DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 04/16/2021.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.
Applicant should note that the large number of references in the attached IDSs have been considered by the examiner in the same manner as other documents in Office search files are considered by the examiner while conducting a search of the prior art in a proper field of search. See MPEP 609.05(b). Applicant is invited to point out any particular reference(s) in the IDS that they believe may be of particular relevance to the instant claimed invention in response to this Office Action. It is desirable to avoid the submission of long lists of documents if it can be avoided. If a long list is submitted, highlight those documents which have been specifically brought to applicant’s attention and/or are known to be of most significance. See Penn Yan Boats, Inc. v. Sea Lark Boats, Inc., 359 F. Supp. 948, 175 USPQ 260 (S.D. Fla. 1972), aff ’d, 479 F.2d 1338, 178 USPQ 577 (5th Cir. 1973), cert. denied, 414 U.S. 874 (1974).  But cf. Molins PLC v. Textron Inc., 48 F.3d 1172, 33 USPQ2d 1823 (Fed. Cir. 1995).

Drawings
The drawings were received on 04/16/2021.  These drawings are accepted.

Claim Objections
Claim 1 is objected to because of the following informalities:  
Claim 1 states “one or more processors” in line 17. It should be “the one or more processors”.  
Appropriate correction is required.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


Claims 13-17 are rejected under 35 U.S.C. 112(b). Claims 13-17 respectively recite the limitation "being configured to perform the security action".  There is insufficient antecedent basis for this limitation in the claim. For the sole purpose of prior art analysis, examiner has interpreted the limitation to recite as follows "being configured to perform a security action".

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1- 20 of U.S. Patent No. US 11019076 B1 (hereinafter “Pat-076”). Although the claims at issue are not identical, they are not patentably distinct from each other since claims 1-20 of Pat-075 contains every elements of claims 1-20 of instant application. Thus, Claims 1-20 are anticipated by Pat-076. Please refer to the table below for the detailed comparison.
Instant Application 17/233217
Pat-076
1, 19 and 20
one or more processors configured to: 
one or more memory coupled to the one or more processors and configured to provide the one or more processors with instructions.


track an identity profile of a user using previous message communications of the user; 

receive a message identified as potentially from the user; 

identify and obtain the identity profile of the user; 

extract information from a header of the received message; 

determine a security risk assessment of the received message at least in part by comparing the extracted information with one or more corresponding entries of the identity profile of the user including by being configured to detect a change between at least a portion of the extracted information and at least one entry of the identity profile of the user and evaluating the detected change based on a likelihood-of-change probability associated with a likelihood that the at least one entry of the identity profile would change over time, wherein the likelihood-of-change probability is based on previously detected changes overtime in the previous message communications of the user; and 













perform a security action based on the determined security risk assessment; and 



20

a processor; and
a memory coupled with the processor, wherein the memory is configured to provide the processor with instructions which when executed cause the processor to:

track an identity profile of a user using previous message communications of the user;

receive a message identified as potentially from the user;

identify and obtaining the identity profile of the user;

extract information from a header of the received message;

determining a security risk assessment of the received message at least in part by comparing the extracted information with one or more corresponding entries of the identity profile of the user including by detecting a change between at least a portion of the extracted information and at least one entry of the identity profile of the user and evaluating the detected change based on a likelihood-of-change probability associated with a likelihood that the at least one entry of the identity profile would change over time, 






wherein the likelihood-of-change probability is determined using previously detected changes over time in the previous message communications of the user including by computing a measurement of a distribution of a frequency of changes between different types of mail user agents used by the user; and




perform a security action based on the determined security risk assessment.





