Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Priority
This application claims the benefit of and priority to U.S. Provisional Patent Application Ser. No. 62/863,991, filed Jun. 20, 2019, and entitled “Integrating Targeted Attack Protection (TAP) and Isolation,” which is incorporated by reference herein in its entirety.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 10/28/2022 has been entered.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 08/30/2022 was filed after the mailing date of the Final Office Action on 07/27/2022. The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.
DETAILED ACTION
This Office Action is in response to a Request for Continued Examination (RCE) application received on 10/28/2022. In the RCE, claims 1, 13 and 20 have been amended. Claims 5 and 17 have been cancelled. Claims 2-4, 6-12, 14-16 and 18-19 remain original. 
For this Office Action, claims 1-4, 6-16 and 18-20 have been received for consideration and have been examined. 
Response to Arguments
Claim Rejections – 35 USC § 112
Applicant’s amendments to independent claims, filed 10/28/2022, with respect to claim rejections under 35 USC § 112(b) have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn. 
Claim Rejections – 35 USC § 103
Applicant’s arguments, filed 10/28/2022, with respect to the rejection(s) of claim(s) under 35 USC § 103 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of new amendments to the independent claims.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-4, 9-16 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Quinlan (WO2012094040A1) in view of Jakobsson (US20180091453A1) and further in view of Mesdaq et al. (US10601865B1).
Regarding claim 1, Quinlan discloses:
A computing platform (i.e., Proxy Server 300; See FIG. 1), comprising:
at least one processor; a communication interface; and memory storing computer-readable instructions that, when executed by the at least one processor, cause the computing platform to:
receive, via the communication interface, from a first user computing device (i.e., User Terminal 120(a); See FIG. 1), a first request (i.e. clicking by the user on the link of the URL is construed as ‘first request for first URL access’) for a first uniform resource locator associated with a first email message ([0026] The processor 220 may, for example, rewrite the URLs before a user receives the email message. After a user clicks on the link of the URL, the processor 220 then may redirect the user to the proxy server 300 instead of the web server that may be hosting the content associated with the URL);
identify that the first uniform resource locator associated with the first email message corresponds to a first potentially-malicious site ([0033-0035] discloses in light of Figures 5 & 6 that the proxy server determines [identifies] if the URL presented in the electronic message is suspicious or not based on analysis performed in step 510).
Quinlan fails to disclose:
in response to identifying that the first uniform resource locator associated with the first email message corresponds to the first potentially-malicious site, determine a risk profile associated with the first request received from the first user computing device, wherein determining the risk profile associated with the first request received from the first user computing device includes identifying that a user of the first user computing device is included in a very attacked persons group associated with the enterprise organization and dynamically determined from an enterprise organization-specific index of users and wherein determining the risk profile associated with the first request received from the first user computing device further includes determining that the first uniform resource locator associated with the user request [first email message] is associated with a specific category by matching header content of a page corresponding to a site associated with the first URL with information defined in one or more category templates; and based on the risk profile associated with the first request received from the first user computing device, execute an isolation method to provide limited access to the first uniform resource locator associated with the first email message.
However, Jakobsson discloses:
	in response to identifying (i.e. message is identified as potentially risky by the system) that the first uniform resource locator associated with the first email message corresponds to the first potentially-malicious site ([0040] In some embodiments, a risk score associated with a message is a heuristically computed score … whether the message contents match a high-risk pattern (e.g., contains a URL associated with a site that is not trusted; [0048] For example, consider a potentially risky email message that contains a text component, a URL and an attachment, and which has an associated sender profile. Assume that this message is identified as potentially risky by the system. The system then replaces the URL with a proxy URL, changes the extension of the attachment to make it not possible to execute), 
determine a risk profile (i.e., risk profile of the user of the first user computing device [intended recipient of the message]; See [0055]) associated with the first request received from the first user computing device ([0055] In some embodiments, the modification of the message is based on a risk profile associated with the intended recipient of the message … Consider three users belonging to the same organization. The first user is exposed to a large amount of dangerous email due to having a public profile within the organization … The second user is not exposed to a lot of attacks, but reacts to emails very quickly by clicking on URLs, opening attachments, and by responding to them regardless of whether the emails are identified as secure or not. A third person is not exposed to many attacks and is not reacting in a risky manner. It is identified that the three users are exposed to different types of risk); 
wherein determining the risk profile associated with the first request received from the first user computing device includes identifying that a user of the first user computing device is included in a very attacked persons group associated with the enterprise organization (i.e., the user receives a large amount of emails due to having a public profile in the organization and is therefore considered to be part of ‘a very attacked persons group’) and dynamically determined from an enterprise organization-specific index of users (i.e., the first user, the second user and the third user as mentioned in [0055]) and wherein determining the risk profile associated with the first request received from the first user computing device ([0055] discloses determining the category of a user based on his ranking/profile in an organization, i.e., when such user receives a large amount of emails due to having a public profile in the organization and is therefore considered to be part of ‘a very attacked persons group’); and
based on the risk profile (i.e., based on risk profile of the first user) associated with the first request received from the first user computing device, execute an isolation method to provide limited access (i.e., modify/quarantine/block the message) to the first uniform resource locator associated with the first email message ([0055] The first user, correspondingly, is protected by screening for traffic that is deceptive, e.g., that comes from untrusted entities that are named in a way that is similar to trusted entities; when emails arrive from such an entity, the emails are modified/quarantined (e.g., as previously described) or blocked; [0065] If at 220, it is determined that a security threat has been detected, at 224, a security action is performed … preventing access to content referenced by a URL included in the message).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the Quinlan reference and include a message analysis system which is able to evaluate a risk of a message before it is delivered to an intended recipient, as disclosed by Jakobsson.
