DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
Applicant's arguments filed 09/21/2022 have been fully considered but they are not persuasive. Regarding arguments on pages 8-10 of the Remarks, Examiner notes that the claims are directed to initiation of a remediation action. The initiation may be a step performed in a human mind. For example, the initiation of an action may be the user making the decision to perform the action. Another example would be for the user to think of another credential for the resetting process. A further example would be determining which resources to prevent access to. It is further unclear what the claimed improvement is, and how it amounts to significantly more. However, the steps individually and as a whole are abstract in nature.
Regarding arguments on pages 10-14 of the Remarks, Examiner notes that since Dunn is dealing with cyber threat defense, all elements could be considered “expected to be replicated as part of a malicious communication.” Dunn teaches analyzing the sender, as well as the similarities as shown in the rejection of claim 7 previously.
Regarding arguments on pages 14-15 of the Remarks, Examiner notes that a new reference is being used to teach the deep learning, as well as the latent semantic indexing, and thus the arguments are moot.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-6 and 8-21 rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more.  Using the subject matter eligibility test from page 74621 of the Federal Register Notice titled “2014 Interim Guidance on Patent Subject Matter Eligibility,” a two-step process is performed. Under step 1, the claims are analyzed to determine if the claim is directed to a process, machine, article of manufacture, or composition of matter. In this case, claims 1-6, 8-18 and 21 are directed to a method, which is a process; claim 19 is directed to an apparatus, which is a machine or article of manufacture; and claim 20 is directed to a computer readable medium, which is a machine or article of manufacture. Step 2A (part 1 of the Mayo test), using the guidance from pages 50-57 of the Federal Register Vol. 84 No. 4 from Monday, January 7, 2019, requires applying a two-prong inquiry. In Prong One, examiners evaluate whether the claim recites a judicial exception, determining if the claim is directed to a law of nature, a natural phenomenon, or an abstract idea. In this case, claim 1 recites identifying information or data, determining if a communication is malicious, and initiating remediation, which are mental processes. In Prong Two, examiners evaluate whether the judicial exception is integrated into a practical application that imposes a meaningful limit on the judicial exception. In this case, additional elements such as processor, memory, and computer readable medium are generic computer components, and do not constitute integration into a practical application.
Step 2B (part 2 of the Mayo test) requires analyzing the claims to determine if they recite additional elements that amount to significantly more than the judicial exception. In this case, the claims do not include additional elements that are sufficient to amount to significantly more than the abstract idea itself.  

Regarding claims 1 and 19-20, identifying information or data, determining if a communication is malicious, and initiating remediation are mental processes, which are abstract ideas. Additional limitations of processor, memory, and computer readable medium are generic computer components, and do not constitute integration into a practical application or significantly more.

Regarding claims 2-6, 8-13, 15-18, and 21, the limitations are further clarifications of the above abstract ideas.

Regarding claim 14, extracting features and making a determination are mental processes, which are abstract ideas without significantly more and without integration into a practical application.

The limitations of the claims, taken alone, do not amount to significantly more than the above-identified judicial exception (the abstract idea). Looking at the limitations as an ordered combination adds nothing that is not already present when looking at the elements individually. Applicable case law cited in the Federal Register includes, but is not limited to: Alice Corp., 134 S. Ct. at 2355-56, Digitech Image Tech., LLC v. Electronics for Imaging, Inc., 758 F.3d 1344 (Fed. Cir. 2014), Benson, 409 U.S. at 63.

See "Preliminary Examination Instructions in view of the Supreme Court Decision in Alice Corporation Pty. Ltd. v. CLS Bank International, et al.," dated June 25, 2014, and the Federal Register notice titled "2014 Interim Guidance on Patent Subject Matter Eligibility" (79 FR 74618).

	
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-6 and 8-21 rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. The limitation “and which is expected to be replicated as part of a malicious communication” in claims 1 and 19-20 is unclear, as it is not apparent whether this is optional or required in the reference. As the Dunn reference is directed to cyber threat defense, Examiner is interpreting the elements of the reference as “expected to be replicated as part of a malicious communication.”
	
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claim(s) 1-6, 8 and 14-21 is/are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Dunn et al. (US 2019/0260780 A1), hereinafter referred to as Dunn.

