DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Applicant’s submission dated 06/14/2022 has been received and made of record. 
Application 17/839,847 claims benefit to Provisional Application 63/210,164, filed 06/14/2021.
Claims 1-20 are currently pending in Application 17/839,847.

Claim Objections
Claims 1-20 are objected to because of the following informalities: formatting symbols such as bullet points should not be included in the claims.  Appropriate correction is required.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-20 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of copending Application No. 17683221 (reference application). Although the claims at issue are not identical, they are not patentably distinct from each other because they recite substantially similar subject matter, with the differences amounting to drafting choice and recitation or non-recitation of implicit/common elements, as shown in the table below. 
Copending Application 17683221
Current Application 17839847
1. A method for detecting financial attacks in emails comprising: accessing an email inbound to a recipient address; scanning a body of the email for a set of language signals; correlating a first sequence of words, in the email, with a financial signal in the set of language signals; correlating a second sequence of words, in the email, with an action request signal in the set of language signals; calculating a risk for the email representing a financial attack based on a combination of the financial signal and the action request signal detected in the email; and in response to the risk exceeding a threshold risk: annotating the first sequence of words in the email according to a first visual highlighting scheme associated with the financial signal; annotating the second sequence of words in the email according to a second visual highlighting scheme associated with the action request signal, the second visual highlighting scheme different from the first visual highlighting scheme; and redirecting the email to a quarantine folder.

2. The method of claim 1: wherein accessing the email comprises intercepting the email inbound to the recipient address within an email domain; and further comprising: retrieving an attribute of a recipient associated with the recipient address; accessing a risk schedule specifying a set of threshold risks, each threshold risk in the set of threshold risks associated with a unique combination of recipient attributes and based on malicious targeting frequency of recipients represented by the unique combination of recipient attributes within the email domain; and selecting the threshold risk, from the risk schedule, based on the attribute of the recipient.

3. The method of claim 1: wherein annotating the first sequence of words in the email according to the first visual highlighting scheme comprises highlighting the first sequence of words in the email with a first color according to the first visual highlighting scheme; wherein annotating the second sequence of words in the email according to the second visual highlighting scheme comprises highlighting the second sequence of words in the email with a second color, different from the first color, according to the second visual highlighting scheme; and further comprising, within an email viewer, in response to selection of the email from the quarantine folder: rendering the email with the first sequence of words highlighted in the first color and with the second sequence of words highlighted in the second color; labeling the first color as corresponding to the financial signal; and labeling the second color as corresponding to the action request signal.

4. The method of claim 1, further comprising: wherein redirecting the email to the quarantine folder comprises redirecting the email from an email inbox to the quarantine folder within an email account at the recipient address; and further comprising: in response to selection of the email from the quarantine folder, rendering the email with a risk alert, with the first sequence of words highlighted according to the first visual highlighting scheme, and with the second sequence of words highlighted according to the second visual highlighting scheme; intercepting a second email inbound to the recipient address; scanning a second body of the second email for the set of language signals; correlating a third sequence of words, in the second email, with the financial signal; correlating a fourth sequence of words, in the second email, with the action request signal; calculating a second risk for the second email representing a second financial attack based on a second combination of the financial signal and the action request signal detected in the second email; in response to the second risk falling below the threshold risk: annotating the third sequence of words in the second email according to the first visual highlighting scheme associated with the financial signal; annotating the fourth sequence of words in the second email according to the second visual highlighting scheme associated with the action request signal; and releasing the second email to an email inbox within the email account at the recipient address; and in response to selection of the second email from the email inbox, rendering the second email with the third sequence of words highlighted according to the first visual highlighting scheme and with the fourth sequence of words highlighted according to the second visual highlighting scheme.

5. The method of claim 1: wherein redirecting the email to the quarantine folder comprises redirecting the email from an email inbox to the quarantine folder within an email account at the recipient address; and further comprising: loading the email into an administrator folder; within an administrator email viewer, in response to selection of the email from the administrator folder: rendering the email with the first sequence of words highlighted in the first color according to the first visual highlighting scheme and with the second sequence of words highlighted in the second color; according to the second visual highlighting scheme; labeling the first color as corresponding to the financial signal; and labeling the second color as corresponding to the action request signal; and in response to manual identification of the email as malicious within the administrator email viewer prior to review of the email in the quarantine folder, discarding the email from the quarantine folder within the email account at the recipient address.

6. The method of claim 1: wherein redirecting the email to the quarantine folder comprises redirecting the email from an email inbox to the quarantine folder within an email account at the recipient address; and further comprising: loading the email into an administrator folder; within an administrator email viewer, in response to selection of the email from the administrator folder: rendering the email with the first sequence of words highlighted in the first color according to the first visual highlighting scheme and with the second sequence of words highlighted in the second color; according to the second visual highlighting scheme labeling the first color as corresponding to the financial signal; and labeling the second color as corresponding to the action request signal; and in response to manual identification of the email as benign within the administrator email viewer prior to review of the email in the quarantine folder, transferring the email from the quarantine folder to the email inbox within the email account at the recipient address.

7. The method of claim 1: further comprising: scanning the email for attachments; in response to detecting an attachment in the email: extracting a set of characters from the attachment; and scanning the set of characters for the set of language signals; correlating a third sequence of words, in the attachment, with a third signal in the set of language signals; and wherein calculating the risk for the email comprises calculating the risk for the email based on the combination of: the financial signal and the action request signal detected in the email; and the third signal detected in the set of characters extracted from the attachment.

8. The method of claim 1: further comprising: intercepting a second email inbound to the recipient address from a sender at a second time; scanning a second body of the second email for the set of language signals; correlating a third sequence of words, in the second email, with a third signal in the set of language signals; correlating a fourth sequence of words, in the second email, with a fourth signal in the set of language signals; calculating a second risk for the second email representing a second financial attack based on a second combination of the third signal and the fourth signal detected in the second email; and in response to the second risk falling below the threshold risk, releasing the second email to an email inbox within an email account at the recipient address; wherein accessing the email comprises intercepting the email inbound to the recipient address from the sender at a first time succeeding the second time; further comprising identifying the first email and the second email as forming an email thread; wherein calculating the risk for the email comprises, in response to identifying the first email and the second email as forming the email thread, calculating the risk for the email thread based on the combination of: the financial signal and the action request signal detected in the email; and the third signal detected in the second email; and further comprising, in response to the risk exceeding the threshold risk, transferring the second email from the email inbox to the quarantine folder within the email account at the recipient address.

