DETAILED ACTION
This Action is in response to Applicant’s amendment filed on 02/10/22. 
Claim 21 has been previously cancelled.
Claims 1-20 and 22-26 are pending.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
Argument A) – The applicant argues, in regards to the 103 rejection of claim 1, that Prakash does not disclose the limitation “an anti-phishing training engine running on a host and configured to customize and provide an anti-phishing training exercise…”.  In particular, the applicant states that Prakash discloses the training module resides on a user device as opposed to “running on a host” as claimed (see applicant’s remarks; pages 8 and 9).
Response to argument A) – The examiner respectfully disagrees.  It appears the applicant is stating that a user device, as taught by Prakash and noted by the applicant, is not a “host” in the claimed fashion.  However, according to the applicant’s specification, a host can be a computing device including a laptop PC, desktop PC, an iPhone, etc. (emphasis added) (see applicant’s specification as filed; paragraph 0016).
Prakash discloses that a user device is a computing device and can be any device capable of displaying electronic content and communicating over the network, such as a desktop computer, laptop or notebook computer, mobile phone, etc. (emphasis added) (see Prakash; paragraph 0015).  Further, based on analytics derived from user behavior and interactions, a 
Therefore, in regards to the claimed limitation, Prakash does in fact disclose “an anti-phishing training engine running on a host…” (emphasis added) by the training module for phishing prevention being initiated on the user device.  As such, the rejection has been maintained.
The applicant states similar reasons for independent claims 15 and 16 (and the dependent claims) (see applicant’s remarks; page 9).  As such, the rejection has been maintained for the similar reasons provided above.

Argument B) – The applicant argues, in regards to the 103 rejection of claim 7, that Prakash does not disclose the “security protection engine” runs on a host, as recited by claim 1, from which claim 7 depends.  In particular, the applicant states that Prakash’s browser application executes on a user device as opposed to running on a host (see applicant’s remarks; pages 9 and 10).
Response to argument B) – The examiner respectfully disagrees.  As discussed above, in regards to claim 1, it appears the applicant is stating that the user device, as taught by Prakash and noted by the applicant, is not a “host” in the claimed fashion.  However, according to the applicant’s specification, a host can be a computing device including a laptop PC, desktop PC, an iPhone, etc. (emphasis added) (see applicant’s specification as filed; paragraph 0016).  Further, the examiner notes that claim 1, from which claim 7 depends, recites that the content filtering and interception engine, security protection engine, an anti-phishing training engine run on “a host” (emphasis added).  As such, nothing in the claim precludes “a host” from being the 
Prakash discloses that a user device is a computing device and can be any device capable of displaying electronic content and communicating over the network, such as a desktop computer, laptop or notebook computer, mobile phone, etc. (emphasis added) (see Prakash; paragraph 0015).  Further, a behavior monitor and browser application, executing on the user device, records user behavior (see Prakash; paragraphs 0022, 0027 and 0072).
Therefore, in regards to the claimed limitation, Prakash does in fact disclose “security protection engine” running on a host by the behavior monitor and browser application running on the user device.  As such, the rejection has been maintained.
The applicant states similar reasons for claim 19 (and the other dependent claims) (see applicant’s remarks; page 10).  As such, the rejection has been maintained for the similar reasons provided above.

Argument C) – The applicant argues, in regards to the 103 rejection of claim 3, that Prakash does not disclose the claimed limitation “the content filtering and interception engine is configured to intercept the email via either a proxy or a relay mechanism prescribed to a governing communication protocol”.  In particular, the applicant states that Chasin’s proxy gateway of the email handler automatically receives the emails being sent to the email server as opposed to intercepting them in the claimed fashion (see applicant’s remarks; page 10).
Response to argument C) - The examiner respectfully disagrees.  The examiner interprets the claimed limitation as merely the email is received by the proxy first before 
Chasin discloses the handler may take any useful form for accepting and otherwise handling e-mail messages, and in one embodiment, comprises a message transfer agent that creates a proxy gateway, positioned between the internet/email server or destination server and the e-mail recipients, for inbound e-mail (emphasis added) to the e-mail server or destination mail host by accepting the incoming messages with the Simple Mail Transport Protocol (SMTP), e.g., is a SMTP proxy server (see Chasin; paragraph 0031).
Therefore, in regards to the claimed limitation, Chasin does in fact disclose “the content filtering and interception engine is configured to intercept (accept/receive) the email via either a proxy or a relay mechanism prescribed to a governing communication protocol” by the proxy gateway being positioned between the email server/internet and the email recipient and accepting incoming messages for the recipient.  As such, the rejection has been maintained.
The applicant states similar reasons for claim 16 (see applicant’s remarks; page 10).  As such, the rejection has been maintained for the similar reasons provided above.

