DETAILED ACTION

Response to Remark

This communication is considered fully responsive to the amendment filed on 09/13/22.
a. All of the pending claims have been amended.
b. The rejection of the claim under 35 USC § 112 is withdrawn since it has been amended accordingly.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

Claims 1-3, 7-10, 12-14, 16, 18-21, 23-25, 27, and 29 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Jakobsson et al. (US 2018/0375877, “Jakobsson”).
Regarding claim 1, Jakobsson discloses an apparatus to process an electronic communication, the apparatus comprising:
- a trusted communication identifier including (See ¶.30, the identity (e.g., including display name, email address, domain, and identity conveyed by or associated with content of the email) and that of entities that are trusted): 
- a contact identifier to (See ¶.30, one of the contact identifiers): 
- compare sender information from the electronic communication to contact information from a contact datastore (See, 1004 fig.10, ‘A sender of the message exactly matches a trusted contact?’; See ¶.51, profiling the message may include storing information about and/or included in the message in a database to track historical observations about the sender of the message, the recipient of the message, and/or the content portion of the message; See ¶.57, an assessment is made on whether the resource identifier refers to known malicious content by comparing at least a portion of the resource identifier to a known list and/or obtaining and analyzing content referenced by the resource identifier; See ¶.67, the encrypted value and/or the original resource identifier may be used to look up in a database the associated context information; See ¶.70, examples of the associated context information (e.g., stored in a database entry associated with at least a portion of the alternative resource identifier or encrypted and included in the alternative resource identifier) include: a display name, an address, an associated security risk, and any other information associated with a sender of the original message);
- determine that a communication has not previously been sent from a recipient of the electronic communication to the sender of the electronic communication when the sender information from the electronic communication is not found in the contact datastore (See 1004 & 1008 fig.10, ‘A sender of the message exactly matches a trusted contact?’ ‘The sender of the message is similar to a trusted contact?’; See ¶.212, the message is identified as suspicious if a recipient identified in the message has not previously sent a message to the sender of the message); and 
- after determining that the communication has not been previously sent (See 1004 & 1008 fig.10 and 1402 fig.14A, identify a message as suspicious), provide an alert message that the sender information from the electronic communication is unknown (See 1404 & 1406 fig.14A, an automatic reply to the message is sent requesting verification of an identity of the sender of the message); and
- a user action determiner to store the sender information from the electronic communication in the contact datastore (See fig. 14B, store suspicious email address such as “ppeterson14014@yahoo.com” to compare; See ¶.71, the database storing the context information may store information indefinitely; until it has been accessed and a determination made; for a fixed amount of time, such as one week; until a positive (safe) decision has been made; until a negative decision (high risk) has been made, in which case the original URL may be placed on a block list; and/or until a user action has been performed, such as placing the message in the trash folder, or according to a policy that is associated with the recipient or his or her organization; See ¶.89, blacklist; See ¶.94, a whitelist) after a response to the electronic communication has been sent (See 1406 & 1408 fig.14A, send an automatic reply to the message is sent requesting verification of an identity of the sender of the message; See ¶.218, if the sender has provided a valid identity in response to the automatic reply in 1406, the message is allowed to be fully accessible by the specified recipient).

