Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

	This action is in response to the claims filed 2/19/2019.  Claims 1-20 are pending. Claims 1 (a software machine), 11 (a method), and 20 (a non-transitory CRM) are independent.

	Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-10 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  The claim(s) does/do not fall within at least one of the four categories of patent eligible subject matter because claim 1 sets forth a plurality of “modules”.  The modules are not stated to include physical hardware.  As such, the modules may reasonably be interpreted as software.  Software is none of a process, machine, manufacture, nor composition of matter and is non-statutory for the purposes of 35 U.S.C. § 101.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 7, 8, 17, and 18 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Claims 7 and 17 require: “allows a cyber professional to ... consider them as an interconnected whole”.  Limitations directed to how a user may perceive the system are ambiguous and, therefore, indefinite.
Claims 8 and 18 require: “where a particular user's network activity is tied to their email activity because the network module observes network activity and the cyber-threat module receives the network module observations to draw that into an understanding of this particular user's email activity to make an appraisal of potential email threats with a resulting threat risk parameter.”
It is unclear how a “user’s network activity” is tied to email activity “because” modules receive observations.  While the limitation is directed to determining potential email threats and a user’s email activity, it does not appear related to a user’s network activity.

The following is a quotation of 35 U.S.C. 112(d):
(d) REFERENCE IN DEPENDENT FORMS.—Subject to subsection (e), a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

The following is a quotation of pre-AIA  35 U.S.C. 112, fourth paragraph:


Claim 20 is rejected under 35 U.S.C. 112(d) or pre-AIA  35 U.S.C. 112, 4th paragraph, as being of improper dependent form for failing to further limit the subject matter of the claim upon which it depends, or for failing to include all the limitations of the claim upon which it depends.  Claim 20 (a machine) depends on claim 11 (a method claim).  Infringement for a method claim requires performance of the method steps whereas infringement of a machine claim requires possession of a machine capable of performing said steps.  As claim 20 does not require performance of the steps of claim 11, it fails to further limit claim 11.  Applicant may cancel the claim(s), amend the claim(s) to place the claim(s) in proper dependent form, rewrite the claim(s) in independent form, or present a sufficient showing that the dependent claim(s) complies with the statutory requirements.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 2, 9-12, 19, and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kovega et al., US 2018/0295146 (filed 2018-01), in view of Muddu et al., US 2017/0063910 (filed 2015-10).
As to claims 1, 11, and 20, Kovega discloses a system/method comprising:
(with regard to claim 20, see Kovega ¶ 25 disclosing a CRM embodiment)
one or more machine learning models that are trained on a normal behavior of email activity and user activity associated with an email system; (“user interactions may be associated with different scores, each respective score representative of the importance of the respective user interaction, where user interactions that may be indicators of a compromised account (such as sending an email to the entire contact list, changing personal information associated with the account) are associated with a higher score, and where user interactions that are indicators of normal behavior a user may engage in (such as reading an email, sending a single email, deleting an email) are associated with a lower score. Each score associated with a user interaction may be set manually by an administrator of the service provider 306, or by a machine learning algorithm on the tracking server 250” Kovega ¶ 82)
a cyber-threat module … where the cyber-threat module is configured to reference the models that are trained on the normal behavior of email activity and user activity associated with the email system (Kovega ¶ 82, cited above), where the cyber-threat module determines a threat risk parameter that factors in the likelihood that a chain of one or more unusual behaviors of the email activity and user activity under analysis fall outside of derived normal benign behavior; (“a statistical analysis may be performed (as an example with a machine learning algorithm) on the user activity associated with each service, …. from which the tracking server 250 may determine behavior patterns of normal or non-suspicious user activity by looking at the status of a 
where an email module with the one or more machine learning models trained on the normal behavior of email activity and user activity analyze the user activity and the email activity to draw an understanding of the email activity and user activity in the email system; and (“After having determined the normal or usual user activity, a respective first threshold for each one of the email service 225, the social media service 235 and the money transfer service 245 may be set.” Kovega ¶ 103. Later used in detection, Kovega ¶ 112)
an autonomous response module, rather than a human taking an action, configured to cause one or more autonomous actions to be taken to contain the cyber-threat when the threat risk parameter from the cyber-threat module is equal to or above an actionable threshold. (“A determination that the given user exceeds the second threshold may be instrumental into triggering a user challenge procedure for the first user 203 of the first client device 100.” Kovega ¶ 114)

