Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: 
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention
is not identically disclosed as set forth in section 102, if the differences between the claimed
invention and the prior art are such that the claimed invention as a whole would have been obvious
before the effective filing date of the claimed invention to a person having ordinary skill in the art
to which the claimed invention pertains. Patentability shall not be negated by the manner in which
the invention was made.
Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Bjorn (US 2018/0152471 A1), in view of Oprea (US 9,635,049 B1), and in further view of DeVal (US 2009/0122704 A1).

Regarding Claim 1
Bjorn discloses:
A computing platform, comprising: at least one processor; a communication interface communicatively coupled to the at least one processor; and memory storing computer-readable instructions that, when executed by the at least one processor, cause the computing platform to: monitor an electronic messaging server associated with an enterprise organization; based on monitoring the electronic messaging server associated with the enterprise organization, identify bi-directional messaging traffic between one or more enterprise domains associated with the enterprise organization and one or more external domains not associated with the enterprise organization; based on identifying the bi-directional messaging traffic between the one or more enterprise domains associated with the enterprise organization and the one or more external domains not associated with the enterprise organization, select a plurality of external domains for a conversation detection process (¶48: “In some embodiments, determining whether the sender of the message has an established relationship with the intended recipient includes obtaining a social, organizational, communication, collaboration, business and/or other relationship information of the sender and/or the intended recipient. Information about the sender and/or other users connected/related to the intended recipient may be obtained by requesting the desired information from a service. It is determined that the sender of the message has an established relationship with the intended recipient if the sender is included in this list as having a sufficient relationship with the intended recipient. Otherwise it is determined that the sender of the message does not have an established relationship with the intended recipient. 
In another example, an identifier (e.g., email address) of the sender of the message is provided to the service and the service provides information about the sender (e.g., information about the sender gathered across various different message repositories, contact lists and social networks). This information about the sender is used to assess a strength of a relationship between the sender and the intended recipient of the message (e.g., along with message history between them), and if the strength value of the relationship is greater than a threshold value, it is determined that the sender of the message has an established relationship with the intended recipient. Otherwise it is determined that the sender of the message does not have an established relationship with the intended recipient.”); 
Bjorn does not disclose the following limitation “compute an initial set of rank-ordered external domains”
Oprea discloses:
compute an initial set of rank-ordered external domains (Column 7, Line 33: “The scores are utilized to characterize a subset of the set of rare domains as suspicious domains in the given iteration. For example, the belief propagation algorithm may be configured to return a list of suspicious domains ranked in order of their respective scores. The belief propagation algorithm terminates responsive to at least one of a highest score among the scores of the suspicious domains being below a threshold, and a maximum number of iterations being reached.”)
Given the teaching of Oprea, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of generating a rank-order of suspicious external domains that can contain malware. One of ordinary skill in the art would have been motivated to modify the teaching of Bjorn in view of Oprea, as Oprea recognizes that by implementing this feature an external domain with the highest risk score will be terminated in order to prevent that external domain from spreading malware to an enterprise domain (Column 7, Line 33).
Bjorn discloses:
1) for each external domain of the plurality of external domains selected for the conversation detection process: a) identifying a first number of messages sent from an enterprise domain of the one or more enterprise domains to the external domain; b) identifying a second number of messages received at the one or more enterprise domains from the external domain (¶48: “Along with headers or portions of these, the data structure can store counts (e.g., how many times these were observed) and time intervals for the observations. For example, the number of times a particular message feature (e.g., message header item) was observed in received messages from the sender within a recent window of time (e.g., within a threshold time period and/or numerical count of past messages) and timestamps of each associated received message from the sender can be tracked and stored.”; 97 “For example, by observing and analyzing message traffic of the user and patterns of message recipients and senders, contacts that receive messages from the user and contacts that send messages to the user can be determined and correlated to infer and determine trust, frequency, and/or importance of interaction and relationship between the user and the contact to identify one or more of these contacts as a trusted contact. In one example, if a threshold number of messages has been sent to and from a contact for a user, the contact is identified as a trusted contact and added to a stored list of trusted contacts for the user.”); 
Bjorn and Oprea do not disclose the following limitation “c) computing a first ratio and a second ratio, wherein: the first ratio is the first number divided by the second number, and the second ratio is the second number divided by the first number; d) identifying a difference between the first ratio and the second ratio”
DeVal discloses:
c) computing a first ratio and a second ratio, wherein: the first ratio is the first number divided by the second number, and the second ratio is the second number divided by the first number; d) identifying a difference between the first ratio and the second ratio (¶14: “The method further comprises calculating a number of out-of-dialog messages received over a second fixed interval of time. The method additionally comprises calculating a first ratio equal to an average number of the in-dialog messages received over the first fixed interval of time divided by an average number of the out-of-dialog messages received over the second fixed interval of time. Further, the method comprises calculating a second ratio equal to a maximum number of messages allowed over a period of time divided by a number of messages admitted on a previous interval of time. Additionally, the method comprises calculating a maximum number of the out-of-dialog messages to be sent to a particular server over the period of time based on the first ratio and the second ratio when an overload condition has been detected.”); 
Given the teaching of DeVal, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of generating two individual ratios incorporating a message received and sent to an enterprise domain. One of ordinary skill in the art would have been motivated to modify the teachings of Bjorn and Oprea in view of DeVal, as DeVal recognizes that by implementing this feature a system can identify the difference between a first ratio and the second ratio and determine if an overload condition has been detected (¶14).
Oprea discloses:
and e) applying a weight value to the difference based on a quantity of messages corresponding to the first number and the second number, resulting in a weighted difference value for the external domain; and 2) ranking the plurality of external domains selected for the conversation detection process based on each external domain's corresponding weighted difference value; remove, from the initial set of rank-ordered external domains, a set of one or more known outlier domains, resulting in a final set of rank-ordered external domains (Column 7, Line 33: “The scores are utilized to characterize a subset of the set of rare domains as suspicious domains in the given iteration. For example, the belief propagation algorithm may be configured to return a list of suspicious domains ranked in order of their respective scores. The belief propagation algorithm terminates responsive to at least one of a highest score among the scores of the suspicious domains being below a threshold, and a maximum number of iterations being reached.; and execute one or more enhanced protection actions associated with at least one external domain of the final set of rank-ordered external domains.”). 
Given the teaching of Oprea, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of generating a rank-order of suspicious external domains that can contain malware. One of ordinary skill in the art would have been motivated to modify the teaching of Bjorn in view of Oprea, as Oprea recognizes that by implementing this feature an external domain with the highest risk score will be terminated in order to prevent that external domain from spreading malware to an enterprise domain (Column 7, Line 33).
Bjorn and Oprea disclose:
and execute one or more enhanced protection actions associated with at least one external domain of the final set of rank-ordered external domains (Oprea Column 7, Line 33: “The scores are utilized to characterize a subset of the set of rare domains as suspicious domains in the given iteration. For example, the belief propagation algorithm may be configured to return a list of suspicious domains ranked in order of their respective scores. The belief propagation algorithm terminates responsive to at least one of a highest score among the scores of the suspicious domains being below a threshold, and a maximum number of iterations being reached.”; Bjorn ¶184: “In some embodiments, the message is identified as suspicious if a spam detector, a virus detector, and/or a malware detector has detected that the message includes a spam, virus, or malware. At 1404, the message is prevented from being fully accessible by the specified recipient of the message. For example, at least a portion of the message is modified or removed. In another example, the message is quarantined and not delivered to the recipient.”).
Given the teaching of Oprea, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of generating a rank-order of suspicious external domains that can contain malware. One of ordinary skill in the art would have been motivated to modify the teaching of Bjorn in view of Oprea, as Oprea recognizes that by implementing this feature an external domain with the highest risk score will be terminated in order to prevent that external domain from spreading malware to an enterprise domain (Column 7, Line 33).
Regarding Claim 2
Bjorn discloses:
The computing platform of claim 1, wherein the memory stores additional computer-readable instructions that, when executed by the at least one processor, cause the computing platform to: send, to an internal enterprise user device, a request for one or more manually identified domains for a security scoring process; and receive, from the internal enterprise user device (¶34: “In some embodiments, recipient message server 106 performs a risk analysis for an incoming message at least in part by performing an authenticity and/or reputation analysis to determine an overall measure of risk (e.g., risk score). Performing authenticity analysis may include determining a measure of confidence that a sender identified in the message (e.g., domain of sender) is the actual sender of the message. Performing reputation analysis may include determining a measure that an identified sender of the email (e.g., domain of sender) is likely to send a message that is of value to a recipient (e.g., likelihood of sending message that a recipient would want/desire to receive).”), one or more enterprise resource planning (ERP) export files or one or more curated lists that specify the one or more manually identified domains (¶92: “Next, any traffic associated with a subdomain and domain that is not on the list of subdomains/domains that are known to send legitimate traffic is flagged, and, depending on a policy and/or contents, quarantined, blocked, marked up, or escalated for additional scrutiny.”), wherein executing the one or more enhanced protection actions comprises executing at least one enhanced protection action on at least one of the one or more manually identified domains (¶94: “The security action may include revoking access to the message, deleting the message, forwarding the message, reporting the message, further modifying the message, moving the message (e.g., to a different folder), preventing access to a portion of the message, providing an additional warning, and/or performing further analysis.”).
Regarding Claim 3
Bjorn discloses:
The computing platform of claim 1, wherein the memory stores additional computer-readable instructions that, when executed by the at least one processor, cause the computing platform to: apply one or more additional automated methods to identify one or more automatically identified domains, wherein the one or more additional automated methods comprise one or more of: inspecting domain name system (DNS) records, applying one or more heuristics, applying machine learning algorithms, using methods for domain identification, applying natural language processing algorithms, or extrapolating based on common industry data, wherein the one or more enhanced protection actions are further associated with at least one of the one or more automatically identified domains (¶105: “In some embodiments, determining the measure of global reputation for the sender includes analyzing domain registration history and Domain Name System (i.e., DNS) activity of the sender. For example, a sender that is typically reputable will register a domain name far ahead of time prior to the use of the domain while a less reputable sender will likely temporarily utilize a domain for a short period of time prior to moving on to another domain and will register a domain within a short amount of time prior to the use of the domain. In some embodiments, determining the measure of global reputation includes utilizing a component factor value determined based on the domain registration history and DNS activity analysis (e.g., add, multiply, subtract, etc. using the factor value). For example, the factor value is based at least in part on a length of time since registration of a domain of the sender, an amount of time between registration of the domain and a first use of the domain to send a message, Internet content (e.g., webpage) located at a URI utilizing the domain of the sender, an entity that registered the domain of the sender, etc.”).
Regarding Claim 4
Bjorn discloses:
The computing platform of claim 1, wherein the memory stores additional computer-readable instructions that, when executed by the at least one processor, cause the computing platform to: apply a security scoring process to the final set of rank-ordered external domains, including the at least one external domain, to compute a weighted security score for the at least one external domain of the final set of rank-ordered external domains (¶55: “In some embodiments, analyzing the message for security risks includes performing a plurality of analyses and determining a risk component score for each of the analyses. These component scores are then combined (e.g., added, weighted then added, averaged, etc.) to determine an overall risk score. In some embodiments, each of the component scores is associated with one or more specific types of risk and a separate total score is calculated for each of the different types of risk based on its associated component scores.”). 
Regarding Claim 5
Bjorn discloses:
The computing platform of claim 4, wherein applying the security scoring process to the final set of rank-ordered external domains comprises evaluating the at least one external domain based on one or more of: a security posture corresponding to the at least one external domain, historical threat information corresponding to the at least one external domain, trust metrics, reputation data, or external data corresponding to security of the at least one external domain (¶48-49: “This information about the sender is used to assess a strength of a relationship between the sender and the intended recipient of the message (e.g., along with message history between them), and if the strength value of the relationship is greater than a threshold value, it is determined that the sender of the message has an established relationship with the intended recipient. Otherwise it is determined that the sender of the message does not have an established relationship with the intended recipient. If at 206, it is determined that the message was received from the sender that has an established relationship contact with the intended recipient of the message, at 208 the message is analyzed for security risks using historical observations associated with the sender of the message with respect to the intended recipient of the message.”; ¶72: “A risk score can be computed based on the headers and the extent to which they match known good and known bad traffic. In one scoring example, a score of 100 is generated when all headers match those of the sender's past headers. A score of 35 is computed for another previously non-observed sender that fails to match any other previous sender.”).
Regarding Claim 6
Bjorn discloses:
The computing platform of claim 5, wherein applying the security scoring process to the final set of rank-ordered external domains results in: one or more domain scores corresponding to the at least one external domain, one or more sender scores corresponding to a specific sender of one or more messages originating at the at least one external domain, or one or more message scores corresponding to a specific message originating from the at least one external domain (¶29: “In some embodiments, in response to a determination that the sender of the electronic message does not have an established relationship with the intended recipient, it is determined whether an electronic message account of the sender of the electronic message is likely an independently controlled account. For example, a message that was sent from an account that belongs to a large organization that closely controls who can send a message via its domain is not an independently controlled account whereas a personal email message account is an independently controlled account. In response to a determination that the electronic message account of the sender of the electronic message is likely an independently controlled account, the message is analyzed to determine whether the message is an automatically generated message. For example, a header of the message is analyzed to determine whether the message was automatically generated using a script or a program. In response to a determination that the message is an automatically generated message, a security action is performed. For example, the electronic message may be blocked if a sufficiently high level of risk is detected and/or the message may be modified to include a warning about a security risk if a sufficiently medium level of risk is detected based on the analysis. If no or low level of risk is detected, the message may be allowed to be access by the intended recipient by delivering the message to a message inbox of the recipient.”).
Regarding Claim 7
Bjorn discloses:
The computing platform of claim 6, wherein the memory stores additional computer-readable instructions that, when executed by the at least one processor, cause the computing platform to: determine a weighted grade for the at least one external domain based on the weighted security score for the at least one external domain (¶55: “In some embodiments, analyzing the message for security risks includes performing a plurality of analyses and determining a risk component score for each of the analyses. These component scores are then combined (e.g., added, weighted then added, averaged, etc.) to determine an overall risk score. In some embodiments, each of the component scores is associated with one or more specific types of risk and a separate total score is calculated for each of the different types of risk based on its associated component scores.”).
Regarding Claim 8
Bjorn discloses:
The computing platform of claim 7, wherein executing the one or more enhanced protection actions associated with the at least one external domain comprises: comparing the weighted grade to a first enhanced protection threshold; in response to determining that the weighted grade does not exceed the first enhanced protection threshold, executing one or more informative protection actions; and in response to determining that the weighted grade exceeds the first enhanced protection threshold: comparing the weighted grade to a second enhanced protection threshold, in response to determining that the weighted grade does not exceed the second enhanced protection threshold, executing one or more active protection actions, and in response to determining that the weighted grade exceeds the second enhanced protection threshold, executing one or more automatic protection actions (¶39: “At 204, the message is profiled. In some embodiments, step 204 is only performed if it is determined that a security risk associated the message is below a threshold (e.g., risk score determined in 208 and/or 210 is below a threshold). Profiling the message includes storing information about and/or included in the message in a database to track historical observations about the sender of the message.”; ¶58: “At 212, based on a result of the analysis, a security action is performed, if applicable. In some embodiments, either in 208 or 210, one or more security risk scores are determined and based on these score(s), a security action is selected among different security action options. The selected security action is performed. The security risk score may indicate that the message is of medium risk (e.g., risk score is above the first threshold but below a second threshold) and the message is modified to include a warning prior to being allowed to be accessed by the intended recipient (e.g., allow the modified message to a message inbox of the intended recipient). 
Otherwise, the security risk score may indicate that the message is of high risk (e.g., risk score is above the second threshold) and the message not allowed to be accessed by the intended recipient (e.g., send the message to an administrator for further analysis).”).
Regarding Claim 9
Bjorn discloses:
The computing platform of claim 8, wherein executing the one or more informative protection actions comprises: generating one or more alerts, reports, enhanced security configurations, or guidelines corresponding to electronic messaging security; and sending, to an internal enterprise user device, the one or more alerts, reports, enhanced security configurations, or guidelines (¶58: “The security risk score may indicate that the message is of medium risk (e.g., risk score is above the first threshold but below a second threshold) and the message is modified to include a warning prior to being allowed to be accessed by the intended recipient (e.g., allow the modified message to a message inbox of the intended recipient). Otherwise, the security risk score may indicate that the message is of high risk (e.g., risk score is above the second threshold) and the message not allowed to be accessed by the intended recipient (e.g., send the message to an administrator for further analysis).”).
Regarding Claim 10
Bjorn discloses:
The computing platform of claim 8, wherein executing the one or more active protection actions comprises one or more of: sending one or more commands to an enterprise user device directing the enterprise user device to enforce inbound email authentication verification, wherein enforcing the inbound email authentication verification for email comprises enforcing one or more of: SPF, DKIM, DMARC, or TLS, sending one or more commands to an internal enterprise user device or an external enterprise user device directing a user to update a security configuration of an enterprise network gateway, sending one or more commands to the internal enterprise user device directing the internal enterprise user device to configure messages from the at least one external domain to include a warning message, or sending one or more commands to the internal enterprise user device or the external enterprise user device to initiate a security awareness training program (¶74: “In some embodiments, performing a security analysis includes identifying which domains and subdomains are used to send legitimate traffic, e.g., by recording what subdomains/domains are used to originate large volumes of emails, and which are not known to be spam or fraud email. For example, “large amounts” may mean greater than a threshold value, such as 100 emails per week, or at least 0.1% of the traffic associated with a particular domain, or any traffic that is not known to be good, e.g., by being associated with correct SPF and/or DKIM data in the headers. Next, any traffic associated with a subdomain and domain that is not on the list of subdomains/domains that are known to send legitimate traffic is flagged, and, depending on a policy and/or contents, quarantined, blocked, marked up, or escalated for additional scrutiny.”; ¶117: “For example, a list of IP addresses of servers that send messages for the sender is received from a user, the sender, or a published source of information about the sender. 
In some embodiments, at least a portion of the sender model is determined using message authentication/validation information about the sender. For example, IP addresses associated with a domain of the sender are obtained using standardized message authentication/validation systems (e.g., using Domain-based Message Authentication (DMARC), DomainKeys Identified Mail (DKIM), Sender Policy Framework (SPF), etc.).”). 
Regarding Claim 11
Bjorn discloses:
The computing platform of claim 8, wherein executing the one or more automatic protection actions comprises one or more of: sending one or more commands to an enterprise network gateway directing the enterprise network gateway to enforce inbound email authentication verification, wherein enforcing the inbound email authentication verification for email comprises enforcing one or more of: SPF, DKIM, DMARC, or TLS, or monitoring the enterprise network gateway to enforce the inbound email authentication verification (¶74: “In some embodiments, performing a security analysis includes identifying which domains and subdomains are used to send legitimate traffic, e.g., by recording what subdomains/domains are used to originate large volumes of emails, and which are not known to be spam or fraud email. For example, “large amounts” may mean greater than a threshold value, such as 100 emails per week, or at least 0.1% of the traffic associated with a particular domain, or any traffic that is not known to be good, e.g., by being associated with correct SPF and/or DKIM data in the headers. Next, any traffic associated with a subdomain and domain that is not on the list of subdomains/domains that are known to send legitimate traffic is flagged, and, depending on a policy and/or contents, quarantined, blocked, marked up, or escalated for additional scrutiny.”; ¶117: “For example, a list of IP addresses of servers that send messages for the sender is received from a user, the sender, or a published source of information about the sender. In some embodiments, at least a portion of the sender model is determined using message authentication/validation information about the sender. For example, IP addresses associated with a domain of the sender are obtained using standardized message authentication/validation systems (e.g., using Domain-based Message Authentication (DMARC), DomainKeys Identified Mail (DKIM), Sender Policy Framework (SPF), etc.).”).
12. A method, comprising: at a computing platform comprising at least one processor, a communication interface, and memory: monitoring an electronic messaging server associated with an enterprise organization; based on monitoring the electronic messaging server associated with the enterprise organization, identifying bi-directional messaging traffic between one or more enterprise domains associated with the enterprise organization and one or more external domains not associated with the enterprise organization; based on identifying the bi-directional messaging traffic between the one or more enterprise domains associated with the enterprise organization and the one or more external domains not associated with the enterprise organization, selecting a plurality of external domains for a conversation detection process; computing an initial set of rank-ordered external domains by: 1) for each external domain of the plurality of external domains selected for the conversation detection process: a) identifying a first number of messages sent from an enterprise domain of the one or more enterprise domains to the external domain; b) identifying a second number of messages received at the one or more enterprise domains from the external domain; c) computing a first ratio and a second ratio, wherein: the first ratio is the first number divided by the second number, and the second ratio is the second number divided by the first number; d) identifying a difference between the first ratio and the second ratio; and e) applying a weight value to the difference based on a quantity of messages corresponding to the first number and the second number, resulting in a weighted difference value for the external domain; and 2) ranking the plurality of external domains selected for the conversation detection process based on each external domain's corresponding weighted difference value; removing, from the initial set of rank-ordered external domains, a set of one or more known outlier domains, resulting in a final set of rank-ordered external domains; and executing one or more enhanced protection actions associated with at least one external domain of the final set of rank-ordered external domains (Refer to claim 1 rejection).
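The counting, ratio, weighting, ranking and outlier-removal steps recited in claim 12 (and claim 1), worked through as an added Python example that is not code from the application or from the cited references. The log format, the weight function, the ascending rank order, the tie-break and every domain name below are assumptions; the claim text fixes none of them.

```python
import math
from collections import Counter

# Constructed sample values (assumptions, not from the application).
ENTERPRISE_DOMAINS = {"corp.example"}
KNOWN_OUTLIERS = {"bigmail.example"}  # e.g. a domain excluded by policy

# Constructed message log: one (sender, recipient) pair per message.
SAMPLE_LOG = (
    [("alice@corp.example", "bob@partner.example")] * 40
    + [("bob@partner.example", "alice@corp.example")] * 38
    + [("carol@corp.example", "ap@vendor.example")] * 5
    + [("ap@vendor.example", "carol@corp.example")] * 4
    + [("dave@corp.example", "unsubscribe@newsletter.example")] * 1
    + [("news@newsletter.example", "dave@corp.example")] * 50
    + [("erin@corp.example", "friend@bigmail.example")] * 30
    + [("friend@bigmail.example", "erin@corp.example")] * 30
    + [("noreply@oneway.example", "frank@corp.example")] * 10
)


def domain_of(address):
    """Return the lower-cased domain part of an e-mail address."""
    return address.rpartition("@")[2].lower()


def count_traffic(log, enterprise_domains):
    """Steps a) and b): per external domain, count sent and received messages."""
    sent, received = Counter(), Counter()
    for sender, recipient in log:
        s, r = domain_of(sender), domain_of(recipient)
        if s in enterprise_domains and r not in enterprise_domains:
            sent[r] += 1          # enterprise -> external
        elif r in enterprise_domains and s not in enterprise_domains:
            received[s] += 1      # external -> enterprise
    return sent, received


def weighted_difference(first, second):
    """Steps c) to e) for one domain.

    first  = messages sent to the external domain
    second = messages received from the external domain
    Assumption: the weight is 1 / log2(2 + total volume), so the same
    imbalance counts for less when it is backed by more messages.
    """
    first_ratio = first / second
    second_ratio = second / first
    difference = abs(first_ratio - second_ratio)
    weight = 1.0 / math.log2(2 + first + second)
    return difference * weight


def rank_external_domains(log, enterprise_domains, known_outliers):
    """Return (initial, final) lists of (domain, weighted difference).

    Only domains with traffic in both directions are selected, which is the
    bi-directional condition and also rules out division by zero.
    Assumption: ascending order, so the most balanced exchange ranks first;
    ties are broken by higher total volume, then by name.
    """
    sent, received = count_traffic(log, enterprise_domains)
    selected = set(sent) & set(received)
    scored = [
        (d, weighted_difference(sent[d], received[d]), sent[d] + received[d])
        for d in selected
    ]
    scored.sort(key=lambda item: (item[1], -item[2], item[0]))
    initial = [(d, score) for d, score, _ in scored]
    final = [(d, score) for d, score in initial if d not in known_outliers]
    return initial, final


if __name__ == "__main__":
    initial, final = rank_external_domains(
        SAMPLE_LOG, ENTERPRISE_DOMAINS, KNOWN_OUTLIERS
    )
    for rank, (domain, score) in enumerate(final, start=1):
        print(f"{rank}. {domain:24s} weighted difference = {score:.4f}")
```

Because the difference of the two ratios is zero for any perfectly balanced exchange, the weight alone cannot separate such domains; the volume tie-break above is one way to order them.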
Regarding Claim 13
Bjorn discloses:
The method of claim 12, further comprising: send, to an internal enterprise user device, a request for one or more manually identified domains for a security scoring process; and receive, from the internal enterprise user device, one or more enterprise resource planning (ERP) export files or one or more curated lists that specifies the one or more manually identified domains, wherein executing the one or more enhanced protection actions comprises executing at least one enhanced protection action on at least one of the one or more manually identified domains (Refer to claim 2 rejection).
Regarding Claim 14
Bjorn discloses:
The method of claim 12, further comprising: applying one or more additional automated methods to identify one or more automatically identified domains, wherein the one or more additional automated methods comprises one or more of: inspecting domain name system (DNS) records, applying one or more heuristics, applying machine learning algorithms, using methods for domain identification, applying natural language processing algorithms, or extrapolating based on common industry data, wherein the one or more enhanced protection actions are further associated with at least one of the one or more automatically identified domains (Refer to claim 3 rejection).
Regarding Claim 15
Bjorn discloses:
The method of claim 12, further comprising: applying a security scoring process to the final set of rank-ordered external domains, including the at least one external domain, to compute a weighted security score for the at least one external domain of the final set of rank-ordered external domains (Refer to claim 4 rejection).
Regarding Claim 16
Bjorn discloses:
The method of claim 15, wherein applying the security scoring process to the final set of rank-ordered external domains comprises evaluating the at least one external domain based on one or more of: a security posture corresponding to the at least one external domain, historical threat information corresponding to the at least one external domain, trust metrics, reputation data, or external data corresponding to security of the at least one external domain (Refer to claim 5 rejection).
Regarding Claim 17
Bjorn discloses:
The method of claim 16, wherein applying the security scoring process to the final set of rank-ordered external domains results in: one or more domain scores corresponding to the at least one external domain, one or more sender scores corresponding to a specific sender of one or more messages originating at the at least one external domain, or one or more message scores corresponding to a specific message originating from the at least one external domain (Refer to claim 6 rejection).
Regarding Claim 18
Bjorn discloses:
The method of claim 17, further comprising: determining a weighted grade for the at least one external domain based on the weighted security score for the at least one external domain (Refer to claim 7 rejection).
Regarding Claim 19
Bjorn discloses:
The method of claim 18, wherein executing the one or more enhanced protection actions associated with the at least one external domain comprises: comparing the weighted grade to a first enhanced protection threshold; in response to determining that the weighted grade does not exceed the first enhanced protection threshold, executing one or more informative protection actions; and in response to determining that the weighted grade exceeds the first enhanced protection threshold: comparing the weighted grade to a second enhanced protection threshold, in response to determining that the weighted grade does not exceed the second enhanced protection threshold, executing one or more active protection actions, and in response to determining that the weighted grade exceeds the second enhanced protection threshold, executing one or more automatic protection actions (Refer to claim 8 rejection).
Regarding Claim 20
One or more non-transitory computer-readable media storing instructions that, when executed by a computing platform comprising at least one processor, a communication interface, and memory, cause the computing platform to: monitor an electronic messaging server associated with an enterprise organization; based on monitoring the electronic messaging server associated with the enterprise organization, identify bi-directional messaging traffic between one or more enterprise domains associated with the enterprise organization and one or more external domains not associated with the enterprise organization; based on identifying the bi-directional messaging traffic between the one or more enterprise domains associated with the enterprise organization and the one or more external domains not associated with the enterprise organization, select a plurality of external domains for a conversation detection process; compute an initial set of rank-ordered external domains by: 1) for each external domain of the plurality of external domains selected for the conversation detection process: a) identifying a first number of messages sent from an enterprise domain of the one or more enterprise domains to the external domain; b) identifying a second number of messages received at the one or more enterprise domains from the external domain; c) computing a first ratio and a second ratio, wherein: the first ratio is the first number divided by the second number, and the second ratio is the second number divided by the first number; d) identifying a difference between the first ratio and the second ratio; and e) applying a weight value to the difference based on a quantity of messages corresponding to the first number and the second number, resulting in a weighted difference value for the external domain; and 2) ranking the plurality of external domains selected for the conversation detection process based on each external domain's corresponding weighted difference value; remove, from the initial set of rank-ordered external domains, a set of one or more known outlier domains, resulting in a final set of rank-ordered external domains; and execute one or more enhanced protection actions associated with at least one external domain of the final set of rank-ordered external domains (Refer to claim 1 rejection).
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAAD ABDULLAH whose telephone number is 571-272-1531. The examiner can normally be reached on Monday-Friday 9am-5pm EST. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, LYNN FIELD, can be reached on 571-272-2092.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SAAD AHMAD ABDULLAH/Examiner, Art Unit 2431

/SHIN-HON (ERIC) CHEN/Primary Examiner, Art Unit 2431