Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION
This action is responsive to patent application as filed on 8/29/2022.
This action is made Final.

	Claims 1 – 20 are pending in the case. Claims 1, 8 and 15 are independent claims. 

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 5/12/2022, is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner. 

Response to Arguments
Applicant’s arguments with respect to claim(s) 1, 8 and 15 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 5, 6, 8-10, 12-17, 19, and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Edwards (US 20190020682) in view of Tyler (USPUB 20200137110) and further in view of Shi (USPUB 20170344743 A1).

Claim 1:
Edwards teaches A computer implemented method in a data processing system comprising a processor and a memory (0077-78) comprising instructions, which are executed by the processor to cause the processor to implement the method for validating a network host listed in a body of an email (Abstract), the method comprising: receiving, by the processor, the email (Fig 3 and 0130: an email to be displayed is intercepted); copying, by the processor, an original body field of the email into a new body field (0134, 0136: “the message editor…creates an edited copy of the suspected phishing email and the pop-up window generator…displays the edited copy of the suspected phishing email; the display 280 on the client 102 displays the notifications in a preview screen in a user's inbox such that the user is displayed a modified copy of the email with the hazards highlighted”); converting, by the processor, a text representation of the network host into a link in the new body field (Figs 5-9 and 0134, 0136: In some embodiments, the message editor…adds warning flags to the body of the email. In some embodiments, the message editor…changes aspects of the font of some text in the body of the email. In some embodiments, the message editor adds or removes text from the body of the email. In some embodiments, pop-up window generator…generates a pop-up window that is displayed when the user clicks on or hovers over an email that has been identified as a suspected phishing email. In some embodiments, the message editor…creates an edited copy of the suspected phishing email and the pop-up window generator…displays the edited copy of the suspected phishing email; the warning notifications are displayed within a box inserted between the header and the body of the suspected phishing email. In other embodiments, the warning box can be added across multiple users and email services. In another embodiment, the display…shows the notification to the user when the user hovers over part of the suspected phishing email”); adding, by the processor, a mouseover text for the link into the new body field, wherein the mouseover text includes a URL of a threat analytics result ( (Figs 5-9 and 0126, 0134, 0160: In some embodiments, pop-up window generator 273 generates a pop-up window that is displayed when the user clicks on or hovers over an email that has been identified as a suspected phishing email. In some embodiments, the message editor 274 creates an edited copy of the suspected phishing email and the pop-up window generator 273 displays the edited copy of the suspected phishing email… In some embodiments, the pop-up window comprises one or more of training for the user on phishing emails and links to access training on phishing emails. In some embodiments, the pop-up window comprises information or statistics about the identified hazards in the email… FIG. 9 is an illustration of the system notifying a user that an email may be a phishing email by showing a link with one or more flags, including a suspicious number of subdomains and .com is not used as the top-level domain in a received mail that the system has identified as suspect. The client-side analysis engine analyzes the email, through different domain analysis modules, including subdomain analysis and top-level domain analysis. Through each of these analysis, the suspicious features of the email are identified, and as demonstrated in FIG. 9, it can be shown to the user through a pop-up box, which explains to the user that the email is suspicious of being a phishing email and why”).

Edwards, by itself, does not seem to completely teach modifying, by the processor, a text style of the link in the new body field according to a threat analytics result from a threat analytics service; and displaying, by the processor, the email in the new body field, wherein the email includes the link having a modified text style.
The Examiner maintains that these features were previously well-known as taught by Tyler.
Tyler teaches modifying, by the processor, a text style of the link in the new body field according to a threat analytics result from a threat analytics service; and displaying, by the processor, the email in the new body field, wherein the email includes the link having a modified text style (0207-209: Upon analysis, the threat detection and warning system is configured to output security-related information to the user…the visual indication may include at least one of a notification, icon, pop-up warning, and modification of one or more visual aspects of the content displayed on a user interface of the computing device or remote computing device. For example, the visual indication may include text and/or color indicating whether the content is safe or unsafe for subsequent user interaction…The safety assessment may include an indication of whether the content is safe or potentially harmful if the user interacts with such content with regard to a security standpoint”).
Edwards and Tyler are analogous art because they are from the same problem-solving area, determining if a link in an email message poses a threat and subsequent handling of the email message.
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Edwards and Tyler before him or her, to combine the teachings of Edwards and Tyler. The rationale for doing so would have been to obtain the benefit of presenting the link and email message in a manner with which its threat level is easy to visually determine, as taught by Tyler (0208).
Therefore, it would have been obvious to combine Edwards and Tyler to obtain the invention as specified in the instant claim(s).
Edwards, by itself, does not seem to completely teach connecting the link to a threat analytic platform website for threat analysis service.
The Examiner maintains that these features were previously well-known as taught by Shi.
Shi teaches connecting the link to a threat analytic platform website for threat analysis service (0015: “the threat detection engine 104 is configured to detect and determine a measurement in the form of a risk level/score of a Web asset, e.g., a file or an URL. Specifically, the threat detection engine 104 is configured to perform qualitative and/or quantitative data analysis on the received Web asset to determine if the Web asset has been tampered with, e.g., including malicious contents and/or viruses that may adversely affect other hosted Web assets and/or computing resources of the target Web application or site 112, or client systems having downloaded the Web asset from the target Web application or site 112…In the case where the threat detection engine 104 runs on a separate host, it may be invoked by the Web asset assessment engine 102 via, for a non-limiting example, via one or more HTTP Application Program Interface (API) calls, wherein the Web asset to be assessed is passed to the threat detection engine 104, which in turn provides the risk score of the Web asset back to the Web asset assessment engine”).
Edwards and Shi are analogous art because they are from the same problem-solving area, determining threat levels of URLs.
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Edwards and Shi before him or her, to combine the teachings of Edwards and Shi. The rationale for doing so would have been to obtain the benefit of providing detailed results of the threat analysis.
Therefore, it would have been obvious to combine Edwards and Shi to obtain the invention as specified in the instant claim(s).

