DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

The claims 1-20 are presented for examination.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-5, 8-12 and 15-19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Sprosts et al. (U.S. Publication No. 2007/0079379 A1) in view of Alspector et al. (U.S. Patent No. 8,214,437 B1), and further in view of Nachenberg (U.S. Publication No. 2009/0328209 A1).

	
With respect to claim 1, Sprosts discloses a method of protecting users from malicious attacks propagated via emails, the method comprising: identifying a first set of clients of an email (i.e., The needs identified in the foregoing Background, and other needs and objects that will become apparent for the following description, are achieved in the present invention, which comprises, in one aspect, a method comprising receiving an electronic mail message having a destination address for a recipient account [identifying a first set of clients of an email], ¶ 45.  In an embodiment, virus information logic 114 is implemented as an independent logical module in messaging gateway 107. Messaging gateway 107 invokes virus information logic 114 with message data and receives a verdict in response. The verdict may be based on message heuristics. Message heuristics score messages and determine the likelihood that a message is a virus. Virus information logic 114 detects viruses based in part on parameters of messages. In an embodiment, virus detection is performed based upon any one or more of: heuristics of mail containing executable code; heuristics of mismatched message headers; heuristics of mail from known Open Relays; heuristics of mail having mismatched content types and extensions; heuristics of mail from dynamic user lists, blacklisted hosts, or senders known to have poor reputations; and sender authenticity test results. Sender authenticity tests results may be generated by logic that receives sender ID values from public networks [a method of protecting users from malicious attacks propagated via emails], ¶ 57).
Sprosts further discloses computing a reputation score for the email based on hygiene scores of the first set of clients, wherein the reputation score indicates a probability of malicious attacks being propagated via the email (i.e., The anti-spam logic 119 scans inbound messages to determine if they are unwanted according to a mail acceptance policy, such as whether the inbound messages are unsolicited commercial email, and the anti-spam logic 119 applies policies to restrict delivery, redirect, or refuse acceptance of any unwanted messages. In an embodiment, anti-spam logic 119 scans messages and returns a score of between 0 and 100 for each message indicating a probability that the message is spam or another type of unwanted email [a reputation score for the email based on hygiene scores of the first set of clients, wherein the reputation score indicates a probability of malicious attacks being propagated via the email]. Score ranges are associated with an threshold, definable by an administrator, of possible spam and likely spam against which users can apply a specified set of actions described further below [based on a hygiene score]. In an embodiment, messages scoring 90 or above are spam and messages scoring 75-89 are suspected spam, ¶ 59.  In an embodiment, anti-spam logic 119 determines a spam score based at least in part upon reputation information, obtained from database 112 or an external reputation service such as SenderBase from IronPort Systems, Inc., that indicates whether a sender of the message is associated with spam, viruses, or other threats [a reputation score for the email based on hygiene scores of the first set of clients, wherein the reputation score indicates a probability of malicious attacks being propagated via the email]. Scanning may comprise recording an X-header in the scanned message that verifies that the message was successfully scanned, and includes an obfuscated string that identifies rules that matched for the message. 
Obfuscation may comprise creating a hash of rule identifiers based on a private key and a one-way hash algorithm. Obfuscation ensures that only a specified party, such as service provider 700 of FIG. 7, can decode the rules that matched, improving security of the system, ¶ 60.  The determination that a message is suspicious also may be made by extracting a source network address from the message, such as a source IP value, and issuing a query to the SenderBase service to determine whether the source is known to be associated with spam or viruses. For example, a reputation score value provided by the SenderBase service may be taken into account in determining whether a message is suspicious. A message may also be determined to be suspicious if it was sent from an IP address associated with a host known to be compromised, that has a history of sending viruses, or has only recently started sending email to the Internet. The determination also may be based upon one or more of the following factors: (a) the type or extension of a file attachment that is directly attached to the message, (b) the type or extension of a file that is contained within a compressed file, an archive, a .zip file, or another file that is directly attached to the message, and (c) a data fingerprint obtained from an attachment, ¶ 82.  In these example rules, Rule 1 indicates that ZIP attachments are more likely to include a virus than EXE attachments because the virus score is 4 in Rule 2 but only 3 in Rule 1. Furthermore, the example rules above indicate that EXE attachments with a size of greater than 50 k are the most likely to have a virus, but EXE attachments with a size of less than 50 k but greater than 20 k are a little less likely to include a virus, perhaps because most of the suspicious messages with EXE attachments are greater than 50 k in size [hygiene score], ¶ 143.  In an embodiment, threat identification team 710 (FIG. 7) determines rule grouping and ordering and assigns priorities. TI team 710 also can continuously evaluate the statistical effectiveness of the rules to determine how to order them for execution, including assigning different priorities [reputation scores based on hygiene scores], ¶ 203).
Sprosts further discloses providing the reputation score for the email to a second set of clients of the email (i.e., In another aspect, the invention provides a method comprising receiving and storing a plurality of rules specifying characteristics of electronic messages that indicate threats associated with the messages, wherein each rule has a priority value, wherein each rule is associated with a message element type; receiving an electronic mail message having a destination address for a recipient account, wherein the message comprises a plurality of message elements; extracting a first message element; determining a threat score value for the message by matching only the first message element to only selected rules having a message element type corresponding to the first message element, and according to an order of the priorities of the selected rules; when the threat score value is greater than a specified threshold, outputting the threat score value [providing the reputation score for the email to a second set of clients of the email], ¶ 47.  In an embodiment, anti-spam logic 119 determines a spam score based at least in part upon reputation information, obtained from database 112 or an external reputation service such as SenderBase from IronPort Systems, Inc, ¶ 60.  Although not shown in FIG. 1, virus information processor 108 can include or be communicatively coupled to a virus outbreak operation center (VOOC), a receiving virus score (RVS) processor, or both. The VOOC and RVS processor can be separate from virus information processor 108 but communicatively coupled to database 112 and public network 102. The VOOC can be implemented as a staffed center with personnel available 24 hours a day, 7 days a week to monitor the information collected by virus information processor 108 and stored in database 112. 
The personnel staffing the VOOC can take manual actions, such as issuing virus outbreak alerts, updating the information stored in database 112, publishing virus outbreak information so that messaging gateways 107 can access the virus outbreak information, and manually initiating the sending of virus outbreak information to messaging gateway 107 and other messaging gateways, ¶ 70). 
Sprosts may not explicitly disclose identifying a set of recipients of an email.
However, Alspector discloses identifying a set of recipients of an email who have opened the email (i.e., Implicit feedback may include the user keeping a message marked as new after the user has read the e-mail [identifying a set of recipients of an email who have opened the email], forwarding the e-mail, replying to the e-mail, adding the sender's e-mail address to the user's address book, and printing the e-mail. Implicit feedback also may include the user not explicitly changing the classification of a message. In other words, there may be an assumption that the classification was correctly performed if the user does not explicitly change the class. If the described techniques are used in an instant messaging system, implicit feedback may include, for example, a user refusing to accept an initial message from a sender not on the user's buddy list, column 12 ¶ 3) in order to provide a global e-mail classifier that classifies e-mail as it enters the e-mail system (column 4 lines 54-55).
Therefore, based on Sprosts in view of Alspector, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to utilize the teaching of Alspector to the system of Sprosts in order to provide a global e-mail classifier that classifies e-mail as it enters the e-mail system.
Sprosts and Alspector may not explicitly disclose computing a reputation score for the email based on hygiene scores of the first set of clients.
However, Nachenberg discloses computing a reputation score for the email based on hygiene scores of the first set of clients (i.e., In one embodiment, hygiene scores are determined for each of a plurality of clients, where the hygiene scores represent assessments of the trustworthiness of the clients. When one of the clients encounters an entity, a reputation score for that entity is calculated and provided to the client. The reputation score may be calculated as a function of only those clients that have a hygiene score above a threshold. The calculated reputation score represents an assessment of whether the entity is malicious in terms of the special users who have clients with high hygiene scores. The client that encountered the entity then presents the reputation score to a user, along with a message indicating that the reputation score is based on other trustworthy clients that have good hygiene scores. In this way, the user is informed of the entity's reputation using information about the extent to which the trustworthy clients with good hygiene have interacted with the entity, ¶ 10) in order to provide a score that is an assessment of the likelihood that an entity is malicious (¶ 23).
Therefore, based on Sprosts in view of Alspector, and further in view of Nachenberg, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to utilize the teaching of Nachenberg to the system of Sprosts and Alspector in order to provide a score that is an assessment of the likelihood that an entity is malicious.

With respect to claim 2, Sprosts discloses wherein when the email contains a link or an attachment, the identifying identifies the first set of recipients who have accessed the link or the attachment contained in the email (i.e., In most virus outbreaks, executable attachments now serve as a carrier of virus code. For example, of 17 leading virus outbreaks in the last three years, 13 viruses were sent through email attachments. Twelve of the 13 viruses sent through email attachments were sent through dangerous attachment types. Thus, some enterprise network mail gateways now block all types of executable file attachments, ¶ 6.  determining a virus score value for the message based upon one or more rules that specify attributes of messages that are known to contain computer viruses, wherein the attributes comprise a type of file attachment to the message, a size of the file attachment, and one or more heuristics based on the message sender, subject or body and other than file attachment signatures [the identifying identifies the first set of recipients who have accessed the link or the attachment contained in the email]; when the virus score value is greater than or equal to a specified threshold, storing the message in a quarantine queue without immediately delivering the message to the recipient account, ¶ 45.  
In an embodiment, the staffing personnel at a VOOC or components of a system according to an embodiment may determine whether a message contains a virus based on a variety of factors, such as (a) patterns in receiving messages with attachments [the identifying identifies the first set of recipients who have accessed the link or the attachment contained in the email], (b) risky characteristics of attachments to received messages [the identifying identifies the first set of recipients who have accessed the link or the attachment contained in the email], (c) published vendor virus alerts, (d) increased mailing list activity, (e) risky source-based characteristics of messages, (f) the percentage of dynamic network addresses associated with sources of received messages, (g) the percentage of computerized hosts associated with sources of received messages, and (h) the percentage of suspicious volume patterns, ¶ 73). 
Sprosts also discloses wherein hygiene score of a first recipient is higher than that of a second recipient if the first recipient has caused infections with lesser probability than that caused by the second recipient, wherein higher hygiene scores for the first set of recipients implies a lower probability of malicious attacks being propagated via the email (i.e., The needs identified in the foregoing Background, and other needs and objects that will become apparent for the following description, are achieved in the present invention, which comprises, in one aspect, a method comprising receiving an electronic mail message having a destination address for a recipient account; determining a virus score value [hygiene score] for the message based upon one or more rules that specify attributes of messages that are known to contain computer viruses, wherein the attributes comprise a type of file attachment to the message, a size of the file attachment, and one or more heuristics based on the message sender, subject or body and other than file attachment signatures; when the virus score value is greater than or equal to a specified threshold, storing the message in a quarantine queue without immediately delivering the message to the recipient account, ¶ 45.  In these example rules, Rule 1 indicates that ZIP attachments are more likely to include a virus than EXE attachments because the virus score is 4 in Rule 2 but only 3 in Rule 1 [wherein hygiene score of a first recipient is higher than that of a second recipient if the first recipient has caused infections with lesser probability than that caused by the second recipient, wherein higher hygiene scores for the first set of recipients implies a lower probability of malicious attacks being propagated via the email], ¶ 143.  According to one approach, a virus score is determined and stored in a database in association with an IP address value of a sender of the message. 
The score thus indicates the likelihood that a message originating from the associated address will contain a virus [wherein hygiene score of a first recipient is higher than that of a second recipient if the first recipient has caused infections with lesser probability than that caused by the second recipient, wherein higher hygiene scores for the first set of recipients implies a lower probability of malicious attacks being propagated via the email], ¶ 231). 
Sprosts may not explicitly disclose identifies the first set of recipients who have opened the email.
However, Alspector discloses identifies the first set of recipients who have opened the email (i.e., Implicit feedback may include the user keeping a message marked as new after the user has read the e-mail [identifying a set of recipients of an email who have opened the email], forwarding the e-mail, replying to the e-mail, adding the sender's e-mail address to the user's address book, and printing the e-mail. Implicit feedback also may include the user not explicitly changing the classification of a message. In other words, there may be an assumption that the classification was correctly performed if the user does not explicitly change the class. If the described techniques are used in an instant messaging system, implicit feedback may include, for example, a user refusing to accept an initial message from a sender not on the user's buddy list, column 12 ¶ 3) in order to provide a global e-mail classifier that classifies e-mail as it enters the e-mail system (column 4 lines 54-55).
Therefore, based on Sprosts in view of Alspector, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to utilize the teaching of Alspector to the system of Sprosts in order to provide a global e-mail classifier that classifies e-mail as it enters the e-mail system.

With respect to claim 3, Sprosts discloses wherein the identifying and the computing is performed at a first time instance, the method further comprising: continuing to monitor the email to identify a third set of recipients who have opened the email at a second time instance after the first time instance, and to compute a new value for the reputation score based on hygiene scores of the third set of recipients; and updating the reputation score for the email to the new value (i.e., The present invention is illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings and in which like reference numerals refer to similar elements and in which:… FIG. 7 is a block diagram of a system that may be used in approaches for blocking "spam" messages, and for other kinds of email scanning processes, ¶s 9 and 16.  The anti-spam logic 119 scans inbound messages to determine if they are unwanted according to a mail acceptance policy, such as whether the inbound messages are unsolicited commercial email, and the anti-spam logic 119 applies policies to restrict delivery, redirect, or refuse acceptance of any unwanted messages. In an embodiment, anti-spam logic 119 scans messages and returns a score of between 0 and 100 for each message indicating a probability that the message is spam or another type of unwanted email. Score ranges are associated with an threshold, definable by an administrator, of possible spam and likely spam against which users can apply a specified set of actions described further below. In an embodiment, messages scoring 90 or above are spam and messages scoring 75-89 are suspected spam, ¶ 59.  In an embodiment, block 312 also may involve generating and sending an alert message to one or more administrators when the virus outbreak information obtained from virus information processor 108 satisfies a specified threshold, such as when a virus score value meets or exceeds a specified threshold virus score value. 
For example, an alert message sent at block 312 may comprise an email that specifies the attachment types for which the virus score has changed, current virus score, prior virus score, current threshold virus score, and when the last update of the virus score for that type of attachment was received from the virus information processor 108, ¶ 110.  Thus, the scores are updated and changed based on up-to-date information). 

With respect to claim 4, Sprosts discloses wherein the email is addressed to a plurality of recipients, the first set of recipients and the second set of recipients being contained in the plurality of recipients, wherein the second set of recipients of the email include at least some of those of the plurality of recipients not contained in the first set of recipients (i.e., The message is either addressed to, or propagates by action of the virus to, a plurality of destinations such as virus information source 104 and spamtrap 106 [wherein the email is addressed to a plurality of recipients, the first set of recipients and the second set of recipients being contained in the plurality of recipients], ¶ 52.  In an embodiment, messaging gateway 107 includes virus information logic 114 for obtaining virus outbreak information from virus information processor 108 and processing messages destined for end stations 120A, 120B, 120C according to policies that are set at the messaging gateway, ¶ 56.  Also see figure 1.  Thus the recipients can be many different users and accounts and it would be obvious to one of ordinary skill in the art for those recipients to be subsets of one another such as with carbon copy and blind copy recipients). 

With respect to claim 5, Sprosts discloses wherein the first set of recipients belong to a first enterprise and the second set of recipients belong to a second enterprise (i.e., In an embodiment, an administrator can configure anti-spam logic 119 to scan a message against enterprise-specific content dictionaries before performing other anti-spam scanning [different enterprises]. This approach enables messages to first receive a low score if they contain enterprise-specific terms or industry-standard terms, without undergoing other computationally expensive spam scanning, ¶ 185.  In an embodiment, a set of configuration information stored in messaging gateway 107 specifies additional program behavior for virus outbreak scanning for each potential recipient of a message from the gateway. Since messaging gateway 107 typically controls message traffic to a finite set of users, e.g., employees, contractors or other users in an enterprise private network, such configuration information may be managed for all potential recipients. For example, a per-recipient configuration value may specify a list of message attachment file extension types (".doc", ".ppt", etc.) that are excluded from consideration by the scanning described herein, and a value indicating that a message should not be quarantined. In an embodiment, the configuration information can include a particular threshold value for each recipient. Thus, the tests of step 312 and step 908 may have a different outcome for different recipients depending upon the associated threshold values, ¶ 266.  Thus, users of different enterprises have different outcomes and thresholds.  These different enterprises could obviously have different sets of users).

With respect to claims 8 and 15, the limitations of claims 8 and 15 are rejected in the analysis of claim 1 above, and the claim is rejected on that basis.

With respect to claims 9 and 16, the limitations of claims 9 and 16 are rejected in the analysis of claim 2 above, and the claim is rejected on that basis.

With respect to claims 10 and 17, the limitations of claims 10 and 17 are rejected in the analysis of claim 3 above, and the claim is rejected on that basis.

With respect to claims 11 and 18, the limitations of claims 11 and 18 are rejected in the analysis of claim 4 above, and the claim is rejected on that basis.

With respect to claims 12 and 19, the limitations of claims 12 and 19 are rejected in the analysis of claim 5 above, and the claim is rejected on that basis.

Claims 6-7, 13-14 and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Sprosts et al. (U.S. Publication No. 2007/0079379 A1) in view of Alspector et al. (U.S. Patent No. 8,214,437 B1), and Nachenberg (U.S. Publication No. 2009/0328209 A1), and in further view of Weith et al. (U.S. Publication No. 2017/0359220 A1).
With respect to claim 6, Sprosts discloses wherein each recipient has positive and negative hygiene scores (i.e., For example, a rule can be "if `exe`, then 4" to denote a virus score of 4 for messages with EXE attachments. As another example, a rule can be "if `exe` and size <50 k, then 3" to denote a virus score of 3 for messages with EXE attachments with a size of less than 50 k. As yet another example, a rule can be "if SBRS<-5, then 4" to denote a virus score of 4 if the SenderBase Reputation Score (SBRS) is less than "-5", ¶ 132.  For the purposes of describing FIG. 5, assume that that message has an EXE type of attachment with a size of 35 k and that sending host for the message has a SenderBase reputation score of -2, ¶ 136.  In the present example in which the message has an EXE type of attachment with a size of 35 k and the associated SenderBase reputation score is -2, Rules 1 and 4 match while Rules 2, 3, and 5 do not match, ¶ 144.  One additional feature is to obtain sender-based data that is specifically designed to aid in the identification of virus threats. For example, when an MGA queries a service such as SenderBase to obtain the SenderBase reputation score for the connecting IP address, SenderBase can provide virus threat data that is specific for the connecting IP address. The virus threat data is based on data collected by SenderBase for the IP address and reflects the history of the IP address in terms of how often viruses are detected in messages originating from the IP address or the company associated with the IP address. This can allow the MGA to obtain a virus score from SenderBase based solely on the sender of the message without any information or knowledge about the content of a particular message from the sending IP address.
The data on the virus threat for the sender can be used in place of, or in addition to, a virus score as determined above, or the data on the virus threat for the sender can be factored into the calculation of the virus score. For example, the MGA could increase or decrease a particular virus score value based on the virus threat data for the sender, ¶ 160). 
Sprosts, Alspector and Nachenberg may not explicitly disclose deeming that a recipient has never caused an infection in a pre-determined duration and if the recipient has been a cause of at least one infection in the pre-determined duration.
However, Weith discloses deeming that a recipient has never caused an infection in a pre-determined duration and if the recipient has been a cause of at least one infection in the pre-determined duration (i.e., In an exemplary embodiment, a method implemented through a distributed security system for determining and addressing risk of users, groups of users, locations, and/or companies includes obtaining log data from the distributed security system; analyzing the log data to obtain a risk score for an entity associated with the distributed security system, wherein the entity comprises one of a user, a group of users, a location, and a company, and wherein the risk score is a weighted combination of pre-infection behavior [deeming that a recipient has never caused an infection in a pre-determined duration], post-infection behavior [if the recipient has been a cause of at least one infection in the pre-determined duration], and suspicious behavior; performing one or more remedial actions for the entity; and subsequently obtaining updated log data and analyzing the updated log data to obtain an updated risk score to determine efficacy of the one or more remedial actions. The analyzing to obtain the risk score can include performing a plurality of levels of aggregation on the log data to determine threats for the entity and to categorize the threats; and determining the risk score for the entity based on a weighted formula of the categorized threats and a length of infection of each [pre-determined duration]. The plurality of levels of aggregation can each a form of a Structured Query Language (SQL) query on the log data. The categorized threats can be segmented in the pre-infection behavior, the post-infection behavior, and the suspicious behavior. The post-infection behavior is weighted higher than the pre-infection behavior which is weighted higher than the suspicious behavior, ¶ 5.  
It is also advantageous to take the length of infection into account with the risk score, or at least average length of infection, but to do so would require storing a list of every infection that a user had for every day. However, the amount of data stored per user can be fixed assuming that, e.g., if there are 3 infections on day one and three infections on day two, that they are the same infections. Having made that assumption, adding up the number of infections over, e.g., 5 days, then estimate the average period of infection as the sum of the bucket counts for the 5 days, all divided by 5. The estimate will be >=the actual average length of infection [pre-determined durations], ¶ 129) in order to obtain a risk score for an entity (¶ 5).
Therefore, based on Sprosts in view of Alspector and Nachenberg, and further in view of Weith, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to utilize the teaching of Weith to the system of Sprosts, Alspector and Nachenberg in order to obtain a risk score for an entity.

With respect to claim 7, Sprosts discloses wherein each recipient has positive and negative hygiene scores (i.e., For example, a rule can be "if `exe`, then 4" to denote a virus score of 4 for messages with EXE attachments. As another example, a rule can be "if `exe` and size <50 k, then 3" to denote a virus score of 3 for messages with EXE attachments with a size of less than 50 k. As yet another example, a rule can be "if SBRS<-5, then 4" to denote a virus score of 4 if the SenderBase Reputation Score (SBRS) is less than "-5", ¶ 132.  For the purposes of describing FIG. 5, assume that that message has an EXE type of attachment with a size of 35 k and that sending host for the message has a SenderBase reputation score of -2, ¶ 136.  In the present example in which the message has an EXE type of attachment with a size of 35 k and the associated SenderBase reputation score is -2, Rules 1 and 4 match while Rules 2, 3, and 5 do not match, ¶ 144.  One additional feature is to obtain sender-based data that is specifically designed to aid in the identification of virus threats. For example, when an MGA queries a service such as SenderBase to obtain the SenderBase reputation score for the connecting IP address, SenderBase can provide virus threat data that is specific for the connecting IP address. The virus threat data is based on data collected by SenderBase for the IP address and reflects the history of the IP address in terms of how often viruses are detected in messages originating from the IP address or the company associated with the IP address. This can allow the MGA to obtain a virus score from SenderBase based solely on the sender of the message without any information or knowledge about the content of a particular message from the sending IP address.
The data on the virus threat for the sender can be used in place of, or in addition to, a virus score as determined above, or the data on the virus threat for the sender can be factored into the calculation of the virus score. For example, the MGA could increase or decrease a particular virus score value based on the virus threat data for the sender, ¶ 160). 
Sprosts and Alspector may not explicitly disclose wherein the reputation score for the email is computed as a negative value if the number of recipients having negative hygiene score in the first set of recipients is greater than the number of recipients having positive hygiene score in the first set of recipients and a positive value otherwise.
However, Nachenberg discloses wherein the reputation score for the email is computed as a negative value if the number of recipients having negative hygiene score in the first set of recipients is greater than the number of recipients having positive hygiene score in the first set of recipients and a positive value otherwise (i.e., The calculated reputation score represents an assessment of whether the entity is malicious in terms of the special users who have clients with high hygiene scores, ¶ 10.  For example, if a particular file is predominantly encountered by clients 112 with low hygiene scores, there is an elevated risk that the file is malicious because most users that use the file are poor at avoiding computer threats. Therefore, the file is likely to receive a low reputation score. Similarly, a website that is frequently visited by clients 112 having high hygiene scores is likely to receive a high reputation score because the website is frequented by users that are good at avoiding computer threats, ¶ 23.  For example, a score of zero can represent the lowest reputation while a score of one can represent the highest reputation. In other embodiments, the reputation score is quantized into one of a limited set of values [negative or positive score values], ¶ 58) in order to provide a score that is an assessment of the likelihood that an entity is malicious (¶ 23).
Nachenberg also discloses wherein the negative value of the reputation score indicates a high probability of malicious attacks being propagated via the email (i.e., For example, if a particular file is predominantly encountered by clients 112 with low hygiene scores, there is an elevated risk that the file is malicious because most users that use the file are poor at avoiding computer threats. Therefore, the file is likely to receive a low reputation score. Similarly, a website that is frequently visited by clients 112 having high hygiene scores is likely to receive a high reputation score because the website is frequented by users that are good at avoiding computer threats, ¶ 23).
Therefore, based on Sprosts in view of Alspector, and further in view of Nachenberg, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to utilize the teaching of Nachenberg to the system of Sprosts and Alspector in order to provide a score that is an assessment of the likelihood that an entity is malicious.

With respect to claim 13, the limitations of claim 13 are rejected in the analysis of claim 6 above, and the claim is rejected on that basis.

With respect to claim 14, the limitations of claim 14 are rejected in the analysis of claim 7 above, and the claim is rejected on that basis.

With respect to claim 20, Sprosts discloses wherein each recipient has positive and negative hygiene scores (i.e., For example, a rule can be "if `exe`, then 4" to denote a virus score of 4 for messages with EXE attachments. As another example, a rule can be "if `exe` and size <50 k, then 3" to denote a virus score of 3 for messages with EXE attachments with a size of less than 50 k. As yet another example, a rule can be "if SBRS<-5, then 4" to denote a virus score of 4 if the SenderBase Reputation Score (SBRS) is less than "-5", ¶ 132.  For the purposes of describing FIG. 5, assume that that message has an EXE type of attachment with a size of 35 k and that sending host for the message has a SenderBase reputation score of -2, ¶ 136.  In the present example in which the message has an EXE type of attachment with a size of 35 k and the associated SenderBase reputation score is -2, Rules 1 and 4 match while Rules 2, 3, and 5 do not match, ¶ 144.  One additional feature is to obtain sender-based data that is specifically designed to aid in the identification of virus threats. For example, when an MGA queries a service such as SenderBase to obtain the SenderBase reputation score for the connecting IP address, SenderBase can provide virus threat data that is specific for the connecting IP address. The virus threat data is based on data collected by SenderBase for the IP address and reflects the history of the IP address in terms of how often viruses are detected in messages originating from the IP address or the company associated with the IP address. This can allow the MGA to obtain a virus score from SenderBase based solely on the sender of the message without any information or knowledge about the content of a particular message from the sending IP address. 
The data on the virus threat for the sender can be used in place of, or in addition to, a virus score as determined above, or the data on the virus threat for the sender can be factored into the calculation of the virus score. For example, the MGA could increase or decrease a particular virus score value based on the virus threat data for the sender, ¶ 160). 
Sprosts and Alspector may not explicitly disclose wherein the reputation score for the email is computed as a negative value if the number of recipients having negative hygiene score in the first set of recipients is greater than the number of recipients having positive hygiene score in the first set of recipients.
However, Nachenberg discloses wherein the reputation score for the email is computed as a negative value if the number of recipients having negative hygiene score in the first set of recipients is greater than the number of recipients having positive hygiene score in the first set of recipients (i.e., The calculated reputation score represents an assessment of whether the entity is malicious in terms of the special users who have clients with high hygiene scores, ¶ 10.  For example, if a particular file is predominantly encountered by clients 112 with low hygiene scores, there is an elevated risk that the file is malicious because most users that use the file are poor at avoiding computer threats. Therefore, the file is likely to receive a low reputation score. Similarly, a website that is frequently visited by clients 112 having high hygiene scores is likely to receive a high reputation score because the website is frequented by users that are good at avoiding computer threats, ¶ 23.  For example, a score of zero can represent the lowest reputation while a score of one can represent the highest reputation. In other embodiments, the reputation score is quantized into one of a limited set of values [negative or positive score values], ¶ 58) in order to provide a score that is an assessment of the likelihood that an entity is malicious (¶ 23).
Nachenberg further discloses wherein the negative value of the reputation score indicates a high probability of a malicious attack being propagated via the email (i.e., For example, if a particular file is predominantly encountered by clients 112 with low hygiene scores, there is an elevated risk that the file is malicious because most users that use the file are poor at avoiding computer threats. Therefore, the file is likely to receive a low reputation score. Similarly, a website that is frequently visited by clients 112 having high hygiene scores is likely to receive a high reputation score because the website is frequented by users that are good at avoiding computer threats, ¶ 23). 
Therefore, based on Sprosts in view of Alspector, and further in view of Nachenberg, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to utilize the teaching of Nachenberg to the system of Sprosts and Alspector in order to provide a score that is an assessment of the likelihood that an entity is malicious.
Sprosts, Alspector and Nachenberg may not explicitly disclose deeming that a recipient has never caused an infection in a pre-determined duration and if the recipient has been a cause of at least one infection in the pre-determined duration.
However, Weith discloses deeming that a recipient has never caused an infection in a pre-determined duration and if the recipient has been a cause of at least one infection in the pre-determined duration (i.e., In an exemplary embodiment, a method implemented through a distributed security system for determining and addressing risk of users, groups of users, locations, and/or companies includes obtaining log data from the distributed security system; analyzing the log data to obtain a risk score for an entity associated with the distributed security system, wherein the entity comprises one of a user, a group of users, a location, and a company, and wherein the risk score is a weighted combination of pre-infection behavior [deeming that a recipient has never caused an infection in a pre-determined duration], post-infection behavior [if the recipient has been a cause of at least one infection in the pre-determined duration], and suspicious behavior; performing one or more remedial actions for the entity; and subsequently obtaining updated log data and analyzing the updated log data to obtain an updated risk score to determine efficacy of the one or more remedial actions. The analyzing to obtain the risk score can include performing a plurality of levels of aggregation on the log data to determine threats for the entity and to categorize the threats; and determining the risk score for the entity based on a weighted formula of the categorized threats and a length of infection of each [pre-determined duration]. The plurality of levels of aggregation can each a form of a Structured Query Language (SQL) query on the log data. The categorized threats can be segmented in the pre-infection behavior, the post-infection behavior, and the suspicious behavior. The post-infection behavior is weighted higher than the pre-infection behavior which is weighted higher than the suspicious behavior, ¶ 5.  
It is also advantageous to take the length of infection into account with the risk score, or at least average length of infection, but to do so would require storing a list of every infection that a user had for every day. However, the amount of data stored per user can be fixed assuming that, e.g., if there are 3 infections on day one and three infections on day two, that they are the same infections. Having made that assumption, adding up the number of infections over, e.g., 5 days, then estimate the average period of infection as the sum of the bucket counts for the 5 days, all divided by 5. The estimate will be >=the actual average length of infection [pre-determined durations], ¶ 129) in order to obtain a risk score for an entity (¶ 5).
Therefore, based on Sprosts in view of Alspector and Nachenberg, and further in view of Weith, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to utilize the teaching of Weith to the system of Sprosts, Alspector and Nachenberg in order to obtain a risk score for an entity.
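
The limitations addressed for claims 7 and 20 can be read together as the following added illustration, which is not part of the Office action or of any cited reference. It assumes that a recipient is deemed to have a negative hygiene score when at least one infection is attributed to that recipient within the pre-determined duration and a positive score otherwise; the function names, addresses and log entries are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample log: (recipient, time an infection was attributed to them).
INFECTION_LOG = [
    ("alice@example.com", datetime(2022, 4, 1)),
    ("bob@example.com", datetime(2022, 4, 20)),
    ("carol@example.com", datetime(2022, 4, 25)),
    ("carol@example.com", datetime(2021, 1, 3)),
]

def hygiene(recipient, log, now, window):
    """Assumed mapping: -1 if the recipient caused at least one infection
    inside the look-back window, +1 if none."""
    cutoff = now - window
    key = recipient.strip().lower()
    infected = any(who.lower() == key and cutoff <= when <= now
                   for who, when in log)
    return -1 if infected else 1

def email_reputation(recipients, log, now, window):
    """Return (sign, negatives, positives) for one email's recipient set."""
    unique = {r.strip().lower() for r in recipients}  # count each recipient once
    scores = [hygiene(r, log, now, window) for r in unique]
    negatives = scores.count(-1)
    positives = scores.count(1)
    # "Negative if negatives outnumber positives, positive otherwise":
    # a tie or an empty recipient set therefore comes out positive.
    sign = -1 if negatives > positives else 1
    return sign, negatives, positives

if __name__ == "__main__":
    now = datetime(2022, 4, 29)
    rcpts = ["alice@example.com", "bob@example.com", "dave@example.com"]
    for days in (14, 30):
        result = email_reputation(rcpts, INFECTION_LOG, now, timedelta(days=days))
        print(days, result)
```

The same three recipients produce a positive score with a 14-day duration and a negative score with a 30-day duration, so the choice of duration alone can flip the result; ties and empty recipient sets fall on the positive side under the "positive value otherwise" wording.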

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAREN M MEANS whose telephone number is (571)270-7202.  The examiner can normally be reached on 12pm-6pm ET.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joon Hwang can be reached on 571-272-4036.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




Jaren M. Means
/J.M.M./
Patent Examiner 
Art Unit 2447
4/29/2022

/JOON H HWANG/
Supervisory Patent Examiner, Art Unit 2447