), and executing remediation actions (see [0008]; abnormality of a behavior can be identified and steps can be taken to prevent pursuit of that behavior), the controller (see Fig.1:110) comprising one or more memory devices (see Fig.1:114) with a computer-readable program code stored thereon (see Fig.1:116; also see [0011]), one or more communication devices (see Fig.1:170) connected to a network (see Fig.1:180; also see [0035]; one or more communication interfaces 170 may communicatively couple the detection device 110 to the network 180), and one or more processing devices (see Fig.1: 112), wherein the one or more processing devices execute the computer-readable program code (see [0034]; the memory 114 may store instructions 116 that, when executed by the one or more processors 112, cause the one or more processors 112 to perform operations described in connection with the detection device 110 with reference to FIGS. 1-17) to: 
receive current resource distribution request information for a second plurality of resource pools, wherein the current resource distribution request information is associated with a current set of resource distribution requests (see [0036] in view of [0005]; the system 100 may receive the one or more data sets including information representative of the network activity (i.e. interactions between the network of users, such as transactions in which the plurality of users are engaged) by the plurality of users from the service provider 190 via the network 180; , wherein the current set of resource distribution requests is updated continuously after the ending of a first period of time (see [0044]; detection device may (periodically) check for updated data once a week, once a month, once a quarter, once every six months, or some other time interval; also see [0137]-[0139] in view of Fig.11; graphical user interface depicts various aspects of network activity over time… the graphical user interface may be updated as additional data is received by the system that facilitates visualization of appearance of abnormal accounts over time. The interface of FIG. 11 may provide a timeline 1130 representing activity within the network over a time period- e.g., from a time t=0 to a time t=n; examiner articulates that periodically checking for updated data at a set time interval, and updating the graphical user interface that facilitates visualization of appearance of accounts representing activity within the network over a time period t=0 to t=n imply continuously updating transaction activities after t=0); 
generate a current dynamic graph (see Fig.3:300) comprising a current plurality of nodes (see Fig.3:302) and a current plurality of edges (see [0041]; the detection device 110 may construct one or more network models based on the information received from the service provider 192, where the one or more models include information that conceptualizes or captures attributes (e.g., behaviors, interactions, relationships, activity, etc.) of the network users and their interactions with the one or more services; also see [0050]-[0051]; To facilitate account level and customer level monitoring, appropriate data sets are compiled, and this information may be used by the detection device 110 to construct a graph of user activity at the account level and the customer level; also see [0057]-[0058]; the detection device 110 may be configured to construct a network model representative of at least a portion of the network activity (such as transactions executed across a financial network) based on at least one of the one or more compiled data sets...constructing the network model may include constructing at least one graph of the network activity; also see [0064]; The graph may include a plurality of nodes and a plurality of edges; also see [0071]; For example, graphs constructed by the detection device 110 may be used to provide interactive visualization tools that allow network activity to be viewed as a function of behaviors and relationships), wherein each of the current plurality of nodes represents at least one of the second plurality of resource pools from the received current resource distribution request information (see [0064]; The graph may include a plurality of nodes and a plurality of edges, where each of the plurality of nodes may correspond to one of the plurality of network users), and wherein each of the current plurality of edges is associated with at least a net resource distribution amount and a net resource distribution direction between two of the current plurality of nodes (see [0061]; detection device 110 may be configured to convert the raw relational data into a graph structure based on the set of features (attributes selected based on a set of KPIs) used to generate edges of the graph; also see [0047]; analytics data between accounts and/or customers that are sending or receiving many small transactions in a certain period that sum up to a big amount implies a net resource distribution amount; movement of funds from one account/customer to the other implies a net resource distribution direction; also see [0064]; the graph may include a plurality of edges between nodes, and the edges may correspond to connections or relationships between the various network users), wherein the current dynamic graph is a dynamic directed graph or a dynamic undirected graph (see [0064]; constructing the graph based on the association matrix may include applying edge weights to the plurality of edges of the graph, where edge weights are representative of an association strength between two connected nodes; examiner articulates that graph with edges that have weights representative of strength of association between connected nodes (and no direction) is a dynamic undirected graph); 
monitor the current dynamic graph and identify a current malfeasance pattern from a portion of the current dynamic graph matching at least one historical malfeasance pattern in a historical pattern database based on monitoring the current dynamic graph (see [0039]; The disclosed outlier detection techniques allow the system 100 to detect new outliers through comparisons of the behavior of members of a user population (or subset of the user population) to confirmed outliers using an ensemble of graph analytics techniques; also see [0046]-[0048]; In the description that follows, aspects of establishing an analytics data mart for an anti-money laundering (AML) use case are described; a set of descriptive variables that captures the holistic behavior of each account and user may be defined and engineered to effectively capture the different scenarios commonly associated with money laundering... for e.g. a sudden change in transacting behavior--accounts and/or customers with a significant change their transaction patterns (i.e., in the frequency, volume and/or amount of transactions) may indicate abnormal behavior; unusual cash and monetary instrument activity/ transactions may require a closer analysis to ensure that any abnormal activity is captured; accounts and/or customers with high risk require closer monitoring as they may be prone to conducting money laundering; also see [0072]-[0074]; Once the network model, such as the graph described above, has been constructed, the detection device 110 may be configured to evaluate the network model against a set of rules and produce a set of classifications that classify the nodes (e.g., the users) as exhibiting behaviors similar to outliers) or non-outliers; also see [0077]-[0078]; also see [0107]; By taking various user attributes into consideration, as well as how those attributes compare to attributes of known outliers, the system 100 may detect outlier network activity with a higher degree of accuracy; also see [0113]; system may evaluate the user 302 against all low risk users 304, high risk users 308, and remaining users 306 to evaluate how attributes of the user 302 compare to the attributes of those other users of the model), 
