DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claims 1-20 have been examined and are pending.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 08/13/2020 was filed.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.
Claim Objections
Claims 1, 3, 6, 8, 10, 17, and 19 are objected to because of the following informalities:  
Claim 1, lines 8 and 10: suggest use of “when” versus “if” to positively recite.
Claim 3, line 1: suggest use of “when” versus “if” to positively recite.
Claim 6, line 1: suggest use of “when” versus “if” to positively recite.
Claim 8, lines 2-3 and 5: suggest use of “when” versus “if” to positively recite.
Claim 10, lines 9 and 11: : suggest use of “when” versus “if” to positively recite.
Claim 17, lines 3-4 and 6: suggest use of “when” versus “if” to positively recite.
Claim 19, lines 9 and 11: suggest use of “when” versus “if” to positively recite.  Appropriate correction is required.
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any 
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

Claim(s) 1-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Higbee et al, hereinafter (“Higbee”), US PG Publication (2018/0191754 A1), was submitted in 08/13/2020 IDS.
Regarding claims 1, 10 and 19, Higbee teaches a computer implemented method for classifying and mitigating security threats in a digital communication network, the method comprising; a system for classifying and mitigating security threats in digital communication networks, the system comprising; and a method for training users to classify and mitigate security threats in a digital communication network, the method comprising: 
receiving a digital communication from a user, wherein the digital communication has been identified as suspicious by the user; [Higbee, ¶0034: the systems and methods described herein can be used to raise the acuity of the individual in identifying phishing attack messages and provide a means for identifying and reporting those messages so that remedial action can be taken with reduced time between arrival of the attack message and the remedial action. ¶0055: When a message is received on a computing device of an individual, the user may report the message as a possible phishing attack. When reported, a network server device then receives a notification indicating that the one or more users has reported the message as a possible phishing attack.]
parsing the digital communication to identify at least one content indicator; [Higbee, ¶0035: For messages that are not simulated phishing messages, the message or the source of the message can be assigned a credibility score similar to the reputation score of users of the system. ¶0069: reported messages are received at the network server. The reported messages are checked against rules stored in the system. The rules can be written for YARA or another tool that enables determining whether message or attachment data contains defined textual or binary patterns (e.g. regex parsing, etc). ¶0103: As a message meets specific reporting thresholds, the rules module can be automatically implemented or an administrator can implement the rules upon review. This can include extraction of header information, content information or any other information that the management console module is capable of extracting.]
performing at least one processing activity based on the at least one content indicator, wherein performance of the at least one processing activity generates an output; [Higbee, ¶0094: Further processing can be used to determine whether the message is malicious. Rules can be used to determine whether a reported message is suspicious or malicious. As non-limiting examples, maliciousness may be determined based on any URLs in the message, the content of the site at the URL, or an attachment to the message. ¶0159: The threat information derived from messages can be provided, by an API or other means, such as but not limited to an Indicator of Compromise (IOC), to a sandbox 1810, Aresight™, Splunk™, SIEM, or a logging system. As non-limiting examples of the further processing that may be performed by the network security device, sandboxing systems can be used to evaluate artifacts, such as attachments and hashes, domains and URL analysis (sandboxing), and virus data lookups (VirusTotal™).] 
determining if the digital communication comprises malicious content based on the output generated by the at least one processing activity; [Higbee, ¶0094: Rules can be used to determine whether a reported message is suspicious or malicious. As non-limiting examples, maliciousness may be determined based on any URLs in the message, the content of the site at the URL, or an attachment to the message. ¶0110: the system provides the predefined categories: Phishing Simulation (i.e. the report contains email sent by the system during a simulated phishing campaign), Non-Malicious (i.e. the report contains safe, solicited email; internal email; or misreported email), Spam (i.e. the report contains unsolicited emails), Crimeware (i.e. the report contains malicious, mass-targeted malware), and Advanced Threats] and 
performing at least one mitigation activity if the digital communication comprises malicious content. [Higbee, ¶0059: the system at the client computing device can move the reported message to a “Deleted Items” or “Junk” folder, or apply a corresponding deleted or junk label, or take no action with respect to moving the message. ¶0060: If the message is determined not to be a phishing message, it is returned to a normal accessible status. If it is determined to be a phishing message, then the message can be deleted or moved into “Junk” folder or such action be taken. ¶0160: URLs identified using rules, recipes, or by manual identification can be provided to a network security device, such as a firewall, to enable blocking of those URLs.]
Regarding claims 2 and 11, Higbee teaches claim 1 as described above.
Higbee teaches standardizing the output generated by the at least one processing activity. [Higbee, ¶¶0143, 0153, and 0159: clusters of messages can be assigned and/or categorized accordingly. ¶0181: (inter)process communications support standards, protocols, or technologies.]

