DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
The communication is in response to the amendments filed on 02/17/2026. Claims 1-7 are currently pending in the application.
Response to Amendment
Applicant’s amendments to claim 6 have overcome the earlier 112(b) rejections on the application.
Response to Arguments
Applicant's arguments filed on 02/17/2026 regarding claim 1 have been fully considered but they are not persuasive. Applicant argued that GOUTAL (US 20180278627) does not disclose Related Anomaly Score (RAS). This argument is not correct because GOUTAL disclosure in ¶130-¶139 in conjunction with FIG. 2 teaches using Support Vector Machine to calculate maliciousness of emails and set boundary values for the determination of emails’ maliciousness. Applicant also argued that the combination of GOUTAL, Jakobsson, and MAYLOR does not disclose the limitation of “wherein the calculating includes calculating a total count of other emails where a feature vector of the specific email is at least as suspicious as corresponding feature vectors in every dimension” as amended in claim 1. However, it is noted that applicant is silent about the art of Sprosts (US 20070079379) which discloses similar limitation in previous claim 6. Sprosts in ¶0078-¶0085 and some other paragraphs in conjunction with FIG. 2 discloses the above limitation. These paragraphs are incorporated in the rejections made below.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 1-7 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Applicant recites “wherein the calculating includes calculating a total count of other
emails where a feature vector of the specific email is at least as suspicious as corresponding feature vectors in every dimension” in claims 1, 6, and 7. The boundary/scope of every dimension is not clear. What every dimension is applicant referring to? Applicant states that [each feature vector includes several dimensions associated with a sender of the email and a link of the email] in claim 6. The dimensions are not mentioned and as such, one of ordinary skill may find it difficult to understand the scope of the dimension applicant is claiming. Claims 2-5 are also rejected under 35 U.S.C. 112(b) due to dependency on claim 1.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-7 are rejected under 35 U.S.C. 103 as being unpatentable over US. PGPub. No. 20180278627 to GOUTAL (hereinafter GOUTAL) in view of US PGPub. No. 20070079379 to Sprosts et al. (hereinafter Sprosts) and in view of US. PGPub. No. 20180091478 to Jakobson et al (hereinafter Jakobsson) and further in view of US. PGPub. No. 20170078321 to MAYLOR et al. (hereinafter MAYLOR).
Regarding claim 1, GOUTAL discloses a computer-implemented method in a network security device, on a data communication network, for accelerated detection of spear phishing during email malware detection associated with an enterprise network, the method comprising (¶0031, “Herein, computer-implemented methods, devices and systems are presented that will thwart spear phishing attacks and email spoofing. For ease of reference, such methods, devices and systems are collectively referred to herein by the acronym ESPL (Email Spoofing & spear phishing Protection Layer).”), (¶0010, “The spear phishing attack is unique and is tailored specifically to the targeted enterprise and victim…”):
receiving a specific email from a stream of incoming emails destined for a specific user of a specific organization (¶0050, “…The processing portion 204 may comprise structure and functionality to process emails (receive, generate and send emails, among other functionality), as shown at 208 and to categorize email, as shown at 210…”), (¶0148, “…The binary SINGLE_RECIPIENT value indicates that there is one recipient in To header and no recipient in Cc and Bcc headers. This recipient is the main recipient. In the case of a spear phishing attack, it is common that only one person is targeted…”), wherein the stream of emails are received over a predetermined sliding window (¶0037, “…The period of time during which ESPL (Email Spoofing & spear phishing Protection Layer) acquires data from email traffic to build a model of the contact is called learning phase…”), (¶0057, “A sliding time window may be used in one embodiment. The size of the sliding time window may be greater than the duration of the learning phase…”);
identifying emails suspected to include a spear phishing attack from the stream of incoming emails using a Related Anomaly Score (RAS), (¶0130-¶0139, “Returning to FIG. 2A, during the protection phase, contact models 212 are used, in conjunction with the SVM model 214, to categorize received emails as either likely legitimate or likely malicious, as described in detail herein. Both the SVM model 214 and the contact model may be updated during the protection phase…”, wherein the supervised learning algorithm such as SVM and contact model being used to classify the received emails is interpreted as the claimed Related Anomaly Score), (¶0059, “FIG. 3 is a flowchart illustrating aspects of a computer-implemented method of classifying and handling inbound emails, according to one embodiment…”), wherein the RAS is calculated by identifying feature vectors from the stream of incoming emails associated with a sender of the email and a link of the email (¶0141-¶0144, “The features vector is a vector of numeric values. As shown in FIG. 2B, this features vector 218, along with the SVM model 214, may be input into the SVM classifier 216, which then outputs a probability 218 that the received email belongs to the malicious class C.sub.malicious…As shown, each numeric value of the features vector may be resolved to a value of one of these types…BIN—A binary value i.e. either 0 or 1. The value equals 1 if the condition is respected, 0 otherwise; and…DISP—A dispersion value i.e. a floating number between 0 and 1.”), (¶0060, FIG. 3, “As shown at B34, after following the NO branch of B32, the email address of the sender of the email is extracted from the From header of the received email…”), (¶0147, “As shown in FIG. 4B, the features vector may also include a binary value for TEXT_HTML_PART, which indicates whether the email body has a text/html part…”, wherein the link is embedded in the HTML ), (¶0150, “The features vector may also include the binary value EXTERNAL_DATA, which may be set to logical 1 if the email body contains at least one external data: an email address, a telephone number, a URL or an attached dynamic file. Significantly, according to one embodiment, the signature in the body may be ignored, as it may contain an email address, telephone numbers and URLs. A dynamic file is a file that may contain dynamic content that can be harmful. Examples of dynamic files are PE files, APK files, Javascript files, PDF files, Microsoft Office files or HTML files…”);
