Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

This action is in response to the claims filed 1/02/2020.  Claims 1-20 are pending.  Claims 1 (a machine) and 11 (a method) are independent.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-10 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  Claim 1 does not fall within at least one of the four categories of patent eligible subject matter: claim 1 recites a machine, but no physical elements are contained in the claim.  Thus claim 1 may reasonably be interpreted as a software machine, and software per se is none of a process, machine, manufacture, or composition of matter for § 101 purposes.  Claims 2-10 depend from claim 1 and are rejected for the same reason.

112(f) Means-For Interpretations
The modules of claims 1 and 11 have not been interpreted as invoking 112(f), as the modules may be software and software has no “structure”.  As 112(f) requires corresponding structure, the modules of claims 1 and 11 do not meet the requirements for a 112(f) interpretation.

Priority Date
Applicant claims priority to U.S. provisional applications 62/632,623 (filed 2018-02) and 62/796,507 (filed 2019-01), and also claims status as a CIP of U.S. non-provisional application 16/278,932 (filed 2019-02).
It has been determined that provisional application 62/632,623 does not provide written description support for independent claims 1 and 11 as required to obtain the effective filing date of 2018-02; see MPEP 211, specifically: “(E) In order to be entitled to the benefit of the prior-filed application, the earlier application must disclose the claimed invention of the later-filed application in the manner provided by 35 U.S.C. 112(a)”.  
As such, the pending claims have an effective filing date no earlier than 2019-01 (the filing date of the later-filed provisional 62/796,507).  Thus, Applicant’s earlier-published US 2017/0230391 (Ferguson) is available as prior art.

Claims 6 and 16
Note that claims 6 and 16 are not rejected in view of the prior art as the prior art does not anticipate or render obvious: “a historical norm state of the layout, including the formatting and the structure for each sender, where the email layout change predictor module is further configured to compare this historical norm state of the layout, the formatting, and the structure every time a new email is seen in order to check whether the new email diverges more than a threshold amount from the historical norm state.”

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.

“substantially simultaneous”  - Claims 1, 2, 10, 11, 12, and 20 require “substantially simultaneous time period”.  This time period is discussed in Applicant’s ¶ 67 as: “the substantially simultaneous time period can be equal to or less than a ten second difference in any of i) a time sent for each of the similar emails under analysis, and ii) a time received for each of the similar emails under analysis.” However, this does not provide a “standard for measuring” substantially simultaneous.  As such this feature is an indefinite term of degree.  See MPEP 2173.05(b).I.

“two or more modules” - Claims 1 and 11 require: “two or more modules configured to … receive information … cyber threat module is configured to cooperate with the two or more modules”.  Claims 1 and 11 do not define or distinguish the “two or more modules” from each other; as claimed they appear to be a single module.  It is 
Reviewing the specification, the two or more modules appear to be those described in claim 10.  In other words, Applicant’s specification appears to define the modules as different detectors of abnormal emails; however, claims 1 and 11 do not associate the modules with the detector functionality.  For example, the “mass email association detector” is described as a module in claim 10, but as a detector in claim 1. 
In summary, the use of the term “two or more modules” in claims 1 and 11 is ambiguous because the modules are never defined. 

	Claims 7 and 17 require: “one or more bloom filters that are configured with a nesting structure to wrap bloom filters within each other….”
	A Bloom filter is known in the art as a fixed-size bit array: each stored element is hashed by k independent hash functions and the k selected bits are set (the array is, in effect, the bitwise OR of every stored element’s hash mask).  A query hashes the test element the same way and reports a match only if all k bits are set.  This allows a fast, space-efficient, but necessarily imprecise matching of a test element against previously seen elements: a negative answer is definite, while a positive answer may be a false positive caused by bits set by other elements.  It is unclear how to “nest” or place one Bloom filter “within” another, as a Bloom filter is a single flat array of bits and nothing in its definition provides for containing another filter.  It is also unclear how a single Bloom filter could be a plurality of Bloom filters so wrapped within.  

Claims 10 and 20 require: “from each of the following two or more modules…”; however, what follows is a listing of five modules.  It is unclear whether the required number of modules is two, or all five. 
 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3, 11, and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Ferguson et al., US 2017/0230391 (published 2017-08) in view of Benishti et al., US 2017/0244736 (filed 2015-10), and Gmach et al., US 2017/0048261 (filed 2014-04).
As to claims 1 and 11, Ferguson discloses the machine/method of claims 1 and 11, comprising:
two or more modules configured to utilize a set of machine learning models (“The anomalous behavior system has the ability to self-learn and detect normality in order to spot true anomalies” Ferguson ¶ 67) as well as communicate with a cyber threat module (“FIG. 1 illustrates a network of computer system 100 using an anomalous behavior detection system.” Ferguson ¶ 60. The cyber threat module being the anomalous behavior detection system of Ferguson.), where the two or more modules also are configured to receive information from a set of detectors to provide at least a range of metadata (“The anomalous behavior detection system disclosed herein may take input from probes in the form of a number of metrics.” Ferguson ¶ 17. See also ¶ 25) from observed email communications in the email domain (“The entities themselves (and …, where the cyber threat module analyzes with the machine learning models trained on a normal behavior of email activity and user activity associated with the network and its email domain (“such as sending emails” Ferguson ¶ 111. Emails are a user activity. “FIG. 3 shows an example of the possible conditional dependencies between modeled entities within an anomalous behavior detection system: the user (U), devices (D), activities (A) and the observed network traffic data (N).” Ferguson ¶ 152, see also ¶ 153) in order to determine when a deviation from the normal behavior of email activity and user activity associated with the network and its email domain is occurring (“Let A be the set of normal activities of a person. Let A′ represent the set of abnormal or anomalous activities.” Ferguson ¶ 159); and 
…
emails being i) sent from or ii) received (Ferguson ¶ 111, also ¶ 153) by a collection of two or more individual users (“allowing organizations of all sizes to understand the behavior of users” Ferguson ¶ 67) in the email domain in … time frame (“an intelligent approach that is able to see patterns in the information and activity and build an understanding of what is normal at any one time, and what is genuinely 


Ferguson does not disclose:
the range of metadata from the observed email communications
a substantially simultaneous
a mass email association detector configured to determine a similarity between two or more similar emails … mathematical models are used to determine similarity weighing in order to derive a similarity score between compared emails.

Benishti discloses:
the range of metadata from the observed email communications (Benishti ¶¶ 78-85, scoring similarity of messages based on “address, message headers, message subject, body, links—name and address, attachments type name, signatures and any other metadata that is extractable from the structure of the message”)
a mass email association detector configured to determine a similarity between two or more similar emails (“Comparing the signatures and features to previous reports (step 33), and scoring the message based on features similarity” Benishti ¶ 82) … mathematical models are used to determine similarity weighing (“Each feature has a 

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Ferguson with Benishti by incorporating the malicious email detection of Benishti.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Ferguson with Benishti in order to detect polymorphic malicious email messages in a network.

Ferguson in view of Benishti does not disclose: a substantially simultaneous

Gmach discloses: substantially simultaneous
(“relevant events are detected within a specific time window. … The conditions of the rule can be as follows: “identify any sequence of 10 malformed HTTP requests from the same IP address made within a one-minute window.”” Gmach ¶ 20)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have modified Ferguson in view of Benishti with Gmach by limiting the email similarity determination of Benishti to a small time window (Gmach).  It would have been obvious to a person of ordinary skill in the art before the effective filing date 

As to claims 3 and 13, Ferguson in view of Benishti and Gmach discloses the machine/method of claims 1 and 11 and further discloses:
one or more mathematical models are configured to determine similarity weighing in order to derive the similarity score between compared emails; (“Each feature has a predefined, configurable, score, that is added (step 33) to the overall score of the message.” Benishti ¶ 82) 
an email similarity scoring module configured to cooperate with the one or more mathematical models in order to compare an incoming email, (“Comparing the signatures and features to previous reports (step 33), and scoring the message based on features similarity” Benishti ¶ 82) based on a semantic similarity of multiple aspects of the incoming email (“If the message's overall score is above a predefined threshold (step 34), the message is treated as suspicious (step 35)” Benishti ¶ 84)

Ferguson in view of Benishti and Gmach, as combined above, does not disclose:
 to a cluster of different metrics derived from known bad emails to derive the similarity score between an email under analysis and the cluster of different metrics derived from known bad emails.

Benishti further discloses:


A person of ordinary skill in the art before the effective filing date of the claimed invention would have further combined Ferguson in view of Benishti and Gmach with Benishti by performing comparisons to known malicious emails of Benishti.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to further combine Ferguson in view of Benishti and Gmach with Benishti in order to detect polymorphic malicious email messages in a network.
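The following Python is an added worked example, not code from the application, Ferguson, Benishti or Gmach. It ties together the two ideas relied on above: a weighted per-feature similarity score between emails (the "similarity weighing" of claims 3 and 13) and the ten-second "substantially simultaneous" window taken from Applicant’s ¶ 67 (the term discussed under the § 112(b) rejection). The feature set, the weights, the 0.7 grouping threshold, the choice of time sent rather than time received, and the sample messages are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import FrozenSet, List

# Added example; the ten-second window is the value from Applicant's paragraph 67,
# everything else (features, weights, threshold, sample messages) is assumed.
SUBSTANTIALLY_SIMULTANEOUS = timedelta(seconds=10)


@dataclass(frozen=True)
class EmailMeta:
    msg_id: str
    sender: str
    recipient: str
    subject: str
    link_hosts: FrozenSet[str]
    attachment_types: FrozenSet[str]
    sent_at: datetime


# Per-feature weights summing to 1.0 (assumed values, not from any reference).
WEIGHTS = {"sender": 0.30, "subject": 0.30, "link_hosts": 0.25, "attachment_types": 0.15}


def tokens(text: str) -> FrozenSet[str]:
    return frozenset(text.lower().split())


def jaccard(a: FrozenSet[str], b: FrozenSet[str]) -> float:
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def similarity(a: EmailMeta, b: EmailMeta) -> float:
    """Weighted similarity in [0, 1] over several metadata features of two emails."""
    score = WEIGHTS["sender"] * float(a.sender.lower() == b.sender.lower())
    score += WEIGHTS["subject"] * jaccard(tokens(a.subject), tokens(b.subject))
    score += WEIGHTS["link_hosts"] * jaccard(a.link_hosts, b.link_hosts)
    score += WEIGHTS["attachment_types"] * jaccard(a.attachment_types, b.attachment_types)
    return round(score, 3)


def mass_email_groups(emails, threshold: float = 0.7,
                      window: timedelta = SUBSTANTIALLY_SIMULTANEOUS) -> List[List[EmailMeta]]:
    """Group emails that score at least `threshold` against a group's first message
    and were sent within `window` of it; only groups of two or more are returned."""
    groups: List[List[EmailMeta]] = []
    for e in sorted(emails, key=lambda m: m.sent_at):
        for g in groups:
            first = g[0]
            if e.sent_at - first.sent_at <= window and similarity(e, first) >= threshold:
                g.append(e)
                break
        else:
            groups.append([e])
    return [g for g in groups if len(g) >= 2]


# Constructed sample traffic: one three-recipient campaign inside the window,
# a fourth copy five minutes later, and one unrelated internal message.
T0 = datetime(2020, 1, 2, 9, 0, 0)


def _msg(i, sender, rcpt, subject, hosts, atts, offset):
    return EmailMeta(f"m{i}", sender, rcpt, subject, frozenset(hosts), frozenset(atts), T0 + offset)


SAMPLE = [
    _msg(1, "billing@invoices.example", "alice@corp.example", "Overdue invoice 4471",
         ["pay.invoices.example"], ["pdf"], timedelta(0)),
    _msg(2, "billing@invoices.example", "bob@corp.example", "Overdue invoice 4472",
         ["pay.invoices.example"], ["pdf"], timedelta(seconds=2)),
    _msg(3, "billing@invoices.example", "carol@corp.example", "Overdue invoice 4473",
         ["pay.invoices.example"], ["pdf"], timedelta(seconds=4)),
    _msg(4, "billing@invoices.example", "dave@corp.example", "Overdue invoice 4474",
         ["pay.invoices.example"], ["pdf"], timedelta(minutes=5)),   # outside the window
    _msg(5, "hr@corp.example", "erin@corp.example", "Lunch menu for Thursday",
         ["intranet.corp.example"], [], timedelta(seconds=1)),
]


def run_example() -> List[List[str]]:
    """Message ids of each mass-email group found in SAMPLE."""
    return [[m.msg_id for m in g] for g in mass_email_groups(SAMPLE)]


if __name__ == "__main__":
    print(run_example())
```

Because the window is measured from the first message of a group, no group can span more than ten seconds; the fourth copy of the campaign is therefore left ungrouped even though it scores identically, which is the practical effect of limiting a similarity determination to a small time window.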


Claims 2 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Ferguson et al., US 2017/0230391 (published 2017-08) in view of Benishti et al., US 2017/0244736 (filed 2015-10), Gmach et al., US 2017/0048261 (filed 2014-04), and Dulitz et al., US 7,693,945 (filed 2004-06).
As to claims 2 and 12, Ferguson in view of Benishti and Gmach discloses the machine/method of claims 1 and 11 and further discloses:

 based on at least …, and ii) how rare (“The Bayesian model may comprise one of the conditional probability terms: P(U/T); P(D/U,T); P(A/D,U,T); and P(N/A,D,U,T).” Ferguson ¶ 27) the collection of users under analysis all would send and/or receive this similar email (“Let A be the set of normal activities of a person. Let A′ represent the set of abnormal or anomalous activities. The pattern of normal activities is actively learned from user data.” Ferguson ¶ 159) in roughly the substantially simultaneous time frame (“relevant events are detected within a specific time window. … The conditions of the rule can be as follows: “identify any sequence of 10 malformed HTTP requests from the same IP address made within a one-minute window.”” Gmach ¶ 20), where the mass email association module uses the normal behavior (“The anomalous behavior system has the ability to self-learn and detect normality in order to spot true anomalies” Ferguson ¶ 67) of email activity and user activity associated with the network and its email domain (“such as sending emails” Ferguson ¶ 111, also ¶ 153. Emails are a user activity.) …

Ferguson in view of Benishti and Gmach does not disclose:
i) historical patterns of communication between those users
to create a map of associations between users in the email domain to generate the likelihood that the two or more users would be included in the similar emails determined by the mass email association detector.

Dulitz discloses:
i) historical patterns of communication between those users (“FIG. 4 is a table of possible communication activity conditions that may exist and as might be displayed in a template or list of statistics …. condition in column 401 reads, “User has sent email to Sender” …. third condition listed in column 401 reads, “User has replied to email from Sender”.” Dulitz cols. 10-11)
to create a map of associations between users in the email domain (“At act 504 in this embodiment processor 206 functions as a data aggregator and retrieves statistical values for conditions found to exist” Dulitz col. 12, ln. 23) to generate the likelihood that the two or more users would be included in the similar emails determined by the mass email association detector. (“At act 505, processor 206 may perform a calculation involving the aggregated values to derive a single value that may be compared against a threshold in order to classify the message being processed.” Dulitz col. 12, ln. 27)


Claims 4, 5, 10, 14, 15, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Ferguson et al., US 2017/0230391 (published 2017-08) in view of Benishti et al., US 2017/0244736 (filed 2015-10), Gmach et al., US 2017/0048261 (filed 2014-04), and Adir et al., US 2019/0238571 (filed 2018-01).
As to claims 4 and 14, Ferguson in view of Benishti and Gmach discloses the machine/method of claims 1 and 11 but does not disclose:
an email layout change predictor module configured to analyze changes in an email layout of an email of a user in that email domain to assess whether malicious activity is occurring to an email account of that user, based on the changes in the email layout of the email deviating from a historical norm. 

Adir discloses:
an email layout change predictor module configured to analyze changes in (“each new message may be analyzed against these models and outliers may be 
(the layout being: 
“text analysis may be used to extract features from many or all email messages, including features such as keywords and overall mood. Examples of other features may include sender's email address and role within the organization, CC email addresses and roles, sender's IP address if available, sender's location if available, a non-binary phishing score for the email's content, mood, roles, security issues” Adir ¶ 18.
“a non-binary phishing score indicating a likelihood of phishing behavior may be generated. Examples of such patterns may include a technical email sent from a source other than the organization's IT, a donation request which is delivered to many users in the organization, an email that is addressed to a variety of unconnected roles within the organization (e.g. sales, IT, research and cleaning departments), an email from a senior VP of one department to a lower ranking employee from another department with a 

A person of ordinary skill in the art before the effective filing date of the claimed invention would have modified Ferguson in view of Benishti and Gmach with Adir by incorporating the anomaly analysis of Adir into the abnormality detection of Ferguson.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Ferguson in view of Benishti and Gmach with Adir in order to identify phishing attacks with a classifier that improves performance by detecting anomalies in the content of the emails.

As to claims 5 and 15, Ferguson in view of Benishti, Gmach, and Adir discloses the machine/method of claims 4 and 14 and further discloses:
where the email layout change predictor module is further configured to detect anomaly deviations by considering two or more parameters of an email selected from group consisting of a layout of the email, a formatting of the email, a structure of an email body including any of content (“a technical email sent from a source other than the organization's IT” Adir ¶ 19. See also ¶ 20), language-usage (“keywords and overall mood” Adir ¶ 19), subjects (“a lower ranking employee from another department with a subject that is unrelated to both” Adir ¶ 19), and sentence construction (“keywords and overall mood” Adir ¶ 19) within the email body in order to detect a change in behavior of a sender of the email under analysis that is indicative of their email account being 


As to claims 10 and 20, Ferguson in view of Benishti and Gmach discloses the machine/method of claims 1 and 11 and further discloses:
where the cyber threat module is configured to receive an input from each of the following two or more modules, which include: (“FIG. 1 illustrates a network of computer system 100 using an anomalous behavior detection system.” Ferguson ¶ 60. The cyber threat module being the anomalous behavior detection system of Ferguson.)
…
an email similarity scoring module configured to compare an incoming email, based on a semantic similarity of multiple aspects (Benishti ¶¶ 78-85) of the incoming email to a cluster of different metrics derived from known bad emails to derive a similarity score between an email under analysis (“Comparing the signatures and features to previous reports (step 33), and scoring the message based on features similarity” Benishti ¶ 82) and the cluster of different metrics derived from known bad emails; (“extracting features and properties from a message that is currently reported as suspicious, wherein the extraction include any extractable data from the message's structure, content and metadata; creating signatures based on said extracted features and properties; and comparing said extracted features and properties and said signatures to suspicious messages reported by other sources and/or users;” Benishti ¶¶ 16-20).

where the cyber threat module is configured to factor in the input from each of these analyses above in the range of metadata (Benishti ¶¶ 78-85, scoring similarity of messages based on “address, message headers, message subject, body, links—name and address, attachments type name, signatures and any other metadata that is extractable from the structure of the message”) from observed email communications to detect and determine when the deviation from the normal behavior of email activity (“an unsupervised mathematical model used for detecting behavioral change.” Ferguson ¶ 16) and user activity associated with the network and its email domain is occurring and then determine what action to take to remedy against a potentially malicious email. (“If the message's overall score is above a predefined threshold (step 34), the message is treated as suspicious (step 35)” Benishti ¶ 84.  See Benishti ¶¶ 78, 102-114 for actions taken by a security manager to messages matched using similarity algorithm).

Ferguson in view of Benishti and Gmach does not disclose:
a mass email association module configured to determine a likelihood that two or more similar emails would be i) sent from or ii) received by a collection of users in the email domain under analysis in the substantially simultaneous time period, where the substantially simultaneous time period is equal to or less than a ten second difference in any of i) a time sent for each of the similar emails under analysis, and ii) a time received for each of the similar emails under analysis; 
an email layout change predictor module configured to analyze changes in an email layout of an email of a user in that email domain to assess whether malicious 
an image-tracking link module configured to cooperate with an image-tracking link detector to analyze link properties that describe the tracking link’s visual style and appearance accompanying the tracking link to detect whether the tracking link is intentionally being hidden as well as a type of query requests made by the tracking link to determine whether this tracking link is a suspicious covert tracking link; and 

Adir discloses:
an email layout change predictor module configured to analyze changes in (“each new message may be analyzed against these models and outliers may be detected.” Adir ¶ 19) an email layout (see Adir ¶¶ 18 and 19 for examples of layout) of an email of a user in that email domain to assess whether malicious activity is occurring to an email account of that user (“new email messages are malicious email messages using features extracted from the plurality of new email messages and using information relating to features of emails among users in the organization.” Adir ¶ 7), based on the changes in the email layout of the email deviating from a historical norm; (“At 204, a behavioral model may be constructed for each user and for the entire organization, based on, for example, traffic analysis and the extracted features. Examples of other behavioral models may include typical contacts per email subject, person, role or group within the organization, typical CC list per subject, person, role or group, location analysis, etc.” Adir ¶ 18, behavioral model being a historical norm.)



Claims 7 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Ferguson et al., US 2017/0230391 (published 2017-08) in view of Benishti et al., US 2017/0244736 (filed 2015-10), Gmach et al., US 2017/0048261 (filed 2014-04), and Cohen et al., “Spectral Bloom Filters” (published 2003).
As to claims 7 and 17, Ferguson in view of Benishti and Gmach discloses the machine/method of claims 1 and 11 and further discloses:
…a method of storing commonality data for any of i) domains, ii) hostnames, and iii) other information regarding observed in email traffic (Benishti ¶¶ 78-85, scoring similarity of messages based on “address, message headers, message subject, body, links—name and address, attachments type name, signatures and any other metadata that is extractable from the structure of the message”) …
intelligence known from the network about email traffic (Benishti ¶¶ 78-85)

Ferguson in view of Benishti and Gmach does not disclose:

…
using the bloom filters and then being able to look up and retrieve that data (Cohen § 2.2 Querying the SBF), where the bloom filters are used to store …, all of which is stored in a compressed manner due to the nesting structure of the bloom filters. (“Bloom Filters are space efficient data structures which allow for membership queries over a given set” Cohen § 1)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Ferguson in view of Benishti and Gmach with Cohen by utilizing the Spectral Bloom Filter disclosed by Cohen to store the extracted metadata of Ferguson in view of Benishti and Gmach.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Ferguson in view of Benishti and Gmach with Cohen in order to efficiently store data in a structure that allows for a sliding window representation and deletions from the data structure, thereby providing a size efficient structure (bloom filter) that provides access during finite windows (Gmach).
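As an added worked example (not code from the application, Cohen, or any other cited reference), the Python below implements the plain Bloom filter described under the § 112(b) rejection of claims 7 and 17 and the counting variant that is the core of Cohen’s Spectral Bloom Filter: counters replace bits, so the structure can estimate how many times a domain or hostname has been observed and can delete entries. It stores sender-domain commonality data of the kind claims 7 and 17 recite. It deliberately shows no "nesting" of filters, which is the feature found indefinite above. The array size, hash construction, and the sample list of observed domains are assumptions.

```python
import hashlib
from typing import List

# Added example; sizes, hashing scheme and sample data are assumed.


class BloomFilter:
    """m-cell array; each element sets k positions. Membership answers are 'no' or 'maybe'."""

    def __init__(self, m: int = 4096, k: int = 4):
        self.m, self.k = m, k
        self.cells = [0] * m  # 0/1 per cell here; a real implementation packs bits

    def positions(self, item: str) -> List[int]:
        # Double hashing: two 64-bit halves of one SHA-256 digest give h1 + i*h2 (mod m).
        d = hashlib.sha256(item.encode("utf-8")).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item: str) -> None:
        for p in self.positions(item):
            self.cells[p] = 1

    def __contains__(self, item: str) -> bool:
        # A False result is definite; True may be a false positive from other elements.
        return all(self.cells[p] for p in self.positions(item))


class SpectralBloomFilter(BloomFilter):
    """Counters instead of bits (Cohen's SBF idea): multiplicity estimates and deletion."""

    def add(self, item: str) -> None:
        for p in self.positions(item):
            self.cells[p] += 1

    def remove(self, item: str) -> bool:
        if item not in self:  # never decrement for an item that was never added
            return False
        for p in self.positions(item):
            self.cells[p] -= 1
        return True

    def count(self, item: str) -> int:
        # Minimum over the k counters: never an undercount, exact absent collisions.
        return min(self.cells[p] for p in self.positions(item))


# Constructed sample: sender domains seen in a window of email traffic.
OBSERVED_SENDER_DOMAINS = [
    "corp.example", "corp.example", "corp.example", "partner.example",
    "invoices.example", "corp.example", "partner.example",
]


def domain_commonality(domains=OBSERVED_SENDER_DOMAINS) -> SpectralBloomFilter:
    """Build the commonality store for a list of observed sender domains."""
    sbf = SpectralBloomFilter()
    for d in domains:
        sbf.add(d)
    return sbf


if __name__ == "__main__":
    sbf = domain_commonality()
    for d in ("corp.example", "partner.example", "never.invalid"):
        print(d, d in sbf, sbf.count(d))
```

The counting variant is what gives a sliding-window use: entries leaving the window are removed by decrementing their counters, which a plain bit-array Bloom filter cannot do without rebuilding.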

Claims 8, 9, 18, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Ferguson et al., US 2017/0230391 (published 2017-08) in view of Benishti et al., US 2017/0244736 (filed 2015-10), Gmach et al., US 2017/0048261 (filed 2014-04), and Klos et al., US 2010/0287246 (filed 2009-12).
As to claims 8 and 18, Ferguson in view of Benishti and Gmach discloses the machine/method of claims 1 and 11 but does not disclose:
an image-tracking link detector configured to detect a tracking link based on visual properties of the tracking link as well as a purpose of any query parameters from that link. 

Klos discloses:
an image-tracking link detector configured to detect a tracking link based on visual properties of the tracking link as well as a purpose of any query parameters from that link. (“Hidden link—any link, URL or other codification of an internet location which is encoded within the email as the location actually accessed when a user clicks on a particular item within the email (this can be triggered via other methods as well). Hidden links are generally not easily viewable by the recipient and are often different from the visible link they're encoded with in phishing emails.” Klos ¶ 130. “the receiving e-mail system may analyze incoming e-mail messages for the presence of malicious code, e.g., in the form of javascript code and the like. Suspect code may include code that attempts to: open a window on a recipients computer or connect a recipient's computer to another computer; hide, alter or otherwise modify a link, URL or other text in the 

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Ferguson in view of Benishti and Gmach with Klos by using a hidden link analysis disclosed in Klos Figure 12, to determine if a mail is potentially malicious and replacing malicious links with security warnings.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Ferguson in view of Benishti and Gmach with Klos in order to prevent users from selecting links that are hidden and would misdirect the user to a malicious or phishing address, thereby increasing security. 

As to claims 9 and 19, Ferguson in view of Benishti, Gmach, and Klos discloses the machine/method of claims 8 and 18 and further discloses:
an image-tracking link module configured to cooperate with the image-tracking link detector to analyze the tracking link’s properties that describe the tracking link’s visual style and appearance accompanying the tracking link to detect whether the tracking link is intentionally being hidden as well as a type of query requests made by the tracking link, (“Hidden link—any link, URL or other codification of an internet location which is encoded within the email as the location actually accessed when a user clicks on a particular item within the email (this can be triggered via other methods as well). Hidden links are generally not easily viewable by the recipient and are often different from the visible link they're encoded with in phishing emails.” Klos ¶ 130. “If they both .
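The Python below is an added worked example, not code from the application or from Klos, of the two checks discussed for claims 8, 9, 18 and 19: a hidden link whose visible text names a different host than the href actually encodes (Klos ¶ 130), and an image tracking link whose visual style hides it and whose query parameters identify the recipient. The parsing approach, the heuristics for "tiny or hidden", and the sample message body are assumptions.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse

# Added example; heuristics and sample body are assumed, not taken from any reference.

# Anchor text that itself reads as a URL or bare host name.
URL_LIKE = re.compile(r"^(?:https?://)?([a-z0-9][a-z0-9.-]*\.[a-z]{2,})(?:[/?#:].*)?$", re.I)


def visible_host(text: str) -> Optional[str]:
    m = URL_LIKE.match(text.strip())
    return m.group(1).lower() if m else None


class LinkCollector(HTMLParser):
    """Collect each <a href> with its visible text, and every <img> with its attributes."""

    def __init__(self):
        super().__init__()
        self.anchors: List[Dict[str, str]] = []
        self.images: List[Dict[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "img" and a.get("src"):
            self.images.append(a)

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append({"href": self._href, "text": "".join(self._text).strip()})
            self._href = None


def audit_links(html: str) -> List[Dict]:
    """Flag visible/actual host mismatches and hidden images that carry query parameters."""
    p = LinkCollector()
    p.feed(html)
    findings: List[Dict] = []
    for a in p.anchors:
        shown = visible_host(a["text"])
        actual = (urlparse(a["href"]).hostname or "").lower()
        if shown and actual and shown != actual:
            findings.append({"kind": "mismatched_link", "visible": shown, "actual": actual})
    for img in p.images:
        src = urlparse(img["src"])
        style = img.get("style", "").replace(" ", "").lower()
        tiny = img.get("width") in ("0", "1") or img.get("height") in ("0", "1")
        hidden = "display:none" in style or "visibility:hidden" in style
        params = parse_qs(src.query)
        if (tiny or hidden) and params:
            findings.append({"kind": "covert_tracking_pixel",
                             "host": (src.hostname or "").lower(),
                             "params": sorted(params)})
    return findings


# Constructed sample body: one spoofed link, one 1x1 hidden pixel, one benign image and link.
SAMPLE_BODY = """
<p>Your account needs verification.</p>
<a href="https://login.bank-example.invalid/verify?u=123">https://www.bank.example/verify</a>
<img src="https://track.example.net/open.gif?rid=7f3a&amp;c=42" width="1" height="1" style="display: none">
<img src="https://cdn.bank.example/logo.png" width="120" height="40">
<a href="https://www.bank.example/help">Help center</a>
"""

if __name__ == "__main__":
    for f in audit_links(SAMPLE_BODY):
        print(f)
```

The visible-text check only fires when the anchor text itself looks like a URL; a link labelled "Help center" that points somewhere unexpected needs a different test (for example, comparing the href host against the sender’s domain), which this example does not attempt.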

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892, particularly:
Stolfo et al., US 2003/0167402 discloses a method for detecting malicious email transmissions.
Mehr et al., US 2006/0168024 discloses determining a sender reputation for spam prevention. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL W CHAO whose telephone number is (571)272-5165. The examiner can normally be reached M, W-F 8-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571) 272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MICHAEL W CHAO/           Examiner, Art Unit 2492