DETAILED ACTION

Currently pending claims are 2 – 20 (Claim 1 cancelled).

Double Patenting 

The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the "right to exclude" granted by a patent and to prevent possible harassment by multiple assignees.  See In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).  A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the conflicting application or patent is shown to be commonly owned with this application.  See 37 CFR 1.130(b).
Effective January 1, 1994, a registered attorney or agent of record may sign a terminal disclaimer.  A terminal disclaimer signed by the assignee must fully comply with 37 CFR 3.73(b).


Claim(s) 2 – 20 are rejected under the judicially created doctrine of obviousness-type double patenting as being unpatentable over claim 1 – 20 of U.S. Patent No. 9,596,264. Although the conflicting claims are not identical, they are not patentably distinct from each other such as sanboxing and analyzing a behavior of a target file / program content in another computer environment separate from the user computer environment, which is evidently an obvious feature in view of the available prior-arts in the field – accordingly, because the listed claims of U.S. Patent virtually contain(s) every element of the listed claims of the instant application and thus anticipate the claim(s) of the instant application. Claim(s) of the instant application therefore is/are not patently distinct from the earlier patent claim(s) and as such is/are unpatentable over obvious-type double patenting.  A later patent claim is not patentably distinct from an earlier patent claim if the later claim is obvious over, or anticipated by, the earlier claim. In re Longi, 759 F.2d at 896, 225 USPQ at 651 (affirming a holding of obviousness-type double patenting because the claims at issue were obvious over claims in four prior art patents); In re Berg, 140 F.3d at 1437, 46 USPQ2d at 1233 (Fed. Cir. 1998) (affirming a holding of obviousness type double patenting where a patent application claim to a genus is anticipated by a patent claim to a species within that genus). “ELI LILLY AND COMPANY v BARR LABORATORIES, INC., United States Court of Appeals for the Federal Circuit, ON PETITION FOR REHEARING EN BANC (DECIDED: May 30, 2001)”.

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 2 – 6, 10 – 14 and 18 – 20 are rejected under 35 U.S.C. 103(a) as being unpatentable over Field et al. (U.S. Patent 8,544,086) and in view of Kato et al. (U.S. Patent 7,690,023) – and in view of U.S. Patent Craddock et al. (U.S. Patent 9,185,064) used as an additional evidence to support the Official Notice (pls. see below).  


As per claim 2, 10 & 18, Field teaches a method for protecting users from malicious content, the method comprising:
retrieving, by a hardware processor, a URL link in an electronic message sent to a user in a user computer environment, the URL link pointing at linked content (Field: Figure 8, Abstract & Col. 8 Line 43 – 67: (a) retrieving and downloading a file via e-mail to the user’s local computer (Col. 8 Line 58 – 60) and (b) such a retrieved file can be tagged with a URL (as a file’s origin) when the file is obtained from an exernal source (Col. 8 Line 43 – 50)).  Examiner notes Field does not disclose expressly retrieve the URL link from an electronic message – 
However, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to recognize a modification of retrieving an URL link from an electronic message because it is common and well-known in the field (i.e. as an Official Notice) to embed a URL link within an e-mail (i.e. from an external source) –  On this regard, a U.S. Patent Craddock et al. (U.S. Patent 9,185,064) is also provided as an additional evidence enclosed in the record of 892 to further support the rationale of rejection for the clarity as follows – 
Craddock teaches to retrieve the URL link from an electronic message (Craddock: Col. 1 Line 22 – 25 / Line 57 – 61: It is common to embed a URL link within an e-mail (i.e. from an external source) and examining the retrieved file associated with the URL in a secure sandbox environment), which can thus be combined obviously within the Field’s system of retrieving and downloading a file via e-mail to the user’s local computer (see below).

