DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
This office action is in response to amendment filed on 12/18/2020.  The Applicant amended claims 1, 6, 8, 13, and 15.  The Applicant has canceled claims 3, 5, 10, 12, and 18.  The Applicant has added claims 24-29.  Claims 1, 6-8, 13-15, and 19-29 have been examined.  This action is Final.


Response to Amendments

Applicant's arguments filed 12/18/2020 have been fully considered but they are not persuasive. 
On page 11 of the Applicant’s arguments, the Applicant argues “it is respectfully submitted that the rejected claims are patentable over the art of record based on at least the third criterion of obviousness: none of the references alone or in combination teach, suggest, or disclose each claim limitation of the independent claims. Independent Claim 1 recites (inter alia) "...determining scripts associated with the website using a webextension application programming interface; blocking the website if a script associated with the website is blacklisted; obtaining a string format of each of the determined scripts associated with the website using an Extensible Markup Language/Hypertext Transfer Protocol request; analyzing the string format of each of the determined scripts to determine if a specific script is related to cryptomining malware; blocking the website if the specific script is related to cryptomining malware; and sending one or more uniform resource locators associated with the website to a security engine for further analysis when usage of a computer processing unit increases more than a threshold amount during access to the website." 
             (A).  Applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.

On pages 11-12 of the Applicant’s arguments, the Applicant argues “no reference includes a feature for determining scripts associated with the website using a webextension application programming interface, blocking the website if a script associated with the website is blacklisted, obtaining a string format of each of the determined scripts associated with the website using an Extensible Markup Language/Hypertext Transfer Protocol request, analyzing the string format of each of the determined scripts to determine if a specific script is related to cryptomining malware, blocking the website if the specific script is related to cryptomining malware, and sending one or more uniform resource locators associated with the website to a security engine for further analysis when usage of a computer processing unit increases more than a threshold amount during access to the website”. 

           (B).  Applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date 

Claims 1, 8, 15, and 21-29 are rejected under 35 U.S.C. 103 as being unpatentable over Kaul (8,903,941) in view of Napchi et al (2018/0139180) in view of Wan et al (9,398,032), in view of Bogorad (8,185,956), in view of Be’ery (2017/0339165) and further in view of Hazay et al (2019/0364057).

As per claim 1, Kaul discloses a method comprising:
     identifying a website (Kaul: col. 1, lines 62-63, col. 5, lines 25-33, receives a webpage (i.e. identifying a website) associated with a uniform resource locator (URL));
     determining scripts associated with the website (Kaul: col. 2, lines 9-10, col. 5, lines 30-33, identifying a scripts within a webpage);
     blocking the website if a script associated with the website is blacklisted (Kaul: col. 5, lines 34-37, col. 10, lines 33-40, blocking the webpage (i.e. website) if a script associated with the webpage is blacklisted);
     obtaining a string format of each of the determined scripts associated with the website (Kaul: col. 13, lines 25-36,  obtaining a string format (i.e. script text within HTML code, Javascript, ASP, Python etc..) of each of the determined scripts associated with the webpage);
Kaul does not explicitly disclose using a webextension application programming interface; and send to a security engine for further analysis when usage of a computer processing unit increases during access to the website.


Napchi discloses determining scripts associated with the website using a webextension application programming interface (Napchi: para. 0006, 0141, 0183, detecting scripts (i.e. webpage code/DOM) associated with the website(i.e. webpage) using Mutation Observer(i.e. webextension application programming interface); and send to a security engine for further analysis when usage of a computer processing unit increases during access to the website (Napchi: para. 0065, 0070, 0125, 0172,  increase processor utilization when user visits the webpage (i.e. during access to the website)).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to include using a webextension application programming interface; and send to a security engine for further analysis when usage of a computer processing unit increases during access to the website of Napchi with Kaul are analogous in the art of determining if a script is malicious, the motivation is that the webextension API is used to monitor for changes of the web page associated with scripts; thereby, providing a real-time monitoring of components of the web page code that can detect real-time deviations, and thus a degradation in user experience of a visitor to the web page (Napchi: para. 0070).
Kaul and Napchi do not explicitly disclose analyzing the string format of each of the determined scripts to determine if a specific script is related to malware; and blocking the website if the specific script is related to malware.
Wan discloses analyzing the string format of each of the determined scripts to determine if a specific script is related to malware (Wan: col. 1, lines 48-51, col. 3, lines 35-42, 55-60, 61-67, col. 4, lines 1-14, See Fig. 3 #310, #312, #314, See Fig. 4 #406, script analyzer server analyzes the unique script (i.e. specific script) to determine if a specific script (i.e. unique script) is related to malware (i.e. malicious)); and blocking the website if the specific script is related to malware (Wan: See Fig. 3 #316, col. 4, lines 15-24,  security action(s)(i.e. blocking).

Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention analyzing the string format of each of the determined scripts to determine if a specific script is related to malware; and blocking the website if the specific script is related to malware to combine the teachings of Wan with the combination method/system of Kaul-Napchi, both are analogous in the art of determining if a website and script are malicious.  One would have been motivated to include analyzing the string format of each of the determined scripts to determine if a specific script is related to malware; and blocking the website if the specific script is related to malware of Wan, because an antivirus scanner has limitations in scanning for scripts on web pages, thus the method of Wan is an efficient method of scanning scripts for malware (Wan: col. 1, lines 29-32).  
Kaul, Napchi, and Wan do not explicitly disclose send one or more uniform resource locators associated with a website to a security engine for further analysis when usage of a computer processing unit increases more than a threshold amount.
Bogorad discloses send one or more uniform resource locators associated with a website to a security engine for further analysis when usage of a computer processing unit increases more than a threshold amount (Bogorad: col. 4, lines 47-58, col. 5, lines 34-43, col. 9, lines 20-31).
It would have been obvious to one of ordinary skill in the art at the time of the effective filing date before the claimed invention to include send one or more uniform resource locators associated with a website to a security engine for further analysis when usage of a computer

 processing unit increases more than a threshold amount of Bogorad with the combination of Kaul-Napchi-Wan all are analogous in the art of detecting for malware, the motivation is that an increase in the CPU usage above a recorded baseline (i.e. threshold) may be indicative of a 
malware infection, thus further analysis needs to be conducted to determine if the website is malicious or not, thus this is an effective security measure (Bogorad: col. 4, lines 54-59).

             Kaul, Napchi, Wan, and Bogorad, do not explicitly discloses using an Extensible Markup Language/Hypertext Transfer Protocol request.
	Be’ery discloses using an Extensible Markup Language/Hypertext Transfer Protocol request (Be’ery: para. 0064, 0105, 0143, HTTP request (Hypertext Transfer Protocol)).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention using an Extensible Markup Language/Hypertext Transfer Protocol of Be’ery with the method/system of Kaul-Napchi-Wan-Bogorad combination, all are analogous in the art analyzing scripts.  One would have been motivated to include using an Extensible Markup Language/Hypertext Transfer Protocol request of Be’ery is a security measure that insures the HTTP request obtains the string format in order to determine is the script is malicious or not (Be’ery: para. 0064).
Kaul, Napchi, Wan, Bogorad, and Be’ery do not disclose cryptomining.
Hazay discloses the cryptomining (Hazay: para. 0012, 0017, cryptocurrency mining script (i.e. cryptomining malware)).
	Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to include cryptomining of Hazay with the

method/system of Kaul-Napchi-Wan-Bogorad-Be’ery combination, all are analogous in the art of detecting for malware.  One would have been motivated to include cryptomining, because cryptocurrency mining consumes a lot of energy, and crypto-currency is a relatively new technology that has evolved in recent years and is getting more attention (Hazay: para. 0014). 

	As per claim 8, rejected under similar scope as claim 1.

