DETAILED ACTION
This Office Action is in response to the application 19/186,179 filed on 04/22/2025.
Claims 1-17 have been examined and are pending.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . This Action is made Non-FINAL.
Priority
This application claims the benefit of United States Provisional Patent Application No. 63/638,561, filed on April 25, 2024.
Claim Objections
Claims 2-3 are objected to because of the following informalities:
Claims 2-3 are objected to as the acronym “URL” is recited without spelling out in full at its first occurrence in the claim. Appropriate correction is required.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-17 are rejected under 35 U.S.C 101 as being directed to an abstract idea without being integrated into a practical application or being significantly more.
Regarding claims 1, 16 and 17, the claims recite the limitations “determining a pattern,” “determining .. that share the pattern,” “determining a number of…features.” Broadly interpreted, the aforementioned steps are directed to mental processes as said steps could be performed in the human mind. Therefore, the claims recite an abstract idea.
Said abstract idea and/or judicial exception is not integrated into a practical application as the claim does not recite any other active steps that could be considered that the abstract idea is being integrated into a practical application. However, said steps are not sufficient to consider that the abstract idea is being interpreted into a practical application as the steps are recited at a high level of generality in gathering/processing/storing information, which are a form of insignificant extra-solution activity.
It’s also noted that the claims recite additional limitation/elements (i.e., “processor,” “non-transitory computer-readable medium,” etc.). However, said additional elements are recited at a high-level of generality (i.e., as a generic computing device in a generic network and performing generic computing functions/workflows) such that it amounts no more than mere instructions to apply the exception or abstract idea using generic computer components. Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea.
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. It is noted that the claim recites some additional elements such as “emails” and “determining…emails belong to…phishing.” However, these additional elements, taken individually and as a combination, do not result in the claim amounting to significantly more than the abstract idea because “emails” and “determining…emails belong to…phishing” in a network is recited as performing generic computer functions routinely used in information processing and anomaly detection (Abbasi et al, US 20240333761, filed Mar 27, 2023, at [0003]. Cybercriminals gain access to corporate user mailbox credentials using various means such as, for example, obtaining compromised credentials from online dumps, purchasing compromised credentials from dark web marketplaces, targeting corporate users with operating system software suite (e.g., Microsoft® 365) credential phishing, attempting password cracking on corporate user business operating system software suite accounts, targeting corporate users with malware to steal their credentials, etc. Threat actors leverage these compromised corporate accounts to further send email lures like phishing, scam, BEC, malware, etc., both internally within an organization and externally to partners of the organization and other targets to further extend their sphere of influence.). Generic computer components recited as performing generic computer functions that are well-understood, routine, and conventional activities amounts to no more than implementing the abstract idea with a computerized system. Therefore, the claim is directed to non-statutory subject matter.
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to the integration of abstract idea into a practical application, the additional element of “emails” and “determining…emails belong to…phishing” amounts to no more than mere instructions to apply the exception using a generic computer component. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. Therefore, these claims are not patent eligible.
Regarding claims 2-15, claims 2-15 are also rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter for the same reasons addressed above as the claims recite an abstract idea and the claims do not positively recite any other operations that could be considered as the abstract idea is being integrated into a practical application or significantly more. It’s noted that claim 2 recites the limitations: “pattern is determined in the dataset,” claim 3 recites “plurality of data fields for which the number of unique features is determined…,” claim 4 recites “evaluating a similarity,” claim 5 recites “computing a harmonic mean,” claim 6 recites “determining that the cluster of emails is a valid cluster…[based on] a threshold number…,” claim 7 recites “replacing numbers…” claim 8 recites “tokenizing data,” claim 10 recites “generating nodes,…scoring nodes… determining the pattern…” etc. Said steps are either directed to mental processes and/or in a form of insignificant extra-solution activities; The aforementioned steps are not sufficient to consider that the abstract idea is being integrated into a practical application or significantly more.