Regarding claim 2, Jakobsson discloses “further including a contact information initializer to: obtain at least one of a communication history associated with an application on a user device or contacts associated with the application on the user device; and store, in the contact datastore, second contact information associated with the at least one of the communication history or the contacts, wherein the at least one of the communication history or the contacts were utilized to send one or more communications from the user device (See ¶.51, profiling the message may include storing information about and/or included in the message in a database to track historical observations about the sender of the message; See ¶.83, This is a score that depends on the sender and his or her historical risk behavior (such as distributing dangerous messages, links, and attachments); the sender's role (such as being an influential person); the role of any party whose identifying information resembles the sender, where this party is known by and/or trusted by the recipient; the recipient and his or her historical risk behavior (such as opening dangerous messages, clicking on dangerous links, and opening dangerous attachments, where an item is considered dangerous if it or its format is correlated with risk); See ¶.84, The scores can be derived from past interaction with emails; past results in training sessions; past browsing history; and configurations made by the sender/recipient or admins associated with either of these. Context here is also historical—given the benefit of hindsight. Very often attacks are much clearer after they have passed. This is useless information in many security approaches, since the danger has moved on. But with historical data, notably unavailable to the web crawler or proxy, actions by the given user taken months ago may be evaluated in light of everything learned since the actions. 
And if this can color the assessment of the risk of the user's actions today, it can greatly ameliorate the dangers posed by their actions tomorrow on threats not yet understand. This can be a general measurement of the “gullibility” and “value” of the target, but can be even more specific to a behavior or attack type—over the past year, it may be noted that a user will blindly click on anything that looks related to their social media presence. This can then be used to tune the risk of a specific link in a message to that user. Lastly, this historical data can be used to project increased exposure proactively. If historical data shows a user has engaged with a previous threat or it has been observed in previous campaigns, it is known that their email address and/or identity is known to bad actors, and this may be utilized to evaluate new threats).”

Regarding claim 3, Jakobsson discloses “wherein the application on the user device is a first application on the user device, and wherein the communication history associated with a second application on the user device (See ¶.84, the scores can be derived from past interaction with emails; past results in training sessions; past browsing history; and configurations made by the sender/recipient or admins associated with either of these. Context here is also historical—given the benefit of hindsight. Very often attacks are much clearer after they have passed. This is useless information in many security approaches, since the danger has moved on. But with historical data, notably unavailable to the web crawler or proxy, actions by the given user taken months ago may be evaluated in light of everything learned since the actions. And if this can color the assessment of the risk of the user's actions today, it can greatly ameliorate the dangers posed by their actions tomorrow on threats not yet understand. This can be a general measurement of the “gullibility” and “value” of the target, but can be even more specific to a behavior or attack type—over the past year, it may be noted that a user will blindly click on anything that looks related to their social media presence. This can then be used to tune the risk of a specific link in a message to that user. Lastly, this historical data can be used to project increased exposure proactively. If historical data shows a user has engaged with a previous threat or it has been observed in previous campaigns, it is known that their email address and/or identity is known to bad actors, and this may be utilized to evaluate new threats. For example, if a resource identifier shows up for multiple receivers, and it is known that the same set of recipients were victims of previous attacks, a higher risk can be ascribed to the resource identifiers even before evaluating it because of the correlation. 
There are many circumstances where an email address that has been exposed this way may be known and thus any resource identifiers sent to that user can be given a more aggressive check).”

Regarding claim 7, Jakobsson discloses “further including a new contact monitor to: determine if a new contact is added to contacts associated with an application; and after determining the new contact is added, store contact information associated with the new contact in the contact datastore (See ¶.75, wherein the receiving system of the new recipient may add to the database of contextual information to describe the context as seen by the second and new recipient. It is also possible to add a second alternative resource identifier associated with this second-recipient context).”

Regarding claim 8, Jakobsson discloses “further including a malicious content scanner to determine if the electronic communication includes a uniform resource locator (URL) or an attachment file (See ¶.30, a URL hyperlink in an email is identified, and the URL hyperlink in the email is modified to reference an alternative URL prior to delivery. The alternative URL can be used to obtain the original URL hyperlink as well as contextual information associated with the email. When the alternative URL is visited by a message recipient, a determination is made on the security associated with the original URL and/or the associated email and/or the associated sender, utilizing the contextual information and the URL assessment. Here, the assessment of the URL can be done by performing one of rendering, partially rendering, automatically interacting with the associated site, making an assessment of the associated site behavior, including spawning of processes or other webpage rendering requests, and making an assessment of the domain and subdomain of the URL, including reputation, age, and contextual use. This decision can be done as soon as possible after the URL is identified, in batch mode, as a result of the user clicking on the modified URL in the delivered email, or as a result of an external event, such as notification of a risk or attack potentially affecting the recipient. 
Context relating to the email is used, including text in the email, logos and other graphics in the email, the recipient of the email and whether this user normally receives emails with URLs of a similar type according to a security classification, and based on the sender, whether the sender is a trusted party, and if the sender is not considered a trusted part, whether there is any potential likeness between the identity (e.g., including display name, email address, domain, and identity conveyed by or associated with content of the email) and that of entities that are trusted by the recipients, or trusted by many users like the recipient).”

