Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Amendment
	  Applicant's submission filed on 9/8/2022 has been entered. Claim(s) 1-6, 8-9,  11-16, 18, 20-24 is/are pending in the application. Note, many of the limitations in the claims are contingent limitation and therefore may not be given patentable weight.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-6, 8-9, 11-16, 18, 20-24 is/are rejected under 35 U.S.C. 103 as being unpatentable over Verma (U.S. Patent App Pub 20150067833) in view of Greevy (U.S. Patent 10904266) and Higbee (U.S. Patent App Pub 20180191754).
	Regarding claim 1,
Verma teaches a computer-implemented method for automatically analyzing a potentially malicious email, the method comprising: parsing the potential phishing email by converting the potential phishing email into scannable objects, and scanning the objects to collect findings about the potential phishing email; (See figure 5, paragraphs 93-95, Verma teaches parsing an email into header links and email and run through a classifier ie scan these components)
calculating a score of the potential phishing email based on a phishing rule by: (See paragraphs 76, 105, Verma teaches calculate a phishing score)
assigning item scores to the findings, respectively, based on the phishing rule; and calculating the score being a total of the item scores; (See paragraphs 76, 81, 89, Verma teaches assigning score for each classifier)
determining the potential phishing email to be a malicious email if the score exceeds a threshold value and (See paragraphs 76, 81, 89, Verma teaches a score above 0 i.e. 1 is considered a malicious phishing email)
Verma does not explicitly teach but Greevy teaches checking the potential phishing email against a whitelist. (See column 2 lines 28-54, column 6 line 12-31, Greevy teaches checking an email against a whitelist)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to have known to combine the teachings of Greevy with Verma because both deal with email filters. The advantage of incorporating the above limitation(s) of Greevy into Verma is that Greevy teaches the computer system automatically authorize transmission of emails sent from email addresses within the organization domain without further checks for authenticity according to the method, thus reducing overhead and computational power scanning internal emails for spoofing attempts, therefore making the overall system more robust and efficient. (See paragraphs [0004] - [0006], Greevy)
Verma and Greevy do not explicitly teach but Higbee teaches retrieving a potential phishing email from a database for automatic analysis, (See paragraphs 56-60, 78-80, figure 15, Higbee teaches  a user dashboard to input email issues the user can report fishing fig 5b) the database storing one or more emails that have been identified as potential phishing by one or more users using one or more user computing devices; (See paragraphs 56-61, 72, 103, fig 5b  Higbee teaches  database storing the emails potential phishing after being sent or marked as potential phishing)
if the potential phishing is not identified as benign based on the whitelist; generating a report in a form of email, the report including an email subject, a list of attachments, the findings, the item scores, and the score; and transmitting the report to a security analyst computing device. (See paragraphs 61-62, 78-80, figure 15, Higbee teaches attachments, scores and a report available to the user)
	*This limitation is contingent (MPEP 211.04II) and therefore the BRI does not require this step. However, the examiner has still rejected this limitation. 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to have known to combine the teachings of Higbee with Verma and Greevy because both deal with email filters. The advantage of incorporating the above limitation(s) of Higbee into Verma and Greevy is that Higbee teaches a security analysts are enabled to efficiently analyze and respond to phishing attacks and analysis and response as users fine-tune is improved, therefore making the overall system more robust and efficient. (See paragraphs [0004] , [0027], Higbee)

	Regarding claim 2,
Verma, Greevy and Higbee teach the method of claim 1, wherein the phishing rule defines first items that categorize emails as malicious, the method further comprising: categorizing the email as the malicious email if the findings include one or more of the first items from the phishing rule. (See paragraphs 79-80, Verma teaches categorizing email as malicious based on item)

	Regarding claim 3,
Verma, Greevy and Higbee teaches the method of claim 1.
Greevy further teaches wherein the whitelist defines second items that categorize emails as benign, the method further comprising: categorizing the email as a benign email if the findings include one or more of the second items from the whitelist. (See column 6lines 11-31, Greevy teaches checking a whitelist to determine if a email is benign) See motivation to combine for claim 1.

	Regarding claim 4,
Verma, Greevy and Higbee teaches the method of claim 1.
Greevy further teaches further comprising: determining the  potential phishing email as a benign email if the score does not exceed the threshold value or if the potential phishing email is identified as benign based on the whitelist; and storing the benign email in a benign email database. (See column 10 line 44-67, Greevy teaches  threshold below keeping email) See motivation to combine for claim 1.

	Regarding claim 5,
Verma, Greevy and Higbee teaches the method of claim 4.
Greevy further teaches further comprising: updating the whitelist; and updating the phishing rule.(See column 13 line 19-33, column 16 line 65 – column 17 line 7, Greevy teaches updating whitelist and overall rule for phishing)  See motivation to combine for claim 1.

	Regarding claim 6,
Verma, Greevy and Higbee teaches the method of claim 5, further comprising: 
Greevy further teaches  scanning the benign email database for retesting at a predetermined schedule, wherein scanning the benign email database comprises: checking the benign email against the updated whitelist; (See claims 14, 17, column 1 line 45, column 54, and column 5 line 46-65, Greevy teaches calculating thresholds and checking them against scores and rules)
calculating a second score of the benign email based on the updated phishing rule by: assigning second item scores to the findings, respectively, based on the updated phishing rule; and calculating the second score being a total of the second item scores; and determining the benign email to be a malicious email if the second score exceeds the threshold value and if the benign email is not identified as benign based on the updated whitelist. (See claims 14, 17, column 1 line 45, column 54 and column 5 line 46-65,, Greevy teaches calculating multiple scores and checking threshold to see if email was malicious) See motivation for claim 1.
	
