Detailed Action
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Amendments filed on 04/20/2026 have been acknowledged. Claims 1-20 are currently pending and have been considered below. Claim 1, 7 and 14 are independent claim. Claim 1-2, 7-8, 14-15 and 20 have been amended.
Priority
No priority is claimed.
Response to Arguments
Applicant's arguments added in the amendment filed on 04/20/2026 have been fully considered but moot in view of new ground of rejection. The reasons set forth below.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Adams (US Patent Application Publication No 2023/0336588 A1) in view of Morris (US Patent No 12,047,416 B1) and further in view of Kras (US Patent Application Publication No 2022/0377101 A1).
Regarding Claim 1, Adams discloses a system for cybersecurity enforcement, the system comprising:
one or more memories (Adams, Fig-1); and
one or more processors, communicatively coupled to the one or more memories (Adams, Fig-1), configured to:
generate a first synthetic phishing attempt that targets a user via a communication mode (Adams, Fig-2A, ¶[0033], the phishing lure generation platform may train a natural language model or algorithm to automatically produce synthetic phishing lures. The phishing lure generation model identifies formats of phishing lures that may be effective for a particular recipient. ¶[0038], in step 204, the phishing lure generation platform may send the simulated synthetic phishing lure to the user device);
identify a user response or non-response to the synthetic phishing attempt (Adams, Fig-2B, ¶[0040], the target user may be tested on how well they may identify and avoid a phishing lure amidst their normal course of business. By displaying the simulated synthetic phishing lure alongside legitimate messages, the target user’s ability to distinguish between legitimate and phishing messages may be tested); and
update, based at least in part on the communication mode and the user response or non-response, a risk score specific to the user (Adams, ¶[0044], ¶[0051], the inbound message filtering system may train the phish detection model using signals indicative of the automated generation of the synthetic lures which may be used to distinguish between synthetic and manually generated lures. ¶[0056], the inbound message filtering system may quarantine the inbound message, route the inbound message to an isolation environment and secure sandbox, modify one or more traffic filtering rules and execute other security actions).
Adams does not explicitly discuss the following limitation that Morris teaches:
wherein a second communication mode for a second synthetic phishing attempt is determined using a machine learning model, the determination based on the first synthetic phishing attempt (Morris, col 23, line 55-65, col 24, line 5-15, if the user environment information shows that the user regularly accesses their devices each morning at 8 am, the system may generate a user specific phishing lure that is deployed to the user at or near 8 am. If the user environment information shows that the user is consuming content instead of creating content at particular times of the day or after taking particular actions, the anti-phishing system can deploy a phishing lure at those particular times of the day when the user is more likely to see the incoming digital communication. Thus generating user specific phishing lures from user environment information is mapped to second mode of communication. Col 17, line 5-10, user feedback can indicate when a user identifies as a threat a piece of digital communication that was not flagged as a threat by the system. This user feedback can be used to further refine the system, such as by improving one or more templates or further training one or more machine learning models);
and enable a security limitation on user interactions via the first communication mode based on the risk score, wherein the security limitation limits the user interactions via the first communication mode more than other user interactions via the second communication mode (Morris, col 13, line 50-55, the user asset risk score can be a score indicative of the level of risk of the user being susceptible to a threat. Col 14, Fig-2, line 45-60, deploying the threat abatement procedure can include generating and presenting an alert to a user. Col 21, line 45-60. Col 23, line 5-10).
Adams in view of Morris are analogous art because they are from the “same field of endeavor” and are from the same “problem solving area”. Namely, they pertain to the field of “anti-phishing security and monitoring content to protect against phishing attack”. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to modify the invention of Adams in view of Morris to include the idea of determining that the digital communication is a threat based at least in part on the user specific network behavior information associated with the assets and employing a threat-abatement procedure with respect to the digital communication (Morris, col 2, line 5-10).
Adams in view of Morris does not explicitly discuss the following limitation that Kras teaches:
wherein the first communication mode comprises a first technology by which the first synthetic phishing attempt targets the user (Kras, ¶[0070], a messaging application may be an instance of an application that allows viewing of a desired message type, such as any web browser, a Gmail application, Microsoft Outlook, WhatsApp , a text messaging application. User device may receive simulated phishing messages via messaging application. ¶[0076], simulated phishing message may be email, SMS message, IM message, voice message. ¶[0078]);
wherein the second communication mode comprises a second technology by which the second synthetic phishing attempt targets the user (Kras, ¶[0070], a messaging application may be an instance of an application that allows viewing of a desired message type, such as any web browser, a Gmail application, Microsoft Outlook, WhatsApp , a text messaging application. User device may receive simulated phishing messages via messaging application. ¶[0076], simulated phishing message may be email, SMS message, IM message, voice message. ¶[0078]).