The motivation to detect risk of the message before it is delivered to the intended recipient is to protect the intended recipient from potential malicious content.
The combination of Quinlan and Jakobsson fails to disclose:
	determining that the first uniform resource locator associated with the user request [first email message] is associated with a specific category by matching header content of a page corresponding to a site associated with the first URL with information defined in one or more category templates.
However, Mesdaq discloses:
	determining that the first uniform resource locator associated with the user request [first email message] is associated with a specific category (i.e., as mentioned in FIG. 6; steps 604-605 for determining category of the URL) by matching header content of a page corresponding to a site associated with the first URL with information defined in one or more category templates (Abstract; Col. 7, Line # 16-33 discloses that ‘static analysis logic 120’ analyzes the URL in the email which includes fetching the web page content (e.g., HTML source code and associated metadata) and analyzing the header and body contents of the web page; also see FIG. 7; Col. 12, Line # 27-59 discloses in steps 703-704 analyzing by the web page analysis logic correlating the attributes extracted from the headers of the fetched web page with the attributes extracted from the email to determine the consistency between the sources).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the Quinlan and Jakobsson references and include a system and method for analyzing a web page directed to by a URL in an email, as disclosed by Mesdaq.
	The motivation to include such a method and system is to protect the user accessing the URL from exposure to potentially malicious URLs.
Regarding claim 2, the combination of Quinlan, Jakobsson and Mesdaq discloses:
	The computing platform of claim 1,
wherein the first uniform resource locator associated with the first email message is an embedded link in the first email message that was rewritten by an email filtering engine (See FIG. 2; i.e. designation process logic 400) hosted on the computing platform (Quinlan: [0019] Generally, the suspicious message designation process logic 400 is configured to determine whether email messages received at email server 200 contain one of a plurality of attacks such as advance fee fraud scams (commonly known as "419 scams"), malware or suspicious URLs and to designate any suspicious URLs to be rewritten to point to the proxy server 300; [0024] If an email message is determined to contain a URL, processor 220 determines whether the email message contains at least one suspicious URL at 430, and if the email message is determined to contain at least one suspicious URL, processor 220 designates, at 440, that the suspicious URL is to be rewritten to point to proxy server 300), and
wherein identifying that the first uniform resource locator associated with the first email message corresponds to the first potentially-malicious site comprises identifying that the first uniform resource locator associated with the first email message corresponds to the first potentially-malicious site using a URL defense (UD) tool (See FIG. 3; i.e., proxy processing logic 500) hosted on the computing platform (Quinlan: [0005] FIG. 2 is a block diagram of an example of an email server device configured to perform a suspicious message designation process to identify emails that are suspicious and warrant further protections by the proxy server; [0024] Turning to FIG. 4, an example of a flow chart for the suspicious message designation process logic 400 is now described. At 410, email server 200 receives an email message that is intended to be delivered to one or more users at user terminals 120(a)-120(c). At 420, processor 220 scans the email message to determine whether the email message contains at least one URL. If an email message is determined to contain a URL, processor 220 determines whether the email message contains at least one suspicious URL at 430).
Regarding claim 3, the combination of Quinlan, Jakobsson and Mesdaq discloses:
	The computing platform of claim 1, wherein determining the risk profile associated with the first request received from the first user computing device comprises determining that the first uniform resource locator associated with the first email message is associated with a first web category (i.e., URL related to reputable bank) (Quinlan: [0023] The website that the phishing URL links to may appear to the user as a reputable business or organization website. For example, a user may click on the phishing URL link and may then be directed to a website that appears as one for a reputable bank).	