mapping the suspicious spear phishing emails by feature vectors and prioritizing according to map position (abstract, “… If the determined statistical dispersion is lower than a dispersion threshold, the received email may be evaluated in the processor against a plurality of conditions associated with email spoofing and spear phishing attacks, using the generated contact model, to generate a features vector that is constituted of a plurality of binary values and a plurality of dispersion values between 0 and 1, and using at least the generated features vector to classify with a supervised learning algorithm the received email as a likely legitimate email or as a likely malicious email spear phishing attack…”), (¶0149, “As shown in FIG. 4C, the binary URGENCY_IN_SUBJECT value indicates that the email Subject header contains a keyword that creates a sense of urgency such as, for example, urgent, important, critical and the like. A large number of spear phishing attacks attempt to create a false sense of urgency so that the victim acts immediately, without much aforethought…”), (¶0156-¶0176, “FIG. 5 is a table that classifies the constituent elements of the features vector according to one embodiment, according their intended use. The first row of the table of FIG. 5 lists exemplary features vector elements that may be used to detect email spoofing, whereas the second row of the table of FIG. 5 lists features vector elements that may find utility in detecting spear phishing…”);
However, GOUTAL does not disclose the following limitation:
wherein the calculating includes calculating a total count of other emails where a feature vector of the specific email is at least as suspicious as corresponding feature vectors in every dimension”;
checking relative distance between suspicious emails, and:
if a relative distance between the specific email and prioritized suspicious emails exceeds a predetermined distance threshold, take a first security action based on spear phishing rules on the filtered highest suspicious emails, and;
if the relative distance does not exceed the predetermined distance threshold, take a second security action including forwarding the specific email for standard phishing analysis.
Sprosts discloses wherein the calculating includes calculating a total count of other emails where a feature vector of the specific email is at least as suspicious as corresponding feature vectors in every dimension” (¶0045, “…a method comprising receiving an electronic mail message having a destination address for a recipient account; determining a virus score value for the message based upon one or more rules that specify attributes of messages that are known to contain computer viruses, wherein the attributes comprise a type of file attachment to the message, a size of the file attachment, and one or more heuristics based on the message sender, subject or body and other than file attachment signatures”), (¶0063, “…virus information source 104 generates counts of received messages that have suspicious attachments, and provides the counts to virus information processor 108, or allows an external process to retrieve the counts and store them in a specialized database. Messaging gateway 107 also may serve as a virus information source by detecting messages that have indications that are associated with viruses or that are otherwise suspicious, creating a count of suspicious messages received in a particular time period, and periodically providing the count to virus information processor 108.”), (¶0118, “… A virus score value for a particular time period refers to a score value based on the number of messages received at a particular source that have suspicious file attachments. A message is considered to have a suspicious attachment if the attachment satisfies one or more metrics, such as a particular file size, file type, etc., or if the network address of the sender is known to be associated with prior virus outbreaks. The determination may be based on attachment file size or file type or extension.”), (¶0078-¶0085, FIG. 2, “… if the message is suspicious, then a count of suspicious messages for the current time period is incremented. For example, if the message has an EXE attachment, a count of messages with EXE attachments is incremented by one.”, wherein the determination that a message is suspicious is made after comparing the message characteristics as enumerated in paragraphs 82-84 to a known spam or virus in every dimension).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the medium of GOUTAL to include a count of suspicious messages as disclosed by Sprosts and be motivated in doing so in order to update a database with the report of the count of suspicious emails-Sprosts ¶0086 in parts.
The combination of GOUTAL and Sprosts does not disclose the following limitations:
checking relative distance between suspicious emails, and:
if a relative distance between the specific email and prioritized suspicious emails exceeds a predetermined distance threshold, take a first security action based on spear phishing rules on the filtered highest suspicious emails, and;
if the relative distance does not exceed the predetermined distance threshold, take a second security action including forwarding the specific email for standard phishing analysis.
Jakobsson discloses checking relative distance between suspicious emails (¶0028, “…By determining the measure of similarity, a risk of likelihood of confusion by the message recipient that the message is from a trusted contact of the user is able to be determined. An example of the measure of similarity is a string distance between an email address or a display name of the sender of the message and an email address or an associated display name of a trusted contact.”),
if a relative distance between the specific email and prioritized suspicious emails exceeds a predetermined distance threshold, take a first security action based on spear phishing rules on the filtered highest suspicious emails (¶0109, “In some embodiments, message meets the first criteria if a measure of similarity (e.g., string distance measure) meets a threshold value. For example, if any string distance measure determined for a list of trusted contacts (e.g., determined in 702) is greater than a threshold value, the message is identified as potentially an impersonation attack message and it is determined that the message meets the first criteria.”), (¶0144, “…If SUM(Bi*Ri)/G>t1, where t1 is a first threshold, then a first action is taken. This action may be to block emails from the sender of E, remove E from the inbox of all recipients, and determine whether any of the users who appear to have opened E have had their computers corrupted or credentials stolen…”), (¶0155, “At 1204, triggering of the rule is detected and the associated message account is secured. For example, when the rule is triggered and a threat is detected for the account, then all messages from the account to other accounts of a protected enterprise are treated as being high-risk. This results in modification or blocking of at least a portion of messages…”),
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the method of GOUTAL and Sprosts to include distance between the emails as disclosed by Jakobsson and be motivated in doing so in order to determine a risk likelihood of the received emails-Jakobsson ¶0028 in parts.
