STATISTICAL MODELING OF EMAIL SENDERS TO DETECT BUSINESS EMAIL COMPROMISE

DETAILED ACTION In a communication received on 17 November 2025, the applicants amended claims 1, 3-9, 11-17, 19, and 20. Claims 1-20 are pending. Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Response to Arguments Applicant’s arguments with respect to claim(s) 1, 9 and 17 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument. With respect to claim 1, the applicants allege, "For at least the reasons presented herein, claim 1 would not have been obvious in view of Jakobsson and Prakash." (page 19) with respect to the claimed limitation(s), "first and second probability values calculated from counts of sender attribute and counts of reference attribute value; aggregating probability values; and performing an action based on threshold for a security action". The examiner respectfully traverses. The arguments/remarks pertain to whether the cited prior art does not disclose features of claimed limitations. The examiner concludes that the cited prior art clearly discloses identifying with a conditional probability determination misuse of an attribute of an email and performing a security action Ascertaining the differences between the prior art and the claims at issue requires interpreting the claim language, and considering both the invention and the prior art references as a whole (See 2141.02 "Differences Between Prior art and Claimed Invention). As best understood by the examiner, the broadest reasonable interpretation of the claims do not require a specific ratio or formula for the determination of probability values. More specifically, the claims recite "calculated using" and "determining, by an aggregating classifier and using" the probability values. Moreover, the specification and claims previously and explicitly defined the determination as conditional probability which is the exact method utilized in Jakobsson. Jakobsson clearly discloses the idea of misused attributes in an email within a given context such as "sent by iPhone" given metadata that indicates the message was sent from a desktop client. This is substantially the conditional probability of misused attributes determination claimed. More specifically, Jakobsson discloses: storing statistics on commonality of combinations of features of messages stored in a data structure including counts of observations of the particular attributes; sender attribute feature MAC client (¶0041, ¶0054, ¶0056); a given past observations related to the sender to determine conditional probability of a set of message aspects; see the bayesian probability of score of a particular observation with reference attribute value being another feature providing a given context; reference attribute feature being MIME version (¶0054, ¶0055, ¶0056); module that combines the component scores; the component scores are combined to determine an overall risk score; the overall risk score utilized to perform classification of different types of risks (¶0053); identifying misuse of "Sent from my iPhone" message signature despite metadata corresponding to a desktop message client based on historical observations about message signatures of the sender (¶0043); and a security risk score determines the security action taken such as disallowing access or receipt by the intended recipient upon determining a phishing risk where there is a mismatch is in aspects of the message corresponding to a threshold level of security risk allowed (¶0064, ¶0067). In conclusion, the applicants argue(s) that the cited prior art does not disclose features of claimed limitations. The examiner traverses because the cited prior art clearly discloses identifying with a conditional probability determination misuse of an attribute of an email and performing a security action. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claim(s) 1-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Jakobsson et al. (US 2021/0234870 A1) in view of Jeyakumar et al. (US 2020/0344251 A1). With respect to claim 1, Jakobsson discloses: a method (i.e., a processor coupled to a computer readable medium for performing operations of analyzing email for authenticity in Jakobsson, ¶0024) comprising: analyzing an email sent from a sending device and a sender address sent to a receiving device (i.e., performing analysis of received message including email address and display name to detect risk of spoofing or fraud in Jakobsson, ¶0035-0036); extracting at least a first sender attribute and a second sender attribute from the email (i.e., the devices used, keywords/topics, message signature content corresponding to the sender, email address, display name in Jakobsson, ¶0036, ¶0039, ¶0042, ¶0043); applying the first specialized misuse model to determine a first probability value associated with the first sender attribute that conveys a likelihood that the first sender attribute is a first misused sender attribute (i.e., bayesian probability score corresponding to a model of statistical norm to determine likelihood that sender changed their platform, upgraded their computer system, is using a new machine temporarily corresponding to combinations of metadata/configurations and content of messages from the sender in Jakobsson, ¶0054); applying the second specialized misuse model to determine a second probability value associated with the second sender attribute that conveys the likelihood that the second sender attribute is a second misused sender attribute (i.e., risk score associated with multiple likelihoods of distinct attributes captured by metadata; multiple probabilities and likelihoods of a combination of features/contents/metadata exhibited together in Jakobsson, ¶0054) wherein: the first probability value and the second probability value are each calculated using (i) a count of messages