DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
2.	This Office Action is in response to the application filed on 11/27/2019.
3.	The IDSs submitted on 05/08/2020, 08/19/2021 and 11/02/2021 have been considered.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

4.	Claims 1-2, 12-16, and 20 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Jeyakumar et al (US 20200204572 A1) which claims priority from provisional application No. 62/807,888 filed on Feb. 20, 2019.
Jeyakumar is directed to threat detection platforms for detecting, characterizing, and remediating email-based threats in real time.

As per claim 1, Jeyakumar discloses a  computing platform (0023] FIG. 3 depicts an example of a system for detecting email-based threats that includes a customer network (also referred to as an “enterprise network”) and a threat detection platform. Fig. 3) comprising: 
at least one processor; a communication interface communicatively coupled to the at least one processor; and memory storing computer-readable instructions that, when executed by the at least one processor ([0158] FIG. 17 includes a high-level architectural depiction of a threat detection platform able to perform generate/update the data used for real-time processing of incoming emails via batch processing ) cause the computing platform to: 
generate, based on email data received from a plurality of user accounts, a plurality of user identification models, wherein each of the plurality of user identification models is specific to one of the user accounts ([0067] The system 300 can function to acquire email usage data of a customer (also referred to as an “enterprise” or “entity”), generate a profile based on the email usage data that includes a number of received or inferred behavioral traits, monitor incoming emails, and, for each email. Also see [0081, 0082 and 0083]);
intercept a first email message from a first user account of the plurality of user accounts to a second user account of the plurality of user accounts ([0060] Initially, the threat detection platform 214 may receive an email addressed to an employee of an enterprise. Upon receiving the email, the threat detection platform 214 may apply a first model 204 to the email to produce a first output indicative of whether the email is representative of a malicious email. 
apply a first model of the plurality of user identification models to the first email message to calculate a first plurality of feature vectors for the first email message, wherein the first model of the plurality of user identification models is specific to the first user account of the plurality of user accounts ([0022] FIG. 2 illustrates how a threat detection platform may apply a multi-tiered ensemble model comprised of multiple sub-models to incoming emails received via the Internet to determine which emails, if any, should be prevented from reaching their intended destination. [0042] FIG. 20 depicts a flow diagram of a process for applying a personalized machine learning (ML) model to emails received by an employee of an enterprise to detect security threats. [0132] FIG. 13 provides an example matrix of the stages that may be performed by a threat detection platform as it processes data, extracts features, determines whether an event is representative of an attack, etc. [0046] By establishing what constitutes normal behavior traits and/or normal email content, the enterprise can be protected against new, sophisticated attacks such as employee impersonation, vendor impersonation, fraudulent invoices, email account compromise, and account takeover).
 apply one or more impersonation algorithms to the first plurality of feature vectors, wherein applying the one or more impersonation algorithms to the first plurality of feature vectors indicates that the first email message is an impersonated message ([0046] Introduced here are threat detection platforms designed to collect and examine emails in order to identify security threats to an enterprise. At a high level, the technologies described herein can function to build a model representative of the normal email behavior of an enterprise (or an individual employee of the enterprise) and then look for deviations to identify abnormalities by applying the model to incoming emails. By establishing what constitutes normal behavior traits and/or normal email content, the enterprise can be protected against new, sophisticated attacks such as employee impersonation, vendor impersonation, fraudulent invoices, email account compromise, and account takeover. Also see [0128]); and
 based on results of the one or more impersonation algorithms, modify delivery of the first email message ([0095] For example, upon discovering a compromised account, the threat detection platform 302 may invoke API(s) to block the compromised account, reset connections with services/databases, or change the password through a workflow. Additionally or alternatively, remediation steps can include moving the email from the junk folder back into the inbox (e.g., in response to determination that the email was not an attack).

As per claim 2, Jeyakumar further discloses that the computing platform of claim 1, wherein applying the one or more impersonation algorithms to the first plurality of feature vectors results in a confidence score indicative of a likelihood that the first email message is an impersonated message ([0110] In some embodiments, each analysis module is specific to an attack type, where the plurality of outputs from the plurality of analysis modules is further analyzed (e.g., by a master detector) to determine whether the email is an attack. In other embodiments, the analysis module detects multiple attack types (e.g., outputs multiple output values, each corresponding to a different attack type, where the output can be a likelihood and/or confidence in the corresponding attack type), and the email can be labeled as an attack when the output value exceeds a predetermined threshold for the corresponding attack type. However, the attack can be otherwise detected.