2
The system of claim 1, wherein the likelihood-of-change probability is determined not using the detected change but only using the previously detected changes over time in the previous message communications of the user.
2
The system of claim 1, wherein the likelihood-of-change probability is determined not using the detected change but only using the previously detected changes over time in the previous message communications of the user.
3
The system of claim 1, wherein the extracted information includes information identifying an operating system used by a sender of the received message.
3
The system of claim 1, wherein the extracted information includes information identifying an operating system used by a sender of the received message.
5
The system of claim 1, wherein the extracted information includes information identifying a script used by a sender of the received message.
5
The system of claim 1, wherein the extracted information includes information identifying a script used by a sender of the received message.
6
The system of claim 1, wherein being configured to identify and obtain the identity profile of the user includes being configured to identify the identity profile of the user with a display name of a sender of the received message.
6
The system of claim 1, wherein being configured to identify and obtain the identity profile of the user includes being configured to identify the identity profile of the user with a display name of a sender of the received message.
7
The system of claim 1, wherein being configured to determine the security risk assessment includes being configured to determine that the user of the identity profile is likely not a sender of the received message.
7
The system of claim 1, wherein being configured to determine the security risk assessment includes being configured to determine that the user of the identity profile is likely not a sender of the received message.
8
The system of claim 1, wherein being configured to compare the extracted information with the one or more corresponding entries of the identity profile of the user includes being configured to determine that although a mail user agent utilized by the received message does not exactly match a mail user agent specified in the identity profile, the mail user agent utilized by the received message is a newer version of the mail user agent utilized specified in the identity profile
8
The system of claim 1, wherein being configured to compare the extracted information with the one or more corresponding entries of the identity profile of the user includes being configured to determine that although a mail user agent utilized by the received message does not exactly match a mail user agent specified in the identity profile, the mail user agent utilized by the received message is a newer version of the mail user agent utilized specified in the identity profile
9
The system of claim 1, wherein being configured to determine the security risk assessment of the received message includes being configured to determine that the message has likely been compromised by a phishing attack at least in part by determining that a sender message account of the received message matches an entry in the identity profile as a trusted message account but a device identifier extracted from the received message does not match a trusted device identifier in the identity profile and a network utilized to send the received message does not match a trusted network specified in the identity profile.
9
The system of claim 1, wherein being configured to determine the security risk assessment of the received message includes being configured to determine that the message has likely been compromised by a phishing attack at least in part by determining that a sender message account of the received message matches an entry in the identity profile as a trusted message account but a device identifier extracted from the received message does not match a trusted device identifier in the identity profile and a network utilized to send the received message does not match a trusted network specified in the identity profile.
10
The system of claim 1, wherein being configured to determine the security risk assessment of the received message includes being configured to determine that the received message is likely a part of a display name deception attack at least in part by determining that a sender message account of the received message does not match an entry in the identity profile but a sender display name of the received message matches an entry in the identity profile and a device identifier extracted from the received message does not match a trusted device identifier in the identity profile and a network utilized to send the received message does not match a trusted network specified in the identity profile.
10
The system of claim 1, wherein being configured to determine the security risk assessment of the received message includes being configured to determine that the received message is likely a part of a display name deception attack at least in part by determining that a sender message account of the received message does not match an entry in the identity profile but a sender display name of the received message matches an entry in the identity profile and a device identifier extracted from the received message does not match a trusted device identifier in the identity profile and a network utilized to send the received message does not match a trusted network specified in the identity profile.
11
The system of claim 1, wherein being configured to determine the security risk assessment of the received message includes being configured to determine that the received message was sent by malware at least in part due to determining that the received message was sent using automation but the identity profile does not identify the user as being trusted to send messages using automation.
11
The system of claim 1, wherein being configured to determine the security risk assessment of the received message includes being configured to determine that the received message was sent by malware at least in part due to determining that the received message was sent using automation but the identity profile does not identify the user as being trusted to send messages using automation.
12
The system of claim 1, wherein being configured to determine the security risk assessment of the received message includes being configured to determine that the received message was sent by the user despite a network utilized to send the received message not matching a trusted network specified in the identity profile at least in part because a sender message account of the message matches an entry in the identity profile as a trusted message account and a device identifier extracted from the message matches a trusted device identifier in the identity profile.
12
The system of claim 1, wherein being configured to determine the security risk assessment of the received message includes being configured to determine that the received message was sent by the user despite a network utilized to send the received message not matching a trusted network specified in the identity profile at least in part because a sender message account of the message matches an entry in the identity profile as a trusted message account and a device identifier extracted from the message matches a trusted device identifier in the identity profile.
13
The system of claim 1, wherein being configured to perform the security action includes being configured to update the identity profile based on the extracted information of the received message.
13
The system of claim 1, wherein being configured to perform the security action includes being configured to update the identity profile based on the extracted information of the received message.
14
The system of claim 1, wherein being configured to perform the security action includes being configured to add a device identifier to the identity profile of the user based on a determination that a sufficient number of messages have been received with the device identifier from a trusted account and via a trusted network.
14
The system of claim 1, wherein being configured to perform the security action includes being configured to add a device identifier to the identity profile of the user based on a determination that a sufficient number of messages have been received with the device identifier from a trusted account and via a trusted network.
15
The system of claim 1, wherein being configured to perform the security action includes being configured to add a new message account identifier of a new account to the identity profile of the user based on a determination that a sufficient number of messages have been received from the new account specifying a trusted device identifier and a trusted network.
15
The system of claim 1, wherein being configured to perform the security action includes being configured to add a new message account identifier of a new account to the identity profile of the user based on a determination that a sufficient number of messages have been received from the new account specifying a trusted device identifier and a trusted network.
16
The system of claim 1, wherein being configured to perform the security action includes being configured to modify a display name of a sender of the message prior to allowing an intended recipient of the received message to access the received message.
16
The system of claim 1, wherein being configured to perform the security action includes being configured to modify a display name of a sender of the message prior to allowing an intended recipient of the received message to access the received message.
17
The system of claim 1, wherein being configured to perform the security action includes being configured to perform one or more of the following: sending a verification challenge to an alternative contact of a sender of the received message; performing additional analysis of the received message; quarantining the received message; blocking the received message; executing an executable included in the received message in a sandbox or a virtual machine; adding a warning to the received message; and moving the received message to a different folder.
17
The system of claim 1, wherein being configured to perform the security action includes being configured to perform one or more of the following: sending a verification challenge to an alternative contact of a sender of the received message; performing additional analysis of the received message; quarantining the received message; blocking the received message; executing an executable included in the received message in a sandbox or a virtual machine; adding a warning to the received message; and moving the received message to a different folder.
18
The system of claim 1, wherein the likelihood-of-change probability is based on a measurement of a distribution of a frequency of changes in the previously detected changes overtime in the previous message communications of the user.
20
the likelihood-of-change probability is determined using previously detected changes over time in the previous message communications of the user including by computing a measurement of a distribution of a frequency of changes between different types of mail user agents used by the user



