DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claims 1-30 are pending in this application.
IDS submitted on 1/31/2019 has been considered.


Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1, 2, 29 and 30 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Higbee et al. (Pub. No.: US 2016/0301705 A1) (hereinafter, “Higbee”).

As to claim 1, Higbee discloses a computer-implemented method, comprising: 
receiving an electronic message associated with an email address of a user into a first folder (“When a message is received on a computing device of an individual, the user may report the message as a possible phishing attack.” –e.g. see, [0051]; Fig. 5B; herein a message is received which includes an icon to report phishing); 
one-click of a button, one-touch of a button) may be sufficient to trigger the notification to be sent to the network device. Examples of such a graphical reporting button are illustrated in FIGS. 5A and 5B. The graphical user interface can include a label to the effect of "Report Phishing" as a button 520, or may be presented as a contextual menu item 510.” –e.g. see, [0052]); 
receiving selections of the electronic message and the user-selectable icon (“…identifying information relating to the reported message and/or the user who reported the message may be communicated to the network server device…” –e.g. see, [0052]); 
quarantining the electronic message in response to the selections (“…a message may be set to be inaccessible to the reporting individual upon it being reported (or otherwise quarantined) and remain in such status until there is a resolution to the status of the message.” –e.g. see, [0055]; herein, once a message is reported, it’s being quarantined until there is a resolution of the reported message; see also, [00098]); 
electronically communicating the electronic message to a processor for performing threat analysis in response to the selections (“…reported messages are received at the network server. The reported messages are checked against rules stored in the system. The rules can be written for YARA or another tool that enables determining whether message or attachment data contains defined textual or binary patterns (e.g. regex parsing, etc).” –e.g. see, [0064], see also, [0054]); 
The header can include a unique or a substantially unique identifier generated by the system for tracking purposes. In some embodiments, the identifier can be an alphanumeric code. The header may also include, as part of identifier information or separately, an identification of the user for whom the simulated phishing message was generated. This may provide attribution back to the user who reported the suspicious message…” –e.g. see, [0046]); 
receiving a response message in response to the performed threat analysis, the response message comprising the one or more headers and indicating a threat status of the electronic message (“Combined, the other integrations 1840 may characterize a reported e-mail as "good" or "bad", i.e. determine with some probabilistic determination whether the reported e-mail is generally malicious or non-malicious to aid an administrator in responding to threats. Alternatively, the characterization of a message as "good" or "bad" may cause the system to automatically perform some action on the message (e.g., quarantine), or otherwise automate the functions of the administrator.” –e.g. see, [0123]; see also, [0088]: “A recipe or rules can be configured to auto-reply to a user in response to receiving a report from that user. The auto-reply can be to indicate that the reported message is not, in fact, suspicious.”, se also, [0090], [0092]); and 
processing the electronic message in response to the response message, wherein processing comprises at least one of deleting the electronic message, leaving the electronic message in quarantine, and/or moving the electronic message to the first folder (“… the characterization of a message as "good" or "bad" may cause the system to automatically perform some action on the message (e.g., quarantine), or otherwise automate the functions of the administrator.” –e.g. see, [0123], see also, [0054], [0055], [0098]). 

As to claims 28 and 29, these are rejected using the similar rationale as for the rejection of clam 1.

As to claim 2, Higbee discloses further comprising updating a blacklist and/or a predelivery checklist in response to the threat status of the electronic message (“The threat information can also be provided to blocklists and/or blacklists 1820. For example, information relating to certain message addresses, IP addresses, and URLs can be provided.” –e.g. see, [0122]). 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 4-5 are rejected under 35 U.S.C. 103 as being unpatentable over Higbee in view of Xiong (2007/0136808 A1).

As to claim 4, Higbee doesn’t explicitly disclose wherein the threat status comprises a traffic light indicator, the traffic light indicator red or stop for electronic messages corresponding to a known threat, the traffic light indicator yellow or caution for electronic messages corresponding to a possible threat, the traffic light indicator green or proceed for electronic messages not associated with a known threat or suspected of being a threat, and wherein the threat status comprises a threat category. 
However, in an analogous art, Xiong discloses wherein the threat status comprises a traffic light indicator, the traffic light indicator red or stop for electronic messages corresponding to a known threat, the traffic light indicator yellow or caution for electronic messages corresponding to a possible threat, the traffic light indicator green or proceed for electronic messages not associated with a known threat or suspected of being a threat, and wherein the threat status comprises a threat category (“Under the "soft quarantine" policy, the quarantine process uses a two level color code warning system: a red warning signal for emails sent from probable cases and a yellow warning signal for emails sent from potential cases. We choose the color code warning system since similar schemes, such as the traffic light signaling and the terror threat warning schemes, have been used widely in people's daily lives. So people understand the meaning of them almost subconsciously. The color code warning system is made known to all email users. A red flag is added to every email with attachment sent from a 
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of the invention was made to modify teaching of Higbee as taught by Xiong in order to implement a threat warning system that people understand the meaning of them almost subconsciously.