Regarding claim 8,
Verma and Greevy and Higbee teach the method of claim 1.
Higbee further teaches wherein the one or more user computing devices are configured to: generating a user interface selectable by a user to indicate that the email is potentially malicious. (See paragraphs 58-60, figure 5b, 78-80, figure 15, Higbee teaches  a user dashboard)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to have known to combine the teachings of Higbee with Verma and Greevy because both deal with email filters. The advantage of incorporating the above limitation(s) of Higbee into Verma and Greevy is that Higbee teaches a security analysts are enabled to efficiently analyze and respond to phishing attacks and analysis and response as users fine-tune is improved, therefore making the overall system more robust and efficient. (See paragraphs [0004] , [0027], Higbee)

	Regarding claim 9,
Verma, Greevy and Higbee teaches the method of claim 1, wherein the scannable objects include text objects and binary objects. (See paragraphs 14, 165, Verma)

Claims 11-16 list all the same elements of claims 1-6 but in system form rather than method form.  Therefore, the supporting rationale of the rejection to claims 1-6 applies equally as well to claims 11-16.  Furthermore with regards to the limitation of a server comprising: a data processing apparatus; and a memory device storing instructions that when executed by the data processing apparatus cause the server to perform operations comprising: (See paragraphs 62, 78, Verma)

Claims 18 list all the same elements of claims 8,  but in system form rather than method form.  Therefore, the supporting rationale of the rejection to claims  8, applies equally as well to claims 8. 

Claims 20 list all the same elements of claims 1,  but in medium form rather than method form.  Therefore, the supporting rationale of the rejection to claims 1, applies equally as well to claims 20.  Further A non-transitory computer-readable medium having stored therein a program for causing a computer to execute a process of analyzing a potentially malicious email, the process comprising: (See paragraphs 62, 132, Verma)

Regarding claim 21,
Verma, Greevy and Higbee teaches the method of claim 6, wherein scanning the benign email database further comprises: determining the benign email to remain benign if the second score does not exceed the threshold value or if the benign email is identified as benign based on the updated whitelist.
Claims 22 list all the same elements of claims 21,  but in server form rather than medium form.  Therefore, the supporting rationale of the rejection to claims  21, applies equally as well to claims 22. 

Claims 23 list all the same elements of claims 21,  but in server form rather than medium form.  Therefore, the supporting rationale of the rejection to claims  21, applies equally as well to claims 23. 

Claims 24 list all the same elements of claims 5-6,  but in server form rather than medium form.  Therefore, the supporting rationale of the rejection to claims  5-6, applies equally as well to claims 24. 

Response to Arguments
Applicant's arguments filed 9/8/2022 have been fully considered but they are not persuasive. 

Applicant Argues: As such, Higbee fails to teach or suggest "retrieving a potential phishing email from a database for automatic analysis, the database storing one or more emails that have been identified as potential phishing by one or more users using one or more user computing devices" as required in claim 1.
Examiner’s response: Examiner respectfully disagrees and points to paragraph 56 and figure 5b of Higbee.This section teaches in any of the embodiments, a single graphical user interface action (e.g., one-click of a button, one-touch of a button) may be sufficient to trigger the notification to be sent to the network device. Examples of such a graphical reporting button are illustrated in FIGS. 5A and 5B. The graphical user interface can include a label to the effect of “Report Phishing” as a button 520, or may be presented as a contextual menu item 510. In some embodiments, a single click of a user-interface element may be sufficient to report a simulated phishing message generated by the system described herein. In such embodiments, identifying information relating to the reported message and/or the user who reported the message may be communicated to the network server device while the body of the message is not transmitted to the network server device. In further embodiments, when reporting a suspicious message not generated by the system, an additional confirmation dialog may be presented to the user before all of some the message is communicated to the network server device for further processing. This section teaches that the user designates a email as potential phishing and these is sent to the system for further processing. Paragraphs 58-59 of Higbee further expound on this.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure and located in the PTO-892 form. 
Examiner’s note: There are limitations in claims 1-4, 6, 11-14, 16, 20-24 that may be contingent (MPEP 211.04II) and therefore the BRI of these limitations may render them with no patentable weight. 
1.Prakash, U.S. Patent 9154514, teaches systems and methods for analyzing electronic messages for phishing detection are disclosed. In one example embodiment, whether a received email message is a phishing message is determined based on the outcome of a comparison of a recipient background information to a email characteristic wherein the recipient background information is obtained from an online social network. In some embodiments, whether the received email message is a phishing message is determined by comparing a new received email message profile to an email characteristic profile to determine whether the new received email message profile is similar to the email characteristic profile. In some embodiments, whether the received email message is a phishing message is determined by comparing the email characteristics of the new received email message with pattern characteristics. In some embodiments, the determination is made by comparing a email characteristics of the received message with a historical email characteristic.
2. Marinescu, U.S. Patent App 20120244500 , teaches a system, method and computer program product for detecting leadership in a socio-technical environment based on the chronologic distribution of artifacts. The system and method captures and makes use of chronologic information as a predictor of causality in the dissemination of artifacts. A measure of leadership is based in part on the amount of relevant artifacts generated as a result, and temporal causality is used to detect this. The system method and computer program product further determines the patterns of behavior that govern a socio-technical context. By defining a set of patterns and comparing them with the interactions observed within a socio-technical network issues are discoverable.
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to NINOS DONABED whose telephone number is (571)272-8757.  The examiner can normally be reached on Monday - Friday 8:00pm - 4:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, John FOLLANSBEE can be reached on (571)272-3964.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/NINOS DONABED/Primary Examiner, Art Unit 2444