wherein the current malfeasance pattern is associated with a current set of nodes of the current plurality of nodes (see [0047]; rapid movement of funds--accounts , a current set of edges of the current plurality of edges (see [0047]; exclusive recurring relationships--pairs of accounts and/or customers with a high volume or total amount of transactions can be abnormal since they may indicate a form of unauthorized business between the two parties), or a combination of the current set of nodes and the current set of edges (see [0047]; sudden change in transacting behavior--accounts and/or customers with a significant change their transaction patterns (i.e., in the frequency, volume and/or amount of transactions) which may indicate abnormal behavior), 
wherein the identifying a current malfeasance pattern comprises matching the current dynamic graph with the at least one historical malfeasance pattern at a plurality of hierarchical levels (see [0048]; proposed solution performs monitoring and analysis at an account and/or customer level; also see [0050]-[0051]; To facilitate account level and customer level monitoring, appropriate data sets are compiled, and this information may be used by the detection device 110 to construct a graph of user activity at the account level and the customer level; also see [0072]-[0074]; Once the network model, such as the graph described above, has been constructed, the detection device 110 may be configured to evaluate the network model against a set of rules and produce a set of classifications that classify the nodes (e.g., the users) as exhibiting behaviors similar to outliers) or non-outliers; an account and/or customer level correspond to a plurality of hierarchical levels; also see [0077]-[0078]; the outliers may be injected into the network based on information associated with known outliers, such as through creation of outlier profiles created during compilation of the one or more data sets...the attribute prediction module 130 identifies the nodes within the network model that most closely resemble outlier nodes; attribute prediction module 130 may be configured to assign each node to one of a plurality of classes based on the node rankings. For example, a first classification , wherein the plurality of hierarchical levels are associated with each of the current plurality of nodes or a group of the current plurality of nodes (see [0048]; also see [0050]-[0051]; To facilitate account level monitoring, a set of variables for graph generation may be sorted into one of three categories: 1) account specific details; 2) transaction characteristics that are aggregated to summarize the activity of the account; and 3) customer characteristics that provide information regarding the primary account holder. To facilitate customer level monitoring, a set of variables for graph generation may be sorted into one of three categories: 1) customer specific details; 2) account specific characteristics that provide aggregated information regarding all the accounts that the customer holds as a primary or secondary owner; and 3) transaction characteristics that are aggregated to summarize the activity of each account that is held by the customer); and 
in response to detecting the current malfeasance pattern, execute one or more remediation actions on one or more of the second plurality of resource pools that are associated with the portion of the current dynamic graph associated with the malfeasance (see [0005]; also see [0039]-[0042]; After the detection device 110 identifies these potential cybersecurity threats (or outliers), the detection device 110 may execute one or more processes to mitigate those threats; also see [0103]; the detection device 110 may include outlier network activity mitigation modules and processes designed to address suspected and/or confirmed outlier activity. For example, if a node is identified as being associated with outlier network activity, the detection device 110 may implement one or more processes to hinder the node (e.g., the user and/or devices associated with that user) from engaging in outlier network behaviors), wherein the one or more remediation actions comprise at least one of: 
block the second plurality of resource pools from sending resource distribution requests (see [0103]; the detection device 110 may include outlier network activity mitigation modules and processes designed to address suspected and/or confirmed outlier activity. For example, if a node is identified as being associated with outlier network activity, the detection device 110 may implement one or more processes to hinder the node (e.g., the user and/or devices associated with that user) from engaging in outlier network behaviors, such as disabling or restricting a user account, disabling or restricting the user's access to a network and/or network resource, disabling or restricting a device associated with the user, disabling or restricting access to a service by the user and/or a device of the user, and the like; examiner articulates that limiting users that have behavioral similarities to known outliers from access to services and/or network resources until further evaluation has been completed implies blocking the users from sending transfer requests); 
freeze the second plurality of resource pools from receiving subsequent one or more resource distribution requests (see [0103]; the detection device 110 may include outlier network activity mitigation modules and processes designed to address suspected and/or confirmed outlier activity. For example, if a node is identified as being associated with outlier network activity, the detection device 110 may implement one or more processes to hinder the node (e.g., the user and/or devices associated with that user) from engaging in outlier network behaviors, such as disabling or restricting a user account, disabling or restricting the user's access to a network and/or network resource, disabling or restricting a device associated with the user, disabling or restricting access to a service by the user and/or a device of the user, and the like...until further evaluation has been completed; examiner articulates that disabling or restricting a user account until further evaluation has been completed implies blocking the users from receiving transfer requests); 
prompt a sender of the subsequent one or more resource distribution requests to provide additional authentication credentials before executing the subsequent one or more resource distribution requests (see [0103]; the detection device 110 may include outlier network activity mitigation modules and processes designed to address suspected and/or confirmed outlier activity. For example, if a node is identified as being associated with outlier network activity, the detection device 110 may implement one or more processes to hinder the node (e.g., the user and/or devices associated with that user) from engaging in outlier network behaviors... For example, the detection device 110 may initiate communications with users that are associated with a node that has been identified as an outlier node, and those communications may be configured to extract information from those users (e.g., identity verification, etc.), which may facilitate a determination as to whether those associated nodes are also engaging in outlier network activity and/or limit those users' access to services and/or network resources until further evaluation has been completed); and 
transmit a notification associated with the second plurality of resource pools to a third party entity, wherein the notification comprises the current resource distribution request information.
Although, and as set forth above, Verma discloses undirected graphs (see Fig.2:200 and Fig.3:300), and Fig.3:300 of Verma shows dynamic graph with arrows, Verma does not explicitly and clearly describe generating directed and undirected graphs.
However, Marvasti discloses generating directed and undirected graphs (see [0005]; also see Fig.2 and [0009] for undirected graph; also see Fig.8 and [0015] for directed graph).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Marvasti with Verma to generate dynamic directed graph or a dynamic undirected graph.


