DETAILED ACTION


1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

2.	Claims 1-20 are pending.  Claims 1, 14 and 20 are independent.  

3.	The IDS submitted on 6/14/2019 has been considered.















Claim Rejections - 35 USC § 112
4.	The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

5.	Claims 1-20 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the enablement requirement.  The claim(s) contains subject matter which was not described in the specification in such a way as to enable one skilled in the art to which it pertains, or with which it is most nearly connected, to make and/or use the invention. 
Independent claim 1 recites “performing unsupervised attack ring detection”; however, it is unclear for one skilled in the art to design a system that performs “performing unsupervised attack ring detection” as it is unclear what an “unsupervised attack ring detection” is.
Independent claims 14 and 20 also recite similar subject matters, therefore, are also rejected for the same reason discussed above in claim 1.
Claims 2-13 and 15-19 are also rejected based on their direct or indirect dependency of the rejected claims 1, 14 and 20.


Claim Rejections - 35 USC § 102
6.	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

7.	The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.


8.	Claims 1-20 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Cook (PG Pub. 2006/0149674).
As regarding claim 1, Cook discloses A method comprising: 
obtaining input data associated with a plurality of accounts associated with a particular entity [abstract, para. 27 and 146; obtaining input identity record]; 
extracting features from the input data [para. 27-28; extracting identity-related fields]; 
performing unsupervised attack ring detection using the extracted features, wherein the unsupervised attack ring detection identifies suspicious clusters of accounts that have strong similarity or correlations in the high dimensional feature space [para. 27-28 and 95; performing fraud detection that identifies historical identity records that are linked to the input identity record based on common identity-related fields]; and 
generating an output for the detected attack rings [para. 26, 85, 97 and 141].  

As regarding claim 2, Cook further discloses The method of claim 1, wherein the unsupervised attack ring detection identifies suspicious clusters by reducing feature dimensions and determining a distance function that computes a distance between data points [para. 64 and 72; a distally centered feature could identify the linkage, via a common telephone number, of the current identity record to a cluster of identity records associated with a common address and a high fraud rate].  

As regarding claim 3, Cook further discloses The method of claim 2, wherein the selection of particular features and distance functions are guided by one or more of: feature weights assigned to features based on importance [para. 66, 83 and 96-97; feature weights]; initial detection results based on global intelligence network or known fraud signals; or statistical analyses of various feature distribution from the input data.  

As regarding claim 4, Cook further discloses The method of claim 2, wherein the unsupervised attack ring detection groups all data points to generate clusters, wherein the clustering process is non-exclusive such that each account can belong to different clusters, and wherein each cluster is created by a different set of criteria [FIGS. 9 & 10 and para. 146 and 151].  

As regarding claim 5, Cook further discloses The method of claim 1, wherein output from the unsupervised attack ring detection is used as training data to automatically train a supervised learning model and detect additional individual malicious accounts that share similar patterns with the already captured ones [para. 38 and 95-96].  

As regarding claim 6, Cook further discloses The method of claim 1, wherein the feature extraction comprises generating categories of features that describe each user account from both structured [para. 52] and unstructured input data [para. 52 and 144].  

As regarding claim 7, Cook further discloses The method of claim 6, wherein the categories of features include one or more of profile information [para. 27], behaviors and activities, origins and digital fingerprints, contents and metadata, and relationships between accounts.  

As regarding claim 8, Cook further discloses The method of claim 6, wherein the number of feature dimensions automatically adjust to changes in the type of input data fields or the number of input data fields [para. 82 and 128].  

As regarding claim 9, Cook further discloses The method of claim 1, wherein generating the output for the detected attack rings comprises ranking detected accounts, assigning confidence scores to the detected accounts, and categorizing attack rings by a respective nature of their attacks [para. 66].  

As regarding claim 10, Cook further discloses The method of claim 1, wherein the obtaining the input data includes receiving one or more of continuous event streams or multiple batch input files that describe user account profiles or different types of account activities [para. 27-28 and 35].  

