DETAILED ACTION 
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Amendment
This action is in response to the communications and remarks filed on 06/15/2022. Claims 1, 10 and 19 have been amended. Claims 8 and 17 have been canceled. Claims 1-7, 9-16, and 18-20 have been examined and are pending.
Response to Arguments
Applicant's arguments, see pages 8-15 of the Remarks, filed 06/15/2022, regarding the 103 rejections of Claims 1-7, 9-16, and 18-20 have been fully considered and are persuasive.  
The claims are now in condition for allowance.
Examiner's Amendments
An examiner's amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner's amendment was given via telephone/email from Mr. James A. Gromada (Reg. No. 44,727) on 06/30/2022. The application has been amended as follows:
Please replace claim 1 with: 
1. (Currently Amended) A computer implemented method for classifying and mitigating security threats in a digital communication network, the method comprising: 
receiving a digital communication from a user, wherein the digital communication has been identified as suspicious by the user; 
parsing the digital communication to identify at least one content indicator; 
performing at least one processing activity based on the at least one content indicator, wherein performance of the at least one processing activity generates an output; 
determining whether the digital communication comprises malicious content based on the output generated by the at least one processing activity; 
performing at least one mitigation activity when the digital communication comprises malicious content; 
determining whether the digital communication has been previously processed; 
when the digital communication has been previously processed, determining when the digital communication is related to phishing; and 
when the digital communication is related to phishing, performing at least the one processing activity for at least a second time in order to determine a source of the phishing, 
wherein at least one from among the parsing of the digital communication, the performing of the at least one processing activity, the determining of whether the digital communication comprises malicious content, and the performing of the at least one mitigation activity comprises applying a machine learning module that is trained using a set of communications that are exemplary of malicious or suspicious content.
Attorney Docket No. P57918, Application No. 16/400,493

Please replace claim 10 with:
10. (Currently Amended) A system for classifying and mitigating security threats in digital communication networks, the system comprising: 
a classification and mitigation system configured to: 
receive a digital communication from a user, wherein the digital communication has been identified as suspicious by the user; 
parse the digital communication to identify at least one content indicator; 
perform at least one processing activity based on the at least one content indicator, wherein performance of a processing activity generates an output; 
determine whether the digital communication comprises malicious content based on the output; 
perform at least one mitigation activity when the digital communication comprises malicious content; 
determine whether the digital communication has been previously processed; 
when the digital communication has been previously processed, determine when the digital communication related to phishing; and 
when the digital communication related to phishing, performing at least one processing activity for at least a second time in order to determine a source of the phishing, 
wherein the classification and mitigation system is further configured to perform at least one from among the parsing of the digital communication, the performing of the at least one processing activity, the determining of whether the digital communication comprises malicious content, and the performing of the at least one mitigation activity by applying a machine learning module that is trained using a set of communications that are exemplary of malicious or suspicious content.

Please replace claim 19 with:
19. (Currently Amended) A method for training users to classify and mitigate security threats in a digital communication network, the method comprising: 
transmitting a training communication to a user, wherein the training communication has at least one suspicious content indicator; 
receiving a digital communication from the user, wherein the digital communication has been identified as suspicious by the user; 
parsing the digital communication to identify the at least one suspicious content indicator; 
determining whether the digital communication received from the user is the same as the training communication; 
when the digital communication received from the user is the same as the training communication, sending the user a notification indicating completion of training; 
determining whether the digital communication has been previously processed; 
when the digital communication has been previously processed, determining when the digital communication is related to phishing; and
when the digital communication is related to phishing, performing at least one processing activity for at least a second time in order to determine a source of the phishing, 
wherein at least one from among the parsing of the digital communication, the performing of the at least one processing activity, the determining of whether the digital communication comprises malicious content, and the performing of the at least one mitigation activity comprises applying a machine learning module that is trained using a set of communications that are exemplary of malicious or suspicious content.  