Regarding claim 2, Verma (modified by Marvasti) discloses the system of claim 1, as set forth above. In addition, Verma further discloses wherein the one or more processing devices execute the computer-readable program code to: 
extract historical resource distribution information for a first plurality of resource pools (see [0043]; detection device 110 may retrieve/ receive information from the service provider 190 and may use the received data to compile one or more data sets that include information representative of user activity conducted via the network 180. For example, where the network 180 is a financial network operated by a financial services provider, the one or more data sets may include information associated with accounts, transactions, demographics, and the like; examiner articulates that transactions information in which the plurality of user accounts  conducted financial transactions correspond to historical resource distribution information; examiner also articulates that plurality of users, or users' accounts, engaged in these historical transactions correspond to a first plurality of resource pools), wherein the historical resource distribution information is associated with historical resource distribution requests that occurred during a first period of time (see [0036] and [0102]; examiner articulates that 'existing data' utilized for 'previous analysis', and 'subsequent executions of outlier detection analysis' imply that the compiled/ existing data set or information is associated with historical transaction activity that occurred before the subsequent analysis); 
generate a historical dynamic graph (see Fig.3:300) comprising a plurality of nodes (see Fig.3:304-308) and a plurality of edges (see [0041]; also see [0050]-[0051]; To facilitate account level and customer level monitoring, appropriate data sets are compiled, and this information may be used by the detection device 110 to construct a graph of user activity at the account level and the customer level; also see [0057]-[0058]; also see [0064]; The graph may include a plurality of nodes and a plurality of edges; also see [0071]; For example, graphs constructed by the detection device 110 may be used to , wherein each of the plurality of nodes represents at least one of the first plurality of resource pools (see [0064]; The graph may include a plurality of nodes and a plurality of edges, where each of the plurality of nodes may correspond to one of the plurality of network users), and wherein each of the plurality of edges represent resource distribution information associated with a resource distribution event between two of the plurality of nodes (see [0061]; detection device 110 may be configured to convert the raw relational data into a graph structure based on the set of features (attributes selected based on a set of KPIs) used to generate edges of the graph; also see [0047]; analytics data between accounts and/or customers that are sending or receiving many small transactions in a certain period correspond to resource distribution information; movement of funds from one account/customer to the other correspond to resource distribution event between nodes; also see [0064]; the graph may include a plurality of edges between nodes, and the edges may correspond to connections or relationships between the various network users), wherein the historical dynamic graph is a historical dynamic directed graph or a historical dynamic undirected graph (see [0064]; constructing the graph based on the association matrix may include applying edge weights to the plurality of edges of the graph, where edge weights are representative of an association strength between two connected nodes; examiner articulates that graph with edges that have weights representative of strength of association between connected nodes (and no direction) is a dynamic undirected graph); 
identify, from the historical resource distribution information, a historical set of resource distribution events associated with a malfeasance (see [0047]; sudden change in transacting behavior--accounts and/or customers with a significant change their transaction patterns (i.e., in the frequency, volume and/or amount of transactions) indicate abnormal behavior; examiner articulates that identification of sudden change in transacting behavior such as frequency of transactions implies identification of historical behavior of such frequent transactions; examiner also articulate that such frequent transactions correspond to a historical set of resource distribution events associated with abnormal behavior); 
determine, from the historical dynamic graph, the at least one historical malfeasance pattern of node characteristics, edge characteristics, and nodal interactions associated with the malfeasance (see [0047]; also see known outliers 308 in graph 300 of Fig.3; known outlier corresponds to determined historical malfeasance pattern), wherein the at least one historical malfeasance pattern is associated with a set of nodes of the plurality of nodes (see [0047]; rapid movement of funds--accounts and/or customers that receive and send a lot of money in very short times may be abnormal as they appear to be intermediate money launderers), a set of edges of the plurality of edges (see [0047]; exclusive recurring relationships--pairs of accounts and/or customers with a high volume or total amount of transactions can be abnormal since they may indicate a form of unauthorized business between the two parties), or a combination of the set of nodes and the set of edges (see [0047]; sudden change in transacting behavior--accounts and/or customers with a significant change their transaction patterns (i.e., in the frequency, volume and/or amount of transactions) which may indicate abnormal behavior); and 
store the at least one historical malfeasance pattern in the historical pattern database (see [0046]-[0047] in view of [0041]; the service provider 190 may maintain a database 192 of information associated with its subscribers and their use of the one or more services. To identify potential threats to the cybersecurity of the service provider 190, the information stored in the database 192 may be provided to the detection device 110; information received from the service provider 192 may include information associated with known hackers (e.g., known outliers); compiling the one or more data sets may include constructing an analytics data mart, which may be stored at the database 118; also see [0105]; Entities operating in finance and risk industries, such as banks, may have data regarding previously identified outlier customers).
Although, and as set forth above, Verma discloses that banks may have data regarding previously identified outlier customers (see [0105]), the reference to Marvasti is relied on to more explicitly disclose store the at least one historical malfeasance pattern in the historical pattern database (see [0029]; historical event data is gathered and used to determine and correlate root causes. The historical root cause data is stored for use in active mode 30; also see [0044] regarding “Historical Mode”; the graphs are stored in a database table).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Marvasti with Verma to store the at least one historical malfeasance pattern in the historical pattern database.
One of ordinary skill in the art would have been motivated to determine root causes of events in complex systems in real-time based on a statistical processing of a virtual directed graph produced from historical events (Marvasti: [0003]-[0004]).

