DETAILED ACTION
Examiner acknowledges receipt of Applicant’s amendment filed on 11/12/2025
Claims 1-4, 7-8, 10-13, and 15-18 are currently amended
Claims 1-20 are pending
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Amendment
Examiner has fully considered Applicant’s amendments to the Specification and Claims in the arguments filed on 11/12/2025. Claims 1-20 remain pending in the application. Examiner has withdrawn the objections, 101 rejections, and 112(b) rejections of the claims in view of the amendments.
Response to Arguments
Applicant’s arguments filed 11/12/2025, with respect to the rejections of independent claims 1, 10, and 15 and their corresponding dependent claims under 35 USC 103 have been fully considered and are persuasive. Therefore, the rejections have been withdrawn. However, upon further consideration, new ground(s) of rejection are made in view of the previously applied references from Cisco and Tiwari, in addition to newly applied references from Mears (US 8407789 B1), hereinafter Mears, and Baldwin et al. (US 20140279569 A1), hereinafter Baldwin. Specifically, the added combination of Mears and Baldwin is sufficient to teach the amended limitations “determining an order to provide emails for review to a first user of a first role prior to a second user of a second role based on a determination that a first risk associated with a first type of content is higher than a second risk associated with a second type of content” and “responsive to receiving the approval of the email for the first type of content: providing the email to the second user of the second role, wherein users of the second role are authorized to review the second type of content and receiving, from the second user, approval of the email for the second type of content”.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1-2, 5-11, 14-16, and 19-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Cisco Systems, Inc. (2023, August 22), User Guide for AsyncOS 14.2.3 Refresh for Cisco Secure Email Gateway – MD (Maintenance Deployment). Access from: https://www.cisco.com/c/en/us/td/docs/security/esa/esa14-2-3/User_Guide/b_ESA_Admin_Guide_14-2-3.pdf), hereinafter Cisco, in view of Mears (US 8407789 B1), hereinafter Mears, and Baldwin et al. (US 20140279569 A1), hereinafter Baldwin.
Regarding Claim 1:
Cisco teaches a computer-implemented method comprising: receiving an email for processing (Cisco – P. 269: A content filter scans either incoming or outgoing messages); prior to delivering the email to a recipient, providing the email to a set of scanners, wherein one or more of the scanners: are associated with a respective type of content; and are configured to detect whether the email includes the respective type of content (Cisco – P. 269: Content filters scan messages on a per-user (sender or recipient) basis … A condition is a “trigger” that determines whether the email gateway uses the filter on a message that matches the associated mail policy … In the content filter conditions, when you add filter rules that search for certain patterns in the message body or attachments, you can specify the minimum threshold for the number of times the pattern must be found … You can specify this threshold for text, smart identifiers, or content dictionary terms; and P. 270: Table 32: Content Filter Conditions); receiving, from the set of scanners, an identification of a plurality of types of content in the email (Cisco – P. 192-194: Message Filter Action Variables, with attention to “Matched Content”; and P. 939-940: When you configure a quarantine action for messages that match Attachment Content conditions, Message Body or Attachment conditions, Message body conditions, or the Attachment content conditions, you can view the matched content in the quarantined message. When you display the message body, the matched content is highlighted in yellow, except for DLP policy violation matches. You can also use the $MatchedContent action variable to include the matched content from message or content filter matches in the message subject. If the attachment contains the matched content, the attachment’s contents are displayed, as well as the reason it was quarantined, whether it was due to a DLP policy violation, content filter condition, message filter condition, or Image Analysis verdict; and Figure 71: Matched Content Viewed in the Policy Quarantine); [based on the order:] providing the email to the first user of the first role, wherein users of the first role are authorized to review the first type of content (Cisco – P. 925: When an email gateway detects possible malware or content that is not allowed by your organization in incoming or outgoing messages, it can send those messages to a quarantine instead of deleting them immediately; and P. 926: Table of Quarantine Types; and P. 930: Step 7 Specify the users who can access this quarantine, including a table describing customizable user roles; and P. 934: You can distribute message review and processing tasks to other administrative users. For example: • The Human Resources team can review and manage the Policy Quarantine. • The Legal team can manage the Confidential Material Quarantine. You assign access privileges to these users when you specify settings for a quarantine. In order to add users to quarantines, the users must already exist. Each user may have access to all, some, or none of the quarantines; and P. 938: If a message is present in one or more other quarantines, the “In other quarantines” column in the quarantine message list will show “Yes,” regardless of whether you have permissions to access those other quarantines. A message in multiple quarantines: • Is not delivered unless it has been released from all of the quarantines in which it resides. If it is deleted from any quarantine, it will never be delivered. • Is not deleted from any quarantine until it has been deleted or released from all quarantines in which it resides. Because a user wanting to release a message may not have access to all of the quarantines in which it resides, the following rules apply: • A message is not released from any quarantine until it has been released from all of the quarantines in which it resides. • If a message is marked as Deleted in any quarantine, it cannot be delivered from any other quarantine in which it resides. (It can still be released.)); and receiving, from the first user, approval of the email for the first type of content (Cisco – P. 937: Manually processing messages means to manually select a Message Action for the message from the Message Actions page. You can perform the following actions on messages: Delete, Release, Delay Scheduled Exit from quarantine, Send a Copy of messages to email addresses that you specify, Move a message from one quarantine to another; and P. 938: Releasing a message affects only the queues to which the user has access); [responsive to receiving the approval of the email for the first type of content:] providing the email to the second user of the second role, wherein users of the second role are authorized to review the second type of content (Cisco – P. 925: When an email gateway detects possible malware or content that is not allowed by your organization in incoming or outgoing messages, it can send those messages to a quarantine instead of deleting them immediately; and P. 926: Table of Quarantine Types; and P. 930: Step 7 Specify the users who can access this quarantine, including a table describing customizable user roles; and P. 934: You can distribute message review and processing tasks to other administrative users. For example: • The Human Resources team can review and manage the Policy Quarantine. • The Legal team can manage the Confidential Material Quarantine. You assign access privileges to these users when you specify settings for a quarantine. In order to add users to quarantines, the users must already exist. Each user may have access to all, some, or none of the quarantines; and P. 938: If a message is present in one or more other quarantines, the “In other quarantines” column in the quarantine message list will show “Yes,” regardless of whether you have permissions to access those other quarantines. A message in multiple quarantines: • Is not delivered unless it has been released from all of the quarantines in which it resides. If it is deleted from any quarantine, it will never be delivered. • Is not deleted from any quarantine until it has been deleted or released from all quarantines in which it resides. Because a user wanting to release a message may not have access to all of the quarantines in which it resides, the following rules apply: • A message is not released from any quarantine until it has been released from all of the quarantines in which it resides. • If a message is marked as Deleted in any quarantine, it cannot be delivered from any other quarantine in which it resides. (It can still be released.)) and receiving, from the second user, approval of the email for the second type of content (Cisco – P. 925: When an email gateway detects possible malware or content that is not allowed by your organization in incoming or outgoing messages, it can send those messages to a quarantine instead of deleting them immediately; and P. 926: Table of Quarantine Types; and P. 930: Step 7 Specify the users who can access this quarantine, including a table describing customizable user roles; and P. 934: You can distribute message review and processing tasks to other administrative users. For example: • The Human Resources team can review and manage the Policy Quarantine. • The Legal team can manage the Confidential Material Quarantine. You assign access privileges to these users when you specify settings for a quarantine. In order to add users to quarantines, the users must already exist. Each user may have access to all, some, or none of the quarantines; and P. 937: Manually processing messages means to manually select a Message Action for the message from the Message Actions page. You can perform the following actions on messages: Delete, Release, Delay Scheduled Exit from quarantine, Send a Copy of messages to email addresses that you specify, Move a message from one quarantine to another; and P. 938: Releasing a message affects only the queues to which the user has access); and responsive to receiving approvals for each type of content, delivering the email to a recipient (Cisco – P. 926: Table of Quarantine Types; and P. 930: Step 7 Specify the users who can access this quarantine, including a table describing customizable user roles; and P. 934: You can distribute message review and processing tasks to other administrative users. For example: • The Human Resources team can review and manage the Policy Quarantine. • The Legal team can manage the Confidential Material Quarantine. You assign access privileges to these users when you specify settings for a quarantine. In order to add users to quarantines, the users must already exist. Each user may have access to all, some, or none of the quarantines; and P. 937: Manually processing messages means to manually select a Message Action for the message from the Message Actions page. You can perform the following actions on messages: Delete, Release, Delay Scheduled Exit from quarantine, Send a Copy of messages to email addresses that you specify, Move a message from one quarantine to another; and P. 938: A message in multiple quarantines: • Is not delivered unless it has been released from all of the quarantines in which it resides. If it is deleted from any quarantine, it will never be delivered. • Is not deleted from any quarantine until it has been deleted or released from all quarantines in which it resides. Because a user wanting to release a message may not have access to all of the quarantines in which it resides, the following rules apply: • A message is not released from any quarantine until it has been released from all of the quarantines in which it resides; and P. 929: Release—The message is released for delivery).