Adams in view of Morris and Kras are analogous art because they are from the “same field of endeavor” and are from the same “problem solving area”. Namely, they pertain to the field of “anti-phishing security and monitoring content to protect against phishing attack”. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to modify the invention of Adams in view of Morris and Kras to include the idea of receiving a selection of the user to be in one of a single user mode or a multi-user mode of the simulated self-phishing system. The multi-user mode of the simulated self-phishing system is configured to display the score of the user with scores of other users in an enumerated list of scores (Kras, ¶[0006]).
Regarding claim 2, Adams in view of Morris and Kras discloses the system of claim 1, wherein the first communication mode is email and the second communication mode is text (Kras, ¶[0070], a messaging application may be an instance of an application that allows viewing of a desired message type, such as any web browser, a Gmail application, Microsoft Outlook, WhatsApp , a text messaging application. User device may receive simulated phishing messages via messaging application. ¶[0076], simulated phishing message may be email, SMS message, IM message, voice message. ¶[0078]).
Regarding claim 3, Adams in view of Morris and Kras discloses the system of claim 1, wherein the one or more processors are further configured to:
receive an indication that the user has opted in to synthetic phishing attempts (Adams, ¶[0040], the target user may be tested on how well they may identify and avoid a phishing lure amidst their normal course of business. By displaying the simulated synthetic phishing lure alongside legitimate messages, the target user’s ability to distinguish between the legitimate and phishing messages may be tested).
Regarding claim 4, Adams in view of Morris and Kras discloses the system of claim 1, wherein the one or more processors are further configured to:
generate the first synthetic phishing attempt based at least in part on a previous phishing attempt targeting the user (Adams, ¶[0044], the phishing lure generation platform may update the phishing lure generation model using the feedback information. ¶[0045], may leverage engagement feedback to dynamically refine models/algorithm).
Regarding Claim 5, Adams in view of Morris and Kras discloses the system of claim 1, wherein the risk score is specific to the first communication mode (Morris, col 13, line 50-55, the user asset risk score can be a score indicative of the level of risk of the user being susceptible to a threat. Col 14, Fig-2, line 45-60, deploying the threat abatement procedure can include generating and presenting an alert to a user. Col 21, line 45-60. Col 23, line 5-10).
Regarding Claim 6, Adams in view of Morris and Kras discloses the system of claim 1, wherein the one or more processors are further configured to:
perform a cybersecurity action based at least in part on the risk score, wherein the cybersecurity action comprises enablement of the security limitation (Morris, col 13, line 50-55, the user asset risk score can be a score indicative of the level of risk of the user being susceptible to a threat. Col 14, Fig-2, line 45-60, deploying the threat abatement procedure can include generating and presenting an alert to a user. Col 21, line 45-60. Col 23, line 5-10).
Regarding Claim 7, Adams discloses a method of cybersecurity enforcement, comprising:
generating a first synthetic phishing attempt that targets a user via a first communication mode (Adams, Fig-2A, ¶[0033], the phishing lure generation platform may train a natural language model or algorithm to automatically produce synthetic phishing lures. The phishing lure generation model identifies formats of phishing lures that may be effective for a particular recipient. ¶[0038], in step 204, the phishing lure generation platform may send the simulated synthetic phishing lure to the user device); and
updating, based at least in part on the first communication mode, a risk profile specific to the user (Adams, ¶[0044], ¶[0051], the inbound message filtering system may train the phish detection model using signals indicative of the automated generation of the synthetic lures which may be used to distinguish between synthetic and manually generated lures. ¶[0056], the inbound message filtering system may quarantine the inbound message, route the inbound message to an isolation environment and secure sandbox, modify one or more traffic filtering rules and execute other security actions).
