DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-20 are pending in this application.
Claims 4 and 14 are currently amended.
The IDS submitted on 07/18/2022 has been considered.

Claim Objections
The previous objection to claims 4 and 14 has been withdrawn in response to the amendment.

Claim Rejections - 35 USC § 112
The previous rejection to claims 4 and 14 has been withdrawn in response to the amendment.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-7, 9, 11-16 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Higbee (US 2021/0021612 A1) in view of Kalinin et al. (US 2020/0195694 A1) (hereinafter, “Kalinin”).

As to claim 11, Higbee discloses a system for identifying other instances of messages corresponding to a reported malicious message, the system comprising:
one or more servers comprising one or more processors, coupled to memory and configured to: receive a report of a malicious message from a user of a plurality users using a messaging system (“When a message is received on a computing device of an individual, the user may report the message as a possible phishing attack. When reported, a network server device then receives a notification indicating that the one or more users has reported the message as a possible phishing attack. Such notification may be received via email (e.g., the suspicious email forwarded to a network administrator of network server device) or by an out-of-band means, using any protocol sufficient to transmit the notification. In one embodiment, a plug-in built into an email client (e.g., Microsoft™, Outlook™, IBM™ Lotus Notes™, etc.) or a web-based email client (Gmail™ from Google™, Yahoo!™ Mail™ from Yahoo!™) may provide users of the mail client with a toolbar and/or graphical user interface element that, when selected or activated, automatically reports an email as a suspicious message (and more specifically, as a possible phishing attack) to the network server device (or administrator thereof) or a network device other than the network server device (e.g., an email security analysis engine).” -e.g. see, [0262], see also, Fig. 17, [0270]; herein, the system may receive a message identified as a potential phishing attack in stage 704); 
provide, responsive to the report of the malicious message, … content selected from the malicious message (“In some embodiments, the system can use a plagiarism detection system, n-gram analysis, or comparable system to identify similar phishing stories, flag corresponding messages as suspicious, and cluster messages so identified as embodying a similar phishing story.” -e.g. see, [0158]; see also Fig. 17; which discloses reporting of a malicious message); 
execute the query in the messaging system for one or more other malicious messages corresponding to the reported malicious message … with one or more match criteria (“In stage 806 (step I2), the inbound mail server can run a search on the existing mail stores and identify matching messages that have been sent to other users.” -e.g. see, [0336]; see also, Fig. 20; Higbee further discloses: “In some embodiments, the system can use a plagiarism detection system, n-gram analysis, or comparable system to identify similar phishing stories, flag corresponding messages as suspicious, and cluster messages so identified as embodying a similar phishing story.” -e.g. see, [0158]); and 
identify in the messaging system the one or more other malicious messages corresponding to the reported malicious message (“In some embodiments, the system can use a plagiarism detection system, n-gram analysis, or comparable system to identify similar phishing stories, flag corresponding messages as suspicious, and cluster messages so identified as embodying a similar phishing story.” -e.g. see, [0158]; see also, “In stage 806 (step I2), the inbound mail server can run a search on the existing mail stores and identify matching messages that have been sent to other users.” -e.g. see, [0336]).  
Higbee may not explicitly disclose provide, plain text of content selected from the malicious message;
select one or more segments of the plain text as key content for construction of a query; 
execute the query using the selected one or more segments of the plain text with one or more match criteria;
However, in an analogous art, Kalinin discloses provide, plain text of content selected from the malicious message (“ … (ii) compares a suspicious user message with each of the received user messages using at least one known method for comparing text data, for example, by character-by-character comparison, comparison by keywords that can be extracted from each user message using, for example, a special pre-programmed classifier embedded in the analyzing module 220, … .” -e.g. see, [0158]; herein, plain text (i.e. keywords) of content (i.e. message) selected from the malicious message (i.e., a suspicious user message));
select one or more segments of the plain text as key content for construction of a query (“ … in messaging systems 110, 120, the analyzing module 220 (i) receives from each of the messaging systems 110, 120 all user messages stored respectively in the message databases 116, 126, each received user message being associated with a unique identifier of a respective messaging system and unique identifier of a specific user; (ii) compares a suspicious user message with each of the received user messages using at least one known method for comparing text data, for example, by character-by-character comparison, comparison by keywords that can be extracted from each user message using, for example, a special pre-programmed classifier embedded in the analyzing module 220, and/or by comparing the hash sums calculated by the analyzer module 220 for each suspicious user message, with the hash sum calculated by the analyzing module 220 for each of the received user messages, to detect messages similar to the a given suspicious user message in these messaging systems 110, 120, ensuring that users who send such similar messages are grouped into a user cluster; (iii) such that, if a reputation score of at least one of the users in the user cluster exceeds the predetermined reputation threshold (as described in more detail above), all users from the user cluster are classified as suspicious users. It shall be noted that, in the non-limiting embodiments of the present technology, in order to obtain the necessary user messages, the analyzing module 220 can either send a corresponding request to each of the messaging systems 110, 120 to receive the necessary user messages, or directly access each of the message databases 116, 126 or establish a connection with them to extract the necessary user messages therefrom.” -e.g. see, [0158]; herein, a query is constructed with plain text (i.e. keywords) in order to detect messages similar to the suspicious message and searched the messaging systems);
execute the query using the selected one or more segments of the plain text with one or more match criteria (“ … in messaging systems 110, 120, the analyzing module 220 (i) receives from each of the messaging systems 110, 120 all user messages stored respectively in the message databases 116, 126, each received user message being associated with a unique identifier of a respective messaging system and unique identifier of a specific user; (ii) compares a suspicious user message with each of the received user messages using at least one known method for comparing text data, for example, by character-by-character comparison, comparison by keywords that can be extracted from each user message using, for example, a special pre-programmed classifier embedded in the analyzing module 220, and/or by comparing the hash sums calculated by the analyzer module 220 for each suspicious user message, with the hash sum calculated by the analyzing module 220 for each of the received user messages, to detect messages similar to the a given suspicious user message in these messaging systems 110, 120, ensuring that users who send such similar messages are grouped into a user cluster; (iii) such that, if a reputation score of at least one of the users in the user cluster exceeds the predetermined reputation threshold (as described in more detail above), all users from the user cluster are classified as suspicious users. It shall be noted that, in the non-limiting embodiments of the present technology, in order to obtain the necessary user messages, the analyzing module 220 can either send a corresponding request to each of the messaging systems 110, 120 to receive the necessary user messages, or directly access each of the message databases 116, 126 or establish a connection with them to extract the necessary user messages therefrom.” -e.g. see, [0158]);
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Higbee with the teaching of Kalinin to “provide, plain text of content selected from the malicious message; select one or more segments of the plain text as key content for construction of a query; and execute the query using the selected one or more segments of the plain text with one or more match criteria” in order to identify a group of intruders carrying out similar malicious activities both in the same messenger and in several different instant messengers.