Kovega does not disclose:
with one or more machine learning models trained on cyber threats in the email system,

Muddu discloses:

 trained on cyber threats in the email system, (“a machine learning model can be a label used to refer to the group of model states that are specifically trained by a specific type of anomalies and applied to that type of anomalies.” Muddu ¶ 293. See also Muddu ¶¶ 318, 338 and 628-632) 

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Kovega with Muddu by utilizing the additional models trained in anomalous activity in addition to models trained using user activity.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Kovega with Muddu in order to detect specific types of anomalous activity in addition to user specific anomalies; thereby allowing the system to detect unusual or anomalous activities that have not been previously recognized by the system, Muddu ¶ 145.

As to claims 2 and 12, Kovega in view of Muddu discloses a system/method of claims 1 and 11 and further discloses:
one or more machine learning models trained on gaining an understanding of a plurality of characteristics on an email itself and its related data; (“user interactions may be associated with different scores, each respective score representative of the importance of the respective user interaction, where user interactions that may be machine learning algorithm on the tracking server 250” Kovega ¶ 82)
and where the cyber-threat module can also reference the machine learning models trained on an email itself and its related data to determine if an email under analysis has potentially malicious characteristics, (can then is non-limiting because it makes the following limitations optional, but see Kovega as cited below) 

As to claims 9 and 19, Kovega in view of Muddu discloses a system/method of claims 1 and 11 and further discloses:
wherein the one or more machine learning models trained on the normal behavior of users and their emails use data from (“The service provider 305 may manage the tracking server 250, and the tracking server 250 may track user activity” Kovega ¶ 79) … to train on; (“user interactions may be associated with different scores, each respective score representative of the importance of the respective user a machine learning algorithm on the tracking server 250” Kovega ¶ 82. “As events related to the given user arrive, versions of a machine learning model are initiated, trained, activated, (optionally) continually updated, and finally expired.” Muddu ¶ 234)
and therefore, regularly update what a base line for the normal behavior is. (“the first threshold and the second threshold can be updated from time to time or on a regular basis.” Kovega ¶ 88, also ¶ 82)

Kovega in view of Muddu does not disclose:
the probes.

Muddu further discloses:
the probes (“incoming event data from various data sources is evaluated” Muddu ¶ 147)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have further combined Kovega in view of Muddu with Muddu by 

As to claim 10, Kovega in view of Muddu discloses a system/method of claim 1 and further discloses:
wherein the cyber-threat module's configured cooperation with the autonomous response module, to cause one or more autonomous actions to be taken to contain the cyber threat, (“A determination that the given user exceeds the second threshold may be instrumental into triggering a user challenge procedure for the first user 203 of the first client device 100.” Kovega ¶ 114) improves computing devices in the email system by limiting an impact of the cyber-threat from consuming CPU cycles, memory space, and power consumption in the computing devices via responding to the cyber-threat (“responsive to the user challenge procedure response from the first client device not matching the user activity during the first time period, blocking access to the plurality of application services on the client device” Kovega ¶ 146) ….

Kovega in view of Muddu does not disclose:
 without waiting for some human intervention. 

Muddu additionally discloses:

 (“The anomalies and threats detected by the real-time processing path may be employed to automatically trigger an action, such as stopping the intrusion, shutting down network access, locking out users, preventing information theft or information transfer, shutting down software and or hardware processes, and the like.” Muddu ¶ 151)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have further combined Kovega in view of Muddu with Muddu by blocking the user/terminal access to the service automatically without requiring the response to the user challenge procedure.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to perform the blocking of Kovega ¶ 146 prior to receiving the user challenge response in order to prevent detected malicious use of the network without requiring a response to the user challenge, thereby avoiding the use case where the malicious user or bot simply ignores the authentication challenge. 