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 2, 4, 6, 7, 13, 15, 19 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Prakash (US 20160014151 A1) in view of Helsper et al. (US 20060168066 A1 hereinafter “Helsper”) in view of Foster et al. (US 9027134 B2 hereinafter “Foster”, IDS filed on 04/16/2021).
Regarding independent claim 1, Prakash discloses a system, comprising (Fig. 5A): 
track an identity profile of a user using previous message communications of the user (par. 0116, obtaining one or more message characteristic by parsing the received message from a sender based on a set of predetermined message characteristics at steps 510a-550a (“using previous message communications of user”). A classification engine is applied to the message characteristic to define a message characteristic pattern (“track an identity profile of a user”); See a specific example of parsing the received message in para. 0134. The classification engine will be utilized to create the actual sender message characteristic pattern for John Smith. The name John Smith could be used to receive all actual sender message characteristic patterns created for a John Smith (example of the “track an identity profile of a user”)); 
receive a message identified as potentially from the user (par. 0116, receiving a new received message at 560a); 
identify and obtain the identity profile of the user (par. 0116, applying the classification engine to the new received message to define a new received message characteristic pattern (“identify and obtain the identity profile of the user”) at 570 a); 
extract information from a header of the received message (par. 0116: the message characteristic comprising one or more of a sender message characteristic or a recipient message characteristic, storing the message characteristic in a database at 540 a (“extract information”); par. 0070, the message characteristic comprising a message metadata present in a header portion of the received message (“header of the receive message”)); 
perform a security action based on the determined security risk assessment (par. 0116, using the results of the comparison to influence the likelihood of the received message being a phishing message at 590a (“perform a security action”)); and 
one or more memory coupled to the one or more processors and configured to provide the one or more processors with instructions (par. 0229-0230, processor 810 and memory 820 are capable of receiving the instructions and/or data and processing the instructions of a computer program for execution within the computer system).
Although Prakash teaches “comparing the new received message characteristic pattern” in paragraph 0116, it does not explicitly teaches “determine a security risk assessment of the received message at least in part by comparing the extracted information with one or more corresponding entries of the identity profile of the user including by being configured to detect a change between at least a portion of the extracted information and at least one entry of the identity profile of the user”.
Helsper in analogous art discloses the system, wherein determine a security risk assessment of the received message at least in part by comparing the extracted information with one or more corresponding entries of the identity profile of the user including by being configured to [[detect a change]] between at least a portion of the extracted information and at least one entry of the identity profile of the user (par. 0091-0094, the email message is scored based on one factor based on the level of trust associated with a URL extracted from the email 402 (“the extracted information with one corresponding entry of the identity profile of the user”, the instant application states, in par. 0044, the identity profile including “a time zone and an IP address”). The level of trust associated with the URL is determined as a function of an IP address associated with the URL. It is determined if one or more of the URLs are associated with a Trusted Server. The IP address associated with the URL may be determined by querying a DNS server (analogous to “detect a change”, cures by Foster below). For example, if each of the one or more URLs are associated with a Trusted Server, the risk score is optimized to reflect that the email is less likely to be a phishing email 503 (“comparing the extracted information with corresponding entries”)). 
Before the effective filing date, it would have been obvious for one of ordinary skill in the art to have modified the elements disclosed by Prakash with the teachings of Helsper to determine a security risk assessment of the received message at least in part by comparing the extracted information with one or more corresponding entries of the identity profile of the user including by being configured to detect a change between at least a portion of the extracted information and at least one entry of the identity profile of the user. One of ordinary skill in the art would have been motivated to make this modification because the server (or the system) parses the email message to obtain information which is used in an algorithm to create a phishing score (or the security risk assessment). If the phishing score exceeds a predetermined threshold, the email is determined to be a phishing email message (para. 0017).
Although Helsper teaches “determining if one or more of the URLs are associated with a Trusted Server”, the combination does not teach “evaluating the detected change based on a likelihood-of-change probability associated with a likelihood that the at least one entry of the identity profile would change over time, wherein the likelihood-of-change probability is based on previously detected changes overtime in the previous message communications of the user”.
In a same field of endeavor, Foster states the invention regarding scoring algorithm of a user profile, for example, assigning a confidence level to a social risk score, to prevent purposes of phishing user data, or spreading computer viruses.
Foster in analogous art further discloses the system, wherein evaluating the detected change based on a likelihood-of-change probability associated with a likelihood that the at least one entry of the identity profile would change over time (col. 19 ln. 03-10, The security analysis engine 101 may determine a confidence score for the risk score (“likelihood-of-change probability associated w/ a likelihood”). The confidence score may be statistically determined (“evaluating the detected change based on a likelihood-of-change probability over time”, according para. 0045, the instant application states that “statistics allow a determination of the likelihood that various aspects of a message”. Thus, Examiner asserts that the confidence score is considered as the likelihood-of-change probability), and may be used to indicate the reliability of the determined risk score), 
wherein the likelihood-of-change probability is based on previously detected changes overtime in the previous message communications of the user (col. 19 ln. 10-31, The confidence score  is for a current risk score, take into account previously determined risk scores (“likelihood-of-change probability is based on previously detected changes overtime”). For the risk score, the security analysis engine 101 may compare one or more generated references to one or more known references. The one or more known references may be references to characteristics of identified data that may have been previously analyzed and assigned a level of risk by the security analysis engine 101 during a set time period (See, col 08 ln. 34-39), “only using the previously detected changes over time”)).
Before the effective filing date, it would have been obvious for one of ordinary skill in the art to have modified the elements disclosed by Prakash and Helsper with the teachings of Foster to evaluate the detected change based on a likelihood-of-change probability associated with a likelihood that the at least one entry of the identity profile would change over time, wherein the likelihood-of-change probability is based on previously detected changes overtime in the previous message communications of the user. One of ordinary skill in the art would have been motivated to make this modification because a risk score is determined based on each of the comparisons, and a confidence score for the risk score is determined (col. 01 ln. 54-61). Thus, defense engine (or the system) identifies live attacks can be paired with a predictive analysis framework that identifies dormant risks before attacks occur since the predictive analysis framework can be driven by a scoring algorithm.

Regarding claim 2, the combination of Prakash, Helsper and Foster discloses the system of claim 1, wherein the likelihood-of-change probability is determined not using the detected change but only using the previously detected changes over time in the previous message communications of the user (col. 19 ln. 10-31, The confidence score  is for a current risk score, take into account previously determined risk scores (“likelihood-of-change probability is based on previously detected changes overtime”). For the risk score, the security analysis engine 101 may compare one or more generated references to one or more known references. The one or more known references may be references to characteristics of identified data that may have been previously analyzed and assigned a level of risk by the security analysis engine 101 during a set time period (See, col 08 ln. 34-39), “only using the previously detected changes over time”)).

Regarding claim 4, the combination of Prakash, Helsper and Foster discloses the system of claim 1, wherein the extracted information includes information identifying a computer network used by a sender of the received message (Prakash: par. 070, a geography associated with an IP address of the sender; the IP address of the sender cross referenced with a geo-IP database to determine the location of the sender).

Regarding claim 6, the combination of Prakash, Helsper and Foster discloses the system of claim 1, wherein being configured to identify and obtain the identity Attorney Docket No. AGARPOO7C174 PATENTprofile of the user includes being configured to 
identify the identity profile of the user with a display name of a sender of the received message (Prakash: par. 0070-0071, the message characteristic comprising: a message metadata present a name of the sender, a from and a reply to email address (“a sender of the received message”). The value of the message characteristics representing the name of the message sender is compared to the recipient background information and if the name of the message sender is not found the message is marked as being more dangerous (“identify and obtain the identity Attorney Docket No. AGARPOO7C174 PATENTprofile of the user”); par. 0244, The configuration and management module 176 may then output logs of received messages and any associated phishing activity for viewing on a display device (“display name of a sender of the received message” when the names are not matched)).

Regarding claim 7, the combination of Prakash, Helsper and Foster discloses the system of claim 1, wherein being configured to determine the security risk assessment includes being configured to 
determine that the user of the identity profile is likely snot a sender of the received message (par. 0071, if the name of the message sender is not found the message is marked as being more dangerous  (“being snot likely a sender of the received message”)).

