DETAILED ACTION
This communication is in response to the claims filed on 09/20/2019. 
Application No: 16/577,749
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


EXAMINER’S AMENDMENT 
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in an interview with Pingping Wang on July 21, 2021.
The claims have been amended as follows:
The listing of claims will replace all prior versions of claims in the application.

LISTING OF CLAIMS

 1.	(Currently Amended) A computer-implemented method for updating a detection model for detecting suspicious activity while maintaining data protection in a data processing system comprising a processing device and a memory comprising instructions which are executed by the processor, the method comprising:
a package comprising instructions and a threshold 
retraining the detection model to include a detection component that uses the instructions;
collecting data comprising customer data and transaction data stored at the first local node;
determining a value for the at least one general feature from the collected data using the instructions; and
triggering a suspicious activity alert based on the determined value and the instructions, wherein triggering the suspicious activity alert comprises comparing the determined value to the threshold and providing an alert to a user based on the comparison,
wherein the customer data and transaction data are indeterminable from the at least one general feature and the determined value.

2.	(Original) The method of claim 1, wherein the at least one general feature comprises one or more of counting statistics, regional statistics, time statistics, or amount statistics.
 
3.	(Original) The method of claim 1, further comprising decrypting the instructions to obtain an algorithm for calculating the at least one general feature.

4.	(Original) The method of claim 1, further comprising recording events associated with the retraining of the detection model and providing the recorded events to a detection model system.



7.	(Currently Amended) The method of claim [[5]] 1, wherein the package is encrypted and the method further comprises decrypting the package to obtain the instructions and the threshold.

8.	(Currently Amended) A local node comprising a processing device and a memory comprising instructions which are executed by the processing device for retraining a model based on a data set comprising data, the local node further comprising:
a sharing module configured to receive a package comprising instructions and a threshold 
a retraining module configured to retrain the detection model to include a detection component that uses the instructions;
a data collection module configured to collect data comprising customer data and transaction data stored at the first local node;
a performance module configured to:
	determine a value for the at least one general feature from the collected data using the instructions, and
	trigger a suspicious activity alert based on the determined value and the instructions, wherein triggering the suspicious activity alert comprises comparing the determined value to the threshold and providing an alert to a user based on the comparison,
	wherein the customer data and transaction data are indeterminable from the at least one general feature and the determined value.


 
10.	(Original) The local node of claim 8, wherein the sharing module is configured to decrypt the instructions to obtain an algorithm for calculating the at least one general feature.

11.	(Original) The local node of claim 8, further comprising recording events associated with the retraining of the detection model and providing the recorded events to a detection model system.

12-13. (Canceled)

14.	(Currently Amended) The local node of claim [[12]] 8, wherein the package is encrypted and the method further comprises decrypting the package to obtain the instructions and the threshold.

15.	(Currently Amended) A local node comprising a processing device and a memory comprising instructions which are executed by the processing device for retraining a model based on a data set comprising data, the local node further comprising:
	a model manager comprising a performance module, a retraining module, and a sharing module; and
	a privacy manager comprising a data collection module, an aggregation module, and an instructions module,

	the aggregation module is configured to aggregate the data into a first feature that describes the contents of the data;
	the instructions module is configured to determine first instructions for calculating the first feature;
	the sharing module is configured to: 
		generate a package having the instructions for calculating the first feature and a threshold, 
			transmit the package to a second local node for retraining a detection model at the second local node, and
			receive second instructions for determining a second feature from the data; 
	the data collection module is configured to collect the data comprising customer data and transaction data; 
	the retraining module is configured to retrain the detection model to include a detection component that uses the first instructions and the second instructions;
and
	the performance module is configured to:
		determine values for the first feature and the second feature from the collected data using the first instructions and second instructions, and
		trigger a suspicious activity alert based on one or more of the determined values, the first instructions, [[and]] the second instructions, and the threshold.



17.	(Original) The local node of claim 15, wherein the first and second features comprise one or more of counting statistics, regional statistics, time statistics, or amount statistics.

18.	(Currently Amended) A system comprising:
	a first local node;
	a second local node; and 
	a detection model system,
		wherein the first local node and the second local node each comprising:
			a data collection module configured to collect data comprising customer data and transaction data;
 		an aggregation module configured to determine values for one or more features from the collected data, wherein the customer data and transaction data are indeterminable from the one or more features and the determined values; and
		a sharing module configured to transmit the determined values for the one or more features to the detection model system; and 
		wherein the detection model system comprises:
			a data control module configured to receive the determined values for the features from the first local node and the second local node;
,
wherein retraining the detection model comprises determining a metric and a threshold for comparing to the metric and alerting to suspicious activity based on the comparison.

19. (Canceled)

20.	(Currently Amended) The detection model of claim [[19]] 18, wherein the metric is determined based on the determined values for the one or more features.