Cisco does not expressly teach determining an order to provide emails for review to a first user of a first role prior to a second user of a second role based on a determination that a first risk associated with a first type of content is higher than a second risk associated with a second type of content; based on the order … providing the email to the first user … providing the email to the second user.
However, Mears teaches determining an order to provide emails for review to a first user of a first role prior to a second user of a second role based on a determination that a first risk associated with a first type of content is higher than a second risk associated with a second type of content (Mears – Col. 1, Line 39-45: In order to combat the seemingly ever increasing volume of undesirable content, numerous security systems are currently available that include two or more filters, or "stages", with each filter/stage being implemented to block, or filter out, a specific type of undesirable content. Typically, using these multiple filter/stage security systems, a given e-mail, IM, or file is subjected to each filter/stage in a defined sequence; and Col. 2, Line 26-30: the nature and priority of the filtering desired/necessary can be different, and change at different rates, based on the individual user of the multiple filter/stage security system and the type of undesirable content that specific user must deal with; and Col. 2, Line 31-56: As a simple example, a given user may initially purchase and implement a multiple filter/stage security system for the purpose of virus detection/blocking … the initial set up of a multiple filter/stage security system for the user may include a sequence whereby a given e-mail, IM, or file is first subjected to a virus detection/blocking filter/stage and then a spam detection/blocking filter/stage … given the user's emphasis on virus protection desired at the time of implementation of the multiple filter/stage security system, the initial sequence may be desirable. However, over time, and in some cases a relatively short period of time, it is quite possible that spam will become a far bigger issue for the user than viruses and/or it may be that many viruses are now being transmitted via spam. As a result of this change in circumstances, and the nature of the treat to this user, it might be highly advantageous to change the sequence of the multiple filter/stage security system so that the relatively low cost spam detection/blocking filter/stage is implemented before the relatively high cost virus detection/blocking filter/stage; and Col. 4, Line 24-29: In one embodiment, the given multiple filter/stage security system is initially implemented such that the two or more filters/stages are used in a defined initial sequence based on … a perceived threat and/or based on user priorities); based on the order … providing the email to the first user … providing the email to the second user (Mears – Col. 1, Line 39-45: In order to combat the seemingly ever increasing volume of undesirable content, numerous security systems are currently available that include two or more filters, or "stages", with each filter/stage being implemented to block, or filter out, a specific type of undesirable content. Typically, using these multiple filter/stage security systems, a given e-mail, IM, or file is subjected to each filter/stage in a defined sequence; and Col. 2, Line 26-30: the nature and priority of the filtering desired/necessary can be different, and change at different rates, based on the individual user of the multiple filter/stage security system and the type of undesirable content that specific user must deal with; and Col. 4, Line 24-29: In one embodiment, the given multiple filter/stage security system is initially implemented such that the two or more filters/stages are used in a defined initial sequence based on … a perceived threat and/or based on user priorities).
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to modify Cisco, further incorporating Mears to arrive at the conclusion of the claimed invention. One would be motivated to incorporate Mears’s teaching of a user-priority-based sequence of e-mail security review stages into Cisco’s hierarchical email quarantine for ensuring email security. Mears’s prioritized sequence of security checks would allow users to customize the review hierarchy to maximize security and efficiency based on per-system preferences, including perceived threat/risk.
The combination of Cisco and Mears does not expressly teach providing the email to the first user … responsive to receiving the approval … providing the email to the second user.
However, Baldwin teaches providing [the email] to the first user … responsive to receiving the approval … providing [the email] to the second user (Baldwin – Paragraph [0003]: Content approval may refer to the process through which approval of a particular content item (and/or revisions thereto) may be managed … In certain instances, it may be appropriate to obtain tiered approval for a content item (e.g., approval from a series of individuals, with the content item being submitted to the next approver(s) in the series based upon receiving approval from the preceding approver(s) in the series).
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to modify Cisco and Mears, further incorporating Baldwin to arrive at the conclusion of the claimed invention. One would be motivated to incorporate Baldwin’s teaching of a previous-approval-gated progression through a series of approvers into Cisco and Mears’s hierarchical email quarantine for ensuring email security. Baldwin is directed to approvals of content items such as documents, webpages, software code segments, etc.. However, Baldwin teaches an approval pipeline requiring the approval of a previous reviewer to advance the processing. Thus, one of ordinary skill in the art would be motivated to apply this structure and workflow into Cisco and Mears’s analogous series of reviewers wherein each individual approval is required for ultimate acceptance. This combination would provide the obvious benefit of structural organization in the email review process, in addition to concrete step-by-step security assurance.
Regarding Claim 2:
The combination of Cisco, Mears, and Baldwin teaches the method of claim 1.
Cisco further teaches wherein the method further comprises: prior to providing the email to the second user, determining that a policy has been updated for the second type of content; and in response to the determining, providing the email to a scanner from the set of scanners configured to detect the second type of content prior to providing the email to the user of the second role (Cisco – P. 424: The Outbreak Filters feature uses three tactics to protect your users from outbreaks: • Delay. Outbreak Filters quarantines messages that may be part of a virus outbreak or non-viral attack. While quarantined, the email gateways receives updated outbreak information and rescans the message to confirm whether it’s part of an attack; and P. 426: Outbreak Filters are powered by Cisco’s unique Context Adaptive Scanning Engine (CASE). CASE leverages over 100,000 adaptive message attributes tuned automatically and on a regular basis, based on real-time analysis of messaging threats … Based on the message’s threat level, CASE recommends a period of time to quarantine the message to prevent an outbreak. CASE also determines the rescan intervals so it can reevaluate the message based on updated Outbreak Rules from SIO. The higher the threat level, the more often it rescans the message while it is quarantined. CASE also rescans messages when they’re released from the quarantine. A message can be quarantined again if CASE determines that it is spam or contains a virus upon rescan).
The motivation to combine the arts is the same as that of Claim 1.
Regarding Claim 5:
The combination of Cisco, Mears, and Baldwin teaches the method of claim 1.
Cisco further teaches further comprising: responsive to receiving the email, setting a content identifier for each type of content to false; and responsive to the email being reviewed for each type of content and the email being approved for each type of content, setting respective content identifiers to true (Cisco – P. 270: In the content filter conditions, when you add filter rules that search for certain patterns in the message body or attachments, you can specify the minimum threshold for the number of times the pattern must be found. When AsyncOS scans the message, it totals the “score” for the number of matches it finds in the message and attachments. If the minimum threshold is not met, the regular expression does not evaluate to true. You can specify this threshold for text, smart identifiers, or content dictionary terms; and Table 32: Content Filter Conditions, including setting matching thresholds for identifying conditions as “true” per email).
The motivation to combine the arts is the same as that of Claim 1.
Regarding Claim 6:
The combination of Cisco, Mears, and Baldwin teaches the method of claim 1.