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements when considered both individually and as an ordered combination do not amount to significantly more than the abstract idea. As mentioned above, although the claims recite additional elements, said elements taken individually or as a combination, do not result in the claim amounting to significantly more than the abstract idea because as the additional elements perform generic computer content distributing functions routinely used in information technology field. Therefore, these claims are directed to non-statutory subject matter.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically discloses as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-4, 12-17 are rejected under 35 U.S.C. 103 as being unpatentable over Haworth et al. (“Haworth,” US 20230224327, published July 13, 2023) in view of Burgis et al. (“Burgis,” US 20220116415, published April 14, 2022).
Regarding claim 1, Haworth discloses
A method of detecting phishing campaigns, comprising (Haworth [0030]. The cyber-threat analyst module 125 is configured to detect cyber threats and conduct hypotheses about potential threats and conduct investigations to prove or disprove a hypothesis of a possible cyber threat attack. Each hypothesis of typical cyber threats, e.g. human user insider attack/inappropriate network and/or phishing emails, malicious software/malware attack, etc., can have various supporting points of data and other metrics associated with that possible cyber threat, and a machine learning algorithm will look at the relevant points of data to support or refute that particular hypothesis of what the suspicious activity and/or abnormal behavior related for each hypothesis on what the suspicious activity and/or abnormal behavior relates to.):
determining a pattern in a dataset of inbound emails, the pattern comprising a constant component and a variable component (Haworth FIG. 2A, [0071], [0075], [0077], [0079], [0152]. FIG. 2A shows multiple example comparisons and decisions/output results made at each stage by the machine learning for determining a nature of an email. Thus, in general the addr-spec field indicates, for example, a sender of an email message. Every email address consists of 3 elements: a local-part, @ symbol (pronounced as “at”), and a domain name. The local-part (e.g. locally interpreted string) is placed before the @ symbol, and the domain name is placed after the @ symbol. For example, a human display-name of “John Smith” from the example email address “dfigbhrep8gyrgri@gmail.com” of an email. Some complete mismatches will be straightforward to identify, e.g., a human display-name of “John Smith” from the example email address “dfigbhrep8gyrgri@gmail.com. Some nexuses will be straightforward to identify, e.g., “john smith john.smith@gmail.com”. Others, such as “smith, john william—company president jwsmitty8955@gmail.com”, require careful consideration of both fields in order to determine whether or not it is reasonable to say that nexus exists such that the display-name matches the addr-spec. FIG. 4 illustrates a block diagram of an embodiment of the cyber security appliance referencing one or more machine learning models trained on gaining an understanding of a plurality of characteristics on an email itself and its related data including classifying the properties of the email and its metadata.);
determining a cluster of emails that share the pattern among the inbound emails (Haworth [0047], [0099]. The email campaign detector 130 can use machine learning to cluster similar emails deemed malicious. The email campaign detector 130 has 1) an email similarity classifier 140 configured to analyze a group of emails, under analysis, in order to cluster emails with similar characteristics in the group of emails. The email campaign detector 130 has 2) a targeted campaign classifier 150 configured to i) analyze the clustered emails with similar characteristics to check whether the clustered emails with similar characteristics are a) coming from a same threat actor b) going to a same intended recipient, and c) any combination of both. The targeted campaign classifier 150 will also verify whether the clustered emails with similar characteristics are deemed malicious. An email campaign detector 130 working in a corporate environment is configured to cluster inbound emails that have similar indices/metrics as well as from a same source. The email similarity classifier 140 can be configured to analyze the group of emails based on a set of multiple similar indices for the clustered emails with similar characteristics.);
determining a number of [unique] features for a plurality of data fields among the cluster of emails (Haworth [0105]. The email campaign detector 130 tracks a wide range of indices that include three or more indices such as the from header, the subject line, the URLs, the attachments in the emails, the links in the emails, the length and format of the body of the email, etc. When an email arrives, the email similarity classifier 140 checks these indices for similarities to other recent emails—adding the email to an existing cluster or forming a new cluster if it considers the email similar to another email that does not already belong to a cluster. Thus, all these email addresses, all these links, all these subject lines, etc., and they can all be very different, and yet the email similarity classifier 140 can have the confidence to say it still constitutes a single campaign because it saw enough similarities in the composite set of tracked indices. The email similarity classifier 140 saw these different characteristics change one by one, but always maintaining some similarity to the entire [malicious] campaign.).