Although Jakobsson discloses further analysis/scrutinization of the messages, the combination of GOUTAL, Sprosts, and Jakobsson does not explicitly disclose the limitation of:
if the relative distance does not exceed the predetermined distance threshold, take a second security action including forwarding the specific email for standard phishing analysis
MAYLOR discloses if the relative distance does not exceed the predetermined distance threshold, take a second security action including forwarding the specific email for standard phishing analysis (¶0110-¶0111, “…One or more embodiments may use any distance function or similarity metric, or any other method to compare identities to determine the degree of similarity. One or more embodiments may compare any form of identity, including for example any portion of the email address or any other name, identifier, number, string, or value associated with a sender or a contact. In this example the email addresses are compared using a Levenshtein distance function, which counts the number of character changes needed to transform one string into another string. The result 1803 is compared to threshold 1804; because the similarity metric is positive and below the threshold 1804, the message is classified as a potential threat. The threat protection system transforms message 1602 into modified message 1805, with warnings inserted into the subject line and the message text…”), (¶0113, “…Therefore, the threat detection system determines that the message may be a potential threat 180A07 since the sender's identity is similar to, but not identical to, that of a known contact, taking into account both the fingerprint and the email address. Transformed message 18A08 provides a warning that the sender may be an imposter who has, for example, stolen the fingerprint identity to appear to be the known contact, but who is using a falsified email address as part of an attack.”), (¶0100, FIG. 14, “…This analysis may check for any kind of threat, including for example, without limitation, phishing attacks, spear-phishing attacks, whaling attacks, malware, viruses, worms, Trojans, spam, adware, spyware, or denial of service attacks…”).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the method of GOUTAL, Sprosts, and Jakobsson to include taking a security action when the relative distance between emails does not exceed a threshold distance as disclosed by MAYLOR and be motivated in doing so in order to transform a message into modified message with warnings inserted into the subject line and the message text-MAYLOR ¶0110 in parts.
Regarding claim 2, GOUTAL in view of Sprosts and further in view of Jakobsson and further in view of MAYLOR discloses the method of claim 1.
GOUTAL further discloses wherein the sliding window is defined by at least one of a limited time or a limited volume (¶0037, “The period of time during which ESPL acquires data from email traffic to build a model of the contact is called learning phase. According to one embodiment, when enough data is acquired to build the model of the contact; that is, when ESPL has enough data to detect an impersonation of the contact, ESPL may switch from the learning phase to a protection phase.”), (Claim 4, “wherein generating the contact model comprises building the contact model using received emails from the sender during a learning phase over a period of time and thereafter transitioning the contact model to a protection phase during which the built contact model is used to classify the received email as likely legitimate or likely malicious.”), (Claim 5, “updating the contact model using a sliding time window by: adding thereto data from recent received emails from the sender of the email and deleting data from emails older than a predetermined period of time”), (¶0108-¶0110, “The model of the contact will be considered built once the following conditions are both respected: A condition on the number of emails analyzed; and A condition on the length of the learning phase”)
Regarding claim 3, GOUTAL in view of Sprosts in view of Jakobsson and further in view of MAYLOR discloses the method of claim 1.
Sprosts further discloses wherein prioritizing according to map position comprises counting a number of suspicious emails wherein the feature vector is at least as suspicious as the corresponding feature vector in every dimension (¶0045, “…a method comprising receiving an electronic mail message having a destination address for a recipient account; determining a virus score value for the message based upon one or more rules that specify attributes of messages that are known to contain computer viruses, wherein the attributes comprise a type of file attachment to the message, a size of the file attachment, and one or more heuristics based on the message sender, subject or body and other than file attachment signatures”), (¶0063, “…virus information source 104 generates counts of received messages that have suspicious attachments, and provides the counts to virus information processor 108, or allows an external process to retrieve the counts and store them in a specialized database. Messaging gateway 107 also may serve as a virus information source by detecting messages that have indications that are associated with viruses or that are otherwise suspicious, creating a count of suspicious messages received in a particular time period, and periodically providing the count to virus information processor 108.”), (¶0118, “… A virus score value for a particular time period refers to a score value based on the number of messages received at a particular source that have suspicious file attachments. A message is considered to have a suspicious attachment if the attachment satisfies one or more metrics, such as a particular file size, file type, etc., or if the network address of the sender is known to be associated with prior virus outbreaks. The determination may be based on attachment file size or file type or extension.”), (¶0079-¶0085, FIG. 2, “FIG. 2 is a flow diagram of a process of generating a count of suspicious messages, according to an embodiment. In one implementation, the steps of FIG. 2 may be performed by a virus information source, such as virus information source 104 in FIG. 1…”).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the method of GOUTAL, Jakobsson, and MAYLOR to include a count of suspicious messages as disclosed by Sprosts and be motivated in doing so in order to update a database with the report of the count of suspicious emails-Sprosts ¶0086 in parts.
Regarding claim 4, GOUTAL in view of Sprosts and further in view of Jacobsson and further in view of MAYLOR discloses the method of claim 1.
GOUTAL further discloses wherein each of the feature vectors includes several dimensions (¶0156-¶0176, “FIG. 5 is a table that classifies the constituent elements of the features vector according to one embodiment, according their intended use. The first row of the table of FIG. 5 lists exemplary features vector elements that may be used to detect email spoofing, whereas the second row of the table of FIG. 5 lists features vector elements that may find utility in detecting spear phishing…”, wherein the constituent elements of the features vector is interpreted as the dimensions of the feature vectors).