Cisco further teaches wherein multiple users are assigned to a particular type of content and the email stays in quarantine until it is approved by each of the multiple users (Cisco – P. 926: Table of Quarantine Types; and P. 930: Step 7 Specify the users who can access this quarantine, including a table describing customizable user roles; and P. 934: You can distribute message review and processing tasks to other administrative users. For example: • The Human Resources team can review and manage the Policy Quarantine. • The Legal team can manage the Confidential Material Quarantine. You assign access privileges to these users when you specify settings for a quarantine. In order to add users to quarantines, the users must already exist. Each user may have access to all, some, or none of the quarantines; and P. 938: A message in multiple quarantines: • Is not delivered unless it has been released from all of the quarantines in which it resides. If it is deleted from any quarantine, it will never be delivered. • Is not deleted from any quarantine until it has been deleted or released from all quarantines in which it resides. Because a user wanting to release a message may not have access to all of the quarantines in which it resides, the following rules apply: • A message is not released from any quarantine until it has been released from all of the quarantines in which it resides).
The motivation to combine the arts is the same as that of Claim 1.
Regarding Claim 7:
The combination of Cisco, Mears, and Baldwin teaches the method of claim 1.
Cisco further teaches further comprising … providing the email to a third user of a third role, wherein users of the third role are authorized to review the email for innocuous spam and bulk emails, and responsive to the email not being reviewed for a predetermined amount of time by the third user of the third role, delivering the email to the recipient (Cisco – P. 926: Quarantine types table, including Spam and various other types of content for review; and P. 927-928: Messages are automatically removed from the quarantine under the following circumstances: • Normal Expiration—the configured retention time is met for a message in the quarantine. You specify a retention time for messages in each quarantine. Each message has its own specific expiration time, displayed in the quarantine listing. Messages are stored for the amount of time specified unless another circumstance described in this topic occurs; and P. 928-929: The default action is performed on messages in a policy, virus, or outbreak quarantine when any situation described in Retention Time for Messages in Quarantines , on page 927, occurs. There are two primary default actions: • Delete—The message is deleted. • Release—The message is released for delivery).
Baldwin further teaches responsive to the email being approved for the second type of content, providing the email to a third user (Baldwin – Paragraph [0003]: Content approval may refer to the process through which approval of a particular content item (and/or revisions thereto) may be managed … In certain instances, it may be appropriate to obtain tiered approval for a content item (e.g., approval from a series of individuals, with the content item being submitted to the next approver(s) in the series based upon receiving approval from the preceding approver(s) in the series).
The motivation to combine the arts is the same as that of Claim 1.
Regarding Claim 8:
The combination of Cisco, Mears, and Baldwin teaches the method of claim 1.
Cisco further teaches further comprising: determining that a threshold amount of time has passed since providing the email to be reviewed for a particular type of content; and providing the email to a scanner of the set of scanners configured to rescan the email for the particular type of content (Cisco – P. 927-928: Messages are automatically removed from the quarantine under the following circumstances: • Normal Expiration—the configured retention time is met for a message in the quarantine. You specify a retention time for messages in each quarantine. Each message has its own specific expiration time, displayed in the quarantine listing. Messages are stored for the amount of time specified unless another circumstance described in this topic occurs; and P. 928-929: The default action is performed on messages in a policy, virus, or outbreak quarantine when any situation described in Retention Time for Messages in Quarantines , on page 927, occurs. There are two primary default actions: • Delete—The message is deleted. • Release—The message is released for delivery; and P. 940-941: When a message is released from all queues in which is has been quarantined, the following rescanning occurs, depending on the features enabled for the email gateway and for the mail policy that originally quarantined the message: • Messages released from Policy and Virus quarantines are rescanned by the anti-virus, advanced malware protection, and graymail engines. • Messages released from the Outbreak quarantine are rescanned by the anti-spam, AMP, and anti-virus engines. (For information about rescanning of messages while in the Outbreak quarantine, see ) • Messages released from the File Analysis quarantine are rescanned for threats. • Messages with attachments are rescanned by the file reputation service upon release from Policy, Virus, and Outbreak quarantines. Upon rescanning, if the verdict produced matches the verdict produced the previous time the message was processed, the message is not re-quarantined. Conversely, if the verdict is different, the message could be sent to another quarantine).
The motivation to combine the arts is the same as that of Claim 1.
Regarding Claim 9:
The combination of Cisco, Mears, and Baldwin teaches the method of claim 1.
Cisco further teaches further comprising receiving a denial of approval for a particular email for at least one type of content, and in response to receiving the denial, discarding the email (Cisco – P. 937: Manually processing messages means to manually select a Message Action for the message from the Message Actions page. You can perform the following actions on messages: • Delete; and P. 938: A message in multiple quarantines: • Is not delivered unless it has been released from all of the quarantines in which it resides. If it is deleted from any quarantine, it will never be delivered. • Is not deleted from any quarantine until it has been deleted or released from all quarantines in which it resides).
The motivation to combine the arts is the same as that of Claim 1.
Regarding Claim 10:
Cisco teaches receiving an email for processing (Cisco – P. 269: A content filter scans either incoming or outgoing messages); prior to delivering the email to a recipient, providing the email to a set of scanners, wherein one or more of the scanners: are associated with a respective type of content; and are configured to detect whether the email includes the respective type of content (Cisco – P. 269: Content filters scan messages on a per-user (sender or recipient) basis … A condition is a “trigger” that determines whether the email gateway uses the filter on a message that matches the associated mail policy … In the content filter conditions, when you add filter rules that search for certain patterns in the message body or attachments, you can specify the minimum threshold for the number of times the pattern must be found … You can specify this threshold for text, smart identifiers, or content dictionary terms; and P. 270: Table 32: Content Filter Conditions); receiving, from the set of scanners, an identification of a plurality of types of content in the email (Cisco – P. 192-194: Message Filter Action Variables, with attention to “Matched Content”; and P. 939-940: When you configure a quarantine action for messages that match Attachment Content conditions, Message Body or Attachment conditions, Message body conditions, or the Attachment content conditions, you can view the matched content in the quarantined message. When you display the message body, the matched content is highlighted in yellow, except for DLP policy violation matches. You can also use the $MatchedContent action variable to include the matched content from message or content filter matches in the message subject. If the attachment contains the matched content, the attachment’s contents are displayed, as well as the reason it was quarantined, whether it was due to a DLP policy violation, content filter condition, message filter condition, or Image Analysis verdict; and Figure 71: Matched Content Viewed in the Policy Quarantine); [based on the order:] providing the email to the first user of the first role, wherein users of the first role are authorized to review the first type of content (Cisco – P. 925: When an email gateway detects possible malware or content that is not allowed by your organization in incoming or outgoing messages, it can send those messages to a quarantine instead of deleting them immediately; and P. 926: Table of Quarantine Types; and P. 930: Step 7 Specify the users who can access this quarantine, including a table describing customizable user roles; and P. 934: You can distribute message review and processing tasks to other administrative users. For example: • The Human Resources team can review and manage the Policy Quarantine. • The Legal team can manage the Confidential Material Quarantine. You assign access privileges to these users when you specify settings for a quarantine. In order to add users to quarantines, the users must already exist. Each user may have access to all, some, or none of the quarantines; and P. 938: If a message is present in one or more other quarantines, the “In other quarantines” column in the quarantine message list will show “Yes,” regardless of whether you have permissions to access those other quarantines. A message in multiple quarantines: • Is not delivered unless it has been released from all of the quarantines in which it resides. If it is deleted from any quarantine, it will never be delivered. • Is not deleted from any quarantine until it has been deleted or released from all quarantines in which it resides. Because a user wanting to release a message may not have access to all of the quarantines in which it resides, the following rules apply: • A message is not released from any quarantine until it has been released from all of the quarantines in which it resides. • If a message is marked as Deleted in any quarantine, it cannot be delivered from any other quarantine in which it resides. (It can still be released.)); and receiving, from the first user, approval of the email for the first type of content (Cisco – P. 937: Manually processing messages means to manually select a Message Action for the message from the Message Actions page. You can perform the following actions on messages: Delete, Release, Delay Scheduled Exit from quarantine, Send a Copy of messages to email addresses that you specify, Move a message from one quarantine to another; and P. 938: Releasing a message affects only the queues to which the user has access); providing the email to the second user of the second role, wherein users of the second role are authorized to review the second type of content (Cisco – P. 925: When an email gateway detects possible malware or content that is not allowed by your organization in incoming or outgoing messages, it can send those messages to a quarantine instead of deleting them immediately; and P. 926: Table of Quarantine Types; and P. 930: Step 7 Specify the users who can access this