Regarding claims 3 and 12, Higbee teaches claim 1 as described above.
Higbee teaches determining if the digital communication comprises malicious content based on the standardized output. [Higbee, ¶¶0116, 0142-0143 and 0152: a recipe 1700 to resolve reports of suspicious messages bases on satisfying a rule created from cluster summary to be further group based on clustering techniques]

Regarding claims 4 and 13, Higbee teaches claim 1 as described above.
Higbee teaches classifying the digital communication as one of malicious, non-malicious, or spam. [Higbee, See ¶¶0116 and 0142-0143. ¶0076: a pie chart 1030 depicting the relative categories of reported emails (e.g. non-malicious, spam, Crimeware, advanced threats, and uncategorized)]


Regarding claims 5 and 14, Higbee teaches claim 1 as described above.
Higbee teaches notifying the user of the classification of the digital communication. [Higbee, ¶0095: rules processing can send alert notification for further analysis]

Regarding claims 6 and 15, Higbee teaches claim 1 as described above.
Higbee teaches wherein if the digital communication is classified as spam, performing at least one spam mitigation activity. [Higbee, ¶0029: counter phishing attacks; See ¶¶0142-0143. ¶0116: As recipes are updated, the interdiction module can automatically be run to remove or block specific messages that match a recipe that is developed.]

Regarding claims 7 and 16, Higbee teaches claim 1 as described above.
Higbee teaches logging the at least one mitigation activity performed at an event management system.  [Higbee, ¶¶0116, 0159, and 0162: Threat information provided to API or sandboxing and managing platforms: Aresight™, Splunk™, Security Information and Event Management (SIEM) platforms, incident management systems, ticketing systems, or a logging system. ¶0104: interdiction module can execute a quarantine of messages or the recipes module can execute actions per rule]


Higbee teaches determining if the digital communication has been previously processed; [Higbee, ¶¶0068, 0098, and 0120: previously determined suspicious message performs checks
if the digital communication has been previously processed, determining if the digital communication is related to phishing, [Higbee, ¶¶0037, 0063, 0086, and 0098: A simulated phishing attack message may be generated in a phishing simulation module. The phishing simulation module may provide a template message that can contain placeholders for, e.g., an employee name, etc.; where previously determined suspicious message performs checks] and, 
if the digital communication is related to phishing, performing at least one processing activity for at least a second time. [Higbee, ¶¶0068, 0098, 0132, and 0140: interdiction module can repeatedly determine during analysis of malicious or non-malicious message, which removes previous malicious/phishing attacks and updates database.

Regarding claims 9 and 17, Higbee teaches claim 1 as described above.
Higbee teaches wherein the digital communication is determined as previously processed based on the at least one content indicator. [Higbee, See ¶0103: extraction of header information; ¶0068, 0098 and 0124: rule content searches from matches against previous open records.   
	
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Grafi (20180276389 A1) discloses determining malware prevention based on retrospective content scan.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAKINAH W TAYLOR whose telephone number is (571)270-0682. The examiner can normally be reached Monday-Friday, 9:45-5:45.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ELENI SHIFERAW can be reached on 571-272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 

SAKINAH WHITE-TAYLOR
Examiner
Art Unit 2497



/Sakinah White Taylor/           Examiner, Art Unit 2497