SYSTEMS AND METHODS FOR SYSTEMATIZING LINKS INCLUDED IN EMAIL MESSAGES

zhuDETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . This action is responsive to communication received on 11/12/2025. Claims 1-20 are pending and stand as originally presented. The Examiner recommends filing a written authorization for Internet communication in response to the present action. Doing so permits the USPTO to communicate with Applicant using Internet email to schedule interviews or discuss other aspects of the application. Without a written authorization in place, the USPTO cannot respond to Internet correspondence received from Applicant. The preferred method of providing authorization is by filing form PTO/SB/439, available at: https://www.uspto.gov/patent/forms/forms. See MPEP § 502.03 for other methods of providing written authorization. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 1-3, 5, 10-13, 15 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Lesperance US 11,677,783 and further in view of Daniell US 2004/0068545. Regarding claims 1, 11 and 19, Lesperance teaches method, computer program product and an Information Handling System (IHS) comprising: a processor; and a memory coupled to the processor, the memory having program instructions stored thereon that, upon execution, cause the Information Handling System (IHS) to: receive a request to identify one or more links in an email message(user input indicating potential spam/malicious email received, Col 2 Lines 22-54 the system analyzed content of the email for attached files, hyperlinks, and assessed for potential maliciousness. ¶Col15, 35-40 ) [ The method may further include receiving a user input indicative of the email being potentially malicious, storing the email in a predetermined database, and scanning the predetermined database to obtain the email. Receiving a user input may include generating a user interface selectable by a user to indicate that the email is potentially malicious. The scannable objects may include text objects and binary objects. The method may further include generating a report in a form of email, and transmitting the report to a security analyst computing device. The report may include an email subject, a list of attachments, the findings, the item scores, and the score. Col 2 Lines 22-54] [(69) Regarding the email body 522, a score can depend on whether the email includes a link to a file with a suspicious extension (523), whether the email includes a misleading hyperlink (525), whether the email contains a suspicious character type (526), and whether the email contains a short text body with attachment (527). Col 15, 35-40] identify one or more links in the email message(scan elements in email and extract links, link include attached files of various types, executable files, hyperlinks Col 12 Line 42 - Col 13 Line 42) [(49) Regarding an HTML email, the system can scan for all elements and pull out the href attributes and extract valid links. In addition, the system can check to see if the display text of an element is a link. If it is, the system can verify that the domain of the display text is the same as the actual link. If they're different, the system can flag it as malicious. Then, the system can scan the raw html as the text scanning described above. Next the system can parse all of the inline css and try to parse all of the selector texts as domains. This can help exclude what look like domains to the URL extraction regex, from the results and leave full links only. The system can scan all of the headers as the header scanning described above. The system can look for odd characteristics in the subject. (50) Regarding text objects, the system can scan such text objects as the text scanning described above, scan all of the headers (if any) as the header scanning described above, and look for odd characteristics of the subject. Regarding binary objects, the system can scan such binary objects as the binary scanning described above. (51) Regarding Office docs, the system can perform the same steps for Word, Excel, and Powerpoint. Binary Office docs (e.g., .doc vs .docx) may not be parsed as well due to library limitations. The system can pull out all valid hyperlink objects. The system can scan the text contents as the text scanning above and include it as an interesting string. The system can find any images and/or objects and include them as binaries. The system can extract all macros and include them as interesting strings. In some implementations, the system can mark the email as malicious. (52) Regarding PDFs, if the system attempts to parse a PDF doc but can't (e.g., due to the doc is encrypted or some permissions are blocking it), the system can flag the doc as malicious. Although there is a chance that such flagging is a false positive, a security analyst can further investigate to finalize the categorization. (53) The system can extract the text out of a PDF doc. In some implementations, the library can be used to make sure that if the pdf text is created by overlaying text boxes on top of each other then it shows the final output and not just the embedded strings in the pdf. The system can scan a PDF doc as the text scanning. The PDF doc can be scanned to identify an interesting string contained therein. If there is no or very little text, then the system can flag that since it probably indicates it's just a picture which is common in phishing so it's hard to scan. If the PDF contains a link, that's called out as an additional finding. If the PDF is mostly link, that also increases the score. If the length of the text is way less than the total size, then that might be an indicator that there's a bunch of binary streams in there so the system can flag that as well. (54) The system can collect scripts (e.g., Javascripts) from a PDF doc, and mark them as malicious and/or include them as interesting strings. Optionally, a security analyst can review a PDF doc and identify places of scripts that are missing. The system can scan a PDF doc as text scanning described above so that any domains, links, IPS, etc. in scripts can be pulled out. (55) The