As to claim 5, the combination of Higbee and Xiong disclose wherein the threat category comprises at least one of a safe message, a malicious message, a phishing message, a virus, a spam message, and/or a pornographic message (Higbee: [0123]: herein, Combined, the other integrations 1840 may characterize a reported e-mail as "good" or "bad", i.e. determine with some probabilistic determination whether the reported e-mail is generally malicious or non-malicious to aid an administrator in responding to threats). 

Claims 3, 6-28 are rejected under 35 U.S.C. 103 as being unpatentable over Higbee in view of Benishti (US 2017/0244736 A1).



However, in an analogous art, Benishti discloses disclose further comprising electronically communicating the electronic message to the processor for performing threat analysis in response to at least one of: a sender of the electronic message has not sent a previous electronic message to the email address of the user, a variation in a spelling of a name of the sender as compared to previous electronic messages sent by the sender to the email address of the user, the electronic message originating from a sending system that is not associated with other electronic messages received by the email address of the user, or the electronic message having a calculated fingerprint that matches a fingerprint in a fingerprint database having a malicious threat status at a confidence level less than a confidence level threshold (“Comparing the signatures and features to previous reports (step 33), and scoring the message based on features similarity, for example, same sending name or address, same origin SMTP server or same SMTP servers path, same links name and addresses or same attachments Each feature has a predefined, configurable, score, that is added (step 33) to the overall score of the message.” –e.g. see, [0082]; see also [0084]; the message is treated as suspicious (step 35). For example, if the FuzzyHash compare score is above a predefined threshold the messages will be treated as similar or suspected similar.). 
Therefore, it would have been obvious to one of ordinary skill in the art before the filing date of the invention was made to modify the teaching of Higbee as taught by Benishti in order to provide a way to mitigate a phishing attach in particular when a message is altered and manipulated across different recipients to avoid signature and exact match comparison and detection as suggested by Benishti (para 3).

As to claim 6,  Higbee may not explicitly disclose further comprising: decomposing the electronic message into at least one header or header list, at least one body, and, if the electronic message comprises an attachment, at least one attachment; generating a header fingerprint for each at least one header or header list; parsing each at least one body; normalizing each at least one body; generating a body fingerprint for each parsed and normalized at least one body; generating, if the electronic message comprising an attachment, an attachment fingerprint for each at least one attachment; and aggregating each at least one header fingerprint, each at least one body fingerprint, and, if the electronic message comprises an attachment, each at least one attachment fingerprint, into a message fingerprint. 
attachments type name, signatures and any other metadata that is extractable from the structure of the message, its content and metadata (step 31); [0081] Creating signatures based on the above extracted features and properties (step 32a), for example, MD5/SHA 1 and CTPH (computing Context Triggered Piecewise Hashes such as FuzzyHash), the signatures can be set on any subset of the message features, for example, the CTPH signature can be created using the message subject and body.). 
Therefore, it would have been obvious to one of ordinary skill in the art before the filing date of the invention was made to modify the teaching of Higbee as taught by Benishti in order to provide a way to mitigate a phishing attach in particular when a message is altered and manipulated across different recipients to avoid signature and exact match comparison and detection as suggested by Benishti (para 3).
predefined threshold will be classified as malicious (e.g., a spear-phishing e-mail message) and will be controlled by the system (e.g., deleted/quarantined/disabled), …” –e.g. see, Benishti: [0066]). 

As to claim 8, the combination of Higbee and Benishti disclose wherein each at least one body comprises at least one of a uniform resource locator (URL), a text formatted body, and a binary formatted body, and wherein each attachment comprises at least one of a text formatted attachment and a binary formatted attachment (Benishti: “Extracting from the reported message features and properties such as sender name and address, message headers, message subject, body, links--name and address, attachments type name, signatures and any other metadata that is extractable from the structure of the message, its content and metadata (step 31);” –e.g. see, Benishti:[0080]). 