9. The method of claim 1: wherein correlating the first sequence of words, in the email, with the financial signal comprises: accessing a first natural language processing model trained on a financial services and financial transaction lexicon; based on the first natural language processing model, identifying the first sequence of words, related to financial transactions, in the email; normalizing the first sequence of words to a first standard financial transaction language concept; and representing the first standard financial transaction language concept in the financial signal; further comprising: based on the first natural language processing model, identifying a third sequence of words, related to financial transactions, in the email; normalizing the third sequence of words to a second standard financial transaction language concept; and representing the second standard financial transaction language concept in a second financial signal; wherein correlating the second sequence of words, in the email, with the action request signal comprises: accessing a second natural language processing model trained on an action request and prompt lexicon; based on the second natural language processing model, identifying the second sequence of words, describing an action request, in the email; normalizing the second sequence of words to a standard action request language concept; and representing the standard action request language concept in the action request signal; further comprising annotating the third sequence of words in the email according to the first visual highlighting scheme; and wherein calculating the risk for the email comprises calculating the risk for the email based on the combination of the financial signal, the second financial signal, and the action request signal detected in the email.

10. The method of claim 1: wherein correlating the first sequence of words, in the email, with the financial signal comprises: accessing a first natural language processing model trained on a financial services and financial transaction lexicon; based on the first natural language processing model, identifying the first sequence of words, related to financial transactions, in the email; normalizing the first sequence of words to a first standard financial transaction language concept; and representing the first standard financial transaction language concept in the financial signal; wherein correlating the second sequence of words, in the email, with the action request signal comprises: accessing a second natural language processing model trained on an action request and prompt lexicon; based on the second natural language processing model, identifying the second sequence of words, describing an action request, in the email; normalizing the second sequence of words to a standard action request language concept; and representing the standard action request language concept in the action request signal; further comprising: accessing a third natural language processing model trained on a sensitive data lexicon; based on the third natural language processing model, identifying a third sequence of words, describing sensitive personal information, in the email; normalizing the third sequence of words to a standard sensitive data language concept; representing the standard sensitive data language concept in a sensitive data signal; and annotating the third sequence of words in the email according to a third visual highlighting scheme associated with the sensitive data signal, the third visual highlighting scheme different from the first visual highlighting scheme and the second visual highlighting scheme; and wherein calculating the risk for the email comprises calculating the risk for the email based on the combination of the financial signal, the action request signal, and the sensitive data signal detected in the email.

11. The method of claim 1: wherein correlating the first sequence of words, in the email, with the financial signal comprises: accessing a first natural language processing model trained on a financial services and financial transaction lexicon; based on the first natural language processing model, identifying the first sequence of words, related to financial transactions, in the email; normalizing the first sequence of words to a first standard financial transaction language concept; and representing the first standard financial transaction language concept in the financial signal; wherein correlating the second sequence of words, in the email, with the action request signal comprises: accessing a second natural language processing model trained on an action request and prompt lexicon; based on the second natural language processing model, identifying the second sequence of words, describing an action request, in the email; normalizing the second sequence of words to a standard action request language concept; and representing the standard action request language concept in the action request signal; further comprising: accessing a third natural language processing model trained on an urgency and deadline lexicon; based on the third natural language processing model, identifying a third sequence of words, describing urgency of the standard action request, in the email; normalizing the third sequence of words to a standard urgency language concept; representing the standard urgency language concept in an urgency data signal; and annotating the third sequence of words in the email according to a third visual highlighting scheme associated with the urgency signal, the third visual highlighting scheme different from the first visual highlighting scheme and the second visual highlighting scheme; and wherein calculating the risk for the email comprises calculating the risk for the email based on the combination of the financial signal, the action request signal, and the urgency signal detected in the email.

12. The method of claim 11, wherein calculating the risk for the email comprises: aggregating the financial signal, the action request signal, and the urgency signal into a target vector; accessing a corpus of stored vectors representing and labeled with known email-based attack types; identifying a particular vector, in the corpus of stored vectors, nearest the target vector in a multi-dimensional feature space; characterizing a distance between the particular vector and the target vector in the multi-dimensional feature space; and calculating the risk for the email inversely proportional to the distance.

13. The method of claim 12: wherein accessing the email comprises intercepting the email inbound to the recipient address within an email domain; and further comprising: retrieving an attribute of a recipient associated with the recipient address; accessing a corpus of risk profiles, each risk profile in the corpus of risk profiles: associated with a set of attributes; and specifying risk thresholds for a set of known email-based attack types based on the set of attributes; associating the recipient address with a particular risk profile, in the corpus of risk profiles, based on the attribute; and reading the risk threshold from the particular risk profile based on a particular email-based attack type represented by the particular vector.

14. The method of claim 1: wherein correlating the first sequence of words, in the email, with the financial signal comprises: accessing a first natural language processing model trained on a financial services and financial transaction lexicon; based on the first natural language processing model, identifying the first sequence of words, related to financial transactions, in the email; normalizing the first sequence of words to a first standard financial transaction language concept; and representing the first standard financial transaction language concept in the financial signal; wherein correlating the second sequence of words, in the email, with the action request signal comprises: accessing a second natural language processing model trained on an action request and prompt lexicon; based on the second natural language processing model, identifying the second sequence of words, describing an action request, in the email; normalizing the second sequence of words to a standard action request language concept; and representing the standard action request language concept in the action request signal; further comprising: extracting a sender address from the email; querying a historical email database for a frequency of historical email communications between the sender address and the recipient addresses; and representing the frequency of historical email communications in a historical communication signal; and wherein calculating the risk for the email comprises calculating the risk for the email based on the combination of: the financial signal and the action request signal detected in the email; and the historical communication signal.

15. The method of claim 1: further comprising accessing a database of attack templates, each attack template in the database of attack templates: representing a known attack type; labeled with a risk score; and specify a set of signals indicative of an email-based attack of the known attack type; and wherein calculating the risk for the email comprises: matching the financial signal and the action request signal detected in the email to a set of set of signals specified in a particular attack template in the database of attack templates; reading a particular risk score from the particular attack template; and calculating the risk for the email based on the particular risk score.

16. The method of claim 1: wherein accessing the email comprises intercepting the email inbound to the recipient address within an email domain; further comprising: accessing a corpus of past emails inbound to recipients within the email domain, the corpus of past emails comprising a first subset of past emails labeled as malicious and a second subset of past emails labeled as benign; detecting financial signals and action request signals in the corpus of past emails; and training a risk model based on the first subset of past emails labeled as malicious, the second subset of past emails labeled as benign, and financial signals and action request signals detected in emails in the corpus of past emails, the risk model configured to return a risk score based on financial signals and action request signals detected in an inbound email; and wherein calculating the risk for the email comprises inserting the financial signal and the action request signal, extracted from the email, into the risk model to calculate the risk for the email.