Claim 2:
Edwards teaches wherein the mouseover text further includes the threat analytics result wherein the threat analytics result includes a risk score (Figs 5-9 and 0126, 0134, 0160: In some embodiments, pop-up window generator 273 generates a pop-up window that is displayed when the user clicks on or hovers over an email that has been identified as a suspected phishing email. In some embodiments, the message editor 274 creates an edited copy of the suspected phishing email and the pop-up window generator 273 displays the edited copy of the suspected phishing email… In some embodiments, the pop-up window comprises one or more of training for the user on phishing emails and links to access training on phishing emails. In some embodiments, the pop-up window comprises information or statistics about the identified hazards in the email… FIG. 9 is an illustration of the system notifying a user that an email may be a phishing email by showing a link with one or more flags, including a suspicious number of subdomains and .com is not used as the top-level domain in a received mail that the system has identified as suspect. The client-side analysis engine analyzes the email, through different domain analysis modules, including subdomain analysis and top-level domain analysis. Through each of these analysis, the suspicious features of the email are identified, and as demonstrated in FIG. 9, it can be shown to the user through a pop-up box, which explains to the user that the email is suspicious of being a phishing email and why”).

Claim 3:
Edwards teaches adding, by the processor, a new field into the email, and updating, by the processor, the new body field, wherein the new field includes a plurality of parameters including the link, a name of the threat analytics service, the risk score, and a modification of the text style (Figs 5-9 and 0126, 0134, 0160: In some embodiments, pop-up window generator 273 generates a pop-up window that is displayed when the user clicks on or hovers over an email that has been identified as a suspected phishing email. In some embodiments, the message editor 274 creates an edited copy of the suspected phishing email and the pop-up window generator 273 displays the edited copy of the suspected phishing email… In some embodiments, the pop-up window comprises one or more of training for the user on phishing emails and links to access training on phishing emails. In some embodiments, the pop-up window comprises information or statistics about the identified hazards in the email… FIG. 9 is an illustration of the system notifying a user that an email may be a phishing email by showing a link with one or more flags, including a suspicious number of subdomains and .com is not used as the top-level domain in a received mail that the system has identified as suspect. The client-side analysis engine analyzes the email, through different domain analysis modules, including subdomain analysis and top-level domain analysis. Through each of these analysis, the suspicious features of the email are identified, and as demonstrated in FIG. 9, it can be shown to the user through a pop-up box, which explains to the user that the email is suspicious of being a phishing email and why”. Though Edward’s pop up window presents the link and the equivalent to the claimed risk score, Edwards does not expressly discuss the pop up window presenting a name of the threat analytics service and a modification of the text style. The Examiner maintains that it would have been obvious to one of ordinary skill in the art at the time of the invention to add more information to the pop up window such as the name of the threat analytics service and a modification of the text style, as the inclusion of further details regarding the conducted threat analysis or the adjustment of the text style would have been obvious design choices).

Claim 5:
Edwards, by itself, does not seem to completely teach receiving, by the processor, a result whether the link is resolvable from a Domain Name System (DNS) resolver; and modifying, by the processor, the text style of the link in the new body field according to the result from the DNS resolver.
The Examiner maintains that these features were previously well-known as taught by Tyler.
Tyler teaches receiving, by the processor, a result whether the link is resolvable from a Domain Name System (DNS) resolver; and modifying, by the processor, the text style of the link in the new body field according to the result from the DNS resolver (0194, 0201-202 and 0207-209: Domain names are also used as simple identification labels to indicate ownership or control of a resource. Such examples are the realm identifiers used in the Session Initiation Protocol (SIP), the DKIM Domain Keys used to verify DNS domains in e-mail systems, and in many other Uniform Resource Identifiers (URIs)… a decision module based on inspection of domain registrar information with the threat detection and warning system…comparing the domain of a link within an email message (or a web page) being examined (referred to as the “suspect domain”) with a well-known target domain. It should be noted that, as an initial step, the system…is configured to compare the suspect domain with a plurality of known and trusted domains (i.e., “target domains”) stored in one or more of the databases…The system…is further configured to determine a level of resemblance between the suspect domain and one or more of the trusted domains based on an initial comparison…Both the target domain(s)…and the suspect domain… by necessity, register certain information, specifically DNS metadata…respectively, with a domain registrar…If the suspect is a poor match with the target domain, the domain and associated message are flagged as being highly suspect. After analyzing the domains, the threat detection and warning system…is configured to either flag the message or web page…as containing a questionable link and thereby advise the user that it poses a potential threat, flag the message or web page…as being safe and containing a safe link and thereby advise the user that it does not pose a potential threat…the visual indication may include at least one of a notification, icon, pop-up warning, and modification of one or more visual aspects of the content displayed on a user interface of the computing device or remote computing device. For example, the visual indication may include text and/or color indicating whether the content is safe or unsafe for subsequent user interaction. As an example, the color may include the color red, or one or more shades thereof, indicating that the content is unsafe and the color green, or one or more shades thereof, indicating that the content is safe”).
Edwards and Tyler are analogous art because they are from the same problem-solving area, determining if a link in an email message poses a threat and subsequent handling of the email message.
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Edwards and Tyler before him or her, to combine the teachings of Edwards and Tyler. The rationale for doing so would have been to obtain the benefit of presenting the link and email message in a manner with which its threat level is easy to visually determine, as taught by Tyler (0208).
Therefore, it would have been obvious to combine Edwards and Tyler to obtain the invention as specified in the instant claim(s).