computing for the URL link a plurality of selection criteria factors (Field: see above & Col. 11 Line 35 – 39 / Line 43 – 48 and Col. 8 Line 1 – 27: for example, (a) if the URL is within one of the white-list, which is identified as trustworthy, no restrictions is required and the target URL can be carried out on the local computer system accordingly, and (b) the URL can be selected based on a pularity of (different) trust levels to determine whether sanboxing or quarantining is required);   
for each of the plurality of selection criteria factors, comparing the selection criteria factor to a corresponding factor threshold and determining whether the selection criteria factor exceeds the corresponding factor threshold (Field: see above & Col. 11 Line 35 – 39 / Line 43 – 48 and Col. 8 Line 20 – 27: (a) each range of the trust levels constitutes a corresponding “threshold” factor and (b) in case the trust level between 3 – 7 within a full range of 0 – 10, sandboxing the URL for analysis); and 
if any of the selection criteria factors exceeds the corresponding factor threshold, automatically queuing the URL link for sandboxing, the sandboxing including analyzing behavior of the URL link in another computer environment separate (see below) from the user computer environment (Field || : see above & Col. 8 Line 20 – 27: sandboxing the URL for analysis when a trust level of the target URL is between a threshold factor of 3 – 7 within a full range of 0 – 10) – see below:
However, Field does not expressly disclose sandboxing a behavior of the URL link (i.e. a target file tagged by a URL link) in another computer environment separate from the user computer environment.
Kato teaches sanboxing and analyzing a behavior of a target file / program content in another computer environment separate from the user computer environment (Kato: Col. 5 Line 54 – 57, Col. 4 Line 59 – 61 and Col. 1 Line 38 – 42: providing a secured sandbox mechanism by employing a risk-limited sandbox, in conformity with a security policy, to enable an analysis and execution of a target file / program in a sandbox which is distinguished from the user’s ordinary (local) process execution environment). 
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to propose the modification of sanboxing and analyzing a behavior of a target file / program content (pointed by a URL link) in another computer environment separate from the user computer environment because Kato teaches to alternatively, effectively and securely providing a secured sandbox mechanism by employing a risk-limited sandbox, in conformity with a security policy, to enable an analysis and execution of a target file / program in a sandbox which is distinguished from the user’s ordinary (local) process execution environment (see above) within the Field’s system of examining a target file, associated with a tagged URL link, in a sandbox environment for preventing malicious behavior from an unauthorized source (see above). 

As per claim(s) 3, 11 & 19, the claims contain(s) similar limitations to claim(s) 1 and thus is/are rejected with the same rationale.

As per claim 4 & 12, Field as modified teaches determining whether the URL link is included in a uniform resource indicator (URI) blacklist and discarding the URL link from sandboxing if the URL link is included in the URI blacklist (Field: Figure 8 / E-814  & Abstract / Line 12 – 15, Col. 3 Line 41 – 47 / Line 25 – 30, Col. 8 Line 26 – 27 / Line 43 – 50 / Line 12 – 13, Col. 9 Line 59 – 67, Col. 10 Line 59 – 67 and Col. 3 Line 27 – 30: (a) Examiner notes any digital content received from an external source, e.g. from a trustworthy or untrustworthy network site(s), is qualified as an electronic message (Col. 3 Line 41 – 47 / Line 25 – 30) (b) a file can be tagged with the original information being received and the “tagging information” can include, at least, a “URL” (Col. 8 Line 43 – 50) and (c) one of filtering elements for the malicious content (malware) includes, at least, a “Blacklist" data storage to identify the received content is originated from an untrustworthy network site (Fig. 8 / E-814 and Col. 3 Line 27 – 30), wherein the malicious content can be blocked (Abstract / Line 12 – 15) or (completely) guaranteed before admitted to the computer system (Col. 8 Line 26 – 27 and Col. 10 Line 59 – 67) or disabled regarding the crucial networking capability (Col. 8 Line 12 – 13) and as such, Field teaches if the URL is included in a blacklist, discarding the URL (either temporarily or permanently) depending on the analyzed situation(s) that meets the recited claim language).

As per claim 5 & 13, Field as modified teaches determining whether the URL link has been sandboxed for analysis within a configurable preceding time period and discarding the URL link from sandboxing if the URL link has been sandboxed for analysis within the configurable preceding time period (Field: Abstract / Line 12 – 15, Col. 8 Line 20 – 27 and Col. 6 Line 23 – 27 / Line 62 – 64 and Col. 8 Line 7 – 8 Line 12 – 13 and Col. 10 Line 59 – 67: the received content can be placed in a sandbox and checked whether it is possessing any malicious malware (Col. 6 Line 23 – 26) and if the file / content has an indication as being known to be malware, then the assigned trust level can be “zero (0)” (Col. 6 Line 62 – 64) and subsequently, in a case that the trust level is fairly low (Col. 8 Line 7 – 8), the analyzed content can be disabled regarding the crucial networking capability (Col. 8 Line 12 – 13) or (completely) guaranteed before admitted to the computer system (Col. 8 Line 26 – 27 and Col. 10 Line 59 – 67) or said malicious content can be blocked (Abstract / Line 12 – 15) and as such, Field teaches discarding the URL from sandboxing (either temporarily or permanently) depending on the analyzed situation(s) – i.e. in case that the URL link has been sandboxed for analysis recently or within the configurable preceding time period).  

As per claim 6 & 14, Field as modified teaches determining whether a normalized version of the URL link has a domain name that is in a domain ignore list or a domain blacklist and discarding the URL link from sandboxing if the normalized version of the URL has a domain name that is in the domain ignore list or the domain blacklist (Field: Col. 8 Line 43 – 50 and Col. 9 Line 59 – 67: (a) normalizing a URL with the tagging, at least, of the domain name and the resource of the file's origin and (b) the blacklist being identified based on, at least, the user’s confidence on the source of the “domain” name) and the identified URL can be completely quarantined – i.e. discarding the URL).