Adams does not explicitly discuss the following limitation that Morris teaches:
wherein a second communication mode for a second synthetic phishing attempt is determined using a machine learning model, the determination based on the first synthetic phishing attempt (Morris, col 23, line 55-65, col 24, line 5-15, if the user environment information shows that the user regularly accesses their devices each morning at 8 am, the system may generate a user specific phishing lure that is deployed to the user at or near 8 am. If the user environment information shows that the user is consuming content instead of creating content at particular times of the day or after taking particular actions, the anti-phishing system can deploy a phishing lure at those particular times of the day when the user is more likely to see the incoming digital communication. Thus generating user specific phishing lures from user environment information is mapped to second mode of communication. Col 17, line 5-10, user feedback can indicate when a user identifies as a threat a piece of digital communication that was not flagged as a threat by the system. This user feedback can be used to further refine the system, such as by improving one or more templates or further training one or more machine learning models);
and enable a security limitation on user interactions via the first communication mode based on the risk score, wherein the security limitation limits the user interactions via the first communication mode more than other user interactions via second communication mode (Morris, col 13, line 50-55, the user asset risk score can be a score indicative of the level of risk of the user being susceptible to a threat. Col 14, Fig-2, line 45-60, deploying the threat abatement procedure can include generating and presenting an alert to a user. Col 21, line 45-60. Col 23, line 5-10).
Adams in view of Morris are analogous art because they are from the “same field of endeavor” and are from the same “problem solving area”. Namely, they pertain to the field of “anti-phishing security and monitoring content to protect against phishing attack”. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to modify the invention of Adams in view of Morris to include the idea of determining that the digital communication is a threat based at least in part on the user specific network behavior information associated with the assets and employing a threat-abatement procedure with respect to the digital communication (Morris, col 2, line 5-10).
Adams in view of Morris does not explicitly discuss the following limitation that Kras teaches:
wherein the first communication mode comprises a first technology by which the first synthetic phishing attempt targets the user (Kras, ¶[0070], a messaging application may be an instance of an application that allows viewing of a desired message type, such as any web browser, a Gmail application, Microsoft Outlook, WhatsApp , a text messaging application. User device may receive simulated phishing messages via messaging application. ¶[0076], simulated phishing message may be email, SMS message, IM message, voice message. ¶[0078]);
wherein the second communication mode comprises a second technology by which the second synthetic phishing attempt targets the user (Kras, ¶[0070], a messaging application may be an instance of an application that allows viewing of a desired message type, such as any web browser, a Gmail application, Microsoft Outlook, WhatsApp , a text messaging application. User device may receive simulated phishing messages via messaging application. ¶[0076], simulated phishing message may be email, SMS message, IM message, voice message. ¶[0078]).
Adams in view of Morris and Kras are analogous art because they are from the “same field of endeavor” and are from the same “problem solving area”. Namely, they pertain to the field of “anti-phishing security and monitoring content to protect against phishing attack”. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to modify the invention of Adams in view of Morris and Kras to include the idea of receiving a selection of the user to be in one of a single user mode or a multi-user mode of the simulated self-phishing system. The multi-user mode of the simulated self-phishing system is configured to display the score of the user with scores of other users in an enumerated list of scores (Kras, ¶[0006]).
Regarding Claim 8, Adams in view of Morris and Kras discloses the method of claim 7, wherein the first communication mode is email and the second communication mode is phone (Kras, ¶[0070], a messaging application may be an instance of an application that allows viewing of a desired message type, such as any web browser, a Gmail application, Microsoft Outlook, WhatsApp , a text messaging application. User device may receive simulated phishing messages via messaging application. ¶[0076], simulated phishing message may be email, SMS message, IM message, voice message. ¶[0078])).
Regarding Claim 9, Adams in view of Morris and Kras discloses the method of claim 7, further comprising:
receiving an indication that the user has opted in to synthetic phishing attempts (Adams, ¶[0040], the target user may be tested on how well they may identify and avoid a phishing lure amidst their normal course of business. By displaying the simulated synthetic phishing lure alongside legitimate messages, the target user’s ability to distinguish between the legitimate and phishing messages may be tested).
Regarding Claim 10, Adams in view of Morris and Kras discloses the method of claim 7, further comprising:
generating the first synthetic phishing attempt based at least in part on a previous phishing attempt targeting the user (Adams, ¶[0044], the phishing lure generation platform may update the phishing lure generation model using the feedback information. ¶[0045], may leverage engagement feedback to dynamically refine models/algorithm).
