DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Claims 1-20 are presented for examination.
Information Disclosure Statement
The information disclosure statements (IDS) submitted on 3/09/2020. The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.
Title Objection
The title of the invention is not descriptive.  A new title relevant to the invention (e.g. detecting phishing emails using Machine Learning etc.) is required that is clearly indicative of the invention to which the claims are directed. 
Internet Communication Authorization
The examiner recommends filling a written authorization for internet communication in response to the present action. Doing so permits the USPTO to communicate with applicant using internet email to schedule interviews or discuss other aspects of the application. Without a written authorization in place, the USPTO cannot respond to Internet correspondence received from Applicant. The preferred method of providing authorization is by filing form PTO/SB/439, available at: https://www.uspto.gov/patent/forms/forms. See MPEP § 502.03 for other methods of providing written authorization.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 15-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.
Regarding claim 15, the claim is system claim recite place holder such as “a tokenizer", and “a feature extractor” followed by placed holder “for" along with functional language that invokes 35 U.S.C.112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for the claimed function. It is unclear what means are performing the claimed functions of the network communication. If the specification does not disclose sufficient structure to perform the claimed function of a USC § 112, sixth paragraph, the claim scope will not be clear, and will amount to pure functional claim. Applicant may:
(a) Amend the claim so that the claim limitation will no longer be a means (or step) plus function
limitation under 35 USC § 112, sixth paragraph; or
(b) Amend the written description of the specification such that it expressly recites what structure,
material, or acts perform the claimed function without introducing any new matter (35 U.S.C. 132(a)).
If applicant is of the opinion that the written description of the specification already implicitly or
inherently discloses the corresponding structure, material, or acts so that one of ordinary skill in the art would recognize what structure, material, or acts perform the claimed function, applicant is required to clarify the record by either:
(a) Amending the written description of the specification such that it expressly recites the corresponding structure, material, or acts for performing the claimed function and clearly links or associates the structure, material, or acts to the claimed function, without introducing any new matter (35U.S.C. 132(a)); or
(b) Stating on the record what the corresponding structure, material, or acts, which are implicitly or inherently set forth in the written description of the specification, perform the claimed function. For more information, see 37 CFR 1.75(d) and MPEP §§ 608.01(o) and 2181.
For more information, see Supplementary Examination Guidelines for Determining Compliance with 35 U.S.C. 112 and for Treatment of Related Issues in Patent Applications, 76 FR 7162, 7167 (Feb. 9,
2011)
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

Claim limitations “a tokenizer for and “a feature extractor for” have been interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because they use a generic placeholder “for” coupled with functional language “separating” and “subjecting” without reciting sufficient structure to achieve the function.  Furthermore, the generic placeholder is not preceded by a structural modifier.
If applicant does not intend to have the claim limitation(s) treated under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112 , sixth paragraph, applicant may amend the claim(s) so that it/they will clearly not invoke 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, or present a sufficient showing that the claim recites/recite sufficient structure, material, or acts for performing the claimed function to preclude application of 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.
For more information, see MPEP § 2173 et seq. and Supplementary Examination Guidelines for Determining Compliance With 35 U.S.C. 112 and for Treatment of Related Issues in Patent Applications, 76 FR 7162, 7167 (Feb. 9, 2011).
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-4, 6-11, 13-17, 19 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Bruss et al (US pub, 2019/0349400)
Referring to claim 1, Bruss teaches a method for detecting a phishing attack on a computer device, comprising: 
scanning at least one email message (see para [037], Attack detection server Analyzes or scans incoming one or more emails messages);
separating email parts from the at least one email message ([abs], separate the email into a plurality of email components), in response to scanning the at least one email message (see para [026], separating the email into plurality of component in response to analyzing the email message); 
subjecting the email parts of the at least one email message to a feature extraction operation (see para [049], [050], [055] features derived from one or more URL analysis, header analysis); and 
analyzing email features extracted from the email parts to determine whether or not any of the email features contain suspected phishing content ([037], by iteratively refining or retraining the machine learning algorithms, attack-detection server 140 may quickly adapt to identify new malicious emails (e.g., new types of malicious emails or new approaches of malicious emails), confirmed phishing content and benign email content (see paragraphs [038], [039] attack detection server 140 identifies high risk emails forwarded to analyst for confirming the content as malicious (i.e. confirmed) or benign – also see [057]).
Bruss teaches detecting email based attacks through machine learning by analyzing extracted portions of email features by confirming content as malicious or benign.
Bruss expressly lacks confirming content malicious and benign.
It would have been obvious to an ordinary person skilled in the art at the time invention was made to modify Bruss’s emails attack detection using machine learning to analyze extracted portions of email features by confirming content as malicious and benign in order to implement effective email-attack detection system that detects, isolate, parse the suspicious and malicious emails.
