DETAILED ACTION
This action is response to communication:  response to original application filed on 11/04/2019.
Claims 1-17 are currently pending in this application.  
The IDS filed on 11/05/2019 has been accepted.  

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1, 4, 5, 8, and 10-17 are  rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1-19 of U.S. Patent No. 9,674,213, 1-18 of 9,961,101, and 1-20 of 10,505,968.  Although the claims at issue are not identical, they are not patentably distinct from each other because all the limitations in the present application are found in the parent patents.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:


Claims 1-17 are rejected under 35 U.S.C. 101 because the claimed invention lacks patentable utility. 
As per claims 1-16, the preamble of the independent claims recite a method/system for implementing a phishing assessment of a target computer.  However, the independent claims recite this is performed by performing a phishing attack.  The claims in general are directed toward generating a phishing attack.  This is not “useful.”  Although the intended purpose in the preamble is directed toward a phishing assessment, this does not cure the claims.  For example, a malicious user or hacker may perform all the steps of generating a webpage to phish a victim.  The malicious user, after performing the attack, may assess the security of the system after performing its attack.  Although the purpose of the claims may be directed toward generating an assessment, the claims themselves is not directed toward anything "useful" as the claims themselves are directed toward generating an attack.   
As per claim 17, preamble of the claim recites a method for testing a susceptibility of a computer network.  However, the claim is recited toward just implementing a phishing attack.  This is not useful as it does not provide any identifiable benefit and not capable of use (only useful for malicious reasons).  Thus, the claim lacks utility and is directed toward 101.  

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction 
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 4-6, and 9-17 are rejected under 35 U.S.C. 103 as being unpatentable over Chapman US Patent Application publication 2013/0198846 (hereinafter Chapman), in view of 
Ethical Hacking, “How to create fake or Phishing web page for gmail”, November 23, 2010, found at breakthesecurity.cysecurity.org/2010/11/how-to-create-fake-or-phishing-web-page-for-gmail.html, hereinafter Ethical Hacking)

As per claim 1, Chapman teaches a method for implementing a phishing campaign for testing computer security, the method comprising: constructing, using one or more computer processors, a phishing campaign including (Chapman abstract and throughout): generating a phishing domain name based on a legitimate domain name associated with a target entity (); building a phishing web page based on one or more attributes of a legitimate web page associated with the target entity or a legitimate web page of a service provider associated with the target entity (paragraph 17 with creating web page; see also paragraph 41; see paragraphs 48, 60, 64 wherein domains may be from its own system or public web page servers; see 
	Although Chapman teaches generating phishing scams utilizing web pages, Chapman does not explicitly teach generating a phishing domain based on a legitimate domain name associated with a target entity). However, this would have been obvious.  Genearting phishing domain names based on legitimate domain names is notoriously well known in the art.  For example, see Ethical Hacking (steps 3-5; step 5 with generating the domain name of choice; also see also Note on bottom with utilizing free short url sites to make users believe the phishing web page url).
	At the time the invention was filed, it would have been obvious to one of ordinary skill in the art to combine the teachings of Chapman with Ethical Hacking.  Ethical Hacking is in the same area of technology (network security, in particular, phishing) and it would have been obvious to combine Ethical Hacking as it provides more details on how implement better phishing schemes by stealing passwords of users (see intro paragraph of Ethical hacking).

	As per claim 4, the Chapman combination teaches wherein setting the one or more phishing communication ectors includes: setting a first phishing communication vector, and setting a second phishing communication vector that is distinct from the first communication vector; building the one or more phishing communication includes: building a first phishing communication for the first communication vector, and building a second phishing communication for the second communication vector (see Chapman paragraph 49 with different vectors such as different addresses, different times, different campaigns, etc; see also paragraph 69 and 71 with multiple emails for some recipients).
	As per claim 5, the Chapman combination teaches wherein the first phishing communication is transmitted through the first phishing communication vector, and the second phishing communication is transmitted through the second phishing communication vector (paragraph 49 with multiple campains at different times, addresses, etc; also see paragraphs 69 and 71 with multiple email messages).
	As per claim 6, the Chapman combination teaches wherein the first phishing communication vector, working in concert with the second communication vector, includes the phishing communication that directs a distinct phishing target to the second phishing communication comprising the second phishing communication (see paragraph 71 with multiple vectors, with second phishing email sent to those who responded to the first phishing email).
	As per claim 9, Chapman as modified teaches setting a deployment schedule for deploying the phishing campaign according to a spaced repetition technique that increases a 
As per claim 10, the Chapman combination eaches wherein implementing the phishing campaign includes implementing the phishing campaign via a web-based software platform operable on a web server or a distributed computing system (Chapman paragarph 32 and 33 with implemented on an appliance connected via the internet; see also Figure 1).
As per claim 11, the Chapman combination teaches authorizing an administrator to administer the phishing campaign, wherein authorizing the administrator includes setting an expiring authorization for the administrator that limits a duration that the administrator can deploy the phishing campaign (Chapman paragraph 15-17 and claims 2-4 wherein administer is allowed to perform actions; paragraph 68 wherein administrator can set a target end date; after end date, no more emails will be sent out which thus limits the duration the administrator from deploying the campaign).
As per claim 12, the Chapman combination eaches setting a deployment schedule for deplying the phishing campaign based on network communication metrics of the target entity, wherein the deployment schedule includes one or more deployment times that correspond to a highest computer network communication traffic period of the target entity (paragraphs 69-71 with different factors taken into consideration when sending the phishing emails; for example, see paragraph 71 wherein sending more phising emails to those who have been fooled (thus a highest communication traffic) ).