Claim Interpretation
Regarding claims 1, 3, 4, 8, 13, 15, 16 and 26, the claims recite alternative language, i.e. using the term “or”, and as such, the Examiner interprets certain features to not be required due to the claim language listing the features in the alternative.  The rejection below specifies the particular limitations.  

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1, 2, 4, 5, 7, 8, 11, 15, 17, 19, 22 and 26 are rejected under 35 U.S.C. 103 as being unpatentable over Berman (U.S. 2007/0136806 A1) in view of Prakash et al. (U.S. 2020/0092326 A1).
Regarding claims 1, 15 and 26, Berman discloses a system and method to support anti-phishing training using real attacks in real time, comprising:
a content filtering and interception engine (e.g. gateway server) running on a host and configured to intercept and detect an active content (URL) of an email arriving at a recipient’s email account within an entity or corporation (see Berman; paragraphs 0023 and 0045; Berman discloses blocking phishing at a point in a path of an email message from a sender to a recipient, i.e. “email account within an entity”.  When the email message reaches a gateway server, i.e. “intercept”, the URL within, i.e. “detect”, the email is replaced by another URL);
attempts to access the active content”, the URL is sent to the inspection utility where it searches, i.e. “examine”, the URL within a database.  The URL is searched in the phishing database only when, therefore “in real time”, the user activates the URL);
re-direct the recipient to a safe blocking mechanism (warning) designed to alert the recipient of the phishing attack once the phishing attack is blocked (see Berman; paragraph 0049; Berman discloses when it is determined that the URL is a phishing web site and blocked, redirecting the user’s browser to a URL which displays a warning, i.e. “safe blocking mechanism”).
While Berman discloses blocking a phishing attack, (see Berman; paragraphs 0022 and 0049), Berman does not explicitly disclose deliver additional content associated with the active content of the email to the recipient if the active content is determined to be safe for access by the recipient; block the recipient from accessing the additional content associated with the active content of the email if the active content is determined to be malicious to prevent the recipient from falling victim to the phishing attack; and an anti-phishing training engine running on a host and configured to customize and provide an anti-phishing training exercise to the recipient in response to the recipient being blocked from accessing the additional content associated with the active content, wherein content of the anti-phishing training exercise is specifically customized for the recipient based on the blocked phishing attack the recipient received in the email.

