DETAILED ACTION
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 12/14/2020  has been entered.
- Claims 1 and 5 have been amended.
- Claims 17-18 are newly added.
- Claims 2-4 and 6-11 are cancelled.
- Previous objections to claims 1, 5 and 9 have been withdrawn based on the claim amendments.
- Claims 1, 5 and 12-18 are pending.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
Applicant’s arguments filed on 12/14/2020 have been considered. However, they are moot in view of the new grounds of rejection necessitated by the claim amendments.

Claim Objections 
Claims 1, 5, 12, 14 and 16 are objected to because they recite “said electronic message”, which lacks antecedent basis. For the purpose of examination, the first recitation of “said electronic message” in claim 1 is being read as “identifying an electronic message”. Correction is required.
Claims 13 and 14 are objected to because they recite “said learning process”, which lacks antecedent basis. This recitation is read as “said training process”. Correction is required.
Claim 16 is objected to because it recites “said result of said behavior analysis” which lacks antecedent basis. This recitation is read as “said result of said analysis”. Correction is required.
Claim 17 is objected to because it recites “said messaging system” which lacks antecedent basis. This recitation is read as “said messaging service”. Correction is required.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


Claim 18 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention. Claim 18 recites “said operation” twice however it is not clear if “said operation” refers to “an operation” recited 

The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

Claims 1 and 18 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. These claims recite “said parameter implicitly indicating about identifying said electronic message as suspicious or as non-suspicious” and “said implicit parameter…”, respectively, however the specification does not appear to describe a parameter as being “implicit” or “implied” or “implying” or “not explicit”. 
The written description support that Applicant noted in the Remarks does not provide sufficient support because although the specification describes examples of implicit user activity, the specification does not limit user activity to implicit activity.



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1 and 12-16 are rejected under 35 U.S.C. 103 as being unpatentable over Higbee et al (US Pub.No.2016/0301705) in view of Syrowitz et al (US Pub.No. 2014/0006522).

Re Claim 1. Higbee discloses a method for detecting malicious or soliciting electronic messages in a messaging system: comprising: by a behavior analysis training process, learning a behavior of a user with messages of said messaging system (i.e. the system can adjust the reporter reputation score points based on reporting activity by the user) [Higbee, para.0087, see also 0030], (i.e. The rules module can also develop rules based upon reported files and extracted information from the reported messages. This feature can work in combination with the interdiction module. As a message meets specific reporting thresholds, the rules module can be automatically implemented or an administrator can implement the rules upon review. This can include extraction of header information, content information or any other information that the management console module is capable of extracting. The ) [Higbee, para.0083]; extracting from an operation associated with said user behavior a parameter (i.e. The interdiction module can also provide notification to the module responsible for maintaining the reporter reputation scores for individuals of any actions that have been taken by the individuals for the messages that are removed by it.  Examples would be notifying the reporting module that the message had been opened, or moved to trash, or not opened) [Higbee, para.00100];
Higbee does not explicitly disclose whereas Syrowitz does: said parameter implicitly indicating about identifying said electronic message as suspicious or as non-suspicious; analyzing said parameter (i.e. History component 116 may further track information about received emails when the account user deletes the email without reading the email, manually marks the email as "junk" or spam, opens the email, responds to the email, and other user-initiated behavior regarding email messages.  History component 116 may store a log of this information as profile 118 to develop a behavior profile for the account user that may be used by spam filter 110 to further refine spam detection) [Syrowitz, para.0030]; and determining said electronic message as analyzing (i.e. For example, rule selection logic 260 and/or filtering engine 280 may retrieve profile 118, 400 for the intended recipient of the received message. Logic flow 800 may select a subset of filtering rules at block 810.  For example, rule selection logic 260 may select rules according to the email characteristics, global filtering rule statistics and/or recipient profile………………… Logic flow 800 may apply the prioritized subset of rules to the message at block 814.  For example, filtering engine 280 may received the prioritized subset form prioritization logic 270 and may apply the rules in order from highest to lowest priority until a determination of whether the message is spam is reached) [Syrowitz, para.0081-0087].
	It would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify Higbee with Syrowitz because The selected rules may be prioritized such that the most useful, efficient, and/or relevant rules are applied first.  In this manner, a determination of whether the message is spam may be reached more quickly and efficiently [Syrowitz, para.0016].
Re Claim 12. Higbee in view of Syrowitz discloses the method of claim 1, Higbee further discloses: comprising: associating a first time frame from said behavior with an event of suspecting said electronic message by said user; said first time frame being between reading said electronic message by said user to performing an at least one The system can also be configured to reduce the reputation score of a user who fails to report a suspicious message that user is known to have received, or received and opened, after a specific period of time has elapsed. Points can be reduced based on failing to report either a simulated phishing message generated as described herein or an actual malicious message. Points can also be reduced for reporting a legitimate message as well. Alternatively, if a user falls victim to a phishing attack or malicious message and reports it after the fact, this can have a different point value than reporting the message prior to falling victim) [Higbee, para.0088], (i.e. The extraction can be automatic upon meeting a specific threshold, such as number of people reporting the same message or reporting user reputation score above a threshold……………..as illustrated in FIG. 16. A recipe can be associated with a name 1610, a description 1620, a status (active/inactive) 1630, keyword tag(s) 1640, etc. and be ) [para.0083-0086].  