Regarding claim 5, Verma (modified by Marvasti) discloses the system of claim 2, as set forth above. In addition, Verma further discloses wherein the historical resource distribution information and the current resource distribution request information comprise resource distribution amount (see [0047]; amount of transactions corresponds to resource distribution amount), resource distribution time (see [0047]; receive and send a lot of money in very short times, and accounts and/or customers that are sending or receiving many small transactions in a certain period implies transaction time/ period), payor resource pool information (see [0047]; accounts and/or customers that are sending money implies payor resource pool information), and payee resource pool information (see [0047]; accounts and/or customers that are receiving money implies payee resource pool information). 

Regarding claim 6, Verma (modified by Marvasti) discloses the system of claim 1, as set forth above. In addition, Verma further discloses wherein identifying the current malfeasance pattern comprises at least identifying a match between one or more factors of the plurality of nodes associated with the first plurality of resource pools and the current plurality of nodes associated with the second plurality of resource pools (see [0072]-[0074]; Once the network model, such as the graph described above, has been constructed, the detection device 110 may be configured to evaluate the network model against a set of rules and produce a set of classifications that classify the nodes (e.g., the users) as , wherein the one or more factors comprise at least one of (1) reputation scores (see [0047]; customers with high risk (e.g., credit risk) implies nodes/ accounts with reputation scores), (2) entropy values, (3) divergence values, (4) frequency of resource distribution requests (see [0047]; transaction patterns (i.e., in the frequency, volume and/or amount of transactions, and pairs of accounts and/or customers with a high volume or total amount of transactions indicate frequency of resource distribution requests), (5) timing of the resource distribution requests (see [0047]; receive and send a lot of money in very short times, and accounts and/or customers that are sending or receiving many small transactions in a certain period implies timing of transactions; also see [0105]; the finance and risk industries face many different types of problems associated with outlier network activity, including, but not limited to, fraud and anti-money laundering (AML). In these types of situations, an outlier may be a fraudster or a money launderer. Currently, a case of abnormal or outlier activity may be raised if a customer breaks a rule or exceeds a specific threshold, e.g., when an amount of money transferred by the customer in the last day exceeds a threshold amount of money), (6) resource distribution amounts associated with the resource distribution requests (see [0047]; transaction patterns (i.e., in the frequency, volume and/or amount of transactions, and pairs of accounts and/or customers with a high volume or total amount of transactions indicate resource distribution amounts; also see [0105]; the finance and risk industries face many different types of problems associated with outlier network activity, including, but not limited to, fraud and anti-money laundering (AML). In these types of situations, an outlier may be a fraudster or a money launderer. Currently, a case of abnormal or outlier activity may be raised if a customer breaks a rule or exceeds a specific threshold, e.g., when an amount of money transferred by the customer in the last day exceeds a threshold amount of money), and (7) connectivity characteristics (see [0111]; network models constructed in accordance with the present disclosure may include graphs that capture various attributes . 