17. The method of claim 16, wherein training the risk model comprises: initializing the risk model based on the first subset of past emails labeled as malicious, the second subset of past emails labeled as benign, and financial signals and action request signals detected in the corpus of past emails; selecting a third subset of past emails, in the corpus of past emails, excluding malicious and benign labels; for each past email in the third subset of past emails: scanning a past body of the past email for language signals; and inserting language signals, extracted from the past email, into the risk model to calculate a past risk for the past email; identifying a fourth subset of past emails, from the third subset of past emails, associated with past risks exceeding the threshold risk; for each past email in the fourth subset of past emails: generating a prompt to investigate the past email; serving the prompt to an administrator; and labeling the past email according to a response supplied by the administrator; and retraining the risk model based on the first subset of past emails, the second subset of past emails, the fourth subset of past emails, and financial signals and action request signals detected in emails in the corpus of past emails.

18. A method for detecting financial attacks in emails comprising: intercepting an email inbound to a recipient address; scanning a body of the email for a set of language signals; correlating a first sequence of words, in the email, with a financial signal in the set of language signals; correlating a second sequence of words, in the email, with an action request signal in the set of language signals; correlating a third sequence of words, in the email, with an urgency signal in the set of language signals; calculating a risk for the email representing a financial attack based on a combination of the financial signal, the action request signal, and the urgency signal detected in the email; and in response to the risk exceeding a threshold risk: annotating the first sequence of words in the email according to a first visual highlighting scheme associated with the financial signal; annotating the second sequence of words in the email according to a second visual highlighting scheme associated with the action request signal, the second visual highlighting scheme different from the first visual highlighting scheme; annotating the third sequence of words in the email according to a third visual highlighting scheme associated with the urgency signal, the third visual highlighting scheme different from the first visual highlighting scheme and the second visual highlighting scheme; and redirecting the email away from an email inbox associated with the recipient address.

19. A method for detecting financial attacks in emails comprising: intercepting an email inbound to a recipient address; scanning a body of the email for a set of language signals; correlating a first sequence of words, in the email, with a first signal in the set of language signals; correlating a second sequence of words, in the email, with a second signal in the set of language signals; calculating a risk for the email representing a financial attack based on a combination of the first signal and the second signal detected in the email; in response to the risk exceeding a threshold risk: annotating the first sequence of words in the email according to a first visual highlighting scheme associated with the financial signal; annotating the second sequence of words in the email according to a second visual highlighting scheme associated with the action request signal, the second visual highlighting scheme different from the first visual highlighting scheme; and redirecting the email away from an email inbox associated with the recipient address; and in response to selection of the email within an email viewer, rendering the email with the first sequence of words highlighted according to the first visual highlighting scheme and with the second sequence of words highlighted according to the second visual highlighting scheme.

20. The method of claim 19: wherein intercepting the email comprises intercepting the email inbound to the recipient address within an email domain; and further comprising: retrieving an attribute of a recipient associated with the recipient address; accessing a risk schedule specifying a set of threshold risks, each threshold risk in the set of threshold risks associated with a unique combination of recipient attributes and based on malicious targeting frequency of recipients represented by the unique combination of recipient attributes within the email domain; and selecting the threshold risk, from the risk schedule, based on the attribute of the recipient.

Current Application 17839847
1. A method comprising: during an initial time period: accessing a first corpus of emails sent from a first email account prior to the initial time period; correlating sequences of words, in bodies of emails in the first corpus of emails, with a first set of language signals; aggregating the first set of language signals into a first sender model that represents combinations of language signals, in the first set of language signals, characteristic of language in bodies of emails sent from the first email account; and associating the first sender model with the first email account; and during a first time period succeeding the initial time period: accessing a first email outbound from the first email account and directed to a first recipient; scanning a body of the first email for the first set of language signals; correlating a first sequence of words, in the first email, with a financial signal in the first set of language signals; correlating a second sequence of words, in the first email, with an action request signal in the first set of language signals; calculating a first similarity score for the first email based on the financial signal detected in the first email, the action request signal detected in the first email, and the first sender model; and in response to the first similarity score falling below a threshold similarity, redirecting the first email away from the first recipient.

2. The method of claim 1: further comprising: annotating the first sequence of words in the first email according to a first visual highlighting scheme associated with the financial signal; and annotating the second sequence of words in the first email according to a second visual highlighting scheme associated with the action request signal, the second visual highlighting scheme different from the first visual highlighting scheme; and wherein redirecting the first email away from the first recipient comprises: redirecting the first email to a quarantine folder; and prompting security personnel to investigate the first email account for compromise.

3. The method of claim 2: wherein correlating the first sequence of words, in the first email, with the financial signal comprises: accessing a first natural language processing model trained on a financial services and financial transaction lexicon; based on the first natural language processing model, identifying the first sequence of words, related to financial transactions, in the first email; normalizing the first sequence of words to a first standard financial transaction language concept; and representing the first standard financial transaction language concept in the financial signal; further comprising: based on the first natural language processing model, identifying a third sequence of words, related to financial transactions, in the first email; normalizing the third sequence of words to a second standard financial transaction language concept; and representing the second standard financial transaction language concept in a second financial signal; wherein correlating the second sequence of words, in the first email, with the action request signal comprises: accessing a second natural language processing model trained on an action request and prompt lexicon; based on the second natural language processing model, identifying the second sequence of words, describing an action request, in the first email; normalizing the second sequence of words to a standard action request language concept; and representing the standard action request language concept in the action request signal; further comprising annotating the third sequence of words in the first email according to the first visual highlighting scheme; and wherein calculating the first similarity score for the first email comprises calculating the first similarity score for the first email based on the financial signal detected in the first email, the second the financial signal detected in the first email, the action request signal detected in the first email, and the first sender model.

4. The method of claim 1, further comprising, during the first time period: accessing a third email outbound from the first email account and directed to a third recipient; scanning a third body of the third email for the first set of language signals; correlating sequences of words, in the third email, with a third subset of language signals in the first set of language signals; calculating a third similarity score for the third email based on the third subset of language signals and the first sender model; and in response to the third similarity score exceeding the threshold similarity and falling below a minimum similarity: labeling the third email as suspicious; and releasing the third email to the third recipient.

