Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
Applicant’s amendment filed on 5/2/2022 has been entered. Applicant has amended claims 1, 7-8, 11-19, 21, 24-25 and 27. Currently claims 1-27 are pending in this application.

Response to Arguments
Applicant's arguments filed on 5/2/2022 have been fully considered but they are not persuasive. 
Applicant argued:

	In reply, examiner would like to point out that the claim language requires “automatically generate a plurality of insight events based on the detected attack and insert the plurality of insight events in an insight queue”. Please note that the generation step needs to be automated, and Kolingivadi clearly discloses a system that automatically generates a plurality of insight events based on the detected attack and inserts the plurality of insight events in an insight queue (See, Paragraph 0066, “The search tab 520 may also present a form input 530, a message ID input 532, and a subject input 534 that each may be used to input respective threat indicators to be searched in the indicated search location in the search location option 528. The form input 530, the message ID input 532, and/or the subject input 534 may be automatically filled from identified threat indicators using the select action button 424. The form input 530, the message ID input 532, and/or the subject input 534 may be populated by a template or saved search that has been generated by a security administrator to enable the security analyst to use pre-created queries. Additionally or alternatively, the form input 530, the message ID input 532, and/or the subject input 534 may enable entry of manual values into the phishing attempt search interface. The search tab 520 may include cancel buttons 536 that may be used to clear out the form input 530, the message ID input 532, and the subject input 534. In some embodiments, a first selection of a cancel button 536 may cause the value in the corresponding input to be cleared, and a second selection of the cancel button 536 may cause the threat indicator input to completely be removed from the search tab 520. The search tab 520 may also include an auto-create observables button 537 to automatically generate observables from the values in the form input 530, the message ID input 532, and/or the subject input 534” and Paragraph 0086, “As previously noted, a phishing message may affect many users, and the security analyst may want to link the user incidents together. The message may be deemed an incident or security incident, and the related affected users discovered from a search based on the message from one user may be all associated together with the related affected users deemed as child incidents of the incident for the one user”). Please note that paragraph 0066 discloses the generating step in detail and paragraph 0088 provides detail of linking the incidents; as recited in paragraph 0066, the steps of generation involve automated steps. Furthermore, applicant should note that even if manual entry is required for the search field, the actual generation of the search result is automated and not manual, as the person is not manually checking similar messages in the message logs. As a result, the arguments are not persuasive and the rejection is maintained.

Applicant further argues:

