Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This action is in response to the claims filed 3/12/2025. Claims 21-41 are pending. Claims 21 (a machine), 33 (a non-transitory CRM), and 41 (a method) are independent.
Effective Filing Date
Applicant’s claim for the benefit of a prior-filed application under 35 U.S.C. 119(e) or under 35 U.S.C. 120, 121, 365(c), or 386(c) is acknowledged. Applicant has not complied with one or more conditions for receiving the benefit of an earlier filing date under 35 U.S.C. 119(e) as follows:
The later-filed application must be an application for a patent for an invention which is also disclosed in the prior application (the parent or original nonprovisional application or provisional application). The disclosure of the invention in the parent application and in the later-filed application must be sufficient to comply with the requirements of 35 U.S.C. 112(a) or the first paragraph of pre-AIA 35 U.S.C. 112, except for the best mode requirement. See Transco Products, Inc. v. Performance Contracting, Inc., 38 F.3d 551, 32 USPQ2d 1077 (Fed. Cir. 1994).
The disclosure of the prior-filed application, Application No. 62/632,623, fails to provide adequate support or enablement in the manner provided by 35 U.S.C. 112(a) or pre-AIA 35 U.S.C. 112, first paragraph for one or more claims of this application.
Provisional Application 62/632,623 does not support each and every element of the pending independent claims 21, 33, and 41. Therefore, the earliest effective filing date of the present claims appears to be 2/19/2019. For example, the claimed templates and natural language prose does not appear to be discussed in ‘623.
Response to Arguments
Applicant's arguments filed 2/20/2026 have been fully considered but they are not persuasive.
On pages 9-11 of the remarks, Applicant discusses the § 101 abstract idea rejection and asserts that filling out natural language forms is not an abstract idea.
Filling out human readable textual forms is a human mental activity, performed with pen and paper. Applicant’s claims attempt to capture the human mental activity by “applying it’ using a computer; however, there are no special steps that tailor the method of filling in human readable forms for performance by a computer.
Applicant asserts that “communicate with one or more AI models” and “derive a normal pattern of life of entities in the network” integrates the claims into a practical application. However, “communicate with one or more AI models” excludes the AI model itself from the claimed system – humans can communicate with AI models. Additionally, humans can determine a normal pattern of life for email user’s using their inherent human mental intuition to detect phishing and spoofed emails.
As to Applicant’s discussion of ‘format and output’ as a transformation; humans can obvious format data and fill out forms with pencil and paper. As discussed in Applicant’s ¶ 88, as filed, the formatting is selection of an appropriate template/form. Humans can select appropriate forms for administrative filings such as job applications, reports, customer reviews, etc.
On page 11 of the remarks, Applicant asserts that the combination of claimed acts is non-conventional. This is not persuasive, the specifics of the claim and organization of the limitations are directed to filling out forms, a human activity. Other aspects such as detecting threats or cooperating with AI are discussed with no explanation; strongly implying these features (AI and threat detection) are conventional and need not be described.
With regard to the 112(b) discussion on page 11, this is due to a 112(f) interpretation of the claim phrasing “module … configured … to”. Which appears to invoke a 112(f) interpretation and require some articulation of which elements of the specification are intended to be interpreted as covered by the claim, see 35 U.S.C. § 112(f). As the phrasing persists in the presently presented claims, the issue remains.
On page 12 of the remarks, Applicant states that the cited art (Shenoy, US 2019/0098037, in view of Song, US 2015/0261745, and Pourmohammad, US 2019/0095820) does not disclose a formatting module configured to format and output the email threat report in a selected medium from a plurality of mediums. Per, Applicant’s specification ¶ 88, the ‘medium’ is a ‘template’, which is already required by the claim. A plurality of report types is disclosed at least in Shenoy ¶ 168 and Song ¶ 178.
On page 12 of the remarks, Applicant states that the cited art does not disclose the entirety of the “wherein the autonomous email-report composer is configured, …” clause. However, no particular limitations or citations to the prior art are discussed. Examiner references the rejection detailed below.
On page 12 of the remarks, Applicant states that the cited art does not disclose the “wherein the formatting module … clause.
This argument is persuasive due to “breach of the AI models”. However, as to the other limitations, the previously cited references disclose the other limitations as detailed below.
Applicant’s further remarks are not persuasive for the reasons stated above.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13.
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer.
Claim 41 is rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1 of U.S. Patent No. 12,063,243 (formerly U.S. App. No. 16/941,878). Although the claims at issue are not identical, they are not patentably distinct from each other because the presently presented claims are a subset and therefore anticipated by the patented claims 1 in U.S. Pat. No. ‘243. While the statutory class of the claims might differ, such is not viewed as a distinction in scope and if so would be an obvious variant.
