DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
Applicant’s arguments, see pages 11-15 of Remarks, filed on 11/15/2022, with respect to the 35 U.S.C. § 101 rejection of claims 1-20 have been fully considered and are persuasive.  The 35 U.S.C. § 101 rejection of claims 1-20 has been withdrawn. 
Applicant’s arguments with respect to claim(s) 1, 10, and 17 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1, 3, 4, 5, 6, 7, 9, 10, 12, 13, 14, 16, 17, 18, 19, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Astiz US PGPUB No. 20180018387 in view of Xavier et al US Patent No. 11075930 and further in view of Korotkikh US PGPUB No. US20220109649.


Regarding Claim 1: Astiz teaches an apparatus comprising: 
a processor; ([Astiz ¶0023] “In one implementation, the computing device 200 can include … a processor 208 …”) and 
a memory on which is stored machine-readable instructions that when executed by the processor ([Astiz ¶0023] “In one implementation, the computing device 200 can include … and a memory 212. … The memory 212 can be any suitable storage medium (flash, hard disk, etc.) configured to store information at the computing device 200, such as a set of instructions for execution by the processor 208.” Thus, the memory stores the instructions which are executed by processor.), cause the processor to: 
identify features in a plurality of messages communicated between senders and receivers, wherein the identified features include information related to the senders of the plurality of messages; ([Astiz ¶0016] “the present disclosure provides a system and method that receives a plurality of email messages. Each of the email messages includes text, has a subject in a subject field (which can be considered to comprise a portion of the text), and is associated with both a sender and a recipient.” [Astiz ¶0025] “The computing device 200 can receive a plurality of email messages 310 - 1, 310 - 2, . . . 310 - m (referred to herein individually and collectively as " email message (s) 310”).” [Astiz ¶0018] “Examples of email specific features include, but are not limited to, one or more words preceding the alphanumeric candidate, a position in the originating email at which the alphanumeric candidate is located, the subject of the originating email, and the sender of the originating email.” Thus, when the system received the plurality of email messages from a recipient to a sender, the features are identified where the identified features include the information of sender.)  
determine common patterns in the identified features in the plurality of messages, including identifying messages that were received … within a predefined time window; ([Astiz ¶0019] “Accordingly, such recipient specific features can be determined by analyzing emails in the collection of emails in which the particular alphanumeric candidate is present and which share the same recipient as the originating email. These recipient specific features can be indicative of the type of the alphanumeric candidates. For example, only, if a particular alphanumeric candidate has a long lifetime (e. g., it is identified in many emails with the same recipient, over a long period of time), it may be assumed that the type of the particular alphanumeric candidate corresponds to a long lifetime type (loyalty number, frequent flyer number, etc.) and is not a short lifetime type (e. g., a tracking number or order number).” Thus, the email (recipient specific) feature pattern of particular alphanumeric candidate can be determined where the alphanumeric candidate has long lifetime or collected over a given period of time (“long period of time”).)
group the plurality of messages into a plurality of clusters based on the common patterns in the identified features in the plurality of messages; ([Astiz ¶0032] “The computing device 200 can utilize one or more of the email specific features, the recipient specific features, and the recipient agnostic features to cluster the alphanumeric candidates 320 and thereby generate a plurality of clusters 330 - 1, 330 - 2, . . . 330 - p (referred to herein individually and collectively as “cluster (s) 330 ”) .” [Astiz ¶0039] “At 460, the computing device 200 can cluster the alphanumeric candidates 320 based on the various determined features (the email specific features, the recipient specific features, and / or the recipient agnostic features) to generate a plurality of clusters 330.” Thus, multiple clusters can be generated based on the determined patterns of email specific features, like recipient specific features and/or recipient agnostic features.)
But Astiz fails to disclose
… from a same sender …
evaluate the plurality of clusters to identify a potentially malicious pattern among the messages in any one of the plurality of clusters, wherein a potentially malicious pattern is identified in one particular cluster when, in the particular cluster, a count of the messages that were received from the same sender within the predefined time window exceeds a threshold number;
based on the potentially malicious pattern being identified in the particular cluster, execute an action with regard to the messages in the particular cluster, wherein the action comprises one of notification or removal of specific messages from the particular cluster.
 However, Xavier teaches:
evaluate the plurality of clusters separately ([Xavier Col. 14 Lines 15 – 24] “… this would facilitate detection of an email campaign even where the attacker attempts to cloak the campaign by inserting dissimilar intervening email (s) in the middle of the campaign or where two or more different email campaigns may be launched concurrently (at least partially overlapping in time) against a victim. For the latter embodiments, the correlation logic 370 continues to examine a prescribed number of neighboring email representations within the sequence after encountering a non - correlating email representation.” Therefore, the correlation logic may examine (evaluate) the different launched email campaigns (different clusters of email messages) in sequence (separately).) to identify a potentially malicious pattern among the messages in any one of the plurality of clusters, wherein a potentially malicious pattern is identified in one particular cluster when, in the particular cluster, a count of the messages that were received … within the predefined time window exceeds a threshold number; ([Xavier Col 10 Lines 62 – 67] “Subsequently, the malicious email set 160 is received by the email campaign detection engine 140 for analysis. A malicious email set may be received periodically (e.g., after a threshold period of time has elapsed) or received aperiodically (e.g., after a prescribed number of malicious email messages are retained in the email data store 130 …” [Xavier Col. 4 Lines 3 – 5] “A cluster exceeding a prescribed number (N) of email messages (e.g., N210) represents a strong indicator of a malicious email campaign.” Thus, the cluster will be identified as malicious if it contains email messages more than a prescribed (threshold) number and the malicious message (email) may be received between any predefined time period (periodical or aperiodical).) and 
based on the potentially malicious pattern being identified in the particular cluster, execute an action with regard to the messages in the particular cluster, wherein the action comprises one of notification or removal of specific messages from the particular cluster. ([Xavier Col 2 Lines 61 – 65] “Alternatively, the malicious email messages (and corresponding representations) may be stored and deleted in accordance with a first - in, first - out (FIFO) storage protocol when an email data store exceeds a capacity threshold.” [Xavier Col 8 Lines 32 – 40] “The results 170 may identify one or more of the set of malicious email messages 160 being part of a known email campaign or a subset of malicious email set 160 being part of a newly detected email campaign. Also, the email campaign detection engine 140 notifies reporting engine 180 of a detected email campaign which may cause the reporting engine 180 to access to email data store 130 and transmit one or more alert messages to administrators of a network deploying the cybersecurity system 100.” [Xavier Col 19 Lines 12 – 22] “the global campaign analytics engine 540 may generate an alert message 580 to one or more administrators (of networks to which the network device 520, and network device 520M belong) of the enlarged email campaign. The alert message 580 is provided to enable action to be taken, by the administrator to remediate, interdict or neutralize the email campaign attack and / or halt its spread. This remediation may involve a review of email storage of the network devices 5201, -520M and email in - boxes at email servers or other network devices to delete or quarantine email messages.” Thus, on detection of malicious message (email) an alert report is generated and the malicious message may be deleted or quarantined.)
Therefore, before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Astiz’s system of classifying or clustering an alphanumeric candidate in an email message over a given period of time by enhancing Astiz’s system by identifying the cluster as malicious over a periodic or aperiodic time interval containing number of email messages more than a predefined value and generating an alert message with performing an action of deletion or quarantining as taught by Xavier for detecting and identifying malicious email messages which are part of cybersecurity attack, letting know that a cybersecurity attack is underway and providing a remedial action to security administrator. (Xavier Col. 1 Lines 48 – 49 Col. 4 Lines 54 – 55)
The motivation is to improve Astiz’s system of classifying or clustering an alphanumeric candidate in an email message over a given period of time further by identifying the cluster as malicious over a periodic or aperiodic time interval containing number of email messages more than a predefined value and generating an alert message with performing an action of deletion or quarantining so that the security administrator can identify the malicious email messages which are part of any cybersecurity attack and is enabled to take any remedial action. (Xavier Col. 1 Lines 48 – 49 Col. 4 Lines 54 – 55)
But Astiz in view of Xavier fails to disclose:
… from a/the same sender … 
However, Korotkikh teaches:
… from a/the same sender … ([Korotkikh ¶0164] “In another example, the clustering may be performed by the server 106 determining whether emails have a common sender address.” [Korotkikh ¶0109] “Non - limiting examples of such mechanisms include satisfactory spam limits, sender policy frameworks, whitelists and blacklists, and recipient verification tool.” [Korotkikh ¶0136] “the server 106 may assign to the first cluster 304 the ground truth parameter indicative of that the first subset of emails 320 include spam emails.” Therefore, the clustering in the email message can be formed based on the same sender and accordingly those clusters may be evaluated as spam (malicious) emails.)
Therefore, before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Astiz in view of Xavier’s system of classifying or clustering an alphanumeric candidate in an email message and identifying the cluster as malicious over a periodic or aperiodic time interval containing number of email messages more than a predefined value and generating an alert message with performing an action of deletion or quarantining by enhancing Astiz in view of Xavier’s system by performing clustering based on the fact that the emails are from the same senders and evaluating them as spam emails as taught by Korotkikh for providing a filtering process which can easily circumvent the spam messages based on sender. (Korotkikh ¶0007)
The motivation is to improve Astiz in view of Xavier’s system of classifying or clustering an alphanumeric candidate in an email message and identifying the cluster as malicious over a periodic or aperiodic time interval containing number of email messages more than a predefined value and generating an alert message with performing an action of deletion or quarantining further by performing clustering based on the fact that the emails are from the same senders and evaluating them as spam emails to provide a filtering process which can easily circumvent the spam messages based on sender. (Korotkikh ¶0007)
 
