DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
The following is a Final Office action in response to communications received 03/10/2022. 

Information Disclosure Statement
The information disclosure statements (IDSs) submitted on 12/17/2021 and 02/7/2022 are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statements are being considered by the examiner.

Response to Amendment
Claims 1, 2, 5-9, 12, 16 and 17 have been amended. 
Claims 3 and 4 have been cancelled. 
Claims 1, 2 and 5-17 have been examined. 
Examiner’s rejection of claims 1 and 17 under 35 U.S.C. 112 is withdrawn in light of the applicant’s amendments to the claims.
Applicant’s arguments with respect to claims 1 and 17 regarding the new limitations: “responsive to determining that the email is potentially a malicious email based on the first output, apply a second model to the email to produce a second output indicative of whether the email is representative of a given type of potentially malicious email, wherein the second model is one of a plurality of models, each of which is respectively associated with a different type of malicious email”, have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Claim Objections
Claim 12 is objected to because of the following informalities:  Claim 12 recites: “plurality of collectively produce…” instead of “plurality of models collectively produce…”.  Appropriate correction is required.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
Claims 1, 2, 5, 7-12 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over prior art of record US 10397272 to Bruss et al (hereinafter Bruss), prior art of record US 20190384911 to Caspi et al (hereinafter Caspi) and CN107315954A to Luo et al (hereinafter Luo).
Examiner’s Note: The examiner used an English translation of CN107315954A. The English translation is attached to the end of the original document. 
As per claims 1 and 17, Bruss teaches:
A system, comprising: 
a processor (Bruss: column 11, lines 13-28: The computing device architecture 300 of FIG. 3 includes a central processing unit (CPU) 302) configured to: 
receive an email addressed to an employee of an enterprise (Bruss: column , lines 57-61: Sender devices 190a-190c transmit emails to an enterprise or organization (e.g., to addresses associated with the organization or its employees)); 
apply a first model to the email to produce a first output indicative of whether the email is representative of a non-malicious email (Bruss: column 8, lines 17-45: FIG. 2A illustrates an example machine-learning structure that may be implemented by the attack-detection server 140 in some implementations. In FIG. 2A, in some implementations, unstructured email subject-line data and/or body text (e.g., fully unstructured data) may be analyzed using term frequency-inverse document frequency (TF-IDF) logistic regression. Semi-structured, header data (e.g., semi-structured data) may be analyzed using a random decision forest classifier. Column 9, lines 38-55: Outputs from the FFNN and LSTM RNN are then fed into a fully-connected dense layer, which outputs a determination as to whether the email is likely malicious (e.g. has a probability of being malicious that exceeds a threshold)), wherein the first model is trained using past emails addressed to the employee that have been verified as non-malicious emails (Bruss: column 2, lines 19-23: analyze at least one of the email body and the subject line using term frequency-inverse document frequency (TF-IDF) logistic regression trained with an email corpus. Column 6, lines 18-35: In some implementations, the SOC analyst may add tags to reviewed emails in addition to `benign` or `malicious`. Once a critical mass of emails is provided with a particular tag, the classifier can automatically assess emails (future and past) in accordance with the additional tag (e.g., after retraining with the additionally tagged emails included in the training set)); 
determine, based on the first output, that the email is potentially a malicious email (Bruss: Column 9, lines 38-55: Outputs from the FFNN and LSTM RNN are then fed into a fully-connected dense layer, which outputs a determination as to whether the email is likely malicious (e.g. has a probability of being malicious that exceeds a threshold)); 
and 
a memory coupled to the processor and configured to provide the processor with instructions (Bruss: column 12, lines 49-65 and column 13, lines 8-38).
Bruss does not teach: responsive to determining that the email is potentially a malicious email based on the first output, apply a second model to the email to produce a second output indicative of whether the email is representative of a given type of potentially malicious email (Caspi: [0136] As shown in FIG. 3, according to some embodiments, the malware detector 320 can also comprise a deep learning neural network operable on a processing unit. [0361] The method can comprise providing (operation 1500) a file which is assumed to be malware. For example, a malware detector (see e.g. malware detector 320 in FIG. 3) can have detected that this file constitutes malware. [0362] This file can then be transmitted to the malware determination system for determining its category. The malware determination system can store a machine learning algorithm which was trained, in particular in accordance with one of the training methods described above. [0370]-[0372] The machine learning algorithm comprises a model (also called prediction model) which provides prospects that the malware belongs to one or more categories Ci of malware. [0373] The prospects can comprise, depending on the embodiments, probabilities that the malware belongs to one or more of categories Ci. For example, a probability can be associated to each category. For example, a result for a given file could be "80%" for Trojan, and "20%" for Ransomware); and 
perform an action with respect to the email based on the second output (Caspi: [0374] The results computed by the malware determination system can be output, e.g. using a user interface, to a user. [0375] According to some embodiments, depending on the category of the malware, appropriate cure of the threat can be performed);
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Caspi in the invention of Bruss to include the above limitations. The motivation to do so would be to provide a method of training a malware determination system comprising a machine learning algorithm, wherein the malware determination system is configured to identify a category of malware files (Caspi: [0011]).
Bruss in view of Caspi does not teach: wherein the second model is one of a plurality of models, each of which is respectively associated with a different type of malicious email. However, Kashyap teaches:
wherein the second model is one of a plurality of models, each of which is respectively associated with a different type of malicious email (Luo: [0129]: It can be understood that the classification model obtained in this embodiment for identifying the at least one type of virus and normal file may be composed of k+1 classification models, where k represents k-1 type of virus and 1 type of normal file. , k is an integer greater than or equal to 2. [0140]: For the processing method of performing feature extraction on the to-be-recognized file to obtain at least one feature corresponding to the to-be-recognized file, reference may be made to the processing method of performing feature extraction on the training sample in Embodiment 1 or Embodiment 2. [0141]: For example, first convert the features of the samples to be identified into vectors, and then use the k+1 machine learning models generated in 4 for classification, and classify the unknown samples into the class with the largest classification function value; The file is input into the classification model, and then the function value of the normal file type is 40, the classification function value of the first type virus is 20, and the classification function value of the second type virus is 98, then it can be determined that the classification result is the to-be-identified The file is a second type of virus).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Luo in the invention of Bruss in view of Caspi to include the above limitations. The motivation to do so would be to provide a file type identification method and a server, so as to at least solve the above-mentioned existing technical problems (Luo: [0007]).

