DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
The text of those sections of Title 35 U.S. Code not included in this section can be found in the prior office action.
The prior office actions are incorporated herein by reference. In particular, the observations with respect to claim language, and response to previously presented arguments.	
Claims 1, 2, 5-9, 12-28, now renumbered as claims 1-24, have been examined. 

Information Disclosure Statement
The information disclosure statements (IDSs) submitted on 03/31/2022, 05/23/2022, 06/17/2022, 06/30/2022 and 07/14/2022 are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statements are being considered by the examiner.

EXAMINER’S AMENDMENT
Authorization for this examiner’s amendment was given in an interview with Mr. Robyn Wagner on 09/07/2022.
If any additional fees are required during the pendency of the subject application, please charge such fees or credit any overpayment to Deposit Account No. 50-0685 (ABNOPO001C1)
Claims 1, 7, 9 and 17 have been amended as follows:
1. (Currently Amended) A system, comprising: 
a processor configured to: 
receive an email addressed to an employee of an enterprise; 
apply a first model to the email to produce a first output indicative of whether the email is representative of a non-malicious email, wherein the first model is trained using past emails addressed to the employee that have been verified as non-malicious emails; 
determine, based on the first output, that the email is potentially a malicious email; 
responsive to determining that the email is potentially a malicious email based on the first output, apply a second model to the email to produce a second output indicative of whether the email is representative of a given type of malicious email, and wherein the processor is further configured to upload information associated with the goal to a profile of the employee; and 
perform an action with respect to the email based on the second output; and 
a memory coupled to the processor and configured to provide the processor with instructions.

7. (Currently Amended) The system of claim 1, wherein at least one model included in the plurality of models determines whether content in a given email includes a link to a Hypertext Markup Language (HTML) resource.

9. (Currently Amended) The system of claim 1, wherein at least one model included in the plurality of models discovers one or more facets of [[the]] a security threat associated with the malicious email.

17. (Currently Amended) A method, comprising: 
receiving an email addressed to an employee of an enterprise; 
applying a first model to the email to produce a first output indicative of whether the email is representative of a non-malicious email, wherein the first model is trained using past emails addressed to the employee that have been verified as non-malicious emails; 
determining, based on the first output, that the email is potentially a malicious email; 
responsive to determining that the email is potentially a malicious email based on the first output, applying a second model to the email to produce a second output indicative of whether the email is representative of a given type of malicious email, wherein the second model is one of a plurality of models, each of which is respectively associated with a different type of malicious email, wherein at least one model included in the plurality of models determines a goal of the malicious email, and further comprising uploading information associated with the goal to a profile of the employee; and 
performing an action with respect to the email based on the second output.

New Claims 18-28 have been added as follows:
18. (New)	The method of claim 17, wherein the second output indicates that the email is not of the given type of malicious email, and wherein performing the action comprises forwarding the email to an inbox of the employee.

19. (New)	The method of claim 17, wherein at least one model included in the plurality of models determines whether content in a given email includes a query for data.

20. (New)	The method of claim 17, wherein at least one model included in the plurality of models includes determining whether content in a given email includes a query for funds.

21. (New)	The method of claim 17, wherein at least one model included in the plurality of models determines whether content in a given email includes a link to a Hypertext Markup Language (HTML) resource.

22. (New)	The method of claim 17, wherein at least one model included in the plurality of models determines whether a given email includes an attachment.

23. (New)	The method of claim 17, wherein at least one model included in the plurality of models discovers one or more facets a security threat associated with the malicious email.

24. (New)	The method of claim 17, wherein the plurality of models collectively produce a plurality of outputs when applied to the email, and wherein the processor is further configured to apply a third model designed to aggregate at least two of the plurality of outputs produced into a comprehensible visualization component.

25. (New)	The method of claim 17, wherein the second output indicates that the email includes a link to a Hypertext Markup Language (HTML) resource, and wherein performing the action comprises:
following the link so that the HTML resource is accessed using a virtual web browser;
extracting a Document Object Model (DOM) for the HTML resource through the virtual web browser; and
analyzing the DOM to determine whether the link represents a security threat.

