DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Information Disclosure Statement
The information disclosure statements (IDS) submitted on 08/06/2019, 11/14/2019, 11/18/2019, 02/19/2020, 02/24/2020, 04/23/2020, 06/02/2020, and 08/14/2020 are being considered by the examiner.
Drawings
The drawings are objected to because 
They do not include the reference number 58 for a data center mentioned in the description.
Fig. 5A 104 recites the word FEATERS instead of FEATURES.  
Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. The figure or figure number of an amended drawing should not be labeled as “amended.” If a drawing figure is to be canceled, the appropriate figure must be removed from the replacement sheet, and where necessary, the remaining figures must be renumbered and appropriate changes made to the brief description of the several views of the drawings for consistency. Additional replacement sheets may be necessary to show the renumbering of the remaining figures. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by 
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-4, 6, 10-13 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Pat. Appl. Publ’n No. 2019/0104154 A1 to Kumar et al. hereinafter(“Kumar”), in view of U.S. Patent No. 9,130,988  B2 to Seifert et al. hereinafter(“Seifert”)

Regarding claim 1, Kumar teaches:
A system for detection of security threats and/or malicious actions, comprising: 
one or more processors and at least one memory (Kumar, Fig. 4, ¶ [0071], processor 402 and memory 410) having a plurality of instructions (Kumar, Fig. 4, ¶ [0072], software module with multiple instructions) that when executed by the one or more processors implement one or more components are configured to: 
receive a request (Kumar, Fig. 3A, ¶ [0065], receiving a request like URL or email that includes a URL) seeking information or data related to a user's credentialing or personal information (Kumar, ¶ [0064], URL of a login webpage requesting user credential and personal information like username, password, email address, social security number and birthday), and determine whether the request is associated with a webpage or requestor that is known to be malicious or known to be safe (Kumar, Fig. 3A, ¶ [0066], determining by step 306 that includes analyzing the URL to check whether it is benign or phishing); 
if the request is not determined to be associated with a known malicious or known safe webpage or requestor, obtain a screenshot related to the request (Kumar, Fig. 3A 308, ¶ [0066], if the URL is cannot be determined to be either benign or phishing then a screenshot of the webpage to which the URL resolves is obtained); 
submit the screenshot to a machine learning model (Kumar, Fig. 1, ¶ [0043 and 0047], machine learning model. Screenshot is submitted to the content fetcher 104 which is part of the machine learning model. See also ¶ [0024]), and generate a … that the request is malicious or non-malicious based on screenshot information identified and extracted from the screenshot using the machine learning model (Kumar, ¶ [0027 and 0069-0070], model calculates set of confidences to determine highest confidence. The highest confidence is used to determine if the requesting URL is phishing or non-phishing); and 
if the … that the request is malicious exceeds a prescribed threshold, classify the request and/or webpage and/or requestor associated therewith as a malicious (Kumar, Fig. 3A 3B, ¶ [0068-0070], highest confidence exceeds predefined threshold then it is determined as malicious URL) and/or generate and provide an alarm, alert, or notification (Kumar, Fig. 3a 3b block 322, ¶ [0070], if it is a phishing attack then alert is issued to a network or cybersecurity analyst).
Kumar does not teach the limitation of generating or calculating a probability. Seifert remedies and teaches producing a probability score (Seifert, col. 14 lines 9-33). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Kumar with the teachings of Seifert to calculate the probability score with the motivation to increase the confidence of a true match based on multiple interest points of an image or a screenshot (Seifert, col. 18, lines 49-58).

Regarding claim 2, Kumar in view of Seifert teaches:
The system of claim 1, wherein the request comprises at least one of a webpage or an email requesting the user's information or credentials (Kumar, ¶ [0011], URL request resolving to webpage that is a login webpage through which user enters their credentials. See also ¶ [0019] for login webpages of banks or other online companies like Apple, Netflix etc.).

Regarding claim 3, Kumar in view of Seifert teaches:
(Kumar, ¶ [0019], URL request resolving to webpage that is a login webpage for bank accounts or other online accounts like Apple, Netflix, etc.).
Kumar does not teach the limitation that the information or data sought by the request for information includes links to webpages as a combination to the webpages with a login form as taught by Kumar. Seifert remedies and teaches that the request for information includes hyperlinks to webpages based on the search request (Seifert, col. 4 lines 1-11, the search request returns list of hyperlinks referencing webpages). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Kumar with the teachings of Seifert to also have requests that include links to webpages with the motivation to also capture requests for phishing that include landing pages such as search engines, advertisements and other references to landing pages that provide links to other webpages (Seifert, col. 1 lines 49-58)

Regarding claim 4, Kumar in view of Seifert teaches:
The system of claim 1, wherein the one or more components include a detection and extraction processor (Kumar, ¶ [0057-0058], Fig. 2, URL extractor and Pre-Filter make up the detection and extraction processor) configured to compare the information or data sought by the request for information to information or data of a Blacklist and/or a Whitelist to determine whether the request for information is associated with a site or requestor that is a known to be malicious or known to be safe (Kumar, ¶ [0058], URL extractor extracts the URL and Pre-filter performs scans against whitelist and blacklist to determine URLs associated with cyberattacks or to be benign).

