DETAILED ACTION

Currently pending claims are 1, 2, 4 – 10, 12 – 18 and 20.

Response to Arguments
 Applicant's arguments with respect to instant claims have been fully considered but are moot in view of the new ground(s) of rejection necessitated by Applicant's amendment – please see the following section for the detail of rationale to make the corresponding prior-art(s) rejections as set forth below. 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.



Claims 1, 2, 4 – 10, 12 – 18 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Himler et al. (U.S. Patent 9,774,626), in view of Wasserblat et al. (U.S. Patent 8,145,562).  


As per claim 1, 9 & 17, Himler teaches a method of providing network security, comprising: 
receiving, via a computer network, an electronic message sent by a sending user of an enterprise to a receiving user (Himler: Figure 1 & Col. 1 Line 11 – 23, Col. 9 Line 29 – 30 and Col. 8 Line 36 – 40: analyzing, using a cybersecurity protection mechanism, on a received message sent from a user (employee) of an oganization (i.e. an enterprise user)); 
analyzing the electronic message using a machine-learned user model describing at least linguistic features (see Wasserblat below) of the sending user's electronic messages, the user model specific to the sending user and generated based at least in part on previous electronic messages sent by the sending user (Himler: see above & Col. 8 Line 1 – 13, Col. 12 Line 59 – 65 and Col. 13 Line 23 – 29: (a) analyzing the received message using (factor-specific) feature values as input characteristics incorporated into a machine learning model to identify (classfy) the sender of the received message for the purpose of cybersecurity protection and (b) one of the input analyzed parameters ((factor-specific) feature values) can include a message log of the sender history), comprising:
However, Himler does not disclose expressly using a machine-learned user model describing at least linguistic features of the sending user's electronic messages, the user model specific to the sending user.
Wasserblat (& Himler) teaches using a machine-learned user model describing at least linguistic features of the sending user's electronic messages, the user model specific to the sending user (Himler: see above) || (Wasserblat: Figure 2 / E-205, Col. 13 Line 2 – 5 / Line 26 – 28, Col. 14 Line 18 – 23 / Line 30 – 38 and Col. 5 Line 21 – 31: (a) utilizing a text lingiustic model for training and analyzing the interactions of textual / linguistic features (i.e. messages exchanged) as input parameters, from the sending users extracted from the associated interactions as received, to assess a similarity level and fraud by determining an identity risk score and checking (comparing) whether the fraud risk score exceeding a predetermined threshold, wherein (b) the behavior features are compared against a user profile of a particular user (i.e. a given user identity) during the analysis process (Col. 5 / Line 21 – 31)).  
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to propose the modification of using a machine-learned user model describing at least linguistic features of the sending user's electronic messages because Wasserblat’s teaching can alternatively, effectively and securely utilize a text lingiustic model for training and analyzing the interactions of textual / linguistic features (i.e. messages exchanged) as input parameters, from the sending users extracted from the associated interactions as received, to assess a similarity level and fraud by determining an identity risk score and checking (comparing) whether the fraud risk score exceeding a predetermined threshold, wherein (b) the behavior features are compared against a user profile of a particular user (i.e. a given user identity) during the analysis process (see above) within the Himler’s system of analyzing, using a cybersecurity protection mechanism, on a received message sent from a user (employee) of an oganization (i.e. an enterprise user) (see above). 
retrieving a user identity for the sending user, the user identity specific to the sending user and describing a set of prominent features of electronic messages sent by the sending user (Wasserblat: see above & Col. 5 Line 21 – 31 and Col. 14 Line 18 – 23 / Line 30 – 38); 
applying the electronic message to the user model to produce a set of message features (Wasserblat: see above); and 
comparing the set of message features produced by the user model to the set of prominent features described by the user identity (Wasserblat: see above & Col. 5 Line 21 – 31, Col. 10 Line 10 – 15, Col. 13 Line 2 – 5 / Line 26 – 28, Col. 14 Line 18 – 23 / Line 30 – 38: assessing a similarity level and fraud by determining an identity risk score and checking (comparing) whether the fraud risk score exceeding a predetermined threshold, wherein (b) the behavior features are compared against a user profile of a particular user (i.e. a given user identity) during the analysis process (Col. 5 / Line 21 – 31)) || (Himler: see above & Col. 10 Line 36 – 46, Col. 13 Line 23 – 29, Col. 11 Line 43 – 45, Col. 8 Line 1 – 13 and Col. 12 Line 59 – 65: (a) using a probabilitistic hashing or vector space modeling to compare, at least, the text of the message body by using a set of associated feature values and (b) determining whether the target message violates the security policy based on a threshold amount of a similarity score generated from the analysis model); 
determining, based on the analysis, that the electronic message violates a security policy of the enterprise (Himler: see above & Col. 8 Line 58 – 67) || (Wasserblat: see above); and 
performing a security action based on the determination that the electronic message violates the security policy (Himler: see above & Col. 8 Line 60 – 67: (e.g.) deleting the message if the received message violates the security policy) || (Wasserblat: see above).  