block the recipient from accessing the additional content (webpage content) associated with the active (URL) content of the email if the active content (URL) is determined to be malicious to prevent the recipient from falling victim to the phishing attack (see Prakash; paragraphs 0013, 0041 and 0044; Prakash discloses if the URL, from the link in the email, is determined to be counterfeit, the browser application blocks access to webpage content referenced by the received URL); and 
an anti-phishing training engine running on a host and configured to customize and provide an anti-phishing training exercise to the recipient in response to the recipient being blocked from accessing the additional content (webpage content) associated with the active content (URL), wherein content of the anti-phishing training exercise is specifically customized for the recipient based on the blocked phishing attack the recipient received in the email (see Prakash; paragraphs 0041, 0046, 0072, 0073 and 0083; Prakash discloses the user clicking on a link/URL, i.e. “active content”, in an email and if it is determined that the URL is counterfeit then blocking access to the webpage, i.e. “additional content”, referenced by the URL and recording user behavior.  Analytics are generated based on the recorded user behavior, e.g. the in response to the recipient being blocked…”, a training module, i.e. “anti-phishing training engine”, may be initiated on the user device, which includes instructions or activities for training on phishing prevention best practices to users who click on such phishing links, i.e. “customized for the recipient based on the blocked phishing attack”).
One of ordinary skill in the art would have been motivated to combine Berman and Prakash because they both disclose features of cyber security, and as such, are within the same environment.
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to incorporate Prakash’s real-time detection and training into the system of Berman in order to provide the benefit of training the user to identify legitimate URLs and avoid counterfeit URLs (see Prakash; paragraph 0083).
Further, Berman discloses the additional limitations of claim 26, a non-transitory storage medium having software instructions (see Berman; paragraphs 0014 and 0015; Berman discloses the use of servers and a database, and as such, would necessarily include a non-transitory storage medium with software instructions.  Further, Prakash discloses a computer-readable storage media; see paragraph 0092). 
Regarding claim 2, Berman and Prakash disclose all the limitations of claim 1, as discussed above, further the combination of Berman and Prakash clearly discloses the content filtering and interception engine and the security protection engine are positioned in a data path from which the active content of the email is to be consumed by the recipient so that the active content of the email is intercepted and examined before it is consumed by the recipient (see Berman; paragraphs 0022, 0023, 0045; Berman discloses the phishing inspection utility is the active content of the email is intercepted and examined before it is consumed by the recipient”).
Regarding claim 4, Berman and Prakash disclose all the limitations of claim 1, as discussed above, further the combination of Berman and Prakash clearly discloses the active content of the email is an embedded URL link directing to a website (see Berman; paragraph 0023; Berman discloses a URL reference within the email) or macros in an attached document to the email (The claim lists features in the alternative. While the claim lists a number of optional limitations only one limitation from the list is required and needs to be met by the prior art. The Examiner has chosen the “embedded URL” alternative).
Regarding claims 5 and 17, Berman and Prakash disclose all the limitations of claims 4 and 15, as discussed above, further the combination of Berman and Prakash clearly discloses the security protection engine is configured to determine if the URL link points to a fake website of an attacker (see Berman; paragraph 0049; Berman discloses testing the URL reference to determine if the URL is of a phishing web site, i.e. “fake website”; Further, Prakash discloses a counterfeit URL which references a webpage that may exhibit a phishing attack; see paragraph 0013).
The prior art used in the rejection of the current claim is combined using the same motivations as was applied in claims 1 and 15.
Regarding claims 7 and 19, Berman and Prakash disclose all the limitations of claims 1 and 15, as discussed above, further the combination of Berman and Prakash clearly discloses the security protection engine is configured to monitor and store information about the active content security protection engine”, which executes on the user device, and behavior store.  The user behavior recorded can include a number of unique URLs requested by the user of the user device in a specified period of time, i.e. “pattern of behavior” triggered by a user selection of a hyperlink in an email). 
The prior art used in the rejection of the current claim is combined using the same motivations as was applied in claims 1 and 15. 
Regarding claim 8, Berman and Prakash disclose all the limitations of claim 7, as discussed above, further the combination of Berman and Prakash clearly discloses the pattern of behavior of the recipient includes one or more of frequency of attempts by the recipient to access a malicious content (see Prakash; paragraphs 0022 and 0027; Prakash discloses a behavior monitor and behavior store.  The user behavior recorded can include a number, i.e. “frequency”, of unique URLs requested by the user of the user device in a specified period of time, i.e. “pattern of behavior” triggered by a user selection of a hyperlink in an email), types of phishing attacks the recipient is likely to fall victim to (see Prakash; paragraphs 0013 and 0028; Prakash discloses a counterfeit URL refers to an address that references an untrusted webpage exhibiting phishing behaviors, i.e. “type of phishing attacks”.  The user behaviors recorded by the behavior monitor can also include a number of counterfeit webpages blocked), and severity of such phishing attacks (The claim lists features in the alternative. While the claim lists a number of optional limitations only one limitation from the list is required and needs to be met by the prior frequency of attempts” and “types of phishing attacks” alternatives).
The prior art used in the rejection of the current claim is combined using the same motivations as was applied in claim 1.
Regarding claims 11 and 22, Berman and Prakash disclose all the limitations of claims 1 and 15, as discussed above, further the combination of Berman and Prakash clearly discloses the security protection engine is configured to re-direct the recipient to a safe blocking mechanism designed to kick-in once the phishing attack is blocked and the recipient is prevented from falling victim to such attack (see Berman; paragraph 0049; Berman discloses when it is determined that the URL is a phishing web site and blocked, redirecting the user’s browser to a URL which displays a warning, i.e. “safe blocking mechanism”).

