DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Prakash (9,154,514) in view of Egilmez et al (2017/0034091) and Langton et al (10,091,222) and Official Notice.
With respect to claims 1,11,20, Prakash discloses an apparatus (fig 1) comprising: an endpoint agent extension 150 (fig 1) of a cyber defense system (fig 1) for email (abstract) that includes two or more modules 170–177 (fig 1) comprising: an integration module 171 (fig 1 or col 6, lines 27-28 (“In some embodiments, the system may further comprise being couple to with third party online social networks 121”)) of the endpoint agent extension configured to integrate the endpoint agent extension with an email client application on an endpoint computing device to detect email cyber threats in emails in the email client application (fig 2) as well as regulate outbound emails (fig 3) and sending a notification to cyber security personnel of an organization regarding the email (col 19, lines 64-67) (since applicant claims the action can be one or more actions, the “sending a notification” action satisfies the claimed limitation).
Prakash discloses detecting threats for the electronic email system (abstract). Prakash does not explicitly disclose at least an outbound email including its attached files and/or linked files under analysis when a cyber threat module determines the outbound email including its attached files and/or linked files (b) to be both malicious and anomalous behavior as compared to a user’s modeled email behavior. Egilmez discloses a system comprising: detecting an email including its attached files and/or linked files (abstract) to be both malicious and anomalous behavior as compared to a user’s modeled email behavior (para [0003]). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to modify Prakash’s outbound mail to determine the malicious behavior, taught by Egilmez, to avoid any cyber threat.
Prakash does not disclose determining a data exfiltration threat. Langton discloses a method for determining a data exfiltration threat for an email system (fig 5B). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to modify Prakash with the method of determining the data exfiltration threat of Langton for the same motivation discussed above.
Prakash does not explicitly disclose the combination of the two determinations (a) and (b). However, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to modify Prakash by combining different determination methods to provide better protection, since applying a known technique to a similar process to obtain a predictable result requires only routine skill in the art (KSR International Co. v. Teleflex, Inc., 550 U.S. 398, 82 USPQ2d 1385 (2007)).
Prakash does not explicitly disclose the machine learning models and that the action should be performed by a machine. The Official Notice is taken that the claimed limitations would have been known. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to modify Prakash with the claimed limitations for automating the process.

With respect to claims 2,12, refer to discussion in claim 1 above for the machine learning. Prakash discloses an attachment analyzer of the endpoint agent extension that is configured to scan a file i) attached to and/or ii) linked to the outbound email that is about to be sent in an outbox, in order to analyze content and meta data of the file via investigation of the file structure, a meta data analysis tool, and machine learning analysis to gather information about the file itself and the content in the file (col 8, lines 10-55 or col 10, lines 50-60).

With respect to claims 3,13, Prakash discloses wherein the endpoint agent extension is implemented as one of i) a plug-in integration for the email client application (col 24, lines 19-25) and ii) a browser extension for integration with a browser-based email client application (col 22, lines 26-37).

With respect to claims 4,14, refer to discussion in claim 1 above for the machine learning models and user behavior for the outbound email. Langton discloses where the modules of the endpoint agent extension are configured to receive and factor in, both knowledge outside an email domain as well as metrics and other information from the email domain (fig 5A, 5B, col 10, lines 38-67). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to modify Prakash with the modules of Langton to provide greater protection from data exfiltration (Langton, col 2, lines 40-45).

With respect to claims 5,15, refer to discussion in claim 4 above for receiving information outside an email domain. Further, Langton discloses taking instructions or receive additional information from an autonomous response module of the cyber security appliance regarding what autonomous action to take against the outbound email to mitigate a threat posed by the outbound email and its attachments and/or links 704 (fig 7 or fig 8). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to modify Prakash by taking instructions or receiving additional information from an autonomous response module, taught by Langton, for the motivation discussed in claim 4 above.

With respect to claims 6,16, refer to discussion in claim 1 above for the information about attached files of the outbound email. Further, Prakash discloses where the cyber defense appliance of the cyber threat defense system is located in an IT network (col 22, lines 35-37). Prakash does not explicitly disclose analyzing user behavior to prevent incidents of data loss as well as wrongly addressed recipients. The Official Notice is taken that analyzing user’s behavior to prevent incidents of data loss as well as wrongly addressed recipients, would have been known. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to modify Prakash with the known analyzing as claimed to improve the performance of the network.

With respect to claims 7-8,17-18, Prakash does not disclose analyzing on all inbound and outbound email flow for an organization to develop an awareness of a pattern-of-life or tracking and maintaining a dynamic profile modeled for each email user in a domain who compose emails to make a decision that the behavior is deviating from the pattern-of-life for the email under analysis and any of its files attached or linked, where the cyber security appliance is configured to convey this information to the modules in the endpoint agent extension through the secure communications module. The Official Notice is taken that the claimed limitations would have been known. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to modify Prakash with the known limitations to analyze the behavior of the users to predict the user behavior to analyze the threat more accurately.

With respect to claims 9,19, Prakash discloses where an email module in the network cyber security appliance is configured to track and maintain a dynamic profile modeled in a user model for each email user in the domain who compose emails 220-250 (fig 2), as well as cooperate with a model of email and network activities (fig 4) of each peer group in an organization as well as a model of an organization’s email activity in general (fig 6A), where the inputs from all three of these different modeled insights is factored into the dynamic profile when making a decision 260 (fig 2, “comparing”) whether the outbound email by the user is unusual and triggers a further analysis, and wherein a secure communications module in the endpoint agent extension is configured to securely receive an instance of a dynamic profile, for each email user in the domain who composes emails, as well as a memory to store the instances of dynamic profiles for each of the users on the end point device for quicker processing of each outbound mail under analysis, where the email module is configured to generate the dynamic profiles sent to the secure communications module 320 (fig 3, “updating database”).

With respect to claim 10, refer to discussion in claim 1 above for the actions and sending the notification. Prakash does not explicitly disclose (d) sending a notification to the user on whether they intend to send the outbound email to a deemed errant email recipient address, as well as (e) sending a notification to the user when the email under analysis including any attached or linked files is determined to violate an email policy implemented by an organization that contains the user. The Official Notice is taken that the claimed sending notifications would have been known. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to modify Prakash by sending the notifications as claimed for different intended uses.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TU T NGUYEN whose telephone number is (571)272-2424. The examiner can normally be reached M-F 8:00-5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kamal B Divecha can be reached on (571) 272-5863. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/TU T NGUYEN/Primary Examiner, Art Unit 2453
11/19/2022