quarantine, including a table describing customizable user roles; and P. 934: You can distribute message review and processing tasks to other administrative users. For example: • The Human Resources team can review and manage the Policy Quarantine. • The Legal team can manage the Confidential Material Quarantine. You assign access privileges to these users when you specify settings for a quarantine. In order to add users to quarantines, the users must already exist. Each user may have access to all, some, or none of the quarantines; and P. 938: If a message is present in one or more other quarantines, the “In other quarantines” column in the quarantine message list will show “Yes,” regardless of whether you have permissions to access those other quarantines. A message in multiple quarantines: • Is not delivered unless it has been released from all of the quarantines in which it resides. If it is deleted from any quarantine, it will never be delivered. • Is not deleted from any quarantine until it has been deleted or released from all quarantines in which it resides. Because a user wanting to release a message may not have access to all of the quarantines in which it resides, the following rules apply: • A message is not released from any quarantine until it has been released from all of the quarantines in which it resides. • If a message is marked as Deleted in any quarantine, it cannot be delivered from any other quarantine in which it resides. (It can still be released.)); and receiving, from the second user, approval of the email for the second type of content (Cisco – P. 925: When an email gateway detects possible malware or content that is not allowed by your organization in incoming or outgoing messages, it can send those messages to a quarantine instead of deleting them immediately; and P. 926: Table of Quarantine Types; and P. 930: Step 7 Specify the users who can access this quarantine, including a table describing customizable user roles; and P. 934: You can distribute message review and processing tasks to other administrative users. For example: • The Human Resources team can review and manage the Policy Quarantine. • The Legal team can manage the Confidential Material Quarantine. You assign access privileges to these users when you specify settings for a quarantine. In order to add users to quarantines, the users must already exist. Each user may have access to all, some, or none of the quarantines; and P. 937: Manually processing messages means to manually select a Message Action for the message from the Message Actions page. You can perform the following actions on messages: Delete, Release, Delay Scheduled Exit from quarantine, Send a Copy of messages to email addresses that you specify, Move a message from one quarantine to another; and P. 938: Releasing a message affects only the queues to which the user has access); and responsive to receiving approvals for each type of content, delivering the email to the recipient (Cisco – P. 926: Table of Quarantine Types; and P. 930: Step 7 Specify the users who can access this quarantine, including a table describing customizable user roles; and P. 934: You can distribute message review and processing tasks to other administrative users. For example: • The Human Resources team can review and manage the Policy Quarantine. • The Legal team can manage the Confidential Material Quarantine. You assign access privileges to these users when you specify settings for a quarantine. In order to add users to quarantines, the users must already exist. Each user may have access to all, some, or none of the quarantines; and P. 937: Manually processing messages means to manually select a Message Action for the message from the Message Actions page. You can perform the following actions on messages: Delete, Release, Delay Scheduled Exit from quarantine, Send a Copy of messages to email addresses that you specify, Move a message from one quarantine to another; and P. 938: A message in multiple quarantines: • Is not delivered unless it has been released from all of the quarantines in which it resides. If it is deleted from any quarantine, it will never be delivered. • Is not deleted from any quarantine until it has been deleted or released from all quarantines in which it resides. Because a user wanting to release a message may not have access to all of the quarantines in which it resides, the following rules apply: • A message is not released from any quarantine until it has been released from all of the quarantines in which it resides; and P. 929: Release—The message is released for delivery).
Cisco does not expressly teach determining an order to provide emails for review to a first user of a first role prior to a second user of a second role based on a determination that a first risk associated with a first type of content is higher than a second risk associated with a second type of content; based on the order … providing the email to the first user … providing the email to the second user.
However, Mears teaches determining an order to provide emails for review to a first user of a first role prior to a second user of a second role based on a determination that a first risk associated with a first type of content is higher than a second risk associated with a second type of content (Mears – Col. 1, Line 39-45: In order to combat the seemingly ever increasing volume of undesirable content, numerous security systems are currently available that include two or more filters, or "stages", with each filter/stage being implemented to block, or filter out, a specific type of undesirable content. Typically, using these multiple filter/stage security systems, a given e-mail, IM, or file is subjected to each filter/stage in a defined sequence; and Col. 2, Line 26-30: the nature and priority of the filtering desired/necessary can be different, and change at different rates, based on the individual user of the multiple filter/stage security system and the type of undesirable content that specific user must deal with; and Col. 2, Line 31-56: As a simple example, a given user may initially purchase and implement a multiple filter/stage security system for the purpose of virus detection/blocking … the initial set up of a multiple filter/stage security system for the user may include a sequence whereby a given e-mail, IM, or file is first subjected to a virus detection/blocking filter/stage and then a spam detection/blocking filter/stage … given the user's emphasis on virus protection desired at the time of implementation of the multiple filter/stage security system, the initial sequence may be desirable. However, over time, and in some cases a relatively short period of time, it is quite possible that spam will become a far bigger issue for the user than viruses and/or it may be that many viruses are now being transmitted via spam. As a result of this change in circumstances, and the nature of the treat to this user, it might be highly advantageous to change the sequence of the multiple filter/stage security system so that the relatively low cost spam detection/blocking filter/stage is implemented before the relatively high cost virus detection/blocking filter/stage; and Col. 4, Line 24-29: In one embodiment, the given multiple filter/stage security system is initially implemented such that the two or more filters/stages are used in a defined initial sequence based on … a perceived threat and/or based on user priorities); based on the order … providing the email to the first user … providing the email to the second user (Mears – Col. 1, Line 39-45: In order to combat the seemingly ever increasing volume of undesirable content, numerous security systems are currently available that include two or more filters, or "stages", with each filter/stage being implemented to block, or filter out, a specific type of undesirable content. Typically, using these multiple filter/stage security systems, a given e-mail, IM, or file is subjected to each filter/stage in a defined sequence; and Col. 2, Line 26-30: the nature and priority of the filtering desired/necessary can be different, and change at different rates, based on the individual user of the multiple filter/stage security system and the type of undesirable content that specific user must deal with; and Col. 4, Line 24-29: In one embodiment, the given multiple filter/stage security system is initially implemented such that the two or more filters/stages are used in a defined initial sequence based on … a perceived threat and/or based on user priorities).
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to modify Cisco, further incorporating Mears to arrive at the conclusion of the claimed invention. One would be motivated to incorporate Mears’s teaching of a user-priority-based sequence of e-mail security review stages into Cisco’s hierarchical email quarantine for ensuring email security. Mears’s prioritized sequence of security checks would allow users to customize the review hierarchy to maximize security and efficiency based on per-system preferences, including perceived threat/risk.
The combination of Cisco and Mears does not expressly teach A computing device comprising: one or more processors; and one or more non-transitory computer-readable media coupled to the one or more processors, having instructions stored thereon that, when executed by the one or more processors, cause the one or more processors to perform operations; providing the email to the first user … responsive to receiving the approval … providing the email to the second user.
However, Baldwin teaches A computing device comprising: one or more processors; and one or more non-transitory computer-readable media coupled to the one or more processors, having instructions stored thereon that, when executed by the one or more processors, cause the one or more processors to perform operations (Baldwin – Paragraph [0026]: It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks; and Paragraph [0027]: These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner); providing [the email] to the first user … responsive to receiving the approval … providing [the email] to the second user (Baldwin – Paragraph [0003]: Content approval may refer to the process through which approval of a particular content item (and/or revisions thereto) may be managed … In certain instances, it may be appropriate to obtain tiered approval for a content item (e.g., approval from a series of individuals, with the content item being submitted to the next approver(s) in the series based upon receiving approval from the preceding approver(s) in the series).
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to modify Cisco and Mears, further incorporating Baldwin to arrive at the conclusion of the claimed invention. One would be motivated to incorporate Baldwin’s teaching of a previous-approval-gated progression through a series of approvers into Cisco and Mears’s hierarchical email quarantine for ensuring email security. Baldwin is directed to approvals of content items such as documents, webpages, software code segments, etc.. However, Baldwin teaches an approval pipeline requiring the approval of a previous reviewer to advance the processing. Thus, one of ordinary skill in the art would be motivated to apply this structure and workflow into Cisco and Mears’s analogous series of reviewers wherein each individual approval is required for ultimate acceptance. This combination would provide the obvious benefit of structural organization in the email review process, in addition to concrete step-by-step security assurance.
