DETAILED ACTION

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments

Applicant's arguments filed 12/17/2020 have been fully considered but they are not persuasive.
As to Applicant’s argument that, “Barai does not describe any model or logic that receives the input (one or more attributes of the user and the one or more responses of the user) and provides output (type of exploit) as recited in the Claims nor any campaign controller interfacing or communicating with any models to do the same. The only model that Barai describes is a graph model which does not take the two inputs of user attribute(s) and user response(s) and responsive to those inputs provide a type of exploit as output to user for that user” (Remarks, p. 5), the Examiner respectfully disagrees. In response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references. See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986). More to the point, the Barai reference cites numerous models that take into 
As to Applicant’s argument that, “Both Barai and Flores only mention using artificial intelligence and a neural network in passing without any description of the structure and function of a model comprising a neural network or how such a neural network will be trained and with what data and what inputs and output such a neural network would have” (Remarks, pp. 4-5), the Examiner respectfully disagrees. The Examiner has provided as much specificity about neural networks as the Applicant has provided in the claims. “The model comprises a neural network” (claim 1, line 6, claim 16, line 6, and claim 31, lines 2, 6, 16-18, and 22) does not show any structure or description. The Specification describes a neural network as a tool used for artificial intelligence that is “modeled after the neurons in the human brain, where a trained algorithm determines an output response for input signals” (Specification, [0079]) and further states, “The neural network architecture consists of an input layer, which inputs data to the network; an output layer, which produces the resulting guess from the network; and a series of one or more hidden layers, which assist in propagating” (Specification, [0182]). As detailed above and below in the rejection section, Barai as modified teaches these limitations. Therefore, the rejection is maintained.
The 35 USC 112(b) rejections in the last Office Action have been withdrawn as they do not apply to this application and were inadvertently added by the Examiner. Apologies for any confusion this may have caused.
The double patenting question is addressed below.

Response to Amendment

Claim 30 has been cancelled.
Claims 1-29 and 31 are pending.

Claim Rejections - 35 USC § 103

Claims 1-29 and 31 are rejected under 35 U.S.C. 103 as being unpatentable over US Patent No. 8,464,346 to Barai, et al (hereinafter Barai) as applied to claim 1 and claim 16 respectively above, and further in view of US PG Pub. No. 2012/0124671 to Fritzson et al. (hereinafter Fritzson) in view of US PG Pub. No. 2013/0347116 to Flores et al. (hereinafter Flores).

As to claims 1, 16, and 31, Barai teaches:
a.	Training a model by applying machine learning on at least one or more attributes of a plurality of users and one or more responses of a plurality of users from results of simulated attacks (scan controller and master agent gather information and initiate simulated attacks on systems according to vulnerabilities 
Barai teaches simulating hacking attacks, but does not expressly mention phishing attacks. However, in an analogous art, Fritzson teaches phishing communications (tracking responses to phishing e-mail messages) (Fritzson, [0032]) using a plurality of types of exploits (types of exploits) (Barai, 7:51-60), the model comprising a neural network trained to take as input at least one or more attributes of a user and one or more responses of the user and provides as output a type of exploit to use for that user responsive to the input (criterion is selected which determines the type of attack to use on the user) (Barai, 9:24-10:58).
Therefore, one of ordinary skill in the art at the time the invention was made would have been motivated to implement the simulated hacking attacks of Barai with the tracking and analyzing of user responses to the simulated phishing attacks of Fritzson in order to improve system security through attack awareness training as suggested by Fritzson (Fritzson, [0003]).
Barai as modified uses artificial intelligence and/or machine learning techniques in training the model, but does not explicitly recite a “neural network”. However, in an analogous art, Flores teaches the use of neural networks in developing phishing simulations for training purposes (Flores, [0078]).
Therefore, one of ordinary skill in the art at the time the invention was made would have been motivated to implement the simulated hacking attacks of Barai as 
Barai as modified further teaches establishing, by a campaign controller, the model for selecting the type of exploit from a plurality of exploits to use in a simulated phishing communication to the user (criterion is selected which determines the type of attack to use on the user) (Barai, 9:24-10:58).
b.	Identifying, by the campaign controller, the user for which to communicate the simulated phishing communication and one or more attributes of the user and one or more responses of the user to one or more simulated phishing communications (attack strategy identifies which users to target with what kind of attack) (Barai, 12:20-67).
c.	Providing, by the campaign controller, each of the one or more attributes of the user and one or more responses of the user to one or more simulated phishing communications (at least the human profile model data is used for input for devising the attack strategy) (Barai, 12:20-67).
d.	Receiving, from the model, by the campaign controller responsive to providing the input, an output identifying a first type of exploit from the plurality of types of exploits to use for the user in the simulated phishing communication (attributes of at least the Network, user behavior, and user input (security mistakes) are used to continuously update and refine simulated attacks) (Barai, 12:20-67).
e.	Selecting, by the campaign controller the first type of exploit from the plurality of types of exploits, identified by the campaign controller from the output 
f.	Communicating, by the campaign controller, to the one or more devices of the user the simulated phishing communication comprising the first type of exploit selected by the campaign controller from the output of the model (attack is initiated) (Barai, 8:7-18, 9:24-10:58, and 12:1-9).