Referring to claim 2, Bruss teaches the method of claim 1 wherein the email parts are separated from the at least one email message by a tokenizer (see paragraph [049] attack-detection server 140….parse the email into portions (e.g., header, subject line, body text, URLs or other embedded links, etc.)
Referring to claim 3, Bruss teaches the method of claim 1 wherein the email parts separated from the at least one email message comprise at least one of: an email attachment ([049], attachment analysis), an email body, an email text body ([049] body text), an email header (049], header) and a network associated with the at least one email message.
Referring to claim 4, Bruss teaches the method of claim 1 wherein analyzing email features extracted from the email parts further comprises analyzing HTML body data and text data associated with the at least one email message (see paragraph [055], analyzing HTML elements, and raw text).
Referring to claim 6, Bruss teaches the method of claim 1 wherein scanning the at least one email message further comprises scanning the at least one email message on a continuous basis (see paragraph [037], analyzing iterative = continuous basis using machine learning).
Referring to claim 7, Bruss teaches the method of claim 1 wherein analyzing the email features extracted from the email parts further comprises: collecting the email features extracted from the email parts; and subjecting the email features after the feature extraction operation to Al (Artificial Intelligence) and machine learning model training prior to (see para [026]) determining if any of the email features contain suspected phishing content (see para [050], The embedded text may then be fed into a neural network classifier along with meta-features (e.g., features derived from URL analysis, header analysis and attachment analysis) at the same time), confirmed phishing content and benign email content (see paragraph [038], [039], malicious or benign).
Referring to claim 8, Bruss teaches a system for detecting a phishing attack on a computer device, comprising: at least one processor (see paragraph [007], processor); and a non-transitory computer-usable medium embodying computer program code, the computer-usable medium capable of communicating with the at least one processor, the computer program code comprising instructions executable by the at least one processor and configured for: scanning at least one email message (see para [037], Attack detection server Analyzes or scans incoming one or more emails messages);
separating email parts from the at least one email message ([abs], separate the email into a plurality of email components), in response to scanning the at least one email message (see para [026], separating the email into plurality of component in response to analyzing the email message);
subjecting the email parts of the at least one email message to a feature extraction operation (see para [049], [050], [055] features derived from one or more URL analysis, header analysis); and 
analyzing email features extracted from the email parts to determine whether or not any of the email features contain suspected phishing content ([037], by iteratively refining or retraining the machine learning algorithms, attack-detection server 140 may quickly adapt to identify new malicious emails (e.g., new types of malicious emails or new approaches of malicious emails), confirmed phishing content and benign email content (see paragraphs [038], [039] attack detection server 140 identifies high risk emails forwarded to analyst for confirming the content as malicious (i.e. confirmed) or benign – also see [057]).
Bruss teaches detecting email based attacks through machine learning by analyzing extracted portions of email features by confirming content as malicious or benign.
Bruss expressly lacks confirming content malicious and benign.
It would have been obvious to an ordinary person skilled in the art at the time invention was made to modify Bruss’s emails attack detection using machine learning to analyze extracted portions of email features by confirming content as malicious and benign in order to implement effective email-attack detection system that detects, isolate, parse the suspicious and malicious emails.
Referring to claim 9, Bruss teaches the system of claim 8 wherein the instructions for separating the email parts from the at least one email message, further comprise instructions configured for separating the email parts from the at least one email message by a tokenizer ([049] attack-detection server 140….parse the email into portions (e.g., header, subject line, body text, URLs or other embedded links, etc.).
Referring to claim 10, Bruss teaches the system of claim 8 wherein email parts separated from the at least one email message comprise at least one of: an email attachment ([049], attachment analysis), an email body, an email text body ([049] body text), an email header (049], header), and a network associated with the at least one email message. 
Referring to claim 11, Bruss teaches the system of claim 8 wherein the instructions configured for analyzing email features extracted from the email parts, further comprise instructions configured for analyzing HTML body data and text data associated with the at least one email message (see paragraph [055], analyzing HTML elements, and raw text).
Referring to claim 13, Bruss teaches the system of claim 8 wherein the instructions for scanning the at least one email message further comprise instructions configured for scanning the at least one email message on a continuous basis (see paragraph [037], analyzing iterative = continuous basis using machine learning). 
Referring to claim 14, The system of claim 8 wherein the instructions configured for analyzing the email features extracted from the email parts (see para [026]), further comprise instructions configured for:  collecting the email features extracted from the email parts ([026],  separate the email into a plurality of email components) and subjecting the email features after the feature extraction operation to Al (Artificial Intelligence) and machine learning model training prior to determining if any of the email features contain suspected phishing content, confirmed phishing content and benign email content (see para [050], The embedded text may then be fed into a neural network classifier along with meta-features (e.g., features derived from URL analysis, header analysis and attachment analysis) at the same time) determining if any of the email features contain suspected phishing content (see para [050], The embedded text may then be fed into a neural network classifier along with meta-features (e.g., features derived from URL analysis, header analysis and attachment analysis) at the same time), confirmed phishing content and benign email content (see paragraph [038], [039], malicious or benign).