21.	(Original) The detection model of claim 20, wherein the detection model system further comprises a privacy manager configured to generate instructions for determining the metric based on the determined values for the one or more features.

22.	(Original) The detection model of claim 21, wherein transmitting the retrained detection model comprises delivering the instructions for determining the metric to the first node and the second node.

23.	(Original) The detection model of claim 22, wherein the first node and the second node further comprise a performance module configured to determine a value for the metric and compare the value for the metric to the threshold and trigger an alert based on the comparison.

*** 

Reasons for allowance
Claims 1-4, 7-11, 14-18 and 20-23 are allowed.
The following is an examiner’s statement of reasons for allowance: 
The reason for allowance is that the prior art of record fails to teach the limitations, together with the preamble, of each claim taken as a whole. The limitations recited in the independent claims comprise a particular combination of elements, functions and preamble, which is neither taught nor suggested by the prior art when each claim is taken as a whole.
 

The distinguishing features of representative claim 1 are underlined and summarized below:
 	A computer-implemented method for updating a detection model for detecting suspicious activity while maintaining data protection in a data processing system comprising a processing device and a memory comprising instructions which are executed by the processor, the method comprising:
receiving a package comprising instructions and a threshold for calculating at least one general feature from data stored at a first local node; 
retraining the detection model to include a detection component that uses the instructions;
collecting data comprising customer data and transaction data stored at the first local node;
determining a value for the at least one general feature from the collected data using the instructions; and
triggering a suspicious activity alert based on the determined value and the instructions, wherein triggering the suspicious activity alert comprises comparing the determined value to the threshold and providing an alert to a user based on the comparison,
wherein the customer data and transaction data are indeterminable from the at least one general feature and the determined value.
 

The distinguishing features of representative claim 8 are underlined and summarized below:
	A local node comprising a processing device and a memory comprising instructions which are executed by the processing device for retraining a model based on a data set comprising data, the local node further comprising:
a sharing module configured to receive a package comprising instructions and a threshold for calculating at least one general feature from data stored at the first local node; 
a retraining module configured to retrain the detection model to include a detection component that uses the instructions;
a data collection module configured to collect data comprising customer data and transaction data stored at the first local node;
a performance module configured to:
	determine a value for the at least one general feature from the collected data using the instructions, and
 trigger a suspicious activity alert based on the determined value and the instructions, wherein triggering the suspicious activity alert comprises comparing the determined value to the threshold and providing an alert to a user based on the comparison,
wherein the customer data and transaction data are indeterminable from the at least one general feature and the determined value. 


The distinguishing features of representative claim 15 are underlined and summarized below:
	A local node comprising a processing device and a memory comprising instructions which are executed by the processing device for retraining a model based on a data set comprising data, the local node further comprising:
	a model manager comprising a performance module, a retraining module, and a sharing module; and
	a privacy manager comprising a data collection module, an aggregation module, and an instructions module,
	wherein:
	the aggregation module is configured to aggregate the data into a first feature that describes the contents of the data;
	the instructions module is configured to determine first instructions for calculating the first feature;
	the sharing module is configured to: 
		generate a package having the instructions for calculating the first feature and a threshold, 
			transmit the package to a second local node for retraining a detection model at the second local node, and
			receive second instructions for determining a second feature from the data; 
the data collection module is configured to collect the data comprising customer data and transaction data; 
	the retraining module is configured to retrain the detection model to include a detection component that uses the first instructions and the second instructions;
and
	the performance module is configured to:
		determine values for the first feature and the second feature from the collected data using the first instructions and second instructions, and
		trigger a suspicious activity alert based on one or more of the determined values, the first instructions, the second instructions, and the threshold.


The distinguishing features of representative claim 18 are underlined and summarized below:
A system comprising:
	a first local node;
	a second local node; and 
	a detection model system,
		wherein the first local node and the second local node each comprising:
			a data collection module configured to collect data comprising customer data and transaction data;
 		an aggregation module configured to determine values for one or more features from the collected data, wherein the customer data and transaction data are indeterminable from the one or more features and the determined values; and
a sharing module configured to transmit the determined values for the one or more features to the detection model system; and 
		wherein the detection model system comprises:
			a data control module configured to receive the determined values for the features from the first local node and the second local node;
			a model manager configured to retrain a detection model based on the received determined values from the first and second local nodes, and transmit the retrained detection model to the first local node and the second local node,
wherein retraining the detection model comprises determining a metric and a threshold for comparing to the metric and alerting to suspicious activity based on the comparison.
	 

Applicant's independent claim 1 comprises a particular combination of underlined features in combination with other recited limitations, which is neither taught nor suggested by the prior art when the claim is taken as a whole.
Similarly, the other independent claims 8, 15 and 18 comprise a particular combination of underlined features in combination with other recited limitations with analogous wording, which is neither taught nor suggested by the prior art when each claim is taken as a whole.
Dependent claims are deemed allowable for the same reasons as corresponding independent claims.
 

