DETAILED ACTION

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

                                               Remarks
The Examiner found that the previous Office Action is incomplete because the last work related with the simple paragraphs such as “Regarding claim 12, it is a non-transitory claim corresponding to an apparatus claim 1 and is therefore rejected for the similar reasons set forth in the rejection of the claim. Regarding claims 13 and 14, they are claims corresponding to claims 2 & 3, respectively and are therefore rejected for the similar reasons set forth in the rejection of the claims” were not saved. According to “Reply Period is Reset or Restarted [MPEP 710.06 [R-6], where the citation of a reference is incorrect or an Office action contains some other error that affects applicant’s ability to reply to the Office action and this error is called to the attention of the Office within 1 month of the mail date of the action, the Office will restart the previously set period for reply to run from the date the error is corrected,” the Office will restart the previously set period for reply.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 1-3, 7-10, 13, 14, and 23-29 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Claim 1 recite the limitation "the electronic communication" in lines 5-6. There is insufficient antecedent basis for this limitation in the claim.
Claim 2, recite the limitation “contacts and contact information” in line 5. There is insufficient antecedent basis for this limitation in the claim because “contacts” in line 3. Does the “contact information” indicate the “contact information” in claim 1, line 6?
Claim 3, recite the limitation “communication history” in line 2. There is insufficient antecedent basis for this limitation in the claim.
Claim 13, recite the limitation “contacts and contact information” in line 6. There is insufficient antecedent basis for this limitation in the claim because “contacts” in line 3. Does the “contact information” indicate the “contact information” in claim 12, line 5?
Claim 23 recite the limitation "the electronic communication" in line 4. There is insufficient antecedent basis for this limitation in the claim.
Claim 24, recite the limitation “contacts and contact information” in line 4. There is insufficient antecedent basis for this limitation in the claim because “contacts” in line 2. Does the “contact information” indicate the “contact information” in claim 23, line 5?
[Examiner’s Note]: there are many 112(b) issues in the remainder of the claims. The Applicant is required to identify those and make appropriate corrections. In addition, lack of art rejection should not be considered as allowable subject matter.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

Claims 1-3, 7-10, 12-14, 16, 18-21, 23-25, 27, and 29 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Jakobsson et al. (US 2018/0375877, “Jakobsson”).
Regarding claim 1, Jakobsson discloses an apparatus to process an electronic communication, the apparatus comprising: 
- a trusted communication identifier including (See ¶.30, the identity (e.g., including display name, email address, domain, and identity conveyed by or associated with content of the email) and that of entities that are trusted): 
- a contact identifier to (See ¶.30, one of the contact identifiers): 
- compare sender information from the electronic communication to contact information from a contact datastore (See, 1004 fig.10, ‘A sender of the message exactly matches a trusted contact?’; See ¶.51, profiling the message may include storing information about and/or included in the message in a database to track historical observations about the sender of the message, the recipient of the message, and/or the content portion of the message; See ¶.57, an assessment is made on whether the resource identifier refers to known malicious content by comparing at least a portion of the resource identifier to a known list and/or obtaining and analyzing content referenced by the resource identifier; See ¶.67, the encrypted value and/or the original resource identifier may be used to look up in a database the associated context information; See ¶.70, examples of the associated context information (e.g., stored in a database entry associated with at least a portion of the alternative resource identifier or encrypted and included in the alternative resource identifier) include: a display name, an address, an associated security risk, and any other information associated with a sender of the original message);
- determine that a communication has not previously been sent from a recipient of the electronic communication to the sender of the electronic communication when the sender information from the electronic communication is not found in the contact datastore (See 1004 & 1008 fig.10, ‘A sender of the message exactly matches a trusted contact?’ ‘The sender of the message is similar to a trusted contact?’; See ¶.212, the message is identified as suspicious if a recipient identified in the message has not previously sent a message to the sender of the message); and 
- in response to determining that the communication has not been previously sent, provide an alert message that the sender information from the electronic communication is unknown (See 1010 fig.10, ‘Filter the message if applicable’; See 1308 fig.13A, ‘Base on the response to the manual classification request, perform a security action, if applicable; See fig.14A-B and ¶.211, security action); and 
- a user action determiner to store the sender information from the electronic communication in the contact datastore when a response to the electronic communication has been sent (See fig. 14B, store suspicious email address such as “ppeterson14014@yahoo.com” to compare; See ¶.71, the database storing the context information may store information indefinitely; until it has been accessed and a determination made; for a fixed amount of time, such as one week; until a positive (safe) decision has been made; until a negative decision (high risk) has been made, in which case the original URL may be placed on a block list; and/or until a user action has been performed, such as placing the message in the trash folder, or according to a policy that is associated with the recipient or his or her organization; See 89, blacklist; See ¶.94, a whitelist).