Regarding Claim 11:
The combination of Cisco, Mears, and Baldwin teaches the device of claim 10.
Cisco further teaches wherein the method further comprises: prior to providing the email to the second user, determining that a policy has been updated for the second type of content; and in response to the determining, providing the email to a scanner from the set of scanners configured to detect the second type of content prior to providing the email to the user of the second role (Cisco – P. 424: The Outbreak Filters feature uses three tactics to protect your users from outbreaks: • Delay. Outbreak Filters quarantines messages that may be part of a virus outbreak or non-viral attack. While quarantined, the email gateways receives updated outbreak information and rescans the message to confirm whether it’s part of an attack; and P. 426: Outbreak Filters are powered by Cisco’s unique Context Adaptive Scanning Engine (CASE). CASE leverages over 100,000 adaptive message attributes tuned automatically and on a regular basis, based on real-time analysis of messaging threats … Based on the message’s threat level, CASE recommends a period of time to quarantine the message to prevent an outbreak. CASE also determines the rescan intervals so it can reevaluate the message based on updated Outbreak Rules from SIO. The higher the threat level, the more often it rescans the message while it is quarantined. CASE also rescans messages when they’re released from the quarantine. A message can be quarantined again if CASE determines that it is spam or contains a virus upon rescan).
The motivation to combine the arts is the same as that of Claim 10.
Regarding Claim 14:
The combination of Cisco, Mears, and Baldwin teaches the device of claim 10.
Cisco further teaches wherein the operations further include: responsive to receiving the email, setting a content identifier for each type of content to false; and responsive to the email being reviewed for each type of content and the email being approved for each type of content, setting respective content identifiers to true (Cisco – P. 270: In the content filter conditions, when you add filter rules that search for certain patterns in the message body or attachments, you can specify the minimum threshold for the number of times the pattern must be found. When AsyncOS scans the message, it totals the “score” for the number of matches it finds in the message and attachments. If the minimum threshold is not met, the regular expression does not evaluate to true. You can specify this threshold for text, smart identifiers, or content dictionary terms; and Table 32: Content Filter Conditions, including setting matching thresholds for identifying conditions as “true” per email).
The motivation to combine the arts is the same as that of Claim 10.
Regarding Claim 15:
Cisco teaches receiving an email for processing (Cisco – P. 269: A content filter scans either incoming or outgoing messages); prior to delivering the email to a recipient, providing the email to a set of scanners, wherein one or more of the scanners: are associated with a respective type of content; and are configured to detect whether the email includes the respective type of content (Cisco – P. 269: Content filters scan messages on a per-user (sender or recipient) basis … A condition is a “trigger” that determines whether the email gateway uses the filter on a message that matches the associated mail policy … In the content filter conditions, when you add filter rules that search for certain patterns in the message body or attachments, you can specify the minimum threshold for the number of times the pattern must be found … You can specify this threshold for text, smart identifiers, or content dictionary terms; and P. 270: Table 32: Content Filter Conditions); receiving, from the set of scanners, an identification of a plurality of types of content in the email (Cisco – P. 192-194: Message Filter Action Variables, with attention to “Matched Content”; and P. 939-940: When you configure a quarantine action for messages that match Attachment Content conditions, Message Body or Attachment conditions, Message body conditions, or the Attachment content conditions, you can view the matched content in the quarantined message. When you display the message body, the matched content is highlighted in yellow, except for DLP policy violation matches. You can also use the $MatchedContent action variable to include the matched content from message or content filter matches in the message subject. If the attachment contains the matched content, the attachment’s contents are displayed, as well as the reason it was quarantined, whether it was due to a DLP policy violation, content filter condition, message filter condition, or Image Analysis verdict; and Figure 71: Matched Content Viewed in the Policy Quarantine); [based on the order:] providing the email to the first user of the first role, wherein users of the first role are authorized to review the first type of content (Cisco – P. 925: When an email gateway detects possible malware or content that is not allowed by your organization in incoming or outgoing messages, it can send those messages to a quarantine instead of deleting them immediately; and P. 926: Table of Quarantine Types; and P. 930: Step 7 Specify the users who can access this quarantine, including a table describing customizable user roles; and P. 934: You can distribute message review and processing tasks to other administrative users. For example: • The Human Resources team can review and manage the Policy Quarantine. • The Legal team can manage the Confidential Material Quarantine. You assign access privileges to these users when you specify settings for a quarantine. In order to add users to quarantines, the users must already exist. Each user may have access to all, some, or none of the quarantines; and P. 938: If a message is present in one or more other quarantines, the “In other quarantines” column in the quarantine message list will show “Yes,” regardless of whether you have permissions to access those other quarantines. A message in multiple quarantines: • Is not delivered unless it has been released from all of the quarantines in which it resides. If it is deleted from any quarantine, it will never be delivered. • Is not deleted from any quarantine until it has been deleted or released from all quarantines in which it resides. Because a user wanting to release a message may not have access to all of the quarantines in which it resides, the following rules apply: • A message is not released from any quarantine until it has been released from all of the quarantines in which it resides. • If a message is marked as Deleted in any quarantine, it cannot be delivered from any other quarantine in which it resides. (It can still be released.)); and receiving, from the first user, approval of the email for the first type of content (Cisco – P. 937: Manually processing messages means to manually select a Message Action for the message from the Message Actions page. You can perform the following actions on messages: Delete, Release, Delay Scheduled Exit from quarantine, Send a Copy of messages to email addresses that you specify, Move a message from one quarantine to another; and P. 938: Releasing a message affects only the queues to which the user has access); providing the email to the second user of the second role, wherein users of the second role are authorized to review the second type of content (Cisco – P. 925: When an email gateway detects possible malware or content that is not allowed by your organization in incoming or outgoing messages, it can send those messages to a quarantine instead of deleting them immediately; and P. 926: Table of Quarantine Types; and P. 930: Step 7 Specify the users who can access this quarantine, including a table describing customizable user roles; and P. 934: You can distribute message review and processing tasks to other administrative users. For example: • The Human Resources team can review and manage the Policy Quarantine. • The Legal team can manage the Confidential Material Quarantine. You assign access privileges to these users when you specify settings for a quarantine. In order to add users to quarantines, the users must already exist. Each user may have access to all, some, or none of the quarantines; and P. 938: If a message is present in one or more other quarantines, the “In other quarantines” column in the quarantine message list will show “Yes,” regardless of whether you have permissions to access those other quarantines. A message in multiple quarantines: • Is not delivered unless it has been released from all of the quarantines in which it resides. If it is deleted from any quarantine, it will never be delivered. • Is not deleted from any quarantine until it has been deleted or released from all quarantines in which it resides. Because a user wanting to release a message may not have access to all of the quarantines in which it resides, the following rules apply: • A message is not released from any quarantine until it has been released from all of the quarantines in which it resides. • If a message is marked as Deleted in any quarantine, it cannot be delivered from any other quarantine in which it resides. (It can still be released.)); and receiving, from the second user, approval of the email for the second type of content (Cisco – P. 925: When an email gateway detects possible malware or content that is not allowed by your organization in incoming or outgoing messages, it can send those messages to a quarantine instead of deleting them immediately; and P. 926: Table of Quarantine Types; and P. 930: Step 7 Specify the users who can access this quarantine, including a table describing customizable user roles; and P. 934: You can distribute message review and processing tasks to other administrative users. For example: • The Human Resources team can review and manage the Policy Quarantine. • The Legal team can manage the Confidential Material Quarantine. You assign access privileges to these users when you specify settings for a quarantine. In order to add users to quarantines, the users must already exist. Each user may have access to all, some, or none of the quarantines; and P. 937: Manually processing messages means to manually select a Message Action for the message from the Message Actions page. You can perform the following actions on messages: Delete, Release, Delay Scheduled Exit from quarantine, Send a Copy of messages to email addresses that you specify, Move a message from one quarantine to another; and P. 938: Releasing a message affects only the queues to which the user has access); and responsive to receiving approvals for each type of content, delivering the email to the recipient (Cisco – P. 926: Table of Quarantine Types; and P. 930: Step 7 Specify the users who can access this quarantine, including a table describing customizable user roles; and P. 934: You can distribute message review and processing tasks to other administrative users. For example: • The Human Resources team can review and manage the Policy Quarantine. • The Legal team can manage the Confidential Material Quarantine. You assign access privileges to these users when you specify settings for a quarantine. In order to add users to quarantines, the users must already exist. Each user may have access to all, some, or none of the quarantines; and P. 937: Manually processing messages means to manually select a Message Action for the message from the Message Actions page. You can perform the following actions on messages: Delete, Release, Delay Scheduled Exit from quarantine, Send a Copy of messages to email addresses that you specify, Move a message from one quarantine to another; and P. 938: A message in multiple quarantines: • Is not delivered unless it has been released from all of the quarantines in which it resides. If it is deleted from any quarantine, it will never be delivered. • Is not deleted from any quarantine until it has been deleted or released from all quarantines in which it resides. Because a user wanting to release a message may not have access to all of the quarantines in which it resides, the following rules apply: • A message is not released from any quarantine until it has been released from all of the quarantines in which it resides; and P. 929: Release—The message is released for delivery).