As to claims 2 and 17, Barai as modified teaches receiving by the campaign controller, a response from the user to the simulated phishing communication (tracking responses to phishing e-mail messages) (Fritzson, [0032]).

As to claims 3 and 18, Barai as modified teaches selecting, by the campaign controller based on at least the response, a second type of exploit for a second simulated phishing communication to be communicated to the one or more devices of the user, and communicating to the one or more devices of the user the second simulated phishing communication comprising the second type of exploit (the attacks are performed in multiple stages and test different exploits) (Barai, 7:49-8:32).

As to claims 4 and 19, Barai as modified teaches selecting, by the campaign controller, a first template of a plurality of templates for the second simulated phishing 

As to claims 5 and 20, Barai as modified teaches selecting, by the campaign controller, a timing for the second simulated phishing communication (simulated attacks run for a predefined time and the attacks can have multiple parts that have to be executed before the time expires) (Barai, 7:42-45).

As to claims 6 and 21, Barai as modified teaches the model is a personal model trained to represent a certain type of persona or personality (myriad personal attributes are included to represent certain personalities including naiveté, diffidence, curiosity, position in the organization, human relationships) (Barai, 12:1-67).

As to claims 7 and 22, Barai as modified teaches applying, by the campaign controller, to select the first type of exploit one of artificial intelligence or machine learning to one or more of the following: one or more attributes of the user and one or more responses from the user (Barai, 12:1-67).

As to claims 8 and 23, Barai as modified teaches selecting, by the campaign controller, a first template of a plurality of templates for the simulated phishing communication, the first template comprising the template type of exploit (each attack has its own template in the attack template repository) (Barai, 14:41-46).



As to claims 10 and 25, Barai as modified teaches the first template comprises a sequence of a plurality of simulated phishing communications, each of the plurality of simulated phishing communications comprising a different type of exploit of the plurality of types of exploits and a simulated phishing communication of the plurality of simulated phishing communications comprising the first type of exploit (Barai, 12:1-67 and 14:41-46).

As to claims 11 and 26, Barai as modified teaches the first template comprises a sequence of a plurality of simulated phishing communications, each of the plurality of simulated phishing communications comprising a different timing between the simulated phishing communications (simulated attacks run for a predefined time and the attacks can have multiple parts that have to be executed before the time expires) (Barai, 7:42-45).

As to claims 12 and 27, Barai as modified teaches the plurality of types of exploit comprise one of a macro, an executable, a document with the executable or a link (Barai, 12:33-45).



As to claims 14 and 29, Barai as modified teaches communicating, by the campaign controller, to the one or more devices of the second user the second simulated phishing communication comprising the second type of exploit (scan controller and master agent gather information and initiate simulated attacks on systems according to vulnerabilities found within the systems) (Barai, 6:1-7:38).

As to claim 15, Barai as modified teaches determining, by the campaign controller, a third type of exploit to communicate via a third simulated phishing communication to the second user responsive to a response from the second user to the second simulated phishing communication (a first user is attacked and compromised and the information gathered from that attack leads to more attacks on other users and so on) (Barai, 5:45-67).

Double Patenting

The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159.  See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

Claims 1-29 and 31 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-30 of U.S. Patent No. 9,894,092. Although the claims at issue are not identical, they are not patentably distinct from each other because the limitations of the instant application are merely broader in scope than the limitations of the patented claims. The ‘092 patent is concerned specifically with simulated phishing e-mail attacks while the instant application is concerned with simulated phishing attacks in general, which includes phishing e-mails along with the use of generally available tools that help to automate the execution of the patented limitations. The instant application uses artificial intelligence algorithms and neural network models in determining what exploits to use against a user while the patented claims are more general in nature and do not use the terms models, artificial intelligence, and neural networks.

Conclusion

THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 


Any inquiry concerning this communication or earlier communications from the examiner should be directed to WILLIAM S POWERS whose telephone number is (571)272-8573.  The examiner can normally be reached on M-F 7:30-17:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Hadi Armouche can be reached on 571 270 3618.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.







/WILLIAM S POWERS/           Primary Examiner, Art Unit 2419