Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Priority
	This application claims the benefit of and priority to U.S. Provisional Patent Application Ser. No. 62/863,991, filed Jun. 20, 2019, and entitled “Integrating Targeted Attack Protection (TAP) and Isolation,” which is incorporated by reference herein in its entirety.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 03/16/2022 was filed after the mailing date of the Non-Final Office Action on 03/01/2022. The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.
DETAILED ACTION
	This Office Action is in response to an amendment application received on 05/05/2022. In the amendment, applicant has amended claims 1, 3-5, 13, 15-17 and 20. Claims 2, 6-12, 14 and 18-19 remain original. No claim has been cancelled and no new claim has been added.
	For this Office Action, claims 1-20 have been received for consideration and have been examined. 
Response to Arguments
Claim Objections
	Applicant’s amendments to independent claims have been reviewed and appear to overcome the objections. Therefore, the claim objection has been withdrawn.
Claim Rejections – 35 USC § 103
Applicant’s arguments, filed 05/05/2022, with respect to the rejection(s) of claim(s) under 35 USC § 103 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of new amendments to the claims.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


Claims 1-20 are rejected under 35 U.S.C. 112(b), as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, regards as the invention.
Independent claims 1, 13 and 20 recite “wherein determining the risk profile associated with the first request received from the first user computing device includes determining that the first uniform resource locator associated with the first email message is associated with a specific category by matching site contents from the first uniform resource locator with information defined in one or more category templates”.
Examiner notes that the clause "by matching site contents from the first URL with information defined in one or more category templates" is technologically improper.  A "URL" does not have or consist of "site contents", because a URL is an alphanumeric string that is an address (i.e., "locator") for a resource (e.g., potentially a "web site").  Web sites, which can be accessed via a corresponding URL, do have "site contents".  However, a person of ordinary skill in the art would not refer to "the content being accessed via a URL" using the phrase "content from the URL" because the URL itself has contents.  Thus the phrase "site contents from the first URL" creates unnecessary ambiguity and a person of ordinary skill in the art would not be able to determine whether the claim limitation is referring to i) "by matching site contents, of a web site accessed via the first URL, with information defined in one or more category templates”; or ii) “by matching contents of the first URL with information defined in one or more category templates".  Option i) would require retrieving the content pointed to by the URL and analyzing the retrieved content against templates; whereas option ii) is analyzing the URL itself.
Both of these concepts appear supported by applicant's own specification. Option ii) is supported by par [0058] ("... analyze the text and/or character pattern of the URL string to predict whether the corresponding page is potentially malicious or likely legitimate (e.g., by calculating a risk score based on the text and/or character pattern of the URL string and evaluating whether the risk score exceeds a predetermined threshold)."). Option i) is supported by par [0059] ("... analyze one or more headers and/or other header content of a page corresponding to the first uniform resource locator... to determine whether the page is potentially malicious or likely legitimate (e.g., by comparing such headers and/or header content to predefined templates and/or records identifying headers and/or header content associated with pages that have been labeled as malicious and/or legitimate).").
Examiner notes that Applicant’s distinction in [0058] and [0059] between the URL itself and the page corresponding to the URL is clear; however, the claim limitations lack this clarity and therefore create indefiniteness issues.
For purposes of further examination the phrase would be interpreted as "by matching site contents accessed using the first URL with information defined in one or more category templates".
Dependent claims inherit these deficiencies.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-5, 9-17 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Quinlan (WO2012094040A1) in view of Jakobsson (US20180091453A1) and further in view of Wyatt et al. (US20140195604A1).
Regarding claim 1, Quinlan discloses:
A computing platform (i.e., Proxy Server 300; See FIG. 1), comprising:
at least one processor; a communication interface; and memory storing computer-readable instructions that, when executed by the at least one processor, cause the computing platform to:
receive, via the communication interface, from a first user computing device (i.e., User Terminal 120(a); See FIG. 1), a first request (i.e. clicking by the user on the link of the URL is construed as ‘first request for first URL access’) for a first uniform resource locator associated with a first email message ([0026] The processor 220 may, for example, rewrite the URLs before a user receives the email message. After a user clicks on the link of the URL, the processor 220 then may redirect the user to the proxy server 300 instead of the web server that may be hosting the content associated with the URL);
identify that the first uniform resource locator associated with the first email message corresponds to a first potentially-malicious site ([0033-0035] disclose, in light of Figures 5 & 6, that the proxy server determines [identifies] if the URL presented in the electronic message is suspicious or not based on analysis performed in step 510).