As per claim 2, Bruss in view of Caspi and Luo teaches:
The system of claim 1, wherein the second output indicates that the email is not of the given type of malicious email, and wherein performing the action comprises forwarding the email to an inbox of the employee (Bruss: column 6, lines 48-53: In some implementations, attack-detection server 140 may analyze all emails received from MTA filter 120 automatically. If attack-detection server 140 detects any false positives (e.g., legitimate emails that were tagged as malicious), attack-detection server 140 may forward the same to the appropriate reception device 130a-130c).

As per claim 5, Bruss in view of Caspi and Luo teaches:
The system of claim 1, wherein at least one model included in the plurality of models determines whether content in a given email includes a query for data (Bruss: column 6, lines 60-67: In some cases, analysis of all e-mails received by an organization may reveal additional malicious emails. However, if all hyperlinks titled "Sign-In to Your Account" have the same URL, this may indicate that the mass emails are part of a phishing attack. Column 8, lines 17-19 and 45-51: FIG. 2A illustrates an example machine-learning structure that may be implemented by the attack-detection server 140. A separate machine-learning analysis may be performed on any URLs or embedded links identified in the email).

As per claim 7, Bruss in view of Caspi and Luo teaches:
The system of claim 1, wherein at least one model included in the plurality of models determines whether content in a given email includes a link to a Hypertext Markup Language (HTML) resource (Bruss: column 8, lines 17-19 and 45-51: FIG. 2A illustrates an example machine-learning structure that may be implemented by the attack-detection server 140. A separate machine-learning analysis may be performed on any URLs or embedded links identified in the email. In some cases, the attack-detection server 140 (e.g., acting alone or in conjunction with one or more other devices within the system 100a/100b) may receive the email, parse the email into portions (e.g., header, subject line, body text, URLs or other embedded links)).