Haworth does not explicitly disclose: determining whether the cluster of emails belong to a phishing campaign based on an evaluation of the number of unique features.
However, in an analogous art, Burgis discloses a method, comprising the step of: determining whether the cluster of emails belong to a phishing campaign based on an evaluation of the number of unique features (Burgis [0028], [0087]. The analysis system may classify a customer input into one or more fraud categories based on matching the customer input to one or more known (or stored) fraud patterns. The analysis system may also identify new fraud campaigns not yet known. In some embodiments, the analysis system may detect common victim patterns in user accounts that have been exposed to fraud. Based on the detected patterns, the analysis system may invoke risk rules to prevent fraudulent activities associated with the user account. For example, the analysis system may detect that a customer input is associated with a phishing scheme. In some aspects, each of the second clusters corresponds to a unique pattern of activity associated with the particular type of activity in the first actionable insight category. In some implementations, the second pass fraud detection module 270 may utilize the cluster engine 286 to generate the second clusters. The second pass fraud detection module 270 may determine whether the unique pattern of activity includes the one or more anomalies for the particular type of activity. In some aspects, the second pass fraud detection module 270 determines that the particular type of activity represents malicious activity when the unique pattern of activity is determined to include the one or more anomalies.).
Therefore, it would have been obvious to one of ordinary skill in the art on or before the effective filing date of the claimed invention to combine the teachings of Burgis and Haworth to include the step of: determining whether the cluster of emails belong to a phishing campaign based on an evaluation of the number of unique features. One would have been motivated to provide users with a means for detecting a set of phishing messages based on detection of unique characteristics associated with a cluster of emails. (See Burgis [0028].)
Regarding claim 2, Haworth and Burgis disclose the method of claim 1.
Haworth further discloses: wherein the pattern is determined in the dataset that is one of: attachment names, subject lines, and URLs of the inbound emails (Haworth [0105]. The email campaign detector 130 tracks a wide range of indices that include three or more indices such as the from header, the subject line, the URLs, the attachments in the emails, the links in the emails, the length and format of the body of the email, etc. When an email arrives, the email similarity classifier 140 checks these indices for similarities to other recent emails—adding the email to an existing cluster or forming a new cluster if it considers the email similar to another email that does not already belong to a cluster. Thus, all these email addresses, all these links, all these subject lines, etc., and they can all be very different, and yet the email similarity classifier 140 can have the confidence to say it still constitutes a single campaign because it saw enough similarities in the composite set of tracked indices. The email similarity classifier 140 saw these different characteristics change one by one, but always maintaining some similarity to the entire [malicious] campaign.).
Regarding claim 3, Haworth and Burgis disclose the method of claim 1. Haworth further discloses wherein the plurality of data fields for which the number of [unique] features is determined comprise two or more of: sender address, recipient address, attachment names, subject lines, URLs, and email times, and includes a data field corresponding to the dataset comprising the pattern (Haworth [0105], [0148]. The email campaign detector 130 tracks a wide range of indices that include three or more indices such as the from header, the subject line, the URLs, the attachments in the emails, the links in the emails, the length and format of the body of the email, etc. When an email arrives, the email similarity classifier 140 checks these indices for similarities to other recent emails—adding the email to an existing cluster or forming a new cluster if it considers the email similar to another email that does not already belong to a cluster. Thus, all these email addresses, all these links, all these subject lines, etc., and they can all be very different, and yet the email similarity classifier 140 can have the confidence to say it still constitutes a single campaign because it saw enough similarities in the composite set of tracked indices. The email similarity classifier 140 saw these different characteristics change one by one, but always maintaining some similarity to the entire [malicious] campaign. The user interface displays an example email that when undergoing analysis exhibits characteristics, such as header, address, subject line, sender, recipient, domain, etc. and/or behavior that are not statistically consistent with the normal email activity for this user in this email domain.).
