Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Terminal Disclaimer
The terminal disclaimer filed on 02-23-2021 disclaiming the terminal portion of any patent granted on this application which would extend beyond the expiration date of 16672854 has been reviewed and is accepted.  The terminal disclaimer has been recorded.

Response to Amendments
The amended claims 1 – 6, 8, 9 and 11 – 18 were considered under 35 USC 112, 101, double patenting and 103 for patentability over the closest and analogous prior art: Chambers et al (US Pub. #: 10104029), hereafter Chambers; Prakash Gagan (US Pub. #: 20160014151), hereafter Prakash; Jakobsson et al (US Pub. #: 20180091476), hereafter Jakob; and Bach; Timothy et al (US Pub. #: 20170048273), hereafter Bach. Applicant's arguments have been fully considered and are persuasive. Claims 7, 10 and 19 – 26 are cancelled.

Allowable Subject Matter
1.	Amended claims 1 – 6, 8, 9 and 11 – 18 are allowed in light of applicant’s arguments, approved examiner’s proposed amendments and in light of prior art(s) made of record. 

Examiner’s Amendment

1. (Currently Amended) A computer-implemented method comprising:
establishing, via an application programming interface, a connection with a storage medium that includes information regarding digital conduct of employees of an enterprise,
wherein the storage medium is managed by an entity that supports an office suite that is utilized by the employees of the enterprise;
downloading, via the application programming interface, a first series of past communications received by an employee over a first interval of time into a local processing environment;
building a machine learning (ML) model for the employee by providing the first series of past communications to the ML model as training data, so as to train the ML model to understand normal traits and content of communications received by the employee;
receiving, via the application programming interface, a communication addressed to the employee; 
examining the communication to establish at least two email attributes;
generating a statistical profile that includes at least one score by providing the at least two email attributes to the ML model as input,
wherein each said score corresponds to a pair of email attributes formed from the at least two email attributes, and
wherein each said score is based on an analysis of the corresponding pair of email attributes by the ML model; and
establishing whether the communication represents a security risk based on a comparison of each score in the statistical profile to a corresponding threshold that is calibrated based on a target number of false positives and false negatives generated by the ML model for each employee of the enterprise.

2. (Previously Presented) The computer-implemented method of claim 1, further comprising:
receiving input indicative of an approval from an administrator associated with the enterprise to access the information in the storage medium;
wherein said establishing is performed in response to receiving the input.

3. (Previously Presented) The computer-implemented method of claim 1, wherein the first series of past communications includes multiple emails that were delivered to the employee.

4. (Currently Amended) The computer-implemented method of claim 1, further comprising:
examining each past communication in the first series of past communications to establish email attributes of the first series of past communications; and
providing the email attributes derived from the first series of past communications to the ML model as training data.

5. (Currently Amended) The computer-implemented method of claim 1, further comprising:
determining
characterizing the security risk along multiple dimensions.

6. (Original) The computer-implemented method of claim 5, wherein the multiple dimensions include:
an attacked party, 
an attack vector, 
an impersonated party, 
an impersonation strategy, and
an attack goal.

7. (Cancelled)

8. (Previously Presented) The computer-implemented method of claim 1, wherein the first series of past communications includes all emails received by the employee during the first interval of time.

9. (Previously Presented) The computer-implemented method of claim 1, further comprising:
downloading, via the application programming interface, a second series of past communications corresponding to a second interval of time that precedes the first interval of time into the local processing environment; and
establishing whether any communications received during the second interval of time represent security risks by applying the ML model to the second series of past communications.

10. (Cancelled)

11. (Currently Amended) A non-transitory computer-readable medium with instructions stored thereon that, when executed by a processor, cause the processor to perform operations comprising:
collecting data related to incoming emails and/or outgoing emails of a customer corresponding to a past interval of time;
generating, based on the data, a communication profile that specifies what constitutes normal behavior with respect to each of multiple individuals with whom the customer communicated over the past interval of time;
receiving an incoming email addressed to the customer;
deriving at least two email attributes of the incoming email; and
determining risk posed by the incoming email :
forming at least one pair of email attributes by combining each email attribute of the at least two email attributes with each other email attribute of the at least two email attributes,
generating a statistical profile by producing at least one score indicative of the degree to which the incoming email deviates from past email activity by comparing each pair of email attributes to the communication profile, and
establishing an amount of risk posed by the incoming email based on a comparison of each said score in the statistical profile to a corresponding threshold that is calibrated based on a target number of false positives and false negatives generated by a machine learning (ML) model for each employee of the enterprise.

