DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

The following is a Non-Final Office Action in response to applicant’s filing on 07/25/2022.
Claims 1-20 are pending.

Response to Amendment
The Amendment filed on August 24, 2022 has been entered. Claims 1, 19, and 20 were amended. No claims were added. As a result, claims 1-20 are pending, of which claims 1, 19 and 20 are in independent form.

Response to Arguments
On Page 7 of remarks by applicant, the Applicant argues that the combination of Higbee and Bowditch do not appear to teach or suggest the limitations of amended independent claims 1, 19, and 20, “training a machine learning model to detect cybersecurity attacks, wherein training the machine learning model includes configuring the machine learning model to be biased toward determining user messages to be malicious, wherein configuring the machine learning model to be biased comprises including a target rate in an objective function or cost function as a model constraint during training of the machine learning model”.
In response, the Applicant’s remarks and amended claims necessitated the Examiner to conduct a new search and reconsider the novelty of the claims, which results in this final office action necessitated by the amendment. In view of the amended claims 1, 19 and 20, a new ground of the rejection is applied to the amended claims. As to the dependent claims 2-18, these claims remain rejected by virtue of dependency to their independent claims.

Therefore, the Applicant’s argument is not persuasive. Thus, the examiner maintains the rejection under 35 USC § 103.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Higbee et al. (US 2017/0237776 A1), hereinafter Higbee in view of Bowditch et al. (US 2020/0358819 A1), hereinafter Bowditch further in view of Jeyakumar et al. (US 2020/0204572 A1), hereinafter Jeyakumar.

In regards to claim 1, Higbee discloses a method, comprising:
receiving an indication of a message that was identified by a recipient user of the message as being associated with a cybersecurity attack (Higbee, Fig. 7, Para. 0058, the system may receive a message identified as a potential phishing attack in stage 704 (step S1), note the indication was received by a user);
extracting properties of the message (Higbee, Para. 0056, Para. 0061, in stage 712 after decoding and decrypting, the system derives a tracking URL (step S6). The tracking URL could be in the form of “https://phishreporter.phishmessage.com”);
Higbee fails to disclose providing the extracted properties of the message as inputs to the machine learning model to determine a likelihood the message is associated with a true cybersecurity attack; and utilizing the determined likelihood to handle a security response associated with the message.
However, Bowditch teaches providing the extracted properties of the message as inputs to the machine learning model to determine a likelihood the message is associated with a true cybersecurity attack (Bowditch, Para. 0032, extracted or computed by the extractors 22 of the detection and extraction processor 14 can be provided as inputs for the machine learning model 30. Using these features, as well as the screenshot or image information, the machine learning model 30 can determine or generate a probability or confidence level that the request (e.g., the webpage or email requesting a user's information) is malicious, such as is being uses as part of a phishing attack); and
utilizing the determined likelihood to handle a security response associated with the message (Bowditch, Para. 0055, a log and an alert, alarm, other notification, etc. can be generated to notify the user of the likelihood or confidence interval that the request is malicious (e.g., as shown in FIG. 3) and/or further communications with the webpage, domain, URL, etc. can be prevented or prohibited (e.g., using the logic/action processor 18)).
Higbee and Bowditch are both considered to be analogous to the claimed invention because they are in the same field of utilizing computer vision and machine learning components and processes for enhanced detection of malicious behavior, such as potential phishing attacks. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Higbee to incorporate the teachings of Bowditch to include providing the extracted properties of the message as inputs to the machine learning model to determine a likelihood the message is associated with a true cybersecurity attack (Bowditch, Para. 0032); and
utilizing the determined likelihood to handle a security response associated with the message (Bowditch, Para. 0055). Doing so would improve the accuracy or efficacy of the machine learning model 30 with each iteration. Accordingly, over time, the system 10 can generate and update/populate one or more Blacklists including entities, such as URLs, domains, email servers, etc., that have been identified by the system 10 as malicious, rather than manually reported, to help increase early detection times of phishing attempts or other malicious actions/requests (Bowditch, Para. 0033).
Higbee and Bowditch fail to teach training a machine learning model to detect cybersecurity attacks, wherein training the machine learning model includes configuring the machine learning model to be biased toward determining user messages to be malicious, wherein configuring the machine learning model to be biased comprises including a target rate in an objective function or cost function as a model constraint during training of the machine learning model;
However, Jeyakumar teaches training a machine learning model to detect cybersecurity attacks (Jeyakumar, Para. 0104, The process 400 can optionally include training ML models to detect email attack types), wherein training the machine learning model includes configuring the machine learning model to be biased toward determining user messages to be malicious (Jeyakumar, Para. 0104, these malicious emails can be used to train the ML models based on that customer), wherein configuring the machine learning model to be biased comprises including a target rate in an objective function or cost function as a model constraint during training of the machine learning model (Jeyakumar, Para. 0138, the thresholds are updated, continually or periodically, to maintain a target flag rate. For example, the threat detection platform may alter the threshold so that a predetermined percentage of all incoming emails (e.g., 0.1%, 0.5%, or 1.0%) are flagged as borderline, suspicious, or bad. The threshold for a given model may be calibrated based on an internal target for the number of false positives and/or false negatives generated by the given model); 
Higbee, Bowditch and Jeyakumar are all considered to be analogous to the claimed invention because they are in the same field of utilizing computer vision and machine learning components and processes for enhanced detection of malicious behavior, such as potential phishing attacks. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Higbee and Bowditch to incorporate the teachings of Jeyakumar to include training a machine learning model to detect cybersecurity attacks (Jeyakumar, Para. 0104), wherein training the machine learning model includes configuring the machine learning model to be biased toward determining user messages to be malicious (Jeyakumar, Para. 0104), wherein configuring the machine learning model to be biased comprises including a target rate in an objective function or cost function as a model constraint during training of the machine learning model (Jeyakumar, Para. 0138). Doing so would help to build a model representative of the normal email behavior of an enterprise (or an individual employee of the enterprise) and then look for deviations to identify abnormalities by applying the model to incoming emails. By establishing what constitutes normal behavior traits and/or normal email content, the enterprise can be protected against new, sophisticated attacks such as employee impersonation, vendor impersonation, fraudulent invoices, email account compromise, and account takeover (Jeyakumar, Para. 0018).
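The threshold recalibration that the cited Jeyakumar Para. 0138 describes (moving a score threshold so that a predetermined percentage of incoming emails is flagged) is sketched below as an added example. It is not code from Jeyakumar, the application, or this Office action; the class name, window size, and sample scores are assumptions constructed for illustration.

```python
"""Added illustration: recalibrating a score threshold to hold a target flag rate."""
import math
from collections import deque


class FlagRateCalibrator:
    """Keeps a sliding window of model scores and moves the decision
    threshold so that roughly `target_rate` of recent messages are flagged.
    Name, window size and defaults are assumptions for this sketch."""

    def __init__(self, target_rate, window=10_000, min_samples=200,
                 initial_threshold=0.9):
        if not 0.0 < target_rate < 1.0:
            raise ValueError("target_rate must be a fraction in (0, 1)")
        self.target_rate = target_rate
        self.min_samples = min_samples
        self.threshold = initial_threshold
        self._scores = deque(maxlen=window)  # oldest scores fall out first

    def observe(self, score):
        """Record the model score of one incoming message."""
        self._scores.append(float(score))

    def recalibrate(self):
        """Set the threshold to the k-th largest recent score, where k is
        the number of messages the target rate allows to be flagged.
        With too few samples the previous threshold is kept, so a quiet
        mailbox cannot swing the threshold on a handful of messages."""
        n = len(self._scores)
        if n < self.min_samples:
            return self.threshold
        k = max(1, round(self.target_rate * n))
        # Tied scores at the cut-off are all flagged, so the realised
        # rate can sit slightly above the target when scores repeat.
        self.threshold = sorted(self._scores)[n - k]
        return self.threshold

    def is_flagged(self, score):
        return score >= self.threshold


def flag_rate(scores, threshold):
    """Fraction of `scores` at or above `threshold`."""
    return sum(s >= threshold for s in scores) / len(scores)


def drift_demo():
    """Constructed scenario: the score distribution drifts upward between
    two batches. Returns (threshold_1, stale_rate, threshold_2, fresh_rate)."""
    cal = FlagRateCalibrator(target_rate=0.01, window=1000, min_samples=200)

    batch_1 = [i / 1000 for i in range(1000)]             # constructed scores
    for s in batch_1:
        cal.observe(s)
    threshold_1 = cal.recalibrate()

    batch_2 = [math.sqrt(i / 1000) for i in range(1000)]  # constructed drift
    stale_rate = flag_rate(batch_2, threshold_1)           # old threshold, new data

    for s in batch_2:
        cal.observe(s)
    threshold_2 = cal.recalibrate()
    fresh_rate = flag_rate(batch_2, threshold_2)
    return threshold_1, stale_rate, threshold_2, fresh_rate


if __name__ == "__main__":
    t1, stale, t2, fresh = drift_demo()
    print(f"threshold {t1:.4f} -> flag rate after drift {stale:.3%}")
    print(f"threshold {t2:.4f} -> flag rate after recalibration {fresh:.3%}")
```

In the constructed drift, the stale threshold flags 1.9% of messages against a 1.0% target, and recalibration over the newer window brings the rate back to the target.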

In regards to claim 2, the combination of Higbee and Bowditch further in view of Jeyakumar teaches the method of claim 1, wherein the cybersecurity attack is a phishing attack (Higbee, Para. 0056, When a message is received on a computing device of an individual, the user may report the message as a possible phishing attack).

In regards to claim 3, the method of claim 1, the combination of Higbee and Bowditch further in view of Jeyakumar teaches wherein utilizing the determined likelihood to handle the security response includes reporting the determined likelihood to a security analyst (Bowditch, Para. 0037, the logic/action processor 18 can generate one or more alerts, alarms, notifications, etc. (such as a popup window 44 shown in FIG. 3) to notify users (or security service providers) of the probability or likelihood of a phishing attack or other malicious action). Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Higbee to incorporate the teachings of Bowditch to include wherein utilizing the determined likelihood to handle the security response includes reporting the determined likelihood to a security analyst (Bowditch, Para. 0037). Doing so would help detect when a user has been directed to or is navigating a webpage with interface elements, indicating that the site is impersonating a reputable site, and is being asked to provide login credentials; whereupon the user can be warned/alerted that the webpage is not a legitimate login page and/or can be stopped/prevented from providing login credentials through the site (Bowditch, Para. 0005).

In regards to claim 4, the method of claim 1, the combination of Higbee and Bowditch further in view of Jeyakumar teaches wherein utilizing the determined likelihood to handle the security response includes initiating an automated security workflow based at least in part on the determined likelihood (Bowditch, Fig. 5B and Para. 0055, furthermore, at 122, a log and an alert, alarm, other notification, etc. can be generated to notify the user of the likelihood or confidence interval that the request is malicious (e.g., as shown in FIG. 3) and/or further communications with the webpage, domain, URL, etc. can be prevented or prohibited (e.g., using the logic/action processor 18)). Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Higbee to incorporate the teachings of Bowditch to include wherein utilizing the determined likelihood to handle the security response includes initiating an automated security workflow based at least in part on the determined likelihood (Bowditch, Fig. 5B and Para. 0055). Doing so would improve the accuracy or efficacy of the machine learning model 30 with each iteration. Accordingly, over time, the system 10 can generate and update/populate one or more Blacklists including entities, such as URLs, domains, email servers, etc., that have been identified by the system 10 as malicious, rather than manually reported, to help increase early detection times of phishing attempts or other malicious actions/requests (Bowditch, Para. 0033).

In regards to claim 5, the combination of Higbee and Bowditch further in view of Jeyakumar teaches the method of claim 1, wherein utilizing the determined likelihood to handle the security response includes initiating, based at least in part on the determined likelihood, a security workflow that is performed at least in part by a security analyst (Bowditch, Para. 0037, even if the probability or confidence level does not exceed a prescribed threshold to allow users and/or internal network security or other security service provider to make a determination as to whether to proceed to a webpage and/or provide their credentials/information based on the generated probability/confidence level). Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Higbee to incorporate the teachings of Bowditch to include wherein utilizing the determined likelihood to handle the security response includes initiating, based at least in part on the determined likelihood, a security workflow that is performed at least in part by a security analyst (Bowditch, Para. 0037). Doing so would help notify the user of a phishing attack before the user has entered their credentials and/or before the phishing site has been manually reported by other existing services (Bowditch, Para. 0038).

In regards to claim 6, the method of claim 1, the combination of Higbee and Bowditch further in view of Jeyakumar teaches wherein the security response includes disposal or quarantine of the message (Higbee, Para. 0054, If it is determined to be a phishing message, then the message can be deleted or moved into “Junk” folder or such action be taken).

In regards to claim 7, the method of claim 1, the combination of Higbee and Bowditch further in view of Jeyakumar teaches wherein the indication is received over a network (Higbee, Fig. 1, Para. 0028, a system 100 is illustrated as having a network server device 110 with access to an outbound mail server 120 that is in communication through a network 150).

In regards to claim 8, the method of claim 1, the combination of Higbee and Bowditch further in view of Jeyakumar teaches further comprising storing the message in a storage that is separate from any storage utilized by the recipient user (Higbee, Para. 0054, the system may be configured to store messages in an electronic data store at the network server device or other location accessible to the management console module).

In regards to claim 9, the method of claim 1, the combination of Higbee and Bowditch further in view of Jeyakumar teaches wherein utilizing the determined likelihood includes comparing the determined likelihood to a specified threshold likelihood (Bowditch, Para. 0055, if the general likelihood/probability or confidence interval is greater than or within a selected standard deviation of a prescribed threshold (e.g., about 90%, about 92%, about 93%, 94%, 95%, etc.), as determined at 118, then the request can be classified as a phishing or malicious attempt). Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Higbee to incorporate the teachings of Bowditch to include wherein utilizing the determined likelihood includes comparing the determined likelihood to a specified threshold likelihood (Bowditch, Para. 0055). Doing so would help notify the user of a phishing attack before the user has entered their credentials and/or before the phishing site has been manually reported by other existing services (Bowditch, Para. 0038).

In regards to claim 10, the method of claim 1, the combination of Higbee and Bowditch further in view of Jeyakumar teaches wherein the machine learning model has been trained using historical messages received by the recipient user or members of an organization to which the recipient user belongs (Bowditch, Para. 0035, For training of the machine learning model 30, a labeled data set including a variety of labeled screenshot or image information or data set(s) can be collected/obtained (e.g., such as screenshots, images, etc. corresponding to known reputable/trusted domains)). Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Higbee to incorporate the teachings of Bowditch to include wherein the machine learning model has been trained using historical messages received by the recipient user or members of an organization to which the recipient user belongs (Bowditch, Para. 0035). Doing so would help the machine learning model 30 to determine or generate a probability or confidence level that the request (e.g., the webpage or email requesting a user's information) is malicious, such as is being uses as part of a phishing attack (Bowditch, Para. 0032).

In regards to claim 11, the method of claim 1, the combination of Higbee and Bowditch further in view of Jeyakumar teaches wherein the machine learning model has been trained with a training goal of reaching a specified threshold of correct classification of messages associated with true cybersecurity attacks (Bowditch, Para. 0012, If the probability or confidence level developed by the machine learning model indicates that the request is malicious, e.g., the determined probability or confidence level exceeds a prescribed threshold, one or more components of the system, such as a logic/action processor, can be configured to classify the request as a malicious and/or generate and provide an alarm, alert, or notification to the user). Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Higbee to incorporate the teachings of Bowditch to include wherein the machine learning model has been trained with a training goal of reaching a specified threshold of correct classification of messages associated with true cybersecurity attacks (Bowditch, Para. 0012). Doing so would improve the accuracy or efficacy of the machine learning model 30 with each iteration. Accordingly, over time, the system 10 can generate and update/populate one or more Blacklists including entities, such as URLs, domains, email servers, etc., that have been identified by the system 10 as malicious, rather than manually reported, to help increase early detection times of phishing attempts or other malicious actions/requests (Bowditch, Para. 0033).

In regards to claim 12, the method of claim 1, the combination of Higbee and Bowditch further in view of Jeyakumar teaches wherein the machine learning model has been trained with a training goal of reaching a specified threshold of correct classification of legitimate messages (Bowditch, Para. 0037, if the probability or confidence level does not exceed a prescribed threshold to allow users and/or internal network security or other security service provider to make a determination as to whether to proceed to a webpage and/or provide their credentials/information based on the generated probability/confidence level). Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Higbee to incorporate the teachings of Bowditch to include wherein the machine learning model has been trained with a training goal of reaching a specified threshold of correct classification of legitimate messages (Bowditch, Para. 0037). Doing so would improve the accuracy or efficacy of the machine learning model 30 with each iteration. Accordingly, over time, the system 10 can generate and update/populate one or more Blacklists including entities, such as URLs, domains, email servers, etc., that have been identified by the system 10 as malicious, rather than manually reported, to help increase early detection times of phishing attempts or other malicious actions/requests (Bowditch, Para. 0033).

In regards to claim 13, the combination of Higbee and Bowditch further in view of Jeyakumar teaches the method of claim 1, wherein the machine learning model is an artificial neural network (Higbee, Para. 0108, Other clustering techniques contemplated include k-means, deep learning (such as a convolutional neural network)).

In regards to claim 14, the method of claim 1, the combination of Higbee and Bowditch further in view of Jeyakumar teaches wherein utilizing the determined likelihood includes initiating a specified security response in response to a determination that the determined likelihood reaches a specified threshold (Bowditch, Para. 0056, if the general likelihood is not greater than or within a selected or standard deviation of a prescribed threshold as determined at 118, the process can end and the user may be allowed to proceed with communications with the requester, e.g., open or proceed to the webpage, at 124). Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Higbee to incorporate the teachings of Bowditch to include wherein utilizing the determined likelihood includes initiating a specified security response in response to a determination that the determined likelihood reaches a specified threshold (Bowditch, Para. 0056). Doing so would improve the accuracy or efficacy of the machine learning model 30 with each iteration. Accordingly, over time, the system 10 can generate and update/populate one or more Blacklists including entities, such as URLs, domains, email servers, etc., that have been identified by the system 10 as malicious, rather than manually reported, to help increase early detection times of phishing attempts or other malicious actions/requests (Bowditch, Para. 0033).

In regards to claim 15, the combination of Higbee and Bowditch further in view of Jeyakumar teaches the method of claim 1, wherein the extracted properties include existences of specified keywords or keyword parts in the message (Higbee, Para. 0086, FIG. 16. A recipe can be associated with a name 1610, a description 1620, a Status (active/inactive) 1630, keyword tag(s) 1640, etc.).

In regards to claim 16, the combination of Higbee and Bowditch further in view of Jeyakumar teaches the method of claim 1, wherein the extracted properties include a count of at least one of the following: Uniform Resource Locators in the message, hyperlinks in the message, or number of dots in one or more hostnames of Uniform Resource Locators in the message (Higbee, Para. 0061, in stage 712 after decoding and decrypting, the system derives a tracking URL (step S6). The tracking URL could be in the form of “https://phishreporter.phishmessage.com”).

In regards to claim 17, the combination of Higbee and Bowditch further in view of Jeyakumar teaches the method of claim 1, wherein the extracted properties include at least one of the following dates associated with an Internet domain in the message: a creation date, an update date, or an expiration date (Bowditch, Para. 0032, one or more of the features (e.g., domain reputation, IP analysis, keywords in an email, a domain registration age, a domain registrar, and a domain's SSL certificate details, etc.)). Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Higbee to incorporate the teachings of Bowditch to include wherein the extracted properties include at least one of the following dates associated with an Internet domain in the message: a creation date, an update date, or an expiration date (Bowditch, Para. 0032). Doing so would improve the accuracy or efficacy of the machine learning model 30 with each iteration. Accordingly, over time, the system 10 can generate and update/populate one or more Blacklists including entities, such as URLs, domains, email servers, etc., that have been identified by the system 10 as malicious, rather than manually reported, to help increase early detection times of phishing attempts or other malicious actions/requests (Bowditch, Para. 0033).

In regards to claim 18, the method of claim 1, the combination of Higbee and Bowditch further in view of Jeyakumar teaches wherein the extracted properties include whether an Internet protocol address is included in a Uniform Resource Locator in the message (Higbee, Fig. 11, Para. 0070, the preview panel 1150 may contain options to display message headers 1120, a text-only view 1121, as well as a URL option 1124 to display all URLs contained in the selected message, note item 1150 contains the IP address).

In regards to claim 19, Higbee discloses a system, comprising:
One or more processors configured to (Higbee, Para. 0125):
receive an indication of a message that was identified by a recipient user of the message as being associated with a cybersecurity attack (Higbee, Fig. 7, Para. 0058, the system may receive a message identified as a potential phishing attack in stage 704 (step S1), note the indication was received by a user);
extract properties of the message (Higbee, Para. 0056, Para. 0061, in stage 712 after decoding and decrypting, the system derives a tracking URL (step S6). The tracking URL could be in the form of “https://phishreporter.phishmessage.com”);
Higbee fails to disclose provide the extracted properties of the message as inputs to the machine learning model to determine a likelihood the message is associated with a true cybersecurity attack; and
utilize the determined likelihood to handle a security response associated with the message; and
a Memory coupled to the processor and configured to provide the processor with instructions.
However, Bowditch teaches provide the extracted properties of the message as inputs to the machine learning model to determine a likelihood the message is associated with a true cybersecurity attack (Bowditch, Para. 0032, extracted or computed by the extractors 22 of the detection and extraction processor 14 can be provided as inputs for the machine learning model 30. Using these features, as well as the screenshot or image information, the machine learning model 30 can determine or generate a probability or confidence level that the request (e.g., the webpage or email requesting a user's information) is malicious, such as is being uses as part of a phishing attack); and
utilize the determined likelihood to handle a security response associated with the message (Bowditch, Para. 0055, a log and an alert, alarm, other notification, etc. can be generated to notify the user of the likelihood or confidence interval that the request is malicious (e.g., as shown in FIG. 3) and/or further communications with the webpage, domain, URL, etc. can be prevented or prohibited (e.g., using the logic/action processor 18)); and
a Memory coupled to at least one of the one or more processors and configured to provide at least one of the one or more processors with instructions (Bowditch, Para. 0040, FIG. 1 of the system 10 can include computer programmable instructions, workflows, etc. that can be stored in memory and executed or accessed by one or more processors). Higbee and Bowditch are both considered to be analogous to the claimed invention because they are in the same field of utilizing computer vision and machine learning components and processes for enhanced detection of malicious behavior, such as potential phishing attacks. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Higbee to incorporate the teachings of Bowditch to include provide the extracted properties of the message as inputs to the machine learning model to determine a likelihood the message is associated with a true cybersecurity attack (Bowditch, Para. 0032); and
utilize the determined likelihood to handle a security response associated with the message (Bowditch, Para. 0055); and a memory coupled to the processor and configured to provide the processor with instructions (Bowditch, Para. 0040, FIG. 1). Doing so would improve the accuracy or efficacy of the machine learning model 30 with each iteration. Accordingly, over time, the system 10 can generate and update/populate one or more Blacklists including entities, such as URLs, domains, email servers, etc., that have been identified by the system 10 as malicious, rather than manually reported, to help increase early detection times of phishing attempts or other malicious actions/requests (Bowditch, Para. 0033).
Higbee and Bowditch fail to teach train a machine learning model to detect cybersecurity attacks, wherein the one or more processors are configured to train the machine learning model including by being configured to configure the machine learning model to be biased toward determining user messages to be malicious, wherein the one or more processors are configured to configure the machine learning model to be biased including by being configured to include a target rate in an objective function or cost function as a model constraint during training of the machine learning model;
However, Jeyakumar teaches train a machine learning model to detect cybersecurity attacks (Jeyakumar, Para. 0104, The process 400 can optionally include training ML models to detect email attack types), wherein the one or more processors are configured to train the machine learning model including by being configured to configure the machine learning model to be biased toward determining user messages to be malicious (Jeyakumar, Para. 0104, these malicious emails can be used to train the ML models based on that customer), wherein the one or more processors are configured to configure the machine learning model to be biased including by being configured to include a target rate in an objective function or cost function as a model constraint during training of the machine learning model (Jeyakumar, Para. 0138, the thresholds are updated, continually or periodically, to maintain a target flag rate. For example, the threat detection platform may alter the threshold so that a predetermined percentage of all incoming emails (e.g., 0.1%, 0.5%, or 1.0%) are flagged as borderline, suspicious, or bad. The threshold for a given model may be calibrated based on an internal target for the number of false positives and/or false negatives generated by the given model);
Higbee, Bowditch and Jeyakumar are all considered to be analogous to the claimed invention because they are in the same field of utilizing computer vision and machine learning components and processes for enhanced detection of malicious behavior, such as potential phishing attacks. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Higbee and Bowditch to incorporate the teachings of Jeyakumar to include train a machine learning model to detect cybersecurity attacks (Jeyakumar, Para. 0104), wherein the one or more processors are configured to train the machine learning model including by being configured to configure the machine learning model to be biased toward determining user messages to be malicious (Jeyakumar, Para. 0104), wherein the one or more processors are configured to configure the machine learning model to be biased including by being configured to include a target rate in an objective function or cost function as a model constraint during training of the machine learning model (Jeyakumar, Para. 0138). Doing so would help to build a model representative of the normal email behavior of an enterprise (or an individual employee of the enterprise) and then look for deviations to identify abnormalities by applying the model to incoming emails. By establishing what constitutes normal behavior traits and/or normal email content, the enterprise can be protected against new, sophisticated attacks such as employee impersonation, vendor impersonation, fraudulent invoices, email account compromise, and account takeover (Jeyakumar, Para. 0018).

In regards to claim 20, Higbee discloses a computer program product, the computer program product being embodied in a non-transitory computer readable storage medium and comprising computer instructions for (Higbee, Para. 0128):
receiving an indication of a message that was identified by a recipient user of the message as being associated with a cybersecurity attack (Higbee, Fig. 7, Para. 0058, the system may receive a message identified as a potential phishing attack in stage 704 (step S1), note the indication was received by a user);
extracting properties of the message (Higbee, Para. 0056, Para. 0061, in stage 712 after decoding and decrypting, the system derives a tracking URL (step S6). The tracking URL could be in the form of “https://phishreporter.phishmessage.com”);
Higbee fails to disclose providing the extracted properties of the message as inputs to the machine learning model to determine a likelihood the message is associated with a true cybersecurity attack; and
utilizing the determined likelihood to handle a security response associated with the message.
However, Bowditch teaches providing the extracted properties of the message as inputs to the machine learning model to determine a likelihood the message is associated with a true cybersecurity attack (Bowditch, Para. 0032, extracted or computed by the extractors 22 of the detection and extraction processor 14 can be provided as inputs for the machine learning model 30. Using these features, as well as the screenshot or image information, the machine learning model 30 can determine or generate a probability or confidence level that the request (e.g., the webpage or email requesting a user's information) is malicious, such as is being used as part of a phishing attack); and
utilizing the determined likelihood to handle a security response associated with the message (Bowditch, Para. 0055, a log and an alert, alarm, other notification, etc. can be generated to notify the user of the likelihood or confidence interval that the request is malicious (e.g., as shown in FIG. 3) and/or further communications with the webpage, domain, URL, etc. can be prevented or prohibited (e.g., using the logic/action processor 18)).
Higbee and Bowditch are both considered to be analogous to the claimed invention because they are in the same field of utilizing computer vision and machine learning components and processes for enhanced detection of malicious behavior, such as potential phishing attacks. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Higbee to incorporate the teachings of Bowditch to include providing the extracted properties of the message as inputs to the machine learning model to determine a likelihood the message is associated with a true cybersecurity attack (Bowditch, Para. 0032); and utilizing the determined likelihood to handle a security response associated with the message (Bowditch, Para. 0055). Doing so would improve the accuracy or efficacy of the machine learning model 30 with each iteration. Accordingly, over time, the system 10 can generate and update/populate one or more Blacklists including entities, such as URLs, domains, email servers, etc., that have been identified by the system 10 as malicious, rather than manually reported, to help increase early detection times of phishing attempts or other malicious actions/requests (Bowditch, Para. 0033).
Higbee and Bowditch fail to teach training a machine learning model to detect cybersecurity attacks, wherein training the machine learning model includes configuring the machine learning model to be biased toward determining user messages to be malicious, wherein configuring the machine learning model to be biased comprises including a target rate in an objective function or cost function as a model constraint during training of the machine learning model;
However, Jeyakumar teaches training a machine learning model to detect cybersecurity attacks (Jeyakumar, Para. 0104, The process 400 can optionally include training ML models to detect email attack types), wherein training the machine learning model includes configuring the machine learning model to be biased toward determining user messages to be malicious (Jeyakumar, Para. 0104, these malicious emails can be used to train the ML models based on that customer), wherein configuring the machine learning model to be biased comprises including a target rate in an objective function or cost function as a model constraint during training of the machine learning model (Jeyakumar, Para. 0138, the thresholds are updated, continually or periodically, to maintain a target flag rate. For example, the threat detection platform may alter the threshold so that a predetermined percentage of all incoming emails (e.g., 0.1%, 0.5%, or 1.0%) are flagged as borderline, suspicious, or bad. The threshold for a given model may be calibrated based on an internal target for the number of false positives and/or false negatives generated by the given model);
Higbee, Bowditch and Jeyakumar are all considered to be analogous to the claimed invention because they are in the same field of utilizing computer vision and machine learning components and processes for enhanced detection of malicious behavior, such as potential phishing attacks. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Higbee and Bowditch to incorporate the teachings of Jeyakumar to include training a machine learning model to detect cybersecurity attacks (Jeyakumar, Para. 0104), wherein training the machine learning model includes configuring the machine learning model to be biased toward determining user messages to be malicious (Jeyakumar, Para. 0104), wherein configuring the machine learning model to be biased comprises including a target rate in an objective function or cost function as a model constraint during training of the machine learning model (Jeyakumar, Para. 0138). Doing so would help to build a model representative of the normal email behavior of an enterprise (or an individual employee of the enterprise) and then look for deviations to identify abnormalities by applying the model to incoming emails. By establishing what constitutes normal behavior traits and/or normal email content, the enterprise can be protected against new, sophisticated attacks such as employee impersonation, vendor impersonation, fraudulent invoices, email account compromise, and account takeover (Jeyakumar, Para. 0018).

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GITA FARAMARZI whose telephone number is (571) 272-0248. The examiner can normally be reached 9:30 AM - 6:30 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge L. Ortiz-Criado can be reached on (571) 272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/G.F./
Examiner, Art Unit 2496

/JORGE L ORTIZ CRIADO/
Supervisory Patent Examiner, Art Unit 2496