5. The method of claim 1, further comprising: during the initial time period: accessing a second corpus of emails sent from a second email account prior to the initial time period; correlating sequences of words, in bodies of emails in the second corpus of emails, with a second set of language signals; aggregating the second set of language signals into a second sender model that represents combinations of language signals, in the second set of language signals, characteristic of language in bodies of emails sent from the second email account; and associating the second sender model with the second email account; and during the second time period: accessing a second email outbound from the second email account and directed to a second recipient; scanning a body of the second email for the first set of language signals; correlating sequence of words, in the second email, with a second subset of the first set of language signals; calculating a second similarity score for the second email based on the second subset of language signals detected in the second email and the second sender model; in response to the second similarity score exceeding the threshold similarity: releasing the second email to the second recipient; and labeling the second email account as secure; and in response to the first similarity score of the first email falling below the threshold similarity: flagging the first email account as compromised; and prompting security personnel to investigate the first email account for compromise.

6. The method of claim 1: wherein correlating sequences of words, in bodies of emails in the first corpus of emails, with the first set of language signals comprises: scanning bodies of emails in the first corpus of emails for the first set of language signals comprising: financial signals; sensitive information signals; action signals; urgency signals; deadline signals; keyword signals; and syntax signals; and detecting combinations of language signals, in the first set of language signals, in bodies of emails in the first corpus of emails; and wherein aggregating the first set of language signals into the first sender model comprises training the first sender model to calculate similarities of new emails sent from the first sender account and the first corpus of emails based on: combinations of language signals, in the first set of language signals, in bodies of emails in the first corpus of emails; and language signals detected in new emails sent from the first sender account.

7. The method of claim 1: further comprising, during a second time period preceding the initial time period: accessing a second corpus of emails sent from email accounts within a first group of users, within an email domain, prior to the second time period; correlating sequences of words, in bodies of emails in the second corpus of emails, with a second set of language signals; aggregating the second set of language signals into a group sender model that represents combinations of language signals, in the second set of language signals, characteristic of language in bodies of emails sent from email accounts in the first group of users; in response to activation of the first email account, within the first group of users, associating the group sender model with the first email account; accessing a second email outbound from the first email account and directed to a second recipient; scanning a body of the second email for the first set of language signals; correlating sequences of words, in the second email, with a second subset of language signals in the second set of language signals; calculating a second similarity score for the second email based on the second subset of language signals and the group sender model; and in response to the second similarity score exceeding a threshold group similarity, releasing the second email to the second recipient; and wherein aggregating the first set of language signals into the first sender model comprises aggregating the first set of language signals into the first sender model in response to a quantity of emails in the first corpus of emails, sent from the first email account, exceeding a threshold quantity.

8. The method of claim 7: further comprising calculating a first group similarity score for the first email based on the financial signal detected in the first email, the action request signal detected in the first email, and the group sender model; and wherein redirecting the first email away from the first recipient comprises quarantining the first email: in response to the first similarity score falling below the threshold similarity; and in response to the first group similarity score falling below the threshold group similarity.

9. The method of claim 7, further comprising, during the first time period: accessing a third email outbound from the first email account and directed to a third recipient; scanning a third body of the third email for the first set of language signals; correlating sequences of words, in the third email, with a third subset of language signals in the first set of language signals; calculating a third similarity score for the third email based on the third subset of language signals and the first sender model; calculating a third group similarity score for the third email based on the third subset of language signals and the group sender model; and in response to the third similarity score falling below the threshold similarity and in response to the third group similarity score exceeding the threshold group similarity: labeling the third email as suspicious; and releasing the third email to the third recipient.

10. The method of claim 7: wherein aggregating the second set of language signals into the group sender model comprises generating the group sender model that represents combinations of language signals characteristic of language in bodies of emails sent from email accounts of the first group of users within a department within an organization associated with the email domain; and wherein associating the group sender model with the first email account comprises associating the group sender model with the first email account in response to activation of the first email account for a new user within the first group of users in the department within the organization.

11. The method of claim 1: further comprising, during the initial time period: in response to a quantity of emails in the first corpus of emails, sent from the first email account prior to the initial time period, falling below a threshold quantity: retrieving a first characteristic of a first user associated with the first email account; accessing a second corpus of emails sent from a second set of email accounts associated with a group of users exhibiting the first characteristic; and correlating sequences of words, in bodies of emails in the second corpus of emails, with a second set of language signals; and wherein aggregating the first set of language signals into the first sender model comprises aggregating the first set of language signals and the second set of language signals into the first sender model.

12. The method of claim 11: wherein retrieving the first characteristic of the first user comprises identifying a department, within an organization, employing the first user; and wherein accessing the second corpus of emails comprises accessing the second corpus of emails sent from the second set of email accounts associated with the group of users employed within the department within the organization.

13. The method of claim 11, further comprising, during a second time period succeeding the initial time period: in response to the quantity of emails in the first corpus of emails, sent from the first email account prior to the second time period, exceeding the threshold quantity: retraining the first sender model based on the first set of language signals, derived from the first corpus of emails, and exclusive of the second set of language signals, derived from the second corpus of emails.

14. The method of claim 1: wherein accessing the first corpus of emails comprises accessing the first corpus of emails sent from a set of email accounts associated with a group of users, the group of users comprising a first user associated with the first email account; and wherein aggregating the first set of language signals into the first sender model comprises training the first sender model to characterize similarities of emails sent from the set of email accounts after the initial time period to emails sent from the set of email accounts prior to the initial time period.

15. The method of claim 14, wherein accessing the first corpus of emails comprises accessing the first corpus of emails sent from the set of email accounts associated with the group of users employed within a particular department within a particular organization.

16. The method of claim 1: wherein accessing the first corpus of emails comprises accessing the first corpus of emails sent from the first email account to a first set of recipients associated with a first recipient characteristic prior to the initial time period; wherein aggregating the first set of language signals into the first sender model comprises aggregating the first set of language signals into the first sender model that represents combinations of language signals characteristic of language in bodies of emails sent from the first email account to recipients associated with the first recipient characteristic; wherein associating the first sender model with the first email account comprises associating the first sender model with the first email account and the first recipient characteristic; wherein calculating the first similarity score for the first email comprises: identifying the first recipient of the first email as associated with the first recipient characteristic; and calculating the first similarity score for the first email based on the financial signal detected in the first email, the action request signal detected in the first email, and the first sender model associated with the first recipient characteristic; further comprising, during the initial time period: accessing a second corpus of emails sent from the first email account to a second set of recipients associated with a second recipient characteristic prior to the initial time period; correlating sequences of words, in bodies of emails in the second corpus of emails, with a second set of language signals; aggregating the second set of language signals into a second sender model that represents combinations of language signals characteristic of language in bodies of emails sent from the first email account to recipients associated with the second recipient characteristic; and associating the second sender model with the first email account and the second recipient characteristic; and during a second time period succeeding the initial time period: accessing a second email outbound from the first email account and directed to a second recipient associated with the second recipient characteristic; scanning a body of the second email for the second set of language signals; correlating sequences of words, in the second email, with a second subset of language signals in the second set of language signals; identifying the second recipient of the second email as associated with the second recipient characteristic; calculating a second similarity score for the second email based on the second subset of language signals detected in the second email and the second sender model; and in response to the second similarity score exceeding the threshold similarity, releasing the second email to the second recipient.