As per claim 14, it would have been obvious over the Chapman combination wherein setting the level of difficulty of the phishing campaign is based on a sophistication classification of the plurality of phishing targets, setting the level of difficulty of the phishing campaign includes a first sophistication level when the sophistication classification is below a sophistication threshold and setting the level of difficulty of the phishing campaign includes a second sophistication level when the sophisitication classification satisfies or exceeds the sophistication threshold (obvious over Chapman; see paragraph 40 with categorization of employees; see further paragraph 71 with sending more emails to those who have been susceptible; as Chapman teaches setting levels of difficulty based on history and also phishing assemsnets based on the high access employees, it would have been obvious to one of ordinary skill in the art to set levels of difficulty based on high-access classifications as problems riseing from high-access classification employees may damage a system more and would have been obvious to correct such issues; further, setting levels of difficulty based on high-access classifications is merely a design choice; also see pragarphs 62 and 63 with further tests on susceptibility of employees). 
As per claim 15, Chapman as modified teaches setting a testing duration of the phishing campaign to a predetermined period, wherein setting the testing duration includes randomly selecting a subset of the plurality of phishing targets to test via the phishing campaign over 
Claim 16 is rejected using the same basis of arguments used to reject claim 1 above.
Claim 17 is rejected using the same basis of arguments used to reject claim 1 above. 

Claims 2 and 3 are rejected under 35 U.S.C. 103 as being unpatentable the Chapman combination as applied above, and further in view of Miller US Patent Application Publication 2014/0115704 (hereinafter Miller).
As per claim 2, The Chapman combination does not explicitly teach wherein generating the phishing domain name includes: selecting at least one homoglyphic transformation technique from a plurality of distinct homogloyphic transformation techniques; automatically generating the phishing domain name based on transforming the legitimate domain name using the homoglyphic transformation technique.  However, such limitations would have been obvious.  Ethical Hacking already teaches generating web page urls with free short url sites to make users believe that it is the correct URL.  Further, Chapman teaches that generating phshihg websites may utilize templates which allows users a high level of technical control over web page design.  Thus, choosing a homoglopyic transformation technique would have been obvious over the references as it would allow the generation of webpages that look like a legitimate webpage, thus producing more user believability (see note in Chapman which creates URLs to establish believability).  For a further teaching on homoglyphic transformation and phishing, see Miller (paragraph 1, wherein phishing websites may utilize homoglyph attacks which creates spoofed domain names that look like real domain names; see also paragraph 14 with multiple homoglyph techniques, with techniques/substitutions for different letters). 

Claim 3 is rejected similarly using the same basis of arguments used to reject claim 2.  See further paragraph 14 wherein multiple homoglyphic techniques may be used (see paragraph 14 with different homoglpyh set for different letters/characters of the alphabet; see also Chapman in paragraph 61 with multiple templates for generating phishing webpages).
At the time the invention was filed, it would have been obvious to one of ordinary skill in the art to combine the teachings of the Chapman combination with Miller.  One of ordinary skill in the art would have been motivated to perform such an addition to create domain names that look the same as the real domain name (paragraph 1 of Miller).

Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable the Chapman combination as applied above, and further in view of Hulten et al. US Patent Application Publication 2009/0006575 (hereinafter Hulten).
As per claim 8, Chapman as modified teaches setting one or more phishing communication vectors, but does not explicitly teach identifying an optimal phishing communication vector for each of the plurality of phishing targets based on identifying a vector usage for each of the plurality of phishing targets, and setting the optimal phishing communication vector as at least one of the one or more phishing communication vectors for each of the plurality of phishing targets.  However, this would have been obvious.  For example, 
At the time the invention was filed, it would have been obvious to one of ordinary skill in the art to combine the teachings of the Chapman combination with Hulten.  One of ordinarys kill in the art would have been motivated to perform such an addition to more easily steal sensitive data from a user by impersonating websites that the user is known to visit. 

Allowable Subject Matter
Claim 7 would be allowable if rewritten to overcome the rejection(s) under 35 U.S.C. 101 set forth in this Office action and to include all of the limitations of the base claim and any intervening claims.
The following is a statement of reasons for the indication of allowable subject matter: 
As per claim 7, the prior art cited above teaches multiple elements of the claims, but the limitations, combined with the independent claims, would not have been obvious over the cited art of record. 

	

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JASON KAI YIN GEE whose telephone number is (571)272-6431.  The examiner can normally be reached on Monday-Friday 8:30-5:00 PST Pacific.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on (571) 272-3739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/JASON K GEE/Primary Examiner, Art Unit 2495