As per claim 8, Bruss in view of Caspi and Luo teaches:
The system of claim 1, wherein at least one model included in the plurality of models determines whether a given email includes an attachment (Bruss: column 8, lines 17-19 and 45-55: FIG. 2A illustrates an example machine-learning structure that may be implemented by the attack-detection server 140. In some cases, features derived from one or more of URL analysis, header analysis, and attachment analysis may be fed into a nonparametric model. For example, the distribution of features derived from URL analysis, header analysis and attachment analysis may not normal, so the use of a nonparametric model compensates for this difference. A stacked ensemble classifier may take, as inputs, the results of a plurality of additional lower-level classifiers to determine whether an email is malicious. Also, column 9, lines 1-13). 

As per claim 9, Bruss in view of Caspi and Luo teaches:
The system of claim 1, wherein at least one model included in the plurality of models discovers one or more facets of a security threat (Caspi: [0373] The prospects can comprise, depending on the embodiments, probabilities that the malware belongs to one or more of categories Ci. For example, a probability can be associated to each category. For example, a result for a given file could be "80%" for Trojan, and "20%" for Ransomware. Bruss: column 8, lines 17-19 and 45-55: FIG. 2A illustrates an example machine-learning structure that may be implemented by the attack-detection server 140. In some cases, features derived from one or more of URL analysis, header analysis, and attachment analysis may be fed into a nonparametric model. For example, the distribution of features derived from URL analysis, header analysis and attachment analysis may not normal, so the use of a nonparametric model compensates for this difference. A stacked ensemble classifier may take, as inputs, the results of a plurality of additional lower-level classifiers to determine whether an email is malicious. Also, column 9, lines 38-56).
The examiner provides the same rationale to combine prior arts Bruss, Caspi and Luo as in claim 1 above. 

As per claim 10, Bruss in view of Caspi and Luo teaches:
The system of claim 9, wherein at least one facet comprises a goal of the security threat (Caspi: [0373] The prospects can comprise, depending on the embodiments, probabilities that the malware belongs to one or more of categories Ci. For example, a probability can be associated to each category. For example, a result for a given file could be "80%" for Trojan, and "20%" for Ransomware. Bruss: column 6, lines 60-67: In some cases, analysis of all e-mails received by an organization may reveal additional malicious emails. However, if all hyperlinks titled "Sign-In to Your Account" have the same URL, this may indicate that the mass emails are part of a phishing attack).
The examiner provides the same rationale to combine prior arts Bruss, Caspi and Luo as in claim 1 above. 

As per claim 11, Bruss in view of Caspi and Luo teaches:
The system of claim 9, wherein the processor is further configured to upload information associated with the discovered one or more facets to a profile of the employee (Bruss: column 5, lines 59-63: For example, when the attack-detection server 140 identifies any high-risk email (e.g., high-priority alert on the email), the email may be forwarded to a security operations center (SOC) analyst for further review. Column 16, lines 49-55: the attack-detection server may be able to … warn employees about malicious emails).

As per claim 12, Bruss in view of Caspi and Luo teaches:
The system of claim 1, wherein the plurality of collectively produce a plurality of outputs when applied to the email, and wherein the processor is further configured to apply a third model designed to aggregate at least two of the plurality of outputs produced into a comprehensible visualization component (Luo: [0129]: It can be understood that the classification model obtained in this embodiment for identifying the at least one type of virus and normal file may be composed of k+1 classification models, where k represents k-1 type of virus and 1 type of normal file. , k is an integer greater than or equal to 2. [0141]: For example, first convert the features of the samples to be identified into vectors, and then use the k+1 machine learning models generated in 4 for classification, and classify the unknown samples into the class with the largest classification function value; The file is input into the classification model, and then the function value of the normal file type is 40, the classification function value of the first type virus is 20, and the classification function value of the second type virus is 98, then it can be determined that the classification result is the to-be-identified The file is a second type of virus. Caspi: [0386] According to some embodiments, the machine learning algorithm can store a plurality of predictive models (each one can be trained according to the various methods described above). The file can be converted into a data structure, and fed to one or more of these models. Each model can provide prospects representative of one or more malware categories to which said file belongs, and an aggregation of these prospects can be performed to provide a final result. 
[0389]-[0394]: According to some embodiments, a neural network aggregates (third model) the different prospects provided by the machine learning algorithm for the file, into unique aggregated prospects (such as a unique probability), or into a binary result (for each category, it indicates whether it belongs to this category or not). [0373]: Various methods can be used, such as selecting the highest probability/probabilities, using a voting method, and using another neural network trained to provide a binary result based on a plurality of prospects representative of different malware categories provided by the machine learning algorithm for a given file, etc. [0374] The results computed by the malware determination system can be output, e.g. using a user interface, to a user).
The examiner provides the same rationale to combine prior arts Bruss, Caspi and Luo as in claim 1 above. 

Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Bruss in view of Caspi and Luo as applied to claim 1 above, and further in view of prior art of record US 20190238571 to Adir et al (hereinafter Adir).
As per claim 6, Bruss in view of Caspi and Luo teaches models that detect email phishing attacks (Bruss: column 6, lines 60-67) but does not explicitly teach: determining whether a given email includes a query for funds
wherein at least one model included in the plurality of models includes determining whether a given email includes a query for funds (Adir: [0002] Email phishing attacks attempt to induce users to click on a malicious link, transfer money, or perform any other action through misleading emails and social engineering manipulations).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Adir in the invention of Bruss in view of Caspi and Luo to include the above limitations. The claim would have been obvious because a particular known technique was recognized as part of the ordinary capabilities of one skilled in the art (see KSR Int’l Co. v. Teleflex Inc. 550 U.S. ___, 82 USPQ2d 1385 (Supreme Court 2007) (KSR)).

Claims 13 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Bruss in view of Caspi and Luo as applied to claim 1 above, and further in view of prior art of record US 8819819 to Johnston et al (hereinafter Johnston).
As per claim 13, Bruss in view of Caspi and Luo teaches:
The system of claim 1, wherein the second output indicates that the email includes a link to a Hypertext Markup Language (HTML) resource, and wherein performing the action comprises: following the link so that the HTML resource is accessed using a virtual web browser (Bruss: column 9, lines 57-67: In some implementations, URLs in the email (e.g., hyperlinks within the email or embedded URLS) may be analyzed separately from the header, body, and subject-line data. The attack-detection server 140 may analyze re-routing from the link, any automatic downloads, or web page data from the navigated to link to help determine the email's legitimacy. In some instances, the attack-detection server 140 may analyze a webpage navigated to by the link (e.g., review the webpage's contents, internal links, and URLs)); 
Bruss in view of Caspi and Luo does not teach: extracting a Document Object Model (DOM) for the HTML resource through the virtual web browser; and analyzing the DOM to determine whether the link represents a security threat. However, Johnston teaches:
extracting a Document Object Model (DOM) for the HTML resource through the virtual web browser (Johnston: column 6, lines 8-17: As discussed in more detail below, URL analysis process 185 is used to analyze all URLs detected in messages addressed to user computing system(s) 100 and URL redirect analysis process 187 is used to further analyze URLs that are determined at URL analysis process 185 to result in redirects. Column 8, lines 41-45: Any JavaScript contained within the webpages associated with a URL is identified, extracted, and further analyzed using JavaScript redirect processing procedure module 259 and JavaScript execution and analysis process module 260. Column 9, lines 15-20: Following the execution of each JavaScript fragment by the web browser being simulated using JavaScript execution and analysis process module 260, the resulting DOM is examined by JavaScript execution and analysis process module 260 using an introspective method within the DOM implementation itself); and 
analyzing the DOM to determine whether the link represents a security threat (Johnston: column 7, lines 57-67: URL redirect analysis process module 251 further includes redirect identification module 252 that includes procedures, data, and/or instructions for determining the type of redirect involved, and/or if other issues are present, such as, but not limited to: … whether DOM manipulation is present. Column 4, lines 33-40: If, based on the results of the URL redirect analysis process, and/or the results of any of the redirect processing procedures, a URL is identified as being spam or potential spam, then protective action is taken such as, but not limited to: transforming the status of the URL, and the message including the URL, to a status of spam or potential spam; and/or blocking the message including the URL, and/or all associated URLS; and/or adding the URL to a URL block list).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Johnston in the invention of Bruss in view of Caspi and Luo to include the above limitations. The motivation to do so would be to identify and stop far more spam messages than is possible using currently available methods and systems (Johnston: column 5, line 67-column 6, line 2).