Regarding Claim 3: Astiz in view of Xavier and further in view of Korotkikh teaches the apparatus of claim 1, wherein the instructions cause the processor to: 
identify the features in the plurality of messages that were received within predefined windows of time. ([Astiz ¶0019] “Accordingly, such recipient specific features can be determined by analyzing emails in the collection of emails in which the particular alphanumeric candidate is present and which share the same recipient as the originating email. These recipient specific features can be indicative of the type of the alphanumeric candidates. For example, only, if a particular alphanumeric candidate has a long lifetime (e. g., it is identified in many emails with the same recipient, over a long period of time), it may be assumed that the type of the particular alphanumeric candidate corresponds to a long lifetime type (loyalty number, frequent flyer number, etc.) and is not a short lifetime type (e. g., a tracking number or order number).” Thus, the email (recipient specific) feature pattern of particular alphanumeric candidate can be identified where the alphanumeric candidate has long lifetime or collected (received) over a given period of time (“long period of time”).)

Regarding Claim 4: Astiz in view of Xavier and further in view of Korotkikh teaches the apparatus of claim 1, Astiz teaches wherein the plurality of messages are categorized into event hubs by types of the messages, ([Astiz ¶0016] “The plurality of email messages can, e. g., be a collection of email messages that are known to include particular types of alphanumeric candidates, each of which being labeled as such.” Therefore, we have alphanumeric candidates in the email messages contained in the collection of email messages (may be considered as event hub) and in this way we can have multiple email messages categorized in a collection (event hub)) and wherein the instructions cause the processor to: 
apply a first clustering logic on the plurality of messages in a first event hub of the event hubs to group the plurality of messages in the first event hub into a first plurality of clusters; ([Astiz ¶0032] “As mentioned above, any clustering analysis or algorithm can be utilized to group the alphanumeric candidates 320 into clusters 330 and the clusters should be generated such that the alphanumeric candidates 320 in each particular cluster 330 of the plurality of clusters 330 are more similar to each other than to other alphanumeric candidates 320 in other clusters 330.” Thus, a clustering algorithm (first logic) can be applied to any cluster (say email message in the first event hub).)
apply a second clustering logic on the plurality of messages in a second event hub of the event hubs to group the plurality of messages in the second event hub into a second plurality of clusters; ([Astiz ¶0032] “As mentioned above, any clustering analysis or algorithm can be utilized to group the alphanumeric candidates 320 into clusters 330 and the clusters should be generated such that the alphanumeric candidates 320 in each particular cluster 330 of the plurality of clusters 330 are more similar to each other than to other alphanumeric candidates 320 in other clusters 330.” Thus, a clustering algorithm (second logic) can be applied to any cluster (say email message in the second event hub).)
But Astiz fails to disclose: 
evaluate the first plurality of clusters separately from the second plurality of clusters to identify potentially malicious patterns in the first plurality of clusters and the second plurality of clusters.
However, Xavier teaches
evaluate the first plurality of clusters separately from the second plurality of clusters ([Xavier Col. 14 Lines 15 – 24] “… this would facilitate detection of an email campaign even where the attacker attempts to cloak the campaign by inserting dissimilar intervening email (s) in the middle of the campaign or where two or more different email campaigns may be launched concurrently (at least partially overlapping in time) against a victim. For the latter embodiments, the correlation logic 370 continues to examine a prescribed number of neighboring email representations within the sequence after encountering a non - correlating email representation.” Therefore, the correlation logic may examine (evaluate) the different launched email campaigns (different clusters of email messages) in sequence (separately).) to identify potentially malicious patterns in the first plurality of clusters and the second plurality of clusters. ([Xavier Col 10 Lines 62 – 67] “Subsequently, the malicious email set 160 is received by the email campaign detection engine 140 for analysis. A malicious email set may be received periodically (e.g., after a threshold period of time has elapsed) or received aperiodically (e.g., after a prescribed number of malicious email messages are retained in the email data store 130 …” [Xavier Col. 4 Lines 3 – 5] “A cluster exceeding a prescribed number (N) of email messages (e.g., N210) represents a strong indicator of a malicious email campaign.” Thus, the first clusters and second clusters may be identified as malicious.)
Therefore, before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Astiz’s system of classifying or clustering an alphanumeric candidate in an email message over a given period of time by enhancing Astiz’s system by identifying the cluster as malicious over a periodic or aperiodic time interval containing number of email messages more than a predefined value and generating an alert message with performing an action of deletion or quarantining as taught by Xavier for detecting and identifying malicious email messages which are part of cybersecurity. (Xavier Col. 1 Lines 48 – 49)
The motivation is to improve Astiz’s system of classifying or clustering an alphanumeric candidate in an email message over a given period of time further by identifying the cluster as malicious over a periodic or aperiodic time interval containing number of email messages more than a predefined value and generating an alert message with performing an action of deletion or quarantining so that the security administrator can identify the malicious email messages which are part of any cybersecurity attack. (Xavier Col. 1 Lines 48 – 49)

Regarding Claim 5: Astiz in view of Xavier and further in view of Korotkikh teaches the apparatus of claim 1, but Astiz fails to disclose: wherein the instructions cause the processor to: 
determine a degree of the identified potentially malicious pattern; and 
determine the action to be executed based on the determined degree of the identified potentially malicious pattern.  
However, Xavier teaches:
determine a degree of the identified potentially malicious pattern; ([Xavier Col 8 Lines 10 – 12] “Based on such findings, the email representation may be a “border” (start / end) message of an email campaign, as described below in FIGS. 3A - 3B.” [Xavier Col 13 Lines 38 – 44] “If the correlation between the email representation 350 and the neighboring email representation 355 is equal to or exceeds a second threshold (e.g., being the same or different than the first threshold), the malicious email message 150 is identified as being a potential “border” email message for an email campaign.” Therefore, a malicious email message can be determined with a potential gradation (degree) say as “border”.) 
determine the action to be executed based on the determined degree of the identified potentially malicious pattern. ([Xavier Col 13 Lines 44 – 46] “A count logic 375, reset to a prescribed number (e.g., “0”) after the start of each campaign analysis, may be incremented or decremented to produce a count value. The count value is used to maintain the number of malicious email messages that are correlated to each other …” Thus, upon determining a degree as “border” (start/end) an action that the count logic is resetting when each email campaign analysis is started and the count value may be incremented or decremented is executed where the count value is related to the number of malicious email messages that are correlated to each other.)
Therefore, before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Astiz’s system of classifying or clustering an alphanumeric candidate in an email message over a given period of time by enhancing Astiz’s system by determining a malicious email message with some potential gradation as taught by Xavier for analyzing the correlation between an email representation to its neighboring email representation to identify whether any similar malicious email message is present in both representations. (Xavier Col 13 Lines 35 – 54)
The motivation is to improve Astiz’s system of classifying or clustering an alphanumeric candidate in an email message over a given period of time further by determining a malicious email message with some potential gradation to analyze the correlation between an email representation to its neighboring email representation for identifying whether any similar malicious email message is present in both representations. (Xavier Col 13 Lines 35 – 54)