Presently presented claim
Patented claim of ‘243
41
1
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 21-41 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claim(s) recite(s) a mental process of reporting anomalous emails – a collecting information, analyzing information, and displaying certain results of the collection and analysis, MPEP 2106.III.A. This judicial exception is not integrated into a practical application because the combination of limitations claimed in independent claims 21, 33, and 41 do not (1) improve the functioning of a computer or technology, (2) implement the exception using a particular machine or manufacture, or (3) apply the judicial exception in a meaningful way beyond linking the use of the exception to a network environment. Rather the features individually and as a whole merely “apply it”, see MPEP 2106.04(d).I; see below. The claim(s) does/do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the combination of limitations claimed in independent claims 21, 33, and 41 do not (1) improve the functioning of a computer or technology, (2) implement the exception using a particular machine or manufacture, or (3) apply the judicial exception in a meaningful way beyond linking the use of the exception to a network environment. Rather the features individually and as a whole merely “apply it”, see MPEP 2106.04(d).I; see below.
In more detail, the limitations: “libraries of sets of prewritten text templates and, visual representations” are similar to human “worksheets” and “charts” or “graph paper” representations and are performable by a human with pen and paper. MPEP 2106.04(a)(1).III discussing mental processes.
The further additional elements:
Processing units
Non-transitory CRM,
Data store,
Cooperate/communicate with AI models,
amount to an “apply it” as they may all be performed on a generic computer. Additionally, the level of generality of these terms absent specific technical implementations implies that the claim is merely an instruction to “apply it” (the mental process) to a computer.
Note that cooperate or communicate with AI models does not require performance of the model itself and only communication with an entity external to the claim. Since communicating over a network is well-understood, routine, or conventional activity (MPEP 2106.05(d)) this action is not significantly more than the abstract idea itself.
As to dependent claims 22-32 and 34-40. Further limitations are presented in a generic manner without technical implementation requirements and either instruct a person on how to ‘think’ about the mental process or instruct the reader to “apply it” to a generic computer. Therefore, the dependent claims also do not present a practical application or significantly more than the abstract idea itself.
Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.
The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.
Claims 21-40 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.
Independent claims 21 and 33 now require: “a breach of the AI models”. Applicant’s specification does not disclose detecting or attacking an AI model. Although identical terminology is found in Applicant’s specification in ¶ 93, as filed; this appears to be a typographical error as it is out of context and unrelated to the surround disclosure or the specification as a whole.
Dependent claims 22-32 and 34-40 are rejected due to their dependence on claims 21 and 33, respectively.
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims interpreted as invoking 112(f)
Claims 21-40 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
In claims 21, 22, 24, 25, 28, 29, 33, 34, 36, 37, 39, 40;
(and the dependent claims due to their dependency on claims 21 and 33, respectively.)
Claim limitations:
“formatting module configured to format, present, and output the email threat report”
“gatherer module and the data store are configured to cooperate to store data points on an inbound email flow received over a period of time as well as one or more autonomous response actions performed by the autonomous response module on the inbound email flow”
“analyzer module is configured to cooperate with the one or more AI models trained with machine learning on a normal email pattern of life for entities in the email network to detect (1) anomalous email that is outside the normal pattern of life for an entity of the email network, or (2) suspicious email that exhibits traits suggesting a malicious intent in order to determine i) a purpose or ii) a targeted group of an email attack, and then cooperate with the autonomous email-report composer to populate in the email threat report associated with one or both of the purpose or the targeted group the email attack.”
“autonomous response module to remediate the email attack”
has been evaluated under the three-prong test set forth in MPEP § 2181, subsection I, but the result is inconclusive. Thus, it is unclear whether this limitation should be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because (a) the term “means” or generic placeholder is modified by a word, which is ambiguous regarding whether it conveys structure or function. Alternatively, it is unclear if the claim comprises sufficient structure to accomplish the asserted function.
The boundaries of this claim limitation are ambiguous; therefore, the claim is indefinite and is rejected under 35 U.S.C. 112(b) or pre-AIA 35 U.S.C. 112, second paragraph.
In response to this rejection, applicant must clarify whether this limitation should be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. Mere assertion regarding applicant’s intent to invoke or not invoke 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph is insufficient. Applicant may:
(a) Amend the claim to clearly invoke 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, by reciting “means” or a generic placeholder for means, or by reciting “step.” The “means,” generic placeholder, or “step” must be modified by functional language, and must not be modified by sufficient structure, material, or acts for performing the claimed function;
(b) Present a sufficient showing that 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, should apply because the claim limitation recites a function to be performed and does not recite sufficient structure, material, or acts to perform that function;
(c) Amend the claim to clearly avoid invoking 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, by deleting the function or by reciting sufficient structure, material or acts to perform the recited function; or
(d) Present a sufficient showing that 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, does not apply because the limitation does not recite a function or does recite a function along with sufficient structure, material or acts to perform that function.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 41 is/are rejected under 35 U.S.C. 103 as being unpatentable over Shenoy et al., US 2019/0098037 (priority date 2017-09), in view of Song et al., US 2015/0261745 (filed 2015-05), and Pourmohammad, US 2019/0095820 (priority dates in 2018).