As to claim 1, it is rejected using the similar rationale as for the rejection of claim 11.

As to claim 12, the combination of Higbee and Kalinin disclose wherein the one or more servers are further configured to select content from the malicious message (Kalinin: “ … (ii) compares a suspicious user message with each of the received user messages using at least one known method for comparing text data, for example, by character-by-character comparison, comparison by keywords that can be extracted from each user message using, for example, a special pre-programmed classifier embedded in the analyzing module 220, and/or by comparing the hash sums calculated by the analyzer module 220 for each suspicious user message, with the hash sum calculated by the analyzing module 220 for each of the received user messages, to detect messages similar to the a given suspicious user message in these messaging systems 110, 120, ensuring that users who send such similar messages are grouped into a user cluster;” -e.g. see, Kalinin: [0158]; herein, Kalinin discloses selecting content (i.e. extracting) from the malicious message (i.e. a suspicious user message)).  

As to claim 2, it is rejected using the similar rationale as for the rejection of claim 12.

As to claim 13, the combination of Higbee and Kalinin disclose wherein the one or more servers are further configured to parse the plain text from the content using a parser to parse out the plain text from content corresponding to authoring language used to create the content (Kalinin: “… the parsers 130, 140, respectively, shall be preprogrammed or configured to be able to process the output data streams, presented in a form of character strings, respectively, from the API-interfaces 114, 124, wherein each of the parsers 130, 140 shall at least know recording format of the processed data streams. In particular, for the example above, the parsers 130, 140 shall at least be configured to recognize that the keyword in the received character string of the beginning of the text of the user message is the word “text”. It shall also be noted that in order to process the output data stream from the corresponding API-interface in the parser, it could additionally (in addition to the extracted text of the user message, as described earlier in this document) retrieve all the necessary identification data describing the extracted user message, for example, date and time of sending, identification data of the sender, identification data of the recipient, identification data of the messaging system itself and/or other identifiers (that is, all the information that is usually comprised in the headers of user messages transmitted within a particular messaging system, and which allows to describe the body of these user messages), the specified parser shall also be configured to recognize other standard keywords commonly used in the received character strings to indicate the presence of certain identifying information following this keyword in these character strings.” -e.g. see, Kalinin: [0086]; herein, a parser parses the plain text (i.e. keyword) from content (i.e. user message) corresponding the authoring language (i.e. corresponding API-interface) used to create the content). 
 