Burgis further discloses unique features (Burgis [0087]. The analysis system may classify a customer input into one or more fraud categories based on matching the customer input to one or more known (or stored) fraud patterns. The analysis system may also identify new fraud campaigns not yet known. In some embodiments, the analysis system may detect common victim patterns in user accounts that have been exposed to fraud. Based on the detected patterns, the analysis system may invoke risk rules to prevent fraudulent activities associated with the user account. For example, the analysis system may detect that a customer input is associated with a phishing scheme. In some aspects, each of the second clusters corresponds to a unique pattern of activity associated with the particular type of activity in the first actionable insight category. In some implementations, the second pass fraud detection module 270 may utilize the cluster engine 286 to generate the second clusters. The second pass fraud detection module 270 may determine whether the unique pattern of activity includes the one or more anomalies for the particular type of activity. In some aspects, the second pass fraud detection module 270 determines that the particular type of activity represents malicious activity when the unique pattern of activity is determined to include the one or more anomalies.).
The motivation is the same as that of claim 1 above.
Regarding claim 4, Haworth and Burgis disclose the method of claim 1. Haworth further discloses wherein the evaluation of the number of [unique] features comprises evaluating a similarity between the number of unique features for each of the plurality of data fields (Haworth [0105], [0148]. The email campaign detector 130 tracks a wide range of indices that include three or more indices such as the from header, the subject line, the URLs, the attachments in the emails, the links in the emails, the length and format of the body of the email, etc. When an email arrives, the email similarity classifier 140 checks these indices for similarities to other recent emails—adding the email to an existing cluster or forming a new cluster if it considers the email similar to another email that does not already belong to a cluster. Thus, all these email addresses, all these links, all these subject lines, etc., and they can all be very different, and yet the email similarity classifier 140 can have the confidence to say it still constitutes a single campaign because it saw enough similarities in the composite set of tracked indices. The email similarity classifier 140 saw these different characteristics change one by one, but always maintaining some similarity to the entire [malicious] campaign. The user interface displays an example email that when undergoing analysis exhibits characteristics, such as header, address, subject line, sender, recipient, domain, etc. and/or behavior that are not statistically consistent with the normal email activity for this user in this email domain.).
Burgis further discloses unique features (Burgis [0087]. The analysis system may classify a customer input into one or more fraud categories based on matching the customer input to one or more known (or stored) fraud patterns. The analysis system may also identify new fraud campaigns not yet known. In some embodiments, the analysis system may detect common victim patterns in user accounts that have been exposed to fraud. Based on the detected patterns, the analysis system may invoke risk rules to prevent fraudulent activities associated with the user account. For example, the analysis system may detect that a customer input is associated with a phishing scheme. In some aspects, each of the second clusters corresponds to a unique pattern of activity associated with the particular type of activity in the first actionable insight category. In some implementations, the second pass fraud detection module 270 may utilize the cluster engine 286 to generate the second clusters. The second pass fraud detection module 270 may determine whether the unique pattern of activity includes the one or more anomalies for the particular type of activity. In some aspects, the second pass fraud detection module 270 determines that the particular type of activity represents malicious activity when the unique pattern of activity is determined to include the one or more anomalies.).
The motivation is the same as that of claim 1 above.
Regarding claim 12, Haworth and Burgis disclose the method of claim 1. Haworth further discloses wherein the inbound emails are received over a preceding predetermined amount of time (Haworth [0049], [0056]. The targeted campaign classifier 150 can determine a likelihood that two or more highly similar emails would be i) sent from or ii) received by a collection of users in the email domain under analysis in the same communication or in multiple communications within a substantially simultaneous time period. The email campaign detector 130 examines both the longer time frame as well as individual time periods within that longer time frame. The example time frame may be 8 hours and selected example shorter time periods within that 8 hour time frame may be, for example, over 20 minutes, 30 minutes, 60 minutes to look at both the normal rates of autonomous response to detected bad emails and the level of severity of the responses to the emails.).
