DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

EXAMINER'S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.

Authorization for this examiner’s amendment was given in an interview with David Xue on 9/7/21.

The application has been amended as follows: 

What is claimed is: 

(Currently Amended) A system to support electronic message account takeover detection and monitoring, comprising:
an artificial intelligence (AI) engine running on a host, which in operation, is configured to

compute and maintain one or more of statistics on popularity of domains across the internet and likelihood of the domains being legitimate for the entity based on appearance of the domains in internal communications more than a certain number of times over a certain period of time;
analyze the collected electronic message to extract a plurality of features and/or signals from the electronic message to determine if the electronic message is malicious for electronic message account takeover detection;
determine if the electronic message account has been compromised by an electronic message account takeover attack based on one or more of the plurality of extracted features and/or signals in the electronic message including popularity of a domain in the electronic message;
notify a user, one or more intended recipients of the electronic message and/or an administrator of the electronic messaging system of the electronic message account takeover attack;
continuously monitor in real time electronic messages sent from the electronic message account that has been compromised by the electronic message account takeover attack.

(Original) The system of claim 1, wherein:


(Original) The system of claim 1, wherein:
each user is either a person or a system or component configured to send and receive the electronic messages.

(Original) The system of claim 1, wherein:
the AI engine is configured to monitor current state of one or more electronic message accounts of the electronic messaging system, wherein the current state indicates one or more of an activity level, an access pattern, and content behavior of each of the one or more electronic message accounts.

(Original) The system of claim 1, wherein:
the AI engine is configured to continuously monitor new login attempt and/or new mailbox rule changes to the electronic message account in real time in addition to the electronic messages sent from the electronic message account that has been compromised by the electronic message account takeover attack.

(Original) The system of claim 1, wherein:
the AI engine is configured to quarantine the electronic messages sent from the electronic message account that has been compromised by the electronic message 

(Original) The system of claim 1, wherein:
the AI engine is configured to identify one or more communication patterns of each user based on the continuously monitored electronic messages sent from the electronic message account that has been compromised by the electronic message account takeover attack over a certain period time.

(Original) The system of claim 1, wherein:
the plurality of extracted features and/or signals include one or more of identifications of sender and recipients of the collected electronic message, email addresses and/or domains of the sender and the recipients, timestamp, and metadata of the electronic message, forwarding rules and IP logins to the electronic message account, information about links embedded in the emails as a function of how likely the links are to appear in the entity, number of embedded links in the electronic message sent by the electronic message account, length of the longest URL in the electronic message, how likely is every single word in the electronic associated with a malicious email, how likely is any of the domains in the electronic message likely to be malicious, IP logins to the electronic message account, and mailbox rule changes to the electronic message account.

(Original) The system of claim 1, wherein:


(Canceled)

(Original) The system of claim 1, wherein:
the AI engine is configured to detect one or more anomalous signals/features in attributes, metadata and/or content of the collected electronic message for electronic message account takeover detection.

(Original) The system of claim 11, wherein:
the anomalous signals/features include one or more of: same sender using another email address for the first time or from an unpopular domain, replying to someone else in an electronic message chain, and sudden change in number of recipients of an electronic message.

(Original) The system of claim 1, wherein:
the AI engine is configured to continuously monitor the electronic messages that are a part of a conversation that includes more than one electronic message from the electronic message account that has been compromised by the electronic message account takeover attack.

(Original) The system of claim 1, wherein:
the AI engine is configured to delete and/or reset one or more malicious mailbox rules that the electronic message account takeover attack has setup on the compromised electronic message account.

(Currently Amended) A computer-implemented method to support electronic message account takeover detection and monitoring, comprising:
collecting an electronic message sent from an electronic message account of a user in an entity to another user in the entity automatically in real time via an application programming interface (API) call to an electronic messaging system of the entity;
computing and maintaining in a database one or more of statistics on popularity of domains across the internet and likelihood of the domains being legitimate for the entity based on appearance of the domains in internal communications more than a certain number of times over a certain period of time;
analyzing the collected electronic message to extract a plurality of features and/or signals from the electronic message to determine if the electronic message is malicious for electronic message account takeover detection;
determining if the electronic message account has been compromised by an electronic message account takeover attack based on one or more of the plurality of extracted features and/or signals in the electronic message including popularity of a domain in the electronic message;
notifying a user, one or more intended recipients of the electronic message and/or an administrator of the electronic messaging system of the electronic message account takeover attack;
continuously monitoring in real time electronic messages sent from the electronic message account that has been compromised by the electronic message account takeover attack.

(Original) The computer-implemented method of claim 15, further comprising:
monitoring current state of one or more electronic message accounts of the electronic messaging system, wherein the current state indicates one or more of an activity level, an access pattern, and content behavior of each of the one or more electronic message accounts.

(Original) The computer-implemented method of claim 15, further comprising:
continuously monitoring new login attempt and/or new mailbox rule changes to the electronic message account in real time in addition to the electronic messages sent from the electronic message account that has been compromised by the electronic message account takeover attack.

(Original) The computer-implemented method of claim 15, further comprising:
quarantining the electronic messages sent from the electronic message account that has been compromised by the electronic message account takeover attack in real time before one or more intended recipients of the electronic message in the entity receive the electronic message.

(Original) The computer-implemented method of claim 15, further comprising:
identifying one or more communication patterns of each user based on the continuously monitored electronic messages sent from the electronic message account that has been compromised by the electronic message account takeover attack over a certain period time.

(Original) The computer-implemented method of claim 15, further comprising:
computing offline and maintaining in a database term frequency-inverse document frequency (TF-IDF) of each word based on a corpus of labeled malicious emails and a corpus of innocent emails to determine the likelihood of the word in the electronic message being malicious.

(Canceled)

(Original) The computer-implemented method of claim 15, further comprising:
detecting one or more anomalous signals/features in attributes, metadata and/or content of the collected electronic message for electronic message account takeover detection.

(Original) The computer-implemented method of claim 15, further comprising:
continuously monitoring the electronic messages that are a part of a conversation that includes more than one electronic message from the electronic message account that has been compromised by the electronic message account takeover attack.

(Original) The computer-implemented method of claim 15, further comprising:
deleting and/or resetting one or more malicious mailbox rules that the electronic message account takeover attack has setup on the compromised electronic message account.
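
As an added illustration (not part of the Office action or of the application), this Python sketch shows one way the recited per-entity domain-legitimacy statistic and a few of the recited message features (number of links, longest URL, recipient count) could be computed. The class and function names, the threshold of 3 appearances, the 30-day window and the sample messages are assumptions made for the example; internet-wide domain popularity is not modelled.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def link_domains(body):
    """Lower-cased host names of every http(s) URL in a message body."""
    hosts = (urlsplit(u).hostname for u in URL_RE.findall(body))
    return [h.lower() for h in hosts if h]

class DomainStats:
    """Per-entity record of when each domain appeared in internal mail."""
    def __init__(self, min_count=3, window=timedelta(days=30)):
        # min_count and window are illustrative; the claims give no values.
        self.min_count, self.window = min_count, window
        self.seen = {}  # domain -> list of timestamps

    def observe(self, body, when):
        for domain in link_domains(body):
            self.seen.setdefault(domain, []).append(when)

    def is_legitimate(self, domain, now):
        # "more than a certain number of times over a certain period of time"
        recent = [t for t in self.seen.get(domain, ())
                  if now - self.window <= t <= now]
        return len(recent) > self.min_count

def extract_features(body, recipients, stats, now):
    urls = URL_RE.findall(body)
    unfamiliar = sorted({d for d in link_domains(body)
                         if not stats.is_legitimate(d, now)})
    return {
        "num_links": len(urls),
        "longest_url": max((len(u) for u in urls), default=0),
        "num_recipients": len(recipients),
        "unfamiliar_domains": unfamiliar,  # link domains rare inside the entity
    }

def demo():
    # Constructed sample data: five internal messages, then one message to score.
    now = datetime(2021, 9, 7, 12, 0)
    stats = DomainStats()
    for days_ago in (1, 2, 5, 9, 40):  # the 40-day-old sighting is outside the window
        stats.observe("Notes: https://wiki.corp.example/page",
                      now - timedelta(days=days_ago))
    suspect = ("Review https://login.invoice-portal.example/auth?session=abc123 "
               "and the policy at https://wiki.corp.example/policy")
    return extract_features(suspect, ["a@corp.example"], stats, now)
```
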

Reasons for Allowance

The following is an examiner’s statement of reasons for allowance:  A Terminal Disclaimer was filed on 9/7/2021 to overcome Non-Statutory Double Patenting against claims 1-25 to commonly owned US Pat. 10,778,717.

The prior art of record fails to teach or suggest: compute and maintain one or more of statistics on popularity of domains across the internet and likelihood of the domains being legitimate for the entity based on appearance of the domains in internal communications more than a certain number of times over a certain period of time;
analyze the collected electronic message to extract a plurality of features and/or signals from the electronic message to determine if the electronic message is malicious for electronic message account takeover detection; determine if the electronic message account has been compromised by an electronic message account takeover attack based on one or more of the plurality of extracted features and/or signals in the electronic message including popularity of a domain in the electronic message.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to WILLIAM A CORUM JR whose telephone number is (303)297-4234.  The examiner can normally be reached on Mon. - Fri. 8 AM - 5 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on (571)272-6798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/WILLIAM A CORUM JR/Examiner, Art Unit 2433

/JEFFREY C PWU/Supervisory Patent Examiner, Art Unit 2433