Regarding claim 4, the combination of Quinlan, Jakobsson and Mesdaq discloses:
The computing platform of claim 1, wherein determining the risk profile associated with the first request received from the first user computing device comprises determining one or more user-specific risk factors associated with a user of the first user computing device (Jakobsson: [0055] In some embodiments, the modification of the message is based on a risk profile associated with the intended recipient of the message … Consider three users belonging to the same organization. The first user is exposed to a large amount of dangerous email due to having a public profile within the organization … The second user is not exposed to a lot of attacks, but reacts to emails very quickly by clicking on URLs, opening attachments, and by responding to them regardless of whether the emails are identified as secure or not. A third person is not exposed to many attacks and is not reacting in a risky manner. It is identified that the three users are exposed to different types of risk).
Regarding claim 9, the combination of Quinlan, Jakobsson and Mesdaq discloses:
The computing platform of claim 1, wherein executing the isolation method to provide limited access to the first uniform resource locator associated with the first email message comprises providing data associated with the first potentially-malicious site to a phishing analysis service that is configured to return an indication of whether the first potentially-malicious site is a phishing site (Quinlan: [0016] The email server 200 executes suspicious message designation process logic 400 to evaluate email messages with uniform resource identifiers (URIs) associated with content (e.g., content hosted by on one of the websites 130(1)-130(N)) to designate any incoming messages as being suspicious, that is, possibly being associated with a phishing scam or other malicious type of attack).
Regarding claim 10, the combination of Quinlan, Jakobsson and Mesdaq discloses:
The computing platform of claim 1, wherein executing the isolation method to provide limited access to the first uniform resource locator associated with the first email message comprises providing a user-selectable option to break out of isolation after data associated with the first potentially-malicious site is analyzed (Jakobsson: See FIG. 9; Step 912; [0150] If at 910 it is determined that the second risk analysis results in a determination that the message meets the second criteria, at 912, content of the message that was previously prevented from being accessed by the specified recipient is provided to the specified recipient of the message).
Regarding claim 11, the combination of Quinlan, Jakobsson and Mesdaq discloses:
The computing platform of claim 1, wherein executing the isolation method to provide limited access to the first uniform resource locator associated with the first email message comprises controlling input to the first potentially-malicious site (Quinlan: [0035] Turning to FIG. 6, a block diagram is shown that depicts the operations of the proxy server 300 when delivering protected or safe content associated with a URL to a user terminal, e.g., user terminal 120(a). In FIG. 6, when a user located at user terminal 120(a) clicks on a link of a suspicious URL, the user is directed to proxy server 300 instead of the original destination of the suspicious URL since the URL has been rewritten to point to the proxy server 300. If the content associated with the original destination of the suspicious URL, shown at reference numeral 610, is not malicious (i.e. if the suspicious URL is not a malicious URL), then content 610 is displayed to the user in a protected or safe version through proxy server 300 (as shown in 620) with one or more warnings as described above).
Regarding claim 12, the combination of Quinlan, Jakobsson and Mesdaq discloses:
The computing platform of claim 1, wherein the memory stores additional computer-readable instructions that, when executed by the at least one processor, cause the computing platform to:
receive, via the communication interface, from a second user computing device (i.e., User Terminal 120(b)/(c); See FIG. 1), a second request for a second uniform resource locator associated with a second email message (Quinlan: [0026] After a user clicks on the link of the URL, the processor 220 then may redirect the user to the proxy server 300 instead of the web server that may be hosting the content associated with the URL);
identify (i.e., redirection of the user by the proxy server to the proxy server instead of web server is interpreted as identifying the URL as malicious) that the second uniform resource locator associated with the second email message corresponds to a second potentially-malicious site (Quinlan: [0026] Redirecting the user to the proxy server 300 instead of the web server allows for controlled and safe navigation to content associated with the URL. The proxy server 300 performs additional checks for malware, phishing and other content on the destination URL to provide a level of protection to the user);
in response to identifying (i.e. identified as potentially risky by the system) that the second uniform resource locator associated with the second email message corresponds to the second potentially-malicious site (Jakobsson: [0040] In some embodiments, a risk score associated with a message is a heuristically computed score … whether the message contents match a high-risk pattern (e.g., contains a URL associated with a site that is not trusted; [0048] For example, consider a potentially risky email message that contains a text component, a URL and an attachment, and which has an associated sender profile. Assume that this message is identified as potentially risky by the system. The system then replaces the URL with a proxy URL, changes the extension of the attachment to make it not possible to execute), 
determine a risk profile (i.e., risk profile of the user of the first user computing device [intended recipient of the message]; See [0055]) associated with the second request received from the second user computing device (Jakobsson: [0055] In some embodiments, the modification of the message is based on a risk profile associated with the intended recipient of the message … Consider three users belonging to the same organization. The first user is exposed to a large amount of dangerous email due to having a public profile within the organization … The second user is not exposed to a lot of attacks, but reacts to emails very quickly by clicking on URLs, opening attachments, and by responding to them regardless of whether the emails are identified as secure or not. A third person is not exposed to many attacks and is not reacting in a risky manner. It is identified that the three users are exposed to different types of risk); and
based on the risk profile (i.e., based on risk profile of the first user) associated with the second request received from the second user computing device, execute a second isolation method to provide limited access (i.e., modify/quarantine/block the message) to the second uniform resource locator associated with the second email message (Jakobsson: [0055] The first user, correspondingly, is protected by screening for traffic that is deceptive, e.g., that comes from untrusted entities that are named in a way that is similar to trusted entities; when emails arrive from such an entity, the emails are modified/quarantined (e.g., as previously described) or blocked; [0065] If at 220, it is determined that a security threat has been detected, at 224, a security action is performed … preventing access to content referenced by a URL included in the message).
