DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more. Using the subject matter eligibility test from page 74621 of the Federal Register Notice titled “2014 Interim Guidance on Patent Subject Matter Eligibility,” a two-step process is performed.
Under step 1, the claims are analyzed to determine if the claim is directed to a process, machine, article of manufacture, or composition of matter. In this case, claims 1-18 are directed to a method, which is a process; claim 19 is directed to an apparatus, which is a machine or article of manufacture; and claim 20 is directed to a computer readable medium, which is a machine or article of manufacture.
Step 2A (part 1 of the Mayo test), using the guidance from pages 50-57 of the Federal Register Vol. 84 No. 4 from Monday, January 7, 2019, requires applying a two-prong inquiry. In Prong One, examiners evaluate whether the claim recites a judicial exception, determining if the claim is directed to a law of nature, a natural phenomenon, or an abstract idea. In this case, claim 1 recites identifying information or data, determining if a communication is malicious, and initiating remediation, which are mental processes. In Prong Two, examiners evaluate whether the judicial exception is integrated into a practical application that imposes a meaningful limit on the judicial exception. In this case, additional elements such as processor, memory, and computer readable medium are generic computer components, and do not constitute integration into a practical application.
Step 2B (part 2 of the Mayo test) requires analyzing the claims to determine if they recite additional elements that amount to significantly more than the judicial exception. In this case, the claims do not include additional elements that are sufficient to amount to significantly more than the abstract idea itself.  

Regarding claims 1 and 19-20, identifying information or data, determining if a communication is malicious, and initiating remediation are mental processes, which are abstract ideas. Additional limitations of processor, memory, and computer readable medium are generic computer components, and do not constitute integration into a practical application or significantly more.

Regarding claims 2-8 and 15-18, the limitations are further clarifications of the above abstract ideas.

Regarding claim 14, extracting features and making a determination are mental processes, which are abstract ideas without significantly more and without integration into a practical application.

The limitations of the claims, taken alone, do not amount to significantly more than the above-identified judicial exception (the abstract idea). Looking at the limitations as an ordered combination adds nothing that is not already present when looking at the elements individually. Applicable case law cited in the Federal Register includes, but is not limited to: Alice Corp., 134 S. Ct. at 2355-56, Digitech Image Tech., LLC v. Electronics for Imaging, Inc., 758 F.3d 1344 (Fed. Cir. 2014), Benson, 409 U.S. at 63.

See "Preliminary Examination Instructions in view of the Supreme Court Decision in Alice Corporation Pty. Ltd. v. CLS Bank International, et al.," dated June 25, 2014, and the Federal Register notice titled "2014 Interim Guidance on Patent Subject Matter Eligibility" (79 FR 74618).

	
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claim(s) 1-9 and 14-20 is/are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Dunn et al. (US 2019/0260780 A1), hereinafter referred to as Dunn.

Regarding claim 1, Dunn teaches:
A method, comprising: 
identifying, by a processing system including at least one processor, a workflow to be protected (para [0030], [0145], where a cyber-threat module and processor analyzes network, computer, and email activity); 
identifying, by the processing system for the workflow, a set of valid resources of the workflow, wherein the set of valid resources includes a set of artifacts and a set of templates (Fig. 4, para [0068-70], where the other emails received are the set of templates, and their contents or properties such as links are the set of artifacts); 
identifying, by the processing system from a dataset associated with the workflow and based on the set of artifacts, a communication associated with the workflow (para [0061], where every email is examined including the artifacts therein, where the dataset is all the emails); 
determining, by the processing system based on an analysis of the communication based on the set of templates, that the communication is malicious (para [0071-72], [0117], where the system determines malicious characteristics by comparison with normal emails); and 
initiating, by the processing system based on the determination that the communication is malicious, a remediation action (Fig. 7, para [0119], where the system takes action against malicious emails).  

Regarding claim 2, Dunn teaches:
The method of claim 1, wherein the workflow is based on at least one of an email, a text message, a voice communication, a video, a website interaction, or an application interaction (Fig. 4, para [0061], where all emails are examined).  

Regarding claim 3, Dunn teaches:
The method of claim 1, wherein the workflow is identified based on an identification of a set of users able to interact with the workflow (para [0033], [0035], where normal behavior of users is analyzed).  

Regarding claim 4, Dunn teaches:
The method of claim 1, wherein the set of artifacts is identified from the set of templates (Fig. 4, para [0068-70], where the contents, links, and properties are extracted from the emails).  