12. (Original) The non-transitory computer-readable medium of claim 11, wherein the customer is an enterprise for which the communication profile is generated.

13. (Original) The non-transitory computer-readable medium of claim 11, wherein the customer is an employee of an enterprise for whom the communication profile is generated.

14. (Original) The non-transitory computer-readable medium of claim 11, wherein said generating comprises:
deriving at least one attribute from each email corresponding to the past interval of time; and
building the communication profile based on the derived attributes. 

15. (Currently Amended) The non-transitory computer-readable medium of claim 11, the operations further comprising:
providing deviations in the incoming email to the ML model as input; and
determining whether the incoming email is representative of a security risk based on an output produced by the ML model.

16. (Original) The non-transitory computer-readable medium of claim 15, the operations further comprising:
performing a remediation action responsive to determining that the incoming email is representative of a security risk.

17. (Original) The non-transitory computer-readable medium of claim 11, wherein the one or more email attributes include a primary attribute and a secondary attribute.

18. (Original) The non-transitory computer-readable medium of claim 17, wherein said deriving comprises:
extracting the primary attribute from the incoming email; and
determining the secondary attribute based on the primary attribute and additional information associated with the customer.

19. - 26.	(Cancelled)

Reasons for Allowance
The following is an examiner’s statement of reasons for allowance: 
As to the independent claim 1, the prior art of reference Chambers teaches Col. 2 lines 40-42: the aggregator retrieves the historical email data from the storage (col. 7 lines 25-37), which includes emails associated with a user (fig. 6) at a particular point in time (col. 11 lines 64-65, fig. 8) via data transport means using a network connectivity; Col. 8 lines 30-38: behavioral patterns and trusted trends are generated using various machine learning algorithms such as heuristic methods, artificial intelligence systems, neural networks, or other experience-based (trainable) techniques for determining general trends, behavioral data, and other characteristics by assessing the aggregated historical data; Col. 7 lines 39-42: the system builds a user profile based on the derived user side attributes; Col. 8 lines 39-50: the circles of trust includes information with  

Further, a second prior art of record Prakash teaches: [0062] "recipient background information" comprises information associated with a recipient such as but not limited to third party authentication credentials for online social networks, access rights or authentication tokens to access online social networks on behalf of a recipient, information taken from an online social network, patterns, profiles, messages posted on the social network to the recipient or to others… [0227] one or more anti-phishing server is coupled to a database, [0087] importing a plurality of the received messages received by the recipient over a predetermined time interval... The predetermined time interval may comprise any time interval defined by the system or user through a user interface. 

Further, a third prior art of record Jakob teaches Abstract: measure of similarity between an identifier of a sender of the message and each identifier of one or more identifiers of each trusted contact of a plurality of trusted contacts of a recipient of the message is determined. In the event the sender of the message is not any of the trusted contacts but at least one of the measure of similarity between the identifier of the sender of the message and a selected identifier of a 

Further, a fourth prior art of record Bach teaches Abstract: threat detection system receives links from emails opened in web browsers. The received links are compared with a whitelist of trusted links and blacklisted links associated with security threats. The threat detection system sends trusted identifiers when the received links are identified in the whitelist and sends block identifiers back to the web browsers when the received links are identified in the blacklist. The trusted identifiers cause the web browsers to display a trusted message and the block identifiers cause the web browsers to remove the received link and display a warning message. The threat detection system may receive threat reports for suspected links from employees of a same enterprise and allow an enterprise security administrator to asynchronously update the blacklists and whitelists based on the threat reports received from the enterprise users.

None of the other prior art of record, by itself or in any combination, would have anticipated or rendered obvious the claimed invention of the present application at or before the time it was filed. The prior art of record fails to teach: a connection is established to the storage medium and a machine learning (ML) model is fed with the email messages in batches to train normal and potentially risky behaviors of employees of an organization. When a new message comes in for a given employee, a set of at least two email attributes are fed into the ML and a statistical profile with a score is generated. Based on the comparison of the score with a threshold it is determined if the email is a security risk or not. The threshold is 

Therefore, independent claim 1 and its corresponding dependent claims are allowed in light of applicant’s arguments, approved examiner’s amendments and the prior art of record. The same amendments and reasoning are applicable to independent claim 11 mutatis mutandis. Claims 7, 10 and 19 – 26 are cancelled.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See form PTO-892 Notice of References Cited.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Badri -- Champakesan whose telephone number is (571)270-3867.  The examiner can normally be reached on M-F: 7:45am-5pm (EST).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/BADRINARAYANAN /Examiner, Art Unit 2438.