Regarding claim 13, the combination of Prakash, Helsper and Foster discloses the system of claim 1, wherein being configured to perform the security action includes 10being configured to 
update the identity profile based on the extracted information of the received message (col, 19 ln44-55., the security analysis engine 101 may generate a reference for each of the one or more additional characteristics (1017). Security analysis engine 101 may, for instance, create a reference to a characteristic by tagging the characteristic, and may store the reference in a database that is accessible to the security analysis engine 101 (“update the identity profile based on the extracted information of the received message”). The security analysis engine may compare the additional references to one or more known references (1019) (another type of  “update the identity profile”)).

Regarding claim 15, the combination of Prakash, Helsper and Foster discloses the system of claim 1, wherein being configured to perform the security action includes being configured to 
add a new message account identifier of a new account to the identity profile of the user based on a determination that a sufficient number of messages have been received from the new account specifying a trusted device identifier and a trusted network (Prakash: par. 0144-0145, the method further comprises training a classification engine on a minimum number of historical messages (“a sufficient number of messages”) from the actual sender to create at least one new actual sender message characteristic pattern (“add a new message account identifier of a new account to the identity profile of the user”), and the at least one new actual sender message characteristic pattern comprises at least one positive actual sender message characteristic label (“a trusted device identifier and a trusted network”) whereby a positive comparison of the at least one second message characteristic to the at least one positive actual sender message characteristic label increases the probability that the indicated sender is the actual sender).

Regarding independent claim 19, Prakash discloses a method, comprising: 
tracking an identity profile of a user using previous message communications of the user (par. 0116, obtaining one or more message characteristic by parsing the received message from a sender based on a set of predetermined message characteristics at steps 510a-550a (“using previous message communications of user”). A classification engine is applied to the message characteristic to define a message characteristic pattern (“track an identity profile of a user”); See a specific example of parsing the received message in para. 0134. The classification engine will be utilized to create the actual sender message characteristic pattern for John Smith. The name John Smith could be used to receive all actual sender message characteristic patterns created for a John Smith (“track an identity profile of a user”)); 
extracting information from a header of the received message (par. 0116: the message characteristic comprising one or more of a sender message characteristic or a recipient message characteristic, storing the message characteristic in a database at 540 a (“extract information”); par. 0070, the message characteristic comprising a message metadata present in a header portion of the received message (“header of the receive message”)); 
performing a security action based on the determined security risk assessment (par. 0116, using the results of the comparison to influence the likelihood of the received message being a phishing message at 590a (“perform a security action”)).
Although Prakash teaches “comparing the new received message characteristic pattern” in paragraph 0116, it does not explicitly teaches “determining a security risk assessment of the received message at least in part by comparing the extracted information with one or more corresponding entries of the identity profile of the user including by detecting a change between at least a portion of the extracted information and at least one entry of the identity profile of the user”.
Helsper in analogous art discloses the method, wherein determining a security risk assessment of the received message at least in part by comparing the extracted information with one or more corresponding entries of the identity 10profile of the user including by detecting a change between at least a portion of the extracted information and at least one entry of the identity profile of the user (par. 0091-0094, the email message is scored based on one factor based on the level of trust associated with a URL extracted from the email 402 (“the extracted information with one corresponding entry of the identity profile of the user”, the instant application states, in par. 0044, the identity profile including “a time zone and an IP address”). The level of trust associated with the URL is determined as a function of an IP address associated with the URL. It is determined if one or more of the URLs are associated with a Trusted Server. The IP address associated with the URL may be determined by querying a DNS server (analogous to “detect a change”, cures by Foster below). For example, if each of the one or more URLs are associated with a Trusted Server, the risk score is optimized to reflect that the email is less likely to be a phishing email 503 (“comparing the extracted information with corresponding entries”)). 
Before the effective filing date, it would have been obvious for one of ordinary skill in the art to have modified the elements disclosed by Prakash with the teachings of Helsper to determining a security risk assessment of the received message at least in part by comparing the extracted information with one or more corresponding entries of the identity profile of the user including by detecting a change between at least a portion of the extracted information and at least one entry of the identity profile of the user. One of ordinary skill in the art would have been motivated to make this modification because the server (or the method) parses the email message to obtain information which is used in an algorithm to create a phishing score (or the security risk assessment). If the phishing score exceeds a predetermined threshold, the email is determined to be a phishing email message (para. 0017).
Although Helsper teaches “determining if one or more of the URLs are associated with a Trusted Server”, the combination does not teach “evaluating the detected change based on a likelihood-of-change probability associated with a likelihood that the at least one entry of the identity profile would change over time, wherein the likelihood-of-change probability is based on previously detected changes overtime in the previous message communications of the user”.
Foster in analogous art further discloses the method, wherein evaluating the detected change based on a likelihood-of-change probability associated with a likelihood that the at least one entry of the identity profile would change over time (col. 19 ln. 03-10, The security analysis engine 101 may determine a confidence score for the risk score (“likelihood-of-change probability associated w/ a likelihood”). The confidence score may be statistically determined (“evaluating the detected change based on a likelihood-of-change probability over time”, according para. 0045, the instant application states that “statistics allow a determination of the likelihood that various aspects of a message”. Thus, Examiner asserts that the confidence score is considered as the likelihood-of-change probability), and may be used to indicate the reliability of the determined risk score), 
wherein the likelihood-of-change probability is based on previously detected changes overtime in the previous message iscommunications of the user (col. 19 ln. 10-31, The confidence score  is for a current risk score, take into account previously determined risk scores (“likelihood-of-change probability is based on previously detected changes overtime”). For the risk score, the security analysis engine 101 may compare one or more generated references to one or more known references. The one or more known references may be references to characteristics of identified data that may have been previously analyzed and assigned a level of risk by the security analysis engine 101 during a set time period (See, col 08 ln. 34-39), “only using the previously detected changes over time”)).
Before the effective filing date, it would have been obvious for one of ordinary skill in the art to have modified the elements disclosed by Prakash and Helsper with the teachings of Foster to evaluate the detected change based on a likelihood-of-change probability associated with a likelihood that the at least one entry of the identity profile would change over time, wherein the likelihood-of-change probability is based on previously detected changes overtime in the previous message communications of the user. One of ordinary skill in the art would have been motivated to make this modification because a risk score is determined based on each of the comparisons, and a confidence score for the risk score is determined (col. 01 ln. 54-61). Thus, defense engine (or the system) identifies live attacks can be paired with a predictive analysis framework that identifies dormant risks before attacks occur since the predictive analysis framework can be driven by a scoring algorithm.