Regarding Claim 6: Astiz in view of Xavier and further in view of Korotkikh teaches the apparatus of claim 1, but Astiz fails to disclose: wherein the instructions cause the processor to: 
based on the potentially malicious pattern being identified in the particular cluster, determine whether the notification to request additional analysis is to be outputted; and 
based on a determination that the notification is to be outputted, execute the action to output the notification. 
However, Xavier teaches:
based on the potentially malicious pattern being identified in the particular cluster, determine whether the notification to request additional analysis is to be outputted; ([Xavier Col 8 Lines 32 – 40] “The results 170 may identify one or more of the set of malicious email messages 160 being part of a known email campaign or a subset of malicious email set 160 being part of a newly detected email campaign. Also, the email campaign detection engine 140 notifies reporting engine 180 of a detected email campaign which may cause the reporting engine 180 to access to email data store 130 and transmit one or more alert messages to administrators of a network deploying the cybersecurity system 100.” Thus, upon identifying malicious email messages, the email campaign detection engine notifies reporting engine to access email data store and transmit alert messages to an administrator. These actions may be regarded as “additional analysis”.) and 
based on a determination that the notification is to be outputted, execute the action to output the notification. ([Xavier Col 11 Lines 49 – 52] “Upon detecting which malicious email messages, if any, are associated with a known email campaign or a new email campaign, the reporting engine 180 generates one or more alert messages directed to an administrator …” Thus, the reporting engine generates alert messages to an administrator upon detecting malicious email messages.)
Therefore, before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Astiz’s system of classifying or clustering an alphanumeric candidate in an email message over a given period of time by enhancing Astiz’s system by issuing a notification of alert messages to an administrator when malicious email messages are detected as taught by Xavier so that the security administrator can take a remedial action. (Xavier Col. 4 Lines 54 – 55)
The motivation is to improve Astiz’s system of classifying or clustering an alphanumeric candidate in an email message over a given period of time further by issuing a notification of alert messages to an administrator when malicious email messages are detected so that the security administrator can take a remedial action. (Xavier Col. 4 Lines 54 – 55)

Regarding Claim 7: Astiz in view of Xavier and further in view of Korotkikh teaches the apparatus of claim 1, but Astiz fails to disclose: wherein the instructions cause the processor to: 
based on the potentially malicious pattern being identified in the particular cluster, determine whether the specific messages in the particular cluster are to be removed; and 
based on a determination that the specific messages in the particular cluster are to be removed, execute the action to remove the specific messages from the particular cluster. 
However, Xavier teaches:
based on the potentially malicious pattern being identified in the particular cluster, determine whether the specific messages in the particular cluster are to be removed; ([Xavier Col 11 Lines 18 – 25] “Upon extracting selective features by the feature extraction logic 280, the pre - processing logic 282 is responsible for generating character patterns representative of each malicious email message by at least aggregating the characters associated with the features and conducting a filtering operation to remove (or substitute) certain characters (e.g., special characters, spaces, etc.) from the aggregate to produce a filtered character pattern.” Thus, a filtering operation executed by the pre-processing logic is responsible to detect whether certain characters associated with a feature (particular cluster) corresponding to the malicious email message are to be removed.) and
based on a determination that the specific messages in the particular cluster are to be removed, execute the action to remove the specific messages from the particular cluster. ([Xavier Col 11 Lines 18 – 25] “After the filtering operations, the filtered character patterns corresponding to the malicious email messages forming the malicious email set 160 are arranged in a first ordered sequence.” The filtering operation or removal of character patterns corresponding to the malicious email are done.)
Therefore, before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Astiz’s system of classifying or clustering an alphanumeric candidate in an email message over a given period of time by enhancing Astiz’s system by identifying particular character patterns from a malicious email message for removal as taught by Xavier for forming a set of malicious mails with a first order of sequence. (Xavier Col 11 Lines 18 – 25)
The motivation is to improve Astiz’s system of classifying or clustering an alphanumeric candidate in an email message over a given period of time further by identifying particular character patterns from a malicious email message for removal as taught by Xavier to form a set of malicious mails with a first order of sequence. (Xavier Col 11 Lines 18 – 25)

Regarding Claim 9: Astiz in view of Xavier and further in view of Korotkikh teaches the apparatus of claim 1, but Astiz fails to disclose: wherein the instructions cause the processor to: 
determine that the potentially malicious pattern has been identified at least a predefined number of times; and 
based on the determination that the potentially malicious pattern has been identified at least the predefined number of times, update a service that is to perform antivirus operations on the plurality of messages as the plurality of messages are received regarding the potential malicious pattern. 
However, Xavier teaches:
determine that the potentially malicious pattern has been identified at least a predefined number of times; ([Xavier Col 8 Lines 21 – 25] “Upon detecting at least a predetermined number of malicious email representations being correlated, which correspond to a prescribed subset of malicious email messages within the malicious email set 160” Therefore, we have seen that malicious pattern may be identified by a predetermined number.) and 
based on the determination that the potentially malicious pattern has been identified at least the predefined number of times, update a service that is to perform antivirus operations on the plurality of messages as the plurality of messages are received regarding the potential malicious pattern. ([Xavier Col 7 Lines 61 – 67 Col 8 Lines 1 – 5] “The threat detection engine 120 is configured to perform a static analysis on the content of the email message 150 and / or perform a dynamic analysis by supplying the email message 150 (or contents of the email message 150) to a virtual machine (or other isolated execution environment), performing operations on the email message 150 within the virtual machine, and analyzing behaviors of the email message 150 and/or the virtual machine to determine whether the email message 150 is malicious or benign . Examples of a “static” analysis may include, but are not limited or restricted to anti - virus scanning, anti - spam scanning, pattern matching …” Therefore, an antivirus scanning is to be employed when an email message is determined as malicious which may be identified by a predetermined number.)
Therefore, before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Astiz’s system of classifying or clustering an alphanumeric candidate in an email message over a given period of time by enhancing Astiz’s system by identifying a malicious pattern as occurred by a predetermined time and then employing anti-virus scan as taught by Xavier for protecting the network device within the network by analyzing email messages whether they are suspicious which are propagated along the network. (Xavier Col 1 Lines 35 – 38)
The motivation is to improve Astiz’s system of classifying or clustering an alphanumeric candidate in an email message over a given period of time further by identifying a malicious pattern as occurred by a predetermined time and then employing anti-virus scan to protect the network device within the network by analyzing email messages whether they are suspicious which are propagated along the network. (Xavier Col 1 Lines 35 – 38)