Examiner’s Comments
Applicant's amendments and arguments (see pages 8-15 of the Remarks, filed 06/15/2022) have been fully considered and are persuasive. In response to applicant's arguments regarding independent claims 1, 10 and 19, and after a complete search of the entire relevant prior art, the examiner has determined that the claims are in condition for allowance. The previous 103 rejections of claims 1-20 have been withdrawn.
Allowable Subject Matter
Applicant's arguments have been considered and are determined to be persuasive. Accordingly, the previously presented rejections are withdrawn.
Claims 1-7, 9-16, and 18-20 are allowed.
The following is an examiner's statement of reasons for allowance:
The closest prior art, as previously recited, Higbee 20180191754, Vaithilingham 20100306845 A1, and Hunt 20200204587 A1 are also generally directed to a computer implemented method for classifying and mitigating security threats in a digital communication network, the method comprising; a system for classifying and mitigating security threats in digital communication networks, the system comprising; and a method for training users to classify and mitigate security threats in a digital communication network, the method comprising:
receiving a digital communication from a user, wherein the digital communication has been identified as suspicious by the user; [Higbee, ¶0034: the systems and methods described herein can be used to raise the acuity of the individual in identifying phishing attack messages and provide a means for identifying and reporting those messages so that remedial action can be taken with reduced time between arrival of the attack message and the remedial action. ¶0055: When a message is received on a computing device of an individual, the user may report the message as a possible phishing attack. When reported, a network server device then receives a notification indicating that the one or more users has reported the message as a possible phishing attack.]
parsing the digital communication to identify at least one content indicator; [Higbee, ¶0035: For messages that are not simulated phishing messages, the message or the source of the message can be assigned a credibility score similar to the reputation score of users of the system. ¶0069: reported messages are received at the network server. The reported messages are checked against rules stored in the system. The rules can be written for YARA or another tool that enables determining whether message or attachment data contains defined textual or binary patterns (e.g. regex parsing, etc.). ¶0103: As a message meets specific reporting thresholds, the rules module can be automatically implemented or an administrator can implement the rules upon review. This can include extraction of header information, content information or any other information that the management console module is capable of extracting.]
performing at least one processing activity based on the at least one content indicator, wherein performance of the at least one processing activity generates an output; [Higbee, ¶0094: Further processing can be used to determine whether the message is malicious. Rules can be used to determine whether a reported message is suspicious or malicious. As non-limiting examples, maliciousness may be determined based on any URLs in the message, the content of the site at the URL, or an attachment to the message. ¶0159: The threat information derived from messages can be provided, by an API or other means, such as but not limited to an Indicator of Compromise (IOC), to a sandbox 1810, Aresight™, Splunk™, SIEM, or a logging system. As non-limiting examples of the further processing that may be performed by the network security device, sandboxing systems can be used to evaluate artifacts, such as attachments and hashes, domains and URL analysis (sandboxing), and virus data lookups (VirusTotal™).]
determining whether the digital communication comprises malicious content based on the output generated by the at least one processing activity; [Higbee, ¶0094: Rules can be used to determine whether a reported message is suspicious or malicious. As non-limiting examples, maliciousness may be determined based on any URLs in the message, the content of the site at the URL, or an attachment to the message. ¶0110: the system provides the predefined categories: Phishing Simulation (i.e. the report contains email sent by the system during a simulated phishing campaign), Non-Malicious (i.e. the report contains safe, solicited email; internal email; or misreported email), Spam (i.e. the report contains unsolicited emails), Crimeware (i.e. the report contains malicious, mass-targeted malware), and Advanced Threats]
performing at least one mitigation activity when the digital communication comprises malicious content [Higbee, ¶0059: the system at the client computing device can move the reported message to a “Deleted Items” or “Junk” folder, or apply a corresponding deleted or junk label, or take no action with respect to moving the message. ¶0060: If the message is determined not to be a phishing message, it is returned to a normal accessible status. If it is determined to be a phishing message, then the message can be deleted or moved into “Junk” folder or such action be taken. ¶0160: URLs identified using rules, recipes, or by manual identification can be provided to a network security device, such as a firewall, to enable blocking of those URLs.]