Regarding claim 2, Jakobsson discloses “further including a contact information initializer to: obtain communication history or contacts associated with an application on a user device; and store, in the contact datastore, contacts and contact information associated with the communication history that were utilized in sending communications from the user device (See ¶.51, profiling the message may include storing information about and/or included in the message in a database to track historical observations about the sender of the message; See ¶.83, This is a score that depends on the sender and his or her historical risk behavior (such as distributing dangerous messages, links, and attachments); the sender's role (such as being an influential person); the role of any party whose identifying information resembles the sender, where this party is known by and/or trusted by the recipient; the recipient and his or her historical risk behavior (such as opening dangerous messages, clicking on dangerous links, and opening dangerous attachments, where an item is considered dangerous if it or its format is correlated with risk); See ¶.84, The scores can be derived from past interaction with emails; past results in training sessions; past browsing history; and configurations made by the sender/recipient or admins associated with either of these. Context here is also historical—given the benefit of hindsight. Very often attacks are much clearer after they have passed. This is useless information in many security approaches, since the danger has moved on. But with historical data, notably unavailable to the web crawler or proxy, actions by the given user taken months ago may be evaluated in light of everything learned since the actions. And if this can color the assessment of the risk of the user's actions today, it can greatly ameliorate the dangers posed by their actions tomorrow on threats not yet understand. This can be a general measurement of the “gullibility” and “value” of the target, but can be even more specific to a behavior or attack type—over the past year, it may be noted that a user will blindly click on anything that looks related to their social media presence. This can then be used to tune the risk of a specific link in a message to that user. Lastly, this historical data can be used to project increased exposure proactively. If historical data shows a user has engaged with a previous threat or it has been observed in previous campaigns, it is known that their email address and/or identity is known to bad actors, and this may be utilized to evaluate new threats).”

Regarding claim 3, Jakobsson discloses “wherein the contact information initializer is to obtain communication history associated with at least two different applications on the user device (See ¶.84, the scores can be derived from past interaction with emails; past results in training sessions; past browsing history; and configurations made by the sender/recipient or admins associated with either of these. Context here is also historical—given the benefit of hindsight. Very often attacks are much clearer after they have passed. This is useless information in many security approaches, since the danger has moved on. But with historical data, notably unavailable to the web crawler or proxy, actions by the given user taken months ago may be evaluated in light of everything learned since the actions. And if this can color the assessment of the risk of the user's actions today, it can greatly ameliorate the dangers posed by their actions tomorrow on threats not yet understand. This can be a general measurement of the “gullibility” and “value” of the target, but can be even more specific to a behavior or attack type—over the past year, it may be noted that a user will blindly click on anything that looks related to their social media presence. This can then be used to tune the risk of a specific link in a message to that user. Lastly, this historical data can be used to project increased exposure proactively. If historical data shows a user has engaged with a previous threat or it has been observed in previous campaigns, it is known that their email address and/or identity is known to bad actors, and this may be utilized to evaluate new threats. For example, if a resource identifier shows up for multiple receivers, and it is known that the same set of recipients were victims of previous attacks, a higher risk can be ascribed to the resource identifiers even before evaluating it because of the correlation. There are many circumstances where an email address that has been exposed this way may be known and thus any resource identifiers sent to that user can be given a more aggressive check).”