Regarding Claim 10: Astiz teaches a method comprising: 
identifying, by a processor, first features in first messages in a first event hub and second features in second messages in a second event hub, ([Astiz ¶0016] “The plurality of email messages can, e. g., be a collection of email messages that are known to include particular types of alphanumeric candidates, each of which being labeled as such.” Therefore, we have alphanumeric candidates in the email messages (first, second etc.) in the collection of email messages (may be considered as event hub first event hub, second event hub etc.))  wherein the first and second messages are first and second types of communications between senders and receivers, and wherein the first and second features include information related to the senders of the first and second messages; ([Astiz ¶0016] “the present disclosure provides a system and method that receives a plurality of email messages. Each of the email messages includes text, has a subject in a subject field (which can be considered to comprise a portion of the text), and is associated with both a sender and a recipient.” [Astiz ¶0025] “The computing device 200 can receive a plurality of email messages 310 - 1, 310 - 2, . . . 310 - m (referred to herein individually and collectively as " email message (s) 310”).” [Astiz ¶0018] “Examples of email specific features include, but are not limited to, one or more words preceding the alphanumeric candidate, a position in the originating email at which the alphanumeric candidate is located, the subject of the originating email, and the sender of the originating email.” Thus, when the system received the plurality of email messages from a recipient to a sender, the features of first email messages and second email messages are identified where the identified features include the information of sender.)  
determining, by the processor, first patterns in the first features and second patterns in the second features, including identifying that the first messages were received … within a predefined time window; ([Astiz ¶0019] “Accordingly, such recipient specific features can be determined by analyzing emails in the collection of emails in which the particular alphanumeric candidate is present and which share the same recipient as the originating email. These recipient specific features can be indicative of the type of the alphanumeric candidates. For example, only, if a particular alphanumeric candidate has a long lifetime (e. g., it is identified in many emails with the same recipient, over a long period of time), it may be assumed that the type of the particular alphanumeric candidate corresponds to a long lifetime type (loyalty number, frequent flyer number, etc.) and is not a short lifetime type (e. g., a tracking number or order number).” Thus, the email (recipient specific) feature pattern of particular alphanumeric candidate for first messages as well as second messages can be determined where the alphanumeric candidate has long lifetime or collected over a given period of time (“long period of time”).)
grouping, by the processor, the first messages into first clusters based on the first patterns and the second messages into second clusters based on the second patterns; ([Astiz ¶0032] “The computing device 200 can utilize one or more of the email specific features, the recipient specific features, and the recipient agnostic features to cluster the alphanumeric candidates 320 and thereby generate a plurality of clusters 330 - 1, 330 - 2, . . . 330 - p (referred to herein individually and collectively as “cluster (s) 330 ”) .” [Astiz ¶0039] “At 460, the computing device 200 can cluster the alphanumeric candidates 320 based on the various determined features (the email specific features, the recipient specific features, and / or the recipient agnostic features) to generate a plurality of clusters 330.” Thus, multiple clusters can be generated based on the determined first and second patterns of respectively first and second email message specific features, like recipient specific features and/or recipient agnostic features.)
But Astiz fails to disclose
… from a same sender …
evaluating, by the processor, the first clusters and the second clusters separately to identify a potentially malicious pattern among the first and second messages in any one of the first clusters and the second clusters, wherein a potentially malicious pattern is identified in the first clusters when, in the first clusters, a count of the first messages that were received from the same sender within the predefined time window exceeds a threshold number; and 
based on the potentially malicious pattern being identified in the first clusters, executing, by the processor, an action with regard to the first messages in the first clusters, wherein the action comprises one of notification or removal of the first messages from the first clusters.
However, Xavier teaches:
…
evaluating, by the processor, the first clusters and the second clusters separately ([Xavier Col. 14 Lines 15 – 24] “… this would facilitate detection of an email campaign even where the attacker attempts to cloak the campaign by inserting dissimilar intervening email (s) in the middle of the campaign or where two or more different email campaigns may be launched concurrently (at least partially overlapping in time) against a victim. For the latter embodiments, the correlation logic 370 continues to examine a prescribed number of neighboring email representations within the sequence after encountering a non - correlating email representation.” Therefore, the correlation logic may examine (evaluate) the different launched email campaigns (different clusters of email messages) in sequence (separately).) to identify a potentially malicious pattern among the first and second messages in any one of the first clusters and the second clusters, wherein a potentially malicious pattern is identified in the first clusters when, in the first clusters, a count of the first messages that were received … within the predefined time window exceeds a threshold number; ([Xavier Col 10 Lines 62 – 67] “Subsequently, the malicious email set 160 is received by the email campaign detection engine 140 for analysis. A malicious email set may be received periodically (e.g., after a threshold period of time has elapsed) or received aperiodically (e.g., after a prescribed number of malicious email messages are retained in the email data store 130 …” [Xavier Col. 4 Lines 3 – 5] “A cluster exceeding a prescribed number (N) of email messages (e.g., N210) represents a strong indicator of a malicious email campaign.” Thus, the first clusters and second clusters will be identified as malicious if they contain first email messages and second email messages more than a prescribed (threshold) number and these malicious messages (emails) may be received between any predefined time period (periodical or aperiodical).) and 
based on the potentially malicious pattern being identified in the first clusters, executing, by the processor, an action with regard to the first messages in the first clusters, wherein the action comprises one of notification or removal of the first messages from the first clusters. ([Xavier Col 2 Lines 61 – 65] “Alternatively, the malicious email messages (and corresponding representations) may be stored and deleted in accordance with a first - in, first - out (FIFO) storage protocol when an email data store exceeds a capacity threshold.” [Xavier Col 8 Lines 32 – 40] “The results 170 may identify one or more of the set of malicious email messages 160 being part of a known email campaign or a subset of malicious email set 160 being part of a newly detected email campaign. Also, the email campaign detection engine 140 notifies reporting engine 180 of a detected email campaign which may cause the reporting engine 180 to access to email data store 130 and transmit one or more alert messages to administrators of a network deploying the cybersecurity system 100.” [Xavier Col 19 Lines 12 – 22] “the global campaign analytics engine 540 may generate an alert message 580 to one or more administrators (of networks to which the network device 520, and network device 520M belong) of the enlarged email campaign. The alert message 580 is provided to enable action to be taken, by the administrator to remediate, interdict or neutralize the email campaign attack and / or halt its spread. This remediation may involve a review of email storage of the network devices 5201, -520M and email in - boxes at email servers or other network devices to delete or quarantine email messages.” Thus, on detection of malicious message (email) an alert report is generated and the malicious message (say first email messages in the first clusters) may be deleted or quarantined.)
Therefore, before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Astiz’s system of classifying or clustering an alphanumeric candidate in an email message over a given period of time by enhancing Astiz’s system by identifying the cluster as malicious over a periodic or aperiodic time interval containing a number of email messages more than a predefined value and generating an alert message while performing an action of deletion or quarantining, as taught by Xavier, for detecting and identifying malicious email messages which are part of a cybersecurity attack, making known that a cybersecurity attack is underway, and providing a remedial action to the security administrator. (Xavier Col. 1 Lines 48 – 49 Col. 4 Lines 54 – 55)
The motivation is to further improve Astiz’s system of classifying or clustering an alphanumeric candidate in an email message over a given period of time by identifying the cluster as malicious over a periodic or aperiodic time interval containing a number of email messages more than a predefined value and generating an alert message while performing an action of deletion or quarantining, so that the security administrator can identify the malicious email messages which are part of any cybersecurity attack and is enabled to take any remedial action. (Xavier Col. 1 Lines 48 – 49 Col. 4 Lines 54 – 55)
But Astiz in view of Xavier fails to disclose:
… from a/the same sender … 
However, Korotkikh teaches:
… from a/the same sender … ([Korotkikh ¶0164] “In another example, the clustering may be performed by the server 106 determining whether emails have a common sender address.” [Korotkikh ¶0109] “Non - limiting examples of such mechanisms include satisfactory spam limits, sender policy frameworks, whitelists and blacklists, and recipient verification tool.” [Korotkikh ¶0136] “the server 106 may assign to the first cluster 304 the ground truth parameter indicative of that the first subset of emails 320 include spam emails.” Therefore, the clustering in the email message can be formed based on the same sender and accordingly those clusters may be evaluated as spam (malicious) emails.) 
Therefore, before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Astiz in view of Xavier’s system of classifying or clustering an alphanumeric candidate in an email message and identifying the cluster as malicious over a periodic or aperiodic time interval containing a number of email messages more than a predefined value and generating an alert message while performing an action of deletion or quarantining by enhancing Astiz in view of Xavier’s system by performing clustering based on the fact that the emails are from the same senders and evaluating them as spam emails, as taught by Korotkikh, for providing a filtering process which can easily circumvent the spam messages based on sender. (Korotkikh ¶0007)
The motivation is to further improve Astiz in view of Xavier’s system of classifying or clustering an alphanumeric candidate in an email message and identifying the cluster as malicious over a periodic or aperiodic time interval containing a number of email messages more than a predefined value and generating an alert message while performing an action of deletion or quarantining by performing clustering based on the fact that the emails are from the same senders and evaluating them as spam emails, to provide a filtering process which can easily circumvent the spam messages based on sender. (Korotkikh ¶0007)

Regarding Claim 12: Astiz in view of Xavier and further in view of Korotkikh teaches the method of claim 10, Astiz teaches wherein identifying the second features in the second messages includes identifying the second messages that were received … within the predefined time window. ([Astiz ¶0019] “Accordingly, such recipient specific features can be determined by analyzing emails in the collection of emails in which the particular alphanumeric candidate is present and which share the same recipient as the originating email. These recipient specific features can be indicative of the type of the alphanumeric candidates. For example, only, if a particular alphanumeric candidate has a long lifetime (e. g., it is identified in many emails with the same recipient, over a long period of time), it may be assumed that the type of the particular alphanumeric candidate corresponds to a long lifetime type (loyalty number, frequent flyer number, etc.) and is not a short lifetime type (e. g., a tracking number or order number).” Thus, the email (recipient specific) feature pattern (second features in second email) of particular alphanumeric candidate can be identified where the alphanumeric candidate has long lifetime or collected (received) over a given period of time (“long period of time”).)
But Astiz in view of Xavier fails to disclose:
… from the same sender …
However, Korotkikh teaches: 
… from the same sender … ([Korotkikh ¶0086] “It should be noted that a given email from the plurality of emails 210 received by the server 106 may comprise header data and content data. Broadly speaking, header data is used for email transfer purposes and generally includes information identifying the subject, sender and recipient of a given email. For example, header data may comprise information about (i) the sender's email address associated with a “From” field of the given email,” [Korotkikh ¶0164] “In another example, the clustering may be performed by the server 106 determining whether emails have a common sender address.” Therefore, the clustering in the email message can be formed based on the same sender where the header data of the plurality of emails received contains information identified with the sender’s email address.)
Therefore, before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Astiz in view of Xavier’s system of classifying or clustering an alphanumeric candidate in an email message and identifying the cluster as malicious over a periodic or aperiodic time interval containing a number of email messages more than a predefined value and generating an alert message while performing an action of deletion or quarantining by enhancing Astiz in view of Xavier’s system by performing clustering based on the fact that the emails are from the same senders, as taught by Korotkikh, for providing a filtering process which can easily circumvent the spam messages based on sender. (Korotkikh ¶0007)
The motivation is to further improve Astiz in view of Xavier’s system of classifying or clustering an alphanumeric candidate in an email message and identifying the cluster as malicious over a periodic or aperiodic time interval containing a number of email messages more than a predefined value and generating an alert message while performing an action of deletion or quarantining by performing clustering based on the fact that the emails are from the same senders, to provide a filtering process which can easily circumvent the spam messages based on sender. (Korotkikh ¶0007)

