DETAILED ACTION
Claims 1-26 are pending.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Priority
Applicant’s claim for the benefit of a prior-filed application under 35 U.S.C. 119(e) or under 35 U.S.C. 120, 121, 365(c), or 386(c) is acknowledged.

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 03/19/2019 and 03/17/2021 have been acknowledged and considered by the examiner.

Claim Objections
Claims 9, 20 and 21 are objected to because of the following informalities:  There is a grammatical error in the limitation.  In particular, the limitation recites “inform the recipient accordingly according to his/her pattern”.  The term “accordingly” should be removed.
Appropriate correction is required.

Claim Interpretation
Regarding claims 1, 3, 4, 8, 13, 15, 16 and 26, the claims recite alternative language, i.e. using the term “or”, and as such, the Examiner interprets certain features to not be required due 
	

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-26 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Regarding claims 1, 15 and 26, the limitation “synchronously examine the active content of the email in real time for potential malicious intent of a phishing attack when the recipient attempts to access the active content of the email” (emphasis added) is recited.  In other words, when a user tries to access the active content, the active content is examined.
However, further limitations recite “deliver the active content of the email to the recipient…” and “block the recipient from accessing the active content of the email…” (emphasis added).  It is unclear how the recipient is delivered the active content or is blocked from accessing the active content when the recipient previously “attempts to access the active content”.  In other words, in order to attempt to access the active content, the recipient would have already received the active content of the email.
active content” in the “deliver” and “block” limitations refers to content responsive to a user clicking a URL link and not the URL link itself.  However, according to the applicant’s specification, the active content is an embedded URL (see applicant’s specification; paragraph 0017).  As such, the claims are rendered indefinite.
For purposes of examination, the examiner interprets the active content as a URL link.

Dependent claims 2-14 and 16-25 include all the limitations of claims 1, 15 and 26 and, as such, are rejected using the same rationale discussed above.

The following is a quotation of 35 U.S.C. 112(d):
(d) REFERENCE IN DEPENDENT FORMS.—Subject to subsection (e), a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

The following is a quotation of pre-AIA 35 U.S.C. 112, fourth paragraph:
Subject to the following paragraph [i.e., the fifth paragraph of pre-AIA  35 U.S.C. 112], a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

Claim 21 is rejected under 35 U.S.C. 112(d) or pre-AIA 35 U.S.C. 112, 4th paragraph, as being of improper dependent form for failing to further limit the subject matter of the claim upon which it depends, or for failing to include all the limitations of the claim upon which it depends.
Claim 21 recites the limitation “determining the anti-phishing training exercise that the recipients needs to go through specific to his/her needs and inform the recipient accordingly according to his/her pattern of behavior to access to the malicious content”.  However, claim 20 recites the same limitation.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1, 2, 4-15 and 17-26 are rejected under 35 U.S.C. 103 as being unpatentable over Berman (U.S. 2007/0136806 A1) in view of Sadeh-Koniecpol et al. (U.S. 2014/0199663 A1) (applicant submitted prior art, see IDS filed 03/17/2021).
Regarding claims 1, 15 and 26, Berman discloses a system and method to support anti-phishing training using real attacks in real time, comprising:
a content filtering and interception engine (e.g. gateway server) running on a host and configured to intercept and detect an active content (URL) of an email arriving at a recipient’s email account within an entity or corporation (see Berman; paragraphs 0023 and 0045; Berman discloses blocking phishing at a point in a path of an email message from a sender to a recipient, i.e. “email account within an entity”.  When the email message reaches a gateway server, i.e. “intercept”, the URL within, i.e. “detect”, the email is replaced by another URL);
a security protection engine (phishing inspection utility) running on a host and configured to synchronously examine the active content (URL) of the email in real time for potential malicious intent of a phishing attack when the recipient attempts to access the active content (URL) of the email (see Berman; paragraphs 0022, 0046-0048 and 0050; Berman discloses a phishing inspection utility located remotely to an email client.  When a user clicks the URL hyperlink, i.e. “attempts to access the active content”, the URL is sent to the inspection utility where it searches, i.e. “examine”, the URL within a database.  The URL is searched in the phishing database only when, therefore “in real time”, the user activates the URL);
deliver the active content (URL) of the email to the recipient if the active content (URL) is determined to be safe for access by the recipient (see Berman; paragraph 0049; Berman discloses if the URL reference is not a phishing website the user’s browser is redirected to the original URL.  In other words, the URL is delivered to the user’s browser);
block the recipient from accessing the active content of the email if the active content is determined to be malicious to prevent the recipient from falling victim to the phishing attack (see 
re-direct the recipient to a safe blocking mechanism (warning) designed to alert the recipient of the phishing attack once the phishing attack is blocked (see Berman; paragraph 0049; Berman discloses when it is determined that the URL is a phishing web site and blocked, redirecting the user’s browser to a URL which displays a warning, i.e. “safe blocking mechanism”).
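The click-time flow attributed to Berman above (the gateway replaces the URL, the inspection utility looks it up when the recipient clicks, and the browser is redirected either to the original URL or to a warning) is sketched below as an added example; it is not code from Berman or from the application. The host names, the database contents and the HMAC tag that keeps a rewritten link from being altered are assumptions made for illustration.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed placeholders: inspection host, warning page and signing key.
INSPECT_BASE = "https://inspect.example.test/check"
WARNING_URL = "https://inspect.example.test/warning"
SIGNING_KEY = b"constructed-demo-key"

# Constructed phishing database, keyed by host name.
PHISHING_HOSTS = {"login.bank-example.test"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
TRAILING = ".,;:!?)"  # sentence punctuation that is not part of the URL


def url_tag(url: str) -> str:
    """HMAC over the original URL so the rewritten link cannot be altered."""
    return hmac.new(SIGNING_KEY, url.encode(), hashlib.sha256).hexdigest()


def find_urls(body: str) -> list:
    """Return every URL in a message body, without trailing punctuation."""
    return [m.group(0).rstrip(TRAILING) for m in URL_RE.finditer(body)]


def rewrite_email_body(body: str) -> str:
    """Gateway step: replace each URL with a link to the inspection utility."""
    def repl(match):
        raw = match.group(0)
        original = raw.rstrip(TRAILING)
        tail = raw[len(original):]
        if original.startswith(INSPECT_BASE):
            return raw  # already rewritten, leave untouched
        query = urlencode({"u": original, "t": url_tag(original)})
        return INSPECT_BASE + "?" + query + tail
    return URL_RE.sub(repl, body)


def handle_click(rewritten_url: str) -> tuple:
    """Click-time step: return (HTTP status, Location header value)."""
    query = parse_qs(urlsplit(rewritten_url).query)
    original = query.get("u", [""])[0]
    tag = query.get("t", [""])[0]
    expected = url_tag(original).encode()
    if not original or not hmac.compare_digest(tag.encode(), expected):
        return 400, ""  # refuse to act as an open redirector
    host = (urlsplit(original).hostname or "").lower()
    if host in PHISHING_HOSTS:
        return 302, WARNING_URL  # blocked: send the browser to the warning
    return 302, original  # safe: deliver the original URL


# Constructed sample message.
SAMPLE = (
    "Your invoice: https://portal.corp-example.test/invoice?id=7&x=1. "
    'Verify at <a href="http://login.bank-example.test/verify">here</a>'
)

if __name__ == "__main__":
    for link in find_urls(rewrite_email_body(SAMPLE)):
        print(handle_click(link))
```

Because the lookup runs on each click rather than at delivery, a host added to the database after the message was delivered is still blocked the next time the link is followed.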
While Berman discloses blocking a phishing attack, Berman does not explicitly disclose an anti-phishing training engine running on a host and configured to customize and provide an anti-phishing training exercise to the recipient, wherein content of the anti-phishing training exercise is specifically customized for the recipient based on the blocked phishing attack the recipient received in the email and/or the recipient’s security posture and awareness.
In analogous art, Sadeh-Koniecpol discloses an anti-phishing training engine running on a host (analysis host) and configured to customize and provide an anti-phishing training exercise (training intervention) to the recipient, wherein content of the anti-phishing training exercise (training intervention) is specifically customized for the recipient based on the blocked phishing attack the recipient received in the email and/or the recipient’s security posture and awareness (see Sadeh-Koniecpol; paragraphs 0043, 0049, 0064, 0067 and 0112; Sadeh-Koniecpol discloses training interventions are customizable based on relevant contextual information such as activities and behavior of a user.  Such as a user falling for phishing URLs.  Further, historical user training data, such as user proficiency which includes recorded instances where the user failed to conform to expected best practices or apply relevant knowledge, i.e. “recipient’s security posture and awareness”, is used in selection of the relevant training.  An analysis host recipient’s security posture and awareness” alternative).
One of ordinary skill in the art would have been motivated to combine Berman and Sadeh-Koniecpol because they both disclose features of cyber security, and as such, are within the same environment.
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to incorporate Sadeh-Koniecpol’s training intervention into the system of Berman in order to provide the benefit of helping to reduce future risk of threats users fall prey to (see Sadeh-Koniecpol; paragraphs 0034 and 0043).
Further, Berman discloses the additional limitations of claim 26, a non-transitory storage medium having software instructions (see Berman; paragraphs 0014 and 0015; Berman discloses the use of servers and a database, and as such, would necessarily include a non-transitory storage medium with software instructions.  Further, Sadeh-Koniecpol discloses a computer readable memory; see paragraph 0008).
Regarding claim 2, Berman and Sadeh-Koniecpol disclose all the limitations of claim 1, as discussed above, further the combination of Berman and Sadeh-Koniecpol clearly discloses the content filtering and interception engine and the security protection engine are positioned in a data path from which the active content of the email is to be consumed by the recipient so that the active content of the email is intercepted and examined before it is consumed by the recipient (see Berman; paragraphs 0022, 0023, 0045; Berman discloses the phishing inspection utility is the active content of the email is intercepted and examined before it is consumed by the recipient”).
Regarding claim 4, Berman and Sadeh-Koniecpol disclose all the limitations of claim 1, as discussed above, further the combination of Berman and Sadeh-Koniecpol clearly discloses the active content of the email is an embedded URL link directing to a website (see Berman; paragraph 0023; Berman discloses a URL reference within the email) or macros in an attached document to the email (see Sadeh-Koniecpol; paragraph 0060; Sadeh-Koniecpol discloses detecting attachments in emails) (The claim lists features in the alternative. While the claim lists a number of optional limitations, only one limitation from the list is required and needs to be met by the prior art. The Examiner has chosen both the “embedded URL” and “attached document” alternatives).
The prior art used in the rejection of the current claim is combined using the same motivations as was applied in claim 1.
Regarding claims 5 and 17, Berman and Sadeh-Koniecpol disclose all the limitations of claims 4 and 15, as discussed above, further the combination of Berman and Sadeh-Koniecpol clearly discloses the security protection engine is configured to determine if the URL link points to a fake website of an attacker (see Berman; paragraph 0049; Berman discloses testing the URL reference to determine if the URL is of a phishing web site, i.e. “fake website”).
Regarding claims 6 and 18, Berman and Sadeh-Koniecpol disclose all the limitations of claims 4 and 15, as discussed above, further the combination of Berman and Sadeh-Koniecpol clearly discloses the security protection engine is configured to determine if the attachment 
The prior art used in the rejection of the current claim is combined using the same motivations as was applied in claims 1 and 15. 
Regarding claims 7 and 19, Berman and Sadeh-Koniecpol disclose all the limitations of claims 1 and 15, as discussed above, further the combination of Berman and Sadeh-Koniecpol clearly discloses the security protection engine is configured to monitor and store information about the active content the recipient attempted to access into a user behavior database, wherein such information is used to establish a pattern of behavior of the recipient when the recipient faces a phishing attack (see Sadeh-Koniecpol; paragraphs 0062 and 0063; Sadeh-Koniecpol discloses the system analyzing sensor data, such as behavior data, to determine if a user took an unsafe action on a phishing message.  The user behavior data can be captured and recorded, i.e. “store information…into a user behavior database”.  The behavior data includes frequency associated with different types of events or situations and trends, i.e. “establish a pattern of behavior”).
The prior art used in the rejection of the current claim is combined using the same motivations as was applied in claims 1 and 15. 
Regarding claim 8, Berman and Sadeh-Koniecpol disclose all the limitations of claim 7, as discussed above, further the combination of Berman and Sadeh-Koniecpol clearly discloses the pattern of behavior of the recipient includes one or more of frequency of attempts by the recipient to access a malicious content (see Sadeh-Koniecpol; paragraph 0063; Sadeh-Koniecpol phishing attacks”), and severity of such phishing attacks (The claim lists features in the alternative. While the claim lists a number of optional limitations, only one limitation from the list is required and needs to be met by the prior art. The Examiner has chosen both the “frequency of attempts” and “types of phishing attacks” alternatives).
The prior art used in the rejection of the current claim is combined using the same motivations as was applied in claim 1.
Regarding claims 9, 20 and 21, Berman and Sadeh-Koniecpol disclose all the limitations of claims 7 and 19, as discussed above, further the combination of Berman and Sadeh-Koniecpol clearly discloses the security protection engine is configured to determine the anti-phishing training exercise (training intervention) that the recipients needs to go through specific (appropriate) to his/her needs and inform the recipient accordingly according to his/her pattern (trend) of behavior to access to the malicious content (see Sadeh-Koniecpol; paragraphs 0059, 0062, 0063 and 0114; Sadeh-Koniecpol discloses an SMS message or email message being used to deliver training, i.e. “inform the recipient”.  The system analyzes data, such as behavior data, which includes a trend of the user.  The system determines whether a need for training is indicated by a user action, e.g. behavior trend, selects a training intervention appropriate for the user action, and transmits the training intervention.  In other words, the system determines the appropriate intervention training for the user based on an action, e.g. behavior trend, of the user and informs the user of the selected training).

Regarding claim 10, Berman and Sadeh-Koniecpol disclose all the limitations of claim 9, as discussed above, further the combination of Berman and Sadeh-Koniecpol clearly discloses the anti-phishing training engine is configured to automatically determine if the recipient needs to be retrained with the same anti-phishing training exercise or elevated to a different training exercise based on the recipient’s behaviors, interactions, responses, during and/or after the anti-phishing training exercise (see Sadeh-Koniecpol; paragraphs 0064, 0083 and 0085; Sadeh-Koniecpol discloses historical user training data which includes how well the user responded when taking the training modules and recorded instances where the user failed to conform to expected best practices or apply relevant knowledge covered by the training system.  Through manual configuration or statistical analysis, i.e. “automatically determine”, maintenance and customization of training needs is done which includes updating and customizing individual training interventions by accessing the historical training data.  In other words, it is determined that the “recipient needs to be retrained” by the training being updated for the individual user in view of the data showing how well the user responded to the training and failing to conform to the expected best practices or apply the knowledge covered in the training.  Further, the system may provide recommendations for further training of the user, i.e. “elevated to a different training”) (The claim lists features in the alternative. While the claim lists a number of optional limitations, only one limitation from the list is required and needs to be met by the prior art. The Examiner has chosen the “retrained” and “elevated to a different training” alternatives).
The prior art used in the rejection of the current claim is combined using the same motivations as was applied in claim 1.
Regarding claims 11 and 22, Berman and Sadeh-Koniecpol disclose all the limitations of claims 1 and 15, as discussed above, further the combination of Berman and Sadeh-Koniecpol clearly discloses the security protection engine is configured to re-direct the recipient to a safe blocking mechanism designed to kick-in once the phishing attack is blocked and the recipient is prevented from falling victim to such attack (see Berman; paragraph 0049; Berman discloses when it is determined that the URL is a phishing web site and blocked, redirecting the user’s browser to a URL which displays a warning, i.e. “safe blocking mechanism”).
Regarding claims 12 and 23, Berman and Sadeh-Koniecpol disclose all the limitations of claims 1 and 15, as discussed above, further the combination of Berman and Sadeh-Koniecpol clearly discloses the anti-phishing training engine is configured to access and retrieve the recipient’s pattern of behavior of accessing malicious content in the past to determine the type of anti-phishing training exercise the recipient needs (see Sadeh-Koniecpol; paragraphs 0063, 0064, 0072 and 0112; Sadeh-Koniecpol discloses the system accessing storage comprising user behavior data which includes trends, historical user training data, as well as, training needs models to customize the training interventions).
The prior art used in the rejection of the current claim is combined using the same motivations as was applied in claims 1 and 15. 
Regarding claims 13 and 24, Berman and Sadeh-Koniecpol disclose all the limitations of claims 1 and 15, as discussed above, further the combination of Berman and Sadeh-Koniecpol clearly discloses the anti-phishing training engine is configured to interactively present the anti-phishing training exercise to the recipient via a user portal in formats that include one or more of audio (see Sadeh-Koniecpol; paragraph 0086; Sadeh-Koniecpol discloses training intervention in the format of audio), video (see Sadeh-Koniecpol; paragraph 0086; Sadeh-audio”, “video” and “human interactions” alternatives).
The prior art used in the rejection of the current claim is combined using the same motivations as was applied in claims 1 and 15.
Regarding claims 14 and 25, Berman and Sadeh-Koniecpol disclose all the limitations of claims 1 and 15, as discussed above, further the combination of Berman and Sadeh-Koniecpol clearly discloses the anti-phishing training engine is configured to record the recipient’s current security posture and awareness and/or the recipient’s training record in the training exercise for future training consideration for the recipient (see Sadeh-Koniecpol; paragraphs 0064, 0083, 0085, and 0087; Sadeh-Koniecpol discloses historical user training data that is used for customization, which includes updating training interventions.  The training interventions may include recommendations for further training, i.e. “future training”.  Further, user responses are recorded for later analysis and the historical user training data is stored, i.e. “record… recipient’s training record in the training exercise”) (The claim lists features in the alternative. While the claim lists a number of optional limitations, only one limitation from the list is required and needs to be met by the prior art. The Examiner has chosen the “record… recipient’s training record in the training exercise” alternative).
The prior art used in the rejection of the current claim is combined using the same motivations as was applied in claims 1 and 15.

Claims 3 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Berman (U.S. 2007/0136806 A1) in view of Sadeh-Koniecpol et al. (U.S. 2014/0199663 A1) (applicant submitted prior art, see IDS filed 03/17/2021), as applied to claim 1 above, and further in view of Chasin (U.S. 2005/0015626 A1).
Regarding claims 3 and 16, Berman and Sadeh-Koniecpol disclose all the limitations of claims 1 and 15, as discussed above, while Berman discloses content filtering and interception engine is configured to intercept the email (see Berman; paragraphs 0023 and 0045; Berman discloses blocking phishing at a point in a path of an email message from a sender thereof to a recipient, in which the email reaches a gateway server), as also discussed above, the combination of Berman and Sadeh-Koniecpol does not explicitly disclose the content filtering and interception engine is configured to intercept the email via either a proxy or a relay mechanism prescribed to a governing communication protocol.
In analogous art, Chasin discloses the content filtering and interception engine (handler) is configured to intercept the email via either a proxy or a relay mechanism prescribed to a governing communication protocol (see Chasin; paragraph 0031; Chasin discloses the handler 122 may take any useful form for accepting and otherwise handling e-mail messages, and in one embodiment, comprises a message transfer agent that creates a proxy gateway for inbound e-mail to the e-mail server or destination mail host 188 by accepting the incoming messages with the Simple Mail Transport Protocol (SMTP), e.g., is a SMTP proxy server) (The claim lists features in the alternative. While the claim lists a number of optional limitations, only one limitation from the list is required and needs to be met by the prior art. The Examiner has chosen the “proxy” alternative).

Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to incorporate Chasin’s proxy server into the combined system of Berman and Sadeh-Koniecpol in order to provide the benefit of scalability by allowing Berman’s gateway to be implemented as a proxy server which includes filters (see Chasin; paragraph 0031).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Manning Dawson (U.S. 2017/0237753 A1) discloses, as emails intended for recipient mailboxes in an email system arrive, examining the emails for web links to web pages included therein.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ADAM A COONEY whose telephone number is (571)270-5653.  The examiner can normally be reached on M-F 7:30am-5:00pm (every other Fri off).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/A.A.C/Examiner, Art Unit 2443, 07/28/2021

/RUPAL DHARIA/Supervisory Patent Examiner, Art Unit 2443