Quinlan fails to disclose:
in response to identifying that the first uniform resource locator associated with the first email message corresponds to the first potentially-malicious site, determine a risk profile associated with the first request received from the first user computing device, wherein determining the risk profile associated with the first request received from the first user computing device includes determining that the first uniform resource locator associated with the user request [first email message] is associated with a specific category by matching site contents accessed using the first URL with information defined in one or more category templates; and based on the risk profile associated with the first request received from the first user computing device, execute an isolation method to provide limited access to the first uniform resource locator associated with the first email message.
However, Jakobsson discloses:
	in response to identifying (i.e., message is identified as potentially risky by the system) that the first uniform resource locator associated with the first email message corresponds to the first potentially-malicious site ([0040] In some embodiments, a risk score associated with a message is a heuristically computed score … whether the message contents match a high-risk pattern (e.g., contains a URL associated with a site that is not trusted); [0048] For example, consider a potentially risky email message that contains a text component, a URL and an attachment, and which has an associated sender profile. Assume that this message is identified as potentially risky by the system. The system then replaces the URL with a proxy URL, changes the extension of the attachment to make it not possible to execute),
determine a risk profile (i.e., risk profile of the user of the first user computing device [intended recipient of the message]; See [0055]) associated with the first request received from the first user computing device ([0055] In some embodiments, the modification of the message is based on a risk profile associated with the intended recipient of the message … Consider three users belonging to the same organization. The first user is exposed to a large amount of dangerous email due to having a public profile within the organization … The second user is not exposed to a lot of attacks, but reacts to emails very quickly by clicking on URLs, opening attachments, and by responding to them regardless of whether the emails are identified as secure or not. A third person is not exposed to many attacks and is not reacting in a risky manner. It is identified that the three users are exposed to different types of risk); and 
based on the risk profile (i.e., based on risk profile of the first user) associated with the first request received from the first user computing device, execute an isolation method to provide limited access (i.e., modify/quarantine/block the message) to the first uniform resource locator associated with the first email message ([0055] The first user, correspondingly, is protected by screening for traffic that is deceptive, e.g., that comes from untrusted entities that are named in a way that is similar to trusted entities; when emails arrive from such an entity, the emails are modified/quarantined (e.g., as previously described) or blocked; [0065] If at 220, it is determined that a security threat has been detected, at 224, a security action is performed … preventing access to content referenced by a URL included in the message).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the Quinlan reference and include a message analysis system which is able to evaluate a risk of a message before it is delivered to an intended recipient, as disclosed by Jakobsson.
The motivation to detect risk of the message before it is delivered to the intended recipient is to protect the intended recipient from potential malicious content.
The combination of Quinlan and Jakobsson fails to disclose:
	determining that the first uniform resource locator associated with the user request [first email message] is associated with a specific category by matching site contents accessed using the first URL with information defined in one or more category templates.
However, Wyatt discloses:
	determining that the first uniform resource locator associated with the user request [first email message] is associated with a specific category by matching site contents accessed using the first URL with information defined in one or more category templates (See Figures 10-11 in light of [0067] & [0072-0074], which disclose a technique for identifying categories of an intercepted identifier of the universal resource locator (URL) based on sub-categories and sub-sub-categories that the identifier may be associated with, for the URL which the user is trying to access).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the Quinlan and Jakobsson references and include a method and system for detecting malicious and safe URLs by identifying the category of the URL based on various categories or sub-categories, as disclosed by Wyatt.
	The motivation to include such a method and system is to protect the user accessing the URL from exposure to potentially malicious URLs.
Regarding claim 2, the combination of Quinlan, Jakobsson and Wyatt discloses:
	The computing platform of claim 1,
wherein the first uniform resource locator associated with the first email message is an embedded link in the first email message that was rewritten by an email filtering engine (See FIG. 2; i.e. designation process logic 400) hosted on the computing platform (Quinlan: [0019] Generally, the suspicious message designation process logic 400 is configured to determine whether email messages received at email server 200 contain one of a plurality of attacks such as advance fee fraud scams (commonly known as "419 scams"), malware or suspicious URLs and to designate any suspicious URLs to be rewritten to point to the proxy server 300; [0024] If an email message is determined to contain a URL, processor 220 determines whether the email message contains at least one suspicious URL at 430, and if the email message is determined to contain at least one suspicious URL, processor 220 designates, at 440, that the suspicious URL is to be rewritten to point to proxy server 300), and
wherein identifying that the first uniform resource locator associated with the first email message corresponds to the first potentially-malicious site comprises identifying that the first uniform resource locator associated with the first email message corresponds to the first potentially-malicious site using a URL defense (UD) tool (See FIG. 3; i.e., proxy processing logic 500) hosted on the computing platform (Quinlan: [0005] FIG. 2 is a block diagram of an example of an email server device configured to perform a suspicious message designation process to identify emails that are suspicious and warrant further protections by the proxy server; [0024] Turning to FIG. 4, an example of a flow chart for the suspicious message designation process logic 400 is now described. At 410, email server 200 receives an email message that is intended to be delivered to one or more users at user terminals 120(a)-120(c). At 420, processor 220 scans the email message to determine whether the email message contains at least one URL. If an email message is determined to contain a URL, processor 220 determines whether the email message contains at least one suspicious URL at 430).