Regarding claim 13, Quinlan discloses:
	A method, comprising:
at a computing platform comprising at least one processor, a communication interface, and memory:
receiving, via the communication interface, from a first user computing device (i.e., User Terminal 120(a); See FIG. 1), a first request (i.e. clicking by the user on the link of the URL is construed as ‘first request for first URL access’) for a first uniform resource locator associated with a first email message ([0026] The processor 220 may, for example, rewrite the URLs before a user receives the email message. After a user clicks on the link of the URL, the processor 220 then may redirect the user to the proxy server 300 instead of the web server that may be hosting the content associated with the URL);
identifying that the first uniform resource locator associated with the first email message corresponds to a first potentially-malicious site ([0033-0035] discloses in light of Figures 5 & 6 that the proxy server determines [identifies] if the URL presented in the electronic message is suspicious or not based on analysis performed in step 510).
Quinlan fails to disclose:
in response to identifying that the first uniform resource locator associated with the first email message corresponds to the first potentially-malicious site, determine a risk profile associated with the first request received from the first user computing device, wherein determining the risk profile associated with the first request received from the first user computing device includes identifying that a user of the first user computing device is included in a very attacked persons group associated with the enterprise organization and dynamically determined from an enterprise organization-specific index of users and wherein determining the risk profile associated with the first request received from the first user computing device further includes determining that the first uniform resource locator associated with the user request [first email message] is associated with a specific category by matching header content of a page corresponding to a site associated with the first URL with information defined in one or more category templates; and based on the risk profile associated with the first request received from the first user computing device, execute an isolation method to provide limited access to the first uniform resource locator associated with the first email message.
However, Jakobsson discloses:
	in response to identifying (i.e. message is identified as potentially risky by the system) that the first uniform resource locator associated with the first email message corresponds to the first potentially-malicious site ([0040] In some embodiments, a risk score associated with a message is a heuristically computed score … whether the message contents match a high-risk pattern (e.g., contains a URL associated with a site that is not trusted; [0048] For example, consider a potentially risky email message that contains a text component, a URL and an attachment, and which has an associated sender profile. Assume that this message is identified as potentially risky by the system. The system then replaces the URL with a proxy URL, changes the extension of the attachment to make it not possible to execute), 
determine a risk profile (i.e., risk profile of the user of the first user computing device [intended recipient of the message]; See [0055]) associated with the first request received from the first user computing device ([0055] In some embodiments, the modification of the message is based on a risk profile associated with the intended recipient of the message … Consider three users belonging to the same organization. The first user is exposed to a large amount of dangerous email due to having a public profile within the organization … The second user is not exposed to a lot of attacks, but reacts to emails very quickly by clicking on URLs, opening attachments, and by responding to them regardless of whether the emails are identified as secure or not. A third person is not exposed to many attacks and is not reacting in a risky manner. It is identified that the three users are exposed to different types of risk); 
wherein determining the risk profile associated with the first request received from the first user computing device includes identifying that a user of the first user computing device is included in a very attacked persons group associated with the enterprise organization (i.e., the user receives a large amount of emails due to having a public profile in the organization and is therefore considered to be part of ‘a very attacked persons group’) and dynamically determined from an enterprise organization-specific index of users (i.e., the first user, the second user and the third user) and wherein determining the risk profile associated with the first request received from the first user computing device ([0055] discloses determining the category of a user based on his ranking/profile in an organization, i.e., when such user receives a large amount of emails due to having a public profile in the organization and is therefore considered to be part of ‘a very attacked persons group’); and
based on the risk profile (i.e., based on risk profile of the first user) associated with the first request received from the first user computing device, execute an isolation method to provide limited access (i.e., modify/quarantine/block the message) to the first uniform resource locator associated with the first email message ([0055] The first user, correspondingly, is protected by screening for traffic that is deceptive, e.g., that comes from untrusted entities that are named in a way that is similar to trusted entities; when emails arrive from such an entity, the emails are modified/quarantined (e.g., as previously described) or blocked; [0065] If at 220, it is determined that a security threat has been detected, at 224, a security action is performed … preventing access to content referenced by a URL included in the message).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the Quinlan reference and include a message analysis system which is able to evaluate a risk of a message before it is delivered to an intended recipient, as disclosed by Jakobsson.