Regarding claim 1, Dunn teaches:
A method, comprising: 
identifying, by a processing system including at least one processor, a workflow to be protected (para [0030], [0145], where a cyber-threat module and processor analyzes network, computer, and email activity); 
identifying, by the processing system for the workflow, a set of valid resources of the workflow, wherein the set of valid resources includes a set of artifacts and a set of templates (Fig. 4, para [0068-70], where the other emails received are the set of templates, and their contents or properties such as links are the set of artifacts), wherein each template in the set of templates comprises a resource which is to be presented to a user within a context of the workflow and which is expected to be replicated as part of a malicious communication (Fig. 4, where the formatting is considered a resource), and wherein each artifact of the set of artifacts comprises an element of the workflow which is expected to be replicated as part of a malicious communication (Fig. 4, where the email content is considered the artifact); 
identifying, by the processing system from a dataset associated with the workflow and based on the set of artifacts, an electronic communication associated with the workflow (para [0061], where every email is examined including the artifacts therein, where the dataset is all the emails), wherein the electronic communication is identified based on a determination that the electronic communication is associated with an unknown source and based on a determination that one or more elements of the electronic communication are similar to one or more artifacts of the set of artifacts (para [0066], where the sender is analyzed, and para [0087], where the normal pattern of life information, interpreted as the information being similar, is filtered out and the behaviors are used to detect threats); 
determining, by the processing system based on an analysis of the electronic communication based on the set of templates, that the electronic communication is malicious (para [0071-72], [0117], where the system determines malicious characteristics by comparison with normal emails); and 
initiating, by the processing system based on the determination that the electronic communication is malicious, a remediation action (Fig. 7, para [0119], where the system takes action against malicious emails), wherein the remediation action includes at least one of: blocking a delivery of the electronic communication, initiating a takedown of a malicious website indicated within the electronic communication, preventing access to a resource requested by a user from the electronic communication, or resetting a credential of at least one user associate with the electronic communication (Fig. 7, para [0119], where the system takes action against malicious emails, para [0125], where the email is held or blocked).  

Regarding claim 2, Dunn teaches:
The method of claim 1, wherein the workflow is based on at least one of: an email, a text message, a voice communication, a video, a website interaction, or an application interaction (Fig. 4, para [0061], where all emails are examined).  

Regarding claim 3, Dunn teaches:
The method of claim 1, wherein the workflow is identified based on an identification of a set of users able to interact with the workflow (para [0033], [0035], where normal behavior of users is analyzed).  

Regarding claim 4, Dunn teaches:
The method of claim 1, wherein the set of artifacts is identified from the set of templates (Fig. 4, para [0068-70], where the contents, links, and properties are extracted from the emails).  

Regarding claim 5, Dunn teaches:
The method of claim 1, wherein the electronic communication is further identified based on application of a set of filters to the dataset associated with the workflow (para [0087], where normal behaviors are filtered out, and the remaining behaviors are analyzed to determine if they are malicious).

Regarding claim 6, Dunn teaches:
The method of claim 5, wherein the set of filters is created based on the set of artifacts (para [0087], where the activities/events/alerts are artifacts).  

Regarding claim 8, Dunn teaches:
The method of claim 1, wherein the analysis of the electronic communication is based on a learning algorithm (para [0061], where machine learning is used).  

Regarding claim 14, Dunn teaches:
The method of claim 8, wherein the learning algorithm is configured to: 
extract, from the set of artifacts, a set of features of the artifacts (para [0056], where data is extracted to determine pattern of life data); 
extract, from the electronic communication, a set of features of the electronic communication (para [0072], where metadata is extracted from the emails); and 
determine, based on an analysis of the set of features of the artifacts and the set of features of the electronic communication, that the electronic communication is malicious (para [0072], where the day to day behavior is compared with the email to determine if the email is malicious).  

Regarding claim 15, Dunn teaches:
The method of claim 14, wherein the determination that the electronic communication is malicious is based on a determination that the set of features of the artifacts and the set of features of the electronic communication are similar (para [0087], where the normal pattern of life information, interpreted as the information being similar, is filtered out and the behaviors are used to detect threats).  

Regarding claim 16, Dunn teaches:
The method of claim 1, wherein the analysis of the electronic communication includes at least one of an analysis of a source associated with the electronic communication, an analysis of a domain associated with the electronic communication, or an analysis of a resource identifier associated with the electronic communication (para [0066-67], where the relationship of the sender is analyzed).  

Regarding claim 17, Dunn teaches:
The method of claim 1, wherein the remediation action further includes a case management action (Fig. 7, para [0119], where the system takes action against malicious emails, para [0125], where the email is held or blocked, interpreted as a case management action).  