26. (New)	The method of claim 17, wherein the second output indicates that the email includes a primary link to a resource hosted by a network-accessible hosting service, and wherein performing the action comprises:
following the primary link so that the resource is accessed using a virtual web browser;
discovering whether any secondary links to secondary resources are present by examining content of the resource through the virtual web browser;
for each secondary link, following the secondary link so that the corresponding secondary resource is accessed using the virtual web browser and analyzing content of the corresponding secondary resource to determine whether the secondary link represents a security threat; and
determining whether the primary link represents a security threat based on whether any secondary links were determined to represent security threats.

27. (New)	The method of claim 17, 
wherein the second output indicates that the email includes a link to a Hypertext Markup Language (HTML) resource, and wherein performing the action comprises:
following the link so that the HTML resource is accessed using a virtual web browser;
capturing a screenshot of the HTML resource through the virtual web browser; 
applying a computer vision algorithm designed to identify similarities between the screenshot and a library of verified sign-in websites; and
determining whether the link represents a security threat based on an output produced by the computer vision algorithm.

28. (New)	The method of claim 17, wherein the second output indicates that the email includes an attachment, and wherein performing the action comprises:
opening the attachment within a secure processing environment; and
determining whether the attachment represents a security threat based on an analysis of content of the attachment.

Allowable Subject Matter
Claims 1, 2, 5-9, 12-28 are allowed over prior art of record.

Response to Arguments
Applicant’s arguments, see Remarks filed on 05/23/2022, have been fully considered and are persuasive.  

Examiner's Statement of Reasons for Allowance
The following is an examiner’s statement of reasons for allowance: 
Independent claims 1 and 17 are allowed in view of the examiner’s amendment and for reasons presented by the applicant in the Remarks. Claims 2, 5-9, 12-16 and 18-28 depend on one of the above independent claims and are therefore, allowed by virtue of their dependency.
Prior art of record Bruss teaches: A logistic regression classifier is trained using an employee’s emails. When a new email is detected, the unstructured data of the email such as subject-line data and body text along with semi-structured data such as header data is analyzed by the classifier. Based on the analysis, the classifier determines whether the email is likely malicious. Prior art of record Caspi teaches: a first malware detector comprising a deep learning neural network detects whether a file consists of malware. If the file constitutes malware, the first malware detector transmits the file to a malware determination system to determine the category of the malware. The malware determination system comprises of a machine learning model that determines probabilities that the malware belongs to one or more categories. Depending on the category of malware, appropriate cure is performed. Prior art of record Luo teaches: A classification model comprises of k+1 machine learning models where k represents k-1 types of virus and 1 type of normal file and k is greater than or equal to 2. The features of a file to be analyzed are extracted and converted into vectors. The vectors are fed into the classification model where the k+1 machine learning models analyze the vectors and classify the file to a specific type of virus. Prior art US 10834127 to Yeh et al teaches: A trained machine learning model receives a target email addressed to an employee from a sender and determines the intention (goal) of the target email by finding a reference BEC (business email compromise) email from collected BEC email samples that is most similar to the received email. An email's intention is what the sender is trying to accomplish or induce the recipient to perform. Email intentions include: requesting for money, requesting for a password, ask for a particular sensitive information etc. When the target email is determined to be a BEC email based on the similarity between the target email and reference BEC email, an action such as stamping the target email with a warning message before sending it to the recipient is performed. 
However, the prior arts fail to teach: “upload information associated with the goal to a profile of the employee”, i.e., prior arts teach determining the intention (goal) of email but fail to teach uploading the information regarding the intention to the employee’s profile. 
None of the prior art of record, either taken by itself or in any combination, would have anticipated or made obvious the invention of the present application at or before the time it was filed.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 
US 10601865 to Mesdaq et al: A non-transitory computer readable storage medium having stored thereon instructions when executable by a processor perform operations including responsive to receiving an email including a URL, conducting an analysis of the email including: (i) analyzing a header and a body, and (ii) analyzing the URL; analyzing contents of a web page directed to by the URL; generating a score indicating a level of confidence the email is associated with a phishing attack based on at least one of the analysis of the email or the analysis of the contents of the web page; and responsive to the score being below a threshold, virtually processing the web page to determine whether the web page is associated with the phishing attack is shown.
	
	
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MADHURI R HERZOG whose telephone number is (571)270-3359. The examiner can normally be reached 8:30AM-5:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached on (571)272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

MADHURI R. HERZOG
Primary Examiner
Art Unit 2438



/MADHURI R HERZOG/Primary Examiner, Art Unit 2438