determining whether the digital communication has been previously processed; [Higbee, ¶¶0068, 0098, and 0120: previously determined suspicious message performs checks]
when the digital communication has been previously processed, determining when the digital communication is related to phishing, [Higbee, ¶¶0037, 0063, 0086, and 0098: A simulated phishing attack message may be generated in a phishing simulation module. The phishing simulation module may provide a template message that can contain placeholders for, e.g., an employee name, etc.; where previously determined suspicious message performs checks]
and when the digital communication is related to phishing, performing at least one processing activity to determine a source of the phishing. [Vaithilingham et al 20100306845 A1, ¶0052: steps of identifying the digital communication 215 from a source 210 as being a potentially phishing email, appending a tag (e.g., metadata) to the digital communication 215 that indicates the digital communication 215 has an unsafe status, and implementing solutions to protect and inform a user 250. ¶¶0082-0084; Hunt et al 20200204587 A1 [Fig. 5, steps 505-507 OR Fig. 6, steps 607-608; 0107-0110, 0111-0112, 0114*-0116, 0120-0122: previous analysis of phishing; 0147**-0148 and 0150: analyze to identify sources of phishing features]]
wherein at least one from among the parsing of the digital communication, the performing of the at least one processing activity, the determining of whether the digital communication comprises malicious content, and the performing of the at least one mitigation activity comprises applying a machine learning module that is trained using a set of communications that are exemplary of malicious or suspicious content. [Higbee2, ¶0136: Messages can be clustered based on the application of rules to messages that have been reported as suspicious; similarities can be identified based on application of YARA rules to messages. Some embodiments use n-gram analysis. ¶0141: clustering technique based on machine learning, k-means, and others.]
However, none of Higbee, Vaithilingham, and Hunt teaches or suggests, alone or in combination, the particular combination of steps or elements as recited in independent claims 1, 10, and 19. For example, none of the cited prior art teaches or suggests determining whether the digital communication has been previously processed; when the digital communication has been previously processed, determining when the digital communication is related to phishing; and when the digital communication is related to phishing, performing at least one processing activity for at least a second time in order to determine a source of the phishing, in view of other limitations of claims 1, 10, and 19.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled "Comments on Statement of Reasons for Allowance."
The closest prior art made of record are:
Vaithilingham et al (20100306845 A1) teaches computer-readable media and computerized methods for governing treatment of digital communications (e.g., emails and instant messages) upon identifying the communications as potentially phishing emails are provided. A service provider is employed to control behavior of an account that is assigned to an intended recipient of the communications. Controlling the behavior of the account is described in the context of a non-web mail server that renders a UI display, which is not dynamically configurable by the service provider. In one solution, controlling behavior alerts a user to the presence of communications identified as potentially phishing by aggregating these communications in a separate folder. In another solution, controlling behavior facilitates protecting the user by replacing the content of the potentially phishing communications with a warning message. This warning message optionally includes a URL link to a web browser where the user can view the original content of the potentially phishing communications. (¶0052).
Rambo et al (10652276 B1) teaches anti-phishing computing systems and methods. A first computer that hosts an online software application with which an end user or customer has an account generates an electronic message and independent confirmation data and transmits electronic message data and the confirmation data to a second computer, which updates an activity log for the end user's account such that the confirmation data is associated with the electronic message data in the activity log. The confirmation data may be a randomly generated number and incorporate an identifier of the online software application. The electronic message including the confirmation data is transmitted to the end user computing device such that using the activity log and multiple confirmation data transmissions to different computing systems can be used to confirm that a source of the electronic message was the online software application and that the electronic message is not a fraudulent phishing electronic message. (Col 4, lines 1-5).