Claims 3, 4, 13, and 14 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kovega et al., US 2018/0295146 (filed 2018-01), in view of Muddu et al., US 2017/0063910 (filed 2015-10), and Celik, US 2019/0028510 (filed 2017-09).
As to claims 3 and 13, Kovega in view of Muddu discloses a system/method of claims 1 and 11 but does not disclose:


Celik discloses:
a user interface with an inbox-style view of emails coming in/out of the email system (see Celik Figure 2) and cyber security characteristics known about one or more emails under analysis, (“The system may also be configured to present a percentage of possibility 24, including a graphical display of a phish-o-meter 24, that presents a probability that the current email is a phishing attempt.” Celik ¶ 37, describing figure 2) where the user interface with the inbox-style view of emails (“The application may be implemented as a plugin for various e-mail clients, such as Microsoft Outlook” Celik ¶ 10, see figure 2) has a first window that displays the one or more emails under analysis and a second window with security characteristics known about those one or more emails under analysis. (see Celik Figure 2).

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Kovega in view of Muddu with Celik by providing a user interface to display the information of Kovega in view of Muddu.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Kovega in view of Muddu with Celik in order to provide a 

As to claims 4 and 14, Kovega in view of Muddu and Celik discloses a system/method of claims 3 and 13 and further discloses:
wherein the user interface for the cyber-threat defense system is configured to allow emails in the e-mail system to be filterable, searchable, and sortable to customize and target the one or more emails under analysis in the first window alongside the relevant security characteristics known about those one or more emails (“The application may be implemented as a plugin for various e-mail clients, such as Microsoft Outlook” Celik ¶ 10, see figure 2), where these two windows displaying their respective information on the same display screen with this user interface allows a cyber professional analyzing the emails under analysis to better assess whether those one or more emails are in fact a cyber threat. (see figure 2)

Claims 5, 6, 15, and 16 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kovega et al., US 2018/0295146 (filed 2018-01), in view of Muddu et al., US 2017/0063910 (filed 2015-10), and Chasin et al., US 2007/0107059 (filed 2006-08).
As to claims 5 and 15, Kovega in view of Muddu discloses a system/method of claims 1 and 11 and further discloses:
where the autonomous response module is configurable to know when the response module should take the autonomous actions to contain the cyber-threat when 
when the cyber-threat module indicates the threat risk parameter is equal to or above the actionable threshold, (“The user activity on the at least one service exceeding a second global threshold may indicate that the user account (e.g. the user account 307) or the client device (e.g. the first client device 100) has been compromised, and trigger a user challenge procedure” Kovega ¶ 85. See also ¶ 114) selectable by the cyber professional, (“Different user interactions may be associated with different scores, …. Each score associated with a user interaction may be set manually by an administrator of the service provider 306” Kovega ¶ 82.) that the one or more emails under analysis are at least highly likely to be malicious. (“the scores associated with the user interactions may be continuously updated depending on the results obtained, such as if a user reports that his account was compromised when the tracking server 250 did not detect abnormal activity or vice versa.” Kovega ¶ 82)

Kovega in view of Muddu does not disclose:


Chasin discloses:
 (“Policies may specify allowed or disallowed member Internet protocol (IP) addresses which may submit traffic to the member message transfer node, allowed message domain names contained in the email envelope, group-level or user-level filtering rules, and others. Members may configure message filtering policies to be performed based on one or more criteria, such as, but not limited to, attachment types, sizes and frequencies and message content, member reputation, sender, recipient, and a combination of sender and recipient.” Chasin ¶ 51) where the autonomous response module has an administrative tool, configurable through the user interface, to set what autonomous actions the autonomous response module can take, (“Member network administrators can create and modify policies through a web portal.” Chasin ¶ 51. See also Chasin ¶¶ 137 and 168) including types of actions and specific actions the autonomous response module is capable of, (Chasin ¶¶ 137-163, discussing policies) 

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Kovega in view of Muddu with Chasin by allowing administrators to select multiple policies for disposition of detected anomalies.  It would have been obvious to a person of ordinary skill in the art before the effective filing date 

As to claims 6 and 16, Kovega in view of Muddu and Chasin discloses a system/method of claims 5 and 15 and further discloses:
wherein the autonomous response module has a library of response actions types of actions and specific actions the autonomous response module is capable of, (Chasin ¶¶ 137-146, discussing policies) including focused response actions selectable through the user interface that (“Member network administrators can create and modify policies through a web portal.” Chasin ¶ 51. See also Chasin ¶¶ 137 and 168) 

Kovega in view of Muddu and Chasin does not disclose:
are contextualized to autonomously act on specific email elements of a malicious email, rather than a blanket quarantine or block approach on that email, to avoid disruption to a particular user of the email system.