The motivation to detect risk of the message before it is delivered to the intended recipient is to protect the intended recipient from potential malicious content.
The combination of Quinlan and Jakobsson fails to disclose:
	determining that the first uniform resource locator associated with the user request [first email message] is associated with a specific category by matching header content of a page corresponding to a site associated with the first URL with information defined in one or more category templates.
However, Mesdaq discloses:
	determining that the first uniform resource locator associated with the user request [first email message] is associated with a specific category by matching header content of a page corresponding to a site associated with the first URL with information defined in one or more category templates (Abstract; Col. 7, Line # 16-33 discloses that ‘static analysis logic 120’ analyzes the URL in the email which includes fetching the web page content (e.g., HTML source code and associated metadata) and analyzing the header and body contents of the web page; also see FIG. 7; Col. 12, Line # 27-59 discloses in steps 703-704 analyzing by the web page analysis logic correlating the attributes extracted from the headers of the fetched web page with the attributes extracted from the email to determine the consistency between the sources).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the Quinlan and Jakobsson references and include a system and method for analyzing a web page directed to by a URL in an email, as disclosed by Mesdaq.
	The motivation to include such a method and system is to protect the user accessing the URL from exposure to potentially malicious URLs.
Regarding claim 14, the combination of Quinlan, Jakobsson and Mesdaq discloses:
The method of claim 13,
wherein the first uniform resource locator associated with the first email message is an embedded link in the first email message that was rewritten by an email filtering engine (See FIG. 2; i.e. designation process logic 400) hosted on the computing platform (Quinlan: [0019] Generally, the suspicious message designation process logic 400 is configured to determine whether email messages received at email server 200 contain one of a plurality of attacks such as advance fee fraud scams (commonly known as "419 scams"), malware or suspicious URLs and to designate any suspicious URLs to be rewritten to point to the proxy server 300; [0024] If an email message is determined to contain a URL, processor 220 determines whether the email message contains at least one suspicious URL at 430, and if the email message is determined to contain at least one suspicious URL, processor 220 designates, at 440, that the suspicious URL is to be rewritten to point to proxy server 300), and
wherein identifying that the first uniform resource locator associated with the first email message corresponds to the first potentially-malicious site comprises identifying that the first uniform resource locator associated with the first email message corresponds to the first potentially-malicious site using a URL defense (UD) tool (See FIG. 3; i.e., proxy processing logic 500) hosted on the computing platform (Quinlan: [0005] FIG. 2 is a block diagram of an example of an email server device configured to perform a suspicious message designation process to identify emails that are suspicious and warrant further protections by the proxy server; [0024] Turning to FIG. 4, an example of a flow chart for the suspicious message designation process logic 400 is now described. At 410, email server 200 receives an email message that is intended to be delivered to one or more users at user terminals 120(a)-120(c). At 420, processor 220 scans the email message to determine whether the email message contains at least one URL. If an email message is determined to contain a URL, processor 220 determines whether the email message contains at least one suspicious URL at 430).
Regarding claim 15, the combination of Quinlan, Jakobsson and Mesdaq discloses:
The method of claim 13, wherein determining the risk profile associated with the first request received from the first user computing device comprises determining that the first uniform resource locator associated with the first email message is associated with a first web category (i.e., URL related to reputable bank) (Quinlan: [0023] The website that the phishing URL links to may appear to the user as a reputable business or organization website. For example, a user may click on the phishing URL link and may then be directed to a website that appears as one for a reputable bank).
Regarding claim 16, the combination of Quinlan, Jakobsson and Mesdaq discloses:
The computing platform of claim 1, wherein determining the risk profile associated with the first request received from the first user computing device comprises determining one or more user-specific risk factors associated with a user of the first user computing device (Jakobsson: [0055] In some embodiments, the modification of the message is based on a risk profile associated with the intended recipient of the message … Consider three users belonging to the same organization. The first user is exposed to a large amount of dangerous email due to having a public profile within the organization … The second user is not exposed to a lot of attacks, but reacts to emails very quickly by clicking on URLs, opening attachments, and by responding to them regardless of whether the emails are identified as secure or not. A third person is not exposed to many attacks and is not reacting in a risky manner. It is identified that the three users are exposed to different types of risk).