Regarding claim 5, GOUTAL in view of Sprosts and further in view of Jacobsson and further in view of MAYLOR discloses the method of claim 1.
Jakobsson further discloses wherein the relative distance between the specific suspicious emails is defined by mapping positions (¶0083, “determining the measure of similarity includes determining a string similarity measure (e.g., string distance) using a string matching algorithm (e.g., Jaro-Winkler). For each trusted contact in a group of trusted contacts, string similarity measures may be determined between an address of the trusted contact and/or a display name of the trusted contact with an address of the sender of the message (e.g., string in a “From:” field of the message between “<” and “>” characters), a display name of the sender of the message (e.g., string in a “From:” field of the message prior to “<” character), and/or a subject of the message..”), (¶0085, “prior to performing the string comparison to determine the measure of similarity, element portions of the strings are sorted (e.g., alphabetically sorted) based on a predetermined order. The element portions of the string may be delimited by a space character or other special characters (e.g., comma, period, etc.). For example, strings “Bob Bigboss” and “Bigboss Bob” may be determined to be not similar in string distance despite them being a simple reversal of the order of the first/last names. Thus, the element portions “Bob” “Bigboss” in “Bob Bigboss” can be alphabetically sorted as “Bigboss Bob” prior to being used in the string comparison.”).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the method of GOUTAL, Jakobsson, and MAYLOR to include mapping position in calculating the relative distance between emails as disclosed by Jakobsson and be motivated in doing so in order to detect masquerade attempts in which the actual sender uses deceptive display names and/or subject lines to trick recipients that emails are from a trusted sender-Jakobsson ¶0084 in parts.
Regarding claim 6, GOUTAL discloses a non-transitory computer-readable medium in a network security device, on a data communication network, that, when executed by a processor, cause the processor to perform a method (¶0178, FIG. 6), for accelerated detection of spear phishing during email malware detection associated with an enterprise network (¶0179, “Embodiments of the present invention are related to the use of computing devices to detect phishing attacks in electronic messages such as emails”), (¶0031, “Herein, computer-implemented methods, devices and systems are presented that will thwart spear phishing attacks and email spoofing. For ease of reference, such methods, devices and systems are collectively referred to herein by the acronym ESPL (Email Spoofing & spear phishing Protection Layer).”), (¶0010, “The spear phishing attack is unique and is tailored specifically to the targeted enterprise and victim…”) the method comprising:
monitoring receiving a specific email from a stream of incoming emails destined for a specific user of a specific organization (¶0050, “…The processing portion 204 may comprise structure and functionality to process emails (receive, generate and send emails, among other functionality), as shown at 208 and to categorize email, as shown at 210…”), (¶0148, “…The binary SINGLE_RECIPIENT value indicates that there is one recipient in To header and no recipient in Cc and Bcc headers. This recipient is the main recipient. In the case of a spear phishing attack, it is common that only one person is targeted…”), wherein the stream of emails are received over a predetermined sliding window (¶0037, “…The period of time during which ESPL (Email Spoofing & spear phishing Protection Layer) acquires data from email traffic to build a model of the contact is called learning phase…”), (¶0057, “A sliding time window may be used in one embodiment. The size of the sliding time window may be greater than the duration of the learning phase…”);
identifying emails suspected to include a spear phishing attack from the stream of incoming emails using a Related Anomaly Score (RAS) (¶0130-¶0139, “Returning to FIG. 2A, during the protection phase, contact models 212 are used, in conjunction with the SVM model 214, to categorize received emails as either likely legitimate or likely malicious, as described in detail herein. Both the SVM model 214 and the contact model may be updated during the protection phase…”, wherein the supervised learning algorithm such as SVM that is used to classify the received emails is interpreted as the claimed Related Anomaly Score), (¶0059, “FIG. 3 is a flowchart illustrating aspects of a computer-implemented method of classifying and handling inbound emails, according to one embodiment…”), wherein the RAS is calculated by identifying feature vectors from the stream of incoming emails [each feature vector includes several dimensions associated with a sender of the email and a link of the email (¶0141-¶0144, “The features vector is a vector of numeric values. As shown in FIG. 2B, this features vector 218, along with the SVM model 214, may be input into the SVM classifier 216, which then outputs a probability 218 that the received email belongs to the malicious class C.sub.malicious…As shown, each numeric value of the features vector may be resolved to a value of one of these types…BIN—A binary value i.e. either 0 or 1. The value equals 1 if the condition is respected, 0 otherwise; and…DISP—A dispersion value i.e. a floating number between 0 and 1.”), (¶0060, FIG. 3, “As shown at B34, after following the NO branch of B32, the email address of the sender of the email is extracted from the From header of the received email…”), (¶0147, “As shown in FIG. 4B, the features vector may also include a binary value for TEXT_HTML_PART, which indicates whether the email body has a text/html part…”, wherein the link is embedded in the HTML ), (¶0150, “The features vector may also include the binary value EXTERNAL_DATA, which may be set to logical 1 if the email body contains at least one external data: an email address, a telephone number, a URL or an attached dynamic file. Significantly, according to one embodiment, the signature in the body may be ignored, as it may contain an email address, telephone numbers and URLs. A dynamic file is a file that may contain dynamic content that can be harmful. Examples of dynamic files are PE files, APK files, Javascript files, PDF files, Microsoft Office files or HTML files…”), (¶0156-¶0176, “FIG. 5 is a table that classifies the constituent elements of the features vector according to one embodiment, according their intended use. The first row of the table of FIG. 5 lists exemplary features vector elements that may be used to detect email spoofing, whereas the second row of the table of FIG. 5 lists features vector elements that may find utility in detecting spear phishing…”, wherein the constituent elements of the features vector is interpreted as the dimensions of the feature vectors);