Prior Art References 
The closest combined references of Muddu, Stockdale and Zoldi teach the following:
	Muddu (US 20170063896 A1) teaches that a security platform employs a variety of techniques and mechanisms to detect security related anomalies and threats in a computer network environment. The security platform is "big data" driven and employs machine learning to perform security analytics. The security platform performs user/entity behavioral analytics (UEBA) to detect the security related anomalies and threats, regardless of whether such anomalies/threats were previously known. The security platform can include both real-time and batch paths/modes for detecting anomalies and threats. By visually presenting analytical results scored with risk ratings and supporting evidence, the security platform enables network security administrators to respond to a detected anomaly or threat, and to take action promptly.

Stockdale (US 20190260784 A1) teaches that a privacy protection component can automatically comply with a set of privacy requirements when displaying input data. An ingestion module collects input data describing network activity executed by a network entity. A clustering module identifies data fields with data values within the input data as data identifiable to the network entity using machine-learning models trained on known data fields and their data. The clustering module also clusters the data values with other data values having similar characteristics using machine-learning models to infer a privacy level associated with each data field. The privacy level is utilized to indicate whether a data value in that data field should be anonymized. A permission module determines a privacy status of that data field by comparing the privacy level from the clustering module to a permission threshold. An aliasing module applies an alias transform to the data value of that data field with a privacy A user interface module displays the input data to a system user with the privacy alias from the aliasing module substituted for the data value for that data field.
 
Zoldi (US 20190073647 A1) teaches a method of processing transactions to determine the fraud risk of transactions incorporating card issuer bin and cardholder location associated with a multitude of customers. The artificial intelligence models developed with such information provide an output of likelihood of fraud for payment card transactions. Disclosed are the methods of utilizing aggregated payment card transaction data at the card issuer bin and card holder location level to improve fraud detection. The implementation of the method is demonstrated to have boosted the performance of the developed models in detection of fraudulent payment cards. 
 
	However, the cited references, alone or in any combination, neither disclose nor fairly suggest the combination of features specifically listed above and/or underlined, in particular,
receiving a package comprising instructions and a threshold for calculating at least one general feature from data stored at a first local node; retraining the detection model to include a detection component that uses the instructions; collecting data comprising customer data and transaction data stored at the first local node; determining a value for the at least one general feature from the collected data using the instructions; and
triggering a suspicious activity alert based on the determined value and the instructions, wherein triggering the suspicious activity alert comprises comparing the determined value to the threshold and providing an alert to a user based on the comparison,
wherein the customer data and transaction data are indeterminable from the at least one general feature and the determined value.


Muddu teaches that a security platform employs a variety of techniques and mechanisms to detect security related anomalies and threats; but Muddu failed to teach one or more limitations, including,
receiving a package comprising instructions and a threshold for calculating at least one general feature from data stored at a first local node; retraining the detection model to include a detection component that uses the instructions; collecting data comprising customer data and transaction data stored at the first local node; determining a value for the at least one general feature from the collected data using the instructions; and
triggering a suspicious activity alert based on the determined value and the instructions, wherein triggering the suspicious activity alert comprises comparing the determined value to the threshold and providing an alert to a user based on the comparison,
wherein the customer data and transaction data are indeterminable from the at least one general feature and the determined value.

Stockdale and Zoldi alone or in combination failed to cure the deficiency of Muddu.

	 Thus, the cited references, alone or in combination, fail to disclose or suggest each of the elements recited by the independent claims.


The present invention provides an improved system for updating shared detection models while maintaining data privacy. For example, various analytical models are used to detect banking fraud, aid in regulatory compliance, and address many other complex, data-driven problems. Many fields require the most up-to-date models for accurate and timely event detection. In some fields, for example, many types of fraud, a third-party agent is actively working to escape detection by current analytical models. Thus, what is needed is a system for updating detection models that allows a model update to be distributed, analyzed, and implemented in a rapid fashion over multiple local nodes of the system. Moreover, due to the usefulness of larger and more diverse data sets, there are incentives to share information, such as detection models and data for model generation, across multiple entity systems. However, especially due to the sensitivity of the data being shared, data privacy must be considered and taken into account. The present disclosure describes a computer-implemented method for updating a detection model while maintaining data protection in a data processing system.

Therefore, when taken as a whole application, and incorporating all the respective limitations, none of the prior art discloses the features as claimed.


Conclusion
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submission should be clearly labeled "Comments on Statement of Reasons for Allowance."

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Mahendra Patel whose telephone number is (571)270-7499. The examiner can normally be reached on 9:30 AM to 5:30 PM (EST).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Anthony Addy, can be reached on (571) 272-779. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MAHENDRA R PATEL/
Primary Examiner, Art Unit 2645