Regarding Claim 11, Adams in view of Morris and Kras discloses the method of claim 7, wherein updating the risk profile includes updating the risk profile based at least in part on a user response or non-response to the first synthetic phishing attempt (Adams, ¶[0044], ¶[0051], the inbound message filtering system may train the phish detection model using signals indicative of the automated generation of the synthetic lures which may be used to distinguish between synthetic and manually generated lures. ¶[0056], the inbound message filtering system may quarantine the inbound message, route the inbound message to an isolation environment and secure sandbox, modify one or more traffic filtering rules and execute other security actions).
Regarding Claim 12, Adams in view of Morris and Kras discloses the method of claim 7, wherein the risk profile includes a risk score that is specific to the first communication mode (Morris, col 13, line 50-55, the user asset risk score can be a score indicative of the level of risk of the user being susceptible to a threat. Col 14, Fig-2, line 45-60, deploying the threat abatement procedure can include generating and presenting an alert to a user. Col 21, line 45-60. Col 23, line 5-10).
Regarding Claim 13, Adams in view of Morris and Kras discloses the method of claim 7, further comprising:
performing a cybersecurity action based at least in part on the risk profile, wherein the cybersecurity action comprises enabling the security limitation (Morris, col 13, line 50-55, the user asset risk score can be a score indicative of the level of risk of the user being susceptible to a threat. Col 14, Fig-2, line 45-60, deploying the threat abatement procedure can include generating and presenting an alert to a user. Col 21, line 45-60. Col 23, line 5-10).
Regarding Claim 14, Adams discloses a non-transitory computer-readable medium storing a set of instructions, the set of instructions comprising:
one or more instructions that, when executed by one or more processors of a cybersecurity enforcement system, cause the cybersecurity enforcement system to (Adams, Fig-1):
generate a first synthetic phishing attempt that targets a user via a first communication mode (Adams, Fig-2A, ¶[0033], the phishing lure generation platform may train a natural language model or algorithm to automatically produce synthetic phishing lures. The phishing lure generation model identifies formats of phishing lures that may be effective for a particular recipient. ¶[0038], in step 204, the phishing lure generation platform may send the simulated synthetic phishing lure to the user device); and
update, based at least in part on the first communication mode, a risk score specific to the user (Adams, ¶[0044], ¶[0051], the inbound message filtering system may train the phish detection model using signals indicative of the automated generation of the synthetic lures which may be used to distinguish between synthetic and manually generated lures. ¶[0056], the inbound message filtering system may quarantine the inbound message, route the inbound message to an isolation environment and secure sandbox, modify one or more traffic filtering rules and execute other security actions).
Adams does not explicitly discuss the following limitation that Morris teaches:
wherein a second communication mode for a second synthetic phishing attempt is determined using a machine learning model, the determination based on the first synthetic fishing attempt (Morris, col 23, line 55-65, col 24, line 5-15, if the user environment information shows that the user regularly accesses their devices each morning at 8 am, the system may generate a user specific phishing lure that is deployed to the user at or near 8 am. If the user environment information shows that the user is consuming content instead of creating content at particular times of the day or after taking particular actions, the anti-phishing system can deploy a phishing lure at those particular times of the day when the user is more likely to see the incoming digital communication. Thus generating user specific phishing lures from user environment information is mapped to second mode of communication. Col 17, line 5-10, user feedback can indicate when a user identifies as a threat a piece of digital communication that was not flagged as a threat by the system. This user feedback can be used to further refine the system, such as by improving one or more templates or further training one or more machine learning models);
and enable a security limitation on user interactions via the first communication mode based on the risk score, wherein the security limitation limits the user interactions via the first communication mode more than other user interactions via the second communication mode (Morris, col 13, line 50-55, the user asset risk score can be a score indicative of the level of risk of the user being susceptible to a threat. Col 14, Fig-2, line 45-60, deploying the threat abatement procedure can include generating and presenting an alert to a user. Col 21, line 45-60. Col 23, line 5-10).
Adams in view of Morris are analogous art because they are from the “same field of endeavor” and are from the same “problem solving area”. Namely, they pertain to the field of “anti-phishing security and monitoring content to protect against phishing attack”. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to modify the invention of Adams in view of Morris to include the idea of determining that the digital communication is a threat based at least in part on the user specific network behavior information associated with the assets and employing a threat-abatement procedure with respect to the digital communication (Morris, col 2, line 5-10).