Claim 6:
Edwards, by itself, does not seem to completely teach parsing, by the processor, the threat analytics result to obtain a risk score.
The Examiner maintains that these features were previously well-known as taught by Tyler.
Tyler teaches parsing, by the processor, the threat analytics result to obtain a risk score (0095-96).
Edwards and Tyler are analogous art because they are from the same problem-solving area, determining if a link in an email message poses a threat and subsequent handling of the email message.
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Edwards and Tyler before him or her, to combine the teachings of Edwards and Tyler. The rationale for doing so would have been to obtain the benefit of presenting the link and email message in a manner with which its threat level is easy to visually determine, as taught by Tyler (0208).
Therefore, it would have been obvious to combine Edwards and Tyler to obtain the invention as specified in the instant claim(s).

Claim 8:
Edwards teaches A computer program product for validating a network host listed in a body of an email, the computer program product comprising a computer readable storage medium having program instructions embodied therewith, the program instructions executable by a processor (0085-86) to cause the processor to: receive the email (Fig 3 and 0130: an email to be displayed is intercepted); copy an original body field of the email into a new body field (0134, 0136: “the message editor…creates an edited copy of the suspected phishing email and the pop-up window generator…displays the edited copy of the suspected phishing email; the display 280 on the client 102 displays the notifications in a preview screen in a user's inbox such that the user is displayed a modified copy of the email with the hazards highlighted”); convert a text representation of the network host into a link in the new body field (Figs 5-9 and 0134, 0136: In some embodiments, the message editor…adds warning flags to the body of the email. In some embodiments, the message editor…changes aspects of the font of some text in the body of the email. In some embodiments, the message editor adds or removes text from the body of the email. In some embodiments, pop-up window generator…generates a pop-up window that is displayed when the user clicks on or hovers over an email that has been identified as a suspected phishing email. In some embodiments, the message editor…creates an edited copy of the suspected phishing email and the pop-up window generator…displays the edited copy of the suspected phishing email; the warning notifications are displayed within a box inserted between the header and the body of the suspected phishing email. In other embodiments, the warning box can be added across multiple users and email services. In another embodiment, the display…shows the notification to the user when the user hovers over part of the suspected phishing email”) add a mouseover text for the link into the new body field, wherein the mouseover text includes a URL of a threat analytics result ( (Figs 5-9 and 0126, 0134, 0160: In some embodiments, pop-up window generator 273 generates a pop-up window that is displayed when the user clicks on or hovers over an email that has been identified as a suspected phishing email. In some embodiments, the message editor 274 creates an edited copy of the suspected phishing email and the pop-up window generator 273 displays the edited copy of the suspected phishing email… In some embodiments, the pop-up window comprises one or more of training for the user on phishing emails and links to access training on phishing emails. In some embodiments, the pop-up window comprises information or statistics about the identified hazards in the email… FIG. 9 is an illustration of the system notifying a user that an email may be a phishing email by showing a link with one or more flags, including a suspicious number of subdomains and .com is not used as the top-level domain in a received mail that the system has identified as suspect. The client-side analysis engine analyzes the email, through different domain analysis modules, including subdomain analysis and top-level domain analysis. Through each of these analysis, the suspicious features of the email are identified, and as demonstrated in FIG. 9, it can be shown to the user through a pop-up box, which explains to the user that the email is suspicious of being a phishing email and why”).

Edwards, by itself, does not seem to completely teach modifying, by the processor, a text style of the link in the new body field according to a threat analytics result from a threat analytics service; and displaying, by the processor, the email in the new body field, wherein the email includes the link having a modified text style.
The Examiner maintains that these features were previously well-known as taught by Tyler.
Tyler teaches modifying, by the processor, a text style of the link in the new body field according to a threat analytics result from a threat analytics service; and displaying, by the processor, the email in the new body field, wherein the email includes the link having a modified text style (0207-209: Upon analysis, the threat detection and warning system is configured to output security-related information to the user…the visual indication may include at least one of a notification, icon, pop-up warning, and modification of one or more visual aspects of the content displayed on a user interface of the computing device or remote computing device. For example, the visual indication may include text and/or color indicating whether the content is safe or unsafe for subsequent user interaction…The safety assessment may include an indication of whether the content is safe or potentially harmful if the user interacts with such content with regard to a security standpoint”).
Edwards and Tyler are analogous art because they are from the same problem-solving area, determining if a link in an email message poses a threat and subsequent handling of the email message.
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Edwards and Tyler before him or her, to combine the teachings of Edwards and Tyler. The rationale for doing so would have been to obtain the benefit of presenting the link and email message in a manner with which its threat level is easy to visually determine, as taught by Tyler (0208).
Therefore, it would have been obvious to combine Edwards and Tyler to obtain the invention as specified in the instant claim(s).

Edwards, by itself, does not seem to completely teach connecting the link to a threat analytic platform website for threat analysis service.
The Examiner maintains that these features were previously well-known as taught by Shi.
Shi teaches connecting the link to a threat analytic platform website for threat analysis service (0015: “the threat detection engine 104 is configured to detect and determine a measurement in the form of a risk level/score of a Web asset, e.g., a file or an URL. Specifically, the threat detection engine 104 is configured to perform qualitative and/or quantitative data analysis on the received Web asset to determine if the Web asset has been tampered with, e.g., including malicious contents and/or viruses that may adversely affect other hosted Web assets and/or computing resources of the target Web application or site 112, or client systems having downloaded the Web asset from the target Web application or site 112…In the case where the threat detection engine 104 runs on a separate host, it may be invoked by the Web asset assessment engine 102 via, for a non-limiting example, via one or more HTTP Application Program Interface (API) calls, wherein the Web asset to be assessed is passed to the threat detection engine 104, which in turn provides the risk score of the Web asset back to the Web asset assessment engine”).
Edwards and Shi are analogous art because they are from the same problem-solving area, determining threat levels of URLs.
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Edwards and Shi before him or her, to combine the teachings of Edwards and Shi. The rationale for doing so would have been to obtain the benefit of providing detailed results of the threat analysis.
Therefore, it would have been obvious to combine Edwards and Shi to obtain the invention as specified in the instant claim(s).


