DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
2.    The text of those sections of Title 35 U.S. Code not included in this section can be found in the prior office action.
3.    The prior office actions are incorporated herein by reference. In particular, the observations with respect to claim language, and response to previously presented arguments.
4.    Claims 1-22 are pending.

Applicant’s Arguments
Applicant’s amendments are sufficient to overcome the claim objections set forth in the previous Office action.
Applicant’s amendments are sufficient to overcome the 35 U.S.C. 101 rejections set forth in the previous Office action.
Applicant’s amendments (and the Examiner’s amendments herein below) are sufficient to overcome the 35 U.S.C. 103 rejections set forth in the previous Office action.

EXAMINER’S AMENDMENT

Authorization for this examiner’s amendment was given in a telephone interview with Stephen Terrile (Reg. No. 32,946) on 22 February 2021.
The application has been amended as follows:

Listing of Claims:

Claim 1 (Currently Amended)	A computer-implemented method for identifying communications received from potentially untrustworthy entities comprising:
receiving, via a protected endpoint, an electronic communication for a receiving entity from a sending entity, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device;
accessing, via a security analytics system, social media information for the sending entity from a social media network; 
analyzing, via the security analytics system, the social media information of the sending entity pursuant to determining whether the received electronic communication is from a potentially untrustworthy entity; 
determining whether the receiving entity and the sending entity have common contacts in the social media network;
determining a number of common contacts in the social media network the receiving entity and the sending entity have;
using a threshold criterion for the number of common contacts to determine whether the sending entity may be trusted;
assigning a confidence level that the received electronic communication is a communication from a potentially untrustworthy entity when the receiving entity and the sending entity have common contacts in the social media network, wherein the confidence level includes a common contact confidence level, the common contact confidence level being based on a degree of relationship with respect to the receiving entity between any common contacts of the receiving entity and the sending entity in the social media network;
identifying, via the security analytics system, the electronic communication as a reconnaissance communication using the confidence level that the received electronic communication is from a potentially untrustworthy entity; and,
executing security mitigation operations on the received electronic communication when the electronic communication is identified as a reconnaissance communication.


determining whether a social media profile exists on the social media network for the sending entity;
determining a number of contacts with which the sending entity is associated on the social media network;
determining whether the receiving entity and the sending entity are linked as contacts in the social media network;

determining a geographical region of the sending entity; 
determining how long the social media profile has been active; and
determining a social media participation score for the sending entity.

Claim 4 (Currently Amended)	The method of claim 1, wherein analyzing social media information comprises:
assigning a weighted confidence level that the received electronic communication is a communication from a potentially untrustworthy entity, wherein the weighted confidence level includes one or more of:
a first confidence level determined from a number of contacts with which the sending entity is associated;

a third confidence level based on whether the receiving entity and the sending entity have common contacts in the social media network; 

a fourth 
a fifth 
a sixth 
a seventh 
determining a composite confidence level using one or more of the first, second, third, fourth, fifth, sixth, or seventh


the electronic communication comprises an email; and
the analysis of the social media information of the sending entity is used to determine 

Claim 10 (Currently Amended)	A system comprising:  
a processor;  
a data bus coupled to the processor; and 
a non-transitory, computer-readable storage medium embodying computer program code, the non-transitory, computer-readable storage medium being coupled to the data bus, the computer program code interacting with a plurality of computer operations and comprising instructions executable by the processor and configured for: 
receiving, via a protected endpoint, an electronic communication for a receiving entity from a sending entity, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device;
accessing, via a security analytics system, social media information for the sending entity from a social media network; 
;
determining whether the receiving entity and the sending entity have common contacts in the social media network;
determining a number of common contacts in the social media network the receiving entity and the sending entity have;
using a threshold criterion for the number of common contacts to determine whether the sending entity may be trusted;
assigning a confidence level that the received electronic communication is a communication from a potentially untrustworthy entity when the receiving entity and the sending entity have common contacts in the social media network, wherein the confidence level includes a common contact confidence level, the common contact confidence level being based on a degree of relationship with respect to the receiving entity between any common contacts of the receiving entity and the sending entity in the social media network;
identifying, via the security analytics system, the electronic communication as a reconnaissance communication using the confidence level that the electronic communication is from a potentially untrustworthy entity; and,


Claim 11 (Currently Amended)	The system of claim 10, wherein analyzing the social media information of the sending entity comprises one or more of:
determining whether a social media profile exists on the social media network for the sending entity;
determining a number of contacts with which the sending entity is associated on the social media network;
determining whether the receiving entity and the sending entity are linked as contacts in the social media network;

determining a geographical region of the sending entity; 
determining a social media participation score for the sending entity; and
determining how long the social media profile has been active.