Regarding claim 13, Haworth and Burgis disclose the method of claim 1. Haworth further discloses further comprising determining whether the cluster of emails belong to the phishing campaign based on an email frequency and/or email seasonality of the emails in the cluster of emails (Haworth [0030], [0049]. Each hypothesis of typical cyber threats, e.g. human user insider attack/inappropriate network and/or phishing emails, malicious software/malware attack, etc., can have various supporting points of data and other metrics associated with that possible cyber threat, and a machine learning algorithm will look at the relevant points of data to support or refute that particular hypothesis of what the suspicious activity and/or abnormal behavior related for each hypothesis on what the suspicious activity and/or abnormal behavior relates to. The targeted campaign classifier 150 can determine a likelihood that two or more highly similar emails would be i) sent from or ii) received by a collection of users in the email domain under analysis in the same communication or in multiple communications within a substantially simultaneous time period.).
Regarding claim 14, Haworth and Burgis disclose the method of claim 1. Haworth further discloses one or more of flagging, blocking, and quarantining the emails in the cluster of emails when it is determined that the cluster of emails belongs to the phishing campaign (Haworth [0030], [0202]. Each hypothesis of typical cyber threats, e.g. human user insider attack/inappropriate network and/or phishing emails, malicious software/malware attack, etc., can have various supporting points of data and other metrics associated with that possible cyber threat, and a machine learning algorithm will look at the relevant points of data to support or refute that particular hypothesis of what the suspicious activity and/or abnormal behavior related for each hypothesis on what the suspicious activity and/or abnormal behavior relates to. Junk action: The autonomous response module 135 will ensure the email classified as junk or other malicious email is diverted to the recipient's junk folder, or other nominated destination such as ‘quarantine’.).
Regarding claim 15, Haworth and Burgis disclose the method of claim 1. Haworth further discloses when it is determined that the cluster of emails belongs to the phishing campaign, analyzing subsequent inbound emails for the pattern in the dataset, and performing one or more of flagging, blocking, and quarantining the subsequent inbound emails having the pattern in the dataset (Haworth [0030], [0202]. Each hypothesis of typical cyber threats, e.g. human user insider attack/inappropriate network and/or phishing emails, malicious software/malware attack, etc., can have various supporting points of data and other metrics associated with that possible cyber threat, and a machine learning algorithm will look at the relevant points of data to support or refute that particular hypothesis of what the suspicious activity and/or abnormal behavior related for each hypothesis on what the suspicious activity and/or abnormal behavior relates to. Junk action: The autonomous response module 135 will ensure the email classified as junk or other malicious email is diverted to the recipient's junk folder, or other nominated destination such as ‘quarantine’.).
Regarding claim 16, claim 16 is directed to a system corresponding to the method of claim 1. Claim 16 is similar to claim 1 and is therefore rejected under similar rationale.
Regarding claim 17, claim 17 is directed to a non-transitory computer readable medium corresponding to the method of claim 1. Claim 17 is similar to claim 1 and is therefore rejected under similar rationale.
Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Haworth et al. (“Haworth,” US 20230224327, published July 13, 2023) in view of Burgis et al. (“Burgis,” US 20220116415, published April 14, 2022) and Ahn (“Ahn,” US 20080184369, published July 31, 2008).
Regarding claim 5, Haworth and Burgis disclose the method of claim 4. Haworth and Burgis do not explicitly disclose: wherein the similarity is evaluated by computing a harmonic mean of the number of unique features for each of the plurality of data fields.
However, in an analogous art, Ahn discloses a method, comprising the step of:
wherein the similarity is evaluated by computing a harmonic mean of the number of unique features for each of the plurality of data fields (Ahn [0055]-[0056], [0062]. A similarity value denotes a difference or similarity of two predetermined features. Specifically, calculating a similarity value numerically expresses the difference or similarity of the two features, and denotes the difference or similarity of the two features in which the calculated similarity value is numerically expressed. A similarity value may be calculated using an Euclidean distance method, a Harmonic means method. The intrusion code determination unit 130 extracts features from the collected data, calculates a similarity value of the extracted features and features of the immune database 140, and determines the data as an intrusion code when the calculated similarity value is greater than a predetermined threshold value.).