Claim 9:
Edwards teaches add a mouseover text for the link into the new body field, wherein the mouseover text includes the threat analytics result and a URL of the threat analytics result, wherein the threat analytics result includes a risk score (Figs 5-9 and 0126, 0134, 0160: In some embodiments, pop-up window generator 273 generates a pop-up window that is displayed when the user clicks on or hovers over an email that has been identified as a suspected phishing email. In some embodiments, the message editor 274 creates an edited copy of the suspected phishing email and the pop-up window generator 273 displays the edited copy of the suspected phishing email… In some embodiments, the pop-up window comprises one or more of training for the user on phishing emails and links to access training on phishing emails. In some embodiments, the pop-up window comprises information or statistics about the identified hazards in the email… FIG. 9 is an illustration of the system notifying a user that an email may be a phishing email by showing a link with one or more flags, including a suspicious number of subdomains and .com is not used as the top-level domain in a received mail that the system has identified as suspect. The client-side analysis engine analyzes the email, through different domain analysis modules, including subdomain analysis and top-level domain analysis. Through each of these analysis, the suspicious features of the email are identified, and as demonstrated in FIG. 9, it can be shown to the user through a pop-up box, which explains to the user that the email is suspicious of being a phishing email and why”).


Claim 10:
Edwards teaches add a new field into the email, and updating, by the processor, the new body field, wherein the new field includes a plurality of parameters including the link, a name of the threat analytics service, the risk score, and a modification of the text style (Figs 5-9 and 0126, 0134, 0160: In some embodiments, pop-up window generator 273 generates a pop-up window that is displayed when the user clicks on or hovers over an email that has been identified as a suspected phishing email. In some embodiments, the message editor 274 creates an edited copy of the suspected phishing email and the pop-up window generator 273 displays the edited copy of the suspected phishing email… In some embodiments, the pop-up window comprises one or more of training for the user on phishing emails and links to access training on phishing emails. In some embodiments, the pop-up window comprises information or statistics about the identified hazards in the email… FIG. 9 is an illustration of the system notifying a user that an email may be a phishing email by showing a link with one or more flags, including a suspicious number of subdomains and .com is not used as the top-level domain in a received mail that the system has identified as suspect. The client-side analysis engine analyzes the email, through different domain analysis modules, including subdomain analysis and top-level domain analysis. Through each of these analysis, the suspicious features of the email are identified, and as demonstrated in FIG. 9, it can be shown to the user through a pop-up box, which explains to the user that the email is suspicious of being a phishing email and why”. Though Edward’s pop up window presents the link and the equivalent to the claimed risk score, Edwards does not expressly discuss the pop up window presenting a name of the threat analytics service and a modification of the text style. The Examiner maintains that it would have been obvious to one of ordinary skill in the art at the time of the invention to add more information to the pop up window such as the name of the threat analytics service and a modification of the text style, as the inclusion of further details regarding the conducted threat analysis or the adjustment of the text style would have been obvious design choices).
Claim 12:
Edwards, by itself, does not seem to completely teach receiving, by the processor, a result whether the link is resolvable from a Domain Name System (DNS) resolver; and modifying, by the processor, the text style of the link in the new body field according to the result from the DNS resolver.
The Examiner maintains that these features were previously well-known as taught by Tyler.
Tyler teaches receiving, by the processor, a result whether the link is resolvable from a Domain Name System (DNS) resolver; and modifying, by the processor, the text style of the link in the new body field according to the result from the DNS resolver (0194, 0201-202 and 0207-209: Domain names are also used as simple identification labels to indicate ownership or control of a resource. Such examples are the realm identifiers used in the Session Initiation Protocol (SIP), the DKIM Domain Keys used to verify DNS domains in e-mail systems, and in many other Uniform Resource Identifiers (URIs)… a decision module based on inspection of domain registrar information with the threat detection and warning system…comparing the domain of a link within an email message (or a web page) being examined (referred to as the “suspect domain”) with a well-known target domain. It should be noted that, as an initial step, the system…is configured to compare the suspect domain with a plurality of known and trusted domains (i.e., “target domains”) stored in one or more of the databases…The system…is further configured to determine a level of resemblance between the suspect domain and one or more of the trusted domains based on an initial comparison…Both the target domain(s)…and the suspect domain… by necessity, register certain information, specifically DNS metadata…respectively, with a domain registrar…If the suspect is a poor match with the target domain, the domain and associated message are flagged as being highly suspect. After analyzing the domains, the threat detection and warning system…is configured to either flag the message or web page…as containing a questionable link and thereby advise the user that it poses a potential threat, flag the message or web page…as being safe and containing a safe link and thereby advise the user that it does not pose a potential threat…the visual indication may include at least one of a notification, icon, pop-up warning, and modification of one or more visual aspects of the content displayed on a user interface of the computing device or remote computing device. For example, the visual indication may include text and/or color indicating whether the content is safe or unsafe for subsequent user interaction. As an example, the color may include the color red, or one or more shades thereof, indicating that the content is unsafe and the color green, or one or more shades thereof, indicating that the content is safe”).
Edwards and Tyler are analogous art because they are from the same problem-solving area, determining if a link in an email message poses a threat and subsequent handling of the email message.
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Edwards and Tyler before him or her, to combine the teachings of Edwards and Tyler. The rationale for doing so would have been to obtain the benefit of presenting the link and email message in a manner with which its threat level is easy to visually determine, as taught by Tyler (0208).
Therefore, it would have been obvious to combine Edwards and Tyler to obtain the invention as specified in the instant claim(s).