assigning a weighted confidence level that the received electronic communication is a communication from a potentially untrustworthy entity, wherein the weighted confidence level includes one or more of:
a first confidence level determined from a number of contacts with which the sending entity is associated;
a second confidence level based on whether the receiving entity and the sending entity are linked as contacts in the social media network;
a third confidence level based on whether the receiving entity and the sending entity have common contacts in the social media network; 

a fourth 
a fifth 
sixth 
a seventh 
determining a composite confidence level using one or more of the first, second, third, fourth, fifth, sixth, or seventh

Claim 14 (Currently Amended)	The system of claim 13, wherein
the composite confidence level is determined using weighted values for one or more of the first, second, third, and fourth

Claim 15 (Currently Amended) The system of claim 10, wherein
the electronic communication comprises an email; and
the analysis of the social media information of the sending entity is used to determine 


receiving, via a protected endpoint an electronic communication for a receiving entity from a sending entity, the protected endpoint comprising an endpoint device and an endpoint agent, the endpoint agent executing on a hardware processor of the endpoint device;
accessing, via a security analytics system, social media information for the sending entity from a social media network; 
analyzing, via the security analytics system, the social media information of the sending entity pursuant to determining whether the received electronic communication is from a potentially untrustworthy entity;
determining whether the receiving entity and the sending entity have common contacts in the social media network;
determining a number of common contacts in the social media network the receiving entity and the sending entity have;
using a threshold criterion for the number of common contacts to determine whether the sending entity may be trusted;
assigning a confidence level that the received electronic communication is a communication from a potentially untrustworthy entity when the receiving entity and the sending entity have common contacts in the social media network, wherein the confidence level includes a common contact confidence level, the common contact confidence level being based on a degree of relationship with respect to the receiving entity between any common contacts of the receiving entity and the sending entity in the social media network;
identifying, via the security analytics system, the electronic communication as a reconnaissance communication using the confidence level that the received electronic communication is from a potentially untrustworthy entity; and,
executing security mitigation operations on the received electronic communication when the electronic communication is identified as a reconnaissance communication.

Claim 20 (Currently Amended)	The non-transitory, computer-readable storage medium of claim 19, wherein analyzing the social media information of the sending entity comprises one or more of:
determining whether a social media profile exists on the social media network for the sending entity;
determining a number of contacts with which the sending entity is associated on the social media network;
determining whether the receiving entity and the sending entity are linked as contacts in the social media network;


determining a geographical region of the sending entity; 
determining a social media participation score for the sending entity; and
determining how long the social media profile has been active.

Claim 21 (Currently Amended)	The non-transitory, computer-readable storage medium of claim 19, wherein
 the electronic communication comprises an email; and
the analysis of the social media information of the sending entity is used to determine 

Allowable Subject Matter
9.    Independent claims 1, 10 and 19 are allowed. Dependent claims 2-9, 11-18 and 20-22 are allowed based on their dependency.

10.    The following is an examiner’s statement of reasons for allowance:

Claim 1, inter alia, “determining a number of common contacts in the social media network the receiving entity and the sending entity have; using a threshold criterion for the number of common contacts to determine whether the sending entity may be trusted; assigning a confidence level that the received electronic communication 

12.    The closest prior arts made of record are:
i)	Hull et al. (U.S. Pub. No. 2005/0171954 cited in the previous Office action and hereinafter referred to as Hull) which discloses using the social network information to determine if a sender of the message is acceptable (see paragraphs [0015], [0029], [0030], [0043], [0044], [0069]-[0070] and Fig. 4 of Hull).
ii)	Hunt et al. (U.S. Pub. No. 2013/0124644 cited in the previous Office action and hereinafter referred to as Hunt) which discloses determining if a message source user is potentially untrustworthy based on social network information of the user (see paragraphs [0001], [0003], [0012], [0030], [0034], [0036] and [0037] of Hunt).

13.    While the prior art does show using social media information of a ender of a message to determine if a message is malicious, the prior art is not considered to 

Claims 10 and 19, although different, further recites similar limitations to claim 1. Therefore, claims 10 and 19 are considered to be allowable for similar reasons to claim 1.



16.    Any comments considered necessary by applicant must be submitted no later than payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance."

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Adkins (U.S. Pub. No. 2016/0014070) – cited for teaching analyzing social data to determine if a message is a phishing message – paragraph [0051]
Song et al. (“Spam Filtering in Twitter Using Sender-Receiver Relationship”) - cited for teaching using relations on social media to determine spam – Abstract

Any inquiry concerning this communication or earlier communications from the examiner should be directed to THADDEUS J PLECHA whose telephone number is (571)270-7506.  The examiner can normally be reached on M-F 8-4:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached on 571-272-3787.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/THADDEUS J PLECHA/Examiner, Art Unit 2438