DETAILED ACTION
Continued Examination Under 37 CFR 1.114
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant’s submission filed on 03/05/2026 has been entered.
As per instant Amendment, Claims 7, 16, and 18 are canceled; Claims 1-2, 6, 8, 15, and 17 have been amended; Claims 1, 15, and 17 are independent claims. Claims 1-6, 8-15, 17, and 19-20 have been examined and are pending. This Action is made Non-Final.
Response to Arguments
The rejections of claims 1-6, 9-12, and 14-19 under 35 U.S.C. § 102(a)(1) is withdrawn as the claims have been amended and Applicant’s Arguments are persuasive.
Applicants’ arguments with respect to claim 15 has been considered but is moot in view of the new ground(s) of rejection, which was necessitated by amendment.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over Prakash (US 2016/0014151) in view of Haworth et al. (US 2023/0007042; Hereinafter “Haworth”).
Regarding claim 15, Prakash teaches a method for detecting a malicious mail performed by at least one processor, the method comprising:
obtaining transmission and/or reception history information of an account of a user (Prakash: Para. [0116], One example embodiment of this method 500a comprises receiving a received message by a recipient from a sender at 510a, obtaining one or more message characteristic by parsing the received message based on at least one of a set of predetermined message characteristics at 520a, the message characteristic comprising one or more of a sender message characteristic or a recipient message characteristic, storing the message characteristic in a database at 540a, applying a classification engine to the message characteristic to define a message characteristic pattern at 550a);
detecting a reception of a detection target mail in the account of the user (Prakash: Para. [0100], The method comprises receiving a received message by a recipient from a sender at 410, Para. [0116], receiving a new received message at 560a,); and
detecting whether the detection target mail is a malicious mail based on the transmission and/or reception history information of the account of the user and a pre-designated risk keyword (Prakash: Para. [0116], applying the classification engine to the new received message to define a new received message characteristic pattern at 570a, comparing the new received message characteristic pattern to the message characteristic pattern to determine whether the new received message characteristic pattern is similar to the message characteristic pattern at 580a and using the results of the comparison to influence the likelihood of the received message being a phishing message at 590a. Para. [0070], a message characteristic may comprise at least one message characteristic from or representing the message, its metadata, a portion of the message or a portion of its metadata or a value computed or derived or cross-referenced via a third party from the message or its metadata. For example and not for limitation, the message characteristic may comprise at least one of message characteristics selected from the group consisting of: statistical measures such as a use and/or a frequency of a character, a punctuation, a word, a phrase, a number of words, a length of words, a capitalization of words, a similar spelling, a misspelling, an average number of letters in each word, Para. [0070], a volume of messages received by the recipient; a volume of messages received by recipient organization);
wherein the detecting whether the detection target mail is the malicious mail based on the transmission and/or reception history information of the mail of the user comprises (Prakash: Para. [0116], Para. [0070]):
calculating a score, which represents a contextual relationship between a thread of a mail already received in the account of the user and the detection target mail, the thread of the mail being included in the transmission and/or reception history information (Prakash: Para. [0080], Some embodiments of the methods may further comprise determining a degree of variance of each message characteristic when compared with the similar characteristic associated with one or more of the recipient or sender from messages having a high statistical distribution, establishing a score based on the determined degree of variance for each message characteristic and a pre-assigned weight for each characteristic and obtaining a combined score by adding scores of one or more of the message characteristics in the received message based on a pre-assigned weight. Para. [0177], receiving a reply message from the recipient address at the custom address, inspecting the reply message from the recipient to determine whether the questionable phishing message is a phishing message, quarantining the reply message or forwarding the reply message for manual inspection if the questionable phishing message is the phishing message and delivering the reply to the original Reply-To address if the questionable phishing message is not the phishing message. A questionable phishing message may comprise a received message having some message characteristics consistent with a phishing message but not all message characteristics consistent with a phishing message. For example, one embodiment illustrating the process of changing the Reply-To comprises receiving a new message from a hypothetical sender—John Smith—jsmith@jsmithco.com to a hypothetical recipient Dagny Taggardtaggart@taggarttc.com. [thread may include original message and all reply messages]); and
determining the detection target mail as the malicious mail based on a threshold value (Prakash: Para. [0177], In some embodiments, a threshold of message characteristics is used to determine whether a received message is not a phishing message, a questionable phishing message or phishing message.).
Prakash does not explicitly teach determining the detection target mail as the malicious mail based on the calculated score being a threshold value or less.