Claim 13:
Edwards in view of Tyler teaches every feature of claim 8.
Edwards, by itself, does not seem to completely teach obtain the threat analytics result through a RESTful API.
The Examiner maintains that these features were previously well-known as taught by Shi.
Shi teaches obtain the threat analytics result through a RESTful API (0016-17: the threat summary and reporting (TSR) engine…is configured to generate a report that summarizes the threat posed by a Web asset once the Web asset has been evaluated by the threat detection engine…and a risk score has been generated for the Web asset. Here, the threat summary report includes quantified and/or qualified information of the risks and specific threats posed by the Web asset…the threat summary and reporting engine…is also configured to provide the report, upon request, to a user/system administrator of the target Web application or site…the policies are created based on the report from the threat summary and reporting engine…and may include filtering and mitigating rules with respect to the hosted Web assets on the target Web application or site 112 protected by the Web application security device 110…the protection policy application engine 108 has compatible protocol knowledge for communications with the Web application security device 110 and is configured to access and insert the policies the Web application security device…by invoking a trusted API of the Web application security device…the trusted API is a RESTful API that uses HTTP requests to GET, PUT, POST and DELETE data”).
Edwards and Shi are analogous art because they are from the same problem-solving area, determining threat levels of URLs.
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Edwards and Shi before him or her, to combine the teachings of Edwards and Shi. The rationale for doing so would have been to obtain the benefit of providing detailed results of the threat analysis.
Therefore, it would have been obvious to combine Edwards and Shi to obtain the invention as specified in the instant claim(s).

Claim 14:
Edwards, by itself, does not seem to completely teach obtain the threat analytics result from a HTTP response in response to a GET command of the RESTful API.
The Examiner maintains that these features were previously well-known as taught by Shi.
Shi teaches obtain the threat analytics result from a HTTP response in response to a GET command of the RESTful API (0016-17: the threat summary and reporting (TSR) engine…is configured to generate a report that summarizes the threat posed by a Web asset once the Web asset has been evaluated by the threat detection engine…and a risk score has been generated for the Web asset. Here, the threat summary report includes quantified and/or qualified information of the risks and specific threats posed by the Web asset…the threat summary and reporting engine…is also configured to provide the report, upon request, to a user/system administrator of the target Web application or site…the policies are created based on the report from the threat summary and reporting engine…and may include filtering and mitigating rules with respect to the hosted Web assets on the target Web application or site 112 protected by the Web application security device 110…the protection policy application engine 108 has compatible protocol knowledge for communications with the Web application security device 110 and is configured to access and insert the policies the Web application security device…by invoking a trusted API of the Web application security device…the trusted API is a RESTful API that uses HTTP requests to GET, PUT, POST and DELETE data”).
Edwards and Shi are analogous art because they are from the same problem-solving area, determining threat levels of URLs.
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Edwards and Shi before him or her, to combine the teachings of Edwards and Shi. The rationale for doing so would have been to obtain the benefit of providing detailed results of the threat analysis.
Therefore, it would have been obvious to combine Edwards and Shi to obtain the invention as specified in the instant claim(s).

Claim 15:
Edwards teaches A system for validating a network host listed in a body of an email, the system comprising: (0085-86) a processor configured to: receive the email (Fig 3 and 0130: an email to be displayed is intercepted); copy an original body field of the email into a new body field (0134, 0136: “the message editor…creates an edited copy of the suspected phishing email and the pop-up window generator…displays the edited copy of the suspected phishing email; the display 280 on the client 102 displays the notifications in a preview screen in a user's inbox such that the user is displayed a modified copy of the email with the hazards highlighted”); convert a text representation of the network host into a link in the new body field (Figs 5-9 and 0134, 0136: In some embodiments, the message editor…adds warning flags to the body of the email. In some embodiments, the message editor…changes aspects of the font of some text in the body of the email. In some embodiments, the message editor adds or removes text from the body of the email. In some embodiments, pop-up window generator…generates a pop-up window that is displayed when the user clicks on or hovers over an email that has been identified as a suspected phishing email. In some embodiments, the message editor…creates an edited copy of the suspected phishing email and the pop-up window generator…displays the edited copy of the suspected phishing email; the warning notifications are displayed within a box inserted between the header and the body of the suspected phishing email. In other embodiments, the warning box can be added across multiple users and email services. In another embodiment, the display…shows the notification to the user when the user hovers over part of the suspected phishing email”) add a mouseover text for the link into the new body field, wherein the mouseover text includes a URL of a threat analytics result (Figs 5-9 and 0126, 0134, 0160: In some embodiments, pop-up window generator 273 generates a pop-up window that is displayed when the user clicks on or hovers over an email that has been identified as a suspected phishing email. In some embodiments, the message editor 274 creates an edited copy of the suspected phishing email and the pop-up window generator 273 displays the edited copy of the suspected phishing email… In some embodiments, the pop-up window comprises one or more of training for the user on phishing emails and links to access training on phishing emails. In some embodiments, the pop-up window comprises information or statistics about the identified hazards in the email… FIG. 9 is an illustration of the system notifying a user that an email may be a phishing email by showing a link with one or more flags, including a suspicious number of subdomains and .com is not used as the top-level domain in a received mail that the system has identified as suspect. The client-side analysis engine analyzes the email, through different domain analysis modules, including subdomain analysis and top-level domain analysis. Through each of these analysis, the suspicious features of the email are identified, and as demonstrated in FIG. 9, it can be shown to the user through a pop-up box, which explains to the user that the email is suspicious of being a phishing email and why”).

