Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Priority
This application is a continuation-in-part of co-pending U.S. patent application Ser. No. 15/453,737 entitled MITIGATING COMMUNICATION RISK BY DETECTING SIMILARITY TO A TRUSTED MESSAGE CONTACT filed Mar. 8, 2017, which claims priority to U.S. Provisional Patent Application No. 62/399,821 entitled MITIGATING COMMUNICATION RISK filed Sep. 26, 2016, both of which are incorporated herein by reference for all purposes. This application claims priority to U.S. Provisional Patent Application No. 62/412,196 entitled ADDRESSING SOPHISTICATED COMMUNICATION ATTACKS filed Oct. 24, 2016, which is incorporated herein by reference for all purposes.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 02/17/2021 has been entered.
Information Disclosure Statement
The information disclosure statements (IDS) submitted on 03/19/2021 and 06/02/2021 were filed after the mailing date of the Final office action on 11/25/2020. The submission is in 
DETAILED ACTION
This office action is in response to a Request for Continued Examination (RCE) application received on 02/17/2021. In the RCE, applicant has amended claims 1, 4, 19 and 20. Claim 6 has been cancelled. Claims 3, 6 and 10-11 remain cancelled. Claims 23-24 have been added as new claims. 
For this office action, claims 1-2, 4-5, 7-9, and 12-24 have been received for consideration and have been examined. 
Response to Arguments
Claim Rejections – 35 U.S.C. § 112
	Applicant’s amendments to the independent claims have been reviewed by the examiner and appear to overcome the 112(a) issues; therefore, the examiner has withdrawn the 35 U.S.C. § 112(a) rejection in this office action.
	Applicant’s amendments to the second-to-last limitation of independent claims 1 and 19 have been reviewed by the examiner and appear to overcome the 112(b) issues; therefore, the examiner has withdrawn the 35 U.S.C. § 112(b) rejection pertaining to independent claims 1 and 19.
	However, after reviewing newly added claims 23 & 24, the examiner has issued a new 112(b) indefiniteness rejection. See office action for details.
Claim Rejection – 35 U.S.C. § 103
Applicant’s arguments, filed 02/17/2021, with respect to the rejections of claims under 35 U.S.C. § 103 have been fully considered and are persuasive. Therefore, the rejection has 

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


Dependent claims 23 and 24 are rejected under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor regards as the invention.
Independent claim 1 recites in first limitation “determining the initial risk based on scores associated with one or more of the following: trust, reputation, authenticity, and/or risk”.
Dependent claim 23 preamble recites “the method of claim 1, wherein the determining of the initial risk is based on scores associated with two or more of the following: trust, reputation, authenticity, and/or risk”.
Dependent claim 24 preamble recites “The method of claim 1, wherein the determining of the initial risk is based on scores associated with trust, reputation, authenticity, and risk”.
It is unclear how one of ordinary skill in the art before the effective filing date of the claimed invention would understand the way a system performs the method steps of claims 23 and 24 when the system has already performed the initial analysis of determining the initial risk of an electronic message based on only one factor out of trust, reputation, authenticity, and risk, and did not utilize more than one factor in determining the initial risk of an electronic message in the independent claim.
23 & 24, applicant is applying narrow initial risk factors after implementing broad initial risk factors as recited in independent claim 1. 
Therefore, it is unclear and confusing to one skilled in the art what the intended scope of the claims is and how to apply the claim language of dependent claims 23 & 24 when the system has already determined the initial risk of the electronic message by using only one factor as claimed in independent claim 1.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 5, 7, 9, 12, 14-15, 17-19 and 21-23 are rejected under 35 U.S.C. 103 as being unpatentable over O’Sullivan et al., (US20110061089A1) in view of Berman., .
Regarding claim 1, O’Sullivan discloses:
	A method, comprising:
using a processor to determine an initial risk of an electronic message, comprising:
determining the initial risk based on scores associated with one or more of the following: trust (see [0021] i.e. activities of the user), reputation, authenticity, and/or risk, wherein ([0021] an electronic system comprising an email system will be used … where it is desired to determine a security risk for a user based on the activities of the user and set a security policy for the user based on the security risk; [0022] According to embodiments of the present invention, when a user sends or receives a message, a server or system may scan the message, analyze the result of the scan, and use the analysis to help build a security score for the user.
Examiner Note: based on claim language, examiner has considered only one risk factor in order to determine initial risk score):
a score associated with the trust (see [0022] i.e. variables such as the number of confidential messages, a relationship of the user to persons that have a high security score is construed as score associated with trust) is determined based on a number of messages sent between an apparent sender and a recipient ([0022] when a user sends or receives a message, a server or system may scan the message, analyze the result of the scan, and use the analysis to help build a security score for the user. The score may be based on any of many different variables such as, for example, the number of confidential messages, a relationship of the user to persons that have a high security score, a linguistic analysis of the message, keyword matching, roll and level of the user within the organization, a degree of personal activity overlap of the user on company devices and/or time, etc. If a user contacts or has a relationship with a person that is an employee of the company, the employee may have a low security score. In contrast, if the person is employed by another company or a competitor, the person may have a high security score. Communications and relationships of the user with this person having a high security score increases the security score of the user);
determining a risk profile of an intended recipient of the electronic message based on a number of electronic messages received by the intended recipient, a reaction of the intended recipient to a received electronic message, or both ([0018] According to embodiments of the present invention, aggregated scoring is provided that allows a security policy for a user to be changed if the security risk of the user is deemed to have exceeded a predetermined level …  The security risk may be based on many different variables such as, for example, a rank of the user in the organization, who the user communicates with, patterns of behavior of the user, a number and level of confidential interactions of the user, etc; [0022] The score may be based on any of many different variables such as, for example, the number of confidential messages).
O’Sullivan fails to disclose:
based on the initial risk, determining whether to modify the electronic message; and in an event it is determined to modify the electronic message: modifying the electronic message, comprising: dynamically determining a modification to be made based at least in part on a first risk profile of the intended recipient or a second risk profile of the intended recipient; allowing 
However, Berman discloses:
	based on the initial risk, determining whether to modify the electronic message; and in an event it is determined to modify the electronic message: 
modifying the electronic message, comprising: dynamically determining a modification to be made (i.e. replacing an original URL reference of a hyperlink) based at least in part on a first risk profile of the intended recipient or a second risk profile of the intended recipient ([0023] the present invention is directed to a method for blocking phishing, the method comprising the steps of: at a point in a path of an email message from a sender thereof to a recipient thereof: replacing an original URL reference of a hyperlink within the email message with a URL reference of a phishing inspection utility); 
automatically performing the secondary computer security risk assessment of the electronic message ([0022] the present invention is directed to a method for blocking phishing, the method comprising the steps of: upon activating a hyperlink within an email message by a user's email client: sending an original URL reference of the hyperlink to a phishing inspection utility; testing the original URL reference by the phishing inspection utility for being a phishing URL);
[0015] Thus, during the phishing detection operation each URL within an email message is compared with the URLs of the black list, and if such URL is found within an email message, it can be removed from the email message and replaced by a URL which displays a warning, etc; [0022] the sending operation includes the steps of: replacing the original URL reference of the hyperlink with a URL reference of the phishing inspection utility; and setting the original URL reference as a parameter to the URL reference of the phishing inspection utility).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the references of O’Sullivan and include a phishing inspection utility to inspect and modify e-mail messages, as disclosed by Berman.
The motivation to inspect e-mail messages with the disclosed phishing inspection utility is to scan and detect malicious content in the e-mail messages and block potential phishing attempts (See Berman: [0021]).
The combination of O’Sullivan and Berman fails to disclose:
	allowing the modified electronic message to be delivered to the intended recipient of the electronic message; wherein the secondary computer security risk assessment includes an anti-virus test, a malware test, or both.
However, Liao discloses:
	allowing the modified electronic message (See FIG. 17 & [0036-0037]; i.e. insertion of script code into an email is equivalent to email modification) to be delivered to the intended recipient of the electronic message ([0036] FIG. 17 is an example of script code inserted into an e-mail message and then delivered to a user in an attachment; [0037] FIG. 18 is an example of script code inserted into an e-mail message and then delivered to a user via a corporate intranet; [0084] FIG. 17 shows an example of a phishing e-mail message that has been processed according to an embodiment of the present invention. In this example, a portion of the original phishing e-mail message along with the inserted script code has been placed into an attachment. The message shown indicates that a corporate computer has scanned the message, inserted code, and provided the message in an attachment).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the O’Sullivan and Berman references and have a message transfer agent (MTA) which modifies the potentially malicious email message before delivering it to the intended recipient, as disclosed by Liao.
	The motivation to have a message transfer agent (MTA) which modifies the potentially malicious email message before delivering it to the intended recipient is to prevent the malicious content from executing on the intended recipient's computer (See Liao: FIGS. 12-14).
The combination of O’Sullivan, Berman and Liao fails to disclose:
	wherein the secondary computer security risk assessment includes an anti-virus test, a malware test, or both.
However, McDougal discloses:
	wherein the secondary computer security risk assessment includes an anti-virus test, a malware test, or both ([0037] the malware analysis module 110 can perform a malware analysis on data from the carver module 122 and/or the file/context database 108. The malware analysis module 110 can receive data in a specified format, such as a sendmail queue format. The malware analysis module 110 can perform one or more of a signature analysis, a heuristic analysis, a behavioral analysis, and/or a hash analysis on the data received. Examiner’s note: signature analysis, a heuristic analysis, a behavioral analysis, and/or a hash analysis by malware analysis module is equivalent to performing risk assessment which includes an anti-virus test or a malware test).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the references of O’Sullivan, Berman and Liao and include a malware analysis module, as disclosed by McDougal.
	The motivation to include a malware analysis module is to extract network traffic and perform one or more of a signature analysis, a heuristic analysis, a behavioral analysis, and/or a hash analysis on the data received (See McDougal [0017]).
Regarding claim 2, the combination of O’Sullivan, Berman, Liao and McDougal discloses:
	The method of claim 1, wherein determining the initial risk of the electronic message includes determining whether the electronic message includes an attachment or a macro (Liao: [0057] At this point it is instructive to review the various types of phishing e-mail messages … A second type of phishing e-mail message includes a hostile attachment, and the body of the message attempts to trick the user into executing the attachment).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the O’Sullivan, Berman and McDougal references and have a message transfer agent (MTA) which modifies the potentially malicious email message before delivering it to the intended recipient, as disclosed by Liao.

Regarding claim 5, the combination of O’Sullivan, Berman, Liao and McDougal discloses:
The method of claim 1, wherein determining the initial risk of the electronic message includes determining whether the electronic message passes Sender Policy Framework (SPF) validation, passes DomainKeys Identified Mail (DKIM) validation, or has been sent from a trusted sender (McDougal: [0013] The context of a file is often left out of malware analysis consideration when using a passive approach to malware analysis. For example, consider an example in which the data stream is not copied and data that corresponds to data to be analyzed for malware is pulled out of the stream of network traffic. The context of the data in this example is often left out of the malware analysis because it is much simpler to just pull the content of the file and not pull the context data from the stream; [0014] Context data as used herein means data corresponding to a sender address, a recipient address, a send port/IP address, a receive port/IP address, a sender identity, a recipient identity, a time of transmission, a copy contact, a blind copy contact, a subject line content, a content of the message of the email, an author, time of creation, program used to create the content, attachment(s), server(s) involved in transmission, message identification (ID), domain key identified mail (DKIM) information, character set used, multipurpose internet mail extensions (MIME) information, or other context).

The motivation to include a malware analysis module is to extract network traffic and perform one or more of a signature analysis, a heuristic analysis, a behavioral analysis, and/or a hash analysis on the data received (See McDougal [0017]).
Regarding claim 7, the combination of O’Sullivan, Berman, Liao and McDougal discloses:
The method of claim 1, wherein determining to modify the electronic message includes determining that a potential security threat that required further analysis has been detected for the electronic message (Liao: [0058] In step 408, in one of the embodiment, the message is parsed or otherwise analyzed to determine whether the message is a potential phishing e-mail message. Step 408 is primarily used to judge if a message needs to the further processing).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the O’Sullivan, Berman and McDougal references and have a message transfer agent (MTA) which modifies the potentially malicious email message before delivering it to the intended recipient, as disclosed by Liao.
The motivation to have a message transfer agent (MTA) which modifies the potentially malicious email message before delivering it to the intended recipient is to prevent the malicious content from executing on the intended recipient's computer.
Regarding claim 9, the combination of O’Sullivan, Berman, Liao and McDougal discloses:
Liao: [0069] In step 430 of FIG. 10, the process begins by replacing the message body 506 of e-mail message 502 with new plain text 557 that provides a warning that a phishing scam might be underway, or an explanation regarding any modifications to the e-mail message that have been performed).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the O’Sullivan and Berman references and have a message transfer agent (MTA) which modifies the potentially malicious email message before delivering it to the intended recipient, as disclosed by Liao.
The motivation to have a message transfer agent (MTA) which modifies the potentially malicious email message before delivering it to the intended recipient is to prevent the malicious content from executing on the intended recipient's computer.
Regarding claim 12, the combination of O’Sullivan, Berman, Liao and McDougal discloses:
The method of claim 1, wherein allowing the modified electronic message to be delivered to the intended recipient of the electronic message includes allowing the intended recipient to access the modified electronic message in a message repository of the intended recipient prior to a completion of the secondary computer security risk assessment (Berman: [0045] At block 110, which takes place when an email message reaches an email server, a gateway server to a LAN, etc., or even to a user's computer, the URL references within the email message are replaced by a reference to a URL in which a phishing inspection utility operates. The original URL reference is placed as a parameter of the URL reference of the inspection utility; [0046] At block 120, which takes place after the user opens the email message, the user clicks the hyperlink; [0047] At block 130, the suspected URL reference is sent to the inspection utility; [0048] At block 140, the suspected URL reference is searched within a database of known phishing URL references; [0049] From block 150, if the tested URL reference is found in the database, the reference URL is of a phishing web site, and therefore the user's browser is redirected to a URL which displays a warning, etc. Otherwise, on block 170 the user's browser is redirected to the original URL).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the references of O’Sullivan and include a phishing inspection utility to inspect and modify e-mail messages, as disclosed by Berman.
The motivation to inspect e-mail messages with the disclosed phishing inspection utility is to scan and detect malicious content in the e-mail messages and block potential phishing attempts (See Berman: [0021]).
Regarding claim 14, the combination of O’Sullivan, Berman, Liao and McDougal discloses:
The method of claim 1, wherein performing the secondary computer security risk assessment is based on the determined initial risk (Liao: [0058] In step 408, in one of the embodiment, the message is parsed or otherwise analyzed to determine whether the message is a potential phishing e-mail message. Step 408 is primarily used to judge if a message needs to the further processing).

The motivation to have a message transfer agent (MTA) which modifies the potentially malicious email message before delivering it to the intended recipient is to prevent the malicious content from executing on the intended recipient's computer.
Regarding claim 15, the combination of O’Sullivan, Berman, Liao and McDougal discloses:
The method of claim 1, wherein performing the secondary computer security risk assessment includes performing a more computationally intensive analysis of content included in or referenced by the electronic message as compared to an analysis performed to determine the initial risk (McDougal: [0037] the malware analysis module 110 can perform a malware analysis on data from the carver module 122 and/or the file/context database 108. The malware analysis module 110 can receive data in a specified format, such as a sendmail queue format. The malware analysis module 110 can perform one or more of a signature analysis, a heuristic analysis, a behavioral analysis, and/or a hash analysis on the data received).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the references of O’Sullivan, Berman and Liao and include a malware analysis module, as disclosed by McDougal.

Regarding claim 17, the combination of O’Sullivan, Berman, Liao and McDougal discloses:
The method of claim 1, wherein updating the modified message based on the secondary computer security risk assessment includes determining whether a result of the secondary computer security risk assessment indicates a sufficient detected security threat for the electronic message, and in an event the result of the secondary computer security risk assessment does not indicate the sufficient detected security threat, allowing the intended recipient to fully access the electronic message without at least a portion of a modification made in the modified electronic message (Liao: [0060] If a link is not found, or if it is otherwise determined that the message is not a phishing e-mail message, then in step 412 it is determined that the message poses little risk of being a phishing e-mail message and in step 424 the original message (without modification) is delivered to the MTA or other indication is given indicating that the original message may be sent to the end user).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the O’Sullivan and Berman references and have a message transfer agent (MTA) which modifies the potentially malicious email message before delivering it to the intended recipient, as disclosed by Liao.

Regarding claim 18, the combination of O’Sullivan, Berman, Liao and McDougal discloses:
The method of claim 1, wherein updating the modified message based on the secondary computer security risk assessment includes determining whether a result of the secondary computer security risk assessment indicates a sufficient detected security threat for the electronic message, and in an event the result of the secondary computer security risk assessment does indicate the sufficient detected security threat, performing one or more of the following:
moving the modified message from a message inbox to another message folder; removing the modified message from a message inbox; modifying, removing or replacing at least one message attachment; modifying, removing or replacing at least one content location identifier; modifying, removing or replacing at least one contact identifier; and not allowing the intended recipient to fully access the electronic message (Liao: FIG. 13; [0072] In step 454, original message body in the form of an HTML document 506′ is transformed into an attachment 558 and is appended to modified message 502′. Thus as shown in FIG. 12, modified message 502′ includes as attachments 558 the modified original message 506′ (in HTML format) and any original attachments 540-546. Alternatively, HTML document 506′ can be stored on a web server as a file that can be later accessed by the end user. Or, HTML document 506′ can be stored into an end user's personal folder on the network for later access. And as mentioned previously, the HTML document can represent the original message body or the entire message including attachments).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the O’Sullivan and Berman references and have a message transfer agent (MTA) which modifies the potentially malicious email message before delivering it to the intended recipient, as disclosed by Liao.
The motivation to have a message transfer agent (MTA) which modifies the potentially malicious email message before delivering it to the intended recipient is to prevent the malicious content from executing on the intended recipient's computer.
Regarding claim 19, O’Sullivan discloses:
A system, comprising: a processor configured to:
determine an initial risk of an electronic message, comprising to:
determine the initial risk based on scores associated with one or more of the following: trust (see [0021] i.e. activities of the user), reputation, authenticity, and/or risk, wherein ([0021] an electronic system comprising an email system will be used … where it is desired to determine a security risk for a user based on the activities of the user and set a security policy for the user based on the security risk; [0022] According to embodiments of the present invention, when a user sends or receives a message, a server or system may scan the message, analyze the result of the scan, and use the analysis to help build a security score for the user.
Examiner Note: based on claim language, examiner has considered only one risk factor in order to determine initial risk score):
a score associated with the trust (see [0022] i.e. variables such as the number of confidential messages, a relationship of the user to persons that have a high security score is construed as score associated with trust) is determined based on a number of messages sent between an apparent sender and a recipient ([0022] when a user sends or receives a message, a server or system may scan the message, analyze the result of the scan, and use the analysis to help build a security score for the user. The score may be based on any of many different variables such as, for example, the number of confidential messages, a relationship of the user to persons that have a high security score, a linguistic analysis of the message, keyword matching, roll and level of the user within the organization, a degree of personal activity overlap of the user on company devices and/or time, etc. If a user contacts or has a relationship with a person that is an employee of the company, the employee may have a low security score. In contrast, if the person is employed by another company or a competitor, the person may have a high security score. Communications and relationships of the user with this person having a high security score increases the security score of the user);
determining a risk profile of an intended recipient of the electronic message based on a number of electronic messages received by the intended recipient, a reaction of the intended recipient to a received electronic message, or both ([0018] According to embodiments of the present invention, aggregated scoring is provided that allows a security policy for a user to be changed if the security risk of the user is deemed to have exceeded a predetermined level …  The security risk may be based on many different variables such as, for example, a rank of the user in the organization, who the user communicates with, patterns of behavior of the user, a number and level of confidential interactions of the user, etc; [0022] The score may be based on any of many different variables such as, for example, the number of confidential messages).
O’Sullivan fails to disclose:
based on the initial risk, determining whether to modify the electronic message; and in an event it is determined to modify the electronic message: modifying the electronic message, comprising: dynamically determining a modification to be made based at least in part on a first risk profile of the intended recipient or a second risk profile of the intended recipient; allowing the modified electronic message to be delivered to the intended recipient of the electronic message; automatically performing a secondary computer security risk assessment of the electronic message, wherein the secondary computer security risk assessment includes an anti-virus test, a malware test, or both; and based on the secondary computer security risk assessment, updating the modified message.
However, Berman discloses:
	based on the initial risk, determining whether to modify the electronic message; and in an event it is determined to modify the electronic message: 
modifying the electronic message, comprising: dynamically determining a modification to be made (i.e. replacing an original URL reference of a hyperlink) based at least in part on a first risk profile of the intended recipient or a second risk profile of the intended recipient ([0023] the present invention is directed to a method for blocking phishing, the method comprising the steps of: at a point in a path of an email message from a sender thereof to a recipient thereof: replacing an original URL reference of a hyperlink within the email message with a URL reference of a phishing inspection utility); 
automatically performing the secondary computer security risk assessment of the electronic message ([0022] the present invention is directed to a method for blocking phishing, the method comprising the steps of: upon activating a hyperlink within an email message by a user's email client: sending an original URL reference of the hyperlink to a phishing inspection utility; testing the original URL reference by the phishing inspection utility for being a phishing URL);
based on the secondary computer security risk assessment, updating the modified message ([0015] Thus, during the phishing detection operation each URL within an email message is compared with the URLs of the black list, and if such URL is found within an email message, it can be removed from the email message and replaced by a URL which displays a warning, etc; [0022] the sending operation includes the steps of: replacing the original URL reference of the hyperlink with a URL reference of the phishing inspection utility; and setting the original URL reference as a parameter to the URL reference of the phishing inspection utility).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the reference of O’Sullivan and include a phishing inspection utility to inspect and modify e-mail messages, as disclosed by Berman.
The motivation to inspect e-mail messages with the disclosed phishing inspection utility is to scan and detect malicious content in the e-mail messages and block potential phishing attempts (See Berman: [0021]).
The combination of O’Sullivan and Berman fails to disclose:

However, Liao discloses:
	allowing the modified electronic message (See FIG. 17 & [0036-0037]; i.e. insertion of script code into an email is equivalent to email modification) to be delivered to the intended recipient of the electronic message ([0036] FIG. 17 is an example of script code inserted into an e-mail message and then delivered to a user in an attachment; [0037] FIG. 18 is an example of script code inserted into an e-mail message and then delivered to a user via a corporate intranet; [0084] FIG. 17 shows an example of a phishing e-mail message that has been processed according to an embodiment of the present invention. In this example, a portion of the original phishing e-mail message along with the inserted script code has been placed into an attachment. The message shown indicates that a corporate computer has scanned the message, inserted code, and provided the message in an attachment).
	It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the O’Sullivan and Berman references and have a message transfer agent (MTA) which modifies the potentially malicious email message before delivering it to the intended recipient, as disclosed by Liao.
	The motivation to have a message transfer agent (MTA) which modifies the potentially malicious email message before delivering it to the intended recipient is to prevent the malicious content from executing on the intended recipient's computer.
The combination of O’Sullivan, Berman and Liao fails to disclose:

However, McDougal discloses:
	wherein the secondary computer security risk assessment includes an anti-virus test, a malware test, or both ([0037] the malware analysis module 110 can perform a malware analysis on data from the carver module 122 and/or the file/context database 108. The malware analysis module 110 can receive data in a specified format, such as a sendmail queue format. The malware analysis module 110 can perform one or more of a signature analysis, a heuristic analysis, a behavioral analysis, and/or a hash analysis on the data received. Examiner’s note: signature analysis, a heuristic analysis, a behavioral analysis, and/or a hash analysis by malware analysis module is equivalent to performing risk assessment which includes an anti-virus test or a malware test).
	It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the references of O’Sullivan, Berman and Liao and include a malware analysis module, as disclosed by McDougal.
	The motivation to include a malware analysis module is to extract network traffic and perform one or more of a signature analysis, a heuristic analysis, a behavioral analysis, and/or a hash analysis on the data received (See McDougal [0017]).
Regarding claim 21, the combination of O’Sullivan, Berman, Liao and McDougal discloses:
The method of claim 1, wherein determining the initial risk of the electronic message includes determining whether the electronic message includes a hyperlink to a content not known to be trusted (Berman: [0024] the present invention is directed to a system for blocking phishing of an email message to be displayed by an email client, comprising: a phishing inspection utility; a utility for sending a URL reference of an activated hyperlink of an email message to the phishing inspection utility instead of directing a browser to the URL).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the reference of O’Sullivan and include a phishing inspection utility to inspect and modify e-mail messages, as disclosed by Berman.
The motivation to inspect e-mail messages with the disclosed phishing inspection utility is to scan and detect malicious content in the e-mail messages and block potential phishing attempts (See Berman: [0021]).
Regarding claim 22, the combination of O’Sullivan, Berman, Liao and McDougal discloses:
The method of claim 1, wherein modifying the electronic message includes replacing a hyperlink or an attachment included in the message with a proxy hyperlink (Berman: [0022] According to a preferred embodiment of the invention, the sending operation includes the steps of: replacing the original URL reference of the hyperlink with a URL reference of the phishing inspection utility; [0023] the present invention is directed to a method for blocking phishing, the method comprising the steps of: at a point in a path of an email message from a sender thereof to a recipient thereof: replacing an original URL reference of a hyperlink within the email message with a URL reference of a phishing inspection utility).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the reference of O’Sullivan and include a phishing inspection utility to inspect and modify e-mail messages, as disclosed by Berman.
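
The link-rewriting flow quoted above from Berman ([0015], [0022], [0023]) and relied on again for claim 22, shown as an added Python example; it is not code from Berman, the other cited references, or the application. The inspection URL, the `u` and `sig` parameter names, the black-list entry and the key are assumptions, and the HMAC over the original URL is an added hardening (not in the cited paragraphs) so that the inspection utility only handles links the gateway itself rewrote.

```python
import hashlib
import hmac
import re
from html import escape, unescape
from urllib.parse import parse_qs, urlencode, urlsplit

# Every value below is constructed for illustration.
INSPECTOR = "https://inspect.example.invalid/check"      # hypothetical inspection utility
WARNING_URL = "https://inspect.example.invalid/warning"  # hypothetical warning page
BLOCKLIST = {"bad-bank.example"}                         # hypothetical black list
KEY = b"gateway-demo-key"                                # placeholder secret

# href attribute of an anchor tag, with either quote style
HREF_RE = re.compile(r'(<a\b[^>]*?\shref\s*=\s*)(["\'])(.*?)\2', re.I | re.S)


def _tag(url):
    """HMAC over the original URL (added hardening, see lead-in)."""
    return hmac.new(KEY, url.encode("utf-8"), hashlib.sha256).hexdigest()


def _scheme_host(url):
    """Return (scheme, host) in lower case, or ('', '') if the URL does not parse."""
    try:
        parts = urlsplit(url)
        return parts.scheme.lower(), (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return "", ""


def rewrite_links(html_body):
    """Gateway step: point each http(s) link at the inspection utility and
    carry the original URL as a parameter."""
    def repl(match):
        original = unescape(match.group(3))
        scheme, _ = _scheme_host(original)
        if scheme not in ("http", "https"):
            return match.group(0)            # mailto:, tel:, etc. stay as they are
        if original.startswith(INSPECTOR + "?"):
            return match.group(0)            # already rewritten
        query = urlencode({"u": original, "sig": _tag(original)})
        proxied = escape(INSPECTOR + "?" + query, quote=True)
        return match.group(1) + match.group(2) + proxied + match.group(2)
    return HREF_RE.sub(repl, html_body)


def extract_hrefs(html_body):
    """Anchor targets as a mail client would see them (entities decoded)."""
    return [unescape(m.group(3)) for m in HREF_RE.finditer(html_body)]


def inspect_click(proxied_url):
    """Click-time step: recover the original URL, test it, and return
    ('allow', original_url) or ('warn', WARNING_URL)."""
    query = parse_qs(urlsplit(proxied_url).query)
    urls, sigs = query.get("u", []), query.get("sig", [])
    if len(urls) != 1 or len(sigs) != 1:
        return ("warn", WARNING_URL)
    original = urls[0]
    if not hmac.compare_digest(_tag(original).encode(), sigs[0].encode()):
        return ("warn", WARNING_URL)         # parameter was not produced by the gateway
    scheme, host = _scheme_host(original)
    if scheme not in ("http", "https") or not host:
        return ("warn", WARNING_URL)
    if any(host == bad or host.endswith("." + bad) for bad in BLOCKLIST):
        return ("warn", WARNING_URL)         # black-listed: show the warning instead
    return ("allow", original)


# Constructed message body: one black-listed link, one benign link, one mailto link.
SAMPLE = (
    '<p>Please <a href="http://login.bad-bank.example/verify?id=1&amp;x=2">confirm</a>, '
    "see <a class=\"ref\" href='https://intranet.example.org/wiki?page=a&amp;rev=2'>wiki</a> "
    'or <a href="mailto:helpdesk@example.org">write to us</a>.</p>'
)

if __name__ == "__main__":
    delivered = rewrite_links(SAMPLE)
    for link in extract_hrefs(delivered):
        if link.startswith(INSPECTOR):
            print(inspect_click(link))
```
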

Regarding claim 23, the combination of O’Sullivan, Berman, Liao and McDougal discloses:
The method of claim 1, wherein the determining of the initial risk is based on scores associated with two or more of the following: trust, reputation, authenticity, and/or risk, wherein: 
a score associated with the trust is determined based on a number of messages sent between an apparent sender and a recipient (O’Sullivan: [0018] According to embodiments of the present invention, aggregated scoring is provided that allows a security policy for a user to be changed if the security risk of the user is deemed to have exceeded a predetermined level …  The security risk may be based on many different variables such as, for example, a rank of the user in the organization, who the user communicates with, patterns of behavior of the user, a number and level of confidential interactions of the user, etc; [0022] The score may be based on any of many different variables such as, for example, the number of confidential message); 
a score associated with the authenticity is determined based on whether the electronic message has a valid digital signature (Liao: [0010] Companies who are vulnerable to phishing attacks would send their e-mail messages with a digital signature attached. If a message arrives for a user that is either not signed or the signature cannot be verified, the user would know that it is not a genuine message from the sending bank or e-commerce provider. The digitally signed e-mail with gateway verification approach uses the S/MIME standard for e-mail that is widely available today. Instead of relying on the end user's e-mail client to verify the signature on the message, a gateway server at the mail relay level would verify the signatures before they were even received by the receiver's e-mail server).  
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the O’Sullivan and Berman references and have a message transfer agent (MTA) which modifies the potentially malicious email message before delivering it to the intended recipient, as disclosed by Liao.
The motivation to have a message transfer agent (MTA) which modifies the potentially malicious email message before delivering it to the intended recipient is to prevent the malicious content from executing on the intended recipient's computer.

Claims 4, 8, 16 and 24 are rejected under 35 U.S.C. 103 as being unpatentable over O’Sullivan et al., (US20110061089A1) in view of Berman, (US20070136806A1) in view of Liao et al., (US20060101334A1) in view of McDougal et al., (US20160269437A1) and further in view of Emigh et al., (US20150288714A1).
Regarding claim 4, the combination of O’Sullivan, Berman, Liao and McDougal fails to disclose:
The method of claim 1, wherein determining the initial risk of the electronic message includes determining whether a sender of the electronic message is a trusted sender.
However, Emigh discloses:
(Abstract: techniques for computer security comprise receiving an email message; determining a sender of the email message; determining whether the sender of the email message is trusted, wherein determining whether the sender of the email message is trusted includes determining whether the sender of the email message is associated with a whitelist; retrieving domain-related information by performing a DNS query on a domain associated with the sender; based at least in part on the domain-related information, determining whether the sender of the email message is verified; determining whether the sender is both trusted and verified; [0125] An analysis may be performed to determine the trustworthiness of the document (1702). One example of an analysis is a spam analysis, for example a determination of how likely a message is to be spam … Another example of an analysis is a determination of whether a message was sent by a verified sender).
	It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the references of O’Sullivan, Berman, Liao and McDougal so that determining the initial risk of the electronic message includes determining whether the sender of the electronic message is to be trusted or not, as taught by Emigh.
	The motivation to check the sender of the electronic message is to reduce the deceptiveness of electronic interaction, and to protect legitimate communications (See Emigh: [0002]).
Regarding claim 8, the combination of O’Sullivan, Berman, Liao and McDougal fails to disclose:
The method of claim 1, wherein the determination of whether to modify the electronic message is made based on one or more comparisons of one or more scores calculated during an initial analysis with one or more corresponding threshold values.
However, Emigh discloses:
	wherein the determination of whether to modify the electronic message is made based on one or more comparisons of one or more scores calculated during an initial analysis with one or more corresponding threshold values ([0064] The suspicion level may be compared with a threshold (216). In some embodiments, a comparison may be performed after calculating a suspicion level. An example of calculating a suspicion level is to scoreboard one or more factors enumerated in an enumeration-based suspicion level).
	It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the references of O’Sullivan, Berman, Liao and McDougal so that determining the initial risk of the electronic message includes determining whether the sender of the electronic message is to be trusted or not, as taught by Emigh.
	The motivation to check the sender of the electronic message is to reduce the deceptiveness of electronic interaction, and to protect legitimate communications (See Emigh: [0002]).
Regarding claim 16, the combination of O’Sullivan, Berman, Liao and McDougal fails to disclose:
The method of claim 1, wherein performing the secondary computer security risk assessment includes automatically generating a security inquiry and sending the security inquiry to a sender of the electronic message.
However, Emigh discloses:
	wherein performing the secondary computer security risk assessment includes automatically generating a security inquiry and sending the security inquiry to a sender of the electronic message ([0128] Examples of sender verification include presence of a digital signature demonstrating an identity matching the stated identity of the sender, proof that the sender is a preferred sender by reason of membership in an organization that is trusted to certify trustworthy senders, message transmission via a secure protocol that authenticates the sender, a digital signature proving that a message originated with the domain that is shown as its originator (such as Domain Keys), and validation by a technique such as SPF, Sender-ID or Caller ID for Email, which ensures that transmitting servers are authorized to handle messages from the address for which they are distributing a message). 
	It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the references of O’Sullivan, Berman, Liao and McDougal so that determining the initial risk of the electronic message includes determining whether the sender of the electronic message is to be trusted or not, as taught by Emigh.
See Emigh: [0002]).
Regarding claim 24, O’Sullivan discloses:
The method of claim 1, wherein the determining of the initial risk is based on scores associated with trust, reputation, authenticity, and risk, wherein:
a score associated with the trust is determined based on a number of messages sent between an apparent sender and a recipient (O’Sullivan: [0018] aggregated scoring is provided that allows a security policy for a user to be changed if the security risk of the user is deemed to have exceeded a predetermined level. In embodiments according to the present invention, a security policy may be modified, for example, to change password strength, a frequency of virus scans, a window for applying patches, to require that a laptop must remain on site, a sleep time between interactions, etc. The security risk may be based on many different variables such as, for example, a rank of the user in the organization, who the user communicates with, patterns of behavior of the user, a number and level of confidential interactions of the user, etc.).
O’Sullivan fails to disclose:
	a score associated with the reputation is determined based on an extent to which a sender is recognized based on historical traffic; a score associated with the authenticity is determined based on an analysis of a header of the electronic message, determining whether an originating server is associated with an IP address that has been previously utilized by a sender of the electronic message, whether the electronic message has a valid digital signature, 
However, Emigh discloses: 
a score associated with the reputation is determined based on an extent to which a sender is recognized based on historical traffic (Emigh: [0065] The illustrated enumeration of penalty factors is not exhaustive, and factors may be omitted and/or added in various embodiments. In addition to penalty factors, positive factors may be incorporated to effectively decrease the suspicion level of a URL prior to comparison to a suspicion threshold. For example, if a URL is contained in a message associated with a sender that has been authenticated, then an authentication factor may be incorporated into the suspicion level prior to comparing to a threshold. An example of incorporating an authentication factor into a suspicion level is to subtract it from a numeric suspicion level).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the references of O’Sullivan, Berman, Liao and McDougal and determine the initial risk of the electronic message includes 
	The motivation to check the sender of the electronic message is to reduce the deceptiveness of electronic interaction, and to protect legitimate communications (See Emigh: [0002]).
The combination of O’Sullivan and Emigh fails to disclose:
a score associated with the authenticity is determined based on an analysis of a header of the electronic message, determining whether an originating server is associated with an IP address that has been previously utilized by a sender of the electronic message, whether the electronic message has a valid digital signature, or any combination thereof; and a score associated with the risk is determined based on a heuristically computed score that depends on whether a sender has a Domain-based Message Authentication, Reporting & Conformance (DMARC) reject policy, whether message contents of the electronic message includes a uniform resource locator (URL), whether message contents of the electronic message include a potentially executable attachment, whether message contents of the electronic message include keywords associated with high risk, or any combination thereof.
However, Liao discloses:
a score associated with the authenticity is determined based on an analysis of a header of the electronic message, determining whether an originating server is associated with an IP address that has been previously utilized by a sender of the electronic message, whether the electronic message has a valid digital signature, or any combination thereof (Liao: [0010] Companies who are vulnerable to phishing attacks would send their e-mail messages with a digital signature attached. If a message arrives for a user that is either not signed or the signature cannot be verified, the user would know that it is not a genuine message from the sending bank or e-commerce provider. The digitally signed e-mail with gateway verification approach uses the S/MIME standard for e-mail that is widely available today. Instead of relying on the end user's e-mail client to verify the signature on the message, a gateway server at the mail relay level would verify the signatures before they were even received by the receiver's e-mail server).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the O’Sullivan and Berman references and have a message transfer agent (MTA) which modifies the potentially malicious email message before delivering it to the intended recipient, as disclosed by Liao.
	The motivation to have a message transfer agent (MTA) which modifies the potentially malicious email message before delivering it to the intended recipient is to prevent the malicious content from executing on the intended recipient's computer.
The combination of O’Sullivan, Emigh and Liao fails to disclose:
a score associated with the risk is determined based on a heuristically computed score that depends on whether a sender has a Domain-based Message Authentication, Reporting & Conformance (DMARC) reject policy, whether message contents of the electronic message includes a uniform resource locator (URL), whether message contents of the electronic message 
However, McDougal discloses:
a score associated with the risk is determined based on a heuristically computed score that depends on whether a sender has a Domain-based Message Authentication, Reporting & Conformance (DMARC) reject policy, whether message contents of the electronic message includes a uniform resource locator (URL), whether message contents of the electronic message include a potentially executable attachment, whether message contents of the electronic message include keywords associated with high risk, or any combination thereof (McDougal: [0068] Example 2 can include or use, or can optionally be combined with the subject matter of Example 1, to include or use, wherein the specified property is data indicating that the application layer data traffic is one or more of electronic mail (email) traffic that includes an attachment, a file, and an executable).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the references of O’Sullivan, Berman and Liao and include a malware analysis module, as disclosed by McDougal.
The motivation to include a malware analysis module is to extract network traffic and perform one or more of a signature analysis, a heuristic analysis, a behavioral analysis, and/or a hash analysis on the data received (See McDougal [0017]).

Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over O’Sullivan et al., (US20110061089A1) in view of Berman, (US20070136806A1) in view of Liao et al., (US20060101334A1) in view of McDougal et al., (US20160269437A1) and further in view of Vaidya et al., (US7797752B1).
Regarding claim 13, the combination of O’Sullivan, Berman, Liao and McDougal fails to disclose:
The method of claim 1, wherein the secondary computer security risk assessment is held and not performed until a resource availability criteria has been met.
However, Vaidya discloses:
	wherein the secondary computer security risk assessment is held and not performed until a resource availability criteria has been met (Col. 8, Lines 47-59; the periodic scanner has a variable scanning interval. The interval, in one embodiment, has a default setting of XXX. However, an administrator may alter the interval. In one embodiment, a user may also alter the interval for scanning. In one embodiment, the interval for scanning defines a “next scan” based the “date and time of last scan” information. In one embodiment, the “next scan” is defined as a date and time. When the date and time is reached, the periodic scanner is automatically initiated. In one embodiment, the periodic scanner may be delayed temporarily by a user, for example if the user is in the middle of a complex process, and needs the processing power otherwise diverted to the scanner. Once the scan is initiated, the process described above is followed).
	It would have been obvious to one of ordinary skill in the art at the time of the invention to modify the references of O’Sullivan, Berman, Liao and McDougal, to provide wherein the 
	The motivation to check hyperlinks in an email message is to provide a more secure system and to protect users from malicious electronic messages.

Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over McDougal et al., (US20160269437A1) in view of Cohen et al., (US20100235636A1) and further in view of O’Sullivan et al., (US20110061089A1).
Regarding claim 20, McDougal discloses:
	A method, comprising:
identifying that an electronic message includes an encrypted message content item ([0030] The decrypt module 128 can decrypt data, such as SSL or TLS data, such as to help determine if the traffic includes a specified property which is being monitored by the detect module 130. The decrypt module 128 can determine if data is encrypted and a type of encryption of the data);
analyzing a computer security threat of the encrypted message content item prior to allowing the user access to decrypted content of the encrypted message content item ([0044] The network data from the client 104B is copied by the copy module 126, decrypted by the decrypt module 128 (if necessary), and analyzed by the detect module 130 before forwarding to the client 104B, gateway 102, or the client 104A. If the detect module 130 identifies that the network traffic data includes a specified property, that data corresponding to the property can be removed from the network data stream without being forwarded to the client 104A-B);
McDougal fails to disclose:
generating a wrapped version of the encrypted message content item and modifying the electronic message to include the wrapped version of the encrypted message content item instead of the original encrypted message content item; and allowing the electronic message with the wrapped version of the encrypted message content item to be delivered; wherein, in response to a user attempting to access content of the wrapped version of the encrypted message content item, the user is provided a request for a decryption password by a wrapper program of the wrapped version and the decryption password is utilized. 
However, Cohen discloses:
	generating a wrapped version of the encrypted message content item and modifying the electronic message to include the wrapped version of the encrypted message content item instead of the original encrypted message content item; and allowing the electronic message with the wrapped version of the encrypted message content item to be delivered ([0050] FIG. 2 is a flowchart illustrating the method of transmitting and accessing enhanced content for correct rendering by the recipient system; [0058] The method, comprises transforming (step b) the electronic message including the embedded instructions 24 into transformed content, i.e. data 26, essentially alphanumeric text. The transforming may include encrypting, encoding or compressing); 
	wherein, in response to a user attempting to access content of the wrapped version of the encrypted message content item, the user is provided a request for a decryption password ([0059] the recipient may be prompted (step f) to supply a password or decryption key to effect the transformation. Furthermore, the received data may be validated (step e) by checking the internal integrity of the embedded instructions 24, or by checking a digital signature of the message 14, or the received data 26).
	It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the reference of McDougal and include the method of encrypting the attachment in the message either with a user-supplied password or decryption key, as disclosed by Cohen.
	The motivation to combine the two references is to be able to identify a security threat in the email attachment and prevent the distribution of the encrypted malicious content in the email.
The combination of McDougal and Cohen fails to disclose:
	determining the initial risk based on scores associated with one or more of the following: trust, reputation, authenticity, and/or risk, wherein a score associated with the trust; determining a risk profile of an intended recipient of the electronic message based on a number of electronic messages received by the intended recipient, a reaction of the intended recipient to a received electronic message, or both
However, O’Sullivan discloses:
	determining the initial risk based on scores associated with one or more of the following: trust (see [0021] i.e. activities of the user), reputation, authenticity, and/or risk, wherein ([0021] an electronic system comprising an email system will be used … where it is desired to determine a security risk for a user based on the activities of the user and set a security policy for the user based on the security risk; [0022] According to embodiments of the present invention, when a user sends or receives a message, a server or system may scan the message, analyze the result of the scan, and use the analysis to help build a security score for the user.
Examiner Note: based on claim language, examiner has considered only one risk factor in order to determine initial risk score):
a score associated with the trust (see [0022] i.e. variables such as the number of confidential messages, a relationship of the user to persons that have a high security score is construed as score associated with trust) is determined based on a number of messages sent between an apparent sender and a recipient ([0022] when a user sends or receives a message, a server or system may scan the message, analyze the result of the scan, and use the analysis to help build a security score for the user. The score may be based on any of many different variables such as, for example, the number of confidential messages, a relationship of the user to persons that have a high security score, a linguistic analysis of the message, keyword matching, roll and level of the user within the organization, a degree of personal activity overlap of the user on company devices and/or time, etc. If a user contacts or has a relationship with a person that is an employee of the company, the employee may have a low security score. In contrast, if the person is employed by another company or a competitor, the person may have a high security score. Communications and relationships of the user with this person having a high security score increases the security score of the user);
a number of electronic messages received by the intended recipient, a reaction of the intended recipient to a received electronic message, or both ([0018] According to embodiments of the present invention, aggregated scoring is provided that allows a security policy for a user to be changed if the security risk of the user is deemed to have exceeded a predetermined level …  The security risk may be based on many different variables such as, for example, a rank of the user in the organization, who the user communicates with, patterns of behavior of the user, a number and level of confidential interactions of the user, etc; [0022] The score may be based on any of many different variables such as, for example, the number of confidential messages).
	It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the McDougal and Cohen references and include a system and method to determine a security risk for the user of an email system based on predetermined security policies, as disclosed by O’Sullivan.
	The motivation to determine a security risk for the user of an email system based on predetermined security policies is to protect the email user from falling prey to malicious emails (See O’Sullivan: Abstract).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SYED M AHSAN whose telephone number is (571)272-5018.  The examiner can normally be reached on 8:30 AM - 6:00 PM.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffery L. Nickerson can be reached on 469-295-9235.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/S.M.A./Patent Examiner, Art Unit 2432
/SYED A ZAIDI/Primary Examiner, Art Unit 2432