Regarding claim 3, the combination of Quinlan, Jakobsson and Wyatt discloses:
	The computing platform of claim 1, wherein determining the risk profile associated with the first request received from the first user computing device comprises determining that the first uniform resource locator associated with the first email message is associated with a first web category (i.e., URL related to reputable bank) (Quinlan: [0023] The website that the phishing URL links to may appear to the user as a reputable business or organization website. For example, a user may click on the phishing URL link and may then be directed to a website that appears as one for a reputable bank).	
Regarding claim 4, the combination of Quinlan, Jakobsson and Wyatt discloses:
The computing platform of claim 1, wherein determining the risk profile associated with the first request received from the first user computing device comprises determining one or more user-specific risk factors associated with a user of the first user computing device (Jakobsson: [0055] In some embodiments, the modification of the message is based on a risk profile associated with the intended recipient of the message … Consider three users belonging to the same organization. The first user is exposed to a large amount of dangerous email due to having a public profile within the organization … The second user is not exposed to a lot of attacks, but reacts to emails very quickly by clicking on URLs, opening attachments, and by responding to them regardless of whether the emails are identified as secure or not. A third person is not exposed to many attacks and is not reacting in a risky manner. It is identified that the three users are exposed to different types of risk).
Regarding claim 5, the combination of Quinlan, Jakobsson and Wyatt discloses:
The computing platform of claim 1, wherein determining the risk profile associated with the first request received from the first user computing device comprises identifying that a user of the first user computing device is included in a very attacked persons group associated with an enterprise organization (Jakobsson: [0055] In some embodiments, the modification of the message is based on a risk profile associated with the intended recipient of the message. Consider three users belonging to the same organization. The first user is exposed to a large amount of dangerous email due to having a public profile within the organization, and many of the emails sent to her attempt to trick her to install trojans or to steal her login credentials).
Regarding claim 9, the combination of Quinlan, Jakobsson and Wyatt discloses:
The computing platform of claim 1, wherein executing the isolation method to provide limited access to the first uniform resource locator associated with the first email message comprises providing data associated with the first potentially-malicious site to a phishing analysis service that is configured to return an indication of whether the first potentially-malicious site is a phishing site (Quinlan: [0016] The email server 200 executes suspicious message designation process logic 400 to evaluate email messages with uniform resource identifiers (URIs) associated with content (e.g., content hosted by on one of the websites 130(1)-130(N)) to designate any incoming messages as being suspicious, that is, possibly being associated with a phishing scam or other malicious type of attack).
Regarding claim 10, the combination of Quinlan, Jakobsson and Wyatt discloses:
The computing platform of claim 1, wherein executing the isolation method to provide limited access to the first uniform resource locator associated with the first email message comprises providing a user-selectable option to break out of isolation after data associated with the first potentially-malicious site is analyzed (Jakobsson: See FIG. 9; Step 912; [0150] If at 910 it is determined that the second risk analysis results in a determination that the message meets the second criteria, at 912, content of the message that was previously prevented from being accessed by the specified recipient is provided to the specified recipient of the message).
Regarding claim 11, the combination of Quinlan, Jakobsson and Wyatt discloses:
The computing platform of claim 1, wherein executing the isolation method to provide limited access to the first uniform resource locator associated with the first email message comprises controlling input to the first potentially-malicious site (Quinlan: [0035] Turning to FIG. 6, a block diagram is shown that depicts the operations of the proxy server 300 when delivering protected or safe content associated with a URL to a user terminal, e.g., user terminal 120(a). In FIG. 6, when a user located at user terminal 120(a) clicks on a link of a suspicious URL, the user is directed to proxy server 300 instead of the original destination of the suspicious URL since the URL has been rewritten to point to the proxy server 300. If the content associated with the original destination of the suspicious URL, shown at reference numeral 610, is not malicious (i.e. if the suspicious URL is not a malicious URL), then content 610 is displayed to the user in a protected or safe version through proxy server 300 (as shown in 620) with one or more warnings as described above).