17. The method of claim 16: wherein accessing the first corpus of emails comprises accessing the first corpus of emails sent from the first email account to the first set of recipients associated with the first recipient characteristic comprising a professional affiliation with the first email account; and wherein accessing the second corpus of emails comprises accessing the second corpus of emails sent from the first email account to the second set of recipients associated with the second recipient characteristic comprising a personal affiliation with the first email account.

18. A method comprising: during an initial time period: accessing a first corpus of emails sent from a first email account prior to the initial time period; correlating sequences of words, in bodies of emails in the first corpus of emails, with a first set of language signals; aggregating the first set of language signals into a first sender model that represents combinations of language signals, in the first set of language signals, characteristic of language in bodies of emails sent from the first email account; and associating the first sender model with the first email account; and during a first time period succeeding the initial time period: accessing a first email outbound from the first email account and directed to a first recipient; scanning a body of the first email for the first set of language signals; correlating sequences of words, in the first email, with a first subset of language signals in the first set of language signals; calculating a first similarity score for the first email based on the first subset of language signals detected in the first email and the first sender model; and in response to the first similarity score falling below a threshold similarity: flagging the first email as suspicious; and redirecting the first email away from the first recipient.

19. A method comprising: during an initial time period: accessing a first corpus of emails inbound to a first email account prior to the initial time period; correlating sequences of words, in bodies of emails in the first corpus of emails, with a first set of language signals; aggregating the first set of language signals into a first recipient model that represents combinations of language signals, in the first set of language signals, characteristic of language in bodies of emails received at the first email account; and associating the first recipient model with the first email account; and during a first time period succeeding the initial time period: accessing a first email inbound to the first email account; scanning a body of the first email for the first set of language signals; correlating sequences of words, in the first email, with a first subset of language signals in the first set of language signals; calculating a first similarity score for the first email based on the first subset of language signals detected in the first email and the first recipient model; and in response to the first similarity score falling below a threshold similarity: flagging the first email as suspicious; and redirecting the first email away from the first email account.

20. The method of claim 19: wherein accessing the first corpus of emails comprises accessing the first corpus of emails sent to the first email account from a first set of senders associated with a first sender characteristic prior to the initial time period; wherein aggregating the first set of language signals into the first recipient model comprises aggregating the first set of language signals into the first recipient model that represents combinations of language signals characteristic of language in bodies of emails sent from the first set of senders, associated with the first sender characteristic, to the first email account; wherein associating the first recipient model with the first email account comprises associating the first recipient model with the first email account and the first sender characteristic; wherein calculating the first similarity score for the first email comprises: identifying a first sender of the first email as associated with the first sender characteristic; and calculating the first similarity score for the first email based on the first subset of language signals detected in the first email, the first recipient model, and the first sender characteristic of the first sender; further comprising, during the initial time period: accessing a second corpus of emails sent to the first email account from a second set of senders associated with a second sender characteristic prior to the initial time period; correlating sequences of words, in bodies of emails in the second corpus of emails, with a second set of language signals; aggregating the second set of language signals into a second recipient model that represents combinations of language signals characteristic of language in bodies of emails sent to the first email account from senders associated with the second sender characteristic; and associating the second recipient model with the first email account and the second sender characteristic; and during a second time period succeeding the initial time period: accessing a second email inbound to the first email account and sent from a second sender; scanning a body of the second email for the second set of language signals; correlating sequences of words, in the second email, with a second subset of language signals in the second set of language signals; identifying the second sender of the second email as associated with the second sender characteristic; calculating a second similarity score for the second email based on the second subset of language signals detected in the second email and the second recipient model; and in response to the second similarity score exceeding the threshold similarity, releasing the second email to the second recipient.


This is a provisional nonstatutory double patenting rejection because the patentably indistinct claims have not in fact been patented.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-2, 4-5, 7-12, 14-15, and 18-19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Shi (US 2022/0141252 A1) in view of LaRosa (US 2017/0251006 A1).