Claims 3 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Berman (U.S. 2007/0136806 A1) in view of Prakash et al. (U.S. 2020/0092326 A1), as applied to claims 1 and 15 above, and further in view of Chasin (U.S. 2005/0015626 A1).
Regarding claims 3 and 16, Berman and Prakash disclose all the limitations of claims 1 and 15, as discussed above, while Berman discloses content filtering and interception engine is configured to intercept the email (see Berman; paragraphs 0023 and 0045; Berman discloses blocking phishing at a point in a path of an email message from a sender thereof to a recipient, in which the email reaches a gateway server), as also discussed above, the combination of Berman and Prakash does not explicitly disclose the content filtering and interception engine is configured to intercept the email via either a proxy or a relay mechanism prescribed to a governing communication protocol.
proxy” alternative).
One of ordinary skill in the art would have been motivated to combine Berman and Prakash because they all disclose features of cyber security, and as such, are within the same environment.
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to incorporate Chasin’s proxy server into the combined system of Berman and Prakash in order to provide the benefit of scalability by allowing Berman’s gateway to be implemented as a proxy server which includes filters (see Chasin; paragraph 0031).

Claims 6, 9, 10, 12-14, 18, 20 and 23-25 are rejected under 35 U.S.C. 103 as being unpatentable over Berman (U.S. 2007/0136806 A1) in view of Prakash et al. (U.S. 2020/0092326 A1), as applied to claims 4 and 15, and further in view of Sadeh-Koniecpol et al. (U.S. 2014/0199663 A1) (applicant submitted prior art, see IDS filed 03/17/2021).
Regarding claims 6 and 18, Berman and Prakash disclose all the limitations of claims 4 and 15, as discussed above.  The combination of Berman and Prakash does not explicitly disclose the security protection engine is configured to determine if the attachment contains any malicious content. 
In analogous art, Sadeh-Koniecpol discloses the security protection engine is configured to determine if the attachment contains any malicious content (see Sadeh-Koniecpol; paragraph 0058; Sadeh-Koniecpol discloses repurposing an actual attack by making it harmless, e.g. replacing a malicious attachment, i.e. therefore a determination that “the attachment contains any malicious content” with a mock malicious attachment).
One of ordinary skill in the art would have been motivated to combine Berman, Prakash and Sadeh-Koniecpol because they all disclose features of cyber security, and as such, are within the same environment.
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to incorporate Sadeh-Koniecpol’s training intervention into the combined system of Berman and Prakash in order to provide the benefit of helping to reduce future risk of threats users fall prey to (see Sadeh-Koniecpol; paragraphs 0034 and 0043). 
Regarding claims 9 and 20, Berman and Prakash disclose all the limitations of claims 7 and 19, as discussed above.  The combination of Berman and Prakash does not explicitly disclose the security protection engine is configured to determine the anti-phishing training 
In analogous art, Sadeh-Koniecpol discloses the security protection engine is configured to determine the anti-phishing training exercise (training intervention) that the recipient needs to go through specific (appropriate) to his/her needs and inform the recipient accordingly according to his/her pattern (trend) of behavior to access to the malicious content (see Sadeh-Koniecpol; paragraphs 0059, 0062, 0063 and 0114; Sadeh-Koniecpol discloses an SMS message or email message being used to deliver training, i.e. “inform the recipient”.  The system analyzes data, such as behavior data, which includes a trend of the user.  The system determines whether a need for training is indicated by a user action, e.g. behavior trend, selects a training intervention appropriate for the user action, and transmits the training intervention.  In other words, the system determines the appropriate intervention training for the user based on an action, e.g. behavior trend, of the user and informs the user of the selected training).
One of ordinary skill in the art would have been motivated to combine Berman, Prakash and Sadeh-Koniecpol because they all disclose features of cyber security, and as such, are within the same environment.
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to incorporate Sadeh-Koniecpol’s training intervention into the combined system of Berman and Prakash in order to provide the benefit of helping to reduce future risk of threats users fall prey to (see Sadeh-Koniecpol; paragraphs 0034 and 0043). 
Regarding claim 10, Berman, Prakash and Sadeh-Koniecpol disclose all the limitations of claim 9, as discussed above, further the combination of Berman, Prakash and Sadeh-automatically determine”, maintenance and customization of training needs is done which includes updating and customizing individual training interventions by accessing the historical training data.  In other words, it is determined that the “recipient needs to be retrained” by the training being updated for the individual user in view of the data showing how well the user responded to the training and failing to conform to the expected best practices or apply the knowledge covered in the training.  Further, the system may provide recommendations for further training of the user, i.e. “elevated to a different training”) (The claim lists features in the alternative. While the claim lists a number of optional limitations only one limitation from the list is required and needs to be met by the prior art. The Examiner has chosen the “retrained” and “elevated to a different training” alternatives). 