As to claim 3, it is rejected using the similar rationale as for the rejection of claim 13.

As to claim 14, the combination of Higbee and Kalinin disclose wherein the one or more servers are further configured to generate a recommendation of the one or more segments of the plain text as the key content (Kalinin: “ … keywords that can be extracted from each user message using, for example, a special pre-programmed classifier embedded in the analyzing module 220, and/or by comparing the hash sums calculated by the analyzer module 220 for each suspicious user message, with the hash sum calculated by the analyzing module 220 for each of the received user messages, to detect messages similar to the a given suspicious user message in these messaging systems…” -e.g. see, Kalinin: [0158]; herein, classifier selecting keywords from the message).  

As to claim 4, it is rejected using the similar rationale as for the rejection of claim 14.

As to claim 15, the combination of Higbee and Kalinin disclose wherein the one or more servers are further configured to identify the one or more match criteria for matching the selected one or more segments to one or more messages (Kalinin: “In some other embodiments of this technique, when analyzing the file obtained by the extracted reference, the hash sum is additionally calculated for maliciousness and it is determined whether the calculated hash sum of the analyzed file matches the hash sum of one of the known malicious files.” -e.g. see, Kalinin: [0038], see also, [0158]).  

As to claim 5, it is rejected using the similar rationale as for the rejection of claim 15.

As to claim 16, the combination of Higbee and Kalinin disclose wherein the one or more servers are further configured to construct the query based at least on the one or more segments of the plain text and the one or more match criteria (Kalinin: “ … in messaging systems 110, 120, the analyzing module 220 (i) receives from each of the messaging systems 110, 120 all user messages stored respectively in the message databases 116, 126, each received user message being associated with a unique identifier of a respective messaging system and unique identifier of a specific user; (ii) compares a suspicious user message with each of the received user messages using at least one known method for comparing text data, for example, by character-by-character comparison, comparison by keywords that can be extracted from each user message using, for example, a special pre-programmed classifier embedded in the analyzing module 220, and/or by comparing the hash sums calculated by the analyzer module 220 for each suspicious user message, with the hash sum calculated by the analyzing module 220 for each of the received user messages, to detect messages similar to the a given suspicious user message in these messaging systems 110, 120, ensuring that users who send such similar messages are grouped into a user cluster; (iii) such that, if a reputation score of at least one of the users in the user cluster exceeds the predetermined reputation threshold (as described in more detail above), all users from the user cluster are classified as suspicious users. It shall be noted that, in the non-limiting embodiments of the present technology, in order to obtain the necessary user messages, the analyzing module 220 can either send a corresponding request to each of the messaging systems 110, 120 to receive the necessary user messages, or directly access each of the message databases 116, 126 or establish a connection with them to extract the necessary user messages therefrom.” -e.g. see, Kalinin: [0158]).

As to claim 6, it is rejected using the similar rationale as for the rejection of claim 16.

As to claim 17, the combination of Higbee and Kalinin disclose wherein the one or more servers are further configured to construct the query to be formatted into a single query that searches a body of one or more messages for a collection of the one or more segments of the plain text matching the one or more match criteria (Kalinin: “ … in messaging systems 110, 120, the analyzing module 220 (i) receives from each of the messaging systems 110, 120 all user messages stored respectively in the message databases 116, 126, each received user message being associated with a unique identifier of a respective messaging system and unique identifier of a specific user; (ii) compares a suspicious user message with each of the received user messages using at least one known method for comparing text data, for example, by character-by-character comparison, comparison by keywords that can be extracted from each user message using, for example, a special pre-programmed classifier embedded in the analyzing module 220, and/or by comparing the hash sums calculated by the analyzer module 220 for each suspicious user message, with the hash sum calculated by the analyzing module 220 for each of the received user messages, to detect messages similar to the a given suspicious user message in these messaging systems 110, 120, ensuring that users who send such similar messages are grouped into a user cluster; (iii) such that, if a reputation score of at least one of the users in the user cluster exceeds the predetermined reputation threshold (as described in more detail above), ….” -e.g. see, Kalinin: [0158]).