system can render each page of a PDF doc as an image and include in the binaries, thereby permitting a security analyst to review the PDF doc without actually opening it. In addition or alternatively, the system can extract all hyperlinks out of a PDF doc, similarly to the process of extracting scripts. In addition or alternatively, the system can extract file streams out of a PDF doc, and parse them as binary objects described above. In addition or alternatively, the system can extract embedded pictures in a PDF doc., Col 12 Line 42 - Col 13 Line 42] Lesperance teaches identifying links and determining the type of links(i.e. categorizing ) and generating and displaying a listing of links and other elements found in an email(see fig 6A, Col 14 Line 60 -Col 13 Line 11). [(63) Regarding the attachment 510, an email can be assigned a predetermined score depending on whether the attachment contains an image (530, 540), an embedded resource (532), a link (534, 538), a macro (535), a script (536), no text (544), little text (546), a text with a link (548), a text length less than a binary length (550), and mostly links (552). In addition, a score is assigned based on whether the attachment is encrypted (542) or an encrypted compressed file (558). Further, a score is assigned depending on whether the attachment has a suspicious file extension (554) (e.g., an extension not included in a predefined extensions list which may include, for example, dll, doc, docb, docm, docx, dot, dotm, dotx, exe, hta, jar, msi, pdf, pot, potm, potx, ppam, pps, ppsm, ppsx, ppt, pptm, pptx, rar, sldm, sldx, wbk, xla, xlam, xll, xlm, xls, xlsb, xlsm, xlsx, xlt, xltm, xltx, and xlw) or an executable (556) (e.g., “.exe”). Scores can be different based on a type of the attachment, such as editable docs (e.g., Microsoft Word, Excel, and PowerPoint), PDFs, compressed files (e.g., Zip), etc. Col 14 Line 60- Col 15 Line 11]. Lesperance does not teach a specific display of such a summary include arrange each of the one or more links in one of a plurality of categories; and display the arranged links for view by a user. Daniell in the same field of endeavor teaches a similar system for handling attached content in emails. Daniell teaches arrange each of the one or more links in one of a plurality of categories and display the arranged links for view by a user(attachment name and type of attachment according. Are arranged in tabular format organized by type, ¶ 7, Fig 17) [0007] After an electronic mail with an attachment is received by an electronic messaging client, the electronic messaging recognizes the type of attachment encoding and converts the attached file back to its binary form. To access this binary file, the recipient needs an application installed on the recipient's computer that can execute or access that particular type of file. Often, in a Windows environment, the application that is needed to execute the binary file is already associated with the filename extension of the binary file, so that a user's command to open the binary file will cause the application to access the binary file. It would have been obvious to a person of ordinary skill in the art at the time of the effective filing of the instant application to modify Lesperance with displaying identified links arranges into categories/types as taught by Daniell. The reason for this modification would be to provide a visual more concise visual summary/report of link present in an email. Regarding claims 2 and 12, Lesperance teaches wherein the program instructions, upon execution, further cause the IHS to receive the request according to user input(user input indicating potential spam/malicious email received, Col 2 Lines 22-54) [ The method may further include receiving a user input indicative of the email being potentially malicious, storing the email in a predetermined database, and scanning the predetermined database to obtain the email. Receiving a user input may include generating a user interface selectable by a user to indicate that the email is potentially malicious. The scannable objects may include text objects and binary objects. The method may further include generating a report in a form of email, and transmitting the report to a security analyst computing device. The report may include an email subject, a list of attachments, the findings, the item scores, and the score. Col 2 Lines 22-54] Regarding claim 10, Lesperance teaches wherein the one or more links comprise at least one of an alpha-numerical text string, an icon, or an image(Col 12 Line 42 - Col 13 Line 42) [(49) Regarding an HTML email, the system can scan for all elements and pull out the href attributes and extract valid links. In addition, the system can check to see if the display text of an element is a link. If it is, the system can verify that the domain of the display text is the same as the actual link. If they're different, the system can flag it as malicious. Then, the system can scan the raw html as the text scanning described above. Next the system can parse all of the inline css and try to parse all of the selector texts as domains. This can help exclude what look like domains to the URL extraction regex, from the results and leave full links only. The system can scan all of the headers as the header scanning described above. The system can look for odd characteristics in the subject. (50) Regarding text objects, the system can scan such text objects as the text scanning described above, scan all of the headers (if any) as the header scanning described above, and look for odd characteristics of the subject. Regarding binary objects, the system can scan such binary objects as the binary scanning described above. (51) Regarding Office docs, the system can perform the same steps for Word, Excel, and Powerpoint. Binary Office docs (e.g., .doc vs .docx) may not be parsed as well due to library limitations. The system can pull out all valid hyperlink objects. The system can scan the text contents as the text scanning above and include it as an interesting string. The system can find any images and/or objects and include them as