As to claim 9, the combination of Higbee and Benishti disclose wherein generating a header fingerprint for each at least one header or header list comprises at least one of: lexically analyzing each at least one header or header list, wherein lexically analyzing comprises at least one of identifying the number of each type of header or addresses or same attachments filename or signature (Hash or FuzzyHash), or any other feature similarity that might indicate that the messages are basically the same message with some changes. Each feature has a predefined, configurable, score, that is added (step 33) to the overall score of the message.” –Benishti: [0082]). 

As to claim 10, the combination of Higbee and Benishti disclose wherein parsing the at least one body comprises identifying and organizing components of each at least one body using syntactic and/or semantic analysis (Benishti: [0081; herein, the CTPH signature can be created using the message subject and body). 

As to claim 11, the combination of Higbee and Benishti disclose wherein normalizing the at least one body comprises at least one of normalizing white spaces, 

As to claim 12, the combination of Higbee and Benishti disclose wherein generating a body fingerprint for each parsed and normalized at least one body comprises: applying, for each URL, a URL hash algorithm to generate a URL body fingerprint for each URL; applying, for each text formatted body, a text body hash algorithm to generate a text body fingerprint for each text body; and applying, for each binary formatted body, a binary body hash algorithm to generate a binary body fingerprint for each binary formatted body (Benishti: [0081], herein, the signatures can be set on any subset of the message features, for example, the CTPH signature can be created using the message subject and body). 
As to claim 13, the combination of Higbee and Benishti disclose wherein the URL hash algorithm comprises a traditional hash, wherein the text body hash algorithm comprises a similarity hash, and wherein the binary body hash algorithm comprises a fuzzy hash (Benishti: [0081], herein, the signatures can be set on any subset of the 
As to claim 14, the combination of Higbee and Benishti disclose wherein generating an attachment fingerprint for each attachment comprises: applying, for each text formatted attachment, a text attachment hash algorithm to generate a text attachment fingerprint for each text attachment; and applying, for each binary formatted attachment, a binary attachment hash algorithm to generate a binary attachment fingerprint for each binary formatted attachment (Benishti: [0081], herein, the signatures can be set on any subset of the message features, for example, the CTPH signature can be created using the message subject and body).. 
As to claim 15, the combination of Higbee and Benishti disclose wherein the text attachment hash algorithm comprises a similarity hash, and wherein the binary attachment hash algorithm comprises a fuzzy hash (Benishti: [0081], herein, the signatures can be set on any subset of the message features, for example, the CTPH signature can be created using the message subject and body).. 
As to claim 16, the combination of Higbee and Benishti disclose wherein performing the threat analysis comprises: generating at least one of a raw view of the electronic message, a parsed view of the electronic message, and a browser view of the electronic message; analyzing at least part of the electronic message to collect threat status indicators; automatically generating the threat status of the electronic message in response to the threat status indicators; assigning a confidence level to the threat status of the electronic message; requesting manual generation of the threat status of the 
As to claim 17, the combination of Higbee and Benishti disclose wherein the raw view of the electronic message corresponds to the text of the electronic message before parsing and normalizing the at least one body, wherein the parsed view of the electronic message corresponds to a reordering of the electronic message into a consistent format after parsing and normalizing the at least one body, and wherein the browser view of the electronic message corresponding to an HTML view of the electronic message after parsing and normalizing the at least one body (Benishti: Fig. 3, [0081], [0082]; see also, Higbee: [0123]). 
As to claim 18, the combination of Higbee and Benishti disclose wherein analyzing at least part of the electronic message to collect threat status indicators comprises applying a plurality of rules in a rules database to at least part of the electronic message to identify whether each of the plurality of rules matches the at least part of the electronic message, the rules in the rules database previously assigned a rule threat status, each identified matching rule and each corresponding rule threat status corresponding to threat status indicators (Benishti: Fig. 3, [0081], [0082]; see also, Higbee: [0088], [0123]). 
As to claim 19, the combination of Higbee and Benishti disclose wherein analyzing at least part of the electronic message to collect threat status indicators comprises scanning the at least part of the electronic message to identify whether the at 

As to claim 20, the combination of Higbee and Benishti disclose wherein analyzing at least part of the electronic message to collect threat status indicators comprises: querying a URL threat database for the URL and URL threat status, for each URL in the electronic message to identify whether the at least one URL in the electronic message comprises at least one URL in the at least one URL threat database, each identified URL in the URL threat database and corresponding URL threat status corresponding to the threat status indicator for the URL threat database query (Benishti: [0082]: herein, Comparing the signatures and features to previous reports (step 33), and scoring the message based on features similarity, for example, same sending name or address, same origin SMTP server or same SMTP servers path, same links name and addresses or same attachments filename or signature (Hash or FuzzyHash)). 