historically observed with a particular sender attribute value (i.e., statistics on commonality of combinations of messages stored in a data structure including counts of observations of the particular attributes; sender attribute feature MAC client in Jakobsson, ¶0041, ¶0054, ¶0056) and (ii) a reference attribute value and a total count of messages historically observed with the reference attribute value (i.e., a given past observations related to the sender to determine conditional probability of a set of message aspects; see the bayesian probability of score of a particular observation with reference attribute value being another feature providing a given context; reference attribute feature MIME version in Jakobsson, ¶0054, ¶0055, ¶0056); and determining, by an aggregating classifier and using the first probability value and the second probability value an overall probability value (i.e., module that combines the component scores; the component scores are combined to determine an overall risk score; the overall risk score utilized to perform classification of different types of risks in Jakobsson, ¶0053); associated with a likelihood of classifying the email as having at least one misused sender attribute to enable identifying at least misuse of the sender address to a sender's signature (i.e., identifying misuse of "Sent from my iPhone" message signature despite metadata corresponding to a desktop message client based on historical observations about message signatures of the sender in Jakobsson, ¶0043); in response to the overall probability value exceeding a configurable threshold, causing an action that prevents at least forwarding the email to the receiving device (i.e., a security risk score determines the security action taken such as disallowing access or receipt by the intended recipient upon determining a phishing risk where there is a mismatch is in aspects of the message corresponding to a threshold level of security risk allowed in Jakobsson, ¶0064, ¶0067). Jakobsson discloses a data structure to store counts of observed header configurations with more than one attribute; the counts can be observed over a window of time or threshold time period (¶0041). Jakobsson do(es) not explicitly disclose the following. Jeyakumar, in order to improve accuracy and efficiency of detecting security threats imposed by incoming emails (¶0188), discloses: identifying , from a key-value database storing aggregated historical co-occurrence counts of sender attribute combinations observed over a sliding time window, a first specialized misuse model and a second specialized misuse model associated with the sending device (i.e., a Redis database corresponds to querying by signature for corresponding counts; the signature corresponding to a combination of attributes; one or more analysis modules specific to a type/class of attack can be dynamically selected for a set of attacks that can be executed in parallel in Jeyakumar, ¶0099-0100, ¶0187); and the first specialized misuse model and the second specialized misuse model are executing at least partly in parallel within a Cognitive Anti-Phishing Engine (CAPE) (i.e., analysis modules executed in parallel in classifying a specific threat in Jeyakumar, ¶0100). Based on Jakobsson in view of Jeyakumar, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Jeyakumar to improve upon those of Jakobsson in order to improve accuracy and efficiency of detecting security threats imposed by incoming emails. With respect to claim 2, Jakobsson discloses: the method of claim 1, further comprising: assigning the action based on classifying of the email to the receiving device comprising at least one of indicating the email is suspicious, preventing delivery of the email, or authorizing delivery of the email (i.e., determining message is not suspicious and allowed to be accessed by intended recipient; or quarantining or blocking access to recipient if identified phishing risk in Jakobsson, ¶0060, ¶0064). With respect to claim 3, Jakobsson discloses: the method of claim 1, further comprising: identifying one or more detectors for detecting data of the first sender attribute (i.e., mechanism for tracking components of the message and observe and track likelihood of their occurrence together in Jakobsson, ¶0042); and using data detected of the first sender attribute for computing the first probability value model that convey the likelihood that the first sender attribute is misused (i.e., determining risk value of the components of the message, the risk scores correspond to a likelihood of or probability of consistency indicating if the attribute of the message is suspicious in Jakobsson, ¶0046, ¶0053-¶0054). With respect to claim 4, Jakobsson discloses: the method of claim 1, further comprising: identifying one or more detectors for detecting data of the second sender attribute; and (i.e., analyzing and detecting message traffic and characteristics corresponding to the sender in the message to detect compromised message accounts in Jakobsson, ¶0030) using data detected of the second sender attribute for computing the second probability value that convey the likelihood that the second sender attribute is misused (i.e., determining risk value of the components of the message, the risk scores correspond to a likelihood of or probability of consistency indicating if the attribute of the message is suspicious in Jakobsson, ¶0046, ¶0053-¶0054) With respect to claim 5, Jakobsson discloses: the method of claim 4, further comprising: extracting the first sender attribute that comprises at least one of a sender domain (i.e., domain associated with the sender for analysis in Jakobsson, ¶0044), a sender address (i.e., determining the sender email address to identify the profile of the sender in Jakobsson, ¶0036-0037), or a displayed text (i.e., analyzing the content of the message to previous historical message content corresponding to the sender in Jakobsson, ¶0036-0037). With respect to claim 6, Jakobsson discloses: the method of claim 1, further comprising: extracting the second sender attribute that comprises at least one of a sender signature or an email closing from content of the email (i.e., determining message signature text to compare to historical observations and the current message in Jakobsson, ¶0043) using a Natural Language Processing (NLP) process (i.e., analyzing the content of messages, includes determining context including synonyms and related words for determining a risk of the user responding to the message in Jakobsson, ¶0070). With respect to claim 7, Jakobsson discloses: the method of claim 6, further comprising: determining, the likelihood of a first misuse sender attribute for computing a conditional probability based on detection of the first sender attribute from an email and probability data stored in a database (i.e., determining a likelihood or probability of changes in message sender attributes and creating a score to determine message authenticity in Jakobsson, ¶0042). With respect to claim 8, Jakobsson discloses: the method of claim 7, further comprising: determining, the likelihood of a second misuse sender attribute for computing a conditional probability based on detection of the second sender attribute from email and probability data stored in a database (i.e., determining mail client probability based on a 75% historical documentation of sending with a first mail client vs roughly 25% with a secondary mail client; the probabilities are used to indicate or determine whether the email is safe and authentic in Jakobsson, ¶0056). With respect to claim 9, the limitation(s) of claim 9 are similar to those of claim(s) 1. Therefore, claim 9 is rejected with the same reasoning as claim(s) 1. Jakobsson further discloses: a system comprising: one or more processors (i.e., an analysis server computer for processing received messages and verifying authenticity in Jakobsson, ¶0030); and one or more non-transitory computer-readable media storing computer-executable instructions that, when executed by the one or more processors, cause the one or more processors to perform operations (i.e., a processor coupled to a computer readable medium for performing operations of analyzing email for authenticity in Jakobsson, ¶0024). Jakobsson discloses storing of observations to determines changes as a function of time; track information about senders repeated periodically and stored in a data structure (¶0042). Jakobsson do(es) not explicitly disclose the following. Jeyakumar, in order to improve accuracy and efficiency of detecting security threats imposed by incoming emails (¶0188), discloses: in a synchronous real-time processing path (i.e., processes can be performed in series in Jeyakumar, ¶0116); in an asynchronous batch processing path performed in parallel with the synchronous real-time processing path, periodically updating the aggregated historical counts in the database based on sender attributes extracted from a plurality of previously processed emails (i.e., processes can be performed in parallel; batch processing to update the data used for real-time processing in Jeyakumar, ¶0116, ¶0180, ). Based on Jakobsson in view of Jeyakumar, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings of Jeyakumar to improve upon those of Jakobsson in order to improve accuracy and efficiency of detecting security threats imposed by incoming emails. With respect to claim 10, the limitation(s) of claim 10 are similar to those of claim(s) 2. Therefore, claim 10 is rejected with the same reasoning as claim(s) 2. With respect to claim 11, the limitation(s) of claim 11 are similar to those of claim(s) 3. Therefore, claim 11 is rejected with the same reasoning as claim(s) 3. With respect to claim 12, the limitation(s) of claim 12 are similar to those of claim(s) 4. Therefore, claim 12 is rejected with the same reasoning as claim(s) 4. With respect to claim 13, the limitation(s) of claim 13 are similar to those of claim(s) 5. Therefore, claim 13 is rejected with the same reasoning as claim(s) 5. With respect to claim 14, the limitation(s) of claim 14 are similar to those of claim(s) 6. Therefore, claim 14 is rejected with the same reasoning as claim(s) 6. With respect to claim 15, the limitation(s) of claim 15 are similar to those of claim(s) 7. Therefore, claim 15 is rejected with the same reasoning as claim(s) 7. With respect to claim 16, the limitation(s) of claim 16 are similar to those of claim(s) 8. Therefore, claim 16 is rejected with the same reasoning as claim(s) 8. With respect to claim 17, the limitation(s) of claim 17 are similar to those of claim(s) 1 and 9. Therefore, claim 17 is rejected with the same reasoning as claim(s) 1 and 9. With respect to claim 18, the limitation(s) of claim 18 are similar to those of claim(s) 2. Therefore, claim 18 is rejected with the same reasoning as claim(s) 2. With respect to claim 19, the limitation(s) of claim 19 are similar to those of claim(s) 3. Therefore, claim 19 is rejected with the same reasoning as claim(s) 3. With respect to claim 20, the limitation(s) of claim 20 are similar to those of claim(s) 4. Therefore, claim 20 is rejected with the same reasoning as claim(s) 4. Conclusion Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHERMAN L LIN whose telephone number is (571)270-7446. The examiner can normally be reached Monday through Friday 9:00 AM - 5:00 PM (Eastern). Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joon Hwang can be reached on 571-272-4036. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. Sherman Lin 2/21/2026 /S. L./Examiner, Art Unit 2447 /JOON H HWANG/Supervisory Patent Examiner, Art Unit 2447