Regarding claim 18, Dunn teaches:
The method of claim 1, wherein the determining that the electronic communication is malicious comprises an early detection of a low-volume targeted attack (para [0104], [0109], [0120], where targeted email attacks, such as phishing, are protected preemptively).

Regarding claim 19, Dunn teaches:
An apparatus comprising: 
a processing system including at least one processor (para [0145], where a processor is used); and 
a computer-readable medium storing instructions (para [0254], where computing machine readable media is used) which, when executed by the processing system, cause the processing system to perform operations, the operations comprising: 
identifying a workflow to be protected (para [0030], where a cyber-threat module analyzes network, computer, and email activity); 
identifying, for the workflow, a set of valid resources of the workflow, wherein the set of valid resources includes a set of artifacts and a set of templates (Fig. 4, para [0068-70], where the other emails received are the set of templates, and their contents or properties such as links are the set of artifacts), wherein each template in the set of templates comprises a resource which is to be presented to a user within a context of the workflow and which is expected to be replicated as part of a malicious communication (Fig. 4, where the formatting is considered a resource), and wherein each artifact of the set of artifacts comprises an element of the workflow which is expected to be replicated as part of a malicious communication (Fig. 4, where the email content is considered the artifact); 
identifying, from a dataset associated with the workflow and based on the set of artifacts, an electronic communication associated with the workflow (para [0061], where every email is examined including the artifacts therein, where the dataset is all the emails), wherein the electronic communication is identified based on a determination that the electronic communication is associated with an unknown source and based on a determination that one or more elements of the electronic communication are similar to one or more artifacts of the set of artifacts (para [0066], where the sender is analyzed, and para [0087], where the normal pattern of life information, interpreted as the information being similar, is filtered out and the behaviors are used to detect threats); 
determining, based on an analysis of the electronic communication based on the set of templates, that the electronic communication is malicious (para [0071-72], [0117], where the system determines malicious characteristics by comparison with normal emails); and 
initiating, based on the determination that the electronic communication is malicious, a remediation action (Fig. 7, para [0119], where the system takes action against malicious emails), wherein the remediation action includes at least one of: blocking a delivery of the electronic communication, initiating a takedown of a malicious website indicated within the electronic communication, preventing access to a resource requested by a user from the electronic communication, or resetting a credential of at least one user associate with the electronic communication (Fig. 7, para [0119], where the system takes action against malicious emails, para [0125], where the email is held or blocked).  

Regarding claim 20, Dunn teaches:
A non-transitory computer-readable medium (para [0254], where computing machine readable media is used) storing instructions which, when executed by a processing system including at least one processor (para [0145], where a processor is used), cause the processing system to perform operations, the operations comprising: 
identifying a workflow to be protected (para [0030], where a cyber-threat module analyzes network, computer, and email activity); 
identifying, for the workflow, a set of valid resources of the workflow, wherein the set of valid resources includes a set of artifacts and a set of templates (Fig. 4, para [0068-70], where the other emails received are the set of templates, and their contents or properties such as links are the set of artifacts), wherein each template in the set of templates comprises a resource which is to be presented to a user within a context of the workflow and which is expected to be replicated as part of a malicious communication (Fig. 4, where the formatting is considered a resource), and wherein each artifact of the set of artifacts comprises an element of the workflow which is expected to be replicated as part of a malicious communication (Fig. 4, where the email content is considered the artifact); 
identifying, from a dataset associated with the workflow and based on the set of artifacts, an electronic communication associated with the workflow (para [0061], where every email is examined including the artifacts therein, where the dataset is all the emails), wherein the electronic communication is identified based on a determination that the electronic communication is associated with an unknown source and based on a determination that one or more elements of the electronic communication are similar to one or more artifacts of the set of artifacts (para [0066], where the sender is analyzed, and para [0087], where the normal pattern of life information, interpreted as the information being similar, is filtered out and the behaviors are used to detect threats); 
determining, based on an analysis of the electronic communication based on the set of templates, that the electronic communication is malicious (para [0071-72], [0117], where the system determines malicious characteristics by comparison with normal emails); and 
initiating, based on the determination that the electronic communication is malicious, a remediation action (Fig. 7, para [0119], where the system takes action against malicious emails), wherein the remediation action includes at least one of: blocking a delivery of the electronic communication, initiating a takedown of a malicious website indicated within the electronic communication, preventing access to a resource requested by a user from the electronic communication, or resetting a credential of at least one user associate with the electronic communication (Fig. 7, para [0119], where the system takes action against malicious emails, para [0125], where the email is held or blocked).