Edwards, by itself, does not seem to completely teach modifying, by the processor, a text style of the link in the new body field according to a threat analytics result from a threat analytics service; and displaying, by the processor, the email in the new body field, wherein the email includes the link having a modified text style.
The Examiner maintains that these features were previously well-known as taught by Tyler.
Tyler teaches modifying, by the processor, a text style of the link in the new body field according to a threat analytics result from a threat analytics service; and displaying, by the processor, the email in the new body field, wherein the email includes the link having a modified text style (0207-209: Upon analysis, the threat detection and warning system is configured to output security-related information to the user…the visual indication may include at least one of a notification, icon, pop-up warning, and modification of one or more visual aspects of the content displayed on a user interface of the computing device or remote computing device. For example, the visual indication may include text and/or color indicating whether the content is safe or unsafe for subsequent user interaction…The safety assessment may include an indication of whether the content is safe or potentially harmful if the user interacts with such content with regard to a security standpoint”).
Edwards and Tyler are analogous art because they are from the same problem-solving area, determining if a link in an email message poses a threat and subsequent handling of the email message.
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Edwards and Tyler before him or her, to combine the teachings of Edwards and Tyler. The rationale for doing so would have been to obtain the benefit of presenting the link and email message in a manner with which its threat level is easy to visually determine, as taught by Tyler (0208).
Therefore, it would have been obvious to combine Edwards and Tyler to obtain the invention as specified in the instant claim(s).

Edwards, by itself, does not seem to completely teach connecting the link to a threat analytic platform website for threat analysis service.
The Examiner maintains that these features were previously well-known as taught by Shi.
Shi teaches connecting the link to a threat analytic platform website for threat analysis service (0015: “the threat detection engine 104 is configured to detect and determine a measurement in the form of a risk level/score of a Web asset, e.g., a file or an URL. Specifically, the threat detection engine 104 is configured to perform qualitative and/or quantitative data analysis on the received Web asset to determine if the Web asset has been tampered with, e.g., including malicious contents and/or viruses that may adversely affect other hosted Web assets and/or computing resources of the target Web application or site 112, or client systems having downloaded the Web asset from the target Web application or site 112…In the case where the threat detection engine 104 runs on a separate host, it may be invoked by the Web asset assessment engine 102 via, for a non-limiting example, via one or more HTTP Application Program Interface (API) calls, wherein the Web asset to be assessed is passed to the threat detection engine 104, which in turn provides the risk score of the Web asset back to the Web asset assessment engine”).
Edwards and Shi are analogous art because they are from the same problem-solving area, determining threat levels of URLs.
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Edwards and Shi before him or her, to combine the teachings of Edwards and Shi. The rationale for doing so would have been to obtain the benefit of providing detailed results of the threat analysis.
Therefore, it would have been obvious to combine Edwards and Shi to obtain the invention as specified in the instant claim(s).

Claim 16:
Edwards teaches add a mouseover text for the link into the new body field, wherein the mouseover text includes the risk score and a URL of the IP reputation database (Figs 5-9 and 0126, 0134, 0160: In some embodiments, pop-up window generator 273 generates a pop-up window that is displayed when the user clicks on or hovers over an email that has been identified as a suspected phishing email. In some embodiments, the message editor 274 creates an edited copy of the suspected phishing email and the pop-up window generator 273 displays the edited copy of the suspected phishing email… In some embodiments, the pop-up window comprises one or more of training for the user on phishing emails and links to access training on phishing emails. In some embodiments, the pop-up window comprises information or statistics about the identified hazards in the email… FIG. 9 is an illustration of the system notifying a user that an email may be a phishing email by showing a link with one or more flags, including a suspicious number of subdomains and .com is not used as the top-level domain in a received mail that the system has identified as suspect. The client-side analysis engine analyzes the email, through different domain analysis modules, including subdomain analysis and top-level domain analysis. Through each of these analysis, the suspicious features of the email are identified, and as demonstrated in FIG. 9, it can be shown to the user through a pop-up box, which explains to the user that the email is suspicious of being a phishing email and why”).

Claim 17:
Edwards teaches adding, by the processor, a new field into the email, and updating, by the processor, the new body field, wherein the new field includes a plurality of parameters including the link, a name of the IP reputation database, the risk score, and a modification of the text style (Figs 5-9 and 0126, 0134, 0160: In some embodiments, pop-up window generator 273 generates a pop-up window that is displayed when the user clicks on or hovers over an email that has been identified as a suspected phishing email. In some embodiments, the message editor 274 creates an edited copy of the suspected phishing email and the pop-up window generator 273 displays the edited copy of the suspected phishing email… In some embodiments, the pop-up window comprises one or more of training for the user on phishing emails and links to access training on phishing emails. In some embodiments, the pop-up window comprises information or statistics about the identified hazards in the email… FIG. 9 is an illustration of the system notifying a user that an email may be a phishing email by showing a link with one or more flags, including a suspicious number of subdomains and .com is not used as the top-level domain in a received mail that the system has identified as suspect. The client-side analysis engine analyzes the email, through different domain analysis modules, including subdomain analysis and top-level domain analysis. Through each of these analysis, the suspicious features of the email are identified, and as demonstrated in FIG. 9, it can be shown to the user through a pop-up box, which explains to the user that the email is suspicious of being a phishing email and why”. Though Edward’s pop up window presents the link and the equivalent to the claimed risk score, Edwards does not expressly discuss the pop up window presenting a name of the IP reputation database and a modification of the text style. The Examiner maintains that it would have been obvious to one of ordinary skill in the art at the time of the invention to add more information to the pop up window such as the name of the IP reputation database and a modification of the text style, as the inclusion of further details regarding the conducted threat analysis or the adjustment of the text style would have been obvious design choices).