Regarding claim 12, the combination of Quinlan, Jakobsson and Wyatt discloses:
The computing platform of claim 1, wherein the memory stores additional computer-readable instructions that, when executed by the at least one processor, cause the computing platform to:
receive, via the communication interface, from a second user computing device (i.e., User Terminal 120(b)/(c); See FIG. 1), a second request for a second uniform resource locator associated with a second email message (Quinlan: [0026] After a user clicks on the link of the URL, the processor 220 then may redirect the user to the proxy server 300 instead of the web server that may be hosting the content associated with the URL);
identify (i.e., redirection of the user by the proxy server to the proxy server instead of web server is interpreted as identifying the URL as malicious) that the second uniform resource locator associated with the second email message corresponds to a second potentially-malicious site (Quinlan: [0026] Redirecting the user to the proxy server 300 instead of the web server allows for controlled and safe navigation to content associated with the URL. The proxy server 300 performs additional checks for malware, phishing and other content on the destination URL to provide a level of protection to the user);
in response to identifying (i.e., identified as potentially risky by the system) that the second uniform resource locator associated with the second email message corresponds to the second potentially-malicious site (Jakobsson: [0040] In some embodiments, a risk score associated with a message is a heuristically computed score … whether the message contents match a high-risk pattern (e.g., contains a URL associated with a site that is not trusted); [0048] For example, consider a potentially risky email message that contains a text component, a URL and an attachment, and which has an associated sender profile. Assume that this message is identified as potentially risky by the system. The system then replaces the URL with a proxy URL, changes the extension of the attachment to make it not possible to execute),
determine a risk profile (i.e., risk profile of the user of the first user computing device [intended recipient of the message]; See [0055]) associated with the second request received from the second user computing device (Jakobsson: [0055] In some embodiments, the modification of the message is based on a risk profile associated with the intended recipient of the message … Consider three users belonging to the same organization. The first user is exposed to a large amount of dangerous email due to having a public profile within the organization … The second user is not exposed to a lot of attacks, but reacts to emails very quickly by clicking on URLs, opening attachments, and by responding to them regardless of whether the emails are identified as secure or not. A third person is not exposed to many attacks and is not reacting in a risky manner. It is identified that the three users are exposed to different types of risk); and
based on the risk profile (i.e., based on risk profile of the first user) associated with the second request received from the second user computing device, execute a second isolation method to provide limited access (i.e., modify/quarantine/block the message) to the second uniform resource locator associated with the second email message (Jakobsson: [0055] The first user, correspondingly, is protected by screening for traffic that is deceptive, e.g., that comes from untrusted entities that are named in a way that is similar to trusted entities; when emails arrive from such an entity, the emails are modified/quarantined (e.g., as previously described) or blocked; [0065] If at 220, it is determined that a security threat has been detected, at 224, a security action is performed … preventing access to content referenced by a URL included in the message).
Regarding claim 13, Quinlan discloses:
	A method, comprising:
at a computing platform comprising at least one processor, a communication interface, and memory:
receiving, via the communication interface, from a first user computing device (i.e., User Terminal 120(a); See FIG. 1), a first request (i.e. clicking by the user on the link of the URL is construed as ‘first request for first URL access’) for a first uniform resource locator associated with a first email message ([0026] The processor 220 may, for example, rewrite the URLs before a user receives the email message. After a user clicks on the link of the URL, the processor 220 then may redirect the user to the proxy server 300 instead of the web server that may be hosting the content associated with the URL);
identifying that the first uniform resource locator associated with the first email message corresponds to a first potentially-malicious site ([0033-0035] disclose, in light of Figures 5 & 6, that the proxy server determines [identifies] if the URL presented in the electronic message is suspicious or not based on analysis performed in step 510).
Quinlan fails to disclose:
in response to identifying that the first uniform resource locator associated with the first email message corresponds to the first potentially-malicious site, determine a risk profile associated with the first request received from the first user computing device, wherein determining the risk profile associated with the first request received from the first user computing device includes determining that the first uniform resource locator associated with the user request [first email message] is associated with a specific category by matching site contents accessed using the first URL with information defined in one or more category templates; and based on the risk profile associated with the first request received from the first user computing device, execute an isolation method to provide limited access to the first uniform resource locator associated with the first email message.