Therefore, it would have been obvious to one of ordinary skill in the art on or before the effective filing date of the claimed invention to combine the teachings of Ahn, Haworth and Burgis to include the step of: wherein the similarity is evaluated by computing a harmonic mean of the number of unique features for each of the plurality of data fields. One would have been motivated to provide users with a means for detecting intrusion or possible malicious codes through calculating a threshold similarity value with the harmonic mean method. (See Ahn [0062].)
Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Haworth et al. (“Haworth,” US 20230224327, published July 13, 2023) in view of Burgis et al. (“Burgis,” US 20220116415, published April 14, 2022) and Chayes et al. (“Chayes,” US 20040267686, published Dec. 30, 2004).
Regarding claim 6, Haworth and Burgis disclose the method of claim 1. Haworth and Burgis do not explicitly disclose: further comprising determining that the cluster of emails is a valid cluster when a number of emails in the cluster exceeds a threshold number.
However, in an analogous art, Chayes discloses a method, comprising the step of: determining that the cluster of emails is a valid cluster when a number of emails in the cluster exceeds a threshold number (Chayes [0016], [0073], [0084]. The results from the weighted cluster graph can either be returned as final output or can be used as input to other processing components such as search engines, newsgroup browsers or email programs. At 410, a weighted graph is recursively segmented into clusters of suitable size. Segmenting a weighted graph is discussed in greater detail infra. At 412, clusters created via segmentation are reviewed to determine whether merging two cluster would be beneficial. At 414, remaining clusters are reviewed to determine if cluster size and quality are acceptable. If one or more clusters are not of a sufficient size, they can be merged into another cluster with which they have substantial relation based upon the number of cross-postings between such two clusters. The threshold t should be chosen to create final clusters of a desired size and/or quality, wherein quality is determined by some measure of relatedness within each segment (e.g., a sufficient degree of cross-posting exists between newsgroups within each cluster).).
Therefore, it would have been obvious to one of ordinary skill in the art on or before the effective filing date of the claimed invention to combine the teachings of Chayes, Haworth and Burgis to include the step of: determining that the cluster of emails is a valid cluster when a number of emails in the cluster exceeds a threshold number. One would have been motivated to provide users with a means for creating clusters of sufficient size for statistical analysis and classification. (See Chayes [0084].)
Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Haworth et al. (“Haworth,” US 20230224327, published July 13, 2023) in view of Burgis et al. (“Burgis,” US 20220116415, published April 14, 2022) and Sawyer (“Sawyer,” US 20230222103, published July 13, 2023).
Regarding claim 7, Haworth and Burgis disclose the method of claim 1. Haworth and Burgis do not explicitly disclose preprocessing the dataset by replacing numbers with a generic number tag and/or by replacing names with a generic name tag.
However, in an analogous art, Sawyer discloses a method, comprising the step of: preprocessing the dataset by replacing numbers with a generic number tag and/or by replacing names with a generic name tag (Sawyer [0056]. The one or more illegal characters in the original filename for the file can be detected and a replacement character can be substituted for each of the one or more illegal characters in the original filename for the file. For example, a “□” symbol, i.e., Unicode U+25A1, can be substituted for a “<” symbol, “>” symbol, or other non-permitted symbol on the file system of client device 315B. The Unicode U+25A1 character is defined as “may be used to indicate a missing symbol.” Generally speaking, this two-way synchronization process will allow the file to appear on the file system of the second client device 315B using the replacement filename having the replacement characters in place of the illegal or impermissible characters of the original filename. It will also allow synchronization of this file back to the first client device when changes are made by the second client device 315B.).
Therefore, it would have been obvious to one of ordinary skill in the art on or before the effective filing date of the claimed invention to combine the teachings of Saywer, Haworth and Burgis to include the step of: preprocessing the dataset by replacing numbers with a generic number tag and/or by replacing names with a generic name tag. One would have been motivated to provide users with a means for synchronizing data format before file processing. (See Sawyer [0056].)