As to claim 41, Shenoy discloses a method comprising:
configuring an autonomous email-report composer to cooperate with one or more Shenoy ¶ 27)
Artificial Intelligence (AI) models, (Shenoy ¶ 77) modules of an email protection system, (Shenoy ¶¶ 43, 83, 108, 110, 126, and 209), and visual (Shenoy ¶ 169)
configuring the autonomous email-report composer to cooperate with the one or more AI models (Shenoy ¶ 77) and a data store (Shenoy ¶ 106) to compose content in the email threat report (Shenoy ¶ 106) that comprises details on cyber threats including a summary on different types of cyber threats occurring (Shenoy ¶ 106) within an email network (Shenoy ¶¶ 43, 83, 108, 110, 126, and 209) during a period of time covered by the email threat report; and (any period of time presented in the report)
(Shenoy ¶ 106) along with a trend indicator that indicates whether one of the types of cyber threats has (Shenoy ¶¶ 161 and 238.)
Configuring the formatting module to communicate with the one or more AI models (Shenoy ¶ 77) to format and output the email threat report in a selected medium being part of a plurality of mediums available for selection by the formatting module. (“An alert can include information about a detected event such as, for example, an event identifier, a date, a time, a risk level, an event category, a user account and/or security controls associated with the event, a service associated with the event, a description of the event, a remediation type (e.g., manual or automatic), and/or an event status (e.g., open, closed) among other information.” Shenoy ¶ 168)
Shenoy does not disclose:
and a set of one or more libraries of sets of prewritten text … to populate on templates of pages in the email threat report, wherein each template comprises two or more sections, including (i) standard pre-written sentences written in a natural language prose and …
configuring the autonomous email-report composer to cooperate with the one or more libraries of sets of prewritten text templates and visual representations with i) one or more standard pre-written sentences written in a natural language prose derived from previously generated email threat reports or ii) one or more of the prewritten text templates with fillable blanks that are populated with data for …
increased, decreased, or remained constant during the period of time
Song discloses:
and a set of one or more libraries of sets of prewritten text … to populate on templates of pages in the email threat report, wherein each template comprises two or more sections, including (i) standard pre-written sentences written in a natural language prose and (“templates may be obtained from domain experts, template libraries, or from other suitable sources.” Song ¶ 178. “a template-based NLG system. A known template-based system creates a template where empty slots are replaced by specific information. For example, a template sentence may be “The temperature is <value>.” The <value> is the empty slot where specific temperature information may be replaced.” Song ¶ 6. See also Song ¶¶ 45, 58, 64, and 88 discussing template structure)
…
configuring the autonomous email-report composer to cooperate with the one or more libraries of sets of prewritten text templates and visual representations with i) one or more standard pre-written sentences written in a natural language prose derived from previously generated email threat reports or ii) one or more of the prewritten text templates with fillable blanks that are populated with data for (“templates may be obtained from domain experts, template libraries, or from other suitable sources.” Song ¶ 178. “a template-based NLG system. A known template-based system creates a template where empty slots are replaced by specific information. For example, a template sentence may be “The temperature is <value>.” The <value> is the empty slot where specific temperature information may be replaced.” Song ¶ 6. See also Song ¶¶ 91, 163-173)
Configuring the formatting module to communicate with the one or more AI models to format and output the email threat report in a selected medium being part of a plurality of mediums available for selection by the formatting module. (“These original templates are used to identify sentences that are syntactically similar to the original templates from a large corpus.” Song ¶ 178. “a set of matching templates is identified, via training module 142, from the one or more templates within a given conceptual unit.” Song ¶ 65)
A person of ordinary skill in the art before the effective filing date of the claimed invention would have combine Shenoy with Song by including the domain specific natural language template generation and use of Song in the reports of Shenoy. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Shenoy with Song in order to provide human perceptible reports using a domain adaptable natural language processor (Song ¶ 7), thereby increasing the ease of understanding and use of the provided reports.