Regarding claim 20, Quinlan discloses:
One or more non-transitory computer-readable media storing instructions that, when executed by a computing platform comprising at least one processor, a communication interface, and memory, cause the computing platform to:
receive, via the communication interface, from a first user computing device (i.e., User Terminal 120(a); See FIG. 1), a first request (i.e. clicking by the user on the link of the URL is construed as ‘first request for first URL access’) for a first uniform resource locator associated with a first email message ([0026] The processor 220 may, for example, rewrite the URLs before a user receives the email message. After a user clicks on the link of the URL, the processor 220 then may redirect the user to the proxy server 300 instead of the web server that may be hosting the content associated with the URL);
identify that the first uniform resource locator associated with the first email message corresponds to a first potentially-malicious site ([0033-0035] disclose, in light of Figures 5 & 6, that the proxy server determines [identifies] whether the URL presented in the electronic message is suspicious or not based on the analysis performed in step 510).
Quinlan fails to disclose:
in response to identifying that the first uniform resource locator associated with the first email message corresponds to the first potentially-malicious site, determine a risk profile associated with the first request received from the first user computing device, wherein determining the risk profile associated with the first request received from the first user computing device includes identifying that a user of the first user computing device is included in a very attacked persons group associated with the enterprise organization and dynamically determined from an enterprise organization-specific index of users and wherein determining the risk profile associated with the first request received from the first user computing device further includes determining that the first uniform resource locator associated with the user request [first email message] is associated with a specific category by matching header content of a page corresponding to a site associated with the first URL with information defined in one or more category templates; and based on the risk profile associated with the first request received from the first user computing device, execute an isolation method to provide limited access to the first uniform resource locator associated with the first email message.
However, Jakobsson discloses:
	in response to identifying (i.e. message is identified as potentially risky by the system) that the first uniform resource locator associated with the first email message corresponds to the first potentially-malicious site ([0040] In some embodiments, a risk score associated with a message is a heuristically computed score … whether the message contents match a high-risk pattern (e.g., contains a URL associated with a site that is not trusted; [0048] For example, consider a potentially risky email message that contains a text component, a URL and an attachment, and which has an associated sender profile. Assume that this message is identified as potentially risky by the system. The system then replaces the URL with a proxy URL, changes the extension of the attachment to make it not possible to execute), 
determine a risk profile (i.e., risk profile of the user of the first user computing device [intended recipient of the message]; See [0055]) associated with the first request received from the first user computing device ([0055] In some embodiments, the modification of the message is based on a risk profile associated with the intended recipient of the message … Consider three users belonging to the same organization. The first user is exposed to a large amount of dangerous email due to having a public profile within the organization … The second user is not exposed to a lot of attacks, but reacts to emails very quickly by clicking on URLs, opening attachments, and by responding to them regardless of whether the emails are identified as secure or not. A third person is not exposed to many attacks and is not reacting in a risky manner. It is identified that the three users are exposed to different types of risk); 
wherein determining the risk profile associated with the first request received from the first user computing device includes identifying that a user of the first user computing device is included in a very attacked persons group associated with the enterprise organization (i.e., the user receives a large amount of emails due to having a public profile in the organization and is therefore considered to be part of ‘a very attacked persons group’) and dynamically determined from an enterprise organization-specific index of users (i.e., the first user, the second user and the third user) and wherein determining the risk profile associated with the first request received from the first user computing device ([0055] discloses determining the category of a user based on his ranking/profile in an organization, i.e., when such a user receives a large amount of emails due to having a public profile in the organization and is therefore considered to be part of ‘a very attacked persons group’); and 
based on the risk profile (i.e., based on risk profile of the first user) associated with the first request received from the first user computing device, execute an isolation method to provide limited access (i.e., modify/quarantine/block the message) to the first uniform resource locator associated with the first email message ([0055] The first user, correspondingly, is protected by screening for traffic that is deceptive, e.g., that comes from untrusted entities that are named in a way that is similar to trusted entities; when emails arrive from such an entity, the emails are modified/quarantined (e.g., as previously described) or blocked; [0065] If at 220, it is determined that a security threat has been detected, at 224, a security action is performed … preventing access to content referenced by a URL included in the message).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the Quinlan reference and include a message analysis system which is able to evaluate a risk of a message before it is delivered to an intended recipient, as disclosed by Jakobsson.
The motivation to detect risk of the message before it is delivered to the intended recipient is to protect the intended recipient from potential malicious content.
