Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION
This Notice of Allowability is in response to application filed on 12/27/2019. Claims 1-11 and 13-20 are pending of which claims 1, 11 and 16 are independent claims.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 6/21/2021, 03/01/2022, and 04/05/2022 are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Examiner’s Amendment
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in a telephone interview with Martin Wojcik (Reg. No. 57577) on 06/03/2022.
1. (Currently amended) A method for using a malware and phishing detection and mediation platform, the method comprising: 
accessing a plurality of data from one or more of a monitored portion of website data and a monitored portion of emails, the data indicating a respective potential malware or phishing; 
selecting a different detection engine, of a plurality of detection engines for processing the plurality of data, instead of a next detection engine of an initial sequence of detection engines, the initial sequence determined based on an entity accessing the malware and phishing detection and mediation platform, the selecting based on previous results of previous processing by one or more detection engines of the plurality of detection engines, each of the plurality of detection engines for performing one or more respective investigation actions on the plurality of data to determine a particular issue with one or more of the monitored website portion of website data and the monitored portion of emails; and 
performing a mediation action that is determined based on a result of processing of the different detection engine and the previous processing.  
4. (Currently amended) The method of claim 1, wherein the particular issue indicates one or more of the data being a phishing Uniform Resource Locator (URL), the data being malware, the data indicating a branding issue, and/or the data indicating inappropriate content.  
6. (Currently amended) The method of claim 1, wherein 
the monitored portion of website data comprises a plurality of scraped Uniform Resource Locators (URLs)with a certain likelihood of malware or phishing; and 
the monitored portion of emails indicate URLs with another likelihood of malware or phishing.  
7. (Currently amended) The method of claim 1, further comprising 
revising a detection plan to use the different detection engine, the detection plan indicating a sequence of detection engines and score thresholds for respective results from each of the detection engines in the sequence 
8. (Currently amended) The method of claim 1, further comprising initiating processing of the data using the different detection engine to perform a different malware and phishing test on the data 
9. (Currently amended) The method of claim 1, further comprising: 
determining whether the processing of the data using the different detection engine requires accessing content of a webpage associated with a Uniform Resource Locator (URL) of the data; and 
in response to determining that the processing of the data does not require accessing the content, using the different detection engine to analyze one or more of the URL and a cryptographic certificate associated with the URL.  
11. (Currently amended) A system comprising: 
a non-transitory memory storing instructions; and 
a processor configured to execute the instructions to cause the system to: 
access data from one or more of a monitored portion of website data and a monitored portion of emails, the data indicating a respective potential malware; 
determine to use a different detection engine from a next detection engine indicated by an initial sequence of detection engines, the initial sequence determined based on a type of business accessing a[[the]] malware and phishing detection and mediation platform, said determining based on respective results of previous processing performed by other detection engines from a[[the]] plurality of detection engines, each of the plurality of detection engines for performing a respective one of a plurality of malware and phishing tests; and 
revise a detection plan to use the different detection engine, the detection plan indicating a sequence of detection engines and score thresholds for respective results from each of the detection engines in the sequence; 
initiate processing of the data using the different detection engine to perform a different malware and phishing test on the data; and 
perform an action, the action determined based on a result of processing of the different detection engine and the previous processing.  
12. (Canceled) 
13. (Currently amended) The system of claim 11[[12]], wherein the action comprises creation of an evidence package for submission to a web traffic monitoring entity, the evidence package created based on a type of a result of the different malware and phishing test, on the respective results, and on a desired mediation action determined for the result.  
14. (Currently amended) The system of claim 11, wherein the plurality of malware phishing tests are for determining whether the data being a phishing Uniform Resource Locator (URL), the data being malware, the data indicating a branding issue, and/or the data indicating inappropriate content.  
15. (Currently amended) The system of claim 11, wherein executing the instructions further cause the system to, 
determine whether the processing of the data using the different detection engine requires accessing content of a webpage associated with a Uniform Resource Locator (URL) of the data; and 
in response to determining that the processing of the data does not require accessing the content, using the different detection engine to analyze one or more of the URL and a cryptographic certificate associated with the URL.  
16. (Currently amended) A non-transitory machine-readable medium having instructions stored thereon, the instructions executable to cause performance of operations comprising: 
accessing data from one or more of a monitored portion of website data and a monitored portion of emails, the data indicating a suspect Uniform Resource Locator (URL); 
determining a different detection engine, of a plurality of detection engines for processing the suspect URL, instead of a next detection engine of an initial detection plan indicating a sequence of detection engines to be used, the initial detection plan determined based on historical use of the plurality of detection engines to analyze suspect URLs, the selecting based on previous results of previous processing by one or more detection engines of the plurality of detection engines, each of the plurality of detection engines for performing one or more respective investigation actions on the suspect URL to determine whether the suspect URL is a phishing URL; 
revising the initial detection plan to use the different detection engine, the initial detection plan further indicating score thresholds for the detection engines;
determining an action based on a result of processing of the different detection engine and the previous processing; and 
performing the action.  