mapping the suspicious spear phishing emails by feature vectors and prioritizing according to map position (abstract, “… If the determined statistical dispersion is lower than a dispersion threshold, the received email may be evaluated in the processor against a plurality of conditions associated with email spoofing and spear phishing attacks, using the generated contact model, to generate a features vector that is constituted of a plurality of binary values and a plurality of dispersion values between 0 and 1, and using at least the generated features vector to classify with a supervised learning algorithm the received email as a likely legitimate email or as a likely malicious email spear phishing attack…”), (¶0149, “As shown in FIG. 4C, the binary URGENCY_IN_SUBJECT value indicates that the email Subject header contains a keyword that creates a sense of urgency such as, for example, urgent, important, critical and the like. A large number of spear phishing attacks attempt to create a false sense of urgency so that the victim acts immediately, without much aforethought…”), (¶0156-¶0176, “FIG. 5 is a table that classifies the constituent elements of the features vector according to one embodiment, according their intended use. The first row of the table of FIG. 5 lists exemplary features vector elements that may be used to detect email spoofing, whereas the second row of the table of FIG. 5 lists features vector elements that may find utility in detecting spear phishing…”);
However, GOUTAL does not disclose the following limitation:
wherein the calculating includes calculating a total count of other emails where a feature vector of the specific email is at least as suspicious as corresponding feature vectors in every dimension”;
checking relative distance between suspicious emails, and:
if a relative distance between the specific email and prioritized suspicious emails exceeds a predetermined distance threshold, take a first security action based on spear phishing rules on the filtered highest suspicious emails, and;
if the relative distance does not exceed the predetermined distance threshold, take a second security action including forwarding the specific email for standard phishing analysis.
Sprosts discloses wherein the calculating includes calculating a total count of other emails where a feature vector of the specific email is at least as suspicious as corresponding feature vectors in every dimension” Sprosts discloses wherein the calculating includes calculating a total count of other emails where a feature vector of the specific email is at least as suspicious as corresponding feature vectors in every dimension” (¶0045, “…a method comprising receiving an electronic mail message having a destination address for a recipient account; determining a virus score value for the message based upon one or more rules that specify attributes of messages that are known to contain computer viruses, wherein the attributes comprise a type of file attachment to the message, a size of the file attachment, and one or more heuristics based on the message sender, subject or body and other than file attachment signatures”), (¶0063, “…virus information source 104 generates counts of received messages that have suspicious attachments, and provides the counts to virus information processor 108, or allows an external process to retrieve the counts and store them in a specialized database. Messaging gateway 107 also may serve as a virus information source by detecting messages that have indications that are associated with viruses or that are otherwise suspicious, creating a count of suspicious messages received in a particular time period, and periodically providing the count to virus information processor 108.”), (¶0118, “… A virus score value for a particular time period refers to a score value based on the number of messages received at a particular source that have suspicious file attachments. A message is considered to have a suspicious attachment if the attachment satisfies one or more metrics, such as a particular file size, file type, etc., or if the network address of the sender is known to be associated with prior virus outbreaks. The determination may be based on attachment file size or file type or extension.”), (¶0078-¶0085, FIG. 2, “… if the message is suspicious, then a count of suspicious messages for the current time period is incremented. For example, if the message has an EXE attachment, a count of messages with EXE attachments is incremented by one.”, wherein the determination that a message is suspicious is made after comparing the message characteristics as enumerated in paragraphs 82-84 to a known spam or virus in every dimension).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the medium of GOUTAL to include a count of suspicious messages as disclosed by Sprosts and be motivated in doing so in order to update a database with the report of the count of suspicious emails-Sprosts ¶0086 in parts.
However, GOUTAL in view of Sprosts does not disclose the following limitation:
checking relative distance between suspicious emails, and:
if a relative distance between the specific email and prioritized suspicious emails exceeds a predetermined distance threshold, take a first security action based on spear phishing rules on the filtered highest suspicious emails, and;
if the relative distance does not exceed the predetermined distance threshold, take a second security action including forwarding the specific email for standard phishing analysis.
Sprosts discloses wherein the calculating includes calculating a total count of other emails where a feature vector of the specific email is at least as suspicious as corresponding feature vectors in every dimension” (¶0045, “…a method comprising receiving an electronic mail message having a destination address for a recipient account; determining a virus score value for the message based upon one or more rules that specify attributes of messages that are known to contain computer viruses, wherein the attributes comprise a type of file attachment to the message, a size of the file attachment, and one or more heuristics based on the message sender, subject or body and other than file attachment signatures”), (¶0063, “…virus information source 104 generates counts of received messages that have suspicious attachments, and provides the counts to virus information processor 108, or allows an external process to retrieve the counts and store them in a specialized database. Messaging gateway 107 also may serve as a virus information source by detecting messages that have indications that are associated with viruses or that are otherwise suspicious, creating a count of suspicious messages received in a particular time period, and periodically providing the count to virus information processor 108.”), (¶0118, “… A virus score value for a particular time period refers to a score value based on the number of messages received at a particular source that have suspicious file attachments. A message is considered to have a suspicious attachment if the attachment satisfies one or more metrics, such as a particular file size, file type, etc., or if the network address of the sender is known to be associated with prior virus outbreaks. The determination may be based on attachment file size or file type or extension.”), (¶0078-¶0085, FIG. 2, “… if the message is suspicious, then a count of suspicious messages for the current time period is incremented. For example, if the message has an EXE attachment, a count of messages with EXE attachments is incremented by one.”, wherein the determination that a message is suspicious is made after comparing the message characteristics as enumerated in paragraphs 82-84 to a known spam or virus in every dimension).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the medium of GOUTAL to include a count of suspicious messages as disclosed by Sprosts and be motivated in doing so in order to update a database with the report of the count of suspicious emails-Sprosts ¶0086 in parts.