	In reply, examiner would like to point out that Kolingivadi clearly discloses “insights engine configured to…search the repository to identify said set of un-remediated attacks against the user accounts of the same or different tenants on the electronic communication platform for each of the plurality of insight events” (See, Paragraph 0007, “Systems, methods, and media described herein are used to identify phishing attacks. A notification of a phishing attempt with a parameter associated with a recipient of the phishing attempt is received at a security management node. In response, an indication of the phishing attempt is presented in a phishing attempt search interface. The phishing attempt search interface may be used to search for additional recipients of the attack, identify which recipients have been successfully targeted, and provide a summary of the recipients. Using this information, appropriate security measures in response to the phishing attempt may be performed.” and Paragraph 0086, “As previously noted, a phishing message may affect many users, and the security analyst may want to link the user incidents together. The message may be deemed an incident or security incident, and the related affected users discovered from a search based on the message from one user may be all associated together with the related affected users deemed as child incidents of the incident for the one user” and Paragraph 0089, “The computing system 10 may also provide a summary of the recipient and the additional recipients as attempted targets (e.g., affected users) or a phished target (e.g., victim users) (block 910). The computing system 10 may also be used to perform security measures in response to the phishing attempt for the attempted targets or the phished targets (block 912). The security measures may be automated and/or security analyst-initiated”). As a result, the arguments are not persuasive and the rejection is maintained.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim(s) 1, 2, 4, 5, 7-14, 16, 18-25 and 27 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Kolingivadi et al. (US 2020/0358820 A1), “Kolingivadi”.
Regarding Claims 1 and 19, Kolingivadi discloses a system and a corresponding method to support autonomous attack identification, comprising: 
a remediation engine (See, Paragraph 0035, “In some implementations, the cloud-based platform 16 may be a security operations (Sec Ops) platform that may be used to track and/or report incidents in the client network 12 and/or connected devices”) configured to 
accept an incident creation request for a detected attack via a suspicious electronic message at one user account with one tenant on an electronic communication platform (See, Paragraph 0054, “When a message is flagged, a notification may be generated. For instance, the notification may be generated by sending or forwarding the suspect message to a security analyst who may access the message/notification in the phishing attempt search interface. For instance, a scanner node may scan messages (e.g., electronic mail) for potential threat indicators and send such messages to a security management node of the computing system 10. Additionally or alternatively, a user receiving a suspect message may forward the message to specific target address or the user may select a report message button that sends the message to a security analyst for analysis. Upon opening the reported email (e.g., via the investigations item 408), an email tab 414 may open in the pane 403”); 
create an incident for the detected attack and collect electronic messages related to the incident from a repository (See, Paragraph 0086, “a phishing message may affect many users, and the security analyst may want to link the user incidents together. The message may be deemed an incident or security incident, and the related affected users discovered from a search based on the message from one user may be all associated together with the related affected users deemed as child incidents of the incident for the one user” and Paragraph 0096, “When the pertinent observables (e.g., the phishing sample) indicates a new incident (e.g., one that is not currently active), a new phishing incident may be created (block 1058). For example, if a rule is set up to generate an incident when the sender is phiser@phiser.com and the subject contains “Invoice: Inveesion” and no such incident has yet been generated, a new incident may be generated”); 
automatically generate a plurality of insight events based on the detected attack and insert the plurality of insight events to an insights queue (See, Paragraph 0066, “The search tab 520 may also present a form input 530, a message ID input 532, and a subject input 534 that each may be used to input respective threat indicators to be searched in the indicated search location in the search location option 528. The form input 530, the message ID input 532, and/or the subject input 534 may be automatically filled from identified threat indicators using the select action button 424. The form input 530, the message ID input 532, and/or the subject input 534 may be populated by a template or saved search that has been generated by a security administrator to enable the security analyst to use pre-created queries. Additionally or alternatively, the form input 530, the message ID input 532, and/or the subject input 534 may enable entry of manual values into the phishing attempt search interface. The search tab 520 may include cancel buttons 536 that may be used to clear out the form input 530, the message ID input 532, and the subject input 534. In some embodiments, a first selection of a cancel button 536 may cause the value in the corresponding input to be cleared, and a second selection of the cancel button 536 may cause the threat indicator input to completely be removed from the search tab 520. The search tab 520 may also include an auto-create observables button 537 to automatically generate observables from the values in the form input 530, the message ID input 532, and/or the subject input 534” and Paragraph 0086, “As previously noted, a phishing message may affect many users, and the security analyst may want to link the user incidents together. The message may be deemed an incident or security incident, and the related affected users discovered from a search based on the message from one user may be all associated together with the related affected users deemed as child incidents of the incident for the one user”);
remediate the detected attack and a set of un-remediated attacks against user accounts in the same or different tenants on the electronic communication platform (See, Paragraph 0034, “In response, an indication of the phishing attempt is presented in a phishing attempt search interface. The phishing attempt search interface may be used to search for additional recipients, identify which recipients have been successfully targeted, and provide a summary of the recipients. Using this information, appropriate security measures in response to the phishing attempt for the recipients may be performed”), wherein the set of un-remediated attacks share one or more characteristics with the detected attack or happen to other tenants on the electronic communication platform;
an insights engine (See, Figs. 12, 13 and 14) configured to