As per claim 15, Kaul discloses an apparatus to determine a presence of cryptomining malware, the apparatus comprising:
memory (Kaul: See Fig. 4, memory #406);
at least one processor (Kaul: See Fig. 4 #402 CPU); and
a security engine, the security engine configured to (Kaul: See Fig. 4, transcoding services module #110(i.e. security engine)): 
identify a website (Kaul: col. 1, lines 62-63, col. 5, lines 25-33, receives a webpage (i.e. identifying a website) associated with a uniform resource locator (URL));
determine one or more uniform resource locators associated with the website (Kaul: col. 1, lines 65-67, determine if the URL(i.e. uniform resource locator) associated with the webpage); 
block the website if a uniform resource locator associated with the website is blacklisted (Kaul: col. 1, lines 66-67, col. 5, lines 38-40, block the webpage if the URL associated the webpage is blacklisted);
determine scripts associated with the website (Kaul: col. 2, lines 9-10, col. 5, lines 30-33, identifying a scripts within a webpage); 
(Kaul: col. 5, lines 34-37, col. 10, lines 33-40, blocking the webpage (i.e. website) if a script associated with the webpage is blacklisted); 
obtain a string format of each of the determined scripts associated with the website (Kaul: col. 13, lines 25-36,  obtaining a string format (i.e. script text within HTML code, Javascript, ASP, Python etc..) of each of the determined scripts associated with the webpage).
Kaul does not explicitly disclose using a webextension application programming interface; and send to a security engine for further analysis when usage of a computer processing unit increases during access to the website.
Napchi discloses determining scripts associated with the website using a webextension application programming interface (Napchi: para. 0006, 0141, 0183, detecting scripts (i.e. webpage code/DOM) associated with the website(i.e. webpage) using Mutation Observer(i.e. webextension application programming interface); and send to a security engine for further analysis when usage of a computer processing unit increases during access to the website (Napchi: para. 0065, 0070, 0125, 0172,  increase processor utilization when user visits the webpage (i.e. during access to the website)).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to include using a webextension application programming interface; and send to a security engine for further analysis when usage of a computer processing unit increases during access to the website of Napchi with Kaul are analogous in the art of determining if a script is malicious, the motivation is that the webextension API is used to monitor for changes of the web page associated with scripts; thereby, providing a real-time monitoring of components of the web page code that can detect (Napchi: para. 0070).

Kaul and Napchi do not explicitly disclose analyzing the string format of each of the determined scripts to determine if a specific script is related to malware; and blocking the website if the specific script is related to malware.
Wan discloses analyzing the string format of each of the determined scripts to determine if a specific script is related to malware (Wan: col. 1, lines 48-51, col. 3, lines 35-42, 55-60, 61-67, col. 4, lines 1-14, See Fig. 3 #310, #312, #314, See Fig. 4 #406, script analyzer server analyzes the unique script (i.e. specific script) to determine if a specific script (i.e. unique script) is related to malware (i.e. malicious)); and blocking the website if the specific script is related to malware (Wan: See Fig. 3 #316, col. 4, lines 15-24,  security action(s)(i.e. blocking).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention analyzing the string format of each of the determined scripts to determine if a specific script is related to malware; and blocking the website if the specific script is related to malware to combine the teachings of Wan with the combination method/system of Kaul-Napchi, both are analogous in the art of determining if a website and script are malicious.  One would have been motivated to include analyzing the string format of each of the determined scripts to determine if a specific script is related to malware; and blocking the website if the specific script is related to malware of Wan, because an antivirus scanner has limitations in scanning for scripts on web pages, thus the method of Wan is an efficient method of scanning scripts for malware (Wan: col. 1, lines 29-32).  

Bogorad discloses send one or more uniform resource locators associated with a website to a security engine for further analysis when usage of a computer processing unit increases more than a threshold amount (Bogorad: col. 4, lines 47-58, col. 5, lines 34-43, col. 9, lines 20-31).
It would have been obvious to one of ordinary skill in the art at the time of the effective filing date before the claimed invention to include send one or more uniform resource locators associated with a website to a security engine for further analysis when usage of a computer processing unit increases more than a threshold amount of Bogorad with the combination of Kaul-Napchi-Wan all are analogous in the art of detecting for malware, the motivation is that an increase in the CPU usage above a recorded baseline (i.e. threshold) may be indicative of a malware infection, thus further analysis needs to be conducted to determine if the website is malicious or not, thus this is an effective security measure (Bogorad: col. 4, lines 54-59).
            Kaul, Napchi, Wan, and Bogorad, do not explicitly discloses using an Extensible Markup Language/Hypertext Transfer Protocol request.
	Be’ery discloses using an Extensible Markup Language/Hypertext Transfer Protocol request (Be’ery: para. 0064, 0105, 0143, HTTP request (Hypertext Transfer Protocol)).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention using an Extensible Markup Language/Hypertext Transfer Protocol of Be’ery with the method/system of Kaul-Napchi-Wan-Bogorad combination, all are analogous in the art analyzing scripts.  One would have been motivated to include using an Extensible Markup Language/Hypertext Transfer Protocol request (Be’ery: para. 0064).