Regarding claims 1, 18, and 19, Shi discloses a method (Shi: Claim 18, “A method to support data filtering in machine learning (ML)”) comprising: 
	during an initial time period (Shi: Paragraph [0017], “the data filtering and training engine 102 is configured to collect a set of data or information associated with a user, wherein such data includes but is not limited to electronic messages and/or web-based resources such as websites originated, authored, or owned by the user. In some embodiments, the data is collected from a content database 106, which is configured to maintain archived electronic messages that have been audited and verified to be originated or authored by the user in the past”, and Figure 1): 
		accessing a first corpus of emails sent from a first email account prior to the initial time period (Shi: Paragraph [0017], “the data filtering and training engine 102 is configured to collect a set of data or information associated with a user, wherein such data includes but is not limited to electronic messages and/or web-based resources such as websites originated, authored, or owned by the user. In some embodiments, the data is collected from a content database 106, which is configured to maintain archived electronic messages that have been audited and verified to be originated or authored by the user in the past”, and Figure 1); 
		correlating sequences of words, in bodies of emails in the first corpus of emails, with a first set of language signals (Shi: Paragraph [0019], “in the case of electronic messages, the ML models capture the user's unique writing styles and/or patterns including but not limited to how often the user uses certain types of punctuations such as exclamations and/or semi-colons, how the user addresses other people either internally or externally in the content, how the user signs at the conclusions of the electronic messages”); 
		aggregating the first set of language signals into a first sender model that represents combinations of language signals, in the first set of language signals, characteristic of language in bodies of emails sent from the first email account (Shi: Paragraph [0019], “Once the features are filtered and extracted from the data collected from each user, the data filtering and training engine 102 is configured to train one or more machine learning (ML) models for the user using these extracted features instead of using the full set of collected data. For each user from whom the data is being collected, the ML models establishes key characteristics and/or stats for the user based on and enriched by the extracted features. In some embodiments, the characteristics and/or stats of the ML models for each user are maintained in the ML model database 108”); 
		and associating the first sender model with the first email account (Shi: Paragraph [0019], “Once the features are filtered and extracted from the data collected from each user, the data filtering and training engine 102 is configured to train one or more machine learning (ML) models for the user using these extracted features instead of using the full set of collected data. For each user from whom the data is being collected, the ML models establishes key characteristics and/or stats for the user based on and enriched by the extracted features. In some embodiments, the characteristics and/or stats of the ML models for each user are maintained in the ML model database 108”, and Paragraph [0020], “email address”); 
	and during a first time period succeeding the initial time period (Shi: Paragraph [0020], “the impersonation attack detection engine 110 is configured to intercept and/or monitor an electronic message or web-based resource purportedly from a user. The impersonation attack detection engine 110 is then configured to examine the content of the electronic message or web-based resource to determine or predict if the electronic message or web-based resource is actually from the user (and not impersonated by a hacker) based on the evaluation of applicable ML models maintained in the ML model database 108”; this occurs after the training of the ML models): 
		accessing a first email outbound from the first email account and directed to a first recipient (Shi: Paragraph [0020], “the impersonation attack detection engine 110 is configured to intercept and/or monitor an electronic message or web-based resource purportedly from a user. The impersonation attack detection engine 110 is then configured to examine the content of the electronic message or web-based resource to determine or predict if the electronic message or web-based resource is actually from the user (and not impersonated by a hacker) based on the evaluation of applicable ML models maintained in the ML model database 108”); 
		scanning a body of the first email for the first set of language signals (Shi: Paragraph [0020], “the impersonation attack detection engine 110 is configured to intercept and/or monitor an electronic message or web-based resource purportedly from a user. The impersonation attack detection engine 110 is then configured to examine the content of the electronic message or web-based resource to determine or predict if the electronic message or web-based resource is actually from the user (and not impersonated by a hacker) based on the evaluation of applicable ML models maintained in the ML model database 108”); 
		correlating a first sequence of words, in the first email, with a first characteristic (Shi: Paragraphs [0020] and [0021], “the impersonation attack detection engine 110 is configured to iterate through one or more rounds of data filtering and apply each of the matching ML models to the intercepted electronic message or the web-based resource for a model-specific determination at each iteration. If one or more of the ML models predicts the electronic message to be suspicious during any round of data filtering, e.g., the intercepted electronic message uses different patterns or styles of signatures and/or punctuations from what are uniquely associated with the user…”); 
		correlating a second sequence of words, in the first email, with a second characteristic (Shi: Paragraphs [0020] and [0021], “the impersonation attack detection engine 110 is configured to iterate through one or more rounds of data filtering and apply each of the matching ML models to the intercepted electronic message or the web-based resource for a model-specific determination at each iteration. If one or more of the ML models predicts the electronic message to be suspicious during any round of data filtering, e.g., the intercepted electronic message uses different patterns or styles of signatures and/or punctuations from what are uniquely associated with the user…”); 
		detecting impersonation for the first email based on the characteristics detected in the first email, and the first sender model (Shi: Paragraphs [0020] and [0021], “the impersonation attack detection engine 110 is configured to iterate through one or more rounds of data filtering and apply each of the matching ML models to the intercepted electronic message or the web-based resource for a model-specific determination at each iteration. If one or more of the ML models predicts the electronic message to be suspicious during any round of data filtering, e.g., the intercepted electronic message uses different patterns or styles of signatures and/or punctuations from what are uniquely associated with the user…”);
		and in response to impersonation detection, flagging the first email as suspicious and redirecting the first email away from the first recipient/email account (Shi: Paragraphs [0020] and [0021], “the impersonation attack detection engine 110 is configured to iterate through one or more rounds of data filtering and apply each of the matching ML models to the intercepted electronic message or the web-based resource for a model-specific determination at each iteration. If one or more of the ML models predicts the electronic message to be suspicious during any round of data filtering, e.g., the intercepted electronic message uses different patterns or styles of signatures and/or punctuations from what are uniquely associated with the user, the impersonation attack detection engine 110 is configured to mark the electronic message as high risk and alert a system administrator accordingly, who may then check and confirm if the electronic message is part of an impersonation attack… the impersonation attack detection engine 110 is configured to quarantine any electronic messages marked as high risk and to block or redirect any access request to the web-based resources marked as high risk if any malicious and/or evasive behavior is found”).

	Shi does not explicitly disclose steps for: 
		correlating a first sequence of words, in the first email, with a financial signal in the first set of language signals; 
		correlating a second sequence of words, in the first email, with an action request signal in the first set of language signals; 
		calculating a first similarity score for the first email based on the financial signal detected in the first email, the action request signal detected in the first email, and the first sender model; 
		and in response to the first similarity score falling below a threshold similarity…

	However, LaRosa discloses steps for: 
		correlating a first sequence of words, in the first email, with a financial signal in the first set of language signals (LaRosa: Paragraph [0099], “communications linguistics and learned patterns as the training input data to proactively attempt to predict deviations and outliers in the types of communications occurring. As the communications are classified, they will feed back to the social graph tagging messages with the predicted communications classifiers, e.g., financial transactions, supply chain activity, header/footer mismatches, abnormal increases in the use of formality, etc.”); 
		correlating a second sequence of words, in the first email, with an action request signal in the first set of language signals (LaRosa: Paragraph [0038], “i. scoring all activity occurring in real-time using multiple parameters to identify thresholds of risk for actions to be taken”); 
		calculating a first similarity score for the first email based on the financial signal detected in the first email, the action request signal detected in the first email, and the first sender model (LaRosa: Paragraph [0108], “Evaluating an email's cumulative score to determine message processing”; this includes similarity scores across multiple vectors); 
		and in response to the first similarity score falling below a threshold similarity (LaRosa: Paragraph [0111], “3. Quarantining, or otherwise isolating, messages that are over the organizational tolerance level of risk points going forward for later manual review or modifying the message to send to recipients with a warning indicator of risk score data.”)…

	Shi and LaRosa are analogous art in the same field of endeavor as the instant invention as both are drawn to email impersonation detection. The differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains; that is, it would have been obvious to incorporate LaRosa’s scoring and thresholds into the system of Shi to allow for greater granularity and efficiency. 