binaries. The system can extract all macros and include them as interesting strings. In some implementations, the system can mark the email as malicious. Claims 3, 5, 13 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Lesperance/Daniell as applied to claims 1 and 11 above, and further in view of Zhu US 2012/0158626 Regarding claims 3 and 13, Lesperance/Daniell do not teach wherein the program instructions, upon execution, further cause the IHS to display a plurality of Uniform Resource Locators (URLs) associated with the links. Zhu in the same field of endeavor as the invention teaches a system for categorization of URLs. Zhu teaches wherein the program instructions, upon execution, further cause the IHS to display a plurality of Uniform Resource Locators (URLs) associated with the links(classify URL and indicate in a web browser URl is malicious or not) . [0016] Classification models are employed to detect malicious URLs and categorize the malicious URLs as a phishing URL, a spamming URL, a malware URL, or a multiple-type attack URL which attempts to launch multiple different types of attacks (e.g., any combination of phishing, spamming, and malware attacks). Although this document describes classification models, a single classification model may be implemented to perform functions described herein. In various embodiments, if a malicious URL is detected, then the system will indicate that the URL is a malicious URL to a web user or web browser executing on a computing system. It would have been obvious to a person of ordinary skill in the art at the time of the effective filing of the instant application to modify Lesperance/Daniell with displaying an indication that an URL is malicious as taught by Zhu. The reason for this modification would be to provide address information on a hyperlink that is deemed malicious. Regarding claims 5 and 15, Lesperance/Daniell do not teach wherein the program instructions, upon execution, further cause the IHS to identify the one or more links using a Machine Learning (ML) process. Zhu in the same field of endeavor as the invention teaches a system for categorization of URLs. Zhu teaches wherein the program instructions, upon execution, further cause the IHS to identify the one or more links using a Machine Learning (ML) process. [0024] In various embodiments, the known set of malicious URLs collected for the training data are already labeled as phishing URLs, spamming URLs, malware URLs, or multi-type attack URLs. For example, when selecting known malicious URLs to train the classification models, the system may select a set of known phishing URLs. Therefore, when the system employs the machine learning algorithms to develop decision criteria for the classification models, the decision criteria that decide whether a malicious URL is a phishing URL may be developed based on URL features common to phishing URLs. Similarly, the system may select a set of known spamming URLs, a set of known malware URLs, and a set of known multi-type URLs to train the classification models to label a malicious URL according to the different types of attacks. Thus, the system may split the known set of malicious URLs into separate lists including known phishing URLs, known spamming URLs, and known malware URLs. By definition, multi-type attack URLs may appear on two or more of the separate lists. It would have been obvious to a person of ordinary skill in the art at the time of the effective filing of the instant application to modify Lesperance/Daniell with machine learning based URL classification as taught by Zhu. The reason for this implement machine learning based URl classification that can be continually trained and updated to better classify URLs(see Zhu ¶29). Claims 4 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Lesperance/Daniell as applied to claim 1 above, and further in view of Eggleston US 2016/0063016. Regarding claims 4 and 14, the combination of Lesperance/Daniell teaches displaying links arranged in a table by category but does not teach wherein the program instructions, upon execution, further cause the IHS to display the links in a table with each column representing one of the plurality of categories. Eggleston in the same field of endeavor as the invention teaches system for organizing and displaying hyperlinks. Eggleston teaches displaying links arranged in a table by category but does not teach wherein the program instructions, upon execution, further cause the IHS to display the links in a table with each column representing one of the plurality of categories(organize sort links into type and display each type in a column. ¶s43,44, Fig. 7). [0043] Continuing at Step 325, the system is further configured to search the one or more selected sources for published content that is related to the received keyword. In particular embodiments, the system is further configured to search the multiple selected sources in Step 310 for the received keyword of Step 305 in multiple manners. In particular embodiments, the keyword search across a traditional search engine (i.e. Google®, Yahoo®, Bing®, etc.) may include results to a variety of media types (i.e. news articles, blogs, Vimeo videos, etc.). In various embodiments, these results may be parsed from the respective search engine results such that only certain types of media results will be searched. Further search limiting parameters may be implemented by the user (i.e. to limit search results to those within a set data range, to limit results to a specific source type (i.e. non-blog sources for news, etc.), to limit search results to those published within a set time from the current date and time, or to sort search results by any variety of factors (rating based on relevance, rating based on views, chronologically, etc.). [0044] Continuing at Step 330, the system is further configured to generate a listing of hyperlinks for the published content, which may be organized chronologically. In various embodiments, the system is configured to search across the selected sources in Step 325 for results relevant to the keyword selected by the user in Step 305. When