17. (Currently amended) The non-transitory machine-readable medium of claim 16, wherein the action comprises creation of an evidence package for submission to a web traffic monitoring entity, the evidence package created based on a type of a[[the]] particular issue indicated by the different detection engine, on the previous results, and on the result.  

Allowable Subject Matter
Claims 1-11 and 13-20 are allowed.
The following is an examiner’s statement of reasons for allowance: 
The closest references of record are Singh (US 2017/0223046), Paithane et al. (US 2015/0220735) and Thomas et al. (US 2014/0380482).
Singh teaches systems, methods, and computer-program products for a targeted threat intelligence engine, implemented in a network device. The network device may receive incident data, which may include information derived starting at detection of an attack on the network until detection of an event. The network device may include analytic engines that run in a predetermined order. An analytic engine can analyze incident data of a certain data type, and can produce a result indicating whether a piece of data is associated with the attack. The network device may produce a report of the attack, which may include correlating the results from the analytic engines. The report may provide information about a sequence of events that occurred in the course of the attack. The network device may use the record of the attack to generate indicators, which may describe the attack, and may facilitate configuring security for a network. 
Paithane et al. teaches a computerized system and method is described for classifying objects as malicious by processing the objects in a virtual environment and monitoring behaviors during processing by one or more monitors. The monitors may monitor and record selected sets of process operations and capture associated process parameters, which describe the context in which the process operations were performed. By recording the context of process operations, the system and method described herein improves the intelligence of classifications and consequently reduces the likelihood of incorrectly identifying objects as malware or vice versa.
Thomas et al. teaches systems and methods are provided for malware scanning and detection in a computing system. In one exemplary embodiment, the method includes launching, in a computing device of the computing system, a virtual machine, and launching, in the virtual machine of the computing device, an internet browser. The method also includes requesting, by the internet browser, data from a web page, and performing, using one or more analysis tools, analysis on the web page. In the method, performing analysis on the web page includes performing monitoring and recording of system application programming interface (API) calls, and creating software objects associated with the web page. The method also includes performing antivirus scanning of the software objects, de-obfuscating JavaScript associated with the software objects, and correlating data associated with the performed analysis to determine if the web page is a malicious web page.
Singh (US 2017/0223046), Paithane et al. (US 2015/0220735) and Thomas et al. (US 2014/0380482), either taken by itself or in any combination, fail to disclose or suggest limitation “selecting a different detection engine, of a plurality of detection engines for processing the plurality of data, instead of a next detection engine of an initial sequence of detection engines, the initial sequence determined based on an entity accessing the malware and phishing detection and mediation platform, the selecting based on previous results of previous processing by one or more detection engines of the plurality of detection engines, each of the plurality of detection engines for performing one or more respective investigation actions on the plurality of data to determine a particular issue with one or more of the monitored website portion of website data and the monitored portion of emails” in combination with other limitations as recited by independent claim 1. 
Singh (US 2017/0223046), Paithane et al. (US 2015/0220735) and Thomas et al. (US 2014/0380482), either taken by itself or in any combination, fail to disclose or suggest limitation “determine to use a different detection engine from a next detection engine indicated by an initial sequence of detection engines, the initial sequence determined based on a type of business accessing a malware and phishing detection and mediation platform, said determining based on respective results of previous processing performed by other detection engines from a plurality of detection engines, each of the plurality of detection engines for performing a respective one of a plurality of malware and phishing tests and revise a detection plan to use the different detection engine, the detection plan indicating a sequence of detection engines and score thresholds for respective results from each of the detection engines in the sequence” in combination with other limitations as recited by independent claim 11. 
Singh (US 2017/0223046), Paithane et al. (US 2015/0220735) and Thomas et al. (US 2014/0380482), either taken by itself or in any combination, fail to disclose or suggest limitation “determining a different detection engine, of a plurality of detection engines for processing the suspect URL, instead of a next detection engine of an initial detection plan indicating a sequence of detection engines to be used, the initial detection plan determined based on historical use of the plurality of detection engines to analyze suspect URLs, the selecting based on previous results of previous processing by one or more detection engines of the plurality of detection engines, each of the plurality of detection engines for performing one or more respective investigation actions on the suspect URL to determine whether the suspect URL is a phishing URL; revising the initial detection plan to use the different detection engine, the initial detection plan further indicating score thresholds for the detection engines” in combination with other limitations as recited by independent claim 16. 
Other independent claims recite features similar to those recited in independent claim 1, and are therefore allowable for reasons similar to those given above. Dependent claims are allowed by virtue of their dependencies.
None of the prior art of record either taken by itself or in any combination, would have anticipated or made obvious the invention of the present application at or before the time it was filed.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KHANG DO whose telephone number is (571)270-7837. The examiner can normally be reached Monday-Friday 8:00 - 5:00 EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SALEH NAJJAR can be reached on (571)272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/KHANG DO/Primary Examiner, Art Unit 2492