As to claim 7, it is rejected using the similar rationale as for the rejection of claim 17.

As to claim 19, Higbee discloses wherein the one or more servers are further configured to quarantine the one or more other malicious messages identified from the query (“In stage 810 (step I3), the inbound mail sever can generate a command to remove the matching messages from users' inboxes, trash folders, or similar storage, or otherwise render the message inaccessible to the user. In some embodiments, the interdiction module can provide a placeholder message that, if opened, states the message cannot be accessed because it is being analyzed. The system can automatically perform this step upon receiving a notification depending on a user's reputation score or title. Alternatively, the default can be automatic quarantine of all messages unless the reputation score is above a specific threshold value.” -e.g. see, Higbee: [0338]).  

As to claim 9, it is rejected using the similar rationale as for the rejection of claim 19.


Claims 8, 10, 18 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Higbee in view of Kalinin and further in view of Raz et al. (US 2018/0205753 A1) (hereinafter, “Raz”).


As to claim 18, although Higbee discloses wherein the one or more servers are further configured to … identifying the one or more other malicious messages corresponding to the reported malicious message (Higbee: “In some embodiments, the system can use a plagiarism detection system, n-gram analysis, or comparable system to identify similar phishing stories, flag corresponding messages as suspicious, and cluster messages so identified as embodying a similar phishing story.” -e.g. see, [0158]; see also, “In stage 806 (step I2), the inbound mail server can run a search on the existing mail stores and identify matching messages that have been sent to other users.” -e.g. see, [0336]). 
Neither Higbee nor Kalinin explicitly disclose validating the query based at least on a measure of success in identifying the one or more other malicious messages. However, in an analogous art, Raz discloses validating the query based at least on a measure of success in identifying the one or more other malicious messages (“In accordance with example implementations, for a set of queries that is determined to be anomalous, the malicious behavior detection engine 128 may further process the set to remove any false positives (i.e., remove any DNS queries that are determined, upon subsequent processing, to be benign, or not associated with malicious communications).” -e.g. see, Raz: [0023]).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Higbee and Kalinin with the teaching of Raz to include validating the query based at least on a measure of success in identifying the one or more other malicious messages to accurately detect relatively high frequency malicious communications.

As to claim 8, it is rejected using the similar rationale as for the rejection of claim 18.

As to claim 20, neither Higbee nor Kalinin explicitly disclose wherein the one or more servers are further configured to monitor the one or more other malicious messages identified by the query to determine a number of false positives arising from the query.
However, in an analogous art, Raz discloses wherein the one or more servers are further configured to monitor the one or more other malicious messages identified by the query to determine a number of false positives arising from the query (“In accordance with example implementations, for a set of queries that is determined to be anomalous, the malicious behavior detection engine 128 may further process the set to remove any false positives (i.e., remove any DNS queries that are determined, upon subsequent processing, to be benign, or not associated with malicious communications).” -e.g. see, Raz: [0023]).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Higbee and Kalinin with the teaching of Raz to include validating the query based at least on a measure of success in identifying the one or more other malicious messages to accurately detect relatively high frequency malicious communications.

As to claim 10, it is rejected using the similar rationale as for the rejection of claim 20.


Response to Arguments
Applicant's arguments filed on 07/18/2022 have been fully considered but they are not persuasive. 

Applicant argues regarding independent claims 1 and 11 on pages 7-8 of the remark that: “The combination of Higbee and Kalinin does not both: (i) provide plain text selected from a malicious message, responsive to a report of the malicious message from a user, and (ii) select one or more segments of the same plain text provided responsive to the report of the same malicious message from the user. The Office action admits that Higbee neither provides plain text of content nor selects one or more segments of the plain text, and relies on Kalinin for this purpose (see Office action, pages 5-8). The Office action attempts to combine these alleged features of Kalinin with the alleged reporting of suspicious emails by Higbee to meet these elements (see Office action, pages 3-4).”
Examiner respectfully disagrees with the Applicant’s argument and would like to point out that the combination of Higbee and Kalinin disclose the above argued limitations. It should be noted that Applicant didn’t really articulate why the combination would not work. Further to clarify, Examiner asserts that Higbee teaches providing content selected from a malicious message from a user in response to a report of the malicious message (“In some embodiments, the system can use a plagiarism detection system, n-gram analysis, or comparable system to identify similar phishing stories, flag corresponding messages as suspicious, and cluster messages so identified as embodying a similar phishing story.” -e.g. see, [0158]; see also Fig. 17; herein, plagiarism detection system identifies (i.e. selects) phishing stories, flags corresponding messages as suspicious (i.e. content selected from a malicious message) and para. [0262] discloses that the user reports a message as a possible phishing attack and when reported, a network server device then receives a notification indicating that the one or more users has reported the message as a possible phishing attack). Kalinin discloses provide, plain text of content selected from the malicious message (e.g. see, [0158]; herein, plain text (i.e. keywords) of content (i.e. message) selected from the malicious message (i.e., a suspicious user message)) and select one or more segments of the plain text as key content for construction of a query ([0158]; herein, a query is constructed with plain text (i.e. keywords) in order to detect messages similar to the suspicious message and searched the messaging systems). Therefore, Examiner concludes that combination of Higbee and Kalinin disclose the above argued limitations. Please see rejection above for further clarification.