Regarding claim 5, Dunn teaches:
The method of claim 1, wherein the communication is identified based on application of a set of filters to the dataset associated with the workflow (para [0087], where normal behaviors are filtered out, and the remaining behaviors are analyzed to determine if they are malicious).

Regarding claim 6, Dunn teaches:
The method of claim 5, wherein the set of filters is created based on the set of artifacts (para [0087], where the activities/events/alerts are artifacts).  

Regarding claim 7, Dunn teaches:
The method of claim 1, wherein the communication is identified based on a determination that the communication is associated with an unknown source and based on a determination that one or more elements of the communication are similar to one or more artifacts of the set of artifacts (para [0066], where the sender is analyzed, and para [0087], where the normal pattern of life information, interpreted as the information being similar, is filtered out and the behaviors are used to detect threats).  

Regarding claim 8, Dunn teaches:
The method of claim 1, wherein the analysis of the communication is based on a learning algorithm (para [0061], where machine learning is used).  

Regarding claim 9, Dunn teaches:
The method of claim 8, wherein the learning algorithm includes at least one of a machine learning (ML) algorithm or a deep learning (DL) algorithm (para [0061], where machine learning is used).  

Regarding claim 14, Dunn teaches:
The method of claim 8, wherein the learning algorithm is configured to: 
extract, from the set of artifacts, a set of features of the artifacts (para [0056], where data is extracted to determine pattern of life data); 
extract, from the communication, a set of features of the communication (para [0072], where metadata is extracted from the emails); and 
determine, based on an analysis of the set of features of the artifacts and the set of features of the communication, that the communication is malicious (para [0072], where the day to day behavior is compared with the email to determine if the email is malicious).  

Regarding claim 15, Dunn teaches:
The method of claim 14, wherein the determination that the communication is malicious is based on a determination that the set of features of the artifacts and the set of features of the communication are similar (para [0087], where the normal pattern of life information, interpreted as the information being similar, is filtered out and the behaviors are used to detect threats).  

Regarding claim 16, Dunn teaches:
The method of claim 1, wherein the analysis of the communication includes at least one of an analysis of a source associated with the communication, an analysis of a domain associated with the communication, or an analysis of a resource identifier associated with the communication (para [0066-67], where the relationship of the sender is analyzed).  

Regarding claim 17, Dunn teaches:
The method of claim 1, wherein the remediation action includes at least one of a case management action, a blocking action for blocking the communication, a takedown action for initiating a takedown of a malicious website indicated within the communication, or a credential reset action for resetting a credential of at least one user associated with the communication (Fig. 7, para [0119], where the system takes action against malicious emails, para [0125], where the email is held or blocked).  

Regarding claim 18, Dunn teaches:
The method of claim 1, wherein the determining that the communication is malicious comprises an early detection of a low-volume targeted attack (para [0104], [0109], [0120], where targeted email attacks, such as phishing, are protected preemptively).

Regarding claim 19, Dunn teaches:
An apparatus comprising: 
a processing system including at least one processor (para [0145], where a processor is used); and 
a computer-readable medium storing instructions (para [0254], where computing machine readable media is used) which, when executed by the processing system, cause the processing system to perform operations, the operations comprising: 
identifying a workflow to be protected (para [0030], where a cyber-threat module analyzes network, computer, and email activity); 
identifying, for the workflow, a set of valid resources of the workflow, wherein the set of valid resources includes a set of artifacts and a set of templates (Fig. 4, para [0068-70], where the other emails received are the set of templates, and their contents or properties such as links are the set of artifacts); 
identifying, from a dataset associated with the workflow and based on the set of artifacts, a communication associated with the workflow (para [0061], where every email is examined including the artifacts therein, where the dataset is all the emails); 
determining, based on an analysis of the communication based on the set of templates, that the communication is malicious (para [0071-72], [0117], where the system determines malicious characteristics by comparison with normal emails); and 
initiating, based on the determination that the communication is malicious, a remediation action (Fig. 7, para [0119], where the system takes action against malicious emails).  