Regarding claim 7, Verma (modified by Marvasti) discloses the system of claim 1, as set forth above. In addition, Verma further discloses wherein the processing device is further configured to: 
receive new set of current resource distribution request information associated with a new set of current resource distribution requests, wherein the new set of current resource distribution requests are associated with second plurality of resource distribution pools (see [0041]; identify new instances of outlier network users; also see [0102]; self-learning may enable the detection device 110 to identify new and emerging cases of outlier network activity; examiner articulates that identification of new outlier user and activity in the network/ graph indicate receiving new information associated with new transaction/ activity that are associated with new users/ accounts); 
update the current dynamic graph based on the new set of current resource distribution request information (see [0102]; self-learning may enable the detection device 110 to identify new and emerging cases of outlier network activity during subsequent executions of outlier detection analysis. For example, as network users and behaviors change, those changes may be reflected in one or more of the various types of graph analysis performed by the detection device 110. If the emerging activity exhibits behaviors similar to other known cases of outlier activity, the nodes exhibiting that activity may gravitate towards outlier network nodes and/or outlier network activity during graph analysis); and 
determine a new malfeasance pattern matching at least one other pattern stored in the historical pattern database (see [0102]; self-learning may enable the detection device 110 to identify new and emerging cases of outlier network activity during subsequent executions of outlier detection analysis. For example, as network users and behaviors change, those changes may be reflected in one or more of the various types of graph analysis performed by the detection device 110. If the emerging activity exhibits behaviors similar to other known cases of outlier activity, the nodes exhibiting that activity may gravitate towards outlier network nodes and/or outlier network activity during one or more stages of the graph analysis). 

As for Claim(s) 8 and 15, the claims list all the same elements of claim 1, but in a computer program product comprising at least one non-transitory computer readable medium comprising computer readable instructions (see Verma [0011]), and a method form to carry out the steps of claim 1, rather than the system form. Therefore, the supporting rationale of the rejection to claim 1 applies equally as well to claims 8 and 15.  