retrieve each of the plurality of insight events from the insights queue (See, Paragraph 0085, “As illustrated, the web interactions tab 758 includes a list of interaction entries 781 corresponding to the user's interactions with threat indicators present in the messages used/discovered in the email search. Each interaction entry 781 may include an observable field 782 that may be used to track the interaction. For instance, in the illustrated embodiment, the observable field 782 includes a URL provided in the message. The interaction entries 781 may also include an observable type field 784 indicating a type of observable, such as a URL, domain name, an IP address, a file accessed, and the like”);
search the repository to identify said set of un-remediated attacks against the user accounts of the same or different tenants on the electronic communication platform for each of the plurality of insight events (See, Paragraph 0007, “Systems, methods, and media described herein are used to identify phishing attacks. A notification of a phishing attempt with a parameter associated with a recipient of the phishing attempt is received at a security management node. In response, an indication of the phishing attempt is presented in a phishing attempt search interface. The phishing attempt search interface may be used to search for additional recipients of the attack, identify which recipients have been successfully targeted, and provide a summary of the recipients. Using this information, appropriate security measures in response to the phishing attempt may be performed.” and Paragraph 0086, “As previously noted, a phishing message may affect many users, and the security analyst may want to link the user incidents together. The message may be deemed an incident or security incident, and the related affected users discovered from a search based on the message from one user may be all associated together with the related affected users deemed as child incidents of the incident for the one user” and Paragraph 0089, “The computing system 10 may also provide a summary of the recipient and the additional recipients as attempted targets (e.g., affected users) or a phished target (e.g., victim users) (block 910). The computing system 10 may also be used to perform security measures in response to the phishing attempt for the attempted targets or the phished targets (block 912). The security measures may be automated and/or security analyst-initiated”);
automatically generate and report insight on the set of un-remediated attacks (See, Paragraph 0087, “In some embodiments, a show child incidents option may be selected in the screen 800 that causes the display of a table of child incidents including details about each of the child incidents. For instance, the table may include an identifier for each child incident record, a risk score scoring how likely (e.g., degree of correlation to a known attack) or how severe a danger is posed in the incident, a short description, a category of record, an identifier of a parent incident, a last period of update, and/or other information about the child incident records linked to the user entry 730f”).
Regarding Claim 2, the rejection of claim 1 is incorporated and Kolingivadi further discloses the suspicious electronic message is an email, a text message, an online chat, or an instant message (See, Paragraph 0052).  
Regarding Claims 4 and 20, the rejection of claims 1 and 19 is incorporated and Kolingivadi further discloses wherein: the remediation engine is configured to utilize an entire pool of related data stored in a remediation database of incidents of attacks happened in the past or behind the scenes to identify or detect the attack received at the one user account (See, Paragraphs 0052 and 0065).  
Regarding Claim 5, the rejection of claim 1 is incorporated and Kolingivadi further discloses the repository is a cloud-based archiving service that enables secured preserving, searching, and accessing of metadata and content of electronic messages of the users within a plurality of tenants on the electronic communication platform in the cloud (See, Fig. 1, Numeral 16 and Paragraphs 0035, 0039 and 0050).  
Regarding Claims 7 and 21, the rejection of claims 1 and 19 is incorporated and Kolingivadi further discloses wherein: the remediation engine is configured to create one insight event for the incident of the detected attack in order to gain insights on other attacks happening in the one tenant (See, Paragraph 0105).  
Regarding Claims 8 and 22, the rejection of claims 1 and 19 is incorporated and Kolingivadi further discloses wherein: the remediation engine is configured to retrieve a set of active tenant identifications and related account data from an account database one at a time; create one insight event for each of the active tenant identifications in order to gain insights on other attacks happening in those tenants (See, Fig. 10 and Paragraphs 0081-0084).
Regarding Claims 9 and 23, the rejection of claims 1 and 19 is incorporated and Kolingivadi further discloses the remediation engine is configured to preemptively prevent attacks on the user accounts before the attacks actually happen or cause any damages to the users by taking the one or more remedial measures (See, Paragraph 0089).  
Regarding Claim 10, the rejection of claim 1 is incorporated and Kolingivadi further discloses the automatically-generated insight informs the tenant of attacks that have not been reported or detected by an administrator and/or user of the tenant (See, Paragraph 0071).
Regarding Claims 11 and 24, the rejection of claims 1 and 19 is incorporated and Kolingivadi further discloses the insights engine is configured to automatically generate two types of insight, a similar insight on similar attacks that share the one or more characteristics with the detected attack (See, Paragraphs 0052 and 0066) and adjacent insight on attacks happening in other tenants on the electronic communication platform (See, Paragraphs 0065 and 0086).  
Regarding Claims 12 and 25, the rejection of claims 11 and 24 is incorporated and Kolingivadi further discloses the insights engine is configured to conduct an expanded search by adjusting search criteria to include and detect the similar attacks happened in the past in the entity that have been missed (See, Paragraphs 0052 and 0067).  
Regarding Claim 13, the rejection of claim 11 is incorporated and Kolingivadi further discloses the similar attacks happen in accounts owned by other users of the tenant based on likelihood that these accounts face similar attacks (See, Paragraphs 0069 and 0078).  
Regarding Claim 14, the rejection of claim 11 is incorporated and Kolingivadi further discloses the similar attacks are originated by different senders from the same domain or a different domain from the detected attack (See, Paragraph 0052).  
Regarding Claim 16, the rejection of claim 1 is incorporated and Kolingivadi further discloses wherein: the characteristics include one or more of sender and/or recipient address, content pattern, intent, and type of an emails or text message (See, Kolingivadi, Paragraph 0052).  
Regarding Claims 18 and 27, the rejection of claims 11 and 24 is incorporated and Kolingivadi further discloses the insights engine is configured to conduct an expanded search of the entire repository containing electronic communications at multiple tenants to identify adjacent attacks of the detected attack that have happened at other tenants on the electronic communication platform for the adjacent insight (See, Paragraphs 0052 and 0065).