Regarding claim 20, Dunn teaches:
A non-transitory computer-readable medium (para [0254], where computing machine readable media is used) storing instructions which, when executed by a processing system including at least one processor (para [0145], where a processor is used), cause the processing system to perform operations, the operations comprising: 
identifying a workflow to be protected (para [0030], where a cyber-threat module analyzes network, computer, and email activity); 
identifying, for the workflow, a set of valid resources of the workflow, wherein the set of valid resources includes a set of artifacts and a set of templates (Fig. 4, para [0068-70], where the other emails received are the set of templates, and their contents or properties such as links are the set of artifacts); 
identifying, from a dataset associated with the workflow and based on the set of artifacts, a communication associated with the workflow (para [0061], where every email is examined including the artifacts therein, where the dataset is all the emails); 
determining, based on an analysis of the communication based on the set of templates, that the communication is malicious (para [0071-72], [0117], where the system determines malicious characteristics by comparison with normal emails); and 
initiating, based on the determination that the communication is malicious, a remediation action (Fig. 7, para [0119], where the system takes action against malicious emails).


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 10-11 and 13 is/are rejected under 35 U.S.C. 103 as being unpatentable over Dunn, in view of Sreenivasan et al. (US 2022/0020482 A1), hereinafter referred to as Sreenivasan.

Regarding claim 10, Dunn teaches:
The method of claim 8, wherein the communication has text data associated therewith (para [0077], where text is included in links in the email),
Dunn does not teach:
wherein the learning algorithm is based on at least one of a recurrent neural network (RNN) or a latent semantic indexing.
Sreenivasan teaches:
wherein the learning algorithm is based on at least one of a recurrent neural network (RNN) or a latent semantic indexing (para [0025], where an RNN is used).  
The prior art contained a device (method, product, etc.) which differed from the claimed device by the substitution of some components (machine learning) with other components (RNN); the substituted components and their functions were known in the art; one of ordinary skill in the art could have substituted one known element for another, and the results of the substitution would have been predictable.

Regarding claim 11, Dunn teaches:
The method of claim 8, wherein the communication has image data associated therewith (para [0127], where an image is attached),
Dunn does not teach:
wherein the learning algorithm is based on a convolutional neural network (CNN).
Sreenivasan teaches:
wherein the learning algorithm is based on a convolutional neural network (CNN) (para [0025], where a CNN is used).  
The prior art contained a device (method, product, etc.) which differed from the claimed device by the substitution of some components (machine learning) with other components (CNN); the substituted components and their functions were known in the art; one of ordinary skill in the art could have substituted one known element for another, and the results of the substitution would have been predictable.

Regarding claim 13, Dunn teaches:
The method of claim 8,
Dunn does not teach:
wherein the communication has video data associated therewith, wherein the learning algorithm is based on a recurrent neural network (RNN).
Sreenivasan teaches:
wherein the communication has video data associated therewith (para [0022], where video is used), wherein the learning algorithm is based on a recurrent neural network (RNN) (para [0025], where an RNN is used).  
The prior art contained a device (method, product, etc.) which differed from the claimed device by the substitution of some components (email, machine learning) with other components (video, RNN); the substituted components and their functions were known in the art; one of ordinary skill in the art could have substituted one known element for another, and the results of the substitution would have been predictable.

Claim(s) 12 is/are rejected under 35 U.S.C. 103 as being unpatentable over Dunn, in view of Clark et al. (US 2020/0074985 A1), hereinafter referred to as Clark.

Regarding claim 12, Dunn teaches:
The method of claim 8,
Dunn does not teach:
wherein the communication has voice data associated therewith, wherein the learning algorithm is based on a spectrogram-based auto-encoder.
Clark teaches:
wherein the communication has voice data associated therewith (para [0034], where speech is input), wherein the learning algorithm is based on a spectrogram-based auto-encoder (para [0079], where a spectrogram based autoencoder is used).
The prior art contained a device (method, product, etc.) which differed from the claimed device by the substitution of some components (email, machine learning) with other components (voice, autoencoder); the substituted components and their functions were known in the art; one of ordinary skill in the art could have substituted one known element for another, and the results of the substitution would have been predictable. 

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. US 2022/0092765 para [0095-96] teaches use of RNN and CNN for processing inputs such as text, video, and image; US 11,297,101 B1 Abstract teaches detection of phishing websites to protect users.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BRYAN S BLANKENAGEL whose telephone number is (571)270-0685. The examiner can normally be reached 8:00am-5:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Richemond Dorvil can be reached on 571-272-7602. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/BRYAN S BLANKENAGEL/Primary Examiner, Art Unit 2658