Regarding claim 6, Kumar in view of Seifert teaches:
The system of claim 1, wherein the screenshot information includes user interface elements (Kumar, ¶ [0020], keypoints corresponding to screenshots like UI design elements such as logos, layout and visual elements. See ¶ [0015] for design elements), logos (Kumar, ¶ [0019]), slogans, trademarks (Kumar, ¶ [0020], screenshot keypoints to capture common branding), phrases, keywords, images (Kumar ¶ [0024], screenshots having webpage images), indicia, or combinations thereof.

Regarding claim 10, Kumar in view of Seifert teaches:
A method for detecting or classifying malicious activities, comprising: 
(Kumar, Fig. 3A, ¶ [0064-0065], receiving a request like URL or email that includes a URL. URL of a login webpage requesting user credential and personal information like username, password, email address, social security number and birthday. See also ¶ [0019] for URL requests of login pages of banks and other online accounts); 
obtaining one or more screenshots associated with the request (Kumar, Fig. 3A 308, ¶ [0066], if the URL is cannot be determined to be either benign or phishing then a screenshot of the webpage to which the URL resolves is obtained); 
providing the one or more screenshots and the request information to a classifier including a machine learning model (Kumar, Fig. 1, ¶ [0043 and 0047], classifier and machine learning model. URL and screenshot are submitted to the content fetcher 104 which is part of the machine learning model which also includes classifier. See also ¶ [0024]); 
generating with the machine learning model a … or confidence level that the request is malicious based at least in part on identified screenshot information from the one or more screenshots and the request information (Kumar, ¶ [0027 and 0069-0070], model calculates set of confidences to determine highest confidence. The highest confidence is used to determine if the requesting URL is phishing or non-phishing); 
if the … or confidence level that the request is malicious exceeds a prescribed threshold, classifying the request and/or an actor associated with the request as malicious (Kumar, Fig. 3A 3B, ¶ [0068-0070], highest confidence exceeds predefined threshold then it is determined as malicious URL) and generating an alert, notification or alarm (Kumar, Fig. 3a 3b block 322, ¶ [0070], if it is a phishing attack then alert is issued to a network or cybersecurity analyst) … 
Kumar does not teach the limitation of generating or calculating a probability and blocking further communication with the request and/or the actor associated with malicious request. Seifert remedies and teaches producing a probability score (Seifert, col. 14 lines 9-33) and blocking further communication with the request and/or the actor associated with malicious request by blocking malicious pages that show up in the search results (Seifert, col. 22 lines 11-23). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Kumar with the teachings of Seifert to calculate the probability score and block further communication with malicious pages with the motivation to increase the confidence of a true match based on multiple interest points of an image or a screenshot (Seifert, col. 18, lines 49-58) and to (Seifert, col. 6 lines 48-53).

Regarding claim 11, Kumar in view of Seifert teaches:
The method of claim 10, wherein the request compromises a webpage or email requesting a user's login information or credentials (Kumar, ¶ [0011], URL request resolving to webpage that is a login webpage through which user enters their credentials. See also ¶ [0019] for login webpages of banks or other online companies like Apple, Netflix etc.).

Regarding claim 12, Kumar in view of Seifert teaches:
The method of claim 11, wherein the information or data related to the request includes iterate URLs, POST requests, email data in a data center, emails forwarded by user, webpages with a login form, or combinations thereof (Kumar, ¶ [0019], URL request resolving to webpage that is a login webpage for bank accounts or other online accounts like Apple, Netflix, etc.).

Regarding claim 13, Kumar in view of Seifert teaches:
The method of claim 11, further comprising: 
comparing the information or data related to the request information to information or data in a blacklist and/or a whitelist to determine whether the request is a known malicious or known safe request (Kumar, ¶ [0058], URL extractor extracts the URL and Pre-filter performs scans against whitelist and blacklist to determine URLs associated with cyberattacks or to be benign)

Regarding claim 15, it is rejected as claim 6.

Claims 5 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Pat. Appl. Publ’n No. 2019/0104154 A1 to Kumar et al. hereinafter(“Kumar”), in view of U.S. Patent No. 9,130,988  B2 to Seifert et al. hereinafter(“Seifert”), as applied to claims 4 and 11 and further in view of U.S. Patent No. 9,558,352 B1 to Dennison et al. hereinafter(“Dennison”)