As per claim  12. The computing platform of claim 1, wherein the memory stores additional computer-readable instructions that, when executed by the at least one processor, cause the computing platform to: 
intercept a second email message from a third user account of the plurality of user accounts to the second user account of the plurality of user accounts ([0168] Thereafter, the threat detection platform may receive second data related to an email received by the employee (step 2004). 
apply a second model of the plurality of user identification models to the second email message to calculate a second plurality of feature vectors for the second email message ([0168]The threat detection platform can establish whether the email is representative of a security risk by applying the personalized ML model to the second data (step 2005). Also see [0170]); 
wherein the second model of the plurality of user identification models is specific to the third user account of the plurality of user accounts; apply the one or more impersonation algorithms to the second plurality of feature vectors, wherein applying the one or more impersonation algorithms to the second plurality of feature vectors indicates that the second email message is a legitimate message ([0046] Introduced here are threat detection platforms designed to collect and examine emails in order to identify security threats to an enterprise. At a high level, the technologies described herein can function to build a model representative of the normal email behavior of an enterprise (or an individual employee of the enterprise) and then look for deviations to identify abnormalities by applying the model to incoming emails. By establishing what constitutes normal behavior traits and/or normal email content, the enterprise can be protected against new, sophisticated attacks such as employee impersonation, vendor impersonation, fraudulent invoices, email account compromise, and account takeover ); and based on results of the one or more impersonation algorithms, permit delivery of the second email message ([0049] Accordingly, embodiments may include a machine-readable medium having instructions that may be used to program a computing device to perform a process for receiving input indicative of an approval to access email messages that were delivered to, or sent by, employees of an enterprise over a given interval of time, [0171] The first model serves as the first level of threat detection, and therefore may be tuned/designed to permit most email (e.g., upwards of 90, 95, or 99 percent of all incoming email) to reach the intended destination).

As per claim 13, Jeyakumar further discloses that the computing platform of claim 1, wherein the email data comprises one or more of: a number of blank lines, a total number of lines, an average sentence length, an average word length, a vocabulary richness score, stop word frequency, a number of times one or more distinct words are used a single time, a total number of characters, a total number of alphabetic characters, a total number of upper-case characters, a total number of digits, a total number of white-space characters, a total number of tabs, a total number of punctuation marks, a word length frequency distribution, or a parts of speech frequency distribution ([0079] Primary attributes are preferably attributes or features extracted directly from a communication, but could be otherwise determined. [0080] Secondary attributes are preferably attributes that are determined from the primary attributes and/or customer data (e.g., as determined from the threat detection datastore 310), but can be otherwise determined. [0080] determining a mismatch between one or more primary attributes that should match; employee attributes (e.g., name, title, whether the entity is employed, whether the entity has a high attack risk, whether the entity is suspicious, whether the entity has been attacked before, etc.); vendor attributes (e.g., vendor name, whether the vendor is an exact match with a known vendor, whether there is a vendor Unicode lookalike, etc.); whether the body of the communication includes one of a set of high-risk words, phrases, sentiments, or other content (e.g., whether the communication includes financial vocabulary, credential theft vocabulary, engagement vocabulary, non-ASCII content, attachments, links, etc. see [0085]).

As per claim 14, Jeyakumar further discloses that the computing platform of claim 13, wherein the memory stores additional computer-readable instructions that, when executed by the at least one processor, cause the computing platform to: determine the vocabulary richness score by determining a number of distinct words and a number of total words; and dividing the number of distinct words by the number of total words. ([0080]The secondary attributes can be extracted, inferred, calculated, or otherwise determined. Examples of secondary attributes can include: whether the body of the communication includes one of a set of high-risk words, phrases, sentiments, or other content (e.g., whether the communication includes financial vocabulary, credential theft vocabulary, engagement vocabulary, non-ASCII content, attachments, links, etc. also see [0085]).
As per claims 15-16, these method claims include limitations similar to that of claims 1 and 2, respectively, thus are rejected under the similar citations given to  the system claims 1 and 2.
As per claim 20,  this non-transitory computer-readable media claim includes limitations similar to that of claim 1, thus is rejected under the similar citations given to  the system claim 1. 

Allowable Subject Matter
5.	Claims 3-11, and 17-19 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims. In particular the combination of claimed features of claims 3 (system) and 17 (method) recite a combinations of features that are not taught in any prior art of records as arranged in these claims. Furthermore, since the remaining clams above depend on these claims,  these claims are also allowable for the similar rationales.  

CONCLUSION

6.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Jakobsson et al  (US 2018/0375877) is directed to evaluating security of requested data using message context. 
Zhao et al (US 2020/0134009 A1) this disclosure provides for systems and methods that generate personalized electronic messages for members of a networked communication service. The personalized electronic messages are generated according to commonalities between member profiles.
7.	It is noted that any citation to specific pages, columns, figures, or lines in the prior art references any interpretation of the references should not be considered to be limiting in any way. A reference is relevant for all it contains and may be relied upon for all that it would have reasonably suggested to one having ordinary skill in the art. In re Heck, 699 F.2d 1331-33, 216 USPQ 1038-39 (Fed. Cir. 1983) (quoting In re Lemelson, 397 F.2d 1006, 1009, 158 USPQ 275, 277 (CCPA 1968)).
8.	Information regarding the status of an application may be obtained from the patent application information retrieval (PAIR) system. Status information for published application may be obtained from either Private –PAIR or Public-PAIR. Status information for unpublished applications is available through Private-PAIR only. For more information about the PAIR system, please see pair-direct.uspto.gov web site. Should you have questions regarding access to the PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
9.	Any inquiry concerning this communication or earlier communications from the Examiner should be directed to Tadesse Hailu, whose telephone number is (571) 272-4051, e-mail address tadesse.hailu@uspto.gov, and the Fax number is (571) 273-4051. The Examiner can normally be reached on M-F from 10:30 – 7:00 ET. If attempts to reach the Examiner by telephone are unsuccessful, the Examiner’s supervisor, Kieu Vu, can be reached at (571) 272-4057 Art Unit 2173. 
/TADESSE HAILU/Primary Examiner, Art Unit 2173