As to claim 21, the combination of Higbee and Benishti disclose wherein analyzing at least part of the electronic message to collect threat status indicators comprises analyzing the at least one header for compliance with at least one rule for headers (Higbee: [0064]; herein, The reported messages are checked against rules 
As to claim 22, the combination of Higbee and Benishti disclose wherein the rule for headers comprises including no more than one message ID in an electronic message (Higbee: [0074]; herein, The network server can include a rules module for the creation, modification, and application of rules to the messages reported. The rules applied to the messages can identify textual or binary patterns in message data, such as the body, headers, or attachments of a message using wild-cards, case-insensitive strings, regular expressions, special operators, or other operations). 
As to claim 23, the combination of Higbee and Benishti disclose wherein analyzing at least part of the electronic message to collect threat status indicators comprises identifying a risky command or behavior within the electronic message (Benishti: [0083]; herein, Optional additional steps comprise scanning relevant properties (links/attachments/domains/IPs) using third party/external sources (step 32b), and adding the scan results to the message overall score (step 33b)). 
As to claim 24, the combination of Higbee and Benishti disclose wherein the risky command or behavior comprises executing code or a macro when a user opens the electronic message or one of the at least one attachments (Higbee: [0050]; herein, Non-limiting examples of suspicious purposes can be to solicit access credentials or other types of personal or confidential information, or to induce the recipient to execute malicious software provided by the message. The system can be configured to allow 
As to claim 25, the combination of Higbee and Benishti disclose wherein analyzing at least part of the electronic message to collect threat status indicators comprises a domain name service analysis comprising: extracting IP addresses, and domain names from headers, and URLs within the at least one part of the electronic message, resolving extracted domain names to IP addresses; for each domain name, identify a registration age, a domain name reputation, and an obfuscation, for each IP address, identify an IP address reputation and a geolocation; determine a domain name service threat status corresponding to the threat status indicator for the domain name service analysis (Higbee: [0122]; Benishti: [0026]). 
As to claim 26, the combination of Higbee and Benishti disclose wherein analyzing at least part of the electronic message to collect threat status indicators comprises comparing the message fingerprint with a plurality of fingerprints in a fingerprint database, the fingerprints in the fingerprint database previously assigned a fingerprint threat status, each identified matching fingerprint and each corresponding fingerprint threat status corresponding to threat status indicators, the type of match an exact match, an inclusive match, a similarity hash match, and/or a fuzzy hash match (Benishti: [0082], herein, Comparing the signatures and features to previous reports (step 33), and scoring the message based on features similarity, for example, same sending name or address, same origin SMTP server or same SMTP servers path, same links name and addresses or same attachments filename or signature (Hash or 
As to claim 27, the combination of Higbee and Benishti disclose wherein analyzing at least part of the electronic message to collect threat status indicators comprises: electronically communicating the electronic message to a security sandbox, the security sandbox a compartmentalized computing environment designed to isolate and monitor security flaws; activating the electronic message in the security sandbox; monitoring the activated electronic message for suspicious execution traits; identifying the suspicious execution traits in a database of known suspicious execution traits; and calculating a sandbox threat status indicator in response to the identified suspicious execution traits (Benishti: [0066], [0074]). 
As to claim 28, the combination of Higbee and Benishti disclose wherein requesting manual generation of the threat status of the electronic message comprises providing, for manual review, a heatmap of the aggregated fingerprint and the threat status indicators for the electronic message, the raw view of the electronic message, the parsed view of the electronic message, the browser view of the electronic message, and/or the threat status indicators (Higbee: [0066]; herein, The system can include a console module, which can also be referred to as a dashboard, portal, or by a similar label. The console module can display various administrator controls and options, as further described herein, as well as a list of suspicious messages submitted by users using the methods described herein). 

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SUMAN DEBNATH whose telephone number is (571)270-1256.  The examiner can normally be reached on Mon-Fri; 9:00am-5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


SUMAN DEBNATH

Art Unit 2495



/S.D/Examiner, Art Unit 2495                  

/FARID HOMAYOUNMEHR/Supervisory Patent Examiner, Art Unit 2495