The combination of GOUTAL and Sprosts does not disclose the following limitations:
checking relative distance between suspicious emails, and:
if a relative distance between the specific email and prioritized suspicious emails exceeds a predetermined distance threshold, take a first security action based on spear phishing rules on the filtered highest suspicious emails, and;
if the relative distance does not exceed the predetermined distance threshold, take a second security action including forwarding the specific email for standard phishing analysis.
Jakobsson discloses checking relative distance between suspicious emails (¶0028, “…By determining the measure of similarity, a risk of likelihood of confusion by the message recipient that the message is from a trusted contact of the user is able to be determined. An example of the measure of similarity is a string distance between an email address or a display name of the sender of the message and an email address or an associated display name of a trusted contact.”),
if a relative distance between the specific email and prioritized suspicious emails exceeds a predetermined distance threshold, take a first security action based on spear phishing rules on the filtered highest suspicious emails (¶0109, “In some embodiments, message meets the first criteria if a measure of similarity (e.g., string distance measure) meets a threshold value. For example, if any string distance measure determined for a list of trusted contacts (e.g., determined in 702) is greater than a threshold value, the message is identified as potentially an impersonation attack message and it is determined that the message meets the first criteria.”), (¶0144, “…If SUM(Bi*Ri)/G>t1, where t1 is a first threshold, then a first action is taken. This action may be to block emails from the sender of E, remove E from the inbox of all recipients, and determine whether any of the users who appear to have opened E have had their computers corrupted or credentials stolen…”), (¶0155, “At 1204, triggering of the rule is detected and the associated message account is secured. For example, when the rule is triggered and a threat is detected for the account, then all messages from the account to other accounts of a protected enterprise are treated as being high-risk. This results in modification or blocking of at least a portion of messages…”),
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the method of GOUTAL and Sprosts to include distance between the emails as disclosed by Jakobsson and be motivated in doing so in order to determine a risk likelihood of the received emails-Jakobsson ¶0028 in parts.
Although Jakobsson discloses further analysis/scrutinization of the messages, the combination of GOUTAL, Sprosts, and Jakobsson does not explicitly disclose the limitation of:
if the relative distance does not exceed the predetermined distance threshold, take a second security action including forwarding the specific email for standard phishing analysis
MAYLOR discloses if the relative distance does not exceed the predetermined distance threshold, take a second security action including forwarding the specific email for standard phishing analysis (¶0110-¶0111, “…One or more embodiments may use any distance function or similarity metric, or any other method to compare identities to determine the degree of similarity. One or more embodiments may compare any form of identity, including for example any portion of the email address or any other name, identifier, number, string, or value associated with a sender or a contact. In this example the email addresses are compared using a Levenshtein distance function, which counts the number of character changes needed to transform one string into another string. The result 1803 is compared to threshold 1804; because the similarity metric is positive and below the threshold 1804, the message is classified as a potential threat. The threat protection system transforms message 1602 into modified message 1805, with warnings inserted into the subject line and the message text…”), (¶0113, “…Therefore, the threat detection system determines that the message may be a potential threat 180A07 since the sender's identity is similar to, but not identical to, that of a known contact, taking into account both the fingerprint and the email address. Transformed message 18A08 provides a warning that the sender may be an imposter who has, for example, stolen the fingerprint identity to appear to be the known contact, but who is using a falsified email address as part of an attack.”), (¶0100, FIG. 14, “…This analysis may check for any kind of threat, including for example, without limitation, phishing attacks, spear-phishing attacks, whaling attacks, malware, viruses, worms, Trojans, spam, adware, spyware, or denial of service attacks…”).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the method of GOUTAL, Sprosts, and Jakobsson to include taking a security action when the relative distance between emails does not exceed a threshold distance as disclosed by MAYLOR and be motivated in doing so in order to transform a message into modified message with warnings inserted into the subject line and the message text-MAYLOR ¶0110 in parts.