The prior art used in the rejection of the current claim is combined using the same motivations as was applied in claim 1.
Regarding claims 12 and 23, Berman and Prakash disclose all the limitations of claims 1 and 15, as discussed above.  While Prakash discloses recording user behavior, as discussed above, the combination of Berman and Prakash does not explicitly disclose the anti-phishing 
In analogous art, Sadeh-Koniecpol discloses the anti-phishing training engine is configured to access and retrieve the recipient’s pattern of behavior of accessing malicious content in the past to determine the type of anti-phishing training exercise the recipient needs (see Sadeh-Koniecpol; paragraphs 0063, 0064, 0072 and 0112; Sadeh-Koniecpol discloses the system accessing storage comprising user behavior data which includes trends, historical user training data, as well as, training needs models to customize the training interventions).
One of ordinary skill in the art would have been motivated to combine Berman, Prakash and Sadeh-Koniecpol because they all disclose features of cyber security, and as such, are within the same environment.
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to incorporate Sadeh-Koniecpol’s training intervention into the combined system of Berman and Prakash in order to provide the benefit of helping to reduce future risk of threats users fall prey to (see Sadeh-Koniecpol; paragraphs 0034 and 0043).
Regarding claims 13 and 24, Berman and Prakash disclose all the limitations of claims 1 and 15, as discussed above.  While Prakash discloses the “anti-phishing engine”, as discussed above, the combination of Berman and Prakash does not explicitly disclose the anti-phishing training engine is configured to interactively present the antiphishing training exercise to the recipient via a user portal in formats that include one or more of audio.
audio”, “video” and “human interactions” alternatives).
One of ordinary skill in the art would have been motivated to combine Berman, Prakash and Sadeh-Koniecpol because they all disclose features of cyber security, and as such, are within the same environment.
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to incorporate Sadeh-Koniecpol’s training intervention into the combined system of Berman and Prakash in order to provide the benefit of helping to reduce future risk of threats users fall prey to (see Sadeh-Koniecpol; paragraphs 0034 and 0043).
Regarding claims 14 and 25, Berman and Prakash disclose all the limitations of claims 1 and 15, as discussed above.  While Prakash discloses tracking training progress (see Prakash; paragraph 0083), the combination of Berman and Prakash does not explicitly disclose the anti-phishing training engine is configured to record the recipient’s current security posture and 
In analogous art, Sadeh-Koniecpol discloses the anti-phishing training engine is configured to record the recipient’s current security posture and awareness and/or the recipient’s training record in the training exercise for future training consideration for the recipient (see Sadeh-Koniecpol; paragraphs 0064, 0083, 0085, and 0087; Sadeh-Koniecpol discloses historical user training data that is used for customization, which includes updating training interventions.  The training interventions may include recommendations for further training, i.e. “future training”.  Further, user responses are recorded for later analysis and the historical user training data is stored, i.e. “record… recipient’s training record in the training exercise”) (The claim lists features in the alternative. While the claim lists a number of optional limitations only one limitation from the list is required and needs to be met by the prior art. The Examiner has chosen the “record… recipient’s training record in the training exercise for future training consideration for the recipient” alternative).
One of ordinary skill in the art would have been motivated to combine Berman, Prakash and Sadeh-Koniecpol because they all disclose features of cyber security, and as such, are within the same environment.
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to incorporate Sadeh-Koniecpol’s training intervention into the combined system of Berman and Prakash in order to provide the benefit of helping to reduce future risk of threats users fall prey to (see Sadeh-Koniecpol; paragraphs 0034 and 0043).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Hadnagy (U.S. 9,635,052) discloses training can be tailored to educate each user on the exact type of phishing message that tricked them.
Lowry et al. (U.S. 2018/0324201 A1) discloses customizing anti-phishing training for a user.

THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ADAM A COONEY whose telephone number is (571)270-5653. The examiner can normally be reached M-F 7:30am-5:00pm (every other Fri off).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, William Trost can be reached on 571-272-7872. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/A.A.C/Examiner, Art Unit 2442, 02/20/2022

/WILLIAM G TROST IV/Supervisory Patent Examiner, Art Unit 2442