As regarding claim 11, Cook further discloses The method of claim 1, wherein the unsupervised attack ring detection further comprises using graph analysis to link clusters that share similar accounts or strong features together, wherein the graph analysis is based on a graph where the nodes represent clusters and the edges link similar clusters [para. 36 and 69-71].  

As regarding claim 12, Cook further discloses The method of claim 11, wherein identification of tightly connected sub-graph components from the graph analysis provides an indication of attack rings [FIGS. 8-10 and para. 36 and 69-71].  

As regarding claim 13, Cook further discloses The method of claim 1, wherein the unsupervised attack ring detection further outputs detection reasons, the detection reasons are based on the attributes and values shared by clusters of correlated accounts determined by the unsupervised attack ring detection [para. 94].  

As regarding claim 14, Cook discloses A system comprising: 
one or more computers and one or more storage devices storing instructions that are operable, when executed by the one or more computers, to cause the one or more computers to perform operations [para. 36 and 49] comprising: 
obtaining input data associated with a plurality of accounts associated with a particular entity [abstract, para. 27 and 146; obtaining input identity record]; 
extracting features from the input data [para. 27-28; extracting identity-related fields]; 
using an unsupervised machine learning engine to perform unsupervised attack ring detection using the extracted features, wherein the unsupervised attack ring detection identifies suspicious clusters of accounts that have strong similarity or correlations in the high dimensional feature space [para. 27-28 and 95; performing fraud detection that identifies historical identity records that are linked to the input identity record based on common identity-related fields]; and 
generating an output for the detected attack rings [para. 26, 85, 97 and 141].  

As regarding claim 15, Cook further discloses The system of claim 14, wherein the unsupervised machine learning engine identifies suspicious clusters by reducing feature dimensions and determining a distance function that computes a distance between data points [para. 64 and 72; a distally centered feature could identify the linkage, via a common telephone number, of the current identity record to a cluster of identity records associated with a common address and a high fraud rate].  

As regarding claim 16, Cook further discloses The system of claim 15, wherein the selection of particular features and distance functions are guided by one or more of: feature weights assigned to features based on importance [para. 66, 83 and 96-97; feature weights]; initial detection results based on global intelligence network or known fraud signals; or statistical analyses of various feature distribution from the input data.  
17, Cook further discloses The system of claim 15, wherein the unsupervised attack ring detection groups all data points to generate clusters, wherein the clustering process is non-exclusive such that each account can belong to different clusters, and wherein each cluster is created by a different set of criteria [FIGS. 9 & 10 and para. 146 and 151].  

As regarding claim 18, Cook further discloses The system of claim 14, wherein output from the unsupervised attack ring detection is used as training data to automatically train a supervised learning model and detect additional individual malicious accounts that share similar patterns with the already captured ones [para. 38 and 95-96].  

As regarding claim 19, Cook further discloses The system of claim 14, wherein the feature extraction comprises generating categories of features that describe each user account from both structured and unstructured input data [para. 52 and 144].  

As regarding claim 20, Cook discloses One or more computer-readable storage media encoded with instructions that, when executed by one or more computers, cause the one or more computers to perform operations comprising: 
obtaining input data associated with a plurality of accounts associated with a particular entity [abstract, para. 27 and 146; obtaining input identity record]; 
extracting features from the input data [para. 27-28; extracting identity-related fields]; 
performing unsupervised attack ring detection using the extracted features, wherein the unsupervised attack ring detection identifies suspicious clusters of accounts that have strong similarity or correlations in the high dimensional feature space [para. 27-28 and 95; performing fraud detection that identifies historical identity records that are linked to the input identity record based on common identity-related fields]; and 
generating an output for the detected attack rings [para. 26, 85, 97 and 141].













Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to THONG P TRUONG whose telephone number is (571)270-7905.  The examiner can normally be reached on M-F 8:30AM - 5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on 57127267986798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).  If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/THONG TRUONG/
Examiner, Art Unit 2433

/JEFFREY C PWU/Supervisory Patent Examiner, Art Unit 2433