Regarding claim 9, Jakobsson discloses “further including the malicious content scanner to determine if the URL included in the electronic communication is malicious (See ¶.224, an unwanted URL/attachment is one that is judged likely to be associated with risk, e.g., using a blacklist or an anti-virus scan; See ¶.32, improves anti-virus filtering based on contextual information and threat information relating to the threat vector used for message delivery; See ¶.121, This can be done in a multiplicity of ways, including detonating each file, determining whether any of the files match an anti-virus signature, determining whether any of the files has executable code segments in it, etc).”

Regarding claim 10, Jakobsson discloses “further including the malicious content scanner to determine if the attachment file included in the electronic communication is malicious (See ¶.224, an unwanted URL/attachment is one that is judged likely to be associated with risk, e.g., using a blacklist or an anti-virus scan; See ¶.32, improves anti-virus filtering based on contextual information and threat information relating to the threat vector used for message delivery).”

Regarding claim 12, it is a non-transitory claim corresponding to an apparatus claim 1 and is therefore rejected for the similar reasons set forth in the rejection of the claim.

Regarding claims 13 and 14, they are claims corresponding to claims 2 & 3, respectively and are therefore rejected for the similar reasons set forth in the rejection of the claims.

Regarding claim 16, Jakobsson discloses “wherein the contact datastore is accessible across different user devices (See ¶.138, the list of recipients may correspond to the recipients/email servers accessible (e.g., list of email domains being managed) by an analysis server. In some embodiments, each email server of each recipient performs its own determination of its measure of local reputation for the sender. In some embodiments, the measure of local reputation is determined dynamically. For example, when a recipient receives a message from the sender, the recipient determines the measure of local reputation for the sender).”

Regarding claims 18-21, they are claims corresponding to claims 7-10, respectively and are therefore rejected for the similar reasons set forth in the rejection of the claims.

Regarding claim 23, it is a method claim corresponding to the apparatus claim 1 and is therefore rejected for the similar reasons set forth in the rejection of the claim.

Regarding claims 24, 25, 27, and 29, they are claims corresponding to claims 2, 3, 16, & 7, respectively and are therefore rejected for the similar reasons set forth in the rejection of the claims.