Claims 8-9 is rejected under 35 U.S.C. 103 as being unpatentable over Haworth et al. (“Haworth,” US 20230224327, published July 13, 2023) in view of Burgis et al. (“Burgis,” US 20220116415, published April 14, 2022) and Jagota et al. (“Jagota,” US 20180165281, published June 14, 2018).
Regarding claim 8, Haworth and Burgis disclose the method of claim 1. Haworth and Burgis do not explicitly disclose: wherein determining the pattern in the dataset of inbound emails comprises tokenizing the data in the dataset, and determining the pattern based on tokens of the tokenized data.
However, in an analogous art, Jagota discloses a method, comprising the step of: wherein determining the pattern in the dataset of [inbound emails] comprises tokenizing the data in the dataset, and determining the pattern based on tokens of the tokenized data (Jagota [0085]-[0086]. FIG. 4 is an operational flow diagram illustrating a high level overview of a method 400 for match index creation. Values stored in a corresponding field by records are tokenized, block 402. The database system tokenizes record field values to create a trie that will be used during record indexing and record lookup. Tokenizing can be the process of dividing a stream of text up into words, phrases, symbols, or other meaningful elements, which may be referred to as tokens. Having tokenized the database records' values, a trie is built from the tokenized values, each branch in the trie labeled with a corresponding tokenized value, each node storing a corresponding count indicating a number of the records associated with a corresponding tokenized value sequence beginning from a root of the trie, block 404. The database system will use the trie during record indexing and record lookup. By way of example and without limitation, this can include the database system creating a trie that includes a branch labelled national from the trie root to a first sequential node.).
Therefore, it would have been obvious to one of ordinary skill in the art on or before the effective filing date of the claimed invention to combine the teachings of Jagota, Haworth and Burgis to include the step of: wherein determining the pattern in the dataset of [inbound emails] comprises tokenizing the data in the dataset, and determining the pattern based on tokens of the tokenized data. One would have been motivated to provide users with a means for tokening data and organizing the tokenized data for search, processing and retrieval. (See Jagota [0086].)
Regarding claim 9, Haworth, Burgis and Jagota disclose the method of claim 1.
Jagota further discloses wherein determining the pattern comprises determining the constant component as a largest common string of the tokens (Jagota FIG. 3, [0086]. Having tokenized the database records' values, a trie is built from the tokenized values, each branch in the trie labeled with a corresponding tokenized value, each node storing a corresponding count indicating a number of the records associated with a corresponding tokenized value sequence beginning from a root of the trie, block 404. The database system will use the trie during record indexing and record lookup. By way of example and without limitation, this can include the database system creating a trie that includes a branch labelled national from the trie root to a first sequential node; branches labelled institute, cancer, science from the first sequential node to the second sequential nodes; branches labelled of, center, and board from the second sequential nodes to the third sequential nodes, and a branch labelled health from a third sequential node to a fourth sequential node, as depicted in FIG. 3. The first sequential node stores the count 3 for the 3 organization names that include national, the second sequential nodes each store the count 1 for the 1 corresponding organization name that includes institute, cancer, or science, the third sequential nodes each store the count 1 for the 1 corresponding organization name that includes of, center, or board, and the fourth sequential node stores the count 1 for the 1 organization name that includes health.).
The motivation is the same as that of claim 8 above.
Claims 10-11 are rejected under 35 U.S.C. 103 as being unpatentable over Haworth et al. (“Haworth,” US 20230224327, published July 13, 2023) in view of Burgis et al. (“Burgis,” US 20220116415, published April 14, 2022), Jagota et al. (“Jagota,” US 20180165281, published June 14, 2018) and Nossal et al. (“Nossal,” US 20170061085, published Mar. 2, 2017).
Regarding claim 10, Haworth, Burgis and Jagota disclose the method of claim 8.
Haworth further discloses inbound email (Haworth [0047]. The email campaign detector 130 can use machine learning to cluster similar emails deemed malicious. An email campaign detector 130 working in a corporate environment is configured to cluster inbound emails that have similar indices/metrics as well as from a same source.).