Regarding Claim 13: Astiz in view of Xavier and further in view of Korotkikh teaches the method of claim 10, but Astiz fails to disclose: further comprising: 
determining a degree of the identified potentially malicious pattern; and 
determining the action to be executed based on the determined degree of the identified potentially malicious pattern.
However, Xavier teaches:
determining a degree of the identified potentially malicious pattern; ([Xavier Col 8 Lines 10 – 12] “Based on such findings, the email representation may be a “border” (start / end) message of an email campaign, as described below in FIGS. 3A - 3B.” [Xavier Col 13 Lines 38 – 44] “If the correlation between the email representation 350 and the neighboring email representation 355 is equal to or exceeds a second threshold (e.g., being the same or different than the first threshold), the malicious email message 150 is identified as being a potential “border” email message for an email campaign.” Therefore, a malicious email message can be determined with a potential gradation (degree) say as “border”.) 
determining the action to be executed based on the determined degree of the identified potentially malicious pattern. ([Xavier Col 13 Lines 44 – 46] “A count logic 375, reset to a prescribed number (e.g., “0”) after the start of each campaign analysis, may be incremented or decremented to produce a count value. The count value is used maintain the number of malicious email messages that are correlated to each other …” Thus, upon determining a degree as “border” (start/end), an action is executed in which the count logic is reset when each email campaign analysis is started and the count value, which is related to the number of malicious email messages that are correlated to each other, may be incremented or decremented.)
Therefore, before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Astiz’s system of classifying or clustering an alphanumeric candidate in an email message over a given period of time by enhancing Astiz’s system by determining a malicious email message with some potential gradation as taught by Xavier for analyzing the correlation between an email representation to its neighboring email representation to identify whether any similar malicious email message is present in both representations. (Xavier Col 13 Lines 35 – 54)
The motivation is to further improve Astiz’s system of classifying or clustering an alphanumeric candidate in an email message over a given period of time by determining a malicious email message with some potential gradation to analyze the correlation between an email representation and its neighboring email representation for identifying whether any similar malicious email message is present in both representations. (Xavier Col 13 Lines 35 – 54)

Regarding Claim 14: Astiz in view of Xavier and further in view of Korotkikh teaches the method of claim 10, but Astiz fails to disclose: wherein determining the action to be executed on the first messages further comprises: 
determining that the notification to request additional analysis is to be outputted; or 
determining that the first messages are to be removed.
However, Xavier teaches:
determining that the notification to request additional analysis is to be outputted; ([Xavier Col 8 Lines 32 – 40] “The results 170 may identify one or more of the set of malicious email messages 160 being part of a known email campaign or a subset of malicious email set 160 being part of a newly detected email campaign. Also, the email campaign detection engine 140 notifies reporting engine 180 of a detected email campaign which may cause the reporting engine 180 to access to email data store 130 and transmit one or more alert messages to administrators of a network deploying the cybersecurity system 100.” Thus, upon identifying malicious email messages, the email campaign detection engine notifies the reporting engine to access email data store and transmit alert messages to an administrator. These actions may be regarded as “additional analysis”.)  
determining that the first messages are to be removed. ([Xavier Col 19 Lines 12 – 22] “The alert message 580 is provided to enable action to be taken, by the administrator to remediate, interdict or neutralize the email campaign attack and / or halt its spread. This remediation may involve a review of email storage of the network devices 5201, -520M and email in - boxes at email servers or other network devices to delete or quarantine email messages.” Thus, the alert reports are provided and the email messages may be deleted or quarantined.)
Therefore, before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Astiz’s system of classifying or clustering an alphanumeric candidate in an email message over a given period of time by enhancing Astiz’s system by issuing a notification of alert messages to an administrator when malicious email messages are detected and deleting the email messages as taught by Xavier so that the security administrator can take a remedial action. (Xavier Col. 4 Lines 54 – 55)
The motivation is to further improve Astiz’s system of classifying or clustering an alphanumeric candidate in an email message over a given period of time by issuing a notification of alert messages to an administrator when malicious email messages are detected and deleting the email messages so that the security administrator can take a remedial action. (Xavier Col. 4 Lines 54 – 55)

Regarding Claim 16: Astiz in view of Xavier and further in view of Korotkikh teaches the method of claim 10, but Astiz fails to disclose: further comprising: 
determining that the potentially malicious pattern has been identified at least a predefined number of times; and 
based on the determination that the potentially malicious pattern has been identified at least the predefined number of times, updating a service that is to perform antivirus operations regarding the potential malicious pattern on additional messages as the additional messages are received. 
However, Xavier teaches:
determining that the potentially malicious pattern has been identified at least a predefined number of times; ([Xavier Col 8 Lines 21 – 25] “Upon detecting at least a predetermined number of malicious email representations being correlated, which correspond to a prescribed subset of malicious email messages within the malicious email set 160” Therefore, we have seen that malicious pattern may be identified by a predetermined number.) and 
based on the determination that the potentially malicious pattern has been identified at least the predefined number of times, updating a service that is to perform antivirus operations regarding the potential malicious pattern on additional messages as the additional messages are received. ([Xavier Col 7 Lines 61 – 67 Col 8 Lines 1 – 5] “The threat detection engine 120 is configured to perform a static analysis on the content of the email message 150 and / or perform a dynamic analysis by supplying the email message 150 (or contents of the email message 150) to a virtual machine (or other isolated execution environment), performing operations on the email message 150 within the virtual machine, and analyzing behaviors of the email message 150 and/or the virtual machine to determine whether the email message 150 is malicious or benign . Examples of a “static” analysis may include, but are not limited or restricted to anti - virus scanning, anti - spam scanning, pattern matching …” Therefore, an antivirus scanning is to be employed when an email message is determined as malicious which may be identified by a predetermined number.)
Therefore, before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Astiz’s system of classifying or clustering an alphanumeric candidate in an email message over a given period of time by enhancing Astiz’s system by identifying a malicious pattern as having occurred by a predetermined time and then employing an anti-virus scan, as taught by Xavier, for protecting the network device within the network by analyzing whether email messages propagated along the network are suspicious. (Xavier Col 1 Lines 35 – 38)
The motivation is to further improve Astiz’s system of classifying or clustering an alphanumeric candidate in an email message over a given period of time by identifying a malicious pattern as having occurred by a predetermined time and then employing an anti-virus scan, to protect the network device within the network by analyzing whether email messages propagated along the network are suspicious. (Xavier Col 1 Lines 35 – 38)
  