Response to Arguments
Applicant's arguments filed have been fully considered but they are not persuasive.
At pages 11-13, with respect to independent claims 1, 12, and 23, applicant argues that Jakobsson fails to disclose “store the sender information from the electric communication in the contact datastore after a response to the electric communication has been sent”, as set forth in claim 1. [applicant’s emphasis added].
In reply, the limitations “store the sender information from the electronic communication in the contact datastore” read on:
¶.[0035] of Jakobsson discloses “one way to implement an auditing mechanism uses the stored records, including information of the context, sender and recipient, along with the actions (or lack thereof) identified as taken by the end user, which is detected as the recipient interacts with the modified resource identifier, and to store this information. This is later used to compile statistics of risky behavior.”
Fig. 14B of Jakobsson discloses “store suspicious email address such as “ppeterson14014@yahoo.com” to compare.”
¶.[0066] of Jakobsson discloses, “the original resource identifier is mapped to a handle value (e.g., any alphanumeric value that may be the same or different from the original resource identifier) and included in an alternative resource identifier generated for the original resource identifier. The network domain of the alternative resource identifier may be the selected network domain of a security service and the handle value is included in the alternative resource identifier as at least a part of a URL argument (e.g., after “?” character), subdomain, path, and/or filename. This handle value can be later extracted from the alternative resource identifier and used as a lookup into a database (e.g., including a message storage) that associates the handle value to the corresponding original resource identifier and associated context information. For example, when the alternative resource identifier is determined for the original resource identifier, a corresponding database entry is stored in the database.”
¶.[0071] of Jakobsson discloses “the database storing the context information may store information indefinitely; until it has been accessed and a determination made; for a fixed amount of time, such as one week; until a positive (safe) decision has been made; until a negative decision (high risk) has been made, in which case the original URL may be placed on a block list; and/or until a user action has been performed, such as placing the message in the trash folder, or according to a policy that is associated with the recipient or his or her organization.”
¶.[0080] of Jakobsson discloses “examples of the associated context information (e.g., stored in a database entry associated with at least a portion of the alternative resource identifier or encrypted and included in the alternative resource identifier) include: a display name, an address, an associated security risk, and any other information associated with a sender of the original message; a display name, an address, an associated security risk, and any other information associated with an intended recipient of the original message).”
¶.[0124] of Jakobsson discloses “the trusted contacts include contacts that have been specifically identified by the user. In some embodiments, information about the trusted contacts is stored. For example, the trusted contacts for the user are stored in a database of trusted contacts. This database may track trusted contacts for a plurality of different users and allows trusted contacts to be retrieved for a specific identified user. The stored information of each contact may include one or more of the following: email address, associated name (e.g., display name), relationship identifier, identifying image (e.g., contact photo), username, instant message identifier, address, phone number, a measure of trust, a measure of message interaction, and any other identifier utilized to identify a sender or a receiver of a message).”
The limitations “after a response to the electronic communication has been sent” read on:
¶.[0053] of Jakobsson discloses “sending a message to the sender to determine whether it automatically forwards responses; generating a security challenge sent to the sender (e.g., if this is not responded to, it is indicative of higher risk and if it is responded to in an anomalous manner, that is also indicative of higher risk); generating a challenge sent to an alternative account of the sender (e.g., another email address associated with the sender); sending an SMS message to a phone number associated with the sender; placing an automated call to a phone number associated with the sender (e.g., requesting a confirmation or a response from the user associated with the account the security challenge is sent to); modifying content of the message; removing an attachment from the message; not allowing an executable of the message to be executed and/or be included in the message; performing additional automated scrutiny of the message (e.g., including its content portion); performing additional manual scrutiny of the message (e.g., including its content portion); quarantining the message; blocking the message; delivering the message; augmenting the message to reduce the risk associated with it (e.g., modifying its attachments); modifying a display name of the sender; removing a display name of the sender; adding a warning to a display name of the message; adding a warning to a content of the message; analyzing attachments of the message by attempting to execute them in a sandbox or virtual machine; adding a warning to the message prior to allowing the message to be accessed by the intended recipient; and moving the message to a special folder identifying its higher risk.”
[1406 & 1408 Fig.14A] of Jakobsson discloses, “send an automatic reply to the message is sent requesting verification of an identity of the sender of the message.”
    
¶.[0183] of Jakobsson discloses “a reply address of a sender of the message is modified prior to allowing the message to be accessed by a recipient user of the message. In the event where the message does not have a reply address, a “Reply-To:” field is automatically added to the message. This can be a real email address, different from the “from” address of the received message, and act as a quarantine for outgoing responses to high-risk emails. In such a quarantine, the recipient system can carefully verify (e.g., whether automatically or using manual effort, or a combination thereof) that the outgoing message is safe before it is automatically sent to the “from” address of the received email.”
¶.[0218] of Jakobsson discloses “if the sender has provided a valid identity in response to the automatic reply in 1406, the message is allowed to be fully accessible by the specified recipient.” Therefore, the examiner disagrees respectfully.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.

Contact Information

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Jung Park whose telephone number is 571-272-8565. The examiner can normally be reached on Mon-Fri during 7:00-3:00.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Derrick Ferris can be reached on 571-272-3123.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/JUNG H PARK/Primary Examiner, Art Unit 2411