Shenoy in view of Song does not explicitly disclose:
increased, decreased, or remained constant during the period of time,
Pourmohammad discloses a system for reporting on cybersecurity trends (¶¶ 318 and ):
Pourmohammad discloses:
increased, decreased, or remained constant during the period of time,
(“The monitoring client 128 can be configured to determine whether the risk score has risen and/or fallen over a predefined time period and can provide the risk card 2502 with an indication of the amount that the risk score has risen or fallen.” Pourmohammad ¶ 401, Pourmohammad Fig. 27. See numerical indication 2706 which can be constant. And Figs. 21, 22, and 31).
A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Shenoy in view of Song with the GUI displays of Pourmohammad by incorporating the noted trend displays of Pourmohammad. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Shenoy in view of Song with Pourmohammad in order to provide easy to review summaries of the trend risks of Shenoy in view of Song, thereby increasing ease of use and customer satisfaction with the system.
Claim(s) 21-29, 31, and 33-40 is/are rejected under 35 U.S.C. 103 as being unpatentable over Shenoy et al., US 2019/0098037 (priority date 2017-09), in view of Song et al., US 2015/0261745 (filed 2015-05), Pourmohammad, US 2019/0095820 (priority dates in 2018), and Anderson et al., US 2019/0251479 (filed 2/9/2018).
As to claims 21 and 33, Shenoy discloses a machine/CRM comprising:
one or more processing units; and
a non-transitory computer readable medium including information accessible by the one or more processing units, the information comprises (i) an autonomous email-report composer configured to cooperate (“one or more processing units (e.g., processors cores), hardware, or combinations thereof. The software may be stored in a memory (e.g., on a memory device, on a non-transitory computer-readable storage medium).” Shenoy ¶ 27) with one or more Artificial Intelligence (Al) models (“The learning system 178 can apply various machine learning algorithms to data collected by the security monitoring and control system 102. The information learned about the data can then be used, for example, by the data analysis system 136 to make determinations about user activities in using services provided by the service provider 110.” Shenoy ¶ 77)
and visual representations to populate on (“data in the analytics and threat intelligence repository 211 can further be used to generate reports that may be presented visually to a system administrator via a user interface and to generate analytics for determining threat levels, detecting specific threats, and predicting potential threats, among other things.” Shenoy ¶ 106)
templates of pages (“Categories of reports can include, for example, authentication and authorization, network and device, systems and change data” Shenoy ¶ 104) in an email threat report, (“individuals and organizations can subscribe to services provided by different service providers. For example, an organization can use an email service (e.g. Gmail from Google®) from one service provider” Shenoy ¶ 43. “blocking email messages or senders” Shenoy ¶ 108. “determine whether actions by users of the tenant 220 in using a service of the service provider 230 constitute a network threat.” Shenoy ¶ 83. See also Shenoy ¶¶ 110, 126, 168, and 209 discussing email threats reports and remediation results)
and (ii) a formatting module configured to format and output the email threat report in a selected medium from a plurality of mediums, (“An alert can include information about a detected event such as, for example, an event identifier, a date, a time, a risk level, an event category, a user account and/or security controls associated with the event, a service associated with the event, a description of the event, a remediation type (e.g., manual or automatic), and/or an event status (e.g., open, closed) among other information.” Shenoy ¶ 168)
wherein the autonomous email-report composer is configured, when executed by the one or more processing units, to compose the email threat report (Shenoy ¶¶ 43, 108, 110, 126, 209 discussing email threats and protections) that comprises details on cyber threats including a summary on different types of cyber threats occurring within an email network during a period of time covered by the email threat report, (“data in the analytics and threat intelligence repository 211 can further be used to generate reports that may be presented visually to a system administrator via a user interface and to generate analytics for determining threat levels, detecting specific threats, and predicting potential threats, among other things….” Shenoy ¶ 106)
(“data in the analytics and threat intelligence repository 211 can further be used to generate reports that may be presented visually to a system administrator via a user interface and to generate analytics for determining threat levels, detecting specific threats, and predicting potential threats, among other things….” Shenoy ¶ 106)
along with a trend indicator that indicates whether one of the types of cyber threats has (““big data” is generally used to refer to extremely large data sets that can be stored and manipulated by analysts and researchers to visualize large amounts of data, detect trends, and/or otherwise interact with the data. The analysis the cloud infrastructure system 1002 can perform may involve using, analyzing, and manipulating large data sets to detect and visualize various trends” Shenoy ¶¶ 161 and 238.)