Regarding claim 5, Kumar in view of Seifert teaches:
(Kumar, ¶ [0057-0058], Fig. 2, URL extractor and Pre-Filter make up the detection and extraction processor) is configured to compute or extract one or more features from the information or data sought by the request (Kumar, ¶ [0058], URL extractor extracts the URL and Pre-filter performs scans), … , to determine whether the request is a known safe or known malicious request (Kumar, ¶ [0058], determine URL requests are either cyberattacks or benign)
The combination of Kumar and Seifert does not teach the limitation that the detection and extraction processor is configured to include domain reputation, IP analysis, keywords in an email, domain registration age, domain registrar, domain’s SSL certificate details or combination thereof. Dennison remedies and teaches that the detection and extraction processor is configured to include IP analysis (Dennison, col. 11 lines 14-21, identifying internal and external IP addresses from the connection records), a domain registration age (Dennison, col. 20 lines 60-65, domain registration date can be used to find domain registration age), a domain registrar (Dennison, col. 21 lines 20-35). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Kumar and Seifert with the teachings of Dennison to configure detection and extractor processor to include IP analysis, domain registration age and domain registrar with the motivation to assign a score determined based on the domains names satisfying a particular threshold in the list of domain names (Dennison, col. 2 lines 47-61) and also to analyze whether recently registered domain names are more likely to be associated with malicious activity or not (Dennison, col. 20 lines 36-41) 

Regarding claim 14, it is rejected as claim 5.

Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over U.S. Pat. Appl. Publ’n No. 2019/0104154 A1 to Kumar et al. hereinafter(“Kumar”), in view of U.S. Patent No. 9,130,988  B2 to Seifert et al. hereinafter(“Seifert”) as applied to claim 1 and further in view of U.S. Patent No. 10,834,128 B1 to Rajagopalan et al. hereinafter(“Rajagopalan”)

Regarding claim 7, Kumar in view of Seifert teaches:
The system of claim 1.
The combination of Kumar and Seifert does not teach that one or more components include a web automation framework to facilitate obtaining of the screenshot in isolation. Rajagopalan remedies (Rajagopalan, Fig. 6, col. 12 lines 45-55, URL extractor submits URL to a sandbox testing environment and takes a screenshot of the URL. URL extractor is isolated from user device, see Fig. 1). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Kumar and Seifert with the teachings of Rajagopalan to include a testing automation framework or environment such as sandbox testing environment to capture the screenshot in isolation with the motivation to obtain screenshots in a secured manner without opening the URLs or links through the user’s system to capture the screenshot.

Claims 8 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Pat. Appl. Publ’n No. 2019/0104154 A1 to Kumar et al. hereinafter(“Kumar”), in view of U.S. Patent No. 9,130,988  B2 to Seifert et al. hereinafter(“Seifert”) as applied to claims 1 and 11, further in view of U.S. Pat. Appl. Publ’n No. 2019/0122258 to Bramberger et al. hereinafter(“Bramberger”)
Regarding claim 8, Kumar in view of Seifert teaches:
The system of claim 1, wherein the machine learning model includes a machine learning algorithm (Kumar, ¶ [0024], machine learning algorithm) … 
The combination of Kumar and Seifert does not teach the limitation that the machine learning model includes neural network with a regional proposal algorithm. Bramberger remedies and teaches that the machine learning model includes regional convolutional neural network (Bramberger, ¶ [0180- 0181, machine learning regional convolutional neural network). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Kumar and Seifert with the teachings of Bramberger to include regional convolutional neural network in the machine learning model with the motivation to compute list of regions and a confidence score for each region of the screenshot captured to identify maliciousness of the request.

Regarding claim 16, it is rejected as claim 8.

Claims 9 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Pat. Appl. Publ’n No. 2019/0104154 A1 to Kumar et al. hereinafter(“Kumar”), in view of U.S. Patent No. 9,130,988  
Regarding claim 9, Kumar in view of Seifert teaches: 
The system of claim 1.
The combination of Kumar and Seifert does not teach the limitation of one or more components configured to generate or update a Blacklist of known malicious requests based on the output of the machine learning model. Lin remedies and teaches generating and updating the blacklist of known malicious requests based on output of the machine learning model. (Lin, col. 4 lines 10-27, col. 7 lines 1-28, machine learning technique used to generate prediction model that outputs a score based on which the blacklist is updated with URL request). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Kumar and Seifert with the teachings of Lin to generate and update the blacklist based on the output of the machine learning model so that distribution of the content based on low score in the blacklist based on machine learning model can be restricted or can be flagged as suspicious requiring further administrative review or action (Lin, col. 4 lines 10-27)

Regarding claim 17, it is rejected as claim 9.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Pope et al., U.S. Pat. Appl. Publ’n No. 2018/0288198 A1 discloses a system of network devices that apply machine learning to the hardware to identify risk associated with the network packets using blacklist and whitelist providers.
Titonis et al., U.S. Patent. No. 10,762,206 B2 discloses a method to determine malicious mobile applications using machine learning for static and behavioral analysis and sandbox environment.

Kohavi, EP 3 599 753 A1 discloses a method for detecting phishing message using semantic analysis of the URL, analysis of the webpage that the URL resolves to and statistical analysis of the URLs.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to NIRAV SHAH whose telephone number is (408)918-7592.  The examiner can normally be reached on Monday - Thursday and alternate Fridays, 7:30-4:30 PT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on (571) 272-3862.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






                                                                                                                                                                                                    /CARL G COLIN/Supervisory Patent Examiner, Art Unit 2493