Regarding claim 7, GOUTAL discloses a network security device (FIG.1), on a data communication network (¶0050, FIG. 2, “As shown in FIG. 2A, ESPL component 202 (also shown in FIG. 1 at 110, 114 and 118) is configured, as shown previously, to communicate with the centralized ESPL service 108 over a computer network that may include, for example, the Internet and/or other public or private networks…”) for accelerated detection of spear phishing during email malware detection associated with an enterprise network network (¶0179, “Embodiments of the present invention are related to the use of computing devices to detect phishing attacks in electronic messages such as emails”), (¶0031, “Herein, computer-implemented methods, devices and systems are presented that will thwart spear phishing attacks and email spoofing. For ease of reference, such methods, devices and systems are collectively referred to herein by the acronym ESPL (Email Spoofing & spear phishing Protection Layer).”), (¶0010, “The spear phishing attack is unique and is tailored specifically to the targeted enterprise and victim…”) comprising:
a processor (¶0050, FIG. 6, processor 602);
a network interface communicatively coupled to the processor and to a data communication network (¶178, FIG. 6, “…The computing device of FIG. 6 may be coupled, via a communication interface (e.g., modem, network interface card or NIC) to the network 626.”), (Claim 10, “…a network interface coupled to the at least one processor and to a computer network…”); and
a memory, communicatively coupled to the processor and storing (FIG. 6, Main memory 604 and processor 602):
a queueing module to receive a specific email from a stream of incoming emails destined for a specific user of a specific organization (¶0043, FIG. 1, email server (also known as the mail transfer agent (MTA) 112, 116 and 120, respectively”), wherein the stream of emails are received over a predetermined sliding window (¶0037, “…The period of time during which ESPL (Email Spoofing & spear phishing Protection Layer) acquires data from email traffic to build a model of the contact is called learning phase…”), (¶0057, “A sliding time window may be used in one embodiment. The size of the sliding time window may be greater than the duration of the learning phase…”);
an RAS module (FIG. 2A, module 206) to identify emails suspected to include a spear phishing attack from the stream of incoming emails using a Related Anomaly Score (RAS) (¶0130-¶0139, “Returning to FIG. 2A, during the protection phase, contact models 212 are used, in conjunction with the SVM model 214, to categorize received emails as either likely legitimate or likely malicious, as described in detail herein. Both the SVM model 214 and the contact model may be updated during the protection phase…”, wherein the supervised learning algorithm such as SVM and contact model being used to classify the received emails is interpreted as the claimed Related Anomaly Score), (¶0059, “FIG. 3 is a flowchart illustrating aspects of a computer-implemented method of classifying and handling inbound emails, according to one embodiment…”), wherein the RAS is calculated by identifying feature vectors from the stream of incoming emails (¶0141-¶0144, “The features vector is a vector of numeric values. As shown in FIG. 2B, this features vector 218, along with the SVM model 214, may be input into the SVM classifier 216, which then outputs a probability 218 that the received email belongs to the malicious class C.sub.malicious…As shown, each numeric value of the features vector may be resolved to a value of one of these types…BIN—A binary value i.e. either 0 or 1. The value equals 1 if the condition is respected, 0 otherwise; and…DISP—A dispersion value i.e. a floating number between 0 and 1.”), (¶0060, FIG. 3, “As shown at B34, after following the NO branch of B32, the email address of the sender of the email is extracted from the From header of the received email…”), (¶0147, “As shown in FIG. 4B, the features vector may also include a binary value for TEXT_HTML_PART, which indicates whether the email body has a text/html part…”, wherein the link is embedded in the HTML ), (¶0150, “The features vector may also include the binary value EXTERNAL_DATA, which may be set to logical 1 if the email body contains at least one external data: an email address, a telephone number, a URL or an attached dynamic file. Significantly, according to one embodiment, the signature in the body may be ignored, as it may contain an email address, telephone numbers and URLs. A dynamic file is a file that may contain dynamic content that can be harmful. Examples of dynamic files are PE files, APK files, Javascript files, PDF files, Microsoft Office files or HTML files…”), (¶0156-¶0176, “FIG. 5 is a table that classifies the constituent elements of the features vector according to one embodiment, according their intended use. The first row of the table of FIG. 5 lists exemplary features vector elements that may be used to detect email spoofing, whereas the second row of the table of FIG. 5 lists features vector elements that may find utility in detecting spear phishing…”, wherein the constituent elements of the features vector is interpreted as the dimensions of the feature vectors);
an email prioritizing module (FIG. 2A, contact models 212) to map the suspicious spear phishing emails by feature vectors and prioritizing according to map position (abstract, “… If the determined statistical dispersion is lower than a dispersion threshold, the received email may be evaluated in the processor against a plurality of conditions associated with email spoofing and spear phishing attacks, using the generated contact model, to generate a features vector that is constituted of a plurality of binary values and a plurality of dispersion values between 0 and 1, and using at least the generated features vector to classify with a supervised learning algorithm the received email as a likely legitimate email or as a likely malicious email spear phishing attack…”), (¶0149, “As shown in FIG. 4C, the binary URGENCY_IN_SUBJECT value indicates that the email Subject header contains a keyword that creates a sense of urgency such as, for example, urgent, important, critical and the like. A large number of spear phishing attacks attempt to create a false sense of urgency so that the victim acts immediately, without much aforethought…”), (¶0156-¶0176, “FIG. 5 is a table that classifies the constituent elements of the features vector according to one embodiment, according their intended use. The first row of the table of FIG. 5 lists exemplary features vector elements that may be used to detect email spoofing, whereas the second row of the table of FIG. 5 lists features vector elements that may find utility in detecting spear phishing…”);
However, GOUTAL does not disclose the following limitation:
wherein the calculating includes calculating a total count of other emails where a feature vector of the specific email is at least as suspicious as corresponding feature vectors in every dimension”;
a clustering module to check relative distance between suspicious emails, and a security action module to:
if a relative distance between the specific email and prioritized suspicious emails exceeds a predetermined distance threshold, take a first security action based on spear phishing rules on the filtered highest suspicious emails, and;
if the relative distance does not exceed the predetermined distance threshold, take a second security action including forwarding the specific email for standard phishing analysis.