wherein the formatting module and the autonomous email-report composer are configured to communicate with the one or more Al models (Shenoy ¶ 77. “the aggregation of activity information in the analytics and threat intelligence repository 211” Shenoy ¶ 106) (i) to compose content in the email threat report (Shenoy ¶ 106) and (ii) derive a normal pattern of life of entities in the network (“These may incorporate machine learning algorithms to generate threat models, such as, for example, deviations from base line expectations, rare and infrequent events, and behavior analytics to derive suspicious behavior of a user, among others.” Shenoy ¶ 162) so that a (“An alert can include information about a detected event such as, for example, an event identifier, a date, a time, a risk level, an event category, a user account and/or security controls associated with the event,” Shenoy ¶ 168)
Shenoy does not disclose:
and one or more libraries of sets of prewritten text templates
…
wherein the autonomous email-report composer is configured, when executed by the one or more processing units, to compose, without human user intervention, with the one or more libraries of sets of prewritten text templates and visual representations with i) one or more standard pre-written sentences written in a natural language prose derived from previously generated email threat reports or ii) one or more of the prewritten text templates with fillable blanks that are populated with data
…
increased, decreased, or remained constant during the period of time,
breach of the AI models
are used to map specific incidents into one of more of the fillable blanks.
Song discloses:
and one or more libraries of sets of prewritten text templates (“templates may be obtained from domain experts, template libraries, or from other suitable sources.” Song ¶ 178. “a template-based NLG system. A known template-based system creates a template where empty slots are replaced by specific information. For example, a template sentence may be “The temperature is <value>.” The <value> is the empty slot where specific temperature information may be replaced.” Song ¶ 6. See also Song ¶¶ 45, 58, 64, and 88 discussing template structure)
…
wherein the autonomous email-report composer is configured, when executed by the one or more processing units, to compose, without human user intervention, with the one or more libraries of sets of prewritten text templates and visual representations with i) one or more standard pre-written sentences written in a natural language prose derived from previously generated email threat reports or ii) one or more of the prewritten text templates with fillable blanks that are populated with data (“templates may be obtained from domain experts, template libraries, or from other suitable sources.” Song ¶ 178. “a template-based NLG system. A known template-based system creates a template where empty slots are replaced by specific information. For example, a template sentence may be “The temperature is <value>.” The <value> is the empty slot where specific temperature information may be replaced.” Song ¶ 6. See also Song ¶¶ 91, 163-173)
are used to map specific incidents into one of more of the fillable blanks. (Song ¶ 6. See also Song ¶¶ 91, 163-173, and 181-182)
A person of ordinary skill in the art before the effective filing date of the claimed invention would have combine Shenoy with Song by including the domain specific natural language template generation and use of Song in the reports of Shenoy. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Shenoy with Song in order to provide human perceptible reports using a domain adaptable natural language processor (Song ¶ 7), thereby increasing the ease of understanding and use of the provided reports.
Shenoy in view of Song does not explicitly disclose:
increased, decreased, or remained constant during the period of time,
breach of the AI models
Pourmohammad discloses a system for reporting on cybersecurity trends (¶¶ 318 and ):
Pourmohammad discloses:
increased, decreased, or remained constant during the period of time,
(“The monitoring client 128 can be configured to determine whether the risk score has risen and/or fallen over a predefined time period and can provide the risk card 2502 with an indication of the amount that the risk score has risen or fallen.” Pourmohammad ¶ 401, Pourmohammad Fig. 27. See numerical indication 2706 which can be constant. And Figs. 21, 22, and 31).
A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Shenoy in view of Song with the GUI displays of Pourmohammad by incorporating the noted trend displays of Pourmohammad. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Shenoy in view of Song with Pourmohammad in order to provide easy to review summaries of the trend risks of Shenoy in view of Song, thereby increasing ease of use and customer satisfaction with the system.
Shenoy in view of Song and Pourmohammad does not disclose detecting the AI models being compromised, as claimed:
so that a breach of the AI models
Anderson discloses detecting AI model poisoning, see Anderson figures 8 and 9 along with associated disclosure.
A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Shenoy in view of Song and Pourmohammad with Anderson by detecting malicious poisoning data and preventing compromise of the AI models as described in Anderson. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Shenoy in view of Song and Pourmohammad with Anderson in order to identify and prvent threats to the AI models as well as obtain threat intelligence of possible threat actors, Anderson ¶¶ 17 and 18.
As to claims 22 and 34, Shenoy in view of Song and Pourmohammad discloses the machine/CRM of claims 21 and 33 and further discloses:
a formatting module configured to format, present, and output the email threat report, from a first template of a plurality of report templates, that is outputted for the selected medium being one of the plurality of mediums including (1) a printable report, (2) presented digitally on a user interface on a display screen, or (3) in a machine readable format for further use in machine-learning reinforcement and refinement. (“The template with the highest overall score is selected and filled with matching entity tags (also known as one or more input pieces) from the input data and appended to the generated text…. keep the entity for one or more additional sentence generations.” See Song ¶¶ 163-173 discussing “one or more automated natural language sentences.”)