Cisco does not expressly teach determining an order to provide emails for review to a first user of a first role prior to a second user of a second role based on a determination that a first risk associated with a first type of content is higher than a second risk associated with a second type of content; based on the order … providing the email to the first user … providing the email to the second user.
However, Mears teaches determining an order to provide emails for review to a first user of a first role prior to a second user of a second role based on a determination that a first risk associated with a first type of content is higher than a second risk associated with a second type of content (Mears – Col. 1, Line 39-45: In order to combat the seemingly ever increasing volume of undesirable content, numerous security systems are currently available that include two or more filters, or "stages", with each filter/stage being implemented to block, or filter out, a specific type of undesirable content. Typically, using these multiple filter/stage security systems, a given e-mail, IM, or file is subjected to each filter/stage in a defined sequence; and Col. 2, Line 26-30: the nature and priority of the filtering desired/necessary can be different, and change at different rates, based on the individual user of the multiple filter/stage security system and the type of undesirable content that specific user must deal with; and Col. 2, Line 31-56: As a simple example, a given user may initially purchase and implement a multiple filter/stage security system for the purpose of virus detection/blocking … the initial set up of a multiple filter/stage security system for the user may include a sequence whereby a given e-mail, IM, or file is first subjected to a virus detection/blocking filter/stage and then a spam detection/blocking filter/stage … given the user's emphasis on virus protection desired at the time of implementation of the multiple filter/stage security system, the initial sequence may be desirable. However, over time, and in some cases a relatively short period of time, it is quite possible that spam will become a far bigger issue for the user than viruses and/or it may be that many viruses are now being transmitted via spam. As a result of this change in circumstances, and the nature of the treat to this user, it might be highly advantageous to change the sequence of the multiple filter/stage security system so that the relatively low cost spam detection/blocking filter/stage is implemented before the relatively high cost virus detection/blocking filter/stage; and Col. 4, Line 24-29: In one embodiment, the given multiple filter/stage security system is initially implemented such that the two or more filters/stages are used in a defined initial sequence based on … a perceived threat and/or based on user priorities); based on the order … providing the email to the first user … providing the email to the second user (Mears – Col. 1, Line 39-45: In order to combat the seemingly ever increasing volume of undesirable content, numerous security systems are currently available that include two or more filters, or "stages", with each filter/stage being implemented to block, or filter out, a specific type of undesirable content. Typically, using these multiple filter/stage security systems, a given e-mail, IM, or file is subjected to each filter/stage in a defined sequence; and Col. 2, Line 26-30: the nature and priority of the filtering desired/necessary can be different, and change at different rates, based on the individual user of the multiple filter/stage security system and the type of undesirable content that specific user must deal with; and Col. 4, Line 24-29: In one embodiment, the given multiple filter/stage security system is initially implemented such that the two or more filters/stages are used in a defined initial sequence based on … a perceived threat and/or based on user priorities).
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to modify Cisco, further incorporating Mears to arrive at the conclusion of the claimed invention. One would be motivated to incorporate Mears’s teaching of a user-priority-based sequence of e-mail security review stages into Cisco’s hierarchical email quarantine for ensuring email security. Mears’s prioritized sequence of security checks would allow users to customize the review hierarchy to maximize security and efficiency based on per-system preferences, including perceived threat/risk.
The combination of Cisco and Mears does not expressly teach A non-transitory computer-readable medium with instructions stored thereon that, responsive to execution by a processing device, causes the processing device to perform operations; providing the email to the first user … responsive to receiving the approval … providing the email to the second user.
However, Baldwin teaches A non-transitory computer-readable medium with instructions stored thereon that, responsive to execution by a processing device, causes the processing device to perform operations (Baldwin – Paragraph [0026]: It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks; and Paragraph [0027]: These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner); providing [the email] to the first user … responsive to receiving the approval … providing [the email] to the second user (Baldwin – Paragraph [0003]: Content approval may refer to the process through which approval of a particular content item (and/or revisions thereto) may be managed … In certain instances, it may be appropriate to obtain tiered approval for a content item (e.g., approval from a series of individuals, with the content item being submitted to the next approver(s) in the series based upon receiving approval from the preceding approver(s) in the series).
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to modify Cisco and Mears, further incorporating Baldwin to arrive at the conclusion of the claimed invention. One would be motivated to incorporate Baldwin’s teaching of a previous-approval-gated progression through a series of approvers into Cisco and Mears’s hierarchical email quarantine for ensuring email security. Baldwin is directed to approvals of content items such as documents, webpages, software code segments, etc.. However, Baldwin teaches an approval pipeline requiring the approval of a previous reviewer to advance the processing. Thus, one of ordinary skill in the art would be motivated to apply this structure and workflow into Cisco’s analogous series of reviewers wherein each individual approval is required for ultimate acceptance. This combination would provide the obvious benefit of structural organization in the email review process, in addition to concrete step-by-step security assurance.
Regarding Claim 16:
The combination of Cisco, Mears, and Baldwin teaches the computer-readable medium of claim 15.
Cisco further teaches wherein the method further comprises: prior to providing the email to the second user, determining that a policy has been updated for the second type of content; and in response to the determining, providing the email to a scanner from the set of scanners configured to detect the second type of content prior to providing the email to the user of the second role (Cisco – P. 424: The Outbreak Filters feature uses three tactics to protect your users from outbreaks: • Delay. Outbreak Filters quarantines messages that may be part of a virus outbreak or non-viral attack. While quarantined, the email gateways receives updated outbreak information and rescans the message to confirm whether it’s part of an attack; and P. 426: Outbreak Filters are powered by Cisco’s unique Context Adaptive Scanning Engine (CASE). CASE leverages over 100,000 adaptive message attributes tuned automatically and on a regular basis, based on real-time analysis of messaging threats … Based on the message’s threat level, CASE recommends a period of time to quarantine the message to prevent an outbreak. CASE also determines the rescan intervals so it can reevaluate the message based on updated Outbreak Rules from SIO. The higher the threat level, the more often it rescans the message while it is quarantined. CASE also rescans messages when they’re released from the quarantine. A message can be quarantined again if CASE determines that it is spam or contains a virus upon rescan).
The motivation to combine the arts is the same as that of Claim 15.
Regarding Claim 19:
The combination of Cisco, Mears, and Baldwin teaches the computer-readable medium of claim 15.
Cisco further teaches wherein the operations further include: responsive to receiving the email, setting a content identifier for each type of content to false; and responsive to the email being reviewed for each type of content and the email being approved for each type of content, setting respective content identifiers to true (Cisco – P. 270: In the content filter conditions, when you add filter rules that search for certain patterns in the message body or attachments, you can specify the minimum threshold for the number of times the pattern must be found. When AsyncOS scans the message, it totals the “score” for the number of matches it finds in the message and attachments. If the minimum threshold is not met, the regular expression does not evaluate to true. You can specify this threshold for text, smart identifiers, or content dictionary terms; and Table 32: Content Filter Conditions, including setting matching thresholds for identifying conditions as “true” per email).
The motivation to combine the arts is the same as that of Claim 15.
