DETAILED ACTION
This communication is responsive to the application # 16/286,918 filed on February 27, 2019. Claims 1-20 are pending and are directed toward an ANOMALOUS ACTIVITY DETECTION IN MULTI-PROVIDER TRANSACTIONAL ENVIRONMENTS.
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Apostolopoulos, US 2018/0219888, Pub. Date: Aug. 2, 2018, in view of Widmann et al. (US 2019/0378051, Filed: Jun. 12, 2018), hereinafter referred to as Apostolopoulos and Widmann.

identifying a target provider node (FIG. 12 is a flow diagram describing an example process 1200 for detecting anomalies. Process 1200 begins at step 1202 with receiving event data 1002 indicative of activity by a particular entity associated with a computer network. Apostolopoulos, [0176]) of a plurality of provider nodes (in some embodiments, event data 1002 is received by a security platform from a plurality of entities associated with the computer network via an ETL pipeline. Apostolopoulos, [0176]);
determining, based on 
generating one or more risk scores, including a risk score for each relationship of the multiple relationships (Various features ( or risk factors) that capture how risky the underlying 
determining a network risk score for the target provider node based on each firsts relationship score associated with a relationship of the multiple relationships and the one or more risk scores (Threats can be detected based on the adjusted risk score for a component (i.e., a group of linked entities) as well as a number of other factors. Apostolopoulos, [0037]); and
performing the anomalous activity detection based on the network risk score (More specifically, the security platform introduced here can perform user behavioral analytics (UBA), or more generally user/entity behavioral analytics (UEBA), to detect the security related anomalies and threats, regardless of whether such anomalies and threats are previously known or unknown. Additionally, by presenting analytical results scored with risk ratings and supporting evidence, the security platform can enable network security administrators or analysts to respond to a detected anomaly or threat, and to take action promptly. Apostolopoulos, [0035]).
Apostolopoulos teaches different sources of data (Apostolopoulos, [0117]-[0122]) including Financial Services Information Sharing, but does not explicitly uses term “transactional”. Widmann however teaches further comprising: determining the transactional data (One general aspect includes a machine learning system that optimizes a feature vector, the system including: a first interface configured to receive transaction data; Widmann, [0008]).
Apostolopoulos in view of Widmann are analogous art to the claimed invention, because they are from a similar field of endeavor of systems, components and methodologies for providing secure communication between computer systems. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Apostolopoulos in view of Widmann. This would have been desirable because the data may correspond to one or more transactions, such as log-in transactions, computer network transactions, financial transactions, and/or the like (Widmann, [0070]).



one or more direct relationships each satisfying a direct relational proximity criterion and each involving the target provider node and a direct partner node of the plurality of provider nodes (In general, each event can be associated with a timestamp that is derived from the raw data in the event, determined through interpolation between temporally proximate events having known timestamps, or determined based on other configurable rules for associating timestamps with events, etc. Apostolopoulos, [0044]); and
one or more indirect relationships each satisfying an indirect relational proximity criterion (The method introduced here detects anomalies based on the mini-graphs, and combines the anomalies with the mini-graphs to generate the composite relationship graph, which may also be called an "enterprise security graph" to the extent it may relate to a network of a particular enterprise (e.g., a corporation, educational institution, government agency, etc.). The composite relationship graph includes nodes that represent the anomalies and edges that represent relationships between anomalies and other entities involved in the events. Apostolopoulos, [0188]) and each involving a first direct partner node associated with a first direct relationship of the one or more direct relationships and an indirect partner node of the plurality of provider nodes (The method further identifies security threats by correlating the anomalies across the composite relationship graph. For example, the method can use a neighborhood computation algorithm to identify a group of related anomalies in the composite relationship graph that represent a security threat. Alternatively, the method can identify an insider who poses a security threat based on a group of anomalies being close to each other in time and their confidence metrics. Apostolopoulos, [0190]).

As per claim 4, Apostolopoulos in view of Widmann teaches the computer-implemented method of claim 1, wherein the data comprises a provider data item for each provider of a plurality of providers and a relationship data item defining a relationship of the multiple relationships (The relationship discovery and recordation technique can be performed by, for example, the relationship graph generator 710. Specifically, after the entities are identified in the tokens, the relationship graph generator 710 is operable to identify a number of relationships between the entities, and to explicitly record these relationships between the entities. Some implementations of the relationship graph generator 710 generate a single relationship graph for each event; such an event-specific relationship graph may also be called a "mini-graph." Further, some implementations incorporate the generated relationship graph into the event data that represents the event, in the form of a data structure representing the relationship graph. A graph in the context of this description includes a number of nodes and edges. Each node in the relationship graph represents one of the entities involved in the event, and each edge represents a 
As per claim 5, Apostolopoulos in view of Widmann teaches the computer-implemented method of claim 4, further comprising: determining the transactional data (One general aspect includes a machine learning system that optimizes a feature vector, the system including: a first interface configured to receive transaction data; Widmann, [0008]).
Apostolopoulos in view of Widmann are analogous art to the claimed invention, because they are from a similar field of endeavor of systems, components and methodologies for providing secure communication between computer systems. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Apostolopoulos in view of Widmann. This would have been desirable because the data may correspond to one or more transactions, such as log-in transactions, computer network transactions, financial transactions, and/or the like (Widmann, [0070]).