Re Claim 13. Higbee in view of Syrowitz discloses the method of claim 1, Higbee further discloses wherein said learning process is a machine learning process (i.e.  Other clustering techniques contemplated include k-means, deep learning (such as a convolutional neural network), or through various other machine learning techniques) [Higbee, para.0108].  

Re Claim 14. Higbee in view of Syrowitz discloses the method of claim 1, Higbee further discloses further comprising, by said learning process identifying predictable behavior patterns with said electronic message and wherein said determining said electronic message as suspicious being as a result of comparing a behavior of said user with same or similar message to said predictable behavior (i.e. This can include extraction of header information, content information or any other information that the management console module is capable of extracting.  The extraction can be automatic upon meeting a specific threshold, such as number of people reporting the same message or reporting user reputation score above threshold.  The system can then aggregate the similar characteristics or pattern matching to develop rules.  These can include if specific headers are identified, attachments, links, message content or any other element that malware and virus scanning programs detect) [Higbee, para.0083, see also 0089].   

Re Claim 15. Higbee in view of Syrowitz discloses the method of claim 1, Higbee further discloses wherein said result of said analysis being performed on metadata of one or more similar messages from said messages (i.e. This can include extraction of header information, content information or any other information that the management console module is capable of extracting.  The extraction can be automatic upon meeting a specific threshold, such as number of people reporting the same message or reporting user reputation score above threshold.  The system can then aggregate the similar characteristics or pattern matching to develop rules.  These can include if specific headers are identified, attachments, links, message content or any other element that malware and virus scanning programs detect) [Higbee, para.0083].   
 
Re Claim 16. Higbee in view of Syrowitz discloses the method of claim 1, Higbee discloses further comprising determining level of suspiciousness of said electronic message in accordance with said result of said behavior analysis (i.e. Based on the results of the rules processing, in some embodiments through the interdiction module, described herein, further actions can be taken. The further actions can be any arbitrary action. As non-limiting examples, based on a rule match, a message can be assigned a threat level) [Higbee, para.0077].  

Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Higbee in view of Syrowitz, as applied to claim 1, further in view of Marino et al (US Pub.No. 2006/0184632).

Re Claim 5. Higbee in view of Syrowitz discloses the method of claim 1, Higbee does not explicitly disclose whereas Marino does: embedding an alerting message with said electronic message for displaying said alerting message on a reading pane of said electronic message, said embedding in response to said identifying said electronic message as a suspicious to thereby enabling said user to preview said alerting message prior to opening said electronic message (i.e. the appliance at step 602 verifies whether identity fraud was detected in the email content. If this was the case, the email is tagged by placing an appropriate message, such as "[PHISH]" either in the subject line (step 603) or, alternatively, in the header of the email message…………..the tagged email with the inserted management toolbar is forwarded to the client at step 624) [Marino, para.0052-0055].   
	It would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify Higbee in view of Syrowitz with Marino because Marino provides an integrated plug and play solution designed to protect home networks against spam, phishing emails, viruses, spyware as well as other similar threats [Marino, Abstract].

Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over Higbee in view of Syrowitz, as applied to claim 1, further in view of Wright (US Pub.No. 2011/0023115).