Regarding Claim 20:
The combination of Cisco, Mears, and Baldwin teaches the computer-readable medium of claim 15.
Cisco further teaches wherein multiple users are assigned to a particular type of content and the email stays in quarantine until it is approved by each of the multiple users (Cisco – P. 926: Table of Quarantine Types; and P. 930: Step 7 Specify the users who can access this quarantine, including a table describing customizable user roles; and P. 934: You can distribute message review and processing tasks to other administrative users. For example: • The Human Resources team can review and manage the Policy Quarantine. • The Legal team can manage the Confidential Material Quarantine. You assign access privileges to these users when you specify settings for a quarantine. In order to add users to quarantines, the users must already exist. Each user may have access to all, some, or none of the quarantines; and P. 938: A message in multiple quarantines: • Is not delivered unless it has been released from all of the quarantines in which it resides. If it is deleted from any quarantine, it will never be delivered. • Is not deleted from any quarantine until it has been deleted or released from all quarantines in which it resides. Because a user wanting to release a message may not have access to all of the quarantines in which it resides, the following rules apply: • A message is not released from any quarantine until it has been released from all of the quarantines in which it resides).
The motivation to combine the arts is the same as that of Claim 15.
Claim(s) 3, 12, and 17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Cisco in view of Mears, Baldwin, and Neystadt et al. (US 20250133111 A1), hereinafter Neystadt.
Regarding Claim 3:
The combination of Cisco, Mears, and Baldwin teaches the method of claim 1.
The combination of Cisco, Mears, and Baldwin does not expressly teach further comprising: generating a confidence score for the email that the set of scanners correctly categorized the email: and responsive to the confidence score failing to meet a confidence threshold value, quarantining the email without delivering the email to the recipient.
However, Neystadt teaches further comprising: generating a confidence score for the email that the set of scanners correctly categorized the email: and responsive to the confidence score failing to meet a confidence threshold value, quarantining the email without delivering the email to the recipient (Neystadt – Paragraph [0014]: An email security agent or scans or analyzes incoming emails and/or other messages that are conveyed or sent to end-users or recipients at the Protected Entity (e.g., SMS messages, IM messages, collaborative/team/workspace messaging item, website content, online posts that are accessed); performs tokenization of each such incoming (or conveyed) content or message; and converts the incoming (or conveyed) message or its tokens into indexed embeddings; and Paragraph [0018]: The email security agent may calculate the confidence score or the certainty score with regard to the legitimacy of a particular scanned email (or content), based on the features that were extracted and evaluated; and a particular email message (or content) that is determined or estimated or evaluated to be phishing-related or attack-related or malicious or fraudulent, may be handled by one or more particular fraud-mitigation/attack-prevention mechanisms; for example, the message may be deleted or discarded, or quarantined, or moved to a “Junk/Spam” folder, or flagged for particular review of a system administrator or a fraud department or of the intended recipient. In some embodiments, different confidence score values may trigger different types of remedial/preventive actions).
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to modify Cisco, Mears, and Baldwin, further incorporating Neystadt to arrive at the conclusion of the claimed invention. One would be motivated to incorporate Neystadt’s email categorization confidence scoring and subsequent action based thereon into Cisco, Mears, and Baldwin’s hierarchical email quarantine for ensuring email security. This addition would enhance the system by providing insight into system decisions in addition to automating responses to unusual circumstances.
Regarding Claim 12:
The combination of Cisco, Mears, and Baldwin teaches the device of claim 10.
The combination of Cisco, Mears, and Baldwin does not expressly teach wherein the operations further include: generating a confidence score for the email that the set of scanners correctly categorized the email; and responsive to the confidence score failing to meet a confidence threshold value, quarantining the email without delivering the email to the recipient.
However, Neystadt teaches wherein the operations further include: generating a confidence score for the email that the set of scanners correctly categorized the email; and responsive to the confidence score failing to meet a confidence threshold value, quarantining the email without delivering the email to the recipient (Neystadt – Paragraph [0014]: An email security agent or scans or analyzes incoming emails and/or other messages that are conveyed or sent to end-users or recipients at the Protected Entity (e.g., SMS messages, IM messages, collaborative/team/workspace messaging item, website content, online posts that are accessed); performs tokenization of each such incoming (or conveyed) content or message; and converts the incoming (or conveyed) message or its tokens into indexed embeddings; and Paragraph [0018]: The email security agent may calculate the confidence score or the certainty score with regard to the legitimacy of a particular scanned email (or content), based on the features that were extracted and evaluated; and a particular email message (or content) that is determined or estimated or evaluated to be phishing-related or attack-related or malicious or fraudulent, may be handled by one or more particular fraud-mitigation/attack-prevention mechanisms; for example, the message may be deleted or discarded, or quarantined, or moved to a “Junk/Spam” folder, or flagged for particular review of a system administrator or a fraud department or of the intended recipient. In some embodiments, different confidence score values may trigger different types of remedial/preventive actions).
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to modify Cisco, Mears, and Baldwin, further incorporating Neystadt to arrive at the conclusion of the claimed invention. One would be motivated to incorporate Neystadt’s email categorization confidence scoring and subsequent action based thereon into Cisco, Mears, and Baldwin’s hierarchical email quarantine for ensuring email security. This addition would enhance the system by providing insight into system decisions in addition to automating responses to unusual circumstances.
Regarding Claim 17:
The combination of Cisco, Mears, and Baldwin teaches The computer-readable medium of claim 15.
The combination of Cisco, Mears, and Baldwin does not expressly teach wherein the operations further include: generating a confidence score for the email that the set of scanners correctly categorized the email; and responsive to the confidence score failing to meet a confidence threshold value, quarantining the email without delivering the email to the recipient.
However, Neystadt teaches wherein the operations further include: generating a confidence score for the email that the set of scanners correctly categorized the email; and responsive to the confidence score failing to meet a confidence threshold value, quarantining the email without delivering the email to the recipient (Neystadt – Paragraph [0014]: An email security agent or scans or analyzes incoming emails and/or other messages that are conveyed or sent to end-users or recipients at the Protected Entity (e.g., SMS messages, IM messages, collaborative/team/workspace messaging item, website content, online posts that are accessed); performs tokenization of each such incoming (or conveyed) content or message; and converts the incoming (or conveyed) message or its tokens into indexed embeddings; and Paragraph [0018]: The email security agent may calculate the confidence score or the certainty score with regard to the legitimacy of a particular scanned email (or content), based on the features that were extracted and evaluated; and a particular email message (or content) that is determined or estimated or evaluated to be phishing-related or attack-related or malicious or fraudulent, may be handled by one or more particular fraud-mitigation/attack-prevention mechanisms; for example, the message may be deleted or discarded, or quarantined, or moved to a “Junk/Spam” folder, or flagged for particular review of a system administrator or a fraud department or of the intended recipient. In some embodiments, different confidence score values may trigger different types of remedial/preventive actions).
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to modify Cisco, Mears, and Baldwin, further incorporating Neystadt to arrive at the conclusion of the claimed invention. One would be motivated to incorporate Neystadt’s email categorization confidence scoring and subsequent action based thereon into Cisco, Mears, and Baldwin’s hierarchical email quarantine for ensuring email security. This addition would enhance the system by providing insight into system decisions in addition to automating responses to unusual circumstances.
Claim(s) 4, 13, and 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Cisco in view of Mears, Baldwin, and Tiwari et al. (US 20220044179 A1), hereinafter Tiwari.
Regarding Claim 4:
The combination of Cisco, Mears, and Baldwin teaches the method of claim 1.
Cisco further teaches further comprising: identifying that the first user of the first role is authorized to review multiple types of content; wherein a number of types of content that the first user is authorized to review is greater than a number of types of content that other users are authorized to review (Cisco – P. 926: Table of Quarantine Types; and P. 930: Step 7 Specify the users who can access this quarantine, including a table describing customizable user roles, including that Administrators have full access to all quarantines).
The combination of Cisco, Mears, and Baldwin does not expressly teach and wherein providing the email to the first user of the first role comprises providing the email to the first user of the first role prior to providing the email to users of other user roles.