Sprosts discloses wherein the calculating includes calculating a total count of other emails where a feature vector of the specific email is at least as suspicious as corresponding feature vectors in every dimension” (¶0045, “…a method comprising receiving an electronic mail message having a destination address for a recipient account; determining a virus score value for the message based upon one or more rules that specify attributes of messages that are known to contain computer viruses, wherein the attributes comprise a type of file attachment to the message, a size of the file attachment, and one or more heuristics based on the message sender, subject or body and other than file attachment signatures”), (¶0063, “…virus information source 104 generates counts of received messages that have suspicious attachments, and provides the counts to virus information processor 108, or allows an external process to retrieve the counts and store them in a specialized database. Messaging gateway 107 also may serve as a virus information source by detecting messages that have indications that are associated with viruses or that are otherwise suspicious, creating a count of suspicious messages received in a particular time period, and periodically providing the count to virus information processor 108.”), (¶0118, “… A virus score value for a particular time period refers to a score value based on the number of messages received at a particular source that have suspicious file attachments. A message is considered to have a suspicious attachment if the attachment satisfies one or more metrics, such as a particular file size, file type, etc., or if the network address of the sender is known to be associated with prior virus outbreaks. The determination may be based on attachment file size or file type or extension.”), (¶0078-¶0085, FIG. 2, “… if the message is suspicious, then a count of suspicious messages for the current time period is incremented. For example, if the message has an EXE attachment, a count of messages with EXE attachments is incremented by one.”, wherein the determination that a message is suspicious is made after comparing the message characteristics as enumerated in paragraphs 82-84 to a known spam or virus in every dimension).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the medium of GOUTAL to include a count of suspicious messages as disclosed by Sprosts and be motivated in doing so in order to update a database with the report of the count of suspicious emails-Sprosts ¶0086 in parts.
However, GOUTAL in view of Sprosts does not disclose the following limitation:
a clustering module to check relative distance between suspicious emails, and a security action module to:
if a relative distance between the specific email and prioritized suspicious emails exceeds a predetermined distance threshold, take a first security action based on spear phishing rules on the filtered highest suspicious emails, and;
if the relative distance does not exceed the predetermined distance threshold, take a second security action including forwarding the specific email for standard phishing analysis.
Jakobsson discloses a clustering module to check relative distance between suspicious emails, (FIG. 1, Analysis Server, ¶0033) checking relative distance between suspicious emails (¶0028, “…By determining the measure of similarity, a risk of likelihood of confusion by the message recipient that the message is from a trusted contact of the user is able to be determined. An example of the measure of similarity is a string distance between an email address or a display name of the sender of the message and an email address or an associated display name of a trusted contact.”), and a security action module (FIG. 1, gateway 110, ¶0120) to:
if a relative distance between the specific email and prioritized suspicious emails exceeds a predetermined distance threshold, take a first security action based on spear phishing rules on the filtered highest suspicious emails (¶0109, “In some embodiments, message meets the first criteria if a measure of similarity (e.g., string distance measure) meets a threshold value. For example, if any string distance measure determined for a list of trusted contacts (e.g., determined in 702) is greater than a threshold value, the message is identified as potentially an impersonation attack message and it is determined that the message meets the first criteria.”), (¶0144, “…If SUM(Bi*Ri)/G>t1, where t1 is a first threshold, then a first action is taken. This action may be to block emails from the sender of E, remove E from the inbox of all recipients, and determine whether any of the users who appear to have opened E have had their computers corrupted or credentials stolen…”), (¶0155, “At 1204, triggering of the rule is detected and the associated message account is secured. For example, when the rule is triggered and a threat is detected for the account, then all messages from the account to other accounts of a protected enterprise are treated as being high-risk. This results in modification or blocking of at least a portion of messages…”),
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the device of GOUTAL and Sprosts to include distance between the emails as disclosed by Jakobsson and be motivated in doing so in order to determine a risk likelihood of the received emails-Jakobsson ¶0028 in parts
Although Jakobsson discloses further analysis/scrutinization of the messages, the combination of GOUTAL, Sprosts, and Jakobsson does not explicitly disclose the limitation of:
if the relative distance does not exceed the predetermined distance threshold, take a second security action including forwarding the specific email for standard phishing analysis
MAYLOR discloses if the relative distance does not exceed the predetermined distance threshold, take a second security action including forwarding the specific email for standard phishing analysis (¶0110-¶0111, “…One or more embodiments may use any distance function or similarity metric, or any other method to compare identities to determine the degree of similarity. One or more embodiments may compare any form of identity, including for example any portion of the email address or any other name, identifier, number, string, or value associated with a sender or a contact. In this example the email addresses are compared using a Levenshtein distance function, which counts the number of character changes needed to transform one string into another string. The result 1803 is compared to threshold 1804; because the similarity metric is positive and below the threshold 1804, the message is classified as a potential threat. The threat protection system transforms message 1602 into modified message 1805, with warnings inserted into the subject line and the message text…”), (¶0113, “…Therefore, the threat detection system determines that the message may be a potential threat 180A07 since the sender's identity is similar to, but not identical to, that of a known contact, taking into account both the fingerprint and the email address. Transformed message 18A08 provides a warning that the sender may be an imposter who has, for example, stolen the fingerprint identity to appear to be the known contact, but who is using a falsified email address as part of an attack.”), (¶0100, FIG. 14, “…This analysis may check for any kind of threat, including for example, without limitation, phishing attacks, spear-phishing attacks, whaling attacks, malware, viruses, worms, Trojans, spam, adware, spyware, or denial of service attacks…”).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the device of GOUTAL, Sprosts, and Jakobsson to include taking a security action when the relative distance between emails does not exceed a threshold distance as disclosed by MAYLOR and be motivated in doing so in order to transform a message into modified message with warnings inserted into the subject line and the message text-MAYLOR ¶0110 in parts.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. US 11962608, 20250337778.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MUDASIRU K OLAEGBE whose telephone number is (571)272-2082. The examiner can normally be reached MON-FRI. 7.30AM-5.30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached at 5712723739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MUDASIRU K OLAEGBE/Examiner, Art Unit 2495
/FARID HOMAYOUNMEHR/Supervisory Patent Examiner, Art Unit 2495