Regarding claim 21, Dunn teaches:
The method of claim 8, wherein the learning algorithm includes a machine learning algorithm (para [0061], where machine learning is used).  

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 9-10 is/are rejected under 35 U.S.C. 103 as being unpatentable over Dunn, in view of Madavarapu et al. (US 2020/0302017 A1), hereinafter referred to as Madavarapu.

Regarding claim 9, Dunn teaches:
The method of claim 8, 
Dunn does not teach:
wherein the learning algorithm includes a deep learning (DL) algorithm.
Madavarapu teaches:
wherein the learning algorithm includes a deep learning (DL) algorithm (para [0025], where deep learning is used).
The prior art contained a device (method, product, etc.) which differed from the claimed device by the substitution of some components (machine learning) with other components (deep learning); the substituted components and their functions were known in the art; one of ordinary skill in the art could have substituted one known element for another, and the results of the substitution would have been predictable.

Regarding claim 10, Dunn teaches:
The method of claim 8, wherein the electronic communication has text data associated therewith (para [0077], where text is included in links in the email),
Dunn does not teach:
wherein the learning algorithm is based on a latent semantic indexing.
Madavarapu teaches:
wherein the learning algorithm is based on a latent semantic indexing (para [0024], where latent semantic indexing is used).
The prior art contained a device (method, product, etc.) which differed from the claimed device by the substitution of some components (model training techniques) with other components (latent semantic indexing); the substituted components and their functions were known in the art; one of ordinary skill in the art could have substituted one known element for another, and the results of the substitution would have been predictable.

Claim(s) 11 and 13 is/are rejected under 35 U.S.C. 103 as being unpatentable over Dunn, in view of Sreenivasan et al. (US 2022/0020482 A1), hereinafter referred to as Sreenivasan.

Regarding claim 11, Dunn teaches:
The method of claim 8, wherein the electronic communication has image data associated therewith (para [0127], where an image is attached),
Dunn does not teach:
wherein the learning algorithm is based on a convolutional neural network.
Sreenivasan teaches:
wherein the learning algorithm is based on a convolutional neural network (para [0025], where a CNN is used).  
The prior art contained a device (method, product, etc.) which differed from the claimed device by the substitution of some components (machine learning) with other components (CNN); the substituted components and their functions were known in the art; one of ordinary skill in the art could have substituted one known element for another, and the results of the substitution would have been predictable.

Regarding claim 13, Dunn teaches:
The method of claim 8,
Dunn does not teach:
wherein the electronic communication has video data associated therewith, wherein the learning algorithm is based on a recurrent neural network.
Sreenivasan teaches:
wherein the electronic communication has video data associated therewith (para [0022], where video is used), wherein the learning algorithm is based on a recurrent neural network (para [0025], where an RNN is used).  
The prior art contained a device (method, product, etc.) which differed from the claimed device by the substitution of some components (email, machine learning) with other components (video, RNN); the substituted components and their functions were known in the art; one of ordinary skill in the art could have substituted one known element for another, and the results of the substitution would have been predictable.

Claim(s) 12 is/are rejected under 35 U.S.C. 103 as being unpatentable over Dunn, in view of Clark et al. (US 2020/0074985 A1), hereinafter referred to as Clark.

Regarding claim 12, Dunn teaches:
The method of claim 8,
Dunn does not teach:
wherein the electronic communication has voice data associated therewith, wherein the learning algorithm is based on a spectrogram-based auto-encoder.
Clark teaches:
wherein the electronic communication has voice data associated therewith (para [0034], where speech is input), wherein the learning algorithm is based on a spectrogram-based auto-encoder (para [0079], where a spectrogram based autoencoder is used).
The prior art contained a device (method, product, etc.) which differed from the claimed device by the substitution of some components (email, machine learning) with other components (voice, autoencoder); the substituted components and their functions were known in the art; one of ordinary skill in the art could have substituted one known element for another, and the results of the substitution would have been predictable. 

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. US 2019/0108217 A1 para [0088] teaches latent semantic indexing, while para [0142-143] teaches deep learning and fraud prevention; US 10,685,347 B1 col. 10 line 57 – col. 11 line 12 teaches latent semantic indexing, while col. 12 lines 9-13 teaches deep learning.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BRYAN S BLANKENAGEL whose telephone number is (571)270-0685. The examiner can normally be reached 8:00am-5:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Richemond Dorvil can be reached on 571-272-7602. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/BRYAN S BLANKENAGEL/Primary Examiner, Art Unit 2658