Claim 19:
Edwards, by itself, does not seem to completely teach receiving, by the processor, a result whether the link is resolvable from a Domain Name System (DNS) resolver; and modifying, by the processor, the text style of the link in the new body field according to the result from the DNS resolver.
The Examiner maintains that these features were previously well-known as taught by Tyler.
Tyler teaches receiving, by the processor, a result whether the link is resolvable from a Domain Name System (DNS) resolver; and modifying, by the processor, the text style of the link in the new body field according to the result from the DNS resolver (0194, 0201-202 and 0207-209: Domain names are also used as simple identification labels to indicate ownership or control of a resource. Such examples are the realm identifiers used in the Session Initiation Protocol (SIP), the DKIM Domain Keys used to verify DNS domains in e-mail systems, and in many other Uniform Resource Identifiers (URIs)… a decision module based on inspection of domain registrar information with the threat detection and warning system…comparing the domain of a link within an email message (or a web page) being examined (referred to as the “suspect domain”) with a well-known target domain. It should be noted that, as an initial step, the system…is configured to compare the suspect domain with a plurality of known and trusted domains (i.e., “target domains”) stored in one or more of the databases…The system…is further configured to determine a level of resemblance between the suspect domain and one or more of the trusted domains based on an initial comparison…Both the target domain(s)…and the suspect domain… by necessity, register certain information, specifically DNS metadata…respectively, with a domain registrar…If the suspect is a poor match with the target domain, the domain and associated message are flagged as being highly suspect. After analyzing the domains, the threat detection and warning system…is configured to either flag the message or web page…as containing a questionable link and thereby advise the user that it poses a potential threat, flag the message or web page…as being safe and containing a safe link and thereby advise the user that it does not pose a potential threat…the visual indication may include at least one of a notification, icon, pop-up warning, and modification of one or more visual aspects of the content displayed on a user interface of the computing device or remote computing device. For example, the visual indication may include text and/or color indicating whether the content is safe or unsafe for subsequent user interaction. As an example, the color may include the color red, or one or more shades thereof, indicating that the content is unsafe and the color green, or one or more shades thereof, indicating that the content is safe”).
Edwards and Tyler are analogous art because they are from the same problem-solving area, determining if a link in an email message poses a threat and subsequent handling of the email message.
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Edwards and Tyler before him or her, to combine the teachings of Edwards and Tyler. The rationale for doing so would have been to obtain the benefit of presenting the link and email message in a manner with which its threat level is easy to visually determine, as taught by Tyler (0208).
Therefore, it would have been obvious to combine Edwards and Tyler to obtain the invention as specified in the instant claim(s).

Claim 20:
Edwards teaches check whether a threat analytics option is enabled, if the threat analytics option is enabled (0100: “Some aspects of the feature are added to the user's email client (e.g., outlook, Gmail) as a plug-in. The feature is enabled to intercept an email when the user tries to open or preview the email, in order to look for the hazards that are known to be associated with phishing emails”), copy an original body field of the email into a new body field (0134, 0136: “the message editor…creates an edited copy of the suspected phishing email and the pop-up window generator…displays the edited copy of the suspected phishing email; the display 280 on the client 102 displays the notifications in a preview screen in a user's inbox such that the user is displayed a modified copy of the email with the hazards highlighted”); convert a text representation of the network host into a link in the new body field (Figs 5-9 and 0134, 0136: In some embodiments, the message editor…adds warning flags to the body of the email. In some embodiments, the message editor…changes aspects of the font of some text in the body of the email. In some embodiments, the message editor adds or removes text from the body of the email. In some embodiments, pop-up window generator…generates a pop-up window that is displayed when the user clicks on or hovers over an email that has been identified as a suspected phishing email. In some embodiments, the message editor…creates an edited copy of the suspected phishing email and the pop-up window generator…displays the edited copy of the suspected phishing email; the warning notifications are displayed within a box inserted between the header and the body of the suspected phishing email. In other embodiments, the warning box can be added across multiple users and email services. In another embodiment, the display…shows the notification to the user when the user hovers over part of the suspected phishing email”).
 Edwards, by itself, does not seem to completely teach modify a text style of the link in the new body field according to a risk score from an IP reputation database; and display the email with the new body field, wherein the email includes the link having a modified text style.
The Examiner maintains that these features were previously well-known as taught by Tyler.
Tyler teaches modify a text style of the link in the new body field according to a risk score from an IP reputation database; and display the email with the new body field, wherein the email includes the link having a modified text style (0092, 0207-209: “Proxy server…receives a decoded link…from the Decode module. It then performs a safety Check…on the web page. This check may use any desired method to determine whether the web page presents known or suspected threats of any kind. Below we discuss a check method that uses whitelists and blacklists…verifying the identity of the sender of a message using for example DomainKeys Identified Mail (DKIM) or Sender Policy Framework (SPF), checking whether the name of a web page or domain is suspiciously similar to that of a known legitimate site, checking the length of time a web page or domain has been registered (under the presumption for example that many phishing sites for instance may be recent or short-lived), checking the IP address associated with a domain for suspicious geographical locations, and using a recommender system to determine a web page's safety reputation …Upon analysis, the threat detection and warning system is configured to output security-related information to the user…the visual indication may include at least one of a notification, icon, pop-up warning, and modification of one or more visual aspects of the content displayed on a user interface of the computing device or remote computing device. For example, the visual indication may include text and/or color indicating whether the content is safe or unsafe for subsequent user interaction…The safety assessment may include an indication of whether the content is safe or potentially harmful if the user interacts with such content with regard to a security standpoint”).
Edwards and Tyler are analogous art because they are from the same problem-solving area, determining if a link in an email message poses a threat and subsequent handling of the email message.
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Edwards and Tyler before him or her, to combine the teachings of Edwards and Tyler. The rationale for doing so would have been to obtain the benefit of presenting the link and email message in a manner with which its threat level is easy to visually determine, as taught by Tyler (0208).
Therefore, it would have been obvious to combine Edwards and Tyler to obtain the invention as specified in the instant claim(s).