However, Tiwari teaches and wherein providing the email to the user of the particular role comprises providing the email to the user of the first user role prior to providing the email to users of other user roles (Tiwari – Paragraph [0035]: In some embodiments, the preferred service characteristics include at least a cost, experience, and skill set of a candidate support worker. In some embodiments, the preferred service characteristics further include a time and qualification of a candidate support worker. Support workers may be the specific workers that perform the analysis and work on resolving the IT tickets. A candidate support worker may be a support worker that is being considered as a candidate to work on a ticket; and Paragraph [0040]: For example, the preferred characteristics may be a resolution time of 2 hours, an experience level of 15 years, a skillset level of 2, a qualification level of 3, and a cost of approximately $70 salary (per day, for example). The skillset level of 2 may indicate that the support worker has a moderate range of skills that they are versed in. The qualification level of 3 may indicate that the support worker is very qualified for the specific type of IT ticket issue, even if they do not have a large range of overall skills (as indicated by the skillset level). For example, a support worker may be very well versed in debugging and may have a high qualification level for debugging related IT tickets. In this example, the support worker may not have skills in areas other than debugging, however, and therefore may have a low skillset level. In another example, there may be minimal trends to the received IT tickets (in other words, there may not be multiple tickets in a same skillset), therefore a skillset of 3 may be preferred. These characteristics may be transmitted to a user interface and may be used to select one or more support workers that meet the preferred characteristics).
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to modify Cisco, Mears, and Baldwin, further incorporating Tiwari to arrive at the conclusion of the claimed invention. One would be motivated to incorporate Tiwari’s teaching to prioritize certain manual reviewers for handling certain issues based on an exhibited capability and qualification of the user to resolve a variety of types of problems into Cisco, Mears, and Baldwin’s hierarchical email quarantine for ensuring email security. This functionality would enable the system to route suspicious emails to users with wide-ranging skill sets first to further optimize system resources for resolving/approving the emails queued in the hierarchical quarantine taught by Cisco, Mears, and Baldwin.
Regarding Claim 13:
The combination of Cisco, Mears, and Baldwin teaches the device of claim 10.
Cisco further teaches wherein the operations further include: identifying that the first user of the first role is authorized to review multiple types of content; wherein a number of types of content that the first user is authorized to review is greater than a number of types of content that other users are authorized to review (Cisco – P. 926: Table of Quarantine Types; and P. 930: Step 7 Specify the users who can access this quarantine, including a table describing customizable user roles, including that Administrators have full access to all quarantines).
The combination of Cisco, Mears, and Baldwin does not expressly teach and wherein providing the email to the first user of the first role comprises providing the email to the user of the first role prior to providing the email to users of other roles.
However, Tiwari further teaches and wherein providing the email to the first user of the first role comprises providing the email to the user of the first role prior to providing the email to users of other roles (Tiwari – Paragraph [0035]: In some embodiments, the preferred service characteristics include at least a cost, experience, and skill set of a candidate support worker. In some embodiments, the preferred service characteristics further include a time and qualification of a candidate support worker. Support workers may be the specific workers that perform the analysis and work on resolving the IT tickets. A candidate support worker may be a support worker that is being considered as a candidate to work on a ticket; and Paragraph [0040]: For example, the preferred characteristics may be a resolution time of 2 hours, an experience level of 15 years, a skillset level of 2, a qualification level of 3, and a cost of approximately $70 salary (per day, for example). The skillset level of 2 may indicate that the support worker has a moderate range of skills that they are versed in. The qualification level of 3 may indicate that the support worker is very qualified for the specific type of IT ticket issue, even if they do not have a large range of overall skills (as indicated by the skillset level). For example, a support worker may be very well versed in debugging and may have a high qualification level for debugging related IT tickets. In this example, the support worker may not have skills in areas other than debugging, however, and therefore may have a low skillset level. In another example, there may be minimal trends to the received IT tickets (in other words, there may not be multiple tickets in a same skillset), therefore a skillset of 3 may be preferred. These characteristics may be transmitted to a user interface and may be used to select one or more support workers that meet the preferred characteristics).
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to modify Cisco, Mears, and Baldwin, further incorporating Tiwari to arrive at the conclusion of the claimed invention. One would be motivated to incorporate Tiwari’s teaching to prioritize certain manual reviewers for handling certain issues based on an exhibited capability and qualification of the user to resolve a variety of types of problems into Cisco, Mears, and Baldwin’s hierarchical email quarantine for ensuring email security. This functionality would enable the system to route suspicious emails to users with wide-ranging skill sets first to further optimize system resources for resolving/approving the emails queued in the hierarchical quarantine taught by Cisco, Mears, and Baldwin.
Regarding Claim 18:
The combination of Cisco, Mears, and Baldwin teaches the computer-readable medium of claim 15.
Cisco further teaches wherein the operations further include: identifying that the first user of the first role is authorized to review multiple types of content; wherein a number of types of content that the first user is authorized to review is greater than a number of types of content that other users are authorized to review (Cisco – P. 926: Table of Quarantine Types; and P. 930: Step 7 Specify the users who can access this quarantine, including a table describing customizable user roles, including that Administrators have full access to all quarantines).
The combination of Cisco, Mears, and Baldwin does not expressly teach and wherein providing the email to the first user of the first role comprises providing the email to the user of the first role prior to providing the email to users of other roles.
However, Tiwari further teaches and wherein providing the email to the first user of the first role comprises providing the email to the user of the first role prior to providing the email to users of other roles (Tiwari – Paragraph [0035]: In some embodiments, the preferred service characteristics include at least a cost, experience, and skill set of a candidate support worker. In some embodiments, the preferred service characteristics further include a time and qualification of a candidate support worker. Support workers may be the specific workers that perform the analysis and work on resolving the IT tickets. A candidate support worker may be a support worker that is being considered as a candidate to work on a ticket; and Paragraph [0040]: For example, the preferred characteristics may be a resolution time of 2 hours, an experience level of 15 years, a skillset level of 2, a qualification level of 3, and a cost of approximately $70 salary (per day, for example). The skillset level of 2 may indicate that the support worker has a moderate range of skills that they are versed in. The qualification level of 3 may indicate that the support worker is very qualified for the specific type of IT ticket issue, even if they do not have a large range of overall skills (as indicated by the skillset level). For example, a support worker may be very well versed in debugging and may have a high qualification level for debugging related IT tickets. In this example, the support worker may not have skills in areas other than debugging, however, and therefore may have a low skillset level. In another example, there may be minimal trends to the received IT tickets (in other words, there may not be multiple tickets in a same skillset), therefore a skillset of 3 may be preferred. These characteristics may be transmitted to a user interface and may be used to select one or more support workers that meet the preferred characteristics).
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to modify Cisco, Mears, and Baldwin, further incorporating Tiwari to arrive at the conclusion of the claimed invention. One would be motivated to incorporate Tiwari’s teaching to prioritize certain manual reviewers for handling certain issues based on an exhibited capability and qualification of the user to resolve a variety of types of problems into Cisco, Mears, and Baldwin’s hierarchical email quarantine for ensuring email security. This functionality would enable the system to route suspicious emails to users with wide-ranging skill sets first to further optimize system resources for resolving/approving the emails queued in the hierarchical quarantine taught by Cisco, Mears, and Baldwin.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Kim (US 20240007498 A1) teaches a method for sequential processing of emails through a hierarchical architecture including analyses for different threat types
Schafer et al. (US 10333974 B2) teaches systems and methods for analyzing suspicious emails by identifying and individually scoring email components
Judge (US 8631495 B2) teaches systems and methods for detecting threatening communications by extracting features and examining the features against a set of self-updating rules
Leddy et al. (US 20200067861 A1) teaches a system the implements updatable and variably-configurable filters to detect malicious messages
Jeyakumar et al. (US 20200344251 A1) teaches a system for identifying security threats in emails using a plurality of models implemented in order to detect threats in order of increasing/more particular risks
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to NICHOLAS JOSEPH DILUZIO whose telephone number is (703)756-1229. The examiner can normally be reached Mon - Fri -- 7:30 AM - 5 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached at 571-272-8878. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/NICHOLAS JOSEPH DILUZIO/Examiner, Art Unit 2498
/YIN CHEN SHAW/Supervisory Patent Examiner, Art Unit 2498