However, Jakobsson discloses:
	in response to identifying (i.e., identified as potentially risky by the system) that the first uniform resource locator associated with the first email message corresponds to the first potentially-malicious site ([0040] In some embodiments, a risk score associated with a message is a heuristically computed score … whether the message contents match a high-risk pattern (e.g., contains a URL associated with a site that is not trusted); [0048] For example, consider a potentially risky email message that contains a text component, a URL and an attachment, and which has an associated sender profile. Assume that this message is identified as potentially risky by the system. The system then replaces the URL with a proxy URL, changes the extension of the attachment to make it not possible to execute),
determine a risk profile (i.e., risk profile of the user of the first user computing device [intended recipient of the message]; See [0055]) associated with the first request received from the first user computing device ([0055] In some embodiments, the modification of the message is based on a risk profile associated with the intended recipient of the message … Consider three users belonging to the same organization. The first user is exposed to a large amount of dangerous email due to having a public profile within the organization … The second user is not exposed to a lot of attacks, but reacts to emails very quickly by clicking on URLs, opening attachments, and by responding to them regardless of whether the emails are identified as secure or not. A third person is not exposed to many attacks and is not reacting in a risky manner. It is identified that the three users are exposed to different types of risk); and 
based on the risk profile (i.e., based on risk profile of the first user) associated with the first request received from the first user computing device, execute an isolation method to provide limited access (i.e., modify/quarantine/block the message) to the first uniform resource locator associated with the first email message ([0055] The first user, correspondingly, is protected by screening for traffic that is deceptive, e.g., that comes from untrusted entities that are named in a way that is similar to trusted entities; when emails arrive from such an entity, the emails are modified/quarantined (e.g., as previously described) or blocked; [0065] If at 220, it is determined that a security threat has been detected, at 224, a security action is performed … preventing access to content referenced by a URL included in the message).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the Quinlan reference and include a message analysis system which is able to evaluate a risk of a message before it is delivered to an intended recipient, as disclosed by Jakobsson.
The motivation to detect risk of the message before it is delivered to the intended recipient is to protect the intended recipient from potential malicious content.
The combination of Quinlan and Jakobsson fails to disclose:
	determining that the first uniform resource locator associated with the user request [first email message] is associated with a specific category by matching site contents accessed using the first URL with information defined in one or more category templates.
However, Wyatt discloses:
	determining that the first uniform resource locator associated with the user request [first email message] is associated with a specific category by matching site contents accessed using the first URL with information defined in one or more category templates (See Figures 10-11 in light of [0067] & [0072-0074], which disclose a technique for identifying categories of an intercepted identifier of the universal resource locator (URL) based on sub-categories and sub-sub-categories that the identifier may be associated with, for the URL which the user is trying to access).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the Quinlan and Jakobsson references and include a method and system for detecting malicious and safe URLs by identifying the category of the URL based on various categories or sub-categories, as disclosed by Wyatt.
	The motivation to include such a method and system is to protect the user accessing the URL from exposure to potentially malicious URLs.
Regarding claim 14, the combination of Quinlan, Jakobsson and Wyatt discloses:
The method of claim 13,
wherein the first uniform resource locator associated with the first email message is an embedded link in the first email message that was rewritten by an email filtering engine (See FIG. 2; i.e. designation process logic 400) hosted on the computing platform (Quinlan: [0019] Generally, the suspicious message designation process logic 400 is configured to determine whether email messages received at email server 200 contain one of a plurality of attacks such as advance fee fraud scams (commonly known as "419 scams"), malware or suspicious URLs and to designate any suspicious URLs to be rewritten to point to the proxy server 300; [0024] If an email message is determined to contain a URL, processor 220 determines whether the email message contains at least one suspicious URL at 430, and if the email message is determined to contain at least one suspicious URL, processor 220 designates, at 440, that the suspicious URL is to be rewritten to point to proxy server 300), and
wherein identifying that the first uniform resource locator associated with the first email message corresponds to the first potentially-malicious site comprises identifying that the first uniform resource locator associated with the first email message corresponds to the first potentially-malicious site using a URL defense (UD) tool (See FIG. 3; i.e., proxy processing logic 500) hosted on the computing platform (Quinlan: [0005] FIG. 2 is a block diagram of an example of an email server device configured to perform a suspicious message designation process to identify emails that are suspicious and warrant further protections by the proxy server; [0024] Turning to FIG. 4, an example of a flow chart for the suspicious message designation process logic 400 is now described. At 410, email server 200 receives an email message that is intended to be delivered to one or more users at user terminals 120(a)-120(c). At 420, processor 220 scans the email message to determine whether the email message contains at least one URL. If an email message is determined to contain a URL, processor 220 determines whether the email message contains at least one suspicious URL at 430).
Regarding claim 15, the combination of Quinlan, Jakobsson and Wyatt discloses:
The method of claim 13, wherein determining the risk profile associated with the first request received from the first user computing device comprises determining that the first uniform resource locator associated with the first email message is associated with a first web category (i.e., URL related to reputable bank) (Quinlan: [0023] The website that the phishing URL links to may appear to the user as a reputable business or organization website. For example, a user may click on the phishing URL link and may then be directed to a website that appears as one for a reputable bank).