As to claims 23 and 35, Shenoy in view of Song and Pourmohammad discloses the machine/CRM of claims 21 and 33 and further discloses:
wherein a template of the templates of pages in the email threat report comprises two or more sections, including i) standard pre-written sentences written in the natural language prose and (Song ¶ 6. See also Song ¶¶ 163-173. “threat intelligence repository 211 can be used to generate a variety of reports. Categories of reports can include, for example, authentication and authorization, network and device, systems and change data, resource access and availability, malware activity, and failures and critical errors, among others.” Shenoy ¶ 104. “reports include analytics generated on the data.” Shenoy ¶ 105) ii) one or more of the visual representations. (“data in the analytics and threat intelligence repository 211 can further be used to generate reports that may be presented visually to a system administrator via a user interface and to generate analytics for determining threat levels, detecting specific threats, and predicting potential threats, among other things.” Shenoy ¶ 106. Also Shenoy ¶¶ 161-169, various report ‘sections’.)
As to claims 24 and 36, Shenoy in view of Song and Pourmohammad discloses the machine/CRM of claims 21 and 33 and further discloses:
wherein the email protection system further comprises a gatherer module, an autonomous response module, an analyzer module, and the data store to cooperate with the autonomous email-report composer, wherein the gatherer module and the data store are configured to cooperate to store data points on an inbound email flow received over a period of time (“the data loader application 206 can store retrieved activity data in the analytics and threat intelligence repository 211.” Shenoy ¶ 102) as well as one or more autonomous response actions performed by the autonomous response module on the inbound email flow, wherein the analyzer module is configured to cooperate with the one or more AI models trained with machine learning on a normal (“These may incorporate machine learning algorithms to generate threat models, such as, for example, deviations from base line expectations, rare and infrequent events, and behavior analytics to derive suspicious behavior of a user, among others.” Shenoy ¶ 162) email pattern of life for entities in the email network to detect (1) anomalous email (“individuals and organizations can subscribe to services provided by different service providers. For example, an organization can use an email service (e.g. Gmail from Google®) from one service provider” Shenoy ¶ 43. “blocking email messages or senders” Shenoy ¶ 108. “determine whether actions by users of the tenant 220 in using a service of the service provider 230 constitute a network threat.” Shenoy ¶ 83) that is outside the normal pattern of life for an entity of the email network, (Shenoy ¶ 162) or (2) suspicious email that exhibits traits suggesting a malicious intent in order to determine i) a purpose or ii) a targeted group of an email attack, and then cooperate with the autonomous email-report composer to populate in the email threat report associated with one or both of the purpose or the targeted group the email attack. (“An alert can include information about a detected event such as, for example, an event identifier, a date, a time, a risk level, an event category, a user account and/or security controls associated with the event, a service associated with the event, a description of the event, a remediation type (e.g., manual or automatic), and/or an event status (e.g., open, closed) among other information.” Shenoy ¶ 168. See also Shenoy ¶ 161)
As to claims 25 and 37, Shenoy in view of Song and Pourmohammad discloses the machine/CRM of claims 24 and 36 and further discloses:
wherein the analyzer module and the autonomous email-report composer are configured to cooperate with the data store to identify and supply a list of users in the email network that are at a most risk from emails over the period of time, wherein the autonomous email-report composer is configured to cooperate with the analyzer module, the one or more libraries of templates, and the one or more AI models to compose at least a page in the current email threat report (“An alert can include information about a detected event such as, for example, an event identifier, a date, a time, a risk level, an event category, a user account and/or security controls associated with the event, a service associated with the event, a description of the event, a remediation type (e.g., manual or automatic), and/or an event status (e.g., open, closed) among other information.” Shenoy ¶ 168. See also Shenoy ¶ 161) to represent the most at-risk users. (“Examples of reports that can be generated include, for example, login statistics (e.g., users with the most failed logins, IP address-based login history including consideration of IP reputation, geolocation, and other factors), user statistics (e.g., users with the most resources [files, EC2 machines, etc.]” Shenoy ¶ 161. “the threat detection engine 302 can compute a risk score for a user, a group or category of users, a service, and/or a service provider. A risk score can indicate a degree of security risk.” Shenoy ¶ 154)
As to claims 26 and 38, Shenoy in view of Song and Pourmohammad discloses the machine/CRM of claims 21 and 33 and further discloses:
wherein the autonomous email-report composer is configured to cooperate with an AI model of the one or more AI models trained (“These may incorporate machine learning algorithms to generate threat models, such as, for example, deviations from base line expectations, rare and infrequent events, and behavior analytics to derive suspicious behavior of a user, among others.” Shenoy ¶ 162) on composing threat reports to compose the email threat report (Shenoy ¶ 168. See also Shenoy ¶ 161) in the human-readable format with the natural language prose, (“In step 226, a set of natural language text is generated via ranking module 143 and stored in content database 124. The generation of natural language text includes inserting a set of information associated with a record into the first statistically generated template.” Song ¶ 88) terminology, (“the systems and method of the present invention were used to illustrate semantic term extraction and domain tagging application for clustering purposes to create templates” Song ¶ 91) and a prescribed level of detail on the cyber threats aimed at a selected target audience. (the details of Shenoy in view of Song being the prescribed level.)