Regarding independent claim 20, it is a computer program product being embodied in a non-transitory computer readable storage medium claim that corresponds to claim 19. Therefore, the claim is rejected for at least the same reasons.


Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Prakash (US 20160014151 A1) in view of Helsper et al. (US 20060168066 A1 hereinafter “Helsper”) in view of Foster et al. (US 9027134 B2 hereinafter “Foster”, IDS filed on 04/16/2021) as applied to claim 1 above, and further in view of Avritch et al.(US 20070143407 A1 hereinafter Avritch).
Regarding claim 3, Foster teaches, in para. 0070, a messaging client a software used by the sender or sender organization. However, the combination of Prakash, Helsper and Foster does not explicitly teaches “the extracted information includes information identifying an operating system used by a sender of the received message”.
Avritch in an analogous art discloses the system of claim 1, wherein the extracted information includes information identifying an operating system used by a sender of the received message (claim. 0103, d) at the receiver's side, … d2) processing the received result-incorporated e-mail message to assess the integrity of the e-mail message, wherein: the request further comprises sender verification information; …further comprising: providing the sender verification information from a database associated with an operating system of the client computer at the sender's side (“extracted information includes information identifying an operating system used by a sender”)).
Before the effective filing date, it would have been obvious for one of ordinary skill in the art to have modified the elements disclosed by Prakash, Helsper and Foster to incorporate the teachings of Avritch by providing extracted information includes information identifying an operating system used by a sender of the received message. One of ordinary skill in the art would have been motivated to make this modification because the verification information automatically synchronizes the sender verification information in the operating system database and corresponding sender verification information at the service (claim, 104). Thus, the e-mail message can verify the integrity of the message (par. 0006).


Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Prakash (US 20160014151 A1) in view of Helsper et al. (US 20060168066 A1 hereinafter “Helsper”) in view of Foster et al. (US 9027134 B2 hereinafter “Foster”, IDS filed on 04/16/2021) as applied to claim 1 above, and further in view of Coueignoux (US 20060053279 A1).
Regarding claim 5, the combination of Prakash, Helsper and Foster teaches all of the elements of the current invention as stated above except “the extracted information includes information identifying a script used by a sender of the received message”. 
Coueignoux in an analogous art discloses the system of claim 1, wherein the extracted information includes information identifying a script used by a sender of the received message (par. 0065, While list 68 expresses how filter inbox application 8 will exploit the confidential information provided by sender (SA) 1 or stored in SA profile 16, plan 23 further comprises sequential script 25 (see steps 253-254, “a script used by a sender”) and guidance message list 26 to manage the discovery of this information).
Before the effective filing date, it would have been obvious for one of ordinary skill in the art to have modified the elements disclosed by Prakash, Helsper and Foster to incorporate the teachings of Coueignoux by including extracted information identifying a script used by a sender of the received message. One of ordinary skill in the art would have been motivated to make this modification because the script allowed to manage the discovery of the confidential information of a present sender.


Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Prakash (US 20160014151 A1) in view of Helsper et al. (US 20060168066 A1 hereinafter “Helsper”) in view of Foster et al. (US 9027134 B2 hereinafter “Foster”, IDS filed on 04/16/2021) as applied to claim 1 above, and further in view of Chen et al. (US 9009824 B1 hereinafter “Chen”).
Regarding claim 8, the combination of Prakash, Helsper and Foster discloses the system of claim 1, wherein being configured to compare the extracted information with the one or more corresponding entries of the identity profile of the user (Foster: col 18. ln. 28-col. 19 ln. 02, the engine 101 identifies data (step 1001), determines characteristics (step 1003) and generates references (step 1005, “extracted information”). The engine 101 compares one or more generated references to one or more known references (step 1007, “comparing the extracted information with corresponding entries”)).
However, the combination does not teach “determine that although a mail user agent utilized by the received message does not exactly match a mail user agent specified in the identity profile”.
In a same field of endeavor, Chen discloses the system, wherein identity profile of the user includes being configured to 
determine that although a mail user agent utilized by the received message does not exactly match a mail user agent specified in the identity profile (col. 3 ln. 61-64, the phishing analysis module 223 may evaluate similarity between two points, i.e., two MTAs, on the MTA map based on the number of emails with the same signatures sent by or from the two points (“determining the received message does not exactly match a mail user agent”)), 
the mail user agent utilized 10by the received message is a newer version of the mail user agent utilized specified in the identity profile (col. 3 ln. 28-31, The phishing analysis module 223 may also continually update the listing of reference MTA groups 224 with new data and provide the updates to the subscribing computers (“the mail user agent utilized 10by the received newer version message”)).
Before the effective filing date, it would have been obvious for one of ordinary skill in the art to have modified the elements disclosed by Prakash, Helsper and Foster to incorporate the teachings of Chen by determining that although a mail user agent utilized by the received message does not exactly match a mail user agent specified in the identity profile, the mail user agent utilized 10by the received message is a newer version of the mail user agent utilized specified in the identity profile. One of ordinary skill in the art would have been motivated to make this modification because reference MTA groups identified by the phishing analysis module from the MTA map may be output as a listing of reference MTA groups, which may be provided to a phishing detector. Therefore, the phishing detector may identify phishing by looking for an MTA (col. 6 ln 64-col.7 ln. 06). 