Adams in view of Morris does not explicitly discuss the following limitation that Kras teaches:
wherein the first communication mode comprises a first technology by which the first synthetic phishing attempt targets the user (Kras, ¶[0070], a messaging application may be an instance of an application that allows viewing of a desired message type, such as any web browser, a Gmail application, Microsoft Outlook, WhatsApp , a text messaging application. User device may receive simulated phishing messages via messaging application. ¶[0076], simulated phishing message may be email, SMS message, IM message, voice message. ¶[0078]);
wherein the second communication mode comprises a second technology by which the second synthetic phishing attempt targets the user (Kras, ¶[0070], a messaging application may be an instance of an application that allows viewing of a desired message type, such as any web browser, a Gmail application, Microsoft Outlook, WhatsApp , a text messaging application. User device may receive simulated phishing messages via messaging application. ¶[0076], simulated phishing message may be email, SMS message, IM message, voice message. ¶[0078]).
Adams in view of Morris and Kras are analogous art because they are from the “same field of endeavor” and are from the same “problem solving area”. Namely, they pertain to the field of “anti-phishing security and monitoring content to protect against phishing attack”. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to modify the invention of Adams in view of Morris and Kras to include the idea of receiving a selection of the user to be in one of a single user mode or a multi-user mode of the simulated self-phishing system. The multi-user mode of the simulated self-phishing system is configured to display the score of the user with scores of other users in an enumerated list of scores (Kras, ¶[0006]).
Regarding Claim 15, Adams in view of Morris and Kras discloses the non-transitory computer-readable medium of claim 14, wherein the first communication mode includes one or more of email, phone, or text (Kras, ¶[0070], a messaging application may be an instance of an application that allows viewing of a desired message type, such as any web browser, a Gmail application, Microsoft Outlook, WhatsApp , a text messaging application. User device may receive simulated phishing messages via messaging application. ¶[0076], simulated phishing message may be email, SMS message, IM message, voice message. ¶[0078]).
Regarding claim 16, Adams in view of Morris and Kras discloses the non-transitory computer-readable medium of claim 14, wherein the one or more instructions further cause the cybersecurity enforcement system to:
receive an indication that the user has opted in to synthetic phishing attempts (Adams, ¶[0040], the target user may be tested on how well they may identify and avoid a phishing lure amidst their normal course of business. By displaying the simulated synthetic phishing lure alongside legitimate messages, the target user’s ability to distinguish between the legitimate and phishing messages may be tested).
Regarding claim 17, Adams in view of Morris and Kras discloses the non-transitory computer-readable medium of claim 14, wherein the one or more instructions further cause the cybersecurity enforcement system to:
generate the first synthetic phishing attempt based at least in part on a previous phishing attempt targeting the user (Adams, ¶[0044], the phishing lure generation platform may update the phishing lure generation model using the feedback information. ¶[0045], may leverage engagement feedback to dynamically refine models/algorithm).
Regarding claim 18, Adams in view of Morris and Kras discloses the non-transitory computer-readable medium of claim 14, wherein the one or more instructions, that cause the cybersecurity enforcement system to update the risk score, cause the cybersecurity enforcement system to update the risk score based at least in part on a user response or non-response to the first synthetic phishing attempt (Morris, col 13, line 50-55, the user asset risk score can be a score indicative of the level of risk of the user being susceptible to a threat. Col 14, Fig-2, line 45-60, deploying the threat abatement procedure can include generating and presenting an alert to a user. Col 21, line 45-60. Col 23, line 5-10).
Regarding claim 19, Adams in view of Morris and Kras discloses the non-transitory computer-readable medium of claim 14, wherein the risk score is specific to the first communication mode (Morris, col 13, line 50-55, the user asset risk score can be a score indicative of the level of risk of the user being susceptible to a threat. Col 14, Fig-2, line 45-60, deploying the threat abatement procedure can include generating and presenting an alert to a user. Col 21, line 45-60. Col 23, line 5-10).
Regarding claim 20, Adams in view of Morris and Kras discloses the system of claim 1, wherein the risk score is included in a matrix of risk scores and wherein the matrix of risk scores is based on the first communication mode and the user response or non-response (Kras, ¶[0005], generating score based on user interaction data. ¶[0079]- ¶[0080], risk score calculator 238 may store the risk scores and scores from the simulated self-phishing systems of the users in user score storage).
Conclusion
THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to WASIKA NIPA whose telephone number is (571)272-8923. The examiner can normally be reached on M-F (7:30 - 5:00).
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JEFFRY PWU can be reached on 571-272-6798. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/WASIKA NIPA/ Primary Examiner, Art Unit 2433