Chasin further discloses:
are contextualized to autonomously act on specific email elements of a malicious email, rather than a blanket quarantine or block approach on that email, to avoid disruption to a particular user of the email system. (“Possible dispositions could include automatic message delivery after a designated time period, automatic non-delivery and 

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Kovega in view of Muddu with Chasin by allowing administrators to select multiple policies for disposition of detected anomalies.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Kovega in view of Muddu with Chasin in order to allow the system to deal with user anomalies in multiple ways beyond those disclosed in Kovega, thereby preventing malicious incoming emails as well as other insiders that could avoid the countermeasures of Kovega. 

Claims 7, 8, 17, and 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kovega et al., US 2018/0295146 (filed 2018-01), in view of Muddu et al., US 2017/0063910 (filed 2015-10), and Filippi et al., US 2018/0121566 (filed 2016-10).
As to claims 7 and 17, Kovega in view of Muddu discloses a system/method of claims 1 and 11 and further discloses:
a network module that has one or more machine learning models trained on a normal behavior of users, devices, and interactions between them, on a network, which 

Kovega in view of Muddu does not disclose:
where a user interface has one or more windows to display network data and one or more windows to display emails and cyber security details about those emails through the same user interface on a display screen, which allows a cyber professional to pivot between network data and email cyber security details within one platform, and 

Filippi discloses:
where a user interface has one or more windows to display network data and one or more windows to display emails and cyber security details about those emails  through the same user interface on a display screen, (“a first data model object may define a broad set of data pertaining to e-mail activity generally, and another data model Examples of data models can include electronic mail, authentication, databases, intrusion detection, malware, application state, alerts, compute inventory, network sessions, network traffic, performance, audits, updates, vulnerabilities, etc. Data models and their objects can be designed by knowledge managers in an organization, and they can enable downstream users to quickly focus on a specific set of data. For example, a user can simply select an “e-mail activity” data model object to access a dataset relating to e-mails generally (e.g., sent or received), or select an “e-mails sent” data model object (or data sub-model object) to access a dataset relating to e-mails sent.” Filippi ¶ 151) which allows a cyber professional to pivot between network data and email cyber security details within one platform, and 

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Kovega in view of Muddu with Filippi by utilizing the visualizations of Filippi to display the gathered data of Kovega in view of Muddu.  It 

As to claims 8 and 18, Kovega in view of Muddu and Filippi discloses a system/method of claims 7 and 17 and further discloses:
wherein the network module and its machine learning models being utilized to determine potentially unusual network activity (“As events related to the given user arrive, versions of a machine learning model are initiated, trained, activated, (optionally) continually updated, and finally expired.” Muddu ¶ 234. See also Muddu ¶¶ 318, 338 and 628-632) provides an additional input of information into the cyber-threat module to determine the threat risk parameter, (“The first table of user activity 410 may be associated with the email service 225, the second table of user activity 510 may be associated with the social media service 235 and the third table of user activity 610 may be associated with the money transfer service 245, …. The first table of user activity 410, the second table of user activity 510 and the third table of user activity 610 may be used to determine a respective first threshold of user activity and a second threshold of user activity for the first user 203.” Kovega ¶¶ 84-85) where a particular user's network activity is tied to their email activity because the network module observes network activity and the cyber-threat module receives the network module observations to draw that into an understanding of this particular user's email activity to make an appraisal of potential email threats with a resulting threat risk parameter. (“After having determined 


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892, particularly:
Higbee et al., US 9,906,554, discloses an administrator user interface for reviewing and configuring a malicious email detection system. 
Edwards et al., US 2019/0020682 discloses an email phishing detection system. 
Kirti et al., US 2017/0251013 discloses a system for configuring remediation workflow actions by an administrator.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL W CHAO whose telephone number is (571)272-5165. The examiner can normally be reached M, W-F 8-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571) 272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MICHAEL W CHAO/           Examiner, Art Unit 2492