DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendments
The action is responsive to the Applicant’s Amendment filed on 8/18/2022. Claims 3-10 and 13-22 are pending in the application. Claims 21 and 22 are amended.

Response to Arguments
Applicant’s arguments with respect to the rejections of claims 3-10 and 13-22 have been fully considered. In view of the claim amendment filed, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made. 
Further, regarding the new limitations recited in claims 21 and 22, it is submitted that they are properly addressed by the new ground of rejection.
Furthermore, it is also submitted that all limitations in pending claims, including those not specifically argued, are properly addressed. The reason is set forth in the rejections. See claim analysis below for detail.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 3-10 and 13-22 are rejected under 35 U.S.C. 103 as being unpatentable over Comeaux et al. (US Patent No. 10567402 B1, hereinafter Comeaux) in view of Jou et al. (US 20160344762 A1, hereinafter Jou).

Regarding Claim 3, the combined teachings of Comeaux and Jou disclose the system of claim 21 wherein the identified set of features represents features used by the selected model to score an alert (See Comeaux, [Col. 12, lines 6-8]: FIG. 6 shows execution steps of prioritization of issues in an alert queue by generating and updating risk score for the alerts, according to an exemplary method 600; [Col. 34, lines 65-68]: In some cases, each of the set of one or more scenario attribute models may be associated with a different rate of fraud. For example, each of the set of one or more scenario attribute models may be associated with a different percentage of fraud depending on a type of scenario of potential fraud or attack).

Regarding Claim 4, the combined teachings of Comeaux and Jou disclose the system of claim 21 wherein the event includes receiving a request from a user device indicating the set of alerts (See Comeaux, [Col. 12, lines 6-9]: In one embodiment, a computer-implemented method may include receiving, by a computer, a set of one or more alert elements containing a customer identifier from one or more alert-generating systems configured to generate a corresponding alert element; [Col. 23, lines 33-35]: As another example, the webserver 105 b may generate the alert-elements when the user performs or otherwise requests unusual actions).

Regarding Claim 5, the combined teachings of Comeaux and Jou disclose the system of claim 21 wherein the event includes a first threshold time elapsing (See Comeaux, Fig. 2, [Col. 30, lines 53-57]: In a next step 209, upon the security server identifying an integrated alert matched to an incoming alert element, the security server will determine whether the integrated alert is marked as completed by an analyst or has expired after a threshold timeframe of not being addressed by an analyst).

Regarding Claim 6, the combined teachings of Comeaux and Jou disclose the system of claim 21 wherein each alert of the obtained set of alerts includes: (i) a transaction identifier (See Comeaux, [Col. 14, lines 28-30]: The alert elements may, for example, contain a data field indicating a customer identifier value that is unique to the customer) and (ii) a threshold exceeded ([Col. 17, lines 61-67]: in some cases, the security server 101 may generate or update the risk score for each integrated alert in response to a triggering event, such as receiving a new alert element for the customer identifier of the integrated alert or when a threshold number of alert elements have been received for a customer identifier).

Regarding Claim 7, the combined teachings of Comeaux and Jou disclose the system of claim 21 wherein the parameter database includes, for the user identifier: (i) an account type (See Comeaux, [Col. 14, lines 20-25]: The data fields of an authentication-failure alert element may contain data fields associated with the detected event, such as data fields describing the source device and data fields describing the particular customer account the user was attempting to access), (ii) a total account amount ([Col. 21, lines 62-66]: For example, a third-party payment server 105 a may generate an alert element containing data elements related to money transfers or transaction requests, such as account identifiers, customer identifiers, a timestamp, and the amount of money at issue), (iii) trading frequency ([Col. 13, lines 57-62]: A risk-level may be determined by computing devices of the automated system 100 based on how likely fraudulent activity associated with the integrated alert is to have occurred and/or the frequency of potentially fraudulent activity), and (iv) an average trading amount ([Col. 20, lines 47-50]: The third-party payment server 105 a may identify such fraudulent transactions when transaction amount is above a threshold amount or an average amount to computing devices).

Regarding Claim 8, the combined teachings of Comeaux and Jou disclose the system of claim 21 wherein the memory is further configured to cause the system to perform: sorting the result list based on the score of each alert of the obtained set of alerts (See Comeaux, [Col. 37, lines 1-5]: The security server or a server hosting the integrated alert database may then sort the integrated alerts according to the risk score, such that the integrated alerts may be presented on a GUI of an analyst computer in order of priority as indicated by the relative risk scores).

Regarding Claim 9, the combined teachings of Comeaux and Jou disclose the system of claim 21 wherein: the memory is further configured to cause the system to perform, in response to receiving analyst feedback corresponding to a first alert of the obtained set of alerts, updating the selected model based on the analyst feedback and a first score corresponding to the first alert, and the analyst feedback indicates whether the first alert is (i) important or (ii) unimportant (See Comeaux, [Col. 26, lines 9-17]: In some implementations, an analyst computer 107 may have a GUI that allows an analyst to mark or “tag” an integrated alert or alert element. A data field in the record of the integrated alert or alert element is then updated to reflect the tag inputted by the analyst computer 107. In some instances, the tag reflects an analyst's concern that an integrated alert or alert element may contain data fields that could be cross-referenced and found in another integrated alert or alert element).

Regarding Claim 10, the combined teachings of Comeaux and Jou disclose the system of claim 21 wherein: the memory stores a result list database and the memory is further configured to cause the system to perform storing the result list in the result list database (See Comeaux, [Col. 26, lines 34-36]: The case management database may be configured to store a plurality of security records such as a whitelist record and a blacklist record) and the corresponding scores ([Col. 26, lines 39-45]: In some embodiments, upon determining that the device IP address and/or device IDs fails an acceptability threshold of risk score, the security server 101 may update the whitelist record and/or the blacklist record in the case management database with the details of the device IP address and/or device IDs that failed the acceptability threshold of their corresponding risk score).

Regarding Claim 13, the combined teachings of Comeaux and Jou disclose the method of claim 22 wherein the identified set of features represents features used by the selected model to score an alert (See Comeaux, [Col. 12, lines 6-8]: FIG. 6 shows execution steps of prioritization of issues in an alert queue by generating and updating risk score for the alerts, according to an exemplary method 600; [Col. 34, lines 65-68]: In some cases, each of the set of one or more scenario attribute models may be associated with a different rate of fraud. For example, each of the set of one or more scenario attribute models may be associated with a different percentage of fraud depending on a type of scenario of potential fraud or attack).

Regarding Claim 14, the combined teachings of Comeaux and Jou disclose the method of claim 22 wherein the event includes receiving a request from a user device indicating the set of alerts (See Comeaux, [Col. 12, lines 6-9]: In one embodiment, a computer-implemented method may include receiving, by a computer, a set of one or more alert elements containing a customer identifier from one or more alert-generating systems configured to generate a corresponding alert element; [Col. 23, lines 33-35]: As another example, the webserver 105 b may generate the alert-elements when the user performs or otherwise requests unusual actions).

Regarding Claim 15, the combined teachings of Comeaux and Jou disclose the method of claim 22 wherein the event includes a first threshold time elapsing (See Comeaux, Fig. 2, [Col. 30, lines 53-57]: In a next step 209, upon the security server identifying an integrated alert matched to an incoming alert element, the security server will determine whether the integrated alert is marked as completed by an analyst or has expired after a threshold timeframe of not being addressed by an analyst).

Regarding Claim 16, the combined teachings of Comeaux and Jou disclose the method of claim 22 wherein each alert of the obtained set of alerts includes: (i) a transaction identifier (See Comeaux, [Col. 14, lines 28-30]: The alert elements may, for example, contain a data field indicating a customer identifier value that is unique to the customer) and (ii) a threshold exceeded ([Col. 17, lines 61-67]: in some cases, the security server 101 may generate or update the risk score for each integrated alert in response to a triggering event, such as receiving a new alert element for the customer identifier of the integrated alert or when a threshold number of alert elements have been received for a customer identifier).

Regarding Claim 17, the combined teachings of Comeaux and Jou disclose the method of claim 22 wherein the parameter database includes, for the user identifier: (i) an account type (See Comeaux, [Col. 14, lines 20-25]: The data fields of an authentication-failure alert element may contain data fields associated with the detected event, such as data fields describing the source device and data fields describing the particular customer account the user was attempting to access), (ii) a total account amount ([Col. 21, lines 62-66]: For example, a third-party payment server 105 a may generate an alert element containing data elements related to money transfers or transaction requests, such as account identifiers, customer identifiers, a timestamp, and the amount of money at issue), (iii) trading frequency ([Col. 13, lines 57-62]: A risk-level may be determined by computing devices of the automated system 100 based on how likely fraudulent activity associated with the integrated alert is to have occurred and/or the frequency of potentially fraudulent activity), and (iv) an average trading amount ([Col. 20, lines 47-50]: The third-party payment server 105 a may identify such fraudulent transactions when transaction amount is above a threshold amount or an average amount to computing devices).

Regarding Claim 18, the combined teachings of Comeaux and Jou disclose the method of claim 22 further comprising sorting the result list based on the score of each alert of the obtained set of alerts (See Comeaux, [Col. 37, lines 1-5]: The security server or a server hosting the integrated alert database may then sort the integrated alerts according to the risk score, such that the integrated alerts may be presented on a GUI of an analyst computer in order of priority as indicated by the relative risk scores).

Regarding Claim 19, the combined teachings of Comeaux and Jou disclose the method of claim 22 further comprising, in response to receiving analyst feedback corresponding to a first alert of the obtained set of alerts: updating the selected model based on the analyst feedback and a first score corresponding to the first alert, wherein the analyst feedback indicates whether the first alert is (i) important or (ii) unimportant (See Comeaux, [Col. 26, lines 9-17]: In some implementations, an analyst computer 107 may have a GUI that allows an analyst to mark or “tag” an integrated alert or alert element. A data field in the record of the integrated alert or alert element is then updated to reflect the tag inputted by the analyst computer 107. In some instances, the tag reflects an analyst's concern that an integrated alert or alert element may contain data fields that could be cross-referenced and found in another integrated alert or alert element).

Regarding Claim 20, the combined teachings of Comeaux and Jou disclose the method of claim 22 further comprising: storing the result list in a result list database (See Comeaux, [Col. 26, lines 34-36]: The case management database may be configured to store a plurality of security records such as a whitelist record and a blacklist record; [Col. 26, lines 39-45]: In some embodiments, upon determining that the device IP address and/or device IDs fails an acceptability threshold of risk score, the security server 101 may update the whitelist record and/or the blacklist record in the case management database with the details of the device IP address and/or device IDs that failed the acceptability threshold of their corresponding risk score).

Regarding Claim 21, Comeaux discloses a system comprising: at least one processor; and at least one memory, wherein the memory stores 
an alert database (Fig. 1, integrated alert databases 104), 
a model database ([Col. 14, lines 55-56]: Scenario models may be computer files stored on the security server 101 or separate database device, such as a system database 102), 
a parameter database ([Col. 13, lines 18-21]: Using the alert elements stored in the alert element database 103, the security server 101 may then generate integrated alerts that are associated with the customers of the system 100), and 
a features database ([Col. 3, lines 20-23]: The computer-implemented method may further include iteratively updating, by the computer, the first learning algorithm dataset based on updated data associated with the set of one or more scenario attribute models, wherein the computer periodically queries a database to receive the updated data associated with the set of one or more scenario attribute models); 
the at least one memory configured to, with the at least one processor, cause the system to perform, in response to an event, 
obtaining a set of alerts stored in the alert database for a scenario (Fig. 2, [Col. 30, lines 47-52]: In a next step 207, the security server may query an alert element database or an integrated alert database to potentially identify existing alert elements or an integrated alert for the customer identifier matched to a customer identifier in a data field of one or more alert elements or integrated alerts); 
selecting a model from the model database for the scenario ([Col. 34, lines 1-8]: In some embodiments, the security server may match attributes of the one or more alert elements received from the one or more alert-generating systems with a set of one or more scenario attribute models. The security server then determine a scenario from the set of one or more scenario attribute models that is matched with the one or more alert elements received from the one or more alert-generating systems); 
identifying a set of features from the features database for the scenario ([Col. 34, lines 8-10]: The scenario from the set of one or more scenario attribute models may identify a particular type of fraud or attack); 
for each alert of the obtained set of alerts, retrieving parameters of the identified set of features from the parameter database corresponding to a user identifier of the alert; inputting the parameters into the selected model ([Col. 3, lines 20-26]: The computer-implemented method may further include iteratively updating, by the computer, the first learning algorithm dataset based on updated data associated with the set of one or more scenario attribute models, wherein the computer periodically queries a database to receive the updated data associated with the set of one or more scenario attribute models); 
determining, with the selected model, a score for the alert based on the identified set of features ([Col. 3, lines 26-30]: The computer-implemented method may further include executing, by the computer, the first learning algorithm on each integrated alert stored in the integrated alert database to generate a risk score for each respective integrated alert; [Col. 2, lines 44-55]: a fraud prevention system that performs various processes using alert elements containing various data fields, indicating threats of fraud… Using these alert elements, the security server… assign a risk score for the integrated alerts); 
assigning a weight to each feature of the identified set of features based on how influential the feature is to the scenario (Fig. 2; [Col. 30, lines 41-43]: The security server then adjusts the risk score of the alert element according to priority weight, at step 205). 
However, Comeaux does not explicitly teach “dividing the identified set of features into a first subset of features and a second subset of features, the first subset of features being more influential on the determined score for the alert than the second subset of features, the first subset of features and the second subset of features being mutually exclusive; adding the alert, the determined score, and the first subset of features to a result list; and causing a user device to display the result list.”
On the other hand, in the same field of endeavor, Jou teaches 
dividing the identified set of features into a first subset of features and a second subset of features ([Abstract]: The present invention provides a method… having the steps of identifying a plurality of alerts, selecting a subset of the plurality alerts based on at least one preselected theme; [0020]: Fig. 4; processing (120) the source data set by computing (130) features from this data set to derive (140) a data set of alerts having the features related to a pre-selected theme. See also para [0020]-[0025]), the first subset of features being more influential on the determined score for the alert than the second subset of features based on the assigned weights ([0029]-[0031]: As a first step, if there are multiple alerts of the same type within this grouping, they are aggregated into a single score… These are combined using a weighted sum, with each alert type having a possibly different weight reflecting its relative importance; [0042]: Further, it is contemplated that individual alert type weights may be used, allowing one to control each alert type's relative influence. See also Fig. 3, para [0012], [0019], [0048]), the first subset of features and the second subset of features being mutually exclusive ([0022]: In at least one embodiment, this “Story” construct works by grouping multiple alerts together in subsets based on one or more common themes and aggregating them into a single score);
adding the alert ([0018]: Fig. 2… (2) provides the Story title or theme), the determined score ([0018]: Fig. 2… (1) provides the aggregated score (80% or 0.80)), and the first subset of features to a result list ([0018]: Fig. 2… (3) provides five indicators corresponding to one or more anomaly models that have detected a specific behavior that is indicative of a compromised account (i.e. the story's theme)); and
causing a user device to display the result list ([0018]: FIG. 2 is an example of an user interface for use in connection with the method of at least one embodiment of the present invention. See also para [0034]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the method of Comeaux to incorporate the teachings of Jou to include “dividing the identified set of features into a first subset of features and a second subset of features, the first subset of features being more influential on the determined score for the alert than the second subset of features, the first subset of features and the second subset of features being mutually exclusive; adding the alert, the determined score, and the first subset of features to a result list; and causing a user device to display the result list.”
The motivation for doing so would be to aggregate and prioritize alert data, as recognized by Jou ([0003] of Jou: More specifically, the present invention relates to systems and method for the aggregating and ranking/prioritizing of security event and alert data).

Regarding Claim 22, Comeaux discloses a method comprising: in response to an event (Fig. 2; In a first step 201, the security server receives an alert element from an alert-generating system), 
obtaining a set of alerts from an alert database corresponding to a scenario (Fig. 2, [Col. 30, lines 47-52]: In a next step 207, the security server may query an alert element database or an integrated alert database to potentially identify existing alert elements or an integrated alert for the customer identifier matched to a customer identifier in a data field of one or more alert elements or integrated alerts); 
selecting a model from a model database for the scenario ([Col. 34, lines 1-8]: In some embodiments, the security server may match attributes of the one or more alert elements received from the one or more alert-generating systems with a set of one or more scenario attribute models. The security server then determine a scenario from the set of one or more scenario attribute models that is matched with the one or more alert elements received from the one or more alert-generating systems); 
identifying a set of features stored in a features database for the scenario ([Col. 34, lines 8-10]: The scenario from the set of one or more scenario attribute models may identify a particular type of fraud or attack); 
for each alert of the set of alerts, retrieving parameters of the identified set of features from a parameter database corresponding to a user identifier of the alert; inputting the retrieved parameters into the selected model ([Col. 3, lines 20-26]: The computer-implemented method may further include iteratively updating, by the computer, the first learning algorithm dataset based on updated data associated with the set of one or more scenario attribute models, wherein the computer periodically queries a database to receive the updated data associated with the set of one or more scenario attribute models); 
determining a score for the alert using the selected model based on the identified set of features ([Col. 3, lines 26-30]: The computer-implemented method may further include executing, by the computer, the first learning algorithm on each integrated alert stored in the integrated alert database to generate a risk score for each respective integrated alert; [Col. 2, lines 44-55]: a fraud prevention system that performs various processes using alert elements containing various data fields, indicating threats of fraud… Using these alert elements, the security server… assign a risk score for the integrated alerts); 
assigning a weight to each feature of the identified set of features based on how influential the feature is to the scenario (Fig. 2; [Col. 30, lines 41-43]: The security server then adjusts the risk score of the alert element according to priority weight, at step 205). 
However, Comeaux does not explicitly teach “dividing the identified set of features into a first subset of features and a second subset of features, the first subset of features being more influential on the determined score for the alert than the second subset of features, the first subset of features and the second subset of features being mutually exclusive; adding the alert, the determined score, and the first subset of features to a result list; and causing a user device to display the result list.”
On the other hand, in the same field of endeavor, Jou teaches 
dividing the identified set of features into a first subset of features and a second subset of features ([Abstract]: The present invention provides a method… having the steps of identifying a plurality of alerts, selecting a subset of the plurality alerts based on at least one preselected theme; [0020]: Fig. 4; processing (120) the source data set by computing (130) features from this data set to derive (140) a data set of alerts having the features related to a pre-selected theme. See also para [0020]-[0025]), the first subset of features being more influential on the determined score for the alert than the second subset of features based on the assigned weights ([0029]-[0031]: As a first step, if there are multiple alerts of the same type within this grouping, they are aggregated into a single score… These are combined using a weighted sum, with each alert type having a possibly different weight reflecting its relative importance; [0042]: Further, it is contemplated that individual alert type weights may be used, allowing one to control each alert type's relative influence. See also Fig. 3, para [0012], [0019], [0048]), the first subset of features and the second subset of features being mutually exclusive ([0022]: In at least one embodiment, this “Story” construct works by grouping multiple alerts together in subsets based on one or more common themes and aggregating them into a single score); and
adding the alert ([0018]: Fig. 2… (2) provides the Story title or theme), the determined score ([0018]: Fig. 2… (1) provides the aggregated score (80% or 0.80)), and the first subset of features to a result list ([0018]: Fig. 2… (3) provides five indicators corresponding to one or more anomaly models that have detected a specific behavior that is indicative of a compromised account (i.e. the story's theme)); and
causing a user device to display the result list ([0018]: FIG. 2 is an example of an user interface for use in connection with the method of at least one embodiment of the present invention. See also para [0034]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the method of Comeaux to incorporate the teachings of Jou to include “dividing the identified set of features into a first subset of features and a second subset of features, the first subset of features being more influential on the determined score for the alert than the second subset of features, the first subset of features and the second subset of features being mutually exclusive; adding the alert, the determined score, and the first subset of features to a result list; and causing a user device to display the result list.”
The motivation for doing so would be to aggregate and prioritize alert data, as recognized by Jou ([0003] of Jou: More specifically, the present invention relates to systems and method for the aggregating and ranking/prioritizing of security event and alert data).
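To make the sequence of steps recited in claims 21 and 22 concrete (obtain the scenario's alerts, select its model and feature set, score each alert from the user's parameters, rank the features by influence, split them into two mutually exclusive subsets, build a score-sorted result list as in claims 8 and 18, and update the model from an analyst's important/unimportant tag as in claims 9 and 19), the following Python illustration is added here. It is not code from Comeaux, Jou, or the application under examination; the four in-memory stores, the logistic weighted-sum model, the use of |weight × parameter| as the influence measure, the upper-half split point, and the gradient-step feedback update are all constructed assumptions.

```python
import copy
import math

# Constructed in-memory stand-ins for the four stores recited in claim 21
# (alert, model, features, parameter databases). Values are illustrative only;
# none of them come from Comeaux, Jou, or the application under examination.
ALERT_DB = [
    {"alert_id": "A1", "scenario": "account_takeover", "user_id": "u100",
     "transaction_id": "t-501", "threshold_exceeded": True},
    {"alert_id": "A2", "scenario": "account_takeover", "user_id": "u200",
     "transaction_id": "t-502", "threshold_exceeded": False},
    {"alert_id": "A3", "scenario": "money_mule", "user_id": "u300",
     "transaction_id": "t-503", "threshold_exceeded": True},
]
# One logistic (weighted-sum) model per scenario; the weights are the per-feature
# influence weights the claims speak of (assumed model form).
MODEL_DB = {
    "account_takeover": {"bias": -3.0, "weights": {
        "failed_logins": 0.4, "new_device": 1.5,
        "amount_vs_average": 0.6, "account_age_days": -0.01}},
    "money_mule": {"bias": -2.0, "weights": {
        "inbound_count": 0.3, "amount_vs_average": 0.9}},
}
FEATURES_DB = {
    "account_takeover": ["failed_logins", "new_device", "amount_vs_average", "account_age_days"],
    "money_mule": ["inbound_count", "amount_vs_average"],
}
# Per-user parameters keyed by the user identifier carried in each alert.
PARAMETER_DB = {
    "u100": {"failed_logins": 6, "new_device": 1, "amount_vs_average": 3.5,
             "account_age_days": 20, "inbound_count": 0},
    "u200": {"failed_logins": 0, "new_device": 0, "amount_vs_average": 1.0,
             "account_age_days": 900, "inbound_count": 1},
    "u300": {"failed_logins": 1, "new_device": 0, "amount_vs_average": 3.0,
             "account_age_days": 400, "inbound_count": 12},
}


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def score_alert(model, features, params):
    """Input the user's parameters into the selected model and return the score
    together with each feature's signed contribution (weight x parameter)."""
    contributions = {f: model["weights"].get(f, 0.0) * params.get(f, 0.0) for f in features}
    score = sigmoid(model["bias"] + sum(contributions.values()))
    return score, contributions


def split_features(contributions, top_k):
    """Partition the features into two mutually exclusive subsets: the top_k most
    influential (largest |contribution|, ties broken by name) and all the rest."""
    ranked = sorted(contributions, key=lambda f: (-abs(contributions[f]), f))
    return ranked[:top_k], ranked[top_k:]


def triage(scenario):
    """Claims 21/22 end to end: obtain the scenario's alerts, select its model and
    feature set, score each alert, keep only the more influential subset of features
    in the result list, and sort the list by score (claims 8/18)."""
    model, features = MODEL_DB[scenario], FEATURES_DB[scenario]
    top_k = max(1, len(features) // 2)  # assumed split point: upper half by influence
    result_list = []
    for alert in (a for a in ALERT_DB if a["scenario"] == scenario):
        score, contributions = score_alert(model, features, PARAMETER_DB[alert["user_id"]])
        first, second = split_features(contributions, top_k)
        assert not set(first) & set(second)  # the two subsets never overlap
        result_list.append({"alert_id": alert["alert_id"], "score": round(score, 4),
                            "top_features": first})
    result_list.sort(key=lambda r: r["score"], reverse=True)
    return result_list


def apply_feedback(scenario, alert_id, important, lr=0.1):
    """Claims 9/19: update the selected model from an analyst's important/unimportant
    tag and the alert's current score. Implemented here as one logistic-regression
    gradient step on a copy of the model; returns (old_score, new_score)."""
    model = copy.deepcopy(MODEL_DB[scenario])
    features = FEATURES_DB[scenario]
    alert = next(a for a in ALERT_DB if a["alert_id"] == alert_id)
    params = PARAMETER_DB[alert["user_id"]]
    old_score, _ = score_alert(model, features, params)
    error = (1.0 if important else 0.0) - old_score
    for f in features:
        model["weights"][f] += lr * error * params.get(f, 0.0)
    model["bias"] += lr * error
    new_score, _ = score_alert(model, features, params)
    return old_score, new_score


if __name__ == "__main__":
    for entry in triage("account_takeover"):
        print(entry)
    print(apply_feedback("account_takeover", "A1", important=False))
```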

Examiner Note
Examiner has cited particular columns/paragraphs and line numbers in the references applied to the claims above for the convenience of the applicant. Although the specified citations are representative of the teachings of the art and are applied to specific limitations within the individual claims, other passages and figures may apply as well. Applicant is respectfully requested, in preparing responses, to fully consider the references in their entirety as potentially teaching all or part of the claimed invention, as well as the context of the passage as taught by the prior art or disclosed by the Examiner.
In the case of amending the claimed invention, Applicant is respectfully requested to indicate the portion(s) of the specification which dictate(s) the structure relied on for proper interpretation and also to verify and ascertain the metes and bounds of the claimed invention. This will assist in expediting compact prosecution. MPEP 714.02 recites: "Applicant should also specifically point out the support for any amendments made to the disclosure. See MPEP § 2163.06. An amendment which does not comply with the provisions of 37 CFR 1.121(b), (c), (d), and (h) may be held not fully responsive. See MPEP § 714." Amendments not pointing to specific support in the disclosure may be deemed as not complying with the provisions of 37 C.F.R. 1.121(b), (c), (d), and (h) and therefore held not fully responsive. Generic statements such as "Applicants believe no new matter has been introduced" may be deemed insufficient.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHIRLEY D. HICKS whose telephone number is (571)272-3304.  The examiner can normally be reached on Mon - Fri 7:30 - 4:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Fred Ehichioya can be reached on (571) 272-4034.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/S D H/Examiner, Art Unit 2168
/MICHELLE N OWYANG/Primary Examiner, Art Unit 2168