As to claim 27, Shenoy in view of Song and Pourmohammad discloses the machine/CRM of claims 21 and 33 and further discloses:
wherein the autonomous email-report composer (Shenoy ¶¶ 161, 168) is configured to cooperate with the library of templates, wherein the first template (“In step 226, a set of natural language text is generated via ranking module 143 and stored in content database 124. The generation of natural language text includes inserting a set of information associated with a record into the first statistically generated template.” Song ¶ 88) for the email threat report comprises two or more sections, (“templates may be obtained from domain experts, template libraries, or from other suitable sources.” Song ¶ 178. “a template-based NLG system. A known template-based system creates a template where empty slots are replaced by specific information. For example, a template sentence may be “The temperature is <value>.” The <value> is the empty slot where specific temperature information may be replaced.” Song ¶ 6) each section spans one or more pages in the email threat report, (“Categories of reports can include, for example, authentication and authorization, network and device, systems and change data, resource access and availability, malware activity, and failures and critical errors, among others.” Shenoy ¶ 104) each section includes its own set of (i) standard pre-written sentences written in the natural language prose in the one or more prewritten text templates, (Song ¶¶ 45, 58, and 64) (ii) visual representations, (Shenoy ¶ 106. Also Shenoy ¶ 169)and (iii) any combination of these, that are presented in each of those sections making up the email threat report. (Shenoy ¶ 106)
As to claims 28 and 39, Shenoy in view of Song and Pourmohammad discloses the machine/CRM of claims 21 and 33 and further discloses:
wherein the autonomous email-report composer is configured to cooperate with the data store and an autonomous response module to collect data points (“the security monitoring and control system 102 can include a learning system 178. The learning system 178 can apply various machine learning algorithms to data collected by the security monitoring and control system 102…, the learning system 178 can generate models that capture patterns that the learning system 178 has learned, which can be stored in the storage 122 along with other data for an organization.” Shenoy ¶ 77) and compose an information needed to populate one or more pages for an analysis of one or more specific autonomous response actions taken by the autonomous response module. (“an incident remediation application 213 can be used to coordinate and/or perform remediation actions in response to detected threats…. In some examples, the incident remediation application 213 can be used to store the results of a manual or automated remediation action… the incident remediation application 213 can track the status of the remediation action and whether the remediation action is complete.” Shenoy ¶ 111. “The graphical user interface can further provide reports of security events and suggest remediation actions, and/or report on the outcome of remediation actions that the security management and control system 102 automatically performs.” Shenoy ¶ 80)
As to claims 29 and 40, Shenoy in view of Song and Pourmohammad discloses the machine/CRM of claims 24 and 33 and further discloses:
wherein the autonomous email-report composer is configured to cooperate with an autonomous action module, the data store, and an AI model of the one or more AI models on cyber threats to list actionable actions to take in light of the cyber threats, and then to populate suggested actionable actions to take into the email threat report (“The graphical user interface can further provide reports of security events and suggest remediation actions, and/or report on the outcome of remediation actions that the security management and control system 102 automatically performs.” Shenoy ¶ 80) as well as generate a detailed explanation into one or more email incidents for a write up including details about at least a targeted user of an email attack, (“For example, using the analytics visualization console 216, the tenant 220 can view reports of security incidents involving the tenant's users and a service to which the tenant 220 is subscribing.” Shenoy ¶ 85. “Detection may involve evaluating the velocity of failed login attempts and patterns in event activities to predict a brute force attack.” Shenoy ¶ 115, the events including suspected attacks.) one or more autonomous actions taken by the autonomous response module to remediate the email attack, and a textual discussion on incident triage with details of a resolution taken. (“The graphical user interface can further provide reports of security events and suggest remediation actions, and/or report on the outcome of remediation actions that the security management and control system 102 automatically performs.” Shenoy ¶ 80).