Re Claim 18. Higbee in view of Syrowitz discloses the method of claim 1, Higbee in view of Syrowitz further discloses: wherein said implicit parameter comprises one member selected from a group consisting of: time from reading said electronic message to performing other operation with said electronic message (i.e. The system can also be configured to reduce the reputation score of a user who fails to report a suspicious message that user is known to have received, or received and opened, after a specific period of time has elapsed) [Higbee, para.0088], date and time associated with receiving of said electronic message and with performing said operation (i.e. cluster summary 1100 is depicted in FIG. 11.  The cluster summary 1100 may display a list of all messages assigned to the cluster.  Each message may display a "to" address 1110, a "from" address 1112, a reporter score 1114, rule matches 1115, as well as any other data associated with the message such as a subject, a received time, a reported time) [Higbee, para.0070, Fig.12 shows dates and times], 
Higbee in view of Syrowitz does not explicitly disclose whereas Wright does: mouse movements of said user associated with said operation (i.e. Other sample behaviors may include, but are not limited to, a user scrolling down a page) [Wright, para.0075], keystrokes of said user associated with said The behavior monitoring facility 204 may monitor user behaviors, such as mouse clicks, touchpad movement, keyboard key presses, or other user behaviors) [Wright, para.0091].
Wright does not explicitly teach: hovering of said user associated with the said operation; however, it would have been obvious to a person having ordinary skill in the art to modify Wright to include “hovering” because Wright teaches that a user interaction may occur on a keyboard, a mouse, a display device, [Wright, para.0080] and hovering is one of a limited number of known mouse interactions.
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify Higbee in view of Syrowitz with Wright because certain malicious code may be identified via a combination of user behaviors and code behaviors [Wright, para.0089].

Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over Nikolayev et al (US Pub.No. 2013/0339456).

Re Claim 17. Nikolayev teaches a method, the method comprises; classifying, an at least one of operations of a user with a mailbox of a messaging service, as a positive operation, wherein said positive operation indicating that a certain electronic message is a non suspicious message (i.e. if the country of origin identified in the message is Russia, and the recipient received two e-mail ) [Nikolayev, para.0064-0066, this teaches that opening a message is classified as a positive operation indicating that an opened message is non suspicious]; monitoring behaviour of said user with said messaging system (i.e. Either history component 119 or history analyzer 340 may keep track of a total number of e-mails sent and/or received by a specific user account within a recent time period) [Nikolayev, para.0042]; identifying, from said behaviour, a first electronic message associated with said positive operation of said user; extracting an at least one first parameter from said first electronic messages (i.e. history component 119 or history analyzer 340 may determine how many e-mails were received from country A (e.g. the U.S.) and from country B (e.g. ……... The determination of a commonly used country or language may be affected by factors in addition to frequency.  For example, a language frequency for language C (e.g. Chinese) may be modified or weighted by how many times an e-mail sent in language C (e.g. Chinese) is actually opened, or deleted without opening) [Nikolayev, para.0042-0043]; receiving a second electronic message; extracting an at least one second parameter from said second electronic message (i.e. logic flow 700 may receive an e-mail message for a recipient at block 702.  For example, e-mail server 110 may receive an e-mail 130 ("the message") intended for a recipient.  E-mail server 110 may identify the intended recipient and locate a mailbox 112 for the recipient. Logic flow 700 may determine a country of origin for the message at block 704.  For example, country detector 116, 310 may examine the IP address 132 of the message and identify the country to which it was assigned) [Nikolayev, para.0061-0062]; and if said at least one second parameter is different from said at least one first parameter, determining said second electronic message as suspicious or malicious (i.e. a filtering rule states that if the country of origin of a received e-mail does not match the countries that the recipient ) [Nikolayev, para.0038].
	Nikolayev does not disclose the above features in one embodiment, however it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to combine the different embodiments of Nikolayev because such combination is suggested: It is, of course, not possible to describe every conceivable combination of components and methodologies, but one of ordinary skill in the art may recognize that many further combinations and permutations are possible [Nikolayev, para.0092].


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to NOURA ZOUBAIR whose telephone number is (571)270-7285.  The examiner can normally be reached on Monday - Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on 571-272-3811.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.







/NOURA ZOUBAIR/Primary Examiner, Art Unit 2434