Regarding claim 16, the combination of Quinlan, Jakobsson and Wyatt discloses:
The computing platform of claim 1, wherein determining the risk profile associated with the first request received from the first user computing device comprises determining one or more user-specific risk factors associated with a user of the first user computing device (Jakobsson: [0055] In some embodiments, the modification of the message is based on a risk profile associated with the intended recipient of the message … Consider three users belonging to the same organization. The first user is exposed to a large amount of dangerous email due to having a public profile within the organization … The second user is not exposed to a lot of attacks, but reacts to emails very quickly by clicking on URLs, opening attachments, and by responding to them regardless of whether the emails are identified as secure or not. A third person is not exposed to many attacks and is not reacting in a risky manner. It is identified that the three users are exposed to different types of risk).
Regarding claim 17, the combination of Quinlan, Jakobsson and Wyatt discloses:
The method of claim 13, wherein determining the risk profile associated with the first request received from the first user computing device comprises identifying that a user of the first user computing device is included in a very attacked persons group associated with an enterprise organization (Jakobsson: [0055] In some embodiments, the modification of the message is based on a risk profile associated with the intended recipient of the message. Consider three users belonging to the same organization. The first user is exposed to a large amount of dangerous email due to having a public profile within the organization, and many of the emails sent to her attempt to trick her to install trojans or to steal her login credentials).
Regarding claim 20, Quinlan discloses:
One or more non-transitory computer-readable media storing instructions that, when executed by a computing platform comprising at least one processor, a communication interface, and memory, cause the computing platform to:
receive, via the communication interface, from a first user computing device (i.e., User Terminal 120(a); See FIG. 1), a first request (i.e. clicking by the user on the link of the URL is construed as ‘first request for first URL access’) for a first uniform resource locator associated with a first email message ([0026] The processor 220 may, for example, rewrite the URLs before a user receives the email message. After a user clicks on the link of the URL, the processor 220 then may redirect the user to the proxy server 300 instead of the web server that may be hosting the content associated with the URL);
identify that the first uniform resource locator associated with the first email message corresponds to a first potentially-malicious site ([0033-0035] discloses, in light of Figures 5 & 6, that the proxy server determines [identifies] if the URL presented in the electronic message is suspicious or not based on analysis performed in step 510).
Quinlan fails to disclose:
in response to identifying that the first uniform resource locator associated with the first email message corresponds to the first potentially-malicious site, determine a risk profile associated with the first request received from the first user computing device, wherein determining the risk profile associated with the first request received from the first user computing device includes determining that the first uniform resource locator associated with the user request [first email message] is associated with a specific category by matching site contents accessed using the first URL with information defined in one or more category templates; and based on the risk profile associated with the first request received from the first user computing device, execute an isolation method to provide limited access to the first uniform resource locator associated with the first email message.
However, Jakobsson discloses:
	 in response to identifying (i.e. identified as potentially risky by the system) that the first uniform resource locator associated with the first email message corresponds to the first potentially-malicious site ([0040] In some embodiments, a risk score associated with a message is a heuristically computed score … whether the message contents match a high-risk pattern (e.g., contains a URL associated with a site that is not trusted; [0048] For example, consider a potentially risky email message that contains a text component, a URL and an attachment, and which has an associated sender profile. Assume that this message is identified as potentially risky by the system. The system then replaces the URL with a proxy URL, changes the extension of the attachment to make it not possible to execute), 
determine a risk profile (i.e., risk profile of the user of the first user computing device [intended recipient of the message]; See [0055]) associated with the first request received from the first user computing device ([0055] In some embodiments, the modification of the message is based on a risk profile associated with the intended recipient of the message … Consider three users belonging to the same organization. The first user is exposed to a large amount of dangerous email due to having a public profile within the organization … The second user is not exposed to a lot of attacks, but reacts to emails very quickly by clicking on URLs, opening attachments, and by responding to them regardless of whether the emails are identified as secure or not. A third person is not exposed to many attacks and is not reacting in a risky manner. It is identified that the three users are exposed to different types of risk); and 
based on the risk profile (i.e., based on risk profile of the first user) associated with the first request received from the first user computing device, execute an isolation method to provide limited access (i.e., modify/quarantine/block the message) to the first uniform resource locator associated with the first email message ([0055] The first user, correspondingly, is protected by screening for traffic that is deceptive, e.g., that comes from untrusted entities that are named in a way that is similar to trusted entities; when emails arrive from such an entity, the emails are modified/quarantined (e.g., as previously described) or blocked; [0065] If at 220, it is determined that a security threat has been detected, at 224, a security action is performed … preventing access to content referenced by a URL included in the message).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the Quinlan reference and include a message analysis system which is able to evaluate a risk of a message before it is delivered to an intended recipient, as disclosed by Jakobsson.