Regarding claim 7, Jakobsson discloses “further including a new contact monitor to: determine if a new contact is added to contacts associated with an application; and in response to determining the new contact is added, store information of the new contact in the contact datastore (See ¶.75, wherein the receiving system of the new recipient may add to the database of contextual information to describe the context as seen by the second and new recipient. It is also possible to add a second alternative resource identifier associated with this second-recipient context).”

Regarding claim 8, Jakobsson discloses “further including a malicious content scanner to determine if the electronic communication includes a uniform recourse locator (URL) or an attachment file (See ¶.30, a URL hyperlink in an email is identified, and the URL hyperlink in the email is modified to reference an alternative URL prior to delivery. The alternative URL can be used to obtain the original URL hyperlink as well as contextual information associated with the email. When the alternative URL is visited by a message recipient, a determination is made on the security associated with the original URL and/or the associated email and/or the associated sender, utilizing the contextual information and the URL assessment. Here, the assessment of the URL can be done by performing one of rendering, partially rendering, automatically interacting with the associated site, making an assessment of the associated site behavior, including spawning of processes or other webpage rendering requests, and making an assessment of the domain and subdomain of the URL, including reputation, age, and contextual use. This decision can be done as soon as possible after the URL is identified, in batch mode, as a result of the user clicking on the modified URL in the delivered email, or as a result of an external event, such as notification of a risk or attack potentially affecting the recipient. Context relating to the email is used, including text in the email, logos and other graphics in the email, the recipient of the email and whether this user normally receives emails with URLs of a similar type according to a security classification, and based on the sender, whether the sender is a trusted party, and if the sender is not considered a trusted part, whether there is any potential likeness between the identity (e.g., including display name, email address, domain, and identity conveyed by or associated with content of the email) and that of entities that are trusted by the recipients, or trusted by many users like the recipient).”

Regarding claim 9, Jakobsson discloses “further including the malicious content scanner to determine if the URL included in the electronic communication is malicious using anti-virus software (See ¶.224, an unwanted URL/attachment is one that is judged likely to be associated with risk, e.g., using a blacklist or an anti-virus scan; See ¶.32, improves anti-virus filtering based on contextual information and threat information relating to the threat vector used for message delivery; See ¶.121, This can be done in a multiplicity of ways, including detonating each file, determining whether any of the files match an anti-virus signature, determining whether any of the files has executable code segments in it, etc).”

Regarding claim 10, Jakobsson discloses “further including the malicious content scanner to determine if the attachment file included in the electronic communication is malicious using anti-virus software (See ¶.224, an unwanted URL/attachment is one that is judged likely to be associated with risk, e.g., using a blacklist or an anti-virus scan; See ¶.32, improves anti-virus filtering based on contextual information and threat information relating to the threat vector used for message delivery).”

Regarding claim 12, it is a non-transitory claim corresponding to an apparatus claim 1 and is therefore rejected for the similar reasons set forth in the rejection of the claim.

Regarding claims 13 and 14, they are claims corresponding to claims 2 & 3, respectively and are therefore rejected for the similar reasons set forth in the rejection of the claims.

Regarding claim 16, Jakobsson discloses “wherein the contact datastore is accessible across different user devices (See ¶.138, the list of recipients may correspond to the recipients/email servers accessible (e.g., list of email domains being managed) by an analysis server. In some embodiments, each email server of each recipient performs its own determination of its measure of local reputation for the sender. In some embodiments, the measure of local reputation is determined dynamically. For example, when a recipient receives a message from the sender, the recipient determines the measure of local reputation for the sender).”

Regarding claims 18-21, they are claims corresponding to claims 7-10, respectively and are therefore rejected for the similar reasons set forth in the rejection of the claims.

Regarding claim 23, it is a method claim corresponding to the apparatus claim 1 and is therefore rejected for the similar reasons set forth in the rejection of the claim.

Regarding claims 24, 25, 27, and 29, they are claims corresponding to claims 2, 3, 16, & 7, respectively and are therefore rejected for the similar reasons set forth in the rejection of the claims.

Contact Information

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Jung Park whose telephone number is 571-272-8565. The examiner can normally be reached on Mon-Fri during 7:00-3:00.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Derrick Ferris can be reached on 571-272-3123.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/JUNG H PARK/Primary Examiner, Art Unit 2411