As per claim 2, 10 and 18, Himler teaches wherein the retrieved user model is specific to the sending user and trained using previous electronic messages sent by the sending user to the receiving user (Himler: see above & Col. 8 Line 1 – 13 and Col. 12 Line 59 – 65: (a) analyzing the received message based on a machine learning model to identify (classfy) the sender of the received message for the purpose of cybersecurity protection and (b) one of the input analyzed parameters (feature values) can include a message log of the sender history) || (Wasserblat: see above).

As per claim 4, 12 and 20, Himler teaches determining whether the electronic message conforms with other electronic messages sent by the sending user, and wherein determining whether the electronic message violates a security policy comprises determining that the electronic message violates the security policy responsive to determining that the electronic message does not conform with other electronic messages sent by the sending user (Himler: see above & Col. 12 Line 59 – 65, Col. 13 Line 23 – 29 and Col. 13 Line 4 – 9: comparing the received sender’s message with the previously sent messages (history) from the sender and determining whether the message violates the security policy based on a threshold of a similarity score (resemblance) to analyze its conformance with its previously sent messages (Col. 12 Line 59 – 65)) || (Wasserblat: see above). 


As per claim 5 and 13, Himler teaches determining a purported identity of the sending user; retrieving the user model from a data store, the retrieved user model describing electronic messaging behavior of the sending user having the purported identity; analyzing the electronic message using the retrieved user model to determine whether the electronic message conforms with the electronic messaging of the sending user having the purported identity (Himler: see above & Col. 4 Line 48 – 49, Col. 13 Line 23 – 29, Col. 11 Line 43 – 45 and Col. 12 Line 6 – 14: verifying the identity of a sender of the message using  (factor-specific) feature values as inputs to a machine learning model) || (Wasserblat: see above).  

As per claim 6 and 14, Himler teaches:
detecting a trigger within the electronic message, the trigger indicating a new security policy for the enterprise based on the electronic message (Himler: see above & Col. 6 Line 46 – 49 / Line 29 – 32 and Col. 7 Line 26 – 28, Col. 8 Line 34 – 40 / Line 52 – 54 / Line 57 – 58: (a) the trigger can be an email address of the analyzer server to which the malicious message to be forwarded for analysis – this is consistent with the disclosure of the instant specification (SPEC-PG.PUB: Para [0056] Line 1 – 5 & Last sentence), wherein (b) detecting the forwarded email address (i.e. as a trigger within the forwarded malicious message) such that the analyzer entity, as the recipient, can activate a new security policy as a result of analysis to (e.g.) (i) quarantine the received message or (ii) change (adjust) the setting of the messaging client such that the user cannot open the received message until the system’s analysis is complete because the malicious message may be originated from a source of untrusted entity) || (Wasserblat: see above); 
analyzing the electronic message to determine parameters of the new security policy (Himler: see above: based on a machine learning model and the result of the analysis) || (Wasserblat: see above); 
creating the new security policy based on the determined parameters (Himler: see above & Col. 8 Line 58 – 67: the created new security policy can be either (i) deleting the received message if the received message is malicious or (ii) release the received message in response to a user acknowledgement to a system prompt if the received message is legitimate) || (Wasserblat: see above); and 
saving the new security policy to a data store, wherein the new security policy is applied against subsequent electronic messages sent by users of the enterprise (see above and Col. 7 Line 29 – 32: (a) the new security policy is applied against subsequent messages originated from the source of said untrusted entity (see above) – and besides, (e.g.) including (b) an update of the blacklists of malware repositories or entities) || (Wasserblat: see above).  


As per claim 7 and 15, Himler teaches:
receiving the electronic message at a policy definition address of the enterprise (Himler: see above & Col. 6 Line 29 – 32: (a) an analyzer server for a malicious message constitutes a policy definition entity that can generate an adjusted policy as a result of the analysis (see above – claim 6) and (b) the email address of the analyzer server to which the malicious message to be forwarded for analysis constitutes a policy definition address – this is consistent with the disclosure of the instant specification (SPEC-PG.PUB: Para [0056] Line 1 – 5 & Last sentence) || (Wasserblat: see above); and 
checking the electronic message for the presence of the trigger responsive to receiving the electronic message at the policy definition address, wherein the trigger is detected responsive to the checking (Himler: see above & Col. 6 Line 46 – 49 / Line 29 – 32 and Col. 7 Line 26 – 28: causing the malicious message to be analyzed) || (Wasserblat: see above).  

As per claim 8 and 16, Himler teaches:
generating a score indicating severity of the security policy violation by the electronic message, the score indicating a risk to the enterprise associated with the security policy violation (Himler: see above & Col. 10 Line 38 – 46: generating a similarity score) || (Wasserblat: see above); 
determining, based on the score, to report the security policy violation to an administrator of the enterprise (Himler: see above & Col. 7 Line 12 – 14 and Col. 6 Line 25 – 32) || (Wasserblat: see above); and  
37receiving, from the administrator in response to the report, an indication of the security action to perform on the electronic message (Himler: see above & Col. 6 Line 58 – 65) || (Wasserblat: see above).

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  




A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to LONGBIT CHAI whose telephone number is (571)272-3788.  The examiner can normally be reached on Monday - Friday 9:00am-5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn D. Feild can be reached on 571-272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.







Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

---------------------------------------------------
                  /Longbit Chai/
           Longbit Chai E.E. Ph.D.
    Primary Examiner, Art Unit 2431
                   No. #2254 – 2021
---------------------------------------------------