Regarding Claim 17: Astiz teaches a non-transitory computer-readable medium on which is stored computer-readable instructions that when executed by a processor, cause the processor to: ([Astiz ¶0046] “The computer programs include processor - executable instructions that are stored on a non-transitory tangible computer readable medium. The computer programs may also include stored data.”)
identify features in messages communicated between senders and receivers, wherein the identified features include information related to the senders of the messages; ([Astiz ¶0016] “the present disclosure provides a system and method that receives a plurality of email messages. Each of the email messages includes text, has a subject in a subject field (which can be considered to comprise a portion of the text), and is associated with both a sender and a recipient.” [Astiz ¶0025] “The computing device 200 can receive a plurality of email messages 310 - 1, 310 - 2, . . . 310 - m (referred to herein individually and collectively as " email message (s) 310”).” [Astiz ¶0018] “Examples of email specific features include, but are not limited to, one or more words preceding the alphanumeric candidate, a position in the originating email at which the alphanumeric candidate is located, the subject of the originating email, and the sender of the originating email.” Thus, when the system received the plurality of email messages from a recipient to a sender, the features are identified where the identified features include the information of sender.)  
determine common patterns in the identified features of the messages, including identifying messages that were received … within a predefined time window; ([Astiz ¶0019] “Accordingly, such recipient specific features can be determined by analyzing emails in the collection of emails in which the particular alphanumeric candidate is present and which share the same recipient as the originating email. These recipient specific features can be indicative of the type of the alphanumeric candidates. For example, only, if a particular alphanumeric candidate has a long lifetime (e. g., it is identified in many emails with the same recipient, over a long period of time), it may be assumed that the type of the particular alphanumeric candidate corresponds to a long lifetime type (loyalty number, frequent flyer number, etc.) and is not a short lifetime type (e. g., a tracking number or order number).” Thus, the email (recipient specific) feature pattern of particular alphanumeric candidate can be determined where the alphanumeric candidate has long lifetime or collected over a given period of time (“long period of time”).)
 group the messages into a plurality of clusters based on the determined common patterns in the identified features of the messages; ([Astiz ¶0032] “The computing device 200 can utilize one or more of the email specific features, the recipient specific features, and the recipient agnostic features to cluster the alphanumeric candidates 320 and thereby generate a plurality of clusters 330 - 1, 330 - 2, . . . 330 - p (referred to herein individually and collectively as “cluster (s) 330 ”) .” [Astiz ¶0039] “At 460, the computing device 200 can cluster the alphanumeric candidates 320 based on the various determined features (the email specific features, the recipient specific features, and / or the recipient agnostic features) to generate a plurality of clusters 330.” Thus, multiple clusters can be generated based on the determined patterns of email specific features, like recipient specific features and/or recipient agnostic features.)
But Astiz fails to disclose
… from a same sender …
evaluate the plurality of clusters separately to identify a potentially malicious pattern among the messages in any one of the plurality of clusters, wherein a potentially malicious pattern is identified in one particular cluster when, in the particular cluster, a count of the messages that were received from the same sender within the predefined time window exceeds a threshold number; and 
based on the potentially malicious pattern being identified in the particular cluster, execute an action with regard to the messages in the particular cluster, wherein the action comprises one of notification or removal of specific messages from the particular cluster. 
However, Xavier teaches:
… 
evaluate the plurality of clusters separately ([Xavier Col. 14 Lines 15 – 24] “… this would facilitate detection of an email campaign even where the attacker attempts to cloak the campaign by inserting dissimilar intervening email (s) in the middle of the campaign or where two or more different email campaigns may be launched concurrently (at least partially overlapping in time) against a victim. For the latter embodiments, the correlation logic 370 continues to examine a prescribed number of neighboring email representations within the sequence after encountering a non - correlating email representation.” Therefore, the correlation logic may examine (evaluate) the different launched email campaigns (different clusters of email messages) in sequence (separately).) to identify a potentially malicious pattern among the messages in any one of the plurality of clusters, wherein a potentially malicious pattern is identified in one particular cluster when, in the particular cluster, a count of the messages that were received from … within the predefined time window exceeds a threshold number; ([Xavier Col 10 Lines 62 – 67] “Subsequently , the malicious email set 160 is received by the email campaign detection engine 140 for analysis . A malicious email set may be received periodically (e.g., after a threshold period of time has elapsed) or received aperiodcally (e.g., after a prescribed number of malicious email messages are retained in the email data store 130 …” [Xavier Col. 4 Lines 3 – 5] “A cluster exceeding a prescribed number (N) of email messages (e.g., N210) represents a strong indicator of a malicious email campaign.” Thus, the cluster will be identified as malicious if it contains email messages more than a prescribed (threshold) number and the malicious message (email) may be received between any predefined time period (periodical or aperiodical).) and
based on the potentially malicious pattern being identified in the particular cluster, execute an action with regard to the messages in the particular cluster, wherein the action comprises one of notification or removal of specific messages from the particular cluster. ([Xavier Col 2 Lines 61 – 65] “Alternatively, the malicious email messages (and corresponding representations) may be stored and deleted in accordance with a first - in, first - out (FIFO) storage protocol when an email data store exceeds a capacity threshold.” [Xavier Col 8 Lines 32 – 40] “The results 170 may identify one or more of the set of malicious email messages 160 being part of a known email campaign or a subset of malicious email set 160 being part of a newly detected email campaign. Also, the email campaign detection engine 140 notifies reporting engine 180 of a detected email campaign which may cause the reporting engine 180 to access to email data store 130 and transmit one or more alert messages to administrators of a network deploying the cybersecurity system 100.” [Xavier Col 19 Lines 12 – 22] “the global campaign analytics engine 540 may generate an alert message 580 to one or more administrators (of networks to which the network device 520, and network device 520M belong) of the enlarged email campaign. The alert message 580 is provided to enable action to be taken, by the administrator to remediate, interdict or neutralize the email campaign attack and / or halt its spread. This remediation may involve a review of email storage of the network devices 5201, -520M and email in - boxes at email servers or other network devices to delete or quarantine email messages.” Thus, on detection of malicious message (email) an alert report is generated and the malicious message may be deleted or quarantined.)
Therefore, before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Astiz’s system of classifying or clustering an alphanumeric candidate in an email message over a given period of time by enhancing Astiz’s system by identifying the cluster as malicious over a periodic or aperiodic time interval containing a number of email messages more than a predefined value and generating an alert message while performing an action of deletion or quarantining, as taught by Xavier, for detecting and identifying malicious email messages which are part of a cybersecurity attack, making known that a cybersecurity attack is underway, and providing a remedial action to the security administrator. (Xavier Col. 1 Lines 48 – 49 Col. 4 Lines 54 – 55)
The motivation is to further improve Astiz’s system of classifying or clustering an alphanumeric candidate in an email message over a given period of time by identifying the cluster as malicious over a periodic or aperiodic time interval containing a number of email messages more than a predefined value and generating an alert message while performing an action of deletion or quarantining, so that the security administrator can identify the malicious email messages which are part of any cybersecurity attack and is enabled to take any remedial action. (Xavier Col. 1 Lines 48 – 49 Col. 4 Lines 54 – 55)
But Astiz in view of Xavier fails to disclose:
… from a/the same sender … 
However, Korotkikh teaches:
… from a/the same sender … ([Korotkikh ¶0164] “In another example, the clustering may be performed by the server 106 determining whether emails have a common sender address.” [Korotkikh ¶0109] “Non-limiting examples of such mechanisms include satisfactory spam limits, sender policy frameworks, whitelists and blacklists, and recipient verification tool.” [Korotkikh ¶0136] “the server 106 may assign to the first cluster 304 the ground truth parameter indicative of that the first subset of emails 320 include spam emails.” Therefore, the clustering in the email message can be formed based on the same sender and accordingly those clusters may be evaluated as spam (malicious) emails.)
Therefore, before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Astiz in view of Xavier’s system of classifying or clustering an alphanumeric candidate in an email message and identifying the cluster as malicious over a periodic or aperiodic time interval containing number of email messages more than a predefined value and generating an alert message with performing an action of deletion or quarantining by enhancing Astiz in view of Xavier’s system by performing clustering based on the fact that the emails are from the same senders and evaluating them as spam emails as taught by Korotkikh for providing a filtering process which can easily circumvent the spam messages based on sender. (Korotkikh ¶0007)
The motivation is to improve Astiz in view of Xavier’s system of classifying or clustering an alphanumeric candidate in an email message and identifying the cluster as malicious over a periodic or aperiodic time interval containing number of email messages more than a predefined value and generating an alert message with performing an action of deletion or quarantining further by performing clustering based on the fact that the emails are from the same senders and evaluating them as spam emails to provide a filtering process which can easily circumvent the spam messages based on sender. (Korotkikh ¶0007)

Regarding Claim 18: Astiz in view of Xavier and further in view of Korotkikh teaches the non-transitory computer-readable medium of claim 17, Astiz teaches: wherein the messages are categorized into event hubs by types of the messages, ([Astiz ¶0016] “The plurality of email messages can, e. g., be a collection of email messages that are known to include particular types of alphanumeric candidates, each of which being labeled as such.” Therefore, we have alphanumeric candidates in the email messages contained in the collection of email messages (may be considered as event hub) and in this way we can have multiple email messages categorized in a collection (event hub).) wherein the instructions further cause the processor to:  
apply a first clustering logic on the messages in a first event hub of the event hubs to group the messages in the first event hub into a first plurality of clusters; ([Astiz ¶0032] “As mentioned above, any clustering analysis or algorithm can be utilized to group the alphanumeric candidates 320 into clusters 330 and the clusters should be generated such that the alphanumeric candidates 320 in each particular cluster 330 of the plurality of clusters 330 are more similar to each other than to other alphanumeric candidates 320 in other clusters 330.” Thus, a clustering algorithm (first logic) can be applied to any cluster (say email message in the first event hub).)
apply a second clustering logic on the messages in a second event hub of the event hubs to group the messages in the second event hub into a second plurality of clusters; ([Astiz ¶0032] “As mentioned above, any clustering analysis or algorithm can be utilized to group the alphanumeric candidates 320 into clusters 330 and the clusters should be generated such that the alphanumeric candidates 320 in each particular cluster 330 of the plurality of clusters 330 are more similar to each other than to other alphanumeric candidates 320 in other clusters 330.” Thus, a clustering algorithm (second logic) can be applied to any cluster (say email message in the second event hub).)
 But Astiz fails to disclose: 
evaluate the first plurality of clusters separately from the second plurality of clusters to identify potentially malicious patterns in the first plurality of clusters and the second plurality of clusters.
However, Xavier teaches:
evaluate the first plurality of clusters separately from the second plurality of clusters ([Xavier Col. 14 Lines 15 – 24] “… this would facilitate detection of an email campaign even where the attacker attempts to cloak the campaign by inserting dissimilar intervening email(s) in the middle of the campaign or where two or more different email campaigns may be launched concurrently (at least partially overlapping in time) against a victim. For the latter embodiments, the correlation logic 370 continues to examine a prescribed number of neighboring email representations within the sequence after encountering a non-correlating email representation.” Therefore, the correlation logic may examine (evaluate) the different launched email campaigns (different clusters of email messages) in sequence (separately).) to identify potentially malicious patterns in the first plurality of clusters and the second plurality of clusters. ([Xavier Col 10 Lines 62 – 67] “Subsequently, the malicious email set 160 is received by the email campaign detection engine 140 for analysis. A malicious email set may be received periodically (e.g., after a threshold period of time has elapsed) or received aperiodically (e.g., after a prescribed number of malicious email messages are retained in the email data store 130 …” [Xavier Col. 4 Lines 3 – 5] “A cluster exceeding a prescribed number (N) of email messages (e.g., N210) represents a strong indicator of a malicious email campaign.” Thus, the first clusters and second clusters may be identified as malicious.)
Therefore, before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Astiz’s system of classifying or clustering an alphanumeric candidate in an email message over a given period of time by enhancing Astiz’s system by identifying the cluster as malicious over a periodic or aperiodic time interval containing number of email messages more than a predefined value and generating an alert message with performing an action of deletion or quarantining as taught by Xavier for detecting and identifying malicious email messages which are part of cybersecurity. (Xavier Col. 1 Lines 48 – 49)
The motivation is to improve Astiz’s system of classifying or clustering an alphanumeric candidate in an email message over a given period of time further by identifying the cluster as malicious over a periodic or aperiodic time interval containing number of email messages more than a predefined value and generating an alert message with performing an action of deletion or quarantining so that the security administrator identify the malicious email messages which are parts of any cybersecurity attack. (Xavier Col. 1 Lines 48 – 49)

