DETAILED ACTION
Claims 1-18 remain for examination. The amendment filed 11/26/25 amended claims 1, 12, and 18.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Arguments
Applicant’s arguments, see pages 14-16 of the amendment filed 11/26/25, with respect to the rejection of claims 12-17 under 35 USC 112(b) have been fully considered and are persuasive. The rejection of claims 12-17 under 35 USC 112(b) has been withdrawn.
Applicant’s arguments, see page 17 of the amendment filed 11/26/25, with respect to the rejection(s) of claim(s) 1, 12, & 18 under 35 USC 102 in view of Wright – specifically, pertaining to the amended limitation that the pseudo account is specific to the recipient – have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of the newly discovered reference to Wang.
Claim Rejections - 35 USC § 103
The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
Claims 1-6, 11-16, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Wright (U.S. Patent 11,316,895) in view of Wang (U.S. Patent Publication 2018/0173891).
Regarding claim 1:
Wright discloses a method of determining unauthorised requests, from a sender, for data pertaining to a recipient of an electronic communication, the recipient being a user of, and having an authorized account with, a server system, wherein the server system comprises at least a remote server and a storage system, and maintains accounts for a plurality of users (Figure 1A, and col. 3, lines 1-5), the method comprising: receiving, at the remote server, the electronic communication addressed to the recipient (element 111 of Figure 1B, and col. 6, lines 58-67: “In a first step 111, a member-user receives a phishing email containing a hyperlink…”; see also col. 8, lines 35-37: “Security appliances 203 may also use the threat intelligence server 205 to monitor different users reporting phishing email or other contact purporting to be legitimate”); determining, by the remote server, that the electronic communication is a potentially malicious communication (col. 8, lines 19-51), and in response to determining that the electronic communication addressed to the recipient is potentially malicious: instantiating, by the remote server, a first pseudo account with associated login credentials of a first type, wherein the remote server maintains the first pseudo account in the storage system as a separate account from the authorized account of the recipient, and wherein the first pseudo account is unused by the recipient and contains no data (col. 2, lines 14-48; and col. 8, lines 1-13: “In the exemplary system 200, a security appliance 203 may be configured to generate a unique set of so-called ‘honey credentials’ that resemble actual member credentials and/or personal information, but are not actually associated with a member…”; see also the honey credential database at col. 7,8, lines 52-62 which teaches that the pseudo account information is stored in a separate database from the real accounts); transmitting, to the sender of the electronic communication, by the remote server, at least the login credentials of the first type (Ibid; see also col. 8, lines 64-67: “In a next step 215, the attacker server 209 harvests or otherwise captures the honey credential submitted from the security appliance 203 and then sends the honey credential to the attacker device 201 as a ‘phished credential,’ unbeknownst to the attacker”); monitoring, by the remote server, access to the first pseudo account by a given user of the server system, using the login credentials of the first type, wherein the given user is not associated with any of the accounts maintained by the server system (col. 2, Ibid; col. 7, lines 35-67: “Threat intelligence servers 205 may be internal or external computing devices configured to identify, store, and monitor data identifying or otherwise associated with potential attackers…”; and col. 9, line 58 – col. 10, line 15: “In a next step 315, the security appliance 303 queries fraud systems 309 (e.g., web server logs) to identify and correlate other supposed member login attempts from this attacker using the uniquely identifying information from the attacker device 301 and the honey credentials…Security appliance 303 (or any other server in charge of the operations associated with the phishing victim members) may then flag the member account and start monitoring the member account activity”); and associating, by the remote server and in the storage system, at least one characteristic of the access, by the given user of the server system, to the first pseudo account with the login credentials of the first type, wherein the at least one characteristic of the access to the first pseudo account is used in determining unauthorised requests for the data (Ibid; see also col. 8, line 63 – col. 9, line 5: “When the attacker later attempts to access the enterprise device 207, information about that attacker and attacker device 201 may be captured and stored into various databases, such as credential database and databases utilized by fraud detection devices of the enterprise”; and col. 9, lines 33-45 regarding the invention storing characteristics about each attacker in the credential database).
The honey accounts disclosed by Wright are not specific to the recipient of the phishing email that triggers the deployment of the honey credential to the attacker. However, Wang discloses a related invention for cybersecurity wherein the use of pseudo accounts that are specifically related to a real user account for determining if said real user account has been compromised has been known in the art (Wang, paragraph 0145; cf. Wright at col. 9, lines 33-45: “A record of a honey credential will store data about an attacker that will facilitate tracking and cross-correlating past attacks with the attacker. Data fields of a honey credential and/or of an attacker device 301 may include one or more identifiers of an attacker device 301, one or more identifiers of an attacker server (not shown), one or more member identifiers for member accounts attempted to be accessed by the attacker…”, i.e. Wright can correlate the use of the honey credentials with other real accounts [not including the account of the user who reported the phishing email that initiated the method of Wright’s invention] that were also accessed by the attacker device). It would have been obvious prior to the effective filing date of the instant application for Wright to correlate a given honey account/pseudo ID with the user who reported the phishing email that triggered the Wright invention into performing its disclosed method, as doing so would help the invention determine if the target account has already been compromised (Wang, Ibid; Wright, Ibid).
Regarding claims 12 and 18:
The rejection of claim 1 applies mutatis mutandis to each of claims 12 and 18.
Regarding claims 2 and 13: Wright further discloses wherein the login credentials of the first type are login credentials comprising characters which have been randomly generated for use in accessing the first pseudo account (col. 8, lines 52-62; see also Wright, claim 8).
Regarding claims 3 and 14: Wright further discloses: instantiating, by the remote server, at least a second pseudo account with associated login credentials of a second type, the second pseudo account being associated with, and unused by, the recipient, and wherein: the second pseudo account is different to the authorized account and the first pseudo account (col. 2, lines 14-48; and col. 8, lines 1-13: “In the exemplary system 200, a security appliance 203 may be configured to generate a unique set of so-called ‘honey credentials’ that resemble actual member credentials and/or personal information, but are not actually associated with a member…”; see also col. 9, lines 52-57: “And then, in a next step 313, the security appliance 303 queries the credentials database 305 to identify which phishing site correlates to the honey credentials received from the attacker device 301”, which implies that the Wright invention maintains a plurality of honey credentials in order to track and identify which of a plurality of attackers is attempting to access the system); the second pseudo account comprises dummy data representative of a given account of the server system (col. 2, lines 14-48; and col. 8, lines 1-13: “In the exemplary system 200, a security appliance 203 may be configured to generate a unique set of so-called ‘honey credentials’ that resemble actual member credentials and/or personal information, but are not actually associated with a member…”); and the login credentials of the second type represent dummy login credentials for accessing the given account (Ibid); transmitting, to the sender of the electronic communication, by the remote server, the login credentials of the second type (col. 8, lines 64-67: “In a next step 215, the attacker server 209 harvests or otherwise captures the honey credential submitted from the security appliance 203 and then sends the honey credential to the attacker device 201 as a ‘phished credential,’ unbeknownst to the attacker”); monitoring, by the remote server, access to the second pseudo account by the given user of the server system, with the login credentials of the second type (col. 2, Ibid; col. 7, lines 35-67: “Threat intelligence servers 205 may be internal or external computing devices configured to identify, store, and monitor data identifying or otherwise associated with potential attackers…”; and col. 9, line 58 – col. 10, line 15: “In a next step 315, the security appliance 303 queries fraud systems 309 (e.g., web server logs) to identify and correlate other supposed member login attempts from this attacker using the uniquely identifying information from the attacker device 301 and the honey credentials…Security appliance 303 (or any other server in charge of the operations associated with the phishing victim members) may then flag the member account and start monitoring the member account activity”); and associating by the remote server, and in the storage system, at least one characteristic of the access by the given user of the server system, to the second pseudo account with the login credentials of the second type, wherein the at least one characteristic of the access to the second pseudo account is used in determining unauthorised requests for the data (Ibid; see also col. 8, line 63 – col. 9, line 5: “When the attacker later attempts to access the enterprise device 207, information about that attacker and attacker device 201 may be captured and stored into various databases, such as credential database and databases utilized by fraud detection devices of the enterprise”; and col. 9, lines 33-45 regarding the invention storing characteristics about each attacker in the credential database).
Regarding claims 4 and 15: Wright further discloses determining whether access, by the given user, to the first pseudo account or the second pseudo account is automated, based on a comparison of the at least one characteristic of the access to the first pseudo account by the given user, and the at least one characteristic of the access to the second pseudo account by the given user, wherein the at least one characteristic of the access to the first pseudo account and the at least one characteristic of the access to the second pseudo account are indicative of at least whether the login credentials are of the first type or the second type (col. 10, lines 16-48, including “For example, a fraud detection system (e.g., server) may query through any number of web log entries (e.g., database storing Internet traffic data), containing the usernames that were logged in from the particular device (e.g., attacker device 301), to identify which other member usernames, if any, the particular attacker device 301 attempted to access”).
Regarding claims 5 and 16: Wright further discloses analysing data that is accessible via the Internet from one or more repositories (the credential database of col. 9, lines 33-45, and element 305 of Figure 3A), to determine whether at least: the login credentials of the first type, associated with the first pseudo account have been made available via the one or more repositories; or the login credentials of the second type, associated with the second pseudo account have been made available via the one or more repositories (col. 9, lines 52-57: “…the security appliance 303 queries the credentials database 305 to identify which phishing site correlates to the honey credentials received from the attacker device 301”).
Regarding claim 6: Wright further discloses wherein the at least one characteristic of the access to the first pseudo account and the at least one characteristic of the access to the second pseudo account comprises information associated with one or more actions undertaken by the given user (col. 10, lines 16-48, including “Security appliance 303 (or any other server in charge of the operations associated with the phishing victim members) may then flag the member account and start monitoring the member account activity”).
Regarding claim 11: Wright further discloses: identifying previous access characteristics stored in the storage system, the previous access characteristics being associated with previous accesses to one or more accounts of the server system (col. 10, lines 16-48, including “The security appliance 303 or fraud detection system 309 may query the various event logs stored in one or more fraud detection systems 309 in order to enrich the alert, by correlating the instant attacker device data with related information from past access attempts, based on matching or similar data”); comparing the previous access characteristics to the characteristics associated with the access to the first pseudo account by the given user of the server system to determine a similarity between the previous access to the one or more accounts of the server system and the access to the first pseudo account by the given user (Ibid: “For example, a fraud detection system (e.g., server) may query through any number of web log entries (e.g., database storing Internet traffic data), containing the usernames that were logged in from the particular device (e.g., attacker device 301), to identify which other member usernames, if any, the particular attacker device 301 attempted to access. Moreover, the security appliance 303 and/or fraud detection systems 309 may be dynamically or manually configured to maintain that alert so that any future traffic and/or login attempt from that particular username or particular attacker device 301, is automatically flagged in the web logs”); and transmitting an indication to the recipient based on the comparison (Ibid: “The server may also generate and transmit different notifications (comprising information regarding the affected user and the corresponding user account and user device or the restrictions imposed upon the account) and transmit the notification via an electronic message (e.g., email, text, push notification, and the like)”).
Claims 7, 8, 10, & 17 are rejected under 35 U.S.C. 103 as being unpatentable over Wright in view of Wang as applied to claims 3 & 14 above, and further in view of Larkins (U.S. Patent 9,027,126).
Regarding claims 7 and 17: Wright further discloses wherein the at least one characteristic of the access to the first pseudo account, and the at least one characteristic of the access to the second pseudo account is any of: identification information associated with the given user accessing the first pseudo account with the login credentials of the first type or the given user accessing the second pseudo account with the login credentials of the second type (col. 9, lines 32-57); but neither Wright nor Wang explicitly disclose another characteristic being a time associated with the access, by the given user, to the first pseudo account with the login credentials of the first type or the access to the second pseudo account with login credentials of the second type. However, Larkins discloses a related invention for cybersecurity – and in particular, defeating phishing scams such as those also faced by Wright (e.g. col. 4, line 65 – col. 5, line 3) – wherein the invention can not only provide fake credentials to a phishing attacker (Larkins, col. 5, lines 35-50, including: “The system is able to open a browser, launch the phishing website, and populate the requested fields, such as name, street address, or username, passwords with the fake information”) but additionally records inter alia the exact time the phishing website attempts to access one’s systems (Larkins, col. 7, lines 15-26). It would have been obvious prior to the effective filing date of the instant application for Wright to record the time when an attacker attempted to use the honey credentials to access one’s system, as this was clearly a known option within the grasp of a person of ordinary skill in the art, in order to record the relevant information about fraudulent access attempts that have been detected by the system (cf. Wright at col. 9, lines 1-45 regarding storing data about past access attempts by attackers). 
If recording the time of each fraudulent access as part of Wright’s record keeping would lead to success, it would be the result not of innovation but of ordinary skill and common sense.
Regarding claim 8: The combination further discloses determining a difference between a transmission time of the login credentials of the first type or the login credentials of the second type to the sender, and the time associated with the access to the first pseudo account or the access to the second pseudo account by the given user (Larkins, col. 7, lines 15-26: “Also, metrics, such as how soon before a phishing site is removed from the internet should a site be baited to be effective, how effective is baiting as soon as the site is detected versus waiting before baiting the website, could be compiled if baiting was done using an exacting process”).
Regarding claim 10: The combination further discloses determining a time period between the time associated with the access to the first pseudo account or the access to the second pseudo account by the given user, and an action time associated with an action undertaken by the given user in the first pseudo account or the second pseudo account (Larkins, Ibid).
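The flow these rejections turn on (a decoy account bound to the recipient, later use of its credentials, the delay between issuance and use, and correlation with other logins from the same source) can be sketched as follows. This is an added illustration, not code from this Office action, the application, or the Wright, Wang or Larkins references; every class, function and field name, address and log entry in it is hypothetical and constructed.

```python
"""Recipient-specific honey credentials: issue, watch for use, correlate."""
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class HoneyAccount:
    username: str
    password: str
    recipient: str        # real user this decoy is bound to
    sender: str           # sender of the suspicious message
    issued_at: datetime   # when the credentials were handed to the sender
    accesses: list = field(default_factory=list)


class HoneyRegistry:
    """Decoy accounts, held apart from the store of real accounts."""

    def __init__(self):
        self._accounts = {}

    def issue(self, recipient, sender, now):
        # Random username suffix and password; the decoy holds no user data.
        local = recipient.split("@")[0]
        username = f"{local}.{secrets.token_hex(3)}"
        acct = HoneyAccount(username, secrets.token_urlsafe(12),
                            recipient, sender, now)
        self._accounts[username] = acct
        return acct

    def observe_login(self, username, password, source_ip, user_agent, now):
        """Return an alert if the attempt used a decoy credential, else None."""
        acct = self._accounts.get(username)
        if acct is None or not secrets.compare_digest(
                acct.password.encode(), password.encode()):
            return None
        # Characteristics of the access, including issuance-to-use delay.
        event = {"source_ip": source_ip, "user_agent": user_agent,
                 "at": now, "delay": now - acct.issued_at}
        acct.accesses.append(event)
        return {"decoy": username, "recipient": acct.recipient,
                "sender": acct.sender, **event}


def related_logins(alert, web_log):
    """Real usernames tried from the address that used the decoy."""
    return sorted({e["username"] for e in web_log
                   if e["source_ip"] == alert["source_ip"]
                   and e["username"] != alert["decoy"]})


if __name__ == "__main__":
    t0 = datetime(2026, 1, 5, 9, 0, tzinfo=timezone.utc)  # constructed time
    reg = HoneyRegistry()
    decoy = reg.issue("alice@example.com", "billing@phish.example", t0)
    alert = reg.observe_login(decoy.username, decoy.password, "203.0.113.7",
                              "curl/8.5", t0 + timedelta(minutes=42))
    log = [  # constructed web-log entries
        {"username": "bob", "source_ip": "203.0.113.7"},
        {"username": "carol", "source_ip": "198.51.100.4"},
    ]
    print(alert["recipient"], alert["delay"], related_logins(alert, log))
```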
Allowable Subject Matter
Claim 9 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Thomas A Gyorfi whose telephone number is (571)272-3849. The examiner can normally be reached 10:00am - 6:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Amir Mehrmanesh can be reached at 571-270-3351. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
THOMAS A. GYORFI
Examiner
Art Unit 2435
/THOMAS A GYORFI/Examiner, Art Unit 2435 3/31/2026
/AMIR MEHRMANESH/Supervisory Patent Examiner, Art Unit 2435