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Kolingivadi in view of Stolarz et al. (US 2018/0097841 A1), hereinafter, “Stolarz”. 
Regarding Claim 3, the rejection of claim 1 is incorporated and Kolingivadi does not explicitly disclose the suspicious electronic message is a voice message converted to an electronic text format.
Stolarz discloses attack detection system wherein a suspicious electronic message is a voice message converted to an electronic text format (See, Paragraph 0164).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to detect and convert, in the system of Kolingivadi, a suspicious electronic message that is a voice message converted to an electronic text format so that a potential social engineering attack may be detected if a voice message and an email message are received from the same source, e.g., within a 24-hour period where the text transcript of the phone call instructs the user to read the email message and where the source of the communication is not a usual communicator of the user (See, Stolarz, Paragraph 0164).

Claims 15 and 26 are rejected under 35 U.S.C. 103 as being unpatentable over Kolingivadi in view of Schlatter et al. (US 10,284,587 B1), hereinafter, “Schlatter”.
Regarding Claims 15 and 26, the rejection of claim 12 is incorporated and Kolingivadi does not explicitly disclose the insights engine is configured to loosen or expand the search criteria for identifying the similar attacks to include variance of the detected attack in order to search for attacks in other user accounts that are not identical to the detected attack.  
Schlatter discloses an insights engine that is configured to loosen or expand the search criteria for identifying the similar attacks to include variance of the detected attack in order to search for attacks in other user accounts that are not identical to the detected attack (See, Column 11, lines 4-15 and Column 12, lines 10-31).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to detect and convert, in the system of Kolingivadi, an insights engine that is configured to loosen or expand the search criteria for identifying the similar attacks to include variance of the detected attack in order to search for attacks in other user accounts that are not identical to the detected attack, as taught by Schlatter “in order to create an actionable list of security incidents while still retaining a measure of specificity” (See, Schlatter, Column 12, lines 14-15).
Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over Kolingivadi in view of Schlatter and further in view of Stolarz.
Regarding Claim 17, the rejection of claim 15 is incorporated and the combination of Kolingivadi and Schlatter does not explicitly disclose the one or more characteristics include one or more of frequency, tone, and speed of a voice message.
Stolarz discloses a system of identifying social engineering attack using message characteristics scanning wherein the characteristics include one or more of frequency, tone, and speed of a voice message (See, Paragraphs 0027 and 0187).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to use, in the system of Kolingivadi and Schlatter, one or more of frequency, tone, and speed of a voice message as a characteristic to detect suspicious communication as taught by Stolarz in order to detect and avoid social engineering attacks that use phone calls as well as written communication such as e-mail and text messages.

Allowable Subject Matter
Claim 6 would be allowable if rewritten to overcome the rejection(s) under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), 2nd paragraph, set forth in this Office action and to include all of the limitations of the base claim and any intervening claims.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to YOGESH PALIWAL whose telephone number is (571)270-1807. The examiner can normally be reached M-F 9:00AM-5:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph P Hirl can be reached on 5712723685. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/YOGESH PALIWAL/Primary Examiner, Art Unit 2435