Claims 4, 11 and 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Edwards (US 20190020682) in view of Tyler (USPUB 20200137110) and Shi, and further in view of Huang (USPUB 20030231207 A1).

Claims 4, 11 and 18:
Edwards in view of Tyler and Shi teaches every feature of claims 1, 8 and 15.
Edwards, by itself, does not seem to completely teach a content type of the new body field is text/html and a multipart subtype of an email message in the new body field is multipart/alternative.
The Examiner maintains that these features were previously well-known as taught by Huang.
Huang teaches a content type of the new body field is text/html and a multipart subtype of an email message in the new body field is multipart/alternative (0207).
Edwards and Huang are analogous art because they are from the same problem-solving area, management of emails in a personal email system.
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Edwards and Huang before him or her, to combine the teachings of Edwards and Huang. The rationale for doing so would have been to obtain the benefit of ensuring the email messages are compatible with any email client, as taught by Huang (0207).
Therefore, it would have been obvious to combine Edwards and Huang to obtain the invention as specified in the instant claim(s).

Claim 7 is/are rejected under 35 U.S.C. 103 as being unpatentable over Edwards (US 20190020682) in view of Tyler (USPUB 20200137110) and Shi and further in view of Sharon (USPUB 20190260769 A1).

Claim 7:
Edwards in view of Tyler and Shi teaches every feature of claim 1.
Edwards, by itself, does not seem to completely teach the link is connected to a web page showing the threat analytics result.
The Examiner maintains that these features were previously well-known as taught by Sharon.
Sharon teaches the link is connected to a web page showing the threat analytics result (0109-110: Upon detecting a potential security threat, the user…may generate a security threat information report…In general, a security threat information report may comprise as much information as the user knows about the potential security threat. Such information may include a type of threat (suspicious email, suspicious URL, suspicious WIFI network, etc.), a severity level, an affected device information, etc… a security threat information report may be transmitted via a secure webpage or via a secure chat program as part of the security operation platform”).
Edwards and Sharon are analogous art because they are from the same problem-solving area, determining threat levels of emails in an email system.
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Edwards and Sharon before him or her, to combine the teachings of Edwards and Sharon. The rationale for doing so would have been to obtain the benefit of providing detailed results of the threat analysis regarding the email.
Therefore, it would have been obvious to combine Edwards and Sharon to obtain the invention as specified in the instant claim(s).

Claim 13:
Edwards in view of Tyler teaches every feature of claim 8.
Edwards, by itself, does not seem to completely teach obtain the threat analytics result through a RESTful API.
The Examiner maintains that these features were previously well-known as taught by Shi.
Shi teaches obtain the threat analytics result through a RESTful API (0016-17: the threat summary and reporting (TSR) engine…is configured to generate a report that summarizes the threat posed by a Web asset once the Web asset has been evaluated by the threat detection engine…and a risk score has been generated for the Web asset. Here, the threat summary report includes quantified and/or qualified information of the risks and specific threats posed by the Web asset…the threat summary and reporting engine…is also configured to provide the report, upon request, to a user/system administrator of the target Web application or site…the policies are created based on the report from the threat summary and reporting engine…and may include filtering and mitigating rules with respect to the hosted Web assets on the target Web application or site 112 protected by the Web application security device 110…the protection policy application engine 108 has compatible protocol knowledge for communications with the Web application security device 110 and is configured to access and insert the policies the Web application security device…by invoking a trusted API of the Web application security device…the trusted API is a RESTful API that uses HTTP requests to GET, PUT, POST and DELETE data”).
Edwards and Shi are analogous art because they are from the same problem-solving area, determining threat levels of URLs.
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Edwards and Shi before him or her, to combine the teachings of Edwards and Shi. The rationale for doing so would have been to obtain the benefit of providing detailed results of the threat analysis.
Therefore, it would have been obvious to combine Edwards and Shi to obtain the invention as specified in the instant claim(s).

Claim 14:
Edwards, by itself, does not seem to completely teach obtain the threat analytics result from a HTTP response in response to a GET command of the RESTful API.
The Examiner maintains that these features were previously well-known as taught by Shi.
Shi teaches obtain the threat analytics result from a HTTP response in response to a GET command of the RESTful API (0016-17: the threat summary and reporting (TSR) engine…is configured to generate a report that summarizes the threat posed by a Web asset once the Web asset has been evaluated by the threat detection engine…and a risk score has been generated for the Web asset. Here, the threat summary report includes quantified and/or qualified information of the risks and specific threats posed by the Web asset…the threat summary and reporting engine…is also configured to provide the report, upon request, to a user/system administrator of the target Web application or site…the policies are created based on the report from the threat summary and reporting engine…and may include filtering and mitigating rules with respect to the hosted Web assets on the target Web application or site 112 protected by the Web application security device 110…the protection policy application engine 108 has compatible protocol knowledge for communications with the Web application security device 110 and is configured to access and insert the policies the Web application security device…by invoking a trusted API of the Web application security device…the trusted API is a RESTful API that uses HTTP requests to GET, PUT, POST and DELETE data”).
Edwards and Shi are analogous art because they are from the same problem-solving area, determining threat levels of URLs.
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Edwards and Shi before him or her, to combine the teachings of Edwards and Shi. The rationale for doing so would have been to obtain the benefit of providing detailed results of the threat analysis.
Therefore, it would have been obvious to combine Edwards and Shi to obtain the invention as specified in the instant claim(s).

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOHAMMED H ZUBERI whose telephone number is (571)270-7761.  The examiner can normally be reached on Monday-Thursday 10AM-8PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Cesar Paula can be reached on 571-272-4128.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/MOHAMMED H ZUBERI/               Primary Examiner, Art Unit 2177