The combination of Quinlan and Jakobsson fails to disclose:
	determining that the first uniform resource locator associated with the user request [first email message] is associated with a specific category by matching header content of a page corresponding to a site associated with the first URL with information defined in one or more category templates.
However, Mesdaq discloses:
determining that the first uniform resource locator associated with the user request [first email message] is associated with a specific category by matching header content of a page corresponding to a site associated with the first URL with information defined in one or more category templates (Abstract; Col. 7, Line # 16-33 discloses that ‘static analysis logic 120’ analyzes the URL in the email, which includes fetching the web page content (e.g., HTML source code and associated metadata) and analyzing the header and body contents of the web page; also see FIG. 7; Col. 12, Line # 27-59 discloses, in steps 703-704, the web page analysis logic correlating the attributes extracted from the headers of the fetched web page with the attributes extracted from the email to determine the consistency between the sources).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the Quinlan and Jakobsson references and include a system and method for analyzing a web page directed to by a URL in an email, as disclosed by Mesdaq.
	The motivation to include such a method and system is to protect the user accessing the URL from exposure to potentially malicious URLs.

Claims 6 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Quinlan (WO2012094040A1) in view of Jakobsson (US20180091453A1) in view of Mesdaq et al. (US10601865B1) and further in view of Petry et al. (US20170180413A1).
Regarding claim 6, the combination of Quinlan, Jakobsson and Mesdaq fails to disclose:
The computing platform of claim 1, wherein executing the isolation method to provide limited access to the first uniform resource locator associated with the first email message comprises initiating a browser mirroring session with the first user computing device to provide the first user computing device with limited access to the first potentially-malicious site corresponding to the first uniform resource locator associated with the first email message.
However, Petry discloses:
wherein executing the isolation method to provide limited access to the first uniform resource locator associated with the first email message comprises initiating a browser mirroring session (See [0055] & [0065] i.e., providing a highly isolated and insulated environment which constitutes a browser mirroring session) with the first user computing device to provide the first user computing device with limited access to the first potentially-malicious site corresponding to the first uniform resource locator associated with the first email message (See FIG. 4: Step 420, Para [0110] / [0109] / [0111], [0124], [0114], [0055], [0065] and [0096]: upon determining that access to the URL content as requested is potentially harmful and meets the isolation condition, initializing a secure (insulated) web container to access the URL content from the web server that serves as a separate and secure proxy web browsing session, which constitutes a browser mirroring session (Para [0124] & [0055] / [0065]) – this is consistent with the disclosure of the instant specification (SPEC-PG.PUB: Para [0039]: using an isolation server during a browser mirroring session), and providing limited access to the user device such as restricting downloading shared file(s), specifying a time period for which the data may be shared with another user while only allowing the user to view the content from the web server (Para [0065] & Para [0096])).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the Quinlan, Jakobsson and Mesdaq references and include a system for providing a user with a secure and anonymous web browsing experience, as disclosed by Petry.
The motivation to include a system for providing a user with a secure and anonymous web browsing experience is to protect the user device and minimize the risks associated with accessing potentially dangerous web content.
Regarding claim 18, the combination of Quinlan, Jakobsson and Mesdaq fails to disclose:
The method of claim 13, wherein executing the isolation method to provide limited access to the first uniform resource locator associated with the first email message comprises initiating a browser mirroring session with the first user computing device to provide the first user computing device with limited access to the first potentially-malicious site corresponding to the first uniform resource locator associated with the first email message.
However, Petry discloses:
wherein executing the isolation method to provide limited access to the first uniform resource locator associated with the first email message comprises initiating a browser mirroring session (See [0055] & [0065] i.e., providing a highly isolated and insulated environment which constitutes a browser mirroring session) with the first user computing device to provide the first user computing device with limited access to the first potentially-malicious site corresponding to the first uniform resource locator associated with the first email message (See FIG. 4: Step 420, Para [0110] / [0109] / [0111], [0124], [0114], [0055] and [0065] / [0096]: upon determining that access to the URL content as requested is potentially harmful and meets the isolation condition, initializing a secure (insulated) web container to access the URL content from the web server that serves as a separate and secure proxy web browsing session, which constitutes a browser mirroring session (Para [0124] & [0055] / [0065]) – this is consistent with the disclosure of the instant specification (SPEC-PG.PUB: Para [0039]: using an isolation server during a browser mirroring session), and providing limited access to the user device such as restricting downloading shared file(s), specifying a time period for which the data may be shared with another user while only allowing the user to view the content from the web server (Para [0065] & Para [0096])).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the Quinlan, Jakobsson and Mesdaq references and include a system for providing a user with a secure and anonymous web browsing experience, as disclosed by Petry.
The motivation to include a system for providing a user with a secure and anonymous web browsing experience is to protect the user device and minimize the risks associated with accessing potentially dangerous web content.