Hunt et al (20200204587 A1) teaches embodiments directed to identifying phishing websites by rendering and analyzing document object model (DOM) objects associated with a website for features that indicate phishing behavior. Embodiments analyze the full scope and functionality associated with a website by executing functions embedded in a DOM object before analyzing the website for phishing activity. Accordingly, embodiments render and analyze a fully executed DOM object for phishing behavior. Embodiments may then perform steps to mediate a website that is classified as performing phishing. Thus, embodiments are configured to (1) collect website information from a variety of websites and web servers connected to the internet, (2) analyze the collected data to determine whether the website information is performing phishing, and (3) mediate websites and other actors that are determined to be performing phishing based on the results of the phishing analysis. (Fig. 5, steps 505-507 OR Fig. 6, steps 607-608; 0107-0110, 0111-0112, 0114*-0116, 0120-0122: previous analysis of phishing; 0147**-0148 and 0150: analyze to identify sources of phishing features).
Cohen (20160006749 A1) teaches a data analysis system that may automatically generate memory-efficient clustered data structures, automatically analyze those clustered data structures, and provide results of the automated analysis in an optimized way to an analyst. The automated analysis of the clustered data structures (also referred to herein as data clusters) may include an automated application of various criteria or rules so as to generate a compact, human-readable analysis of the data clusters. The human-readable analyses (also referred to herein as “summaries” or “conclusions”) of the data clusters may be organized into an interactive user interface so as to enable an analyst to quickly navigate among information associated with various data clusters and efficiently evaluate those data clusters in the context of, for example, a fraud investigation. Embodiments of the present disclosure also relate to automated scoring of the clustered data structures. (¶0048 0109).
Mesdaq et al (10601865 B1) teaches a non-transitory computer readable storage medium having stored thereon instructions that, when executed by a processor, perform operations including: responsive to receiving an email including a URL, conducting an analysis of the email including (i) analyzing a header and a body, and (ii) analyzing the URL; analyzing contents of a web page directed to by the URL; generating a score indicating a level of confidence the email is associated with a phishing attack based on at least one of the analysis of the email or the analysis of the contents of the web page; and responsive to the score being below a threshold, virtually processing the web page to determine whether the web page is associated with the phishing attack. (col 15, lines 4-27).
Emigh et al (20190158530 A1) teaches techniques for displaying a URL comprise receiving a URL; normalizing the URL, wherein normalizing the URL includes standardizing an encoding of a character contained in the URL; determining a first element of the URL, wherein the first element of the URL includes a domain; determining a second element of the URL; displaying the URL, wherein displaying the URL includes emphasizing the first element of the URL, and wherein emphasizing the first element of the URL includes displaying the first element of the URL using a first font attribute; and wherein displaying the URL includes displaying a first portion of the second element of the URL using a second font attribute and eliding a second portion of the second element of the URL; and responsive to an interaction with a user interface element, providing a view of the URL in its entirety.  (¶¶0073-0076, 0107-0109 and 0117-0120).
Shraim et al (20070294352 A1) teaches various embodiments of the invention provide solutions (including inter alia, systems, methods and software) for dealing with online fraud. In particular, various embodiments of the invention provide ways to incite unsolicited email messages (such as spam messages, phish messages, etc.). In accordance with some embodiments, a bait email address may be planted in a particular location on the Internet. In particular embodiments, the location of the planted email address may be tracked in order to determine which locations are relatively more likely to generate unsolicited email messages. In other embodiments, domains likely to host the bait email addresses receiving unsolicited messages may be obtained. In some cases, unsolicited messages may be analyzed and/or otherwise processed to determine whether the messages are possibly associated with a fraudulent activity. Such analysis may lead to the investigation of one or more web sites and/or to the initiation of a response against a fraudulent activity. (¶¶0093-0095 and 0100-0106).
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAKINAH W TAYLOR whose telephone number is (571)270-0682.  The examiner can normally be reached on Monday-Friday, 9:45-5:45.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ELENI SHIFERAW can be reached on 571-272-3867.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/Sakinah White Taylor/Primary Examiner, Art Unit 2497