As for Claims 9, 12-14, 16 and 19-20, the claims do not teach or further define over the limitations in claims 2 and 5-7. Therefore, claims 9, 12-14, 16 and 19-20 are rejected for the same reasons as set forth in claims 2 and 5-7.

Claim(s) 4, 11 and 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Verma et al. (hereinafter, Verma, US 20190132224 A1) in view of Marvasti et al. (hereinafter, Marvasti, US 20130097463 A1) and in view of Mohr et al. (hereinafter, Mohr, US 20150339835 A1).

Regarding claim 4, Verma (modified by Marvasti) discloses the system of claim 1, as set forth above. In addition, Marvasti further discloses wherein the one or more processing devices (see Fig.12:1206) are further configured to execute computer-readable program code (see [0096]) to: 
identify, from the current dynamic graph (see Fig.1:12; also see graphs on Fig.2 and on Fig.8), a nodal set of one or more pairs of nodes linked by an edge (see [0053]; to determine whether subgraphs exist, an adjacency matrix A(i,j) of the graph … is created…to detect the connectivity of the graph; examiner articulates that connectivity of the graph indicate nodes are connected or linked by an edge), based on the nodal set having an aggregate customer entropy (see [0056]-[0060]; the directed graph is used for determination of entropies (impact factors); for each node E.sub.i (in the directed graph) an sum of all entropy; entropy as used herein utilizes the principles of Shannon's entropy) and divergence value associated with interconnectivity or common control (see Fig.1:16; also see [0053]; A(i,j)=1 if nodes i and j are connected, otherwise A(i,j)=0; examiner articulates that the value of 1 or 0 of adjacency matrix A(i,j) correspond to divergence value associated with interconnectivity).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Marvasti with Verma to identify, from the current dynamic graph, a nodal set of one or more pairs of nodes linked by an edge, based on the nodal set having an aggregate customer entropy and divergence value associated with interconnectivity or common control.
One of ordinary skill in the art would have been motivated to determine root causes of events in complex systems in real-time based on a statistical processing of a virtual directed graph produced from historical events (Marvasti: [0003]-[0004]).
Verma (modified by Marvasti) does not disclose collapse the nodal set into a single node that represents the one or more pair of nodes linked by an edge of the second nodal set as if it was a single resource pool.
Mohr discloses collapse the nodal set into a single node that represents the one or more pair of nodes linked by an edge of a second nodal set as if it was a single resource pool (see [0044]-[0049]; Available transform operations include collapsing to join a group of related nodes into a single node that maintains references to the individual nodes and inherits the edges of all joined nodes; also see [0039]-[0041] in view of Fig.8 - Fig.10; FIG. 8 shows a screen 800 that contains an unfocused map of data… As seen in Fig.9, base node 810 is shown along with three edges 120 that connect the node 810 to the three nodes 910, 920, 930 that are separated from the base node 810 by one degree of separation… This includes all of the first-degree nodes 910 shown in screen 900, and also all second-degree nodes 1010 connected to these first degree nodes 910).

One of ordinary skill in the art would have been motivated to make the visual rendering less processor intensive and thus work faster for larger graphs (Mohr: [0065]).

As for Claims 11 and 18, the claims do not teach or further define over the limitations in claim 4. Therefore, claims 11 and 18 are rejected for the same reasons as set forth in claim 4.

Additional References
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
McAfee (US 20110238516 A1) teaches e-commerce threat detection using graph models.
Gieseke (US 20170178139 A1) discloses generating a graph database based on the transaction information, and determining, based on information associated with the nodes of the graph database, whether a particular node of the graph database is potentially fraudulent.
McBennett (US 20180197183 A1) teaches updating the graph structure to reflect new transactions or events that have occurred in the time since the last update.
Bose et al. (US 9087088 B1) discloses updating, creating, and/or recreating an entity subgraph of a graph database on a periodic basis based upon new data, as a consumer's transaction history develops and changes.
Yang et al. (US 10528958 B2) teaches generating relationships via a property graph model to determine incidences of fraud where pattern data reveals multiple reports of fraud from a particular merchant.
Peer et al. (US 9967265 B1) teaches detecting malicious online activities using event stream processing over a graph database.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SANDARVA KHANAL whose telephone number is (571)272-8107.  The examiner can normally be reached on MON-FRI, 0800-1700.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kamal B Divecha can be reached on 571-272-5863.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/SANDARVA KHANAL/Examiner, Art Unit 2453                                                                                                                                                                                                        
/KAMAL B DIVECHA/Supervisory Patent Examiner, Art Unit 2453