As per claim 6, Apostolopoulos in view of Widmann teaches the computer-implemented method of claim 5, wherein determining the transactional data comprises: processing one or more transaction records to create multiple a plurality of provider-consumer relationships; determining one or more providers of interest based on the plurality of provider-consumer relationships; processing the plurality of provider-consumer relationships to generate a plurality of member-based provider relationships; and processing the plurality of member-based provider relationships to generate a plurality of aggregate provider relationships (; a graph module configured to store and update a graph using the transaction data, the graph including nodes and edges, where each node corresponds to an entity type, and where each edge represents a relationship between two nodes; and a machine learning engine including a plurality of machine learning sub-engines, where each entity type in the graph is assigned a separate machine learning sub-engine, the machine learning engine is programmed to perform steps including: training a 
Apostolopoulos in view of Widmann are analogous art to the claimed invention, because they are from a similar field of endeavor of systems, components and methodologies for providing secure communication between computer systems. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Apostolopoulos in view of Widmann. This would have been desirable because the data received may relate to one or more entities and/or one or more associations between the one or more entities. For example, the data received may be related to an online purchase (such as a purchase of an article of clothing) using a credit card. Such a purchase may have involved use of a credit card on a web site, which may then use one or more credit card processing services, which may ultimately be connected with one or more financial institutions. As such, the online purchase may involve a number of entities (Widmann, [0070]).

As per claim 7, Apostolopoulos in view of Widmann teaches the computer-implemented method of claim 6, wherein each provider data item is determined based on the plurality of provider-consumer relationships (The method where the one or more graph representations are associated with one or more transactions between at least two of the plurality of entities. Widmann, [0033]).
Apostolopoulos in view of Widmann are analogous art to the claimed invention, because they are from a similar field of endeavor of systems, components and methodologies for providing secure communication between computer systems. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Apostolopoulos in view of Widmann. This would have been desirable because the data received may relate to one or more entities and/or one or more associations between the one or more entities. For example, the data received may be related to an online purchase (such as a purchase of an article of clothing) using a credit card. Such a purchase may have involved use of a credit card on a web site, which may then use one or more credit card processing services, which may ultimately be connected with one or more financial institutions. As such, the online purchase may involve a number of entities (Widmann, [0070]).

As per claim 8, Apostolopoulos in view of Widmann teaches the computer-implemented method of claim 6, wherein each relationship data item is generated based on the plurality of aggregate provider relationships (In some examples, the ensemble may use parallel ensemble techniques. The ensemble may use bootstrap aggregating (sometimes referred to as bagging) to 
Apostolopoulos in view of Widmann are analogous art to the claimed invention, because they are from a similar field of endeavor of systems, components and methodologies for providing secure communication between computer systems. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Apostolopoulos in view of Widmann. This would have been desirable because , a particular entity may be one or more entity types. Therefore, in some examples, more than one ML model may run on the same set of data-further training and refining the underlying stored graph. (Widmann, [0074]).

Claims 9-20 have limitations similar to those treated in the above rejection, and are met by the references as discussed above, and are rejected for the same reasons of obviousness as used above. Apostolopoulos teaches limitation “maintaining, in a relational database” (For example, the data access systems include a relational database (e.g., a structured query language (SQL) database), Apostolopoulos, [0158]),

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the conflicting application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. 
Effective January 1, 1994, a registered attorney or agent of record may sign a terminal disclaimer. A terminal disclaimer signed by the assignee must fully comply with 37 CFR 3.73(b).
Claims 1-20 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1-12 of US patent No. 10692153.  Although the conflicting claims are not identical, they are not patentably distinct from each other because all elements of claims 1-20 of the instant application correspond to elements of claims 1-12 of US patent No. 10692153. The above claims of the present application would have been obvious over In re Goodman (CAFC) 29 USPQ2D 2010 (12/3/1993)).
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to OLEG KORSAK whose telephone number is (571)270-1938.  The examiner can normally be reached on Monday-Friday 7:30am - 5:00pm EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571)272-4006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/OLEG KORSAK/
Primary Examiner, Art Unit 2492