Applicant argues regarding independent claims 1 and 11 on page 8 of the remark that: “As Kalinin fails to discuss reporting of malicious messages by a user, Kalinin fails to teach or suggest taking any actions responsive to a report of a malicious message from the user. Meanwhile, Higbee discusses "clustering" or "aggregation of messages" reported by users by "application of rules to messages that have been reported as suspicious" (see Higbee, par. [0158]). However, because Higbee gathers all user-reported messages into aggregated clusters before taking any action, any actions taken by the combination of Higbee and Kalinin in response to Higbee's user-reported messages are taken on the entire aggregated cluster as a whole, rather than on an individual instance of a reported message itself. As a result, the combination of Higbee and Kalinin is unable to receive a report of a malicious message and then both: (i) provide plain text selected from the same malicious message, responsive to the report, and (ii) select one or more segments of the same plain text provided responsive to the same report. Instead, this combination can only receive a report of a reported message, include that message into a cluster of other messages, and take any actions on the cluster, rather than on the individual message. For at least these reasons, the combination of Higbee and Kalinin does not teach or suggest each and every element of independent Claims 1 and 11.”
Examiner respectfully disagrees with the Applicant’s arguments and would like to point out that Kalinin was not cited to show ‘actions responsive to a report of a malicious message from the user’, instead, primary reference, Higbee was cited for limitation as included in the claim: “receive a report of a malicious message from a user” (herein, Higbee in para [0262] teaches a user may report a message as a possible phishing attack and in para [0158] discloses taking an action i.e. the detection system identifies similar phishing stories and flags corresponding messages as suspicious). Further to clarify, Examiner disagrees with the Applicant’s argument which states “However, because Higbee gathers all user-reported messages into aggregated clusters before taking any action, any actions taken by the combination of Higbee and Kalinin in response to Higbee’s user-reported messages are taken on the entire aggregated cluster as a whole, rather than on an individual instance of a reported message itself.” First, claim language doesn’t require taking action based on “an individual instance” of a reported message itself, rather an action was taken “responsive to the report of the malicious message”. Herein, with a reasonable interpretation, “the report” could be a report that is collected from a number of users or just a single user. However, Examiner asserts that Higbee covers both by disclosing: “a network server device then receives a notification indicating that the one or more users has reported the message as a possible phishing attack” (e.g. see, para [0262]). Secondly, Higbee clearly teaches that “execute the query in the messaging system for one or more other malicious messages corresponding to the reported malicious message … with one or more match criteria” (“In stage 806 (step I2), the inbound mail server can run a search on the existing mail stores and identify matching messages that have been sent to other users.” -e.g. see, [0336]; see also, Fig. 20; Higbee further discloses: “In some embodiments, the system can use a plagiarism detection system, n-gram analysis, or comparable system to identify similar phishing stories, flag corresponding messages as suspicious, and cluster messages so identified as embodying a similar phishing story.” -e.g. see, [0158]; herein, based on a reported phishing attack (i.e. malicious message), a search/query is conducted to identify or select matching messages that have similar phishing attack messages). Thus, Examiner concludes that Higbee and Kalinin in combination teach the above argued limitation. Please see the rejection above for further clarification.

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 


Any inquiry concerning this communication or earlier communications from the examiner should be directed to SUMAN DEBNATH whose telephone number is (571)270-1256. The examiner can normally be reached Mon-Fri; 9:00am-5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

SUMAN DEBNATH
Patent Examiner
Art Unit 2495



/S.D/Examiner, Art Unit 2495       

/FARID HOMAYOUNMEHR/Supervisory Patent Examiner, Art Unit 2495