Shi-LaRosa teaches 2. The method of Claim 1: wherein redirecting the first email away from the first recipient comprises: 
		redirecting the first email to a quarantine folder (Shi: Paragraphs [0020] and [0021], “mark the electronic message as high risk and alert a system administrator accordingly, who may then check and confirm if the electronic message is part of an impersonation attack… the impersonation attack detection engine 110 is configured to quarantine any electronic messages marked as high risk”; and LaRosa: Paragraph [0111], “3. Quarantining, or otherwise isolating, messages that are over the organizational tolerance level of risk points going forward for later manual review or modifying the message to send to recipients with a warning indicator of risk score data.”); 
	and prompting security personnel to investigate the first email account for compromise (Shi: Paragraphs [0020] and [0021], “mark the electronic message as high risk and alert a system administrator accordingly, who may then check and confirm if the electronic message is part of an impersonation attack… the impersonation attack detection engine 110 is configured to quarantine any electronic messages marked as high risk”; and LaRosa: Paragraph [0111], “3. Quarantining, or otherwise isolating, messages that are over the organizational tolerance level of risk points going forward for later manual review or modifying the message to send to recipients with a warning indicator of risk score data.”).
	Shi-LaRosa does not explicitly disclose: 
		annotating the first sequence of words in the first email according to a first visual highlighting scheme associated with the financial signal; 
		and annotating the second sequence of words in the first email according to a second visual highlighting scheme associated with the action request signal, the second visual highlighting scheme different from the first visual highlighting scheme.
	However, Examiner takes Official Notice that using different colors/highlighting for different word matches was well known by/before the time of the instant invention. It would have been obvious to a person having ordinary skill in the art to have incorporated such a visual highlighting scheme in the system of Shi-LaRosa to aid manual review of suspect messages. 

Shi-LaRosa teaches 4. The method of Claim 1, further comprising, during the first time period: 
	accessing a third email outbound from the first email account and directed to a third recipient (Shi: Paragraph [0020], “the impersonation attack detection engine 110 is configured to intercept and/or monitor an electronic message or web-based resource purportedly from a user. The impersonation attack detection engine 110 is then configured to examine the content of the electronic message or web-based resource to determine or predict if the electronic message or web-based resource is actually from the user (and not impersonated by a hacker) based on the evaluation of applicable ML models maintained in the ML model database 108”); 
	scanning a third body of the third email for the first set of language signals (Shi: Paragraph [0020], “the impersonation attack detection engine 110 is configured to intercept and/or monitor an electronic message or web-based resource purportedly from a user. The impersonation attack detection engine 110 is then configured to examine the content of the electronic message or web-based resource to determine or predict if the electronic message or web-based resource is actually from the user (and not impersonated by a hacker) based on the evaluation of applicable ML models maintained in the ML model database 108”); 
	correlating sequences of words, in the third email, with a third subset of language signals in the first set of language signals (Shi: Paragraph [0020], “the impersonation attack detection engine 110 is configured to intercept and/or monitor an electronic message or web-based resource purportedly from a user. The impersonation attack detection engine 110 is then configured to examine the content of the electronic message or web-based resource to determine or predict if the electronic message or web-based resource is actually from the user (and not impersonated by a hacker) based on the evaluation of applicable ML models maintained in the ML model database 108”); 
	calculating a third similarity score for the third email based on the third subset of language signals and the first sender model (LaRosa: Paragraph [0017], “generate a risk score for the communication as function of the comparison to the stored relationships and associated characterizations; and process the communication as function of a comparison of the generated risk score to one more predetermined threshold values comprising: an alerting threshold value, a notification threshold value, and a communications labeling threshold value.”); 
	and in response to the third similarity score exceeding the threshold similarity and falling below a minimum similarity (LaRosa: Paragraph [0017], “generate a risk score for the communication as function of the comparison to the stored relationships and associated characterizations; and process the communication as function of a comparison of the generated risk score to one more predetermined threshold values comprising: an alerting threshold value, a notification threshold value, and a communications labeling threshold value.”): 
	labeling the third email as suspicious (Shi: Paragraph [0020], “If one or more of the ML models predicts the electronic message to be suspicious during any round of data filtering, e.g., the intercepted electronic message uses different patterns or styles of signatures and/or punctuations from what are uniquely associated with the user, the impersonation attack detection engine 110 is configured to mark the electronic message as high risk and alert a system administrator accordingly, who may then check and confirm if the electronic message is part of an impersonation attack.”; LaRosa: Abstract, “Suspicious emails can be held and flagged for later review, discarded or passed through with an alert raised indicating a review is needed.”); 
	and releasing the third email to the third recipient (Shi: Paragraph [0020], “If one or more of the ML models predicts the electronic message to be suspicious during any round of data filtering, e.g., the intercepted electronic message uses different patterns or styles of signatures and/or punctuations from what are uniquely associated with the user, the impersonation attack detection engine 110 is configured to mark the electronic message as high risk and alert a system administrator accordingly, who may then check and confirm if the electronic message is part of an impersonation attack.”; LaRosa: Abstract, “Suspicious emails can be held and flagged for later review, discarded or passed through with an alert raised indicating a review is needed.”).

Shi-LaRosa teaches 5. The method of Claim 1, further comprising: 
	during the initial time period: 
	accessing a second corpus of emails sent from a second email account prior to the initial time period; 
	correlating sequences of words, in bodies of emails in the second corpus of emails, with a second set of language signals; 
	aggregating the second set of language signals into a second sender model that represents combinations of language signals, in the second set of language signals, characteristic of language in bodies of emails sent from the second email account; 
	and associating the second sender model with the second email account; 
	and during the second time period: 
	accessing a second email outbound from the second email account and directed to a second recipient; 
	scanning a body of the second email for the first set of language signals; 
	correlating sequence of words, in the second email, with a second subset of the first set of language signals; 
	calculating a second similarity score for the second email based on the second subset of language signals detected in the second email and the second sender model; 
	in response to the second similarity score exceeding the threshold similarity: 
	releasing the second email to the second recipient; 
	and labeling the second email account as secure; 
	and in response to the first similarity score of the first email falling below the threshold similarity: 
	flagging the first email account as compromised; 
	and prompting security personnel to investigate the first email account for compromise (as above; the system is applied to multiple users).