In an analogous art, Haworth teaches determining the detection target mail as the malicious mail based on the calculated score being a threshold value or less (Haworth: Para. [0087], Next, the email module has at least a first email probe to inspect an email at the point it transits through the email application, such as Office 365, and extracts hundreds of data points from the raw email content and historical email behavior of the sender and the recipient. These metrics are combined with pattern of life data of the intended recipient, or sender, sourced from the data store. The combined set of the metrics are passed through machine learning algorithms to produce a single anomaly score of the email, and various combinations of metrics will attempt to generate notifications which will help define the ‘type’ of email. Para. [0089], In conjunction with the specific threat alerts and the anomaly score, the system may provoke actions upon the email designed to prevent delivery of the email or to neutralize potentially malicious content. Para. [0091]-[0092], Para. [0247], Inducement Classifier 172 classifies the received email with one or more of the plurality of malign categories based on the extracted plurality of characteristics and the one or more machine learning models 174. At step S12, a score is determined for the probability of a match between the email characteristics and each of the plurality of malign categories. Then at step S13, the autonomous response module 176 determines whether one of these scores is above a threshold; if the score determined for the one or more malign categories is above the threshold, the autonomous response module 176 causes one or more actions to contain the malign nature of the received email to be initiated as discussed above. Para. [0283]).
It would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, combine the teachings of Haworth with the system and method of Prakash to modify the threshold value of message characteristics used to determine whether a received message is not a phishing message, a questionable phishing message or phishing message as taught in Prakash to include determining a score for an email based on a plurality of extracted characteristics and then determining whether the score is above or below a threshold to cause one or more actions to be initiated for containing the malign nature of the received email because such a modification would have been obvious to try. More specifically, determining a score for an email based on a plurality of extracted characteristics and then determining whether the score is above or below a threshold to cause one or more actions to be initiated containing the malign nature of the received email is one of a predictable and ascertainable group of similar features, which are: in the event that the determined score is above the threshold, perform a first action that either does or does not contain the malign nature of the email or in the event that the score is below the threshold, perform a different action that either does or does not contain the malign nature of the email. This group addresses the design need and recognized problem of designing a system that extracts characteristics of an email including hundreds of data points from the raw email content and historical email behavior of the sender and the recipient and determines a score which is subsequently unitized by comparing the calculated score to a threshold value and performing an action to prevent malicious cyber threats when the score is either above or below the threshold with a reasonable level of success. As a result, it would have been obvious to try to modify the threshold value of message characteristics used to determine whether a received message is not a phishing message, a questionable phishing message or phishing message as taught in Prakash to include determining a score for an email based on a plurality of extracted characteristics and then determining whether the score is above or below a threshold to cause one or more actions to be initiated for containing the malign nature of the received email since there are a finite number of identified, predictable potential solutions to the recognized need (as discussed above) and one of ordinary skill in the art could have pursued the known potential solutions with a reasonable expectation of success.
Allowable Subject Matter
Claims 1-6, 8-14, 17, and 19-20 are allowed over the cited prior art.
The following is an Examiner’s statement of reasons for allowance:
The closest prior art includes Jakobsson et al. (US 2024/0089285; Hereinafter “Jakobsson”), of Sampath et al. (US 2022/0400094; Hereinafter “Sampath”), Prakash (US 2016/0014151), and Haworth et al. (US 2023/0007042; Hereinafter “Haworth”). However, none of Jakobsson, Sampath, Prakash, and Haworth teaches or suggests, alone or in combination, the particular combination of steps or elements as recited in the independent claims 1 and 17. For example, none of the cited prior art teaches or suggest the steps of “wherein the account characteristic information includes a risk keyword usage frequency indicating a frequency at which a pre-designated risk keyword is used in the account of the user, and the detecting whether the detection target mail is the malicious mail comprises determining the account of the user as a risk candidate account based on the risk keyword usage frequency in the account of the user exceeding a threshold usage frequency” as recited in claim 1 and “calculate a risk keyword usage frequency indicating a frequency at which a pre-designated risk keyword is used in the account of the user, determine the account of the user as a risk candidate account when the risk keyword usage frequency exceeds a threshold usage frequency, and detect whether the detection target mail received in the account of the user is a malicious mail based on the determination that the account of the user is the risk candidate account, by using the account characteristic information” as recited in claim 17. As a result, the claims are allowable over the cited prior art.
Conclusion
The following prior art made of record is not relied upon, but is considered pertinent to applicant's disclosure.
US Patent Application Publication No.: US 2025/0267161 by Greevy.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Nelson Giddins whose telephone number is (571) 272-7993. The examiner can normally be reached on Monday - Friday, 9:00 AM - 5:00 PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Linglan Edwards can be reached at (571) 270-5440. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/NELSON S. GIDDINS/Primary Examiner, Art Unit 2408