As per claim(s) 20, the claims contain(s) similar limitations to claim(s) 1 – 6 and thus is/are rejected with the same rationale.

Claims 7 – 9 & 15 – 17 are rejected under 35 U.S.C. 103(a) as being unpatentable over Field et al. (U.S. Patent 8,544,086), in view of Kato et al. (U.S. Patent 7,690,023), and in view of Balupari et al. (U.S. Patent 8,677,487) – and in view of U.S. Patent Craddock et al. (U.S. Patent 9,185,064) used as an additional evidence to support the Official Notice (pls. see above).  

As per claim 7 & 15, determining whether a number of messages containing the URL link exceeds a message count threshold and discarding the URL from sandboxing if the number of messages containing the URL link exceeds the message count threshold (Field: see above) || (Balupari: Col. 8 Line 14 – 20 and Col. 5 Line 48 – 51: determining if the number of URL(s) being received is below a threshold, then it is still lack of sufficient evidence to make the conclusion; otherwise, if the number of URL(s) being received is exceeding the threshold (i.e. for a gray-list / tracked-list), then the malicious metric that the traffic is more likely generated by a non-human user (i.e. botnet) and thus it should require sandboxing to determine the malicious characteristics).  
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to propose the modification of determining whether a number of messages containing the URL link exceeds a message count threshold and discarding the URL from sandboxing if the number of messages containing the URL link exceeds the message count threshold because Balupari teaches to alternatively, effectively and securely determine if the number of URL(s) being received is below a threshold, then it is still lack of sufficient evidence to make the conclusion; otherwise, if the number of URL(s) being received is exceeding the threshold (i.e. for a gray-list / tracked-list), then the malicious metric that the traffic is more likely generated by a non-human user (i.e. botnet) and thus it should require sandboxing to determine the malicious characteristics (see above) within the Field’s system of examining a target file, associated with a tagged URL link, in a sandbox environment for preventing malicious behavior from an unauthorized source (see above). 

As per claim 8 & 16, Balupari (& Field as modified) teaches determining whether a count of messages containing the URL link and associated with the domain name exceeds a domain count threshold and discarding the URL link if the count of messages containing the URL link and associated with the domain name exceeds the domain count threshold (Field: see above) || (Balupari: Col. 8 Line 14 – 30, Col. 10 line 15 – 21 and Col. 5 Line 48 – 51: a “unique domain count” threshold is set to determine whether to allocate the URL into the “ignored-list” from sandboxing – i.e. not placed (discarding) the URL link into (from) sandboxing).  
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to propose the modification of determining whether a count of messages containing the URL link and associated with the domain name exceeds a domain count threshold because Balupari teaches to alternatively, effectively and securely preset a “unique domain count” threshold to determine whether to allocate the URL into the “ignored-list” from sandboxing – i.e. discarding the URL link from sandboxing (see above) within the Field’s system of examining a target file, associated with a tagged URL link, in a sandbox environment for preventing malicious behavior from an unauthorized source (see above). 

As per claim 9 & 17, Balupari (& Field as modified) teaches determining whether a sandbox has received a number of URLs that meet a predetermined sandbox limit and discarding the URL link if the sandbox has received the number of URLs that meet the predetermined sandbox limit (Field: see above) || (Balupari: Col. 8 Line 14 – 20 and Col. 5 Line 48 – 51: determining if the number of URL(s) being received is below the sandbox limit, then it is still lack of sufficient evidence to make the conclusion; otherwise, if the number of URL(s) being received is exceeding the sandbox limit – i.e. a limit to conclude the “positive” malicious characteristics of the URL (i.e. a black-list) and is no longer needed for further sandboxing analysis).  
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to propose the modification of determining whether a sandbox has received a number of URLs that meet a predetermined sandbox limit and discarding the URL link if the sandbox has received the number of URLs that meet the predetermined sandbox limit because Balupari teaches to alternatively, effectively and securely determine if the number of URL(s) being received is below the sandbox limit, then it is still lack of sufficient evidence to make the conclusion; otherwise, if the number of URL(s) being received is exceeding the sandbox limit – i.e. a limit to conclude the “positive” malicious characteristics of the URL (i.e. a black-list) and is no longer needed for further sandboxing analysis (see above) within the Field’s system of examining a target file, associated with a tagged URL link, in a sandbox environment for preventing malicious behavior from an unauthorized source (see above). 


Any inquiry concerning this communication or earlier communications from the examiner should be directed to LONGBIT CHAI whose telephone number is (571)272-3788. The examiner can normally be reached Monday - Friday 9:00am-5:00pm.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn D. Feild can be reached on 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

---------------------------------------------------
                  /Longbit Chai/
           Longbit Chai E.E. Ph.D.
    Primary Examiner, Art Unit 2431
                   No. #2384 – 2022
---------------------------------------------------