As per claim 14, Bruss in view of Caspi and Luo teaches:
The system of claim 1, wherein the second output indicates that the email includes a primary link to a resource hosted by a network-accessible hosting service, and wherein performing the action comprises: following the primary link so that the resource is accessed using a virtual web browser (Bruss: column 9, lines 57-67: In some implementations, URLs in the email (e.g., hyperlinks within the email or embedded URLS) may be analyzed separately from the header, body, and subject-line data. In some implementations, attack-detection server 140 may navigate to the link (e.g., in a sandbox or virtual machine));
discovering whether any secondary links to secondary resources are present by examining content of the resource through the virtual web browser (Bruss: column 10, lines 1-15: In some instances, the attack-detection server 140 may analyze a webpage navigated to by the link (e.g., review the webpage's contents, internal links, and URLs)); 
Bruss in view of Caspi and Luo does not teach: for each secondary link, following the secondary link so that the corresponding secondary resource is accessed using the virtual web browser and analyzing content of the corresponding secondary resource to determine whether the secondary link represents a security threat; and determining whether the primary link represents a security threat based on whether any secondary links were determined to represent security threats. However, Johnston teaches:
for each secondary link, following the secondary link so that the corresponding secondary resource is accessed using the virtual web browser and analyzing content of the corresponding secondary resource to determine whether the secondary link represents a security threat; and determining whether the primary link represents a security threat based on whether any secondary links were determined to represent security threats (Johnston: column 9, lines 15-55: The web browser being simulated by JavaScript execution and analysis process module 260 looks for any redirect URLs that are, or include, dynamically written content. The web browser being simulated by JavaScript execution and analysis process module 260 then takes one of three actions depending on the result. If the result of the JavaScript execution and analysis process is pure HTML data, the HTML data is returned to the URL redirect analysis process for inclusion in a later HTML analysis of the webpage content as discussed below. First, any URLs that were detected either from the JavaScript execution itself or those embedded in the resultant HTML by the JavaScript execution and analysis process are themselves link followed by the URL redirect analysis process, as discussed below. Column 10, lines 19-31: The embedded URLs are treated by DOM manipulation redirect processing procedure module 263 in the same manner as frames are treated by frames redirect processing procedure module 261, i.e., each embedded URL is recursed into following any additional embedded URL/redirects. 
Column 4, lines 33-40: If, based on the results of the URL redirect analysis process, and/or the results of any of the redirect processing procedures, a URL is identified as being spam or potential spam, then protective action is taken such as, but not limited to: transforming the status of the URL, and the message including the URL, to a status of spam or potential spam; and/or blocking the message including the URL, and/or all associated URLS; and/or adding the URL to a URL block list). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Johnston in the invention of Bruss in view of Caspi and Luo to include the above limitations. The motivation to do so would be to identify and stop far more spam messages than is possible using currently available methods and systems (Johnston: column 5, line 67-column 6, line 2).

Claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over Bruss in view of Caspi and Luo as applied to claim 1 above, and further in view of prior art of record US 20190104154 to Kumar et al (hereinafter Kumar).
As per claim 15, Bruss in view of Caspi and Luo teaches:
The system of claim 1, wherein the second output indicates that the email includes a link to a Hypertext Markup Language (HTML) resource, and wherein performing the action comprises: following the link so that the HTML resource is accessed using a virtual web browser (Bruss: column 9, lines 57-67: In some implementations, URLs in the email (e.g., hyperlinks within the email or embedded URLS) may be analyzed separately from the header, body, and subject-line data. In some implementations, attack-detection server 140 may navigate to the link (e.g., in a sandbox or virtual machine). Column 10, lines 1-15: In some instances, the attack-detection server 140 may analyze a webpage navigated to by the link (e.g., review the webpage's contents, internal links, and URLs)); 
Bruss in view of Caspi and Luo teaches navigating the link using a virtual machine but does not teach: capturing a screenshot of the HTML resource through the virtual web browser; applying a computer vision algorithm designed to identify similarities between the screenshot and a library of verified sign-in websites; and determining whether the link represents a security threat based on an output produced by the computer vision algorithm. However, Kumar teaches:
capturing a screenshot of the HTML resource through the virtual web browser (Kumar: [0025] The detection process involves receipt of a URL for analysis to determine whether the URL is associated with a phishing cyberattack ("subject URL"). [0026] More particularly, the detection process includes the (i) generation of a subject screenshot of a webpage retrieved from a subject URL); 
applying a computer vision algorithm designed to identify similarities between the screenshot and a library of verified sign-in websites (Kumar: [0013] The training process involves the generation of a model using machine learning techniques, the model representing a categorization of a training set of URLs into one or more webpage families, the training set of URLs known to be associated with genuine (non-phishing) websites (in some embodiments, known phishing URLs may be provided to improve the model). [0021]: The detection of keypoints and generation of feature vectors are performed using computer vision techniques such as those mentioned above [0026] More particularly, the detection process includes the (i) generation of a subject screenshot of a webpage retrieved from a subject URL, (ii) processing the subject screenshot to identify a set of keypoints, (iii) correlating the set of keypoints to a set of known benign (verified) or known phishing pages using the model); and 
determining whether the link represents a security threat based on an output produced by the computer vision algorithm (Kumar: [0011]: The phishing, detection and analysis system (PDAS) is configured to detect a phishing attack through the use of computer vision techniques that leverage a graphic representation (i.e., the representation expressing the "look and feel") of a webpage to determine whether the webpage is attempting to mimic a legitimate webpage. [0026]: (iv) if the correlation exceeds a threshold, classifying the subject URL as part of a phishing cyberattack).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Kumar in the invention of Bruss in view of Caspi and Luo to include the above limitations. The motivation to do so would be to provide systems and methods for detecting phishing URLs and webpages that efficiently use resources and save processing time previously needed to perform such a determination (Kumar: [0029]).

Claim 16 is rejected under 35 U.S.C. 103 as being unpatentable over Bruss in view of Caspi and Luo as applied to claim 1 above, and further in view of prior art of record US 9774626 to Himler et al (hereinafter Himler).
As per claim 16, Bruss in view of Caspi and Luo teaches:
The system of claim 1, wherein the second output indicates that the email includes an attachment (Bruss: column 2, lines 1-20: receive an email addressed to a user; separate the email into a plurality of email components; analyze, using respective machine-learning techniques, each of the plurality of email components; feed the analysis of each of the plurality of email components into a stacked ensemble analyzer; and based on an output of the stacked ensemble analyzer, determine whether the email is suspicious. Column 10, lines 56-62: each email feature (e.g., links, attachments) may be analyzed to determine what is statistically relevant); 
Bruss in view of Caspi and Luo does not teach: wherein performing the action comprises: opening the attachment within a secure processing environment; and determining whether the attachment represents a security threat based on an analysis of content of the attachment. However, Himler teaches: 
wherein performing the action comprises: opening the attachment within a secure processing environment and determining whether the attachment represents a security threat based on an analysis of content of the attachment (Himler: column 12, lines 53-58: Factor 7: Whether the message contains one or more attachments and whether such attachments contain malware. The system may perform a separate analysis to determine whether the attachment contains malware (e.g. by matching the file against malware signatures or opening the attachment in a sandboxed environment)).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Himler in the invention of Bruss in view of Caspi and Luo to include the above limitations. The motivation to do so would be to determine whether a received message is a legitimate message (Himler: column 1, lines 52-53).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:  
US 20180196942 to Kashyap et al: A plurality of events associated with each of a plurality of computing nodes that form part of a network topology are monitored. The network topology includes antivirus tools to detect malicious software prior to it accessing one of the computing nodes. Thereafter, it is determined that, using at least one machine learning model, at least one of the events is indicative of malicious activity that has circumvented or bypassed the antivirus tools. Data is then provided that characterizes the determination. Related apparatus, systems, techniques and articles are also described.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
	
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MADHURI R HERZOG whose telephone number is (571)270-3359. The examiner can normally be reached 8:30AM-5:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached on (571)272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

MADHURI R. HERZOG
Primary Examiner
Art Unit 2438