Claims 7-8 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Quinlan (WO2012094040A1) in view of Jakobsson (US20180091453A1) in view of Mesdaq et al. (US10601865B1) and further in view of Ghosh et al. (US20110167492A1).
Regarding claim 7, the combination of Quinlan, Jakobsson and Mesdaq fails to disclose:
The computing platform of claim 1, wherein executing the isolation method to provide limited access to the first uniform resource locator associated with the first email message comprises preventing the first user computing device from downloading one or more binary objects.
However, Ghosh discloses:
	wherein executing the isolation method to provide limited access to the first uniform resource locator associated with the first email message comprises preventing the first user computing device from downloading one or more binary objects ([0045] The browser application's download and upload functionality may also be limited to provide enhanced computer security in one or all of the browsing modes described above. For example, in a “private” mode, the browser application 304 may prohibit all file uploads or downloads. Similarly, in a “master” or “secure-bookmark” mode, the browser application 304 may allow downloads and/or uploads but may restrict the type or storage location of files uploaded and/or downloaded. For example, in a “master” mode or “secure-bookmark” mode, the browser application 304 may prevent any executable files from being uploaded or downloaded and may limit file downloads or uploads to non-system file folders or location, non-program file folders or location, and/or the “desktop” file folder).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the Quinlan, Jakobsson and Mesdaq references and include a system which is able to restrict data download and upload activity when a user computer is accessing a potentially malicious resource, as disclosed by Ghosh.
The motivation to restrict data download and upload activity when a user is accessing a potentially malicious resource is to provide enhanced computer security and isolate the user computer from the malicious resource.
Regarding claim 8, the combination of Quinlan, Jakobsson and Mesdaq fails to disclose:
The computing platform of claim 1, wherein executing the isolation method to provide limited access to the first uniform resource locator associated with the first email message comprises preventing the first user computing device from uploading one or more binary objects.
However, Ghosh discloses:
	wherein executing the isolation method to provide limited access to the first uniform resource locator associated with the first email message comprises preventing the first user computing device from uploading one or more binary objects ([0045] The browser application's download and upload functionality may also be limited to provide enhanced computer security in one or all of the browsing modes described above. For example, in a “private” mode, the browser application 304 may prohibit all file uploads or downloads. Similarly, in a “master” or “secure-bookmark” mode, the browser application 304 may allow downloads and/or uploads but may restrict the type or storage location of files uploaded and/or downloaded. For example, in a “master” mode or “secure-bookmark” mode, the browser application 304 may prevent any executable files from being uploaded or downloaded and may limit file downloads or uploads to non-system file folders or location, non-program file folders or location, and/or the “desktop” file folder).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the Quinlan, Jakobsson and Mesdaq references and include a system which is able to restrict data download and upload activity when a user computer is accessing a potentially malicious resource, as disclosed by Ghosh.
The motivation to restrict data download and upload activity when a user is accessing a potentially malicious resource is to provide enhanced computer security and isolate the user computer from the malicious resource.
Regarding claim 19, the combination of Quinlan, Jakobsson and Mesdaq fails to disclose:
The method of claim 13, wherein executing the isolation method to provide limited access to the first uniform resource locator associated with the first email message comprises preventing the first user computing device from downloading one or more binary objects.
However, Ghosh discloses:
	wherein executing the isolation method to provide limited access to the first uniform resource locator associated with the first email message comprises preventing the first user computing device from downloading one or more binary objects ([0045] The browser application's download and upload functionality may also be limited to provide enhanced computer security in one or all of the browsing modes described above. For example, in a “private” mode, the browser application 304 may prohibit all file uploads or downloads. Similarly, in a “master” or “secure-bookmark” mode, the browser application 304 may allow downloads and/or uploads but may restrict the type or storage location of files uploaded and/or downloaded. For example, in a “master” mode or “secure-bookmark” mode, the browser application 304 may prevent any executable files from being uploaded or downloaded and may limit file downloads or uploads to non-system file folders or location, non-program file folders or location, and/or the “desktop” file folder).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the Quinlan, Jakobsson and Mesdaq references and include a system which is able to restrict data download and upload activity when a user computer is accessing a potentially malicious resource, as disclosed by Ghosh.
The motivation to restrict data download and upload activity when a user is accessing a potentially malicious resource is to provide enhanced computer security and isolate the user computer from the malicious resource.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SYED M AHSAN whose telephone number is (571)272-5018. The examiner can normally be reached 8:30 AM - 6:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffery L. Nickerson can be reached on 469-295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/S.M.A./Patent Examiner, Art Unit 2432
/SYED A ZAIDI/Primary Examiner, Art Unit 2432