the results of the search are returned, the system, in various embodiments, may be configured to generate a list of hyperlinks that is sorted first by relevance. In some embodiments, once the system determines particular results that meet a threshold relevancy, or meet another pre-determined characteristic (e.g. views, pages linking to, utilizing a proprietary ranking system, etc.), the results selected from the returned results are ordered chronologically. It would have been obvious to a person of ordinary skill in the art at the time of the effective filing of the instant application to modify Lesperance/Daniell with displaying categories of link sorted into columns as taught by Eggleston. The reason for this modification would be to provide a alternate arrangement to display categorized links that is a simple substitution of a category by row method of display as taught by Daniell to a category by column as taught by Eggleston. Claims 6, 16 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Lesperance/Daniel/Zhu as applied to claims 5 and 19 above, and further in view of Aliyev US 2021/0021639. Regarding claims 6, 16 and 20, the combination of Lesperance/Daniell/Zhu teaches upon execution, further cause the IHS to, using the ML process, identify one or more malicious links. Lesperance/Daniell/Zhu do not teach highlight the identified malicious links displayed for the user. Aliyev in the same field of endeavor as the invention teaches a system for detecting harmful links. Aliyev teaches wherein the program instructions highlight the identified malicious links displayed for the user(highlight or displaying a particular color a malicious link). [0192] In various embodiments, the electronic device 301 may display the attribute (e.g., the color, size, underline, or highlight) of an object (e.g., a part of text) connected to a harmful link differently from those of other objects. For example, the indicators 1120 and 1140 may be data resulting from changing the color of some of the characters constituting the text shown in the web page 1101 from a default color (e.g., black) to another color (e.g., red). For example, some of the characters the color of which is changed may be characters deviating from a designated ASCII code range. [0209] In various embodiments, the second indicator 1420 may be data resulting from changing the attribute (e.g., a highlight attribute) or the state (e.g., active/inactive) of text (e.g., an email address) connected to one harmful link. For example, as the second indicator 1420 for the text is included in the web page 1401, the text may be highlighted and displayed, or a function (e.g., provision of an email-related action pop-up 1320) corresponding to the link connected to the text may be prevented from being executed. [0216] According to an embodiment, an indicator may include data resulting from changing the attribute (e.g., the color, size, underline, or highlight) of at least a part of an object connected to a harmful link. It would have been obvious to a person of ordinary skill in the art at the time of the effective filing of the instant application to modify Lesperance/Daniell/Zhu with highlight malicious links as taught by Aliyev. The reason for this modification would be to visually distinguish harmful links. Claims 7 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Lesperance/Daniell/Zhu as applied to claim 5 above, and further in view of Stewart US 2014/0324741. Regarding 7 and 17, Lesperance/Daniell/Zhu do not teach wherein the program instructions, upon execution, further cause the IHS to: receive user input for migrating at least one link from one category to another category; and use the migrated link to train the ML process. Stewart in the same field of endeavor teaches a system for classification of Spam URLs. Stewart teaches wherein the program instructions, upon execution, further cause the IHS to: receive user input for migrating at least one link from one category to another category; and use the migrated link to train the ML process(user may appeal link classification which changes classification and training of machine learning URL distingusher¶s58,76). [0058] Alternatively, the classifier configuration module 329 can automatically identify one or more non-content features that distinguish URL dissemination anomalies from the expected scenarios of information dissemination via machine learning. For example, the classifier configuration module 329 can take in all available non-content features and train against known spam URL chunks and/or known reliable URL chunks. For another example, the classifier configuration module 329 can train against known spammer accounts and known reliable sender accounts to determine which sender dimension best differentiate the two types of accounts. The non-content features that best distinguishes the spam URL chunks can be stored in the feature list store 328. [0076] Users may appeal a classification state of a URL chunk. For example, a URL chunk in one of the "bad" states, such as the bad state 410, the malware URL state 412, or the phishing URL state 414, may return the suspicious state 406 or the allowable state 408 based on a user appeal. Likewise, a URL chunk in the suspicious state 406 may change to the allowable state 408 based on a user appeal. The user appeal process may be automated, where certain number of appeals initializes a change of classification. The user appeals may be monitored by the URL classification module as well. It would have been obvious to a person of ordinary skill in the art at the time of the effective filing of the instant application to modify Lesperance/Daniell/Zhu with user feedback to change classification. The reason for this modification would be to improve machine learning classifier. Claims 8 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Lesperance/Daniell as applied to claim 1 above, and further in view of Mo 2018/0300759. Regarding claims 8 and 18 Lesperance/Daniell do no teach wherein the program instructions, upon execution, further cause the IHS to: receive user input for adding another category and one or more