Referring to claim 15, Bruss teaches a system for detecting a phishing attack on a computer device, comprising:
a tokenizer for separating email parts from at least one email message, in response to scanning the at least one email message (see paragraph [049] attack-detection server 140….parse the email into portions (e.g., header, subject line, body text, URLs or other embedded links, etc.); and
a feature extractor (see para [070], module) for subjecting the email parts of the at least one email message to a feature extraction operation (see para [049], [050], [055] features derived from one or more URL analysis, header analysis),
wherein email features extracted from the email parts are analyzed to determine whether or not any of the email features contain suspected phishing content, confirmed phishing content and benign email content (see paragraphs [038], [039] attack detection server 140 identifies high risk emails forwarded to analyst for confirming the content as malicious (i.e. confirmed) or benign – also see [057]).
Bruss teaches detecting email based attacks through machine learning by analyzing extracted portions of email features by confirming content as malicious or benign.
Bruss expressly lacks confirming content malicious and benign.
It would have been obvious to an ordinary person skilled in the art at the time invention was made to modify Bruss’s emails attack detection using machine learning to analyze extracted portions of email features by confirming content as malicious and benign in order to implement effective email-attack detection system that detects, isolate, parse the suspicious and malicious emails.
Referring to claim 16, Bruss teaches the system of claim 15 wherein the email parts separated from the at least one email message comprise at least one of: an email attachment ([049], attachment analysis), an email body, an email text body ([049] body text), an email header ([049], header), and a network associated with the at least one email message.
Referring to claim 17,  Bruss teaches the system of claim 15 wherein HTML body data and text data associated with the at least one email message are further analyzed  (see paragraph [055], analyzing HTML elements, and raw text) to determine whether or not any of the email features contain the suspected phishing content, the confirmed phishing content and the benign email content (see paragraphs [055], [057]).
Referring to claim 19, Bruss teaches the system of claim 15 wherein the scanning of the at least one email message further comprises scanning the at least one email message on a continuous basis (see paragraph [037], analyzing iterative = continuous basis using machine learning).
Referring to claim 20, Bruss teaches the system of claim 15 wherein analyzing the email features extracted from the email parts further comprises: collecting the email features extracted from the email parts ([026],  separate the email into a plurality of email components); and subjecting the email features after the feature extraction operation to Al (Artificial Intelligence) and machine learning model training prior to determining if any of the email features contain suspected phishing content (see para [050], The embedded text may then be fed into a neural network classifier along with meta-features (e.g., features derived from URL analysis, header analysis and attachment analysis) at the same time), confirmed phishing content and benign email content (see paragraph [038], [039], malicious or benign).
Claims 5, 12 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Bruss et al (US pub, 2019/0349400) in view of Birch (US 2021/0211462)
Referring to claim 5, Bruss teaches the method of claim 1 but expressly lacks scanning email message on an on-demand basis.
However, Birch teaches malicious email mitigation process providing safe handling of email. Furthermore, Birch teaches wherein scanning the at least one email message further comprises scanning the at least one email message on an on-demand basis ([007]software and stored data……..operate autonomously, on-demand, and/or spontaneously).
It would have been obvious to an ordinary person skilled in the art at the time invention was made to modify Bruss’s emails attack detection using machine learning to analyze extracted portions of email features by confirming content as malicious to include malicious email mitigation mechanism of Birch in order to implement effective email-attack detection system that detects, isolate, parse the suspicious and malicious emails.
Referring to claim 12, Bruss and Birch teaches the system of claim 8 wherein the instructions configured for scanning the at least one email message, further comprise instructions configured for scanning the at least one email message on an on-demand basis (see Birch [007]software and stored data……..operate autonomously, on-demand, and/or spontaneously)
Referring to claim 18, Bruss and Birch teaches the system of claim 15 wherein the scanning of the at least one email message further comprises scanning the at least one email message on an on-demand basis (see Birch [007]software and stored data……..operate autonomously, on-demand, and/or spontaneously).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The examiner also requests, when responding to this office action, support be shown for language added to any original claims on amendment and any new claims. That is, indicate support for newly added claim language by specifically pointing to page(s) and line no(s) in the specification and/or drawing figure(s). This will assist the examiner in prosecuting the application. Applicant is advised to clearly point out the patentable novelty which he or she thinks the claims present, in view of the state of the art disclosed by the references cited or the objections made. He or she must also show how the amendments avoid such references or objections See 37 CFR 1.111 (c).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AFTAB N. KHAN whose telephone number is (571)270-5172.  The examiner can normally be reached on Monday-Friday 8AM-5PM EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Glenton Burgess can be reached on 571-272-3949.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/AFTAB N. KHAN/
Primary Examiner, Art Unit 2454