SYSTEM AND METHOD FOR DETECTING AND PREVENTING MALFEASANT TARGETING OF INDIVIDUAL USERS IN A NETWORK

DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. This office action is in response to the communication filed on 12/2/2025. Claims 1-6, 8-13, 15-19 are pending. Response to Arguments Applicant's arguments on the 35 U.S.C. 103 rejection have been fully considered but are moot in view of new ground(s) of rejection. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claim(s) 1-6, 8-13, 15-19 is/are rejected under AIA 35 U.S.C. 103 as being unpatentable over Sambamoorthy et al. (US 2022/0279015, “Sambamoorthy”) in view of Grealish (US 2021/0075827, “Grealish”) and Kras (US 2022/0377101). As to claim 1, Sambamoorthy discloses a system for detecting and preventing malfeasant targeting of individual users in a network, the system comprising: at least one non-transitory storage device containing instructions; and at least one processing device coupled to the at least one non-transitory storage device, wherein the at least one processing device, upon execution of the instructions ([0135]), is configured to: identify a malfeasant communication data packet in a network, wherein the malfeasant communication data packet is directed to a target user of one or more users in the network (fig. 4, S120-121-122, [0009], identifying attack (malfeasant) signals in an incoming email to a recipient); analyze one or more previously accessed portions of the network by the target user to determine an access level of the target user ([0094], analyzing a duration of time that the recipient has been affiliated (accessed) with the domain (network portions) or being a member of the domain) cause a transmission of a malfeasant report for the target user based on the malfeasant communication data packet, wherein the malfeasant report comprises information relating to one or more previous malfeasant communication data packets directed to the target user and one or more user access attributes relating to the target user, wherein the one or more user access attributes comprise the access level to the network for the target user (fig. 1A-3B, [0093], [0095], calculating/reporting a risk threshold for an email based on recipient attributes such as experience level and role or access level (administration, security personnel, human resource or accounting) in a domain/ organization, [0094] setting risk threshold proportional to: a duration of time that the recipient has been affiliated with the domain or a member of the domain; a time since the recipient was last a victim of a successful email-based attack; and/or a time since the computer system quarantined a last email to the recipient. Thus, the system can set a low risk threshold if the recipient is new to the domain or was recently a victim of a successful email-based attack), based on the malfeasant report and the malfeasant communication data packet, determine a malfeasant threat level, wherein the malfeasant threat level indicates a threat of a malfeasant communication to the target user and a scope of damage associated with the malfeasant communication data packet; and cause a transmission of a malfeasant threat level alert in an instance in which the malfeasant threat level meets or exceeds a predetermined threat threshold, wherein the malfeasant threat level meets or exceeds a predetermined threat threshold in an instance in which a predetermined number of the one or more previous malfeasant communication data packets has been reached or the access level of the target user is at or above a predetermined access threshold ([0009], S142; calculating a risk for the email representing an attack based on a combination of the set of language signals, the communication frequency signal; S150; in response to the risk exceeding a threshold, enacting a remediation for the email; [0013], [0014], presenting the email to a security analyst in S162; [0092]-[0099], calculating an aggregated risk based on the recipient attributes (access levels, such as human resources, accounting, payroll…) and types of attacks in the message and history of past attacks at the recipient. The “scope of damage” is read as determined type of damage such as payroll fraud, and users impacted such as payroll users at armorblox.ai in fig. 1B, or VIP impersonation with users impacted Barty Crouch in fig. 2C, see further Analysis report in fig. 2C). Sambamoorthy does not disclose the at least one processing device, upon execution of the instructions, is configured to: designate the target user as a vulnerable user in an instance in which the target user has received a predetermined amount of the one or more previous malfeasant communication data packets; and cause a transmission of one or more training actions to the target user in an instance in which the target user is designated as a vulnerable user, wherein the one or more training actions comprise a fabricated malfeasant communication data packet, wherein the fabricated malfeasant communication data packet is designed to emulate a malfeasant communication data packet. Grealish discloses designate the target user as a vulnerable user in an instance in which the target user has received a predetermined amount of the one or more previous malfeasant communication data packets ([0044], [0045], determining an attacked (vulnerable) person by attack communication history the person received (such as a number of phishing emails received)); and cause a transmission of one or more training actions to the target user in an instance in which the target user is designated as a vulnerable user, wherein the one or more training actions comprise a fabricated malfeasant communication data packet, wherein the fabricated malfeasant communication data packet is designed to emulate a malfeasant communication data packet ([0079], launching a phishing training module including generated phishing messages for the attacked person). It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to apply Grealish’s teachings of vulnerable user identification and security training enforcement to Sambamoorthy’s teachings in order to provide remediation such as vulnerable user training and therefore increase security awareness of the user. Sambamoorthy-YY does not disclose the access level comprises portions of the network the target user may access. Kras discloses an access level comprises portions of the network the target user may access ([0079], risk score calculation based on a size of a network of a user and a user current position in an organization). It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to apply Kras’s teachings of certain specific access level attributes to Sambamoorthy’s teachings of access level attributes in order to expand Sambamoorthy’s access level to include these known access level attributes such as a size of a network (portions) that the user can access within an organization to calculate risk based on the size of the network. As to claim 2, Sambamoorthy discloses the at least one processing device, upon execution of the instructions, is configured to determine one or more malfeasant communication attributes relating to the malfeasant communication data packet, wherein the one or more malfeasant communication attributes comprises the target user of the one or more users in the network ([0093], [0095]) and a malfeasance type ([0074], [0090], [0092]). As to claim 3, Sambamoorthy discloses the malfeasant threat level is higher in an instance in which at least one of the one or more previous malfeasant communication data packets are the same malfeasance type as the malfeasance communication data packet ([0073], risk is increased with matching attack type and attack frequency). As to claim 4, Sambamoorthy discloses the one or more user access attributes comprise at least one of a job title or job department of the target user, wherein the malfeasant threat level is higher in an instance in which the target user is assigned to a job title that is designated as one of one or more vulnerable job titles or the target user is assigned to a job department that is designated as one of one or more vulnerable job departments ([0095]). As to claim 5, Sambamoorthy discloses the at least one processing device, upon execution of the instructions, is configured to determine at least one of the one or more vulnerable job titles or one or more vulnerable job departments, wherein the at least one of the one or more vulnerable job titles or one or more vulnerable job departments are determined based on one or more previous malfeasant attacks on users assigned to the given job title or job department ([0095], calculating risk based on malicious targeting frequency of recipients represented by the unique combination of recipient attributes (such as roles) within the email domain, [0082], [0083], detecting jobs/departments under risk of being attacks). As to claim 6, Sambamoorthy discloses the at least one of the one or more vulnerable job titles or one or more vulnerable job departments are determined based on access levels of one or more users assigned to the given job title or job department ([0095], [0096]). Claims 8-13 are rejected for the same rationale in claims 1-6 respectively. Claims 15-19 are rejected for the same rationale in claims 1-4, 6 respectively. Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure is included in form PTO 892. Any inquiry concerning this communication or earlier communications from the examiner should be directed to HIEU T HOANG whose telephone number is (571) 270-1253. The examiner can normally be reached Mon-Fri 9 AM -5 PM. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Vivek Srivastava can be reached on 571-272-7304. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /HIEU T HOANG/Primary Examiner, Art Unit 2449