Claim 9, 10  and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Prakash (US 20160014151 A1) in view of Helsper et al. (US 20060168066 A1 hereinafter “Helsper”) in view of Foster et al. (US 9027134 B2 hereinafter “Foster”, IDS filed on 04/16/2021) as applied to claim 1 above, and further in view of Johansson et al.  (US 9491155 B1 hereinafter “Johansson”).
Regarding claim 9, the combination of Prakash, Helsper and Foster discloses the system of claim 1, wherein being configured to determine the security risk assessment of the received message includes being configured to 
determine that the message has likely been compromised by a phishing attack at least in part by determining that a sender 15message account of the received message matches an entry in the identity profile as a trusted message account (Prakash: par. 0070-0071, message characteristics selected from the group consisting of: a from and a reply to email address or identifier of the sender (“sender message account”). Message characteristics from the message sender's information and background may be compared to the recipient background information retrieved from at least one social network and the comparison may be used as one of one or more factors (“matching a sender 15message account of the received message to an entry in the identity profile”) in determining if the message is a phishing attempt (“determining compromised message by phishing attack”).
Although Prakash teaches, in clm. 12, that training a classification engine with an at least one additional received message from one or more other senders who are not the actual sender to update the at least one actual sender message characteristic pattern (analogous to “but a device identifier… ”), the combination does not teach “but a device identifier extracted from the received message does not match a trusted device identifier in the identity profile and a network utilized to send the received message does not match a trusted network specified in the identity profile”.
Johansson in analogous art disclose the system wherein but a device identifier extracted from the received message does not match a trusted device identifier in the identity profile (col. 6 ln. 66-col. 7 ln. 13, the device ID from the requesting user device 102 and compare it to the previously stored device ID associated with the user ID 116. If the device IDs match (if not “extracted device identifier not match a trusted device identifier”), the user 104 may be provided access to the service 108(2) through the account 112(2)) and 
a network utilized to send the received message does not match a trusted network specified in the identity profile (col. 9 ln. 42-51, the identity confidence level (“trusted network specified in the identity profile”) may be based at least partly on reputations of the entities in the social graph data 216. The reputation of an entity may indicate a degree to which the entity is trusted within a social network. (if the determined identity confidence is lower than a predetermined threshold level “received message does not match a trusted network specified in the identity profile”)).
Before the effective filing date, it would have been obvious for one of ordinary skill in the art to have modified the elements disclosed by Prakash, Helsper and Foster with the teachings of Johansson to detect that a device identifier extracted from the received message does not match a trusted device identifier in the identity profile and a network utilized to send the received message does not match a trusted network specified in the identity profile. One of ordinary skill in the art would have been motivated to make this modification because on creating the account, a mapping between the device ID and the user ID may be stored in a table or other data structure. Thus, If the device IDs match, the user may be provided access to the service through the account (col. 6 ln. 66-col. 7 ln. 13). In addition, the identity of the user may be verified if the determined identity confidence level meets or exceeds a predetermined threshold level (col.9 ln. 49-51). 

Regarding claim 10, the combination of Prakash, Helsper and Foster all elements of the current invention as stated in claim 1. 
Prakash further discloses the system of claim 1, wherein being configured to determine the security risk 20assessment of the received message includes being configured to 
determine that the received message is likely a part of a display name deception attack at least in part (Prakash: par. 0070-0071, the value of the message characteristics representing the name of the message sender is compared to the recipient background information and if the name of the message sender is not found the message is marked as being more dangerous (“determine that the received message is likely a part of a display name deception attack”); par. 0244, The configuration and management module 176 may then output logs of received messages and any associated phishing activity for viewing on a display device (“display name” when the names are not matched))
by determining a sender message account of the received message does not match an entry in the identity profile but a sender display name of the received message matches an entry in the identity profile (Prakash: par. 0194, new received electronic message against one or more misspellings of the identity characteristic for received electronic message; and increasing a probability that the new received electronic message is a phishing message based upon a matched comparing of identity characteristic (if the probability is low “sender display name of the received message matches an entry in the identity profile”) for new received electronic message against one or more misspellings of the identity characteristic for received electronic message is true (“account of the received message does not match an entry in the identity profile”)).
However, the combination dose not teach “a device identifier extracted from the received message does not match a trusted device identifier in the identity profile and a network utilized to send the received message does not match a trusted network specified in the identity profile”.
Johansson in analogous art disclose the system, wherein a device identifier extracted from the received message does not match a trusted device identifier 25in the identity profile (col. 6 ln. 66-col. 7 ln. 13, the device ID from the requesting user device 102 and compare it to the previously stored device ID associated with the user ID 116. If the device IDs match (if not “extracted device identifier not match a trusted device identifier”), the user 104 may be provided access to the service 108(2) through the account 112(2)) and 
a network utilized to send the received message does not match a trusted network specified in the identity profile (col. 9 ln. 42-51, the identity confidence level (“trusted network specified in the identity profile”) may be based at least partly on reputations of the entities in the social graph data 216. The reputation of an entity may indicate a degree to which the entity is trusted within a social network. (if the determined identity confidence is lower than a predetermined threshold level “received message does not match a trusted network specified in the identity profile”)).
Before the effective filing date, it would have been obvious for one of ordinary skill in the art to have modified the elements disclosed by Prakash, Helsper and Foster with the teachings of Johansson to detect that a device identifier extracted from the received message does not match a trusted device identifier in the identity profile and a network utilized to send the received message does not match a trusted network specified in the identity profile. One of ordinary skill in the art would have been motivated to make this modification because on creating the account, a mapping between the device ID and the user ID may be stored in a table or other data structure. Thus, If the device IDs match, the user may be provided access to the service through the account (col. 6 ln. 66-col. 7 ln. 13). In addition, the identity of the user may be verified if the determined identity confidence level meets or exceeds a predetermined threshold level (col.9 ln. 49-51).