The motivation to detect risk of the message before it is delivered to the intended recipient is to protect the intended recipient from potentially malicious content.
The combination of Quinlan and Jakobsson fails to disclose:
	determining that the first uniform resource locator associated with the user request [first email message] is associated with a specific category by matching site contents accessed using the first URL with information defined in one or more category templates.
However, Wyatt discloses:
	determining that the first uniform resource locator associated with the user request [first email message] is associated with a specific category by matching site contents accessed using the first URL with information defined in one or more category templates (See Figures 10-11 in light of [0067] & [0072-0074], which disclose a technique for identifying categories of an intercepted identifier of universal resource locator (URL) based on sub-categories and sub-sub-categories that the identifier may be associated with, the URL being the one which the user is trying to access).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the Quinlan and Jakobsson references and include a method and system for detecting malicious and safe URLs by identifying the category of the URL based on various categories or sub-categories, as disclosed by Wyatt.
	The motivation to include such a method and system is to protect the user accessing the URL from exposure to potentially malicious URLs.

Claims 6 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Quinlan (WO2012094040A1) in view of Jakobsson (US20180091453A1) in view of Wyatt et al. (US20140195604A1) and further in view of Petry et al. (US20170180413A1).
Regarding claim 6, the combination of Quinlan, Jakobsson and Wyatt fails to disclose:
The computing platform of claim 1, wherein executing the isolation method to provide limited access to the first uniform resource locator associated with the first email message comprises initiating a browser mirroring session with the first user computing device to provide the first user computing device with limited access to the first potentially-malicious site corresponding to the first uniform resource locator associated with the first email message.
However, Petry discloses:
wherein executing the isolation method to provide limited access to the first uniform resource locator associated with the first email message comprises initiating a browser mirroring session (See [0055] & [0065], i.e., providing a highly isolated and insulated environment which constitutes a browser mirroring session) with the first user computing device to provide the first user computing device with limited access to the first potentially-malicious site corresponding to the first uniform resource locator associated with the first email message (See FIG. 4: Step 420, Para [0110] / [0109] / [0111], [0124], [0114], [0055], [0065] and [0096]: upon determining the access of the URL content as requested is potentially harmful and that meets the isolation condition, initializing a secure (insulated) web container to access the URL content from the web server that serves as a separate and secure proxy web browsing section, which constitutes a browser mirroring session (Para [0124] & [0055] / [0065]) – this is consistent with the disclosure of the instant specification (SPEC-PG.PUB: Para [0039]: using an isolation server during a browser mirroring section), and providing limited access to the user device such as restricting downloading shared file(s), specifying a time period for which the data may be shared with another user while only allowing the user to view the content from the web server (Para [0065] & Para [0096])).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the Quinlan, Jakobsson and Wyatt references and include a system for providing a user with a secure and anonymous web browsing experience, as disclosed by Petry.
The motivation to include a system for providing a user with a secure and anonymous web browsing experience is to protect the user device and minimize the risks associated with accessing potentially dangerous web content.
Regarding claim 18, the combination of Quinlan, Jakobsson and Wyatt fails to disclose:
The method of claim 13, wherein executing the isolation method to provide limited access to the first uniform resource locator associated with the first email message comprises initiating a browser mirroring session with the first user computing device to provide the first user computing device with limited access to the first potentially-malicious site corresponding to the first uniform resource locator associated with the first email message.
However, Petry discloses:
wherein executing the isolation method to provide limited access to the first uniform resource locator associated with the first email message comprises initiating a browser mirroring session (See [0055] & [0065], i.e., providing a highly isolated and insulated environment which constitutes a browser mirroring session) with the first user computing device to provide the first user computing device with limited access to the first potentially-malicious site corresponding to the first uniform resource locator associated with the first email message (See FIG. 4: Step 420, Para [0110] / [0109] / [0111], [0124], [0114], [0055] and [0065] / [0096]: upon determining the access of the URL content as requested is potentially harmful and that meets the isolation condition, initializing a secure (insulated) web container to access the URL content from the web server that serves as a separate and secure proxy web browsing section, which constitutes a browser mirroring session (Para [0124] & [0055] / [0065]) – this is consistent with the disclosure of the instant specification (SPEC-PG.PUB: Para [0039]: using an isolation server during a browser mirroring section), and providing limited access to the user device such as restricting downloading shared file(s), specifying a time period for which the data may be shared with another user while only allowing the user to view the content from the web server (Para [0065] & Para [0096])).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the Quinlan, Jakobsson and Wyatt references and include a system for providing a user with a secure and anonymous web browsing experience, as disclosed by Petry.
The motivation to include a system for providing a user with a secure and anonymous web browsing experience is to protect the user device and minimize the risks associated with accessing potentially dangerous web content.