Shi-LaRosa teaches 7. The method of Claim 1: 
	further comprising, during a second time period preceding the initial time period: 
	accessing a second corpus of emails sent from email accounts within a first group of users, within an email domain, prior to the second time period; 
	correlating sequences of words, in bodies of emails in the second corpus of emails, with a second set of language signals; 
	aggregating the second set of language signals into a group sender model that represents combinations of language signals, in the second set of language signals, characteristic of language in bodies of emails sent from email accounts in the first group of users; 
	in response to activation of the first email account, within the first group of users, associating the group sender model with the first email account; 
	accessing a second email outbound from the first email account and directed to a second recipient; 
	scanning a body of the second email for the first set of language signals; 
	correlating sequences of words, in the second email, with a second subset of language signals in the second set of language signals; 
	calculating a second similarity score for the second email based on the second subset of language signals and the group sender model; 
	and in response to the second similarity score exceeding a threshold group similarity, releasing the second email to the second recipient; 
	and wherein aggregating the first set of language signals into the first sender model comprises aggregating the first set of language signals into the first sender model in response to a quantity of emails in the first corpus of emails, sent from the first email account, exceeding a threshold quantity (as above; the system is applied to multiple users; and Shi: Paragraph [0013], “As used hereinafter, the term “user” (or “users”) refers not only to a person or human being, but also to an organization, a group of organizations, a country, and even a continent that may send or receive an electronic message, own a web-based resource, or possess any content that may be subject to an impersonation attack.”; LaRosa: Paragraph [0048], “frequency of the communications”).

Shi-LaRosa teaches 8. The method of Claim 7: 
	further comprising calculating a first group similarity score for the first email based on the financial signal detected in the first email, the action request signal detected in the first email, and the group sender model; 
	and wherein redirecting the first email away from the first recipient comprises quarantining the first email: 
	in response to the first similarity score falling below the threshold similarity; 
	and in response to the first group similarity score falling below the threshold group similarity (as above; the system is applied to multiple users; and Shi: Paragraph [0013], “As used hereinafter, the term “user” (or “users”) refers not only to a person or human being, but also to an organization, a group of organizations, a country, and even a continent that may send or receive an electronic message, own a web-based resource, or possess any content that may be subject to an impersonation attack.”).

Shi-LaRosa teaches 9. The method of Claim 7, further comprising, during the first time period: 
	accessing a third email outbound from the first email account and directed to a third recipient; 
	scanning a third body of the third email for the first set of language signals; 
	correlating sequences of words, in the third email, with a third subset of language signals in the first set of language signals; 
	calculating a third similarity score for the third email based on the third subset of language signals and the first sender model; 
	calculating a third group similarity score for the third email based on the third subset of language signals and the group sender model; 
	and in response to the third similarity score falling below the threshold similarity and in response to the third group similarity score exceeding the threshold group similarity: 
	labeling the third email as suspicious; 
	and releasing the third email to the third recipient (as above; the system is applied to multiple users; and Shi: Paragraph [0013], “As used hereinafter, the term “user” (or “users”) refers not only to a person or human being, but also to an organization, a group of organizations, a country, and even a continent that may send or receive an electronic message, own a web-based resource, or possess any content that may be subject to an impersonation attack.”).

Shi-LaRosa teaches 10. The method of Claim 7: 
	wherein aggregating the second set of language signals into the group sender model comprises generating the group sender model that represents combinations of language signals characteristic of language in bodies of emails sent from email accounts of the first group of users within a department within an organization associated with the email domain; 
	and wherein associating the group sender model with the first email account comprises associating the group sender model with the first email account in response to activation of the first email account for a new user within the first group of users in the department within the organization (Shi: Paragraph [0013], “As used hereinafter, the term “user” (or “users”) refers not only to a person or human being, but also to an organization, a group of organizations, a country, and even a continent that may send or receive an electronic message, own a web-based resource, or possess any content that may be subject to an impersonation attack.”; it is understood that new user accounts associated with the group would inherit group properties).

Shi-LaRosa teaches 11. The method of Claim 1: 
	further comprising, during the initial time period: 
	in response to a quantity of emails in the first corpus of emails, sent from the first email account prior to the initial time period, falling below a threshold quantity: 
	retrieving a first characteristic of a first user associated with the first email account; 
	accessing a second corpus of emails sent from a second set of email accounts associated with a group of users exhibiting the first characteristic; 
	and correlating sequences of words, in bodies of emails in the second corpus of emails, with a second set of language signals; 
	and wherein aggregating the first set of language signals into the first sender model comprises aggregating the first set of language signals and the second set of language signals into the first sender model (LaRosa: Paragraph [0043], “learning business relationship networks of communications relating to situational business activity over time provides business relationships networks that are created to identify working behavior groups relating to “hot patterns” for comparative analytics based on specific organizational threats”).

Shi-LaRosa teaches 12. The method of Claim 11: 
	wherein retrieving the first characteristic of the first user comprises identifying a department, within an organization, employing the first user; 
	and wherein accessing the second corpus of emails comprises accessing the second corpus of emails sent from the second set of email accounts associated with the group of users employed within the department within the organization (LaRosa: Paragraph [0059], “The connector is dynamically adjusted allowing for the mapping of different AD fields to the input fields of the social graph as deemed necessary. Additional custom fields can also be added as required if additional AD attributes would be valuable to include, for example: Last Name, First Name, Title, Group.”).

Shi-LaRosa teaches 14. The method of Claim 1: 
	wherein accessing the first corpus of emails comprises accessing the first corpus of emails sent from a set of email accounts associated with a group of users, the group of users comprising a first user associated with the first email account; 
	and wherein aggregating the first set of language signals into the first sender model comprises training the first sender model to characterize similarities of emails sent from the set of email accounts after the initial time period to emails sent from the set of email accounts prior to the initial time period (as above; the system is applied to multiple users; and Shi: Paragraph [0013], “As used hereinafter, the term “user” (or “users”) refers not only to a person or human being, but also to an organization, a group of organizations, a country, and even a continent that may send or receive an electronic message, own a web-based resource, or possess any content that may be subject to an impersonation attack.”).

Shi-LaRosa teaches 15. The method of Claim 14, wherein accessing the first corpus of emails comprises accessing the first corpus of emails sent from the set of email accounts associated with the group of users employed within a particular department within a particular organization (as above; the system is applied to multiple users; and Shi: Paragraph [0013], “As used hereinafter, the term “user” (or “users”) refers not only to a person or human being, but also to an organization, a group of organizations, a country, and even a continent that may send or receive an electronic message, own a web-based resource, or possess any content that may be subject to an impersonation attack.”).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
	Peace (US 2012/0030115 A1) describes a system for preventing fraudulent transactions by detecting email impersonations. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to IMAD HUSSAIN whose telephone number is (571)270-3628. The examiner can normally be reached Monday-Friday 0900-1700 ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kamal Divecha can be reached on (571) 272-5863. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/IMAD HUSSAIN/Primary Examiner, Art Unit 2453