Jagota further discloses wherein determining the pattern in the dataset of [inbound emails comprises, for each inbound email]:
generating nodes for each token; scoring the nodes according to the number of unique [inbound emails] that each respective node is present in (Jagota FIG. 3, [0086]. Having tokenized the database records' values, a trie is built from the tokenized values, each branch in the trie labeled with a corresponding tokenized value, each node storing a corresponding count indicating a number of the records associated with a corresponding tokenized value sequence beginning from a root of the trie, block 404. The database system will use the trie during record indexing and record lookup. By way of example and without limitation, this can include the database system creating a trie that includes a branch labelled national from the trie root to a first sequential node; branches labelled institute, cancer, science from the first sequential node to the second sequential nodes; branches labelled of, center, and board from the second sequential nodes to the third sequential nodes, and a branch labelled health from a third sequential node to a fourth sequential node, as depicted in FIG. 3. The first sequential node stores the count 3 for the 3 organization names that include national, the second sequential nodes each store the count 1 for the 1 corresponding organization name that includes institute, cancer, or science, the third sequential nodes each store the count 1 for the 1 corresponding organization name that includes of, center, or board, and the fourth sequential node stores the count 1 for the 1 organization name that includes health.).
Haworth, Burgis and Jagota do not explicitly disclose: and determining the pattern in the dataset based on a largest node having a score above a threshold value.
However, in an analogous art, Nossal discloses a method, comprising the step of: and determining the pattern in the dataset based on a largest node having a score above a threshold value (Nossal [0028]. After the computing system adds a layer of nodes to the current depth level of the trie, the computing system prunes (i.e. removes) nodes from the trie that do not meet one or more criteria. Pruning may be based on one or more criteria such as a threshold count for the histogram of each code (e.g., a code may be dropped from a node if the count of a node's histogram is below a threshold number or the node may be removed from the trie of the count is zero) or a number of enterprises associated with each node (e.g., a node associated with fewer enterprises such as only a single hospital, the node may be the result of a template at that enterprise and less useful than a node from multiple enterprises). Pruning nodes reduces the search space associated with the trie, as well as the memory consumption of the trie.).
Therefore, it would have been obvious to one of ordinary skill in the art on or before the effective filing date of the claimed invention to combine the teachings of Nossal, Jagota, Haworth and Burgis to include the step of: and determining the pattern in the dataset based on a largest node having a score above a threshold value. One would have been motivated to provide users with a means for creating a criteria that can enable more efficient data processing through cutting the number of insignificant nodes from a trie and focusing resources on nodes with more significant connections. (See Nossal [0028].)
Regarding 11, Haworth, Burgis, Jagota and Nossal disclose the method of claim 10. Jogota further discloses wherein generating the nodes for each token comprises building a trie tree structure (Jagota FIG. 3, [0086]. Having tokenized the database records' values, a trie is built from the tokenized values, each branch in the trie labeled with a corresponding tokenized value, each node storing a corresponding count indicating a number of the records associated with a corresponding tokenized value sequence beginning from a root of the trie, block 404. The database system will use the trie during record indexing and record lookup. By way of example and without limitation, this can include the database system creating a trie that includes a branch labelled national from the trie root to a first sequential node; branches labelled institute, cancer, science from the first sequential node to the second sequential nodes; branches labelled of, center, and board from the second sequential nodes to the third sequential nodes, and a branch labelled health from a third sequential node to a fourth sequential node, as depicted in FIG. 3. The first sequential node stores the count 3 for the 3 organization names that include national, the second sequential nodes each store the count 1 for the 1 corresponding organization name that includes institute, cancer, or science, the third sequential nodes each store the count 1 for the 1 corresponding organization name that includes of, center, or board, and the fourth sequential node stores the count 1 for the 1 organization name that includes health.).
The motivation is the same as that of claim 10 above.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to EDWARD LONG whose telephone number is (571)272-8961. The examiner can normally be reached on Monday to Friday, 9 AM - 6 PM EST (Alternate Fridays).
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571) 270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only.
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/EDWARD LONG/
Examiner, Art Unit 2439
/LUU T PHAM/ Supervisory Patent Examiner, Art Unit 2439