criteria to be associated with the additional category; and establish the additional category according to the user input. Mo in the same field of endeavor as the invention teaches a system for link category determination. Mo teaches wherein the program instructions, upon execution, further cause the IHS to: receive user input for adding another category and one or more criteria to be associated with the additional category; and establish the additional category according to the user input [0152] Furthermore, in the category configuration of the navigation, a category may be added by a user, an existing application being used may be added, invoked and used, or a service provided by the information search relay server 120 may be additionally requested and used. [0170] There is included an information verification step at which the information search relay server 120 verifies advertisement information, shopping information, or the like received from an advertiser. At the information verification step, whether display information input by an advertiser matches link information is determined. Furthermore, whether the link information includes malicious code is determined. It would have been obvious to a person of ordinary skill in the art at the time of the effective filing of the instant application to modify Lesperance/Daniell with the function of adding additional categories by a user. The reason for this modification would be to allow updates to machine learning based malicious/non-malicious link determination. Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Lesperance/Daniell as applied to claim 1 above and further in view of Agea US 2020/0162484. Regarding claim 9. Lesperance/Daniell do not teach wherein the acts of identifying the one or more links, arranging each of the links, and displaying the arranged links are performed by a plugin configured with an email client that stores the email message. Agea in the same field of endeavor as the invention teaches a system for determining malicious URLs. Agea teaches wherein the acts of identifying the one or more links, arranging each of the links, and displaying the arranged links are performed by a plugin configured with an email client that stores the email message(URL monitoring and detection using plugin, ¶s135,136). [0135] As part of the core system, a small module for validating results has been implemented. This service is basically aimed at monitoring all URLs entered into the task planner In order to control the results obtained by executing the plugins. These results will be stored on the Mass Storage system by means of another micro-service dedicated to normalising and uploading data, the Data Processor. [0136] This is primarily an engine for executing plugins and modules, with the following characteristics: [0137] Based on the kind of crimeserver, identifying the plugin or plugins to be executed, even being able to execute multiple modules for the same URL. [0138] The relation between URL and modules being executed is 1 to N, so that N modules can be concurrently executed on different machines. [0139] Through the sinkholing controller, manage the modification of the DNS pointer or IP traffic mirroring. [0140] Through the auto-provisioning layer, managing the creation of different droplets or virtual machines that would allow the plugins or modules to be executed. Requesting, when demanded, a free auto-provisioned machine that can be used to execute the plugin. [0141] Loading the plugin or module in the remote machine with the credentials provided by the auto-provisioning layer. [0142] Scheduled execution of modules. This enables all modules or plugins require regular execution to be monitored. [0143] It will include a pre-processing, a processing/execution of the plugin per se and a post-processing logic, in other words, the actions to be taken once the execution of the plugin has been completed. [0144] The results from the tasks launched by the Task Manager are stored in a relational database based on MySQL (or on other type of relational database), in this way all the results can be delivered to URL Controller. This database must include information about the plugins, with information about the plugin type, identifier, description and execution requirements for the plugin, etc. Information about the execution status of the virtual machines/droplets will also be stored, such as the status of the machine, errors, programs being executed, recent activity, workload, etc. It should be pointed out that this database is intermediary, which is a requirement for the temporary management of the task. It would have been obvious to a person of ordinary skill in the art at the time of the effective filing of the instant application to modify Lesperance/Daniell with link classifier implemented as a plugin as taught by Agea. The reason for this modification would be to add malicious link detection function to email systems that can be updated easily. Applicant Remarks Applicant remarks that Cao does not teach displaying of categorized links is found persuasive. However claim 1, 11 and 19 stand rejected over Lesperance in further view of Daniell as presented above. This action is made non-final responsive to new cited art that is not necessitated by amendment. Conclusion Any inquiry concerning this communication or earlier communications from the examiner should be directed to Tom Y. Chang whose telephone number is 571-270-5938. The examiner can normally be reached on Monday-Friday from 9am to 5pm. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Emmanuel Moise, can be reached on (571)272-3865. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from Patent Center. Status information for published applications may be obtained from Patent Center. Status information for unpublished applications is available through Patent Center for authorized users only. Should you have questions about access to Patent Center, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) Form at https://www.uspto.gov/patents/uspto-automated- interview-request-air-form. /TOM Y CHANG/ Primary Examiner, Art Unit 2455 fzhu