Regarding Claim 19: Astiz in view of Xavier and further in view of Korotkikh teaches the non-transitory computer-readable medium of claim 17, but Astiz fails to disclose: wherein to execute the action, the instructions further cause the processor to: 
output the notification to request that additional analysis be applied on the messages in the particular cluster; or 
remove the specific messages from particular cluster.
However, Xavier teaches:
output the notification to request that additional analysis be applied on the messages in the particular cluster; ([Xavier Col 8 Lines 32 – 40] “The results 170 may identify one or more of the set of malicious email messages 160 being part of a known email campaign or a subset of malicious email set 160 being part of a newly detected email campaign. Also, the email campaign detection engine 140 notifies reporting engine 180 of a detected email campaign which may cause the reporting engine 180 to access to email data store 130 and transmit one or more alert messages to administrators of a network deploying the cybersecurity system 100.” Thus, upon identifying set of malicious email messages, the email campaign detection engine notifies the reporting engine to access email data store and transmit alert messages to an administrator. These actions may be regarded as “additional analysis”.)
remove the specific messages from particular cluster. ([Xavier Col 19 Lines 12 – 22] “The alert message 580 is provided to enable action to be taken, by the administrator to remediate, interdict or neutralize the email campaign attack and/or halt its spread. This remediation may involve a review of email storage of the network devices 5201, -520M and email in-boxes at email servers or other network devices to delete or quarantine email messages.” Thus, the alert reports are provided and the email messages may be deleted or quarantined.)
Therefore, before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Astiz’s system of classifying or clustering an alphanumeric candidate in an email message over a given period of time by enhancing Astiz’s system by issuing a notification of alert messages to an administrator when malicious email messages are detected and deleting the email messages as taught by Xavier so that the security administrator can take a remedial action. (Xavier Col. 4 Lines 54 – 55)
The motivation is to improve Astiz’s system of classifying or clustering an alphanumeric candidate in an email message over a given period of time further by issuing a notification of alert messages to an administrator when malicious email messages are detected and deleting the email messages so that the security administrator can take a remedial action. (Xavier Col. 4 Lines 54 – 55)

Regarding Claim 20: Astiz in view of Xavier and further in view of Korotkikh teaches the non-transitory computer-readable medium of claim 17, but Astiz fails to disclose: wherein the instructions further cause the processor to: 
determine that the potentially malicious pattern has been identified at least a predefined number of times; and 
based on the determination that the potentially malicious pattern has been identified at least the predefined number of times, update a service that is to perform antivirus operations on additional messages regarding the potential malicious pattern.  
However, Xavier teaches:
determine that the potentially malicious pattern has been identified at least a predefined number of times; ([Xavier Col 8 Lines 21 – 25] “Upon detecting at least a predetermined number of malicious email representations being correlated, which correspond to a prescribed subset of malicious email messages within the malicious email set 160” Therefore, we have seen that malicious pattern may be identified by a predetermined number.) and 
based on the determination that the potentially malicious pattern has been identified at least the predefined number of times, update a service that is to perform antivirus operations on additional messages regarding the potential malicious pattern. ([Xavier Col 7 Lines 61 – 67 Col 8 Lines 1 – 5] “The threat detection engine 120 is configured to perform a static analysis on the content of the email message 150 and/or perform a dynamic analysis by supplying the email message 150 (or contents of the email message 150) to a virtual machine (or other isolated execution environment), performing operations on the email message 150 within the virtual machine, and analyzing behaviors of the email message 150 and/or the virtual machine to determine whether the email message 150 is malicious or benign. Examples of a “static” analysis may include, but are not limited or restricted to anti-virus scanning, anti-spam scanning, pattern matching …” Therefore, an antivirus scanning is to be employed when an email message is determined as malicious which may be identified by a predetermined number.)
Therefore, before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Astiz’s system of classifying or clustering an alphanumeric candidate in an email message over a given period of time by enhancing Astiz’s system by identifying a malicious pattern as occurred by  a predetermined time and then employing anti-virus scan as taught by Xavier for protecting the network device within the network by analyzing email messages whether they are suspicious which are propagated along the network. (Xavier Col 1 Lines 35 – 38) 
The motivation is to improve Astiz’s system of classifying or clustering an alphanumeric candidate in an email message over a given period of time further by identifying a malicious pattern as occurred by a predetermined time and then employing anti-virus scan to protect the network device within the network by analyzing email messages whether they are suspicious which are propagated along the network. (Xavier Col 1 Lines 35 – 38)
   
Claims 2 and 11 are rejected under 35 U.S.C. 103 as being unpatentable over Astiz US PGPUB No. 20180018387 in view of Xavier et al US Patent No. 11075930 and further in view of Korotkikh US PGPUB No. US20220109649 and Dedenok et al US PGPUB No. 20200314120.

Regarding Claim 2: Astiz in view of Xavier and further in view of Korotkikh teaches the apparatus of claim 1, but Astiz in view of Xavier and further in view of Korotkikh fails to disclose wherein the features comprise hashes of the features, and wherein the instructions cause the processor to: 
identify the hashes of the features; and 
determine the common patterns of the identified hashes of the features. 
However, Dedenok teaches: 
wherein the features comprise hashes of the features, ([Dedenok ¶0052] “After forming the clusters, the hash generator 120 makes a selection of at least one most frequent combination of groups in each formed cluster, and transforms the found combination of groups into a hash.” Thus, combination of group (features) of the cluster are transformed to a hash by the hash generator.) and wherein the instructions cause the processor to: 
identify the hashes of the features; ([Dedenok ¶0011] “generating a hash from the at least one most frequent combination of groups;” Therefore, a hash for most frequent combination of groups (features) can be recognized when it is generated.)
determine the common patterns of the identified hashes of the features. ([Dedenok ¶0014] “the collection of hashes contains at least a set of hashes corresponding to legitimate emails, and a set of hashes corresponding to emails containing spam.” Therefore, legitimate emails as well as spam emails (common patterns: legitimate or spam) corresponding to set or collection of generated hashes can be resolved.)
Therefore, before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Astiz in view of Xavier and further in view of Korotkikh’s system of classifying or clustering an alphanumeric candidate in an email message and identifying the cluster as malicious over a periodic or aperiodic time interval containing number of email messages more than a predefined value and generating an alert message with performing an action of deletion or quarantining as coming from same sender by enhancing Astiz in view of Xavier and further in view of Korotkikh’s system by generating hashes for most frequent combination of groups and therefrom defining any common patterns among the message as taught by Dedenok which helps to create at least one heuristic rule related to generated hashes for identifying emails whether it is spam and legitimate. (Dedenok Abstract)     
The motivation is to improve Astiz in view of Xavier and further in view of Korotkikh’s system of classifying or clustering an alphanumeric candidate in an email message and identifying the cluster as malicious over a periodic or aperiodic time interval containing number of email messages more than a predefined value and generating an alert message with performing an action of deletion or quarantining as coming from same sender further by generating hashes for most frequent combination of groups and therefrom defining any common patterns among the message to create at least one heuristic rule related to generated hashes for identifying emails whether it is spam and legitimate. (Dedenok Abstract)