Regarding claim 12, the combination of Prakash, Helsper and Foster discloses the system of claim 1, wherein being configured to determine the security risk assessment of the received message includes being configured to 
determine that the received message was sent by the user because a sender message account of the message matches an entry in the identity profile as a trusted message account (Prakash: par. 0070-0071, message characteristics selected from the group consisting of: a from and a reply to email address or identifier of the sender (“sender message account”). Message characteristics from the message sender's information and background may be compared to the recipient background information retrieved from at least one social network and the comparison may be used as one of one or more factors in determining if the message is a phishing attempt (“determine that the received message was sent by the user”).
However, the combination does not teach “a device identifier extracted from the message matches a trusted device identifier in the identity profile”. 
 Johansson in analogous art disclose the system, wherein a device identifier extracted from the message matches a trusted device identifier in the identity profile (col. 6 ln. 66-col. 7 ln. 13, the device ID from the requesting user device 102 and compare it to the previously stored device ID associated with the user ID 116. If the device IDs match (“extracted device identifier match a trusted device identifier”))
Although Prakash teaches that, in clm. 12, training a classification engine with an at least one additional received message from one or more other senders who are not the actual sender to update the at least one actual sender message characteristic pattern (analogous to “despite a network utilized to …”), it does not explicitly teaches “despite a network utilized to send the received message not matching a trusted network specified in the identity profile at least in part”.
Johansson in analogous art further discloses the system despite a network utilized to send the received message not 5matching a trusted network specified in the identity profile at least in part (col. 9 ln. 42-51, the identity confidence level (“trusted network specified in the identity profile”) may be based at least partly on reputations of the entities in the social graph data 216. The reputation of an entity may indicate a degree to which the entity is trusted within a social network. (if the determined identity confidence is lower than a predetermined threshold level “received message does not match a trusted network specified in the identity profile”)).
Before the effective filing date, it would have been obvious for one of ordinary skill in the art to have modified the elements disclosed by Prakash with the teachings of Johansson to include information for example, a device identifier extracted from the message matches a trusted device identifier in the identity profile and a network utilized to send the received message not matching a trusted network specified in the identity profile at least in part. One of ordinary skill in the art would have been motivated to make this modification because on creating the account, a mapping between the device ID and the user ID may be stored in a table or other data structure. Thus, If the device IDs match, the user may be provided access to the service through the account (col. 6 ln. 66-col. 7 ln. 13). In addition, the identity of the user may be verified if the determined identity confidence level meets or exceeds a predetermined threshold level (col.9 ln. 49-51).


Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Prakash (US 20160014151 A1) in view of Helsper et al. (US 20060168066 A1 hereinafter “Helsper”) in view of Foster et al. (US 9027134 B2 hereinafter “Foster”, IDS filed on 04/16/2021) as applied to claim 1 above, and further in view of Davis et al. (US 20110191847 A1 hereinafter “Davis”).
Regarding claim 11, the combination of Prakash, Helsper and Foster teaches all of the elements of the current invention as stated above except “determine the security risk assessment of the received message includes being configured to determine that the received message was sent by malware at least in part due to determining that the received message was 30sent using automation but the identity profile does not identify the user as being trusted to send Attorney Docket No. AGARP007C175 PATENTmessages using automation.”
Davis in an analogous art discloses the system of claim 1, wherein being configured to determine the security risk assessment of the received message includes being configured to
determine that the received message was sent by malware at least in part due to determining that the received message was 30sent using automation but the identity profile does not identify the user as being trusted to send Attorney Docket No. AGARP007C175 PATENTmessages using automation (par. 0049, a network entity 46 may be assigned a poor trust rating (“not identify the user as being trusted”) (e.g., if several nodes 24 controlled by the network entity 46 are commandeered by malware or form a botnet, or if the network entity 46 is comparatively tolerant of undesirable activities 34 of controlled nodes 24, such as the transmission of spam)).
Before the effective filing date, it would have been obvious for one of ordinary skill in the art to have modified the elements disclosed by Prakash, Helsper and Foster to incorporate the teachings of Davis by determining the security risk assessment of the received message includes being configured to determine that the received message was sent by malware at least in part due to determining that the received message was 30sent using automation but the identity profile does not identify the user as being trusted to send Attorney Docket No. AGARP007C175 PATENTmessages using automation. One of ordinary skill in the art would have been motivated to make this modification because the network entity trust rating may allow detecting the messages by malware or formed by botnet.


Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Prakash (US 20160014151 A1) in view of Helsper et al. (US 20060168066 A1 hereinafter “Helsper”) in view of Foster et al. (US 9027134 B2 hereinafter “Foster”, IDS filed on 04/16/2021) as applied to claim 1 above, and further in view of Vempati et al. (US 20200092291 A1 hereinafter “Vempati”).
Regarding claim 14, the combination of Prakash, Helsper and Foster all elements of the current invention as stated in claim 1 above except “being configured to perform the security action includes being configured to add a device identifier to the identity profile of the user based on a determination that a sufficient number of messages have been received with the device identifier from a trusted account and via a trusted network”.
Vempati in analogous art discloses the system of claim 1, wherein being configured to perform the security action includes being configured to 
add a device identifier to the identity profile of the user based on a determination that a sufficient number of messages have been received with the device identifier isfrom a trusted account and via a trusted network (par. 0026, user computing devices 102, 104 and 106 are registered and the customer can login to server computer 110 using a software application on each on user computing devices 102, 104 and 106 (“a trusted account and via a trusted network”); par. 0041, User computing devices 102,104, 106 send their unique identifiers to server computer 110 as part of a registration process for user computing devices 102, 104, 106 (“a sufficient number of messages have been received with the device identifier”). As part of the registration process, server computer 110 stores the unique identifiers in a table. Then, server computer 110 adds each unique device identifier to a profile of permissible electronic computing devices for the customer (“add a device identifier to the identity profile of the user”)).
Before the effective filing date, it would have been obvious for one of ordinary skill in the art to have modified the elements disclosed by Prakash, Helsper and Foster to incorporate the teachings of Vempati by adding a device identifier to the identity profile of the user based on a determination that a sufficient number of messages have been received with the device identifier from a trusted account and via a trusted network. One of ordinary skill in the art would have been motivated to make this modification because server computer (or the “system”) can then check current login sessions and for each current login session can determine whether the unique device identifier from the smartphone is listed in a table of registered devices for customers of any of the current login sessions (par. 0029).


Claim 16 is rejected under 35 U.S.C. 103 as being unpatentable over Prakash (US 20160014151 A1) in view of Helsper et al. (US 20060168066 A1 hereinafter “Helsper”) in view of Foster et al. (US 9027134 B2 hereinafter “Foster”, IDS filed on 04/16/2021) as applied to claim 1 above, and further in view of Pocklington et al. (US 20090228583 A1 hereinafter “Pocklington”).
Regarding claim 16, the combination of Prakash, Helsper and Foster teaches all elements of the current invention as stated in claim 1 above except “being configured to perform the security action includes being configured to modify a display name of a sender of the message prior to allowing an intended recipient of the received message to access the received message”.
Pocklington in an analogous art discloses the system of claim 1, wherein being configured to perform the security action includes being configured to 
modify a display name of a sender of the message prior to allowing an intended recipient of the received message to access the received message (par. 3, content and attachments prior to sending, changing the order of name listing, sending to multiple email addresses or aliases for a same person, etc.).
Before the effective filing date, it would have been obvious for one of ordinary skill in the art to have modified the elements disclosed by Prakash, Helsper and Foster to incorporate the teachings of Pocklington by performing the security action includes being configured to modify a display name of a sender of the message prior to allowing an intended recipient of the received message to access the received message. One of ordinary skill in the art would have been motivated to make this modification because the sender may fail to consider all the necessary options or characteristics, or may make a mistake in handling a message characteristic, thereby sending an electronic communication that does not achieve an intended result.


Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over Prakash (US 20160014151 A1) in view of Helsper et al. (US 20060168066 A1 hereinafter “Helsper”) in view of Foster et al. (US 9027134 B2 hereinafter “Foster”, IDS filed on 04/16/2021) as applied to claim 1 above, and further in view of Friedman et al. (US 11140171 B1 hereinafter “Friedman”) in view of MAYLOR et al. (US 20170078321 A1 hereinafter “Maylor”).
Regarding claim 17, the combination of Prakash, Helsper and Foster discloses the system of claim 1, wherein being configured to perform the security action includes being configured to perform one or more of the following: 
quarantining the received message (Prakash: par. 0089, the methods may further comprise quarantining a received message determined to be the phishing message as a quarantined message); 
blocking the received message (Prakash: par. 0095, users to specify a message as a phishing attempt and use the message characteristics of this flagged message to filter received messages to other users and recipients in the organization); 
adding a warning to the received message; and moving the received message to a different folder (Prakash: par. 0027, alerting the recipient organization regarding the danger of the new received message comprises steps such as removing the new received message from a mailbox of the recipient, moving the new received message from the mailbox of the recipient to another messaging folder, or altering a visible message characteristic of the new received message). 
However, the combination does not explicitly teach “sending a verification challenge to an 25alternative contact of a sender of the received message; performing additional analysis of the received message.”
Friedman in an analogous art explicitly discloses sending a verification challenge to an 25alternative contact of a sender of the received message (col. 2 ln. 19-30, identity-verification protocol involves using alternative contact information included in the user account record to verify that a request for access originates with the authorized user. For example, if the user indicates to the service provider that her password has been lost, the service provider can send a message to an email address or phone number included in the user account record); 
performing additional analysis of the received message (col. 2 ln. 19-30, the message can contain a secret confirmation code (“performing additional analysis”) that the user can provide back to the service provider to prove that she is the authorized user—or at least that she has access to the authorized user's phone or email account);
Before the effective filing date, it would have been obvious for one of ordinary skill in the art to have modified the elements disclosed by Prakash, Helsper and Foster to incorporate the teachings of Friedman by sending a verification challenge to an alternative contact of a sender of the received message; performing additional analysis of the received message. One of ordinary skill in the art would have been motivated to make this modification because it may prove that she is the authorized user—or at least that she has access to the authorized user's phone or email account (col. 2 ln. 19-30).
 However, the combination of Prakash, Foster and Friedman does not teach “executing an executable included in the received message in a sandbox or a virtual machine”.
Maylor in an analogous art explicitly discloses executing an executable included in the received message in a sandbox or a virtual machine (par. 0021, the secure resource access subsystem may be configured to open the file in a sandbox environment; par. 0098, Sandbox environments may for example include virtual machines, specialized applications, specialized electronic message clients, or managed cloud applications).	
Before the effective filing date, it would have been obvious for one of ordinary skill in the art to have modified the elements disclosed by Prakash, Foster and Friedman to incorporate the teachings of Maylor by executing an executable included in the received message in a sandbox or a virtual machine. One of ordinary skill in the art would have been motivated to make this modification because opening a file in a sandbox environment allowed to mitigate potential threats from the file (par. 0021).


Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over Prakash (US 20160014151 A1) in view of Helsper et al. (US 20060168066 A1 hereinafter “Helsper”) in view of Foster et al. (US 9027134 B2 hereinafter “Foster”, IDS filed on 04/16/2021) as applied to claim 1 above, and further in view of Judge et al. (US 20060015563 A1 hereinafter “Judge”).
Regarding claim 18, the combination of Prakash, Helsper and Foster discloses the system of claim 1, wherein the likelihood-of-change probability is based on a [[Attorney Docket No. AGARPOO7C176 PATENTmeasurement of a distribution of a frequency of changes]] in the previously detected changes overtime in the previous message communications of the user (Foster: col. 19 ln. 03-22, The security analysis engine 101 may determine a confidence score for the risk score (1011). The confidence score may be statistically determined, and may be used to indicate the reliability of the determined risk score associated with the social entity. The confidence score (“likelihood-of-change probability”) is for a current risk score, take into account previously determined risk scores, including risk scores provided by third parties).
However, it does not explicitly teach “a measurement of a distribution of a frequency of changes”.
Judge in a analogous art discloses a measurement of a distribution of a frequency of changes (par. 0034, generate an optimized set of values along with an associated set of thresholds and actions and that can be generated periodically to keep a message profiler 100 updated with the latest protection against the frequent changes in the score distributions of classification techniques operating on the constantly changing message flow patterns).
Before the effective filing date, it would have been obvious for one of ordinary skill in the art to have modified the elements disclosed by Prakash, Helsper and Foster to incorporate the teachings of Judge by including a measurement of a distribution of a frequency of changes. One of ordinary skill in the art would have been motivated to make this modification because it may allow for specifying multiple thresholds and applying a different action or actions at each threshold, which would signify the increased confidence of the message profiler in the result of the classification. Thus effectiveness and accuracy of a message profiler can be improve (par. 0033-0034). 

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Gillum et al. (US 20100095374 A1) - GRAPH BASED BOT-USER DETECTION (See clm. 2 and par. 0049)
Malnoe (US 20030200108 A1) - Master dispenser display with multiple communication interfaces allowing virtual transaction ticket (See par. 0111)

Any inquiry concerning this communication or earlier communications from the examiner should be directed to ANDREW SUH whose telephone number is (571)270-5524. The examiner can normally be reached 9:00 AM- 5:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on (571) 272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/A.S./Examiner, Art Unit 2493                                                                                                                                                                                                        
/CARL G COLIN/Supervisory Patent Examiner, Art Unit 2493