As to claim 31, Shenoy in view of Song and Pourmohammad discloses the machine/CRM of claims 24 and 33 and further discloses:
wherein the autonomous email-report composer is configured to cooperate with the data store to represent complex metrics in a visually engaging way with the visual representations including (i) graphs (ii) contact links to a user, (iii) pie charts, (iv) bar charts, (v) bubbles, and (vi) any combination of these in one or more sections of the current email-threat report (“counts of events in different event categories over time can be provided as a graphical visualization, such as a chart. The chart may display, for example, a count of events by date in each of the color coded categories such as activities at an unusual time” Shenoy ¶ 169) while also providing a textual analysis. (“the recommendation engine 308 can raise alerts 322, make recommendations 324, automatically perform actions 326, and provide visualizations 328 that an organization can use to understand the organization's use of a cloud service,” Shenoy ¶ 166).
Claim(s) 30 and 32, is/are rejected under 35 U.S.C. 103 as being unpatentable over Shenoy et al., US 2019/0098037 (priority date 2017-09), in view of Song et al., US 2015/0261745 (filed 2015-05), Pourmohammad, US 2019/0095820 (priority dates in 2018), Anderson et al., US 2019/0251479 (filed 2/9/2018), and Muddu et al., US 2017/0063910 (filed 2015-10).
As to claim 30, Shenoy in view of Song, Pourmohammad, and Anderson discloses the machine/CRM of claims 21 and 33 and further discloses:
wherein the autonomous email-report composer is configured to cooperate with the one or more AI models trained with machine learning on a normal email pattern of life for entities (“These may incorporate machine learning algorithms to generate threat models, such as, for example, deviations from base line expectations, rare and infrequent events, and behavior analytics to derive suspicious behavior of a user, among others.” Shenoy ¶ 162) in the email network (Shenoy ¶¶ 43 and 108) in order to draw links between email incidents to identify trends (Shenoy ¶¶ 161 and 238).
Shenoy in view of Song and Pourmohammad and Anderson does not disclose:
between (i) current users affected by the email incidents and (ii) other users with a high similarity to the current users affected, wherein the autonomous email-report composer is then configured to generate a write up on the links between the current users affected by the email incidents and the highly similar users.
Muddu discloses:
between (i) current users affected by the email incidents and (ii) other users with a high similarity to the current users affected, (“a user profile box 4720 indicating, for example, the user's HR (human resources) status, Department in the organization (e.g., “Sales”), email address, login ID, Phone number, Address, and AD groups. The profile box may also include information concerning Similar Users,” Muddu ¶ 498. See Muddu Fig. 45A showing multiple user’s associated to a single threat.) wherein the autonomous email-report composer is then configured to generate a write up on the links between the current users affected by the email incidents and the highly similar users. (see Muddu Fig. 45A, 45E, 47D)
A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Shenoy in view of Song and Pourmohammad and Anderson with Muddu by including a diagram or textual description of related user’s to a threat. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Shenoy in view of Song and Pourmohammad with Muddu in order to provide readers of the report with information related to events so that all relevant entities/users are known to the reader for better understanding of the relationships between the entities, Muddu ¶ 439.
As to claim 32, Shenoy in view of Song, Pourmohammad, and Anderson discloses the machine/CRM of claims 21 and 33 and further discloses:
wherein the autonomous email-report composer is configured to cooperate with the user interface to make the email threat report (“These may incorporate machine learning algorithms to generate threat models, such as, for example, deviations from base line expectations, rare and infrequent events, and behavior analytics to derive suspicious behavior of a user, among others.” Shenoy ¶ 162. See also Shenoy ¶¶ 43 and 108)
Shenoy in view of Song, Pourmohammad, and Anderson does not disclose:
customizable for an end user to select what sections of the current email-threat report they want to appear in a presented and outputted email-threat report.
Muddu discloses:
customizable for an end user to select what sections of the current email-threat report they want to appear in a presented and outputted email-threat report.
(“In the described GUI, graphs, timelines, maps, charts, lists and other visualization features are generated to illustrate trends, recent activity, and relationships between different data. The GUI can provide views that are automatically configured via default settings, or the GUI can enable a user to customize a view, for example, to filter out data points that are less critical, distracting, or unnecessary, to zoom in and out, or re-format the view (e.g., from a line chart to a bar chart).” Muddu ¶ 439).
A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Shenoy in view of Song, Pourmohammad, and Anderson with Muddu by including a diagram or textual description of related user’s to a threat. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Shenoy in view of Song and Pourmohammad with Muddu in order to provide readers of the report with information related to events so that all relevant entities/users are known to the reader for better understanding of the relationships between the entities, Muddu ¶ 439.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892, particularly:
Crabtree et al., US 12,500,920, disclosing a method for cybersecurity threat analysis using federated machine learning.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL W CHAO whose telephone number is (571)272-5165. The examiner can normally be reached M, W-F 8-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Rupal Dharia can be reached at (571) 272-3880. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MICHAEL W CHAO/ Primary Examiner, Art Unit 2492