Regarding Claim 11: Astiz in view of Xavier and further in view of Korotkikh teaches the method of claim 10, but Astiz in view of Xavier and further in view of Korotkikh fails to disclose wherein the first features and the second features comprise respective hashes of the first features and the second features, and wherein the method further comprises: 
identifying the hashes of the first features and the second features; and 
determining the first patterns in the hashes of the first features and the second patterns in hashes of the second features.
However, Dedenok teaches:	
wherein the first features and the second features comprise respective hashes of the first features and the second features, ([Dedenok ¶0052] “After forming the clusters, the hash generator 120 makes a selection of at least one most frequent combination of groups in each formed cluster, and transforms the found combination of groups into a hash.” Thus, combination of group (first and second features) of the cluster are transformed to respective hashes by the hash generator.) and wherein the method further comprises: 
identifying the hashes of the first features and the second features; ([Dedenok ¶0011] “generating a hash from the at least one most frequent combination of groups;” Therefore, respective hashes for most frequent combination of groups (first and second features) can be recognized when it is generated.) and 
determining the first patterns in the hashes of the first features and the second patterns in hashes of the second features. ([Dedenok ¶0014] “the collection of hashes contains at least a set of hashes corresponding to legitimate emails, and a set of hashes corresponding to emails containing spam.” Therefore, legitimate emails as well as spam emails (common two patterns: legitimate and spam) corresponding to set or collection of generated hashes can be resolved.)
Therefore, before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Astiz in view of Xavier and further in view of Korotkikh’s system of classifying or clustering an alphanumeric candidate in an email message and identifying the cluster as malicious over a periodic or aperiodic time interval containing number of email messages more than a predefined value and generating an alert message with performing an action of deletion or quarantining as coming from same sender by enhancing Astiz in view of Xavier and further in view of Korotkikh’s system by generating hashes for most frequent combination of groups and therefrom defining any common patterns among the message as taught by Dedenok which helps to create at least one heuristic rule related to generated hashes for identifying emails whether it is spam and legitimate. (Dedenok Abstract)     
The motivation is to improve Astiz in view of Xavier and further in view of Korotkikh’s system of classifying or clustering an alphanumeric candidate in an email message and identifying the cluster as malicious over a periodic or aperiodic time interval containing number of email messages more than a predefined value and generating an alert message with performing an action of deletion or quarantining as coming from same sender further by generating hashes for most frequent combination of groups and therefrom defining any common patterns among the message to create at least one heuristic rule related to generated hashes for identifying emails whether it is spam and legitimate. (Dedenok Abstract)

Claims 8 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Astiz US PGPUB No. 20180018387 in view of Xavier et al US Patent No. 11075930 and further in view of Korotkikh US PGPUB No. US20220109649 and Gu et al US PGPUB No. 20180052918.
 
Regarding Claim 8: Astiz in view of Xavier and further in view of Korotkikh teaches the apparatus of claim 1, but Astiz in view of Xavier and further in view of Korotkikh fails to disclose wherein the instructions cause the processor to: 
aggregate the plurality of clusters into a reduced number of clusters based on the identified features in the plurality of messages grouped in the plurality of clusters.  
But Gu teaches:
aggregate the plurality of clusters into a reduced number of clusters based on the identified features in the plurality of messages grouped in the plurality of clusters. ([Gu ¶0024] “A huge number of texts is now collected. There is need to quickly summarize them for analysis. A clustering or cluster analysis can be used for summarizing them” [Gu ¶0025] “The clustering or cluster analysis is the task of grouping a set of objects in such a way that objects in the same group or cluster are more similar in some sense or another to each other than to those in other groups or clusters.” [Gu ¶0003] “The method comprises the followings: tokenizing each of a plurality of texts to obtain tokens; performing a feature analysis on each of the tokens to obtain feature scores; generating a first set of vectors, each vector in the first set of vectors having one or more obtained feature scores equal to or larger than a predefined value; generating a vector space using the first set of vectors; executing non-hierarchical clustering using the vector space to generate a first plurality of clusters” [Gu ¶0033] “Texts may comprise, for example, but not limited to: log messages which can be sent from one or more servers; texts obtained from a speech recognition system; mails; or business texts.” [Gu ¶0116] “The user may combine clusters or decrease the number of clusters, for example, by double-clicking two or more representative text in corresponding clusters displayed in the message window (513, 533, 553 or 573). In response to the double-clicking of the two or more representative texts, the system may combine the cluster by decreasing the number of clusters, using the tree diagram window.” Therefore, the number of clusters is decreased (reduced) by combining (aggregating) the clusters generated by clustering analysis using vector and vector space having some feature scores from huge amount of text which may be obtained from messages like log message, email messages, from speech recognition system, etc.)
Therefore, before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Astiz in view of Xavier and further in view of Korotkikh’s system of classifying or clustering an alphanumeric candidate in an email message and identifying the cluster as malicious over a periodic or aperiodic time interval containing number of email messages more than a predefined value and generating an alert message with performing an action of deletion or quarantining as coming from same sender by enhancing Astiz in view of Xavier and further in view of Korotkikh’s system by combining and decreasing clusters as taught by Gu for providing a technique of summarizing a plurality of texts or messages because it is difficult to create summary from the texts or messages in a predefined time when number of texts or messages is huge. (Gu ¶0001 ¶0029)
The motivation is to improve Astiz in view of Xavier and further in view of Korotkikh’s system of classifying or clustering an alphanumeric candidate in an email message and identifying the cluster as malicious over a periodic or aperiodic time interval containing number of email messages more than a predefined value and generating an alert message with performing an action of deletion or quarantining as coming from same sender further by combining and decreasing clusters to create a summary of huge number of texts or messages within a predefined time. (Gu ¶0001 ¶0029)
 
Regarding Claim 15: Astiz in view of Xavier and further in view of Korotkikh teaches the method of claim 10, but Astiz in view of Xavier and further in view of Korotkikh fails to disclose further comprising: 
aggregating the first clusters into a reduced number of first clusters based on the identified features in the first messages grouped in the first clusters.
But Gu teaches:
aggregating the first clusters into a reduced number of first clusters based on the identified features in the first messages grouped in the first clusters. ([Gu ¶0024] “A huge number of texts is now collected. There is need to quickly summarize them for analysis. A clustering or cluster analysis can be used for summarizing them” [Gu ¶0025] “The clustering or cluster analysis is the task of grouping a set of objects in such a way that objects in the same group or cluster are more similar in some sense or another to each other than to those in other groups or clusters.” [Gu ¶0003] “The method comprises the followings: tokenizing each of a plurality of texts to obtain tokens; performing a feature analysis on each of the tokens to obtain feature scores; generating a first set of vectors, each vector in the first set of vectors having one or more obtained feature scores equal to or larger than a predefined value; generating a vector space using the first set of vectors; executing non-hierarchical clustering using the vector space to generate a first plurality of clusters” [Gu ¶0033] “Texts may comprise, for example, but not limited to: log messages which can be sent from one or more servers; texts obtained from a speech recognition system; mails; or business texts.” [Gu ¶0116] “The user may combine clusters or decrease the number of clusters, for example, by double-clicking two or more representative text in corresponding clusters displayed in the message window (513, 533, 553 or 573). In response to the double-clicking of the two or more representative texts, the system may combine the cluster by decreasing the number of clusters, using the tree diagram window.” Therefore, the number of clusters is decreased (reduced) by combining (aggregating) the clusters generated by clustering analysis using vector and vector space having some feature scores from huge amount of text which may be obtained from messages like log message, email messages, from speech recognition system, etc.)
Therefore, before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Astiz in view of Xavier and further in view of Korotkikh’s system of classifying or clustering an alphanumeric candidate in an email message and identifying the cluster as malicious over a periodic or aperiodic time interval containing number of email messages more than a predefined value and generating an alert message with performing an action of deletion or quarantining as coming from same sender by enhancing Astiz in view of Xavier and further in view of Korotkikh’s system by combining and decreasing clusters as taught by Gu for providing a technique of summarizing a plurality of texts or messages because it is difficult to create summary from the texts or messages in a predefined time when number of texts or messages is huge. (Gu ¶0001 ¶0029)
The motivation is to improve Astiz in view of Xavier and further in view of Korotkikh’s system of classifying or clustering an alphanumeric candidate in an email message and identifying the cluster as malicious over a periodic or aperiodic time interval containing number of email messages more than a predefined value and generating an alert message with performing an action of deletion or quarantining as coming from same sender further by combining and decreasing clusters to create a summary of huge number of texts or messages within a predefined time. (Gu ¶0001 ¶0029) 

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to ARIF KHAN whose telephone number is (571)272-6528. The examiner can normally be reached Monday - Friday: 8:30 am - 5:30 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok B Patel can be reached on (571)272-3972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/A.K./Examiner, Art Unit 2491

/DANIEL B POTRATZ/Primary Examiner, Art Unit 2491