Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This communication is in response to application 17/683,221, filed on 02/28/2022. Claims 1, 18, and 19 are amended and hereby entered. Claims 2 and 20 are canceled. Claims 1-21 are pending and are hereby examined.
Response to Arguments
Applicant's arguments filed 1/22/2026 have been fully considered but they are not persuasive.
Regarding 35 USC 101:
Step 2A Prong 1:
The applicant submits that training a risk model to output risk scores indicating likelihoods that language in the emails is malicious or benign recites elements beyond a mental process. Although the risk model is an additional element outside a mental process, it does not integrate the abstract idea into practical application or amount to significantly more. The model itself is discussed at such a high level of generality that it is used to perform the identified abstract idea, see MPEP 2106.05(f).
Further, the applicant submits selecting threshold risk based on a risk schedule is not part of a mental process. However, changing the threshold risk based on a risk schedule is part of a mental process. Specifying thresholds can be performed mentally. The claims recite accessing a schedule that is associated with attributes, and then selecting a threshold based on the attributes. A person can easily identify a threshold that is dependent on specific attributes. The applicant's specification states, “For example, the risk schedule can specify lower risk thresholds - thereby triggering email quarantine for lower-risk emails - for recipients with human resources and accounting responsibilities within the domain (e.g., labeled with "human resources" or "accounting" attributes).” The specification’s discussion of the risk schedule shows choosing a different threshold for those with HR or accounting domains. A person could easily identify emails that are from human resources and quarantine those emails accordingly, thereby having a lower risk threshold.
Further, the applicant submits that the steps taken by the NLP models are beyond the realm of mental processes. However, the NLP model simply correlates natural language from a corpus of data to identify when specific words are likely to indicate financial attacks. Correlating certain phrases to be associated with financial attacks can be performed by the human mind. The NLP model recites an “apply it” level recitation and is used as a tool to perform the abstract idea, see MPEP 2106.05(f). Therefore, the examiner respectfully disagrees and the rejection is maintained.
Step 2A Prong 2:
Additionally, the applicant submits the claims integrate the abstract idea into practical application because there is a specific technical improvement to email security systems. Specifically, the applicant submits that rendering the annotated results in an email viewer is the technical improvement because the annotated scheme improves how email threats are displayed to users. However, a difference in the data displayed on the interface (email viewer) does not improve the interface technology itself. The difference is instead directed to the abstract idea of fraud detection rather than an improvement to the technology.
Further, the applicant submits an active learning feedback loop to retrain the model represents a technical improvement. However, iterative machine learning is common in machine learning model technology, and there is no improvement in the model itself. The output becomes more refined simply because of the additional data that is provided. Rather, the output of the machine only changes based on the data that is inputted, not because of a new learning algorithm.
Additionally, the applicant submits that the aforementioned abstract ideas and elements in combination constitute a specific technical solution to detecting financial attacks in emails. However, this is not an improvement to the technological elements such as the NLP model or risk model, but instead the improvement is directed to the abstract idea of fraud detection and the mental process used to detect financial attacks.
Step 2B:
The applicant also provides arguments regarding step 2B that are similar to the aforementioned arguments in step 2A. The same logic applies in step 2B as there is no improvement to the learning model or natural language model, and the other claim recitations such as the risk schedule or thresholds are directed to the abstract idea. Therefore, the elements cannot amount to significantly more as they fall under section 2106.05(f) of the MPEP. Therefore, the examiner respectfully disagrees with the applicant’s arguments and the rejection is maintained.
Regarding 35 USC 103:
The applicant submits the cited references do not teach the newly amended features in independent claim (from previous dependent claims 2 and 20), because the risk schedule is a specific data structure correlating threshold risks and combinations of recipient attributes. However, the claims simply recite steps of retrieving attributes, accessing risk schedule specifying thresholds, and selecting thresholds based on the attributes. All of these steps under broadest reasonable interpretation are shown in the cited reference LaRosa in previously rejected claims 2 and 20. The applicant further submits the risk schedule is a targeted attribute-based approach to threshold selection that adapts the sensitivity of the detection based on patterns. However, LaRosa shows sensitivity of detection based on patterns in paragraph 60. The reference shows that high risk individuals are labeled “high risk” which contributes to overall scoring.
Further, the applicant submits LaRosa does not teach target frequency of recipients represented by unique combinations of recipient attributes. However, figure 4 of LaRosa shows various attributes which include frequency. Therefore, the examiner respectfully disagrees and the rejection is maintained.
Further, the applicant argues the references don’t teach the cohesive integrated approach, and that there was no motivation to combine the references to arrive at the specific combination of features. In response to applicant’s argument that there is no teaching of a cohesive integrated approach without suggestion or motivation to combine the references, the examiner recognizes that obviousness may be established by combining or modifying the teachings of the prior art to produce the claimed invention where there is some teaching, suggestion, or motivation to do so found either in the references themselves or in the knowledge generally available to one of ordinary skill in the art. See In re Fine, 837 F.2d 1071, 5 USPQ2d 1596 (Fed. Cir. 1988), In re Jones, 958 F.2d 347, 21 USPQ2d 1941 (Fed. Cir. 1992), and KSR International Co. v. Teleflex, Inc., 550 U.S. 398, 82 USPQ2d 1385 (2007). In this case, the combination of features would have yielded predictable results to one of ordinary skill. As stated in the motivation statement in the previous rejection of the independent claims, applying known techniques (highlighting) would yield predictable results. For example, simply adding highlighting (Blumenthal) to visually indicate malicious portions of an email would have been obvious to one of ordinary skill. Additionally, as stated in the motivation statement of the previous rejection, incorporating a training method (Jeyakumar) would have been obvious to one of ordinary skill. Simply pulling data from different parts of an email to train a model that detects malicious emails would have yielded predictable results. Therefore, the examiner respectfully disagrees and the rejection is maintained.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1, 3-19, and 21 are rejected under 35 U.S.C. 101 because the claimed invention is directed to judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) with no practical application and without significantly more.
Step 1: Claims 1, 3-19, and 21 are method claims. Thus, each claim on its face is directed towards one of the statutory categories of 35 USC 101. However, all claims are rejected under 35 USC 101 because the claimed invention is directed to an abstract idea without significantly more.
Step 2A Prong 1: The independent claims (1, 18, and 19) recite methods to detect financial attacks in emails. These elements are being interpreted as concepts performed in the human mind (including observation, evaluation, judgement, and opinion). The evaluation of emails to identify potentially threatening language signals can equivalently be done by pen and paper, and attacks could be detected through human observation of the emails. Additionally, the independent claims recite “calculating a risk”. This element is being interpreted as a mathematical concept because the output of “calculating risk” is then compared to a threshold, indicating a numerical value output and calculation taking place.
Step 2A Prong 2: If the claims are directed toward the judicial exception of an abstract idea, it must then be determined under Step 2A Prong 2 whether the judicial exception is integrated into a practical application.
The instant application fails to integrate the judicial exception into a practical application because the instant application merely recites an “apply it” (or an equivalent) with the judicial exception, or merely includes instructions to implement an abstract idea. The instant application is directed towards a method and systems to implement the identified abstract idea of receiving information, processing information, and displaying the result of the analysis (i.e. processing natural language data to evaluate the presence of a financial attack) on a generically claimed computer structure. The claims do not include additional elements that amount to significantly more than the judicial exception. The independent claims recite the additional elements “a risk model”, “a first natural language processing (NLP) model”, “a second NLP model”, and “an email viewer”. These claim elements are recited at a high level of generality such that they amount to no more than mere instructions to apply the exception using a general computer environment. The machines merely act as a modality to implement the abstract idea and are not indicative of integration into a practical application (i.e., the additional elements are simply used as a tool to perform the abstract idea), see MPEP 2106.05(f).
Step 2B: The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed in Step 2A Prong Two, the additional elements in the claims amount to no more than mere instructions to apply the exception using generic computer components. The same analysis applies here in 2B and does not provide an inventive concept.
In regards to the dependent claims:
Claims 3-17 and 21 do not introduce any new additional abstract ideas or new additional elements and do not impact analysis under 35 USC 101.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1, 3-11, 14-19, and 21 are rejected under 35 U.S.C. 103 as being unpatentable over LaRosa (US 20170251006 A1) in view of Blumenthal (US 20060218485 A1) in further view of Jeyakumar (US 20200344251 A1).
Regarding Claim 1, LaRosa teaches:
A method for detecting financial attacks in emails comprising: accessing an email inbound to a recipient address the recipient address associated with a recipient attribute; [(Para 0055) “In one embodiment, a system is running an email server software and is configured to be positioned “inline” in order to monitor email communications”]
retrieving the recipient attribute of a recipient associated with the recipient address; [(Para 0016) “obtain each communication going to and from the first domain and: analyze one or more parameters of the obtained communication; store the analyzed one or more parameters of the obtained communication with respect to a sender of the obtained communication and one or more recipients of each obtained communication”, (Para 0017) “for each communication going to or coming from the first domain, to:”, (Figure 4)]
accessing a risk schedule specifying a set of threshold risks, each threshold risk in the set of threshold risks associated with a unique combination of recipient attributes and based on malicious targeting frequency of recipients represented by the unique combination of recipient attributes within the email domain; [(Para 0017) “generate a risk score for the communication as function of the comparison to the stored relationships and associated characterizations; and process the communication as function of a comparison of the generated risk score to one more predetermined threshold values comprising: an alerting threshold value, a notification threshold value, and a communications labeling threshold value.”]
selecting a threshold risk, from the risk schedule, based on the recipient attribute; [(Para 0060) “Users identified as “High Risk” will have the Boolean value of 1 set in the attribute called “High Risk” on the Node in the graph database”, (Para 0047) “A rules engine provides for customized alerting based on user defined thresholds that are based on organizational risk tolerance”, (Para 0039) “using the risk score parameters in an actions engine in any combination to determine alerting thresholds, notification thresholds”]
scanning a body of the email for a set of language signals; [(Para 0057) “Thus, as presented in FIG. 5, inbound email is analyzed to extract communications components, e.g., header and body information.”]
correlating, using a first natural language processing (NLP) model trained on a financial services and financial transaction lexicon, a first sequence of words, in the email, with a financial signal in the set of language signals; [The limitations recite correlating words with a chosen signal, the signal type/category (financial, action, urgency, etc.) is non-functional descriptive material that does not carry patentable weight; (Para 0099) “As the communications are classified, they will feed back to the social graph tagging messages with the predicted communications classifiers, e.g., financial transactions, supply chain activity, header/footer mismatches, abnormal increases in the use of formality, etc.”, (Para 0049) “simultaneously the linguistics profiling of the messages and attachments are occurring… a corpus database is consulted of pre-built terms and phrases supplied both by the users of the system and the makers of the system”]
correlating, using a second NLP model trained on an action request and prompt lexicon, a second sequence of words, in the email, with an action request signal in the set of language signals; [The limitations again recite correlating words with a chosen signal, the signal type/category (financial, action, urgency, etc.) is non-functional descriptive material that does not carry patentable weight; (Para 0053) “A third aspect requiring detection in this scenario is the ‘ask.’ … getting the insider to take action on the objective controlled by the insider”, (Para 0049) “simultaneously the linguistics profiling of the messages and attachments are occurring…. a corpus database is consulted of pre-built terms and phrases supplied both by the users of the system and the makers of the system”]
calculating, using the risk model trained on past emails, a risk score for the email representing a financial attack based on a combination of the financial signal and the action request signal detected in the email; and [(Para 0029) “profiling electronic communications creating patterns of behavior from the various elements of the electronic communications identifying risk elements of the communications used to determine impersonations of the communications”, (Para 0064) “The content acquisition engines will extract/lookup/count/calculate the respective elements… [a]ssociated relationships and counts will be calculated based on the schema diagrams from the above two diagrams for use in the risk score calculations”]
redirecting the email to a quarantine folder. [(Figure 5), (Para 0039)]
receiving input from an administrator indicating that the first sequence of words and the second sequence of words indicate the email is a malicious email; [(Para 0111-0118) “isolating, messages that are over the organizational tolerance level of risk points going forward for later manual review or modifying the message to send to recipients with a warning indicator of risk score data… [a]nalysts reviewing held messages for legitimacy and making a decision as to handling…[p]reserving, but not passing along, “true” positives, i.e., those emails deemed to be an impersonation/insider threat, and a copy of the full message is preserved for forensic evidence…[S]etting the Boolean flag value to 1 in the social graph marking the fraudulent email address as a known malicious email address for future risk scoring consideration”]
and retraining the risk model using the email and the input from the administrator to improve the risk model [(Para 0118) “Setting the Boolean flag value to 1 in the social graph marking the fraudulent email address as a known malicious email address for future risk scoring consideration.”]
in response to the risk exceeding the selected threshold risk indicating the email is malicious: [(Para 0016) “the processor to manage a fraudulent communications detection system”, (Para 0017) “and process the communication as function of a comparison of the generated risk score to one more predetermined threshold values comprising: an alerting threshold value, a notification threshold value, and a communications labeling threshold value” (Para 0030) “being placed in-line with receiving electronic communications for any combination of detection, prevention, labeling of messages, or alerting”]
While LaRosa teaches the method for detecting attacks, calculating risk, and taking subsequent action, it does not explicitly teach:
obtaining a first set of past emails that include first language in first bodies of the first set of past emails identified as being malicious; obtaining a second set of past emails that include second language in second bodies of the second set of past emails identified as being benign;
assigning malicious labels to the first set of past emails and the benign labels to the second set of past emails to generate training data;
training a risk model unique to an email domain using the training data such that the risk model is trained to output risk scores indicating likelihoods that language in bodies of future emails is malicious or benign;
annotating the first sequence of words in the email according to a first visual highlighting scheme associated with the financial signal, wherein the first visual highlighting scheme visually distinguishes the first sequence of words corresponding to the financial signal; annotating the second sequence of words in the email according to a second visual highlighting scheme associated with the action request signal, the second visual highlighting scheme different from the first visual highlighting scheme, wherein the second visual highlighting scheme visually distinguishes the second sequence of words corresponding to the action request signal from the first sequence of words; and redirecting the email to a quarantine folder.
rendering within an email viewer, the email with the first sequence of words highlighted according to the first visual highlighting scheme and with the second sequence of words highlighted according to the second visual highlighting scheme
labeling the first visual highlighting scheme as corresponding to the financial signal; labeling the second visual highlighting scheme as corresponding to the action request signal;
However, Blumenthal teaches:
annotating the first sequence of words in the email according to a first visual highlighting scheme associated with the financial signal, wherein the first visual highlighting scheme visually distinguishes the first sequence of words corresponding to the financial signal; annotating the second sequence of words in the email according to a second visual highlighting scheme associated with the action request signal, the second visual highlighting scheme different from the first visual highlighting scheme, wherein the second visual highlighting scheme visually distinguishes the second sequence of words corresponding to the action request signal from the first sequence of words; [(Para 0007) “The invention is a process that automatically annotates arbitrary collections of data” (Para 0012) “A further object of the invention is to provide a process and system that can annotate data in many different ways, including but not limited to highlighting, graphics, audio or video indications, highlighting, etc”, (Para 0059) “The presence of an annotation could be indicated by a superscript, a subscript, format change (possibly but not necessarily including italics, bold text, typeface or size changes, highlighting, etc”]
rendering within an email viewer, the email with the first sequence of words highlighted according to the first visual highlighting scheme and with the second sequence of words highlighted according to the second visual highlighting scheme; [(Para 0051) “FIG. 3 shows an example of a webpage which has undergone analysis and annotation step 11, and has been displayed to the user in presentation step 13. In this example, the annotations are indicated by highlighted text”]
labeling the first visual highlighting scheme as corresponding to the financial signal;
labeling the second visual highlighting scheme as corresponding to the action request signal; [(Para 0006) “Rather, the invention provides for distinctive types of annotation”, (Para 0052) “A user could select one or more annotations, all annotations simultaneously, or set up an automated process to select a particular type of annotation (e.g., references to case law, intransitive verbs, etc.)”]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the method taught by LaRosa with the highlighting method taught by Blumenthal. Simply applying the known technique of annotating and highlighting would yield predictable results. One of ordinary skill would have recognized that rendering different signals taught by LaRosa with different highlighting schemes taught by Blumenthal would help visually distinguish the signals.
While LaRosa in view of Blumenthal teaches a risk model that labels emails, and a visual highlighting scheme, they do not explicitly teach the labeling using the content of the body of the email:
obtaining a first set of past emails that include first language in first bodies of the first set of past emails identified as being malicious; obtaining a second set of past emails that include second language in second bodies of the second set of past emails identified as being benign;
assigning malicious labels to the first set of past emails and the benign labels to the second set of past emails to generate training data;
training a risk model unique to an email domain using the training data such that the risk model is trained to output risk scores indicating likelihoods that language in bodies of future emails is malicious or benign;
However, Jeyakumar teaches:
obtaining a first set of past emails that include first language in first bodies of the first set of past emails identified as being malicious; obtaining a second set of past emails that include second language in second bodies of the second set of past emails identified as being benign; [(Figure 7), (Para 0027) “FIG. 7 depicts how the vast majority of incoming messages may be classified as non-malicious while a small percentage of incoming messages may be classified as malicious”, (Para 0077) “In some embodiments, the system 300 detects attacks based on the entire email (e.g., including the content of the body)”, (Para 0161) “For example, a human may label different elements included in a dataset for the purpose of training a ML model.”]
assigning malicious labels to the first set of past emails and the benign labels to the second set of past emails to generate training data; [(Para 102) “The analysis module 312 can instruct the ML models to categorize the deviations in an incoming email as indicating a likely malicious email or a likely non-malicious email, as well as categorize the email according to a possible attack type”, (Para 0161) “For example, a human may label different elements included in a dataset for the purpose of training a ML model.”]
training a risk model unique to an email domain using the training data such that the risk model is trained to output risk scores indicating likelihoods that language in bodies of future emails is malicious or benign; [(Para 0106) “In some embodiments, the training data can include historical threats that have been previously identified in customer inboxes. In some embodiments, different ML models employed have been developed for different known types of attacks. In some embodiments, emails are scored, weighted, or assigned a percentage or numerical value based on using these ML model(s). In some embodiments, if an email scores over the threshold for any of the ML models, it may be flagged, unless a heuristic or other element of the threat detection platform 302 indicates that it should not be flagged”, (Para 0211) “For example, the threat detection platform may parse each email included in the first data to discover one or more attributes, and then the threat detection platform can provide these attributes to the ML model as input for training. Examples of attributes include the sender name, sender email address, subject, etc. Because the personalized ML model is trained using past emails received by the employee”]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the method of detecting and highlighting malicious emails taught by LaRosa in view of Blumenthal, with the method of labeling using the content of the body of the email taught by Jeyakumar. Simply using different parts of the email to train the machine learning model would have been obvious to one of ordinary skill. Additionally combining the risk models of LaRosa in view of Blumenthal and Jeyakumar yields a predictable result in identifying malicious vs benign emails.
Regarding Claim 3, LaRosa in view of Blumenthal in further view of Jeyakumar teaches the limitations set forth above.
While LaRosa teaches the method for detecting attacks, calculating risk, and taking subsequent action, it does not explicitly teach:
wherein annotating the first sequence of words in the email according to the first visual highlighting scheme comprises highlighting the first sequence of words in the email with a first color according to the first visual highlighting scheme
wherein annotating the second sequence of words in the email according to the second visual highlighting scheme comprises highlighting the second sequence of words in the email with a second color, different from the first color, according to the second visual highlighting scheme; and
further comprising, within an email viewer, in response to selection of the email from the quarantine folder: rendering the email with the first sequence of words highlighted in the first color and with the second sequence of words highlighted in the second color; labeling the first color as corresponding to the financial signal; and labeling the second color as corresponding to the action request signal
However, Blumenthal teaches:
wherein annotating the first sequence of words in the email according to the first visual highlighting scheme comprises highlighting the first sequence of words in the email with a first color according to the first visual highlighting scheme [(Figure 1, step 10-11) (Para 0011) “A further object of the invention is to provide a process and system that can be used to annotate many different forms of data, including but not limited to … text” (Para 0012) “A further object of the invention is to provide a process and system that can annotate data in many different ways, including but not limited to highlighting…”]
wherein annotating the second sequence of words in the email according to the second visual highlighting scheme comprises highlighting the second sequence of words in the email with a second color, different from the first color, according to the second visual highlighting scheme; and [The use of color in highlighting is not a patentable distinction. The claim limitations recite annotating a separate set of data with a visual method, (Figure 1, step 10-11) (Para 0011) “A further object of the invention is to provide a process and system that can be used to annotate many different forms of data, including but not limited to … text” (Para 0012) “A further object of the invention is to provide a process and system that can annotate data in many different ways, including but not limited to highlighting…”]
further comprising, within an email viewer, in response to selection of the email from the quarantine folder: rendering the email with the first sequence of words highlighted in the first color and with the second sequence of words highlighted in the second color; labeling the first color as corresponding to the financial signal; and labeling the second color as corresponding to the action request signal [The use of different color in highlighting is not a patentable distinction. The claim limitations recite presenting the annotated data visually to the user (Figure 1, step 13) (Para 0025) “presentation step” (Para 0012) “A further object of the invention is to provide a process and system that can annotate data in many different ways, including but not limited to highlighting”]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the method taught by LaRosa with the highlighting method taught by Blumenthal. Simply applying the known technique of annotating and highlighting would yield predictable results.
Regarding Claim 4, LaRosa in view of Blumenthal in further view of Jeyakumar teaches the limitations set forth above.
LaRosa further teaches:
wherein redirecting the email to the quarantine folder comprises redirecting the email from an email inbox to the quarantine folder within an email account at the recipient address; and [(Figure 5)]
further comprising: in response to selection of the email from the quarantine folder, rendering the email with a risk alert, [(Para 0104) “the system will be put into prevent mode or alert mode depending on the desires of the implementers. Prevent mode will be used to stop and hold suspicious email messages meeting the risk scoring thresholds. Alert mode will allow all messages to pass but will keep copies of messages triggering alerts for investigators to follow up on.”]
intercepting a second email inbound to the recipient address; [(Para 0055) “In one embodiment, a system is running an email server software and is configured to be positioned “inline” in order to monitor email communications” (Figure 3)]
scanning a second body of the second email for the set of language signals; [(Para 0057) “Thus, as presented in FIG. 5, inbound email is analyzed to extract communications components, e.g., header and body information.”]
correlating a third sequence of words, in the second email, with the financial signal; [(Para 0099) “As the communications are classified, they will feed back to the social graph tagging messages with the predicted communications classifiers, e.g., financial transactions, … etc.”]
correlating a fourth sequence of words, in the second email, with the action request signal; [(Para 0053) “A third aspect requiring detection in this scenario is the “ask.” … getting the insider to take action on the objective controlled by the insider.”]
calculating a second risk for the second email representing a second financial attack based on a second combination of the financial signal and the action request signal detected in the second email; [(Para 0064) “The content acquisition engines will extract/lookup/count/calculate the respective elements… [a]ssociated relationships and counts will be calculated based on the schema diagrams from the above two diagrams for use in the risk score calculations and linguistic analytics”]
in response to the second risk falling below the threshold risk: releasing the second email to an email inbox within the email account at the recipient address; and [(Para 0039) “using the risk score parameters in an actions engine in any combination to determine alerting thresholds, notification thresholds, labeling of messages for other integration actions”]
While LaRosa teaches scanning the email for signals and calculating risk, it does not explicitly teach:
with the first sequence of words highlighted according to the first visual highlighting scheme, and with the second sequence of words highlighted according to the second visual highlighting scheme;
annotating the third sequence of words in the second email according to the first visual highlighting scheme associated with the financial signal;
annotating the fourth sequence of words in the second email according to the second visual highlighting scheme associated with the action request signal; and
in response to selection of the second email from the email inbox, rendering the second email with the third sequence of words highlighted according to the first visual highlighting scheme and with the fourth sequence of words highlighted according to the second visual highlighting scheme.
However, Blumenthal teaches:
with the first sequence of words highlighted according to the first visual highlighting scheme, and with the second sequence of words highlighted according to the second visual highlighting scheme; [(Figure 1, step 10-11) (Para 0011) “A further object of the invention is to provide a process and system that can be used to annotate many different forms of data, including but not limited to … text” (Para 0012) “A further object of the invention is to provide a process and system that can annotate data in many different ways, including but not limited to highlighting…”]
annotating the third sequence of words in the second email according to the first visual highlighting scheme associated with the financial signal [(Figure 1, step 10-11) (Para 0011) “A further object of the invention is to provide a process and system that can be used to annotate many different forms of data, including but not limited to … text” (Para 0012) “A further object of the invention is to provide a process and system that can annotate data in many different ways, including but not limited to highlighting…”]
annotating the fourth sequence of words in the second email according to the second visual highlighting scheme associated with the action request signal; and [The claim limitations recite annotating a separate set of data with a visual method, (Figure 1, step 10-11) (Para 0011) “A further object of the invention is to provide a process and system that can be used to annotate many different forms of data, including but not limited to … text” (Para 0012) “A further object of the invention is to provide a process and system that can annotate data in many different ways, including but not limited to highlighting…”]
in response to selection of the second email from the email inbox, rendering the second email with the third sequence of words highlighted according to the first visual highlighting scheme and with the fourth sequence of words highlighted according to the second visual highlighting scheme. [The claim limitations recite presenting the annotated data visually to the user (Figure 1, step 13) (Para 0025) “presentation step” (Para 0012) “A further object of the invention is to provide a process and system that can annotate data in many different ways, including but not limited to highlighting”]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the method taught by LaRosa with the highlighting method taught by Blumenthal. Simply applying the known technique of annotating and highlighting would yield predictable results.
Regarding Claim 5, LaRosa in view of Blumenthal in further view of Jeyakumar teaches the limitations set forth above.
LaRosa further teaches:
wherein redirecting the email to the quarantine folder comprises redirecting the email from an email inbox to the quarantine folder within an email account at the recipient address; and further comprising: loading the email into an administrator folder [(Para 0104) “the system will be put into prevent mode or alert mode depending on the desires of the implementers. Prevent mode will be used to stop and hold suspicious email messages meeting the risk scoring thresholds. Alert mode will allow all messages to pass but will keep copies of messages triggering alerts for investigators to follow up on.”]
in response to manual identification of the email as malicious within the administrator email viewer prior to review of the email in the quarantine folder, discarding the email from the quarantine folder within the email account at the recipient address [(Para 108-115) “the passing or blocking of emails will occur based on one or more of the following steps:… [q]uarantining… [r]eviewing messages to determine validity…[r]eviewing held messages for legitimacy and making a decision as to handling”]
While LaRosa teaches directing emails for viewing and analysis, it does not explicitly teach:
within an administrator email viewer, in response to selection of the email from the administrator folder: rendering the email with the first sequence of words highlighted in a first color according to the first visual highlighting scheme and with the second sequence of words highlighted in the second color according to the second visual highlighting scheme; labeling the first color as corresponding to the financial signal; and labeling the second color as corresponding to the action request signal
However, Blumenthal teaches:
within an administrator email viewer, in response to selection of the email from the administrator folder: rendering the email with the first sequence of words highlighted in a first color according to the first visual highlighting scheme and with the second sequence of words highlighted in the second color according to the second visual highlighting scheme; labeling the first color as corresponding to the financial signal; and labeling the second color as corresponding to the action request signal [The use of different color in highlighting is not a patentable distinction. The claim limitations recite presenting the annotated data visually to the user (Figure 1, step 13) (Para 0025) “presentation step” (Para 0012) “A further object of the invention is to provide a process and system that can annotate data in many different ways, including but not limited to highlighting”]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the method taught by LaRosa with the highlighting method taught by Blumenthal. Simply applying the known technique of annotating and highlighting would yield predictable results.
Regarding Claim 6, LaRosa in view of Blumenthal in further view of Jeyakumar teaches the limitations set forth above.
LaRosa further teaches:
wherein redirecting the email to the quarantine folder comprises redirecting the email from an email inbox to the quarantine folder within an email account at the recipient address; and further comprising: loading the email into an administrator folder: [(Para 0104) “the system will be put into prevent mode or alert mode depending on the desires of the implementers. Prevent mode will be used to stop and hold suspicious email messages meeting the risk scoring thresholds. Alert mode will allow all messages to pass but will keep copies of messages triggering alerts for investigators to follow up on.”]
in response to manual identification of the email as benign within the administrator email viewer prior to review of the email in the quarantine folder, transferring the email from the quarantine folder to the email inbox within the email account at the recipient address [(Para 108-115) “the passing or blocking of emails will occur based on one or more of the following steps:… [q]uarantining… [r]eviewing messages to determine validity…[r]eviewing held messages for legitimacy and making a decision as to handling”]
While LaRosa teaches directing and transferring emails, it does not explicitly teach:
within an administrator email viewer, in response to selection of the email from the administrator folder: rendering the email with the first sequence of words highlighted in a first color according to the first visual highlighting scheme and with the second sequence of words highlighted in the second color according to the second visual highlighting scheme; labeling the first color as corresponding to the financial signal; and labeling the second color as corresponding to the action request signal;
However, Blumenthal teaches:
within an administrator email viewer, in response to selection of the email from the administrator folder: rendering the email with the first sequence of words highlighted in a first color according to the first visual highlighting scheme and with the second sequence of words highlighted in the second color according to the second visual highlighting scheme; labeling the first color as corresponding to the financial signal; and labeling the second color as corresponding to the action request signal; [The use of different color in highlighting is not a patentable distinction. The claim limitations recite presenting the annotated data visually to the user (Figure 1, step 13) (Para 0025) “presentation step” (Para 0012) “A further object of the invention is to provide a process and system that can annotate data in many different ways, including but not limited to highlighting”]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the method taught by LaRosa with the highlighting method taught by Blumenthal. Simply applying the known technique of annotating and highlighting would yield predictable results.
Regarding Claim 7, LaRosa in view of Blumenthal in further view of Jeyakumar teaches the limitations set forth above.
LaRosa further teaches:
further comprising: scanning for email attachments; [(Para 0048) “A linguistics-profiling engine analyzes both the spoken communications as well as any included attachments containing machine-readable text.”]
in response to detecting an attachment in the email: extracting a set of characters from the attachment; and scanning the set of characters for the set of language signals; [(Para 0048) “A linguistics-profiling engine analyzes both the spoken communications as well as any included attachments containing machine-readable text.”]
correlating a third sequence of words, in the attachment, with a third signal in the set of language signals; and [(Para 0048) “As the communications are classified, they will feed back to the social graph tagging messages with the predicted communications classifiers, e.g., financial transactions, supply chain activity, header/footer mismatches, abnormal increases in the use of formality, etc.”]
wherein calculating the risk for the email comprises calculating the risk for the email based on the combination of: the financial signal and the action request signal detected in the email; and the third signal detected in the set of characters extracted from the attachment. [(Para 0049) “to proactively predict the types of communications these terms are related to so they can be contextually labeled, for example, money transfer, mergers and acquisitions, product development, etc. As the linguistics profiling occurs and labels and weights are assigned to the linguistics profiles based on the importance of certain phrases and terms, this increases the relative importance of the types of linguistic communications occurring in the conversations to be used in the scoring process for prevention of criminal activity.”]
Regarding Claim 8, LaRosa in view of Blumenthal in further view of Jeyakumar teaches the limitations set forth above.
LaRosa further teaches:
further comprising: intercepting a second email inbound to the recipient address from a sender at a second time; [(Para 0055) “In one embodiment, a system is running an email server software and is configured to be positioned “inline” in order to monitor email communications”]
scanning a second body of the second email for the set of language signals; [(Para 0057) “Thus, as presented in FIG. 5, inbound email is analyzed to extract communications components, e.g., header and body information.”]
correlating a third sequence of words, in the second email, with a third signal in the set of language signals; [(Para 0049) “As the social networks are created, simultaneously the linguistics profiling of the messages and attachments are occurring.”]
correlating a fourth sequence of words, in the second email, with a fourth signal in the set of language signals; [(Para 0049) “As the social networks are created, simultaneously the linguistics profiling of the messages and attachments are occurring.”]
calculating a second risk for the second email representing a second financial attack based on a second combination of the third signal and the fourth signal detected in the second email; and [(Para 0049) “As the linguistics profiling occurs and labels and weights are assigned to the linguistics profiles based on the importance of certain phrases and terms, this increases the relative importance of the types of linguistic communications occurring in the conversations to be used in the scoring process for prevention of criminal activity.”]
in response to the second risk falling below the threshold risk, releasing the second email to an email inbox within an email account at the recipient address; [(Para 0039) “using the risk score parameters in an actions engine in any combination to determine alerting thresholds, notification thresholds, labeling of messages for other integration actions”]
wherein accessing the email comprises intercepting the email inbound to the recipient address from the sender at a first time succeeding the second time; [(Para 0055) “In one embodiment, a system is running an email server software and is configured to be positioned “inline” in order to monitor email communications”]
further comprising identifying the first email and the second email as forming an email thread; [(Para 0048) “As the communications occur, the social network is learned and continuously updated with all of the relevant parameters of the individuals communicating with each other.” (Para 0049) “creating a labeled and graphed relationship of the communications directionally from the sender to the recipient of both the spoken communications and any attachments.”]
wherein calculating the risk for the email comprises, in response to identifying the first email and the second email as forming the email thread, calculating the risk for the email thread based on the combination of: the financial signal and the action request signal detected in the email; and the third signal detected in the second email; and [(Para 0064) “The content acquisition engines will extract/lookup/count/calculate the respective elements… [a]ssociated relationships and counts will be calculated based on the schema diagrams from the above two diagrams for use in the risk score calculations and linguistic analytics”]
further comprising, in response to the risk exceeding the threshold risk, transferring the second email from the email inbox to the quarantine folder within the email account at the recipient address. [(Figure 5)]
Regarding Claim 9, LaRosa in view of Blumenthal in further view of Jeyakumar teaches the limitations set forth above.
LaRosa further teaches:
wherein correlating the first sequence of words, in the email, with the financial signal comprises: accessing a first natural language processing model trained on a financial services and financial transaction lexicon; [(Para 0049) “simultaneously the linguistics profiling of the messages and attachments are occurring… a corpus database is consulted of pre-built terms and phrases supplied both by the users of the system and the makers of the system”] based on the first natural language processing model, identifying the first sequence of words, related to financial transactions, in the email; [(Figure 2), (Para 0099) “As the communications are classified, they will feed back to the social graph tagging messages with the predicted communications classifiers, e.g., financial transactions”] normalizing the first sequence of words to a first standard financial transaction language concept; and [(Para 0049) “Applying the Levenshtein distance algorithm, to proactively predict the types of communications these terms are related to so they can be contextually labeled”] representing the first standard financial transaction language concept in the financial signal; [(Figure 2), (Para 0050) “The labeling process is one component allowing the users of the system to build in self-supplied linguistics intelligence”]
further comprising: based on the first natural language processing model, identifying a third sequence of words, related to financial transactions, in the email; [(Figure 2), (Para 0099) “As the communications are classified, they will feed back to the social graph tagging messages with the predicted communications classifiers, e.g., financial transactions”] normalizing the third sequence of words to a second standard financial transaction language concept; and [(Para 0049) “Applying the Levenshtein distance algorithm, to proactively predict the types of communications these terms are related to so they can be contextually labeled”] representing the second standard financial transaction language concept in a second financial signal; [The limitations recite a learned method of identifying potential words or similar phrases that align with a signal type, that can be repeatedly iterated; (Figure 2), (Para 0050) “The labeling process is one component allowing the users of the system to build in self-supplied linguistics intelligence”]
wherein correlating the second sequence of words, in the email, with the action request signal comprises: accessing a second natural language processing model trained on an action request and prompt lexicon; [(Para 0049) “simultaneously the linguistics profiling of the messages and attachments are occurring…. a corpus database is consulted of pre-built terms and phrases supplied both by the users of the system and the makers of the system”] based on the second natural language processing model, identifying the second sequence of words, describing an action request, in the email; [(Figure 2), (Para 0053) “A third aspect requiring detection in this scenario is the ‘ask.’… [g]etting the insider to take action”] normalizing the second sequence of words to a standard action request language concept; and [(Para 0049) “Applying the Levenshtein distance algorithm, to proactively predict the types of communications these terms are related to so they can be contextually labeled”] representing the standard action request language concept in the action request signal; [The limitations recite a learned method of identifying potential words or similar phrases that align with a signal type, that can be repeatedly iterated (Figure 2), (Para 0050) “The labeling process is one component allowing the users of the system to build in self-supplied linguistics intelligence”]
wherein calculating the risk for the email comprises calculating the risk for the email based on the combination of the financial signal, the second financial signal, and the action request signal detected in the email. [(Para 0017) “analyze one or more parameters of the communication; extrapolate and characterize each of one or more relationships among the sender and one or more recipients of the communication as a function of the analyzed one or more parameters”, (Para 0064) “Associated relationships and counts will be calculated based on the schema diagrams from the above two diagrams for use in the risk score calculations”]
While LaRosa teaches using a database to teach a natural language processing model, and further iteratively training the model, it does not teach:
further comprising annotating the third sequence of words in the email according to the first visual highlighting scheme;
However, Blumenthal teaches:
further comprising annotating the third sequence of words in the email according to the first visual highlighting scheme; [(Figure 1, step 10-11) (Para 0011) “A further object of the invention is to provide a process and system that can be used to annotate many different forms of data, including but not limited to … text” (Para 0012) “A further object of the invention is to provide a process and system that can annotate data in many different ways, including but not limited to highlighting…”]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the method taught by LaRosa with the highlighting method taught by Blumenthal. Simply applying the known technique of annotating and highlighting would yield predictable results.
Regarding Claim 10, LaRosa in view of Blumenthal in further view of Jeyakumar teaches the limitations set forth above.
LaRosa further teaches:
wherein correlating the first sequence of words, in the email, with the financial signal comprises: accessing a first natural language processing model trained on a financial services and financial transaction lexicon; [(Para 0049) “simultaneously the linguistics profiling of the messages and attachments are occurring…. a corpus database is consulted of pre-built terms and phrases supplied both by the users of the system and the makers of the system”] based on the first natural language processing model, identifying the first sequence of words, related to financial transactions, in the email; [(Figure 2), (Para 0099) “As the communications are classified, they will feed back to the social graph tagging messages with the predicted communications classifiers, e.g., financial transactions”] normalizing the first sequence of words to a first standard financial transaction language concept; and [(Para 0049) “Applying the Levenshtein distance algorithm, to proactively predict the types of communications these terms are related to so they can be contextually labeled”] representing the first standard financial transaction language concept in the financial signal; [(Figure 2), (Para 0050) “The labeling process is one component allowing the users of the system to build in self-supplied linguistics intelligence”]
wherein correlating the second sequence of words, in the email, with the action request signal comprises: accessing a second natural language processing model trained on an action request and prompt lexicon; [(Para 0049) “simultaneously the linguistics profiling of the messages and attachments are occurring… a corpus database is consulted of pre-built terms and phrases supplied both by the users of the system and the makers of the system”] based on the second natural language processing model, identifying the second sequence of words, describing an action request, in the email; [(Figure 2), (Para 0053) “A third aspect requiring detection in this scenario is the ‘ask.’… [g]etting the insider to take action”] normalizing the second sequence of words to a standard action request language concept; and [(Para 0049) “Applying the Levenshtein distance algorithm, to proactively predict the types of communications these terms are related to so they can be contextually labeled”] representing the standard action request language concept in the action request signal; [The limitations recite a learned method of identifying potential words or similar phrases that align with a signal type, that can be repeatedly iterated (Figure 2), (Para 0050) “The labeling process is one component allowing the users of the system to build in self-supplied linguistics intelligence”]
further comprising: accessing a third natural language processing model trained on a sensitive data lexicon; [(Para 0049) “simultaneously the linguistics profiling of the messages and attachments are occurring… a corpus database is consulted of pre-built terms and phrases supplied both by the users of the system and the makers of the system”] based on the third natural language processing model, identifying a third sequence of words, describing sensitive personal information, in the email; [(Figure 2), (Para 0028) “In addition, the system detects confidential and sensitive information”] normalizing the third sequence of words to a standard sensitive data language concept; [(Para 0049) “Applying the Levenshtein distance algorithm, to proactively predict the types of communications these terms are related to so they can be contextually labeled”] representing the standard sensitive data language concept in a sensitive data signal; and [The limitations recite a learned method of identifying potential words or similar phrases that align with a signal type, that can be repeatedly iterated (Figure 2), (Para 0050) “The labeling process is one component allowing the users of the system to build in self-supplied linguistics intelligence”]
wherein calculating the risk for the email comprises calculating the risk for the email based on the combination of the financial signal, the action request signal, and the sensitive data signal detected in the email. [(Para 0017) “analyze one or more parameters of the communication; extrapolate and characterize each of one or more relationships among the sender and one or more recipients of the communication as a function of the analyzed one or more parameters” (Para 0064) “Associated relationships and counts will be calculated based on the schema diagrams from the above two diagrams for use in the risk score calculations”]
While LaRosa teaches using a database to teach a natural language processing model, and further iteratively training the model, it does not teach:
annotating the third sequence of words in the email according to a third visual highlighting scheme associated with the sensitive data signal, the third visual highlighting scheme different from the first visual highlighting scheme and the second visual highlighting scheme;
However, Blumenthal teaches:
annotating the third sequence of words in the email according to a third visual highlighting scheme associated with the sensitive data signal, the third visual highlighting scheme different from the first visual highlighting scheme and the second visual highlighting scheme; [(Figure 1, step 10-11) (Para 0011) “A further object of the invention is to provide a process and system that can be used to annotate many different forms of data, including but not limited to … text” (Para 0012) “A further object of the invention is to provide a process and system that can annotate data in many different ways, including but not limited to highlighting…”]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the method taught by LaRosa with the highlighting method taught by Blumenthal. Simply applying the known technique of annotating and highlighting would yield predictable results.
Regarding Claim 11, LaRosa in view of Blumenthal in further view of Jeyakumar teaches the limitations set forth above.
LaRosa further teaches:
wherein correlating the first sequence of words, in the email, with the financial signal comprises: accessing a first natural language processing model trained on a financial services and financial transaction lexicon; [(Para 0049) “simultaneously the linguistics profiling of the messages and attachments are occurring… a corpus database is consulted of pre-built terms and phrases supplied both by the users of the system and the makers of the system”] based on the first natural language processing model, identifying the first sequence of words, related to financial transactions, in the email; [(Figure 2), (Para 0099) “As the communications are classified, they will feed back to the social graph tagging messages with the predicted communications classifiers, e.g., financial transactions”] normalizing the first sequence of words to a first standard financial transaction language concept; and [(Para 0049) “Applying the Levenshtein distance algorithm, to proactively predict the types of communications these terms are related to so they can be contextually labeled”] representing the first standard financial transaction language concept in the financial signal; [(Figure 2), (Para 0050) “The labeling process is one component allowing the users of the system to build in self-supplied linguistics intelligence”]
wherein correlating the second sequence of words, in the email, with the action request signal comprises: accessing a second natural language processing model trained on an action request and prompt lexicon; [(Para 0049) “simultaneously the linguistics profiling of the messages and attachments are occurring…. a corpus database is consulted of pre-built terms and phrases supplied both by the users of the system and the makers of the system”] based on the second natural language processing model, identifying the second sequence of words, describing an action request, in the email; [(Figure 2), (Para 0053) “A third aspect requiring detection in this scenario is the ‘ask.’… [g]etting the insider to take action”] normalizing the second sequence of words to a standard action request language concept; and [(Para 0049) “Applying the Levenshtein distance algorithm, to proactively predict the types of communications these terms are related to so they can be contextually labeled”] representing the standard action request language concept in the action request signal; [The limitations recite a learned method of identifying potential words or similar phrases that align with a signal type, that can be repeatedly iterated (Figure 2), (Para 0050) “The labeling process is one component allowing the users of the system to build in self-supplied linguistics intelligence”]
further comprising: accessing a third natural language processing model trained on an urgency and deadline lexicon; [(Para 0049) “a corpus database is consulted of pre-built terms and phrases supplied both by the users of the system and the makers of the system”] based on the third natural language processing model, identifying a third sequence of words, describing urgency of the standard action request, in the email; [The limitations continue to recite identifying more sequences of data; whether the words/signal are financial, action, urgency, etc., the phrases describe the intended result, making it non-functional descriptive material; (Figure 2), (Para 0099) “As the communications are classified, they will feed back to the social graph tagging messages with the predicted communications classifiers”] normalizing the third sequence of words to a standard urgency language concept; [(Para 0049) “Applying the Levenshtein distance algorithm, to proactively predict the types of communications these terms are related to so they can be contextually labeled”] representing the standard urgency language concept in an urgency data signal; and [The limitations recite a learned method of identifying potential words or similar phrases that align with a signal type, that can be repeatedly iterated. (Figure 2), (Para 0050) “The labeling process is one component allowing the users of the system to build in self-supplied linguistics intelligence”]
wherein calculating the risk for the email comprises calculating the risk for the email based on the combination of the financial signal, the action request signal, and the urgency signal detected in the email. [(Para 0017) “analyze one or more parameters of the communication; extrapolate and characterize each of one or more relationships among the sender and one or more recipients of the communication as a function of the analyzed one or more parameters” (Para 0064) “Associated relationships and counts will be calculated based on the schema diagrams from the above two diagrams for use in the risk score calculations”]
While LaRosa teaches using a database to teach a natural language processing model, and further iteratively training the model, it does not teach:
annotating the third sequence of words in the email according to a third visual highlighting scheme associated with the urgency signal, the third visual highlighting scheme different from the first visual highlighting scheme and the second visual highlighting scheme;
However, Blumenthal teaches:
annotating the third sequence of words in the email according to a third visual highlighting scheme associated with the urgency signal, the third visual highlighting scheme different from the first visual highlighting scheme and the second visual highlighting scheme; [(Figure 1, step 10-11) (Para 0011) “A further object of the invention is to provide a process and system that can be used to annotate many different forms of data, including but not limited to … text” (Para 0012) “A further object of the invention is to provide a process and system that can annotate data in many different ways, including but not limited to highlighting…”]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the method taught by LaRosa with the highlighting method taught by Blumenthal. Simply applying the known technique of annotating and highlighting would yield predictable results.
Regarding Claim 14, LaRosa in view of Blumenthal in further view of Jeyakumar teach the limitations set forth above.
LaRosa further teaches:
wherein correlating the first sequence of words, in the email, with the financial signal comprises: accessing a first natural language processing model trained on a financial services and financial transaction lexicon; [(Para 0049) “a corpus database is consulted of pre-built terms and phrases supplied both by the users of the system and the makers of the system”] based on the first natural language processing model, identifying the first sequence of words, related to financial transactions, in the email; [(Figure 2), (Para 0099) “As the communications are classified, they will feed back to the social graph tagging messages with the predicted communications classifiers, e.g., financial transactions”] normalizing the first sequence of words to a first standard financial transaction language concept; and [(Para 0049) “Applying the Levenshtein distance algorithm, to proactively predict the types of communications these terms are related to so they can be contextually labeled”] representing the first standard financial transaction language concept in the financial signal; [(Figure 2), (Para 0050) “The labeling process is one component allowing the users of the system to build in self-supplied linguistics intelligence”]
wherein correlating the second sequence of words, in the email, with the action request signal comprises: accessing a second natural language processing model trained on an action request and prompt lexicon; [(Para 0049) “a corpus database is consulted of pre-built terms and phrases supplied both by the users of the system and the makers of the system”] based on the second natural language processing model, identifying the second sequence of words, describing an action request, in the email; [(Figure 2), (Para 0053) “A third aspect requiring detection in this scenario is the ‘ask.’… [g]etting the insider to take action”] normalizing the second sequence of words to a standard action request language concept; and [(Para 0049) “Applying the Levenshtein distance algorithm, to proactively predict the types of communications these terms are related to so they can be contextually labeled”] representing the standard action request language concept in the action request signal; [The limitations recite a learned method of identifying potential words or similar phrases that align with a signal type, that can be repeatedly iterated; (Figure 2), (Para 0050) “The labeling process is one component allowing the users of the system to build in self-supplied linguistics intelligence”]
further comprising: extracting a sender address from the email; [(Para 0065 & 0066)] querying a historical email database for a frequency of historical email communications between the sender address and the recipient addresses; and [(Para 0048) “As the communications occur, the social network is learned and continuously updated with all of the relevant parameters of the individuals communicating with each other. For example, things like frequency of the communications,” (Para 0073) “The DNS extract engine will take the extracted elements from the Header_Extract engine's routine and will use the DNS resolver to query for specific record information”] representing the frequency of historical email communications in a historical communication signal; and [(Figure 4) (Para 0048) “As the communications occur, the social network is learned and continuously updated with all of the relevant parameters of the individuals communicating with each other. For example, things like frequency of the communications,”]
wherein calculating the risk for the email comprises calculating the risk for the email based on the combination of: the financial signal and the action request signal detected in the email; and the historical communication signal. [(Para 0017) “extrapolate and characterize each of one or more relationships among the sender and one or more recipients of the communication as a function of the analyzed one or more parameters… generate a risk score for the communication as function of the comparison to the stored relationships and associated characterizations”]
Regarding Claim 15, LaRosa in view of Blumenthal in further view of Jeyakumar teach the limitations set forth above.
LaRosa further teaches:
The method of Claim 1: further comprising accessing a database of attack templates, each attack template in the database of attack templates: representing a known attack type; [(Para 0042) “learning content based analytics used in communications between parties over time provides communications patterns that are dissected to detail relevant ‘hot patterns’ relating to known targeted electronics communications by criminals based on specific organizational threats”] labeled with a risk score; and [(Para 0046) “Customizable scoring of suspicious behavior in order to trigger actions to be taken is provided.”] specify a set of signals indicative of an email-based attack of the known attack type; and [(Para 0105) “the scores of each individual parameter check can be completely customized, whitelisted, blacklisted or turned off, for certain scenarios of combinations of data elements collected.”]
wherein calculating the risk for the email comprises: matching the financial signal and the action request signal detected in the email to a set of signals specified in a particular attack template in the database of attack templates; reading a particular risk score from the particular attack template; and [The limitations recite using customized parameter/signal settings for scoring; (Para 0105-0106)] calculating the risk for the email based on the particular risk score. [(Para 0017) “extrapolate and characterize each of one or more relationships among the sender and one or more recipients of the communication as a function of the analyzed one or more parameters… generate a risk score for the communication as function of the comparison to the stored relationships and associated characterizations”]
Regarding Claim 16, LaRosa in view of Blumenthal in further view of Jeyakumar teach the limitations set forth above.
LaRosa further teaches:
The method of Claim 1: wherein accessing the email comprises intercepting the email inbound to the recipient address within an email domain; further comprising: accessing a corpus of past emails inbound to recipients within the email domain, [(Para 0017) “obtain each communication going to and from the first domain”] the corpus of past emails comprising a first subset of past emails labeled as malicious and a second subset of past emails labeled as benign; [(Para 118) “marking the fraudulent email address as a known malicious email address for future risk scoring consideration”] detecting financial signals and action request signals in the corpus of past emails; and [The limitations recite detecting signals. The signal type is an intended result making the signal type nonfunctional descriptive material; (Para 0099) “As the communications are classified, they will feed back to the social graph tagging messages with the predicted communications classifiers, e.g., financial transactions” (Para 0053) “getting the insider to take action”] training a risk model based on the first subset of past emails labeled as malicious, the second subset of past emails labeled as benign, and financial signals and action request signals detected in emails in the corpus of past emails, the risk model configured to return a risk score based on financial signals and action request signals detected in an inbound email; and [The limitations recite training a model based on previous data sets, each with parameter/signal characteristics, to return a score based on the parameters/signal of a new email; (Para 0107) “Pre-supplied corpus material used to train predictive model and are coupled with example data provided by customer to strengthen accuracy. 0 = 0% probability communication related to financial transactions, 1000 = extremely high probability communication is related to financial transactions”]
wherein calculating the risk for the email comprises inserting the financial signal and the action request signal, extracted from the email, into the risk model to calculate the risk for the email. [(Para 0017) “analyze one or more parameters of the communication; extrapolate and characterize each of one or more relationships among the sender and one or more recipients of the communication as a function of the analyzed one or more parameters” (Para 0064) “Associated relationships and counts will be calculated based on the schema diagrams from the above two diagrams for use in the risk score calculations”]
Regarding Claim 17, LaRosa in view of Blumenthal in further view of Jeyakumar teach the limitations set forth above.
LaRosa further teaches:
initializing the risk model based on the first subset of past emails labeled as malicious, the second subset of past emails labeled as benign, and financial signals and action request signals detected in the corpus of past emails; [(Para 118) “marking the fraudulent email address as a known malicious email address for future risk scoring consideration” (Para 0093) “classifier which will take and apply corpuses of known communications linguistics and learned patterns”] selecting a third subset of past emails, in the corpus of past emails, excluding malicious and benign labels; [(Figure 4, Figure 5 step 4 comparison to nearest neighbor)]
for each past email in the third subset of past emails: scanning a past body of the past email for language signals; and [(Para 0048) “A linguistics-profiling engine analyzes both the spoken communications as well as any included attachments containing machine-readable text.”] inserting language signals, extracted from the past email, into the risk model to calculate a past risk for the past email; [(Para 0107) “Pre-supplied corpus material used to train predictive model and are coupled with example data provided by customer”] identifying a fourth subset of past emails, from the third subset of past emails, associated with past risks exceeding the threshold risk; [The limitations recite identifying another set of potentially malicious emails from old data/past emails. Whether the method trains and identifies emails based on new or old data has no patentable weight on the claims as the same steps can be applied to new or old emails. (Para 0039) “using the risk score parameters in an actions engine in any combination to determine alerting thresholds, notification thresholds, labeling of messages for other integration actions and blocking of communications.”]
for each past email in the fourth subset of past emails: generating a prompt to investigate the past email; serving the prompt to an administrator; and labeling the past email according to a response supplied by the administrator; and [(Para 104); Paragraph discusses triggering alerts for investigators to follow up] retraining the risk model based on the first subset of past emails, the second subset of past emails, the fourth subset of past emails, and financial signals and action request signals detected in emails in the corpus of past emails. [The limitations recite using processed data to train a model. The data being new data or processed data has no patentable weight on the claims as the function of the model remains the same; (Para 0107) “Pre-supplied corpus material used to train predictive model and are coupled with example data provided by customer to strengthen accuracy.”]
Regarding Claim 18, LaRosa teaches:
A method for detecting financial attacks in emails comprising: intercepting an email inbound to a recipient address, the recipient address associated with a recipient attribute; [(Para 0055) “In one embodiment, a system is running an email server software and is configured to be positioned “inline” in order to monitor email communications”]
retrieving the recipient attribute of a recipient associated with the recipient address; [(Para 0016) “obtain each communication going to and from the first domain and: analyze one or more parameters of the obtained communication; store the analyzed one or more parameters of the obtained communication with respect to a sender of the obtained communication and one or more recipients of each obtained communication”, (Para 0017) “for each communication going to or coming from the first domain, to:”, (Figure 4)]
accessing a risk schedule specifying a set of threshold risks, each threshold risk in the set of threshold risks associated with a unique combination of recipient attributes and based on malicious targeting frequency of recipients represented by the unique combination of recipient attributes within the email domain; [(Para 0017) “generate a risk score for the communication as function of the comparison to the stored relationships and associated characterizations; and process the communication as function of a comparison of the generated risk score to one more predetermined threshold values comprising: an alerting threshold value, a notification threshold value, and a communications labeling threshold value.”]
selecting a threshold risk, from the risk schedule, based on the recipient attribute; [(Para 0060) “Users identified as “High Risk” will have the Boolean value of 1 set in the attribute called “High Risk” on the Node in the graph database”, (Para 0047) “A rules engine provides for customized alerting based on user defined thresholds that are based on organizational risk tolerance”, (Para 0039) “using the risk score parameters in an actions engine in any combination to determine alerting thresholds, notification thresholds”]
scanning a body of the email for a set of language signals; [(Para 0057) “Thus, as presented in FIG. 5, inbound email is analyzed to extract communications components, e.g., header and body information.”] correlating, using a first natural language processing (NLP) model trained on a financial services and financial transaction lexicon, a first sequence of words, in the email, with a financial signal in the set of language signals; [The limitations recite correlating words with a signal type, the signal type (financial, action, urgency, etc.) describes an intended result and is non-functional descriptive data; (Para 0099) “As the communications are classified, they will feed back to the social graph tagging messages with the predicted communications classifiers, e.g., financial transactions, supply chain activity, header/footer mismatches, abnormal increases in the use of formality, etc.”, (Para 0049) “simultaneously the linguistics profiling of the messages and attachments are occurring… a corpus database is consulted of pre-built terms and phrases supplied both by the users of the system and the makers of the system”] correlating, using a second NLP model trained on an action request and prompt lexicon, a second sequence of words, in the email, with an action request signal in the set of language signals; [The limitations recite correlating words with a signal type, the signal type (financial, action, urgency, etc.) describes an intended result and is non-functional descriptive data; (Para 0053) “A third aspect requiring detection in this scenario is the “ask.” Once the outsider has established communications and gained the trust of the insider, the last step is getting the insider to take action on the objective controlled by the insider.”, (Para 0049) “simultaneously the linguistics profiling of the messages and attachments are occurring… a corpus database is consulted of pre-built terms and phrases supplied both by the users of the system and the makers of the system”]
correlating a third sequence of words, in the email, with an urgency signal in the set of language signals; [The limitations recite correlating words with a signal type, the signal type (financial, action, urgency, etc.) describes an intended result and is non-functional descriptive data; (Para 0099) “As the communications are classified, they will feed back to the social graph tagging messages with the predicted communications classifiers, e.g., financial transactions, supply chain activity, header/footer mismatches, abnormal increases in the use of formality, etc.” (Para 0017) “analyze one or more parameters of the communication; extrapolate and characterize each of one or more relationships among the sender and one or more recipients of the communication as a function of the analyzed one or more parameters”] calculating the risk model trained on past emails, for the email representing a financial attack based on a combination of the financial signal, the action request signal, and the urgency signal detected in the email; and [(Para 0029) “profiling electronic communications creating patterns of behavior from the various elements of the electronic communications identifying risk elements of the communications used to determine impersonations of the communications”, (Para 0064) “Associated relationships and counts will be calculated based on the schema diagrams from the above two diagrams for use in the risk score calculations”]
redirecting the email away from an email inbox associated with the recipient address. [(Figure 6), (Para 0039) “using the risk score parameters in an actions engine in any combination to determine alerting thresholds, notification thresholds, labeling of messages for other integration actions and blocking of communications.”]
While LaRosa teaches the method for detecting attacks, calculating risk, and taking subsequent action, it does not explicitly teach:
obtaining a first set of past emails that include first language in first bodies of the first set of past emails identified as being malicious; obtaining a second set of past emails that include second language in second bodies of the second set of past emails identified as being benign;
assigning malicious labels to the first set of past emails and the benign labels to the second set of past emails to generate training data;
training a risk model unique to an email domain using the training data such that the risk model is trained to output risk scores indicating likelihoods that language in bodies of future emails is malicious or benign;
in response to the risk exceeding the selected threshold risk: annotating the first sequence of words in the email according to a first visual highlighting scheme associated with the financial signal, wherein the first visual highlighting scheme visually distinguishes the first sequence of words corresponding to the financial signal;
annotating the second sequence of words in the email according to a second visual highlighting scheme associated with the action request signal, the second visual highlighting scheme different from the first visual highlighting scheme, wherein the second visual highlighting scheme visually distinguishes the second sequence of words corresponding to the action request signal from the first sequence of words;
annotating the third sequence of words in the email according to a third visual highlighting scheme associated with the urgency signal, the third visual highlighting scheme different from the first visual highlighting scheme and the second visual highlighting scheme;
rendering, within an email viewer, the email with the first sequence of words highlighted according to the first visual highlighting scheme, with the second sequence of words highlighted according to the second visual highlighting scheme, and with the third sequence of words highlighted according to the third visual highlighting scheme;
However, Blumenthal teaches:
in response to the risk exceeding the selected threshold risk: annotating the first sequence of words in the email according to a first visual highlighting scheme associated with the financial signal, wherein the first visual highlighting scheme visually distinguishes the first sequence of words corresponding to the financial signal; annotating the second sequence of words in the email according to a second visual highlighting scheme associated with the action request signal, the second visual highlighting scheme different from the first visual highlighting scheme, wherein the second visual highlighting scheme visually distinguishes the second sequence of words corresponding to the action request signal from the first sequence of words; annotating the third sequence of words in the email according to a third visual highlighting scheme associated with the urgency signal, the third visual highlighting scheme different from the first visual highlighting scheme and the second visual highlighting scheme; [(Para 0007) “The invention is a process that automatically annotates arbitrary collections of data” (Para 0012) “A further object of the invention is to provide a process and system that can annotate data in many different ways, including but not limited to highlighting, graphics, audio or video indications, highlighting, etc.”, (Para 0059) “The presence of an annotation could be indicated by a superscript, a subscript, format change (possibly but not necessarily including italics, bold text, typeface or size changes, highlighting, etc”]
rendering, within an email viewer, the email with the first sequence of words highlighted according to the first visual highlighting scheme, with the second sequence of words highlighted according to the second visual highlighting scheme, and with the third sequence of words highlighted according to the third visual highlighting scheme; [(Para 0051) “FIG. 3 shows an example of a webpage which has undergone analysis and annotation step 11, and has been displayed to the user in presentation step 13. In this example, the annotations are indicated by highlighted text”, (Para 0006) “Rather, the invention provides for distinctive types of annotation”, (Para 0052) “A user could select one or more annotations, all annotations simultaneously, or set up an automated process to select a particular type of annotation (e.g., references to case law, intransitive verbs, etc.)”]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the method taught by LaRosa with the highlighting method taught by Blumenthal. Simply applying the known technique of annotating and highlighting would yield predictable results. One of ordinary skill would have recognized that rendering different signals taught by LaRosa with different highlighting schemes taught by Blumenthal would help visually distinguish the signals.
While LaRosa in view of Blumenthal teach a risk model that labels emails, and a visual highlighting scheme, they do not explicitly teach the labeling using the content of the body of the email:
obtaining a first set of past emails that include first language in first bodies of the first set of past emails identified as being malicious; obtaining a second set of past emails that include second language in second bodies of the second set of past emails identified as being benign;
assigning malicious labels to the first set of past emails and the benign labels to the second set of past emails to generate training data;
training a risk model unique to an email domain using the training data such that the risk model is trained to output risk scores indicating likelihoods that language in bodies of future emails is malicious or benign;
However, Jeyakumar teaches:
obtaining a first set of past emails that include first language in first bodies of the first set of past emails identified as being malicious; obtaining a second set of past emails that include second language in second bodies of the second set of past emails identified as being benign; [(Figure 7), (Para 0027) “FIG. 7 depicts how the vast majority of incoming messages may be classified as non-malicious while a small percentage of incoming messages may be classified as malicious”, (Para 0077) “In some embodiments, the system 300 detects attacks based on the entire email (e.g., including the content of the body)”, (Para 0161) “For example, a human may label different elements included in a dataset for the purpose of training a ML model.”]
assigning malicious labels to the first set of past emails and the benign labels to the second set of past emails to generate training data; [(Para 102) “The analysis module 312 can instruct the ML models to categorize the deviations in an incoming email as indicating a likely malicious email or a likely non-malicious email, as well as categorize the email according to a possible attack type”, (Para 0161) “For example, a human may label different elements included in a dataset for the purpose of training a ML model.”]
training a risk model unique to an email domain using the training data such that the risk model is trained to output risk scores indicating likelihoods that language in bodies of future emails is malicious or benign; [(Para 0106) “In some embodiments, the training data can include historical threats that have been previously identified in customer inboxes. In some embodiments, different ML models employed have been developed for different known types of attacks. In some embodiments, emails are scored, weighted, or assigned a percentage or numerical value based on using these ML model(s). In some embodiments, if an email scores over the threshold for any of the ML models, it may be flagged, unless a heuristic or other element of the threat detection platform 302 indicates that it should not be flagged”, (Para 0211) “For example, the threat detection platform may parse each email included in the first data to discover one or more attributes, and then the threat detection platform can provide these attributes to the ML model as input for training. Examples of attributes include the sender name, sender email address, subject, etc. Because the personalized ML model is trained using past emails received by the employee”]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the method of detecting and highlighting malicious emails taught by LaRosa in view of Blumenthal with the method of labeling using the content of the body of the email taught by Jeyakumar. Simply using different parts of the email to train the machine learning model would have been obvious to one of ordinary skill. Additionally, combining the risk models of LaRosa in view of Blumenthal and Jeyakumar yields a predictable result in identifying malicious vs benign emails.
Regarding Claim 19, LaRosa teaches:
A method for detecting financial attacks in emails comprising: intercepting an email inbound to a recipient address, the recipient address associated with a recipient attribute; [(Para 0055) “In one embodiment, a system is running an email server software and is configured to be positioned “inline” in order to monitor email communications”]
retrieving the recipient attribute of a recipient associated with the recipient address; [(Para 0016) “obtain each communication going to and from the first domain and: analyze one or more parameters of the obtained communication; store the analyzed one or more parameters of the obtained communication with respect to a sender of the obtained communication and one or more recipients of each obtained communication”, (Para 0017) “for each communication going to or coming from the first domain, to:”, (Figure 4)]
accessing a risk schedule specifying a set of threshold risks, each threshold risk in the set of threshold risks associated with a unique combination of recipient attributes and based on malicious targeting frequency of recipients represented by the unique combination of recipient attributes within the email domain; [(Para 0017) “generate a risk score for the communication as function of the comparison to the stored relationships and associated characterizations; and process the communication as function of a comparison of the generated risk score to one more predetermined threshold values comprising: an alerting threshold value, a notification threshold value, and a communications labeling threshold value.”]
selecting a threshold risk, from the risk schedule, based on the recipient attribute; [(Para 0060) “Users identified as “High Risk” will have the Boolean value of 1 set in the attribute called “High Risk” on the Node in the graph database”, (Para 0047) “A rules engine provides for customized alerting based on user defined thresholds that are based on organizational risk tolerance”, (Para 0039) “using the risk score parameters in an actions engine in any combination to determine alerting thresholds, notification thresholds”]
scanning a body of the email for a set of language signals; [(Para 0057) “Thus, as presented in FIG. 5, inbound email is analyzed to extract communications components, e.g., header and body information.”]
correlating, using a first natural language processing (NLP) model trained on a financial services and financial transaction lexicon, a first sequence of words, in the email, with a first signal in the set of language signals; correlating using a second NLP model trained on an action request and prompt lexicon, a second sequence of words, in the email, with a second signal in the set of language signals; [(Para 0099) “As the communications are classified, they will feed back to the social graph tagging messages with the predicted communications classifiers, e.g., financial transactions, supply chain activity, header/footer mismatches, abnormal increases in the use of formality, etc.”, (Para 0049) “simultaneously the linguistics profiling of the messages and attachments are occurring… a corpus database is consulted of pre-built terms and phrases supplied both by the users of the system and the makers of the system”]
calculating using the risk model trained on past emails, a risk for the email representing a financial attack based on a combination of the first signal and the second signal detected in the email; [(Para 0029) “profiling electronic communications creating patterns of behavior from the various elements of the electronic communications identifying risk elements of the communications used to determine impersonations of the communications” (Para 0064) “Associated relationships and counts will be calculated based on the schema diagrams from the above two diagrams for use in the risk score calculations”]
redirecting the email away from an email inbox associated with the recipient address; and [(Figure 6), (Para 0039) “using the risk score parameters in an actions engine in any combination to determine alerting thresholds, notification thresholds, labeling of messages for other integration actions and blocking of communications.”]
While LaRosa teaches the method for detecting attacks, calculating risk, and taking subsequent action, it does not explicitly teach:
obtaining a first set of past emails that include first language in first bodies of the first set of past emails identified as being malicious; obtaining a second set of past emails that include second language in second bodies of the second set of past emails identified as being benign;
assigning malicious labels to the first set of past emails and the benign labels to the second set of past emails to generate training data;
training a risk model unique to an email domain using the training data such that the risk model is trained to output risk scores indicating likelihoods that language in bodies of future emails is malicious or benign;
in response to the risk exceeding the selected threshold risk: annotating the first sequence of words in the email according to a first visual highlighting scheme associated with the financial signal, wherein the first visual highlighting scheme visually distinguishes the first sequence of words corresponding to the financial signal;
annotating the second sequence of words in the email according to a second visual highlighting scheme associated with the action request signal, the second visual highlighting scheme different from the first visual highlighting scheme, wherein the second visual highlighting scheme visually distinguishes the second sequence of words corresponding to the action request signal from the first sequence of words;
and in response to selection of the email within an email viewer, rendering the email with the first sequence of words highlighted according to the first visual highlighting scheme and with the second sequence of words highlighted according to the second visual highlighting scheme.
However, Blumenthal teaches:
in response to the risk exceeding the selected threshold risk: annotating the first sequence of words in the email according to a first visual highlighting scheme associated with the financial signal wherein the first visual highlighting scheme visually distinguishes the first sequence of words corresponding to the financial signal; annotating the second sequence of words in the email according to a second visual highlighting scheme associated with the action request signal, the second visual highlighting scheme different from the first visual highlighting scheme, wherein the second visual highlighting scheme visually distinguishes the second sequence of words corresponding to the action request signal from the first sequence of words; and [(Para 0007) “The invention is a process that automatically annotates arbitrary collections of data” (Para 0012) “A further object of the invention is to provide a process and system that can annotate data in many different ways, including but not limited to highlighting, graphics, audio or video indications, highlighting, etc.”, (Para 0059) “The presence of an annotation could be indicated by a superscript, a subscript, format change (possibly but not necessarily including italics, bold text, typeface or size changes, highlighting, etc”]
in response to selection of the email within an email viewer, rendering the email with the first sequence of words highlighted according to the first visual highlighting scheme and with the second sequence of words highlighted according to the second visual highlighting scheme. [The use of different color in highlighting is not a patentable distinction. The claim limitations recite presenting the annotated data visually to the user (Figure 1, step 13) (Para 0025) “presentation step” (Para 0012) “A further object of the invention is to provide a process and system that can annotate data in many different ways, including but not limited to highlighting”]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the method taught by LaRosa with the highlighting method taught by Blumenthal. Simply applying the known technique of annotating and highlighting would yield predictable results.
While LaRosa in view of Blumenthal teach a risk model that labels emails, and a visual highlighting scheme, they do not explicitly teach the labeling using the content of the body of the email:
obtaining a first set of past emails that include first language in first bodies of the first set of past emails identified as being malicious; obtaining a second set of past emails that include second language in second bodies of the second set of past emails identified as being benign;
assigning malicious labels to the first set of past emails and the benign labels to the second set of past emails to generate training data;
training a risk model unique to an email domain using the training data such that the risk model is trained to output risk scores indicating likelihoods that language in bodies of future emails is malicious or benign;
However, Jeyakumar teaches:
obtaining a first set of past emails that include first language in first bodies of the first set of past emails identified as being malicious; obtaining a second set of past emails that include second language in second bodies of the second set of past emails identified as being benign; [(Figure 7), (Para 0027) “FIG. 7 depicts how the vast majority of incoming messages may be classified as non-malicious while a small percentage of incoming messages may be classified as malicious”, (Para 0077) “In some embodiments, the system 300 detects attacks based on the entire email (e.g., including the content of the body)”, (Para 0161) “For example, a human may label different elements included in a dataset for the purpose of training a ML model.”]
assigning malicious labels to the first set of past emails and the benign labels to the second set of past emails to generate training data; [(Para 102) “The analysis module 312 can instruct the ML models to categorize the deviations in an incoming email as indicating a likely malicious email or a likely non-malicious email, as well as categorize the email according to a possible attack type”, (Para 0161) “For example, a human may label different elements included in a dataset for the purpose of training a ML model.”]
training a risk model unique to an email domain using the training data such that the risk model is trained to output risk scores indicating likelihoods that language in bodies of future emails is malicious or benign; [(Para 0106) “In some embodiments, the training data can include historical threats that have been previously identified in customer inboxes. In some embodiments, different ML models employed have been developed for different known types of attacks. In some embodiments, emails are scored, weighted, or assigned a percentage or numerical value based on using these ML model(s). In some embodiments, if an email scores over the threshold for any of the ML models, it may be flagged, unless a heuristic or other element of the threat detection platform 302 indicates that it should not be flagged”, (Para 0211) “For example, the threat detection platform may parse each email included in the first data to discover one or more attributes, and then the threat detection platform can provide these attributes to the ML model as input for training. Examples of attributes include the sender name, sender email address, subject, etc. Because the personalized ML model is trained using past emails received by the employee”]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the method of detecting and highlighting malicious emails taught by LaRosa in view of Blumenthal, with the method of labeling using the content of the body of the email taught by Jeyakumar. Simply using different parts of the email to train the machine learning model would have been obvious to one of ordinary skill. Additionally, combining the risk models of LaRosa in view of Blumenthal and Jeyakumar yields a predictable result in identifying malicious vs benign emails.
Regarding Claim 21, LaRosa in view of Blumenthal in further view of Jeyakumar teach the limitations set forth above.
While LaRosa in view of Blumenthal teach a risk model that labels emails, and a visual highlighting scheme, they do not explicitly teach locking of a recipient account:
further comprising: locking a recipient email account associated with the recipient address such that a user of the recipient email account is unable to access the recipient email account.
However, Jeyakumar teaches:
further comprising: locking a recipient email account associated with the recipient address such that a user of the recipient email account is unable to access the recipient email account. [(Para 0104) “resetting the password of the affected employee, ending all sessions, pushing signatures to a firewall or an endpoint protection system, pushing signatures to an endpoint protection system to lock one or more computing devices, etc. For example, upon discovering a compromised account, the threat detection platform 302 may invoke API(s) to block the compromised account”]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the method of detecting and highlighting malicious emails taught by LaRosa in view of Blumenthal, with the method of locking a recipient account taught by Jeyakumar. One of ordinary skill would have recognized locking a compromised email account would be beneficial to prevent malicious intent.
Claims 12 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over LaRosa in view of Blumenthal in view of Jeyakumar (US 20200344251 A1) in further view of Verma (US 2016344770).
Regarding Claim 12, LaRosa in view of Blumenthal in view of Jeyakumar teach the limitations set forth above.
While LaRosa in view of Blumenthal in view of Jeyakumar teach training the natural language processing model for various signals with lexicons and learned signals over time, they do not teach:
wherein calculating the risk for the email comprises: aggregating the financial signal, the action request signal, and the urgency signal into a target vector;
accessing a corpus of stored vectors representing and labeled with known email-based attack types;
identifying a particular vector, in the corpus of stored vectors, nearest the target vector in a multi-dimensional feature space;
characterizing a distance between the particular vector and the target vector in the multi-dimensional feature space; and calculating the risk for the email inversely proportional to the distance.
However, Verma teaches:
wherein calculating the risk for the email comprises: aggregating the financial signal, the action request signal, and the urgency signal into a target vector; [The limitations recite converting signals into target vector, the signals are identified from analysis of words and language. The signal type can be interchanged and the function remains the same, therefore are considered nonfunctional data; (Para 0073) “the TF-IDF scheme converts a vector of words to a vector of real values”]
accessing a corpus of stored vectors representing and labeled with known email-based attack types; [(Para 0054) “The computer-implemented method further comprises developing a context history database containing the extracted information and phishing and/or non-phishing label for each received email configured to determining a new email as a phishing email or non-phishing email based on similarity between the new email and information in the context history database.”]
identifying a particular vector, in the corpus of stored vectors, nearest the target vector in a multi-dimensional feature space; [(Para 0074) “Then the similarity computation is performed between the email vector ev and the corresponding vector for each email in the context”]
characterizing a distance between the particular vector and the target vector in the multi-dimensional feature space; and calculating the risk for the email inversely proportional to the distance. [(Para 0074) “Then the similarity computation is performed… [t]he smaller the .theta., the greater the similarity between two emails.”]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the method taught by LaRosa in view of Blumenthal in view of Jeyakumar, with the risk calculation method taught by Verma. Both arts relate to the detection of malicious electronic communications and are in the same field of endeavor. It would have been obvious to implement the risk calculation method of Verma, in the email analysis method of LaRosa to yield predictable results.
Regarding Claim 13, LaRosa in view of Blumenthal in view of Jeyakumar in further view of Verma teach the limitations set forth above.
LaRosa further teaches:
wherein accessing the email comprises intercepting the email inbound to the recipient address within an email domain; and further comprising: retrieving an attribute of a recipient associated with the recipient address; [(Para 0017) “obtain each communication going to and from the first domain and: analyze one or more parameters of the obtained communication; store the analyzed one or more parameters of the obtained communication with respect to a sender of the obtained communication and one or more recipients of each obtained communication”]
accessing a corpus of risk profiles, each risk profile in the corpus of risk profiles: associated with a set of attributes; [(Para 0059) “A connector to Active Directory is built to dynamically pull the following information from Active Directory as email messages are received in order to add the following additional attributes”]
and specifying risk thresholds for a set of known email-based attack types based on the set of attributes; [(Para 0017) “generate a risk score for the communication as function of the comparison to the stored relationships and associated characterizations”]
associating the recipient address with a particular risk profile, in the corpus of risk profiles, based on the attribute; [(Para 0017) “compare the analysis of the one or more parameters and the extrapolated and characterized relationships to a store of extrapolated relationships and associated characterizations of previously received or sent communications associate with the first domain”]
and reading the risk threshold from the particular risk profile based on a particular email-based attack type represented by the particular vector. [Vectors are simply a collection of values, the limitations recite interpreting the risk threshold of a specific profile, by comparing it to an attack type represented by a vector (i.e. attack type collection of values); (Para 0017) “compare the analysis of the one or more parameters and the extrapolated and characterized relationships to a store of extrapolated relationships … and process the communication as function of a comparison of the generated risk score to one more predetermined threshold values”.]
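The risk calculation recited for Claims 12 and 13 (signal aggregation, nearest labeled vector, distance-based risk, and a threshold read from the recipient's risk profile) can be sketched as follows. This is an added example, not code from the application or from LaRosa, Blumenthal, Jeyakumar or Verma; the Euclidean metric, the 1/(1+d) risk mapping, the attack-type names, and all vectors and thresholds are constructed assumptions.

```python
import math

SIGNALS = ("financial", "action_request", "urgency")

# Constructed corpus of stored vectors, each labeled with a hypothetical attack type.
CORPUS = [
    ((0.9, 0.8, 0.7), "invoice_fraud"),
    ((0.2, 0.9, 0.9), "gift_card_request"),
    ((0.8, 0.3, 0.2), "payroll_diversion"),
]

DEFAULT_THRESHOLD = 0.8
# Constructed risk profiles: recipient attribute -> threshold per attack type.
# Lower thresholds quarantine lower-risk mail for frequently targeted roles.
RISK_PROFILES = {
    "accounting": {"invoice_fraud": 0.5, "payroll_diversion": 0.6},
    "human resources": {"payroll_diversion": 0.5, "gift_card_request": 0.7},
}


def target_vector(signals):
    """Aggregate per-signal strengths (0..1) into a fixed-order vector."""
    return tuple(float(signals.get(name, 0.0)) for name in SIGNALS)


def nearest(target):
    """Return (attack_type, distance) for the closest stored vector."""
    distance, label = min((math.dist(target, vec), label) for vec, label in CORPUS)
    return label, distance


def risk_from_distance(distance):
    """Assumed mapping: 1.0 at distance 0, falling as distance grows."""
    return 1.0 / (1.0 + distance)


def threshold_for(attributes, attack_type):
    """Lowest threshold among the recipient's matching profiles, else the default."""
    candidates = [
        RISK_PROFILES[attr][attack_type]
        for attr in attributes
        if attack_type in RISK_PROFILES.get(attr, {})
    ]
    return min(candidates, default=DEFAULT_THRESHOLD)


def evaluate(signals, attributes):
    """Score one email and decide whether to redirect it away from the inbox."""
    attack_type, distance = nearest(target_vector(signals))
    risk = risk_from_distance(distance)
    threshold = threshold_for(attributes, attack_type)
    return {
        "attack_type": attack_type,
        "risk": round(risk, 3),
        "threshold": threshold,
        "quarantine": risk > threshold,
    }


if __name__ == "__main__":
    email = {"financial": 0.5, "action_request": 0.5, "urgency": 0.5}  # constructed
    print(evaluate(email, ["accounting"]))  # quarantined under the lower threshold
    print(evaluate(email, []))              # same email passes the default threshold
```

The same email is quarantined for an accounting recipient and delivered to a recipient with no profile, which is the attribute-dependent threshold behavior the claim language describes.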
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Examiner Benjamin Truong, whose telephone number is 703-756-5883. The examiner can normally be reached on Monday-Friday from 9 am to 5 pm (EST).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Nathan Uber, SPE, can be reached on 571-270-3923. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/B.L.T./
Examiner, Art Unit 3636
/NATHAN C UBER/
Supervisory Patent Examiner, Art Unit 3626