Claims 7-8 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Quinlan (WO2012094040A1) in view of Jakobsson (US20180091453A1) in view of Wyatt et al. (US20140195604A1) and further in view of Ghosh et al. (US20110167492A1).
Regarding claim 7, the combination of Quinlan, Jakobsson and Wyatt fails to disclose:
The computing platform of claim 1, wherein executing the isolation method to provide limited access to the first uniform resource locator associated with the first email message comprises preventing the first user computing device from downloading one or more binary objects.
However, Ghosh discloses:
	wherein executing the isolation method to provide limited access to the first uniform resource locator associated with the first email message comprises preventing the first user computing device from downloading one or more binary objects ([0045] The browser application's download and upload functionality may also be limited to provide enhanced computer security in one or all of the browsing modes described above. For example, in a “private” mode, the browser application 304 may prohibit all file uploads or downloads. Similarly, in a “master” or “secure-bookmark” mode, the browser application 304 may allow downloads and/or uploads but may restrict the type or storage location of files uploaded and/or downloaded. For example, in a “master” mode or “secure-bookmark” mode, the browser application 304 may prevent any executable files from being uploaded or downloaded and may limit file downloads or uploads to non-system file folders or location, non-program file folders or location, and/or the “desktop” file folder).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the Quinlan, Jakobsson and Wyatt references and include a system which is able to restrict data download and upload activity when the user computer is accessing a potentially malicious resource, as disclosed by Ghosh.
	The motivation to restrict data download and upload activity when the user is accessing a potentially malicious resource is to provide enhanced computer security and isolate the user computer from the malicious resource.
Regarding claim 8, the combination of Quinlan, Jakobsson and Wyatt fails to disclose:
The computing platform of claim 1, wherein executing the isolation method to provide limited access to the first uniform resource locator associated with the first email message comprises preventing the first user computing device from uploading one or more binary objects.
However, Ghosh discloses:
	wherein executing the isolation method to provide limited access to the first uniform resource locator associated with the first email message comprises preventing the first user computing device from uploading one or more binary objects ([0045] The browser application's download and upload functionality may also be limited to provide enhanced computer security in one or all of the browsing modes described above. For example, in a “private” mode, the browser application 304 may prohibit all file uploads or downloads. Similarly, in a “master” or “secure-bookmark” mode, the browser application 304 may allow downloads and/or uploads but may restrict the type or storage location of files uploaded and/or downloaded. For example, in a “master” mode or “secure-bookmark” mode, the browser application 304 may prevent any executable files from being uploaded or downloaded and may limit file downloads or uploads to non-system file folders or location, non-program file folders or location, and/or the “desktop” file folder).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the Quinlan, Jakobsson and Wyatt references and include a system which is able to restrict data download and upload activity when the user computer is accessing a potentially malicious resource, as disclosed by Ghosh.
	The motivation to restrict data download and upload activity when the user is accessing a potentially malicious resource is to provide enhanced computer security and isolate the user computer from the malicious resource.
Regarding claim 19, the combination of Quinlan, Jakobsson and Wyatt fails to disclose:
The method of claim 13, wherein executing the isolation method to provide limited access to the first uniform resource locator associated with the first email message comprises preventing the first user computing device from downloading one or more binary objects.
However, Ghosh discloses:
	wherein executing the isolation method to provide limited access to the first uniform resource locator associated with the first email message comprises preventing the first user computing device from downloading one or more binary objects ([0045] The browser application's download and upload functionality may also be limited to provide enhanced computer security in one or all of the browsing modes described above. For example, in a “private” mode, the browser application 304 may prohibit all file uploads or downloads. Similarly, in a “master” or “secure-bookmark” mode, the browser application 304 may allow downloads and/or uploads but may restrict the type or storage location of files uploaded and/or downloaded. For example, in a “master” mode or “secure-bookmark” mode, the browser application 304 may prevent any executable files from being uploaded or downloaded and may limit file downloads or uploads to non-system file folders or location, non-program file folders or location, and/or the “desktop” file folder).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the Quinlan, Jakobsson and Wyatt references and include a system which is able to restrict data download and upload activity when the user computer is accessing a potentially malicious resource, as disclosed by Ghosh.
	The motivation to restrict data download and upload activity when the user is accessing a potentially malicious resource is to provide enhanced computer security and isolate the user computer from the malicious resource.

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SYED M AHSAN whose telephone number is (571)272-5018. The examiner can normally be reached 8:30 AM - 6:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffery L. Nickerson can be reached on 469-295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/S.M.A./Patent Examiner, Art Unit 2432
/Jeffrey Nickerson/Supervisory Patent Examiner, Art Unit 2432