Kaul, Napchi, Wan, Bogorad, and Be’ery do not disclose cryptomining.
Hazay discloses the cryptomining (Hazay: para. 0012, 0017, cryptocurrency mining script (i.e. cryptomining malware)).
	Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to include cryptomining of Hazay with the method/system of Kaul-Napchi-Wan-Bogorad-Be’ery combination, all are analogous in the art of detecting for malware.  One would have been motivated to include cryptomining, because cryptocurrency mining consumes a lot of energy, and crypto-currency is a relatively new technology that has evolved in recent years and is getting more attention (Hazay: para. 0014). 

As per claim 21, Kaul, Napchi, Wan, Bogorad, Be’ery, and Hazay discloses the method of Claim 1. further comprising:
Napchi further discloses communicating a notification to a user when usage of the computer processing unit increases more than the threshold amount during access to the website (Napchi: para. 0069-0070).
Same motivation as claim 1 above.





As per claim 22, Kaul, Napchi, Wan, Bogorad, Be’ery, and Hazay discloses the method of Claim 1. 
Napchi further discloses communicating, to a user, an option to allow access to the website when usage of the computer processing unit increases more than the threshold amount during access to the website (Napchi: para. 0070, 0130, option to allow (i.e. user sets the rules to define tolerable reduction in performance, allowable).

It would have been obvious to one of ordinary skill in the art at the time of the effective filing date before the claimed invention to include communicating, to a user, an option to allow access to the website when usage of the computer processing unit increases more than the threshold amount during access to the website of Napchi with Kaul-Wan-Bogorad-Be’ery-Hazay all are analogous in the art of detecting malware, the motivation is that providing a user the option to allow access to the website when usage of CPU increases is a flexible method of allowing user the opportunity or determine if the reduction in performance is tolerable (Napchi: para. 0130).

As per claim 23, Kaul, Napchi, Wan, Bogorad, Be’ery, and Hazay discloses the method of Claim 22.   
Napchi further discloses wherein access to the website and scripts related to the website are blocked if the user does not allow access to the website (Napchi: para. 0010, 0041, 0065, 0130).
Same motivation as claim 1.

As per claims 24 and 27, are rejected under the same basis as claim 21.
As per claims 25 and 28, are rejected under the same basis as claim 22.
As per claims 26 and 29, are rejected under the same basis as claim 23.

Claims 6-7, 13-14, and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Kaul (8,903,941) in view of Napchi et al (2018/0139180) in view of Wan et al (9,398,032), and in view of Bogorad (8,185,956), in view of Be’ery (2017/0339165) in view of Hazay et al (2019/0364057) and further in view of Landa (2015/0200961).

As per claim 6, Kaul, Napchi, Wan, Bogorad, Be’ery, and Hazay discloses the method of Claim 1.
 Kaul, Napchi, Wan, Bogorad, Be’ery, and Hazay do not explicitly disclose wherein the string format of each of the determined scripts associated with the website are analyzed using a regular expression analysis to determine if the specific script is related to malware.
Landa discloses wherein the string format of each of the determined scripts associated with the website are analyzed using a regular expression analysis to determine if the specific script is related to malware (Landa: para. 0009, 0017, specific script (i.e. containing certain characters).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention the string format of each of the determined scripts associated with the website are analyzed using a regular expression analysis to determine if the specific script is related to malware of Landa with the method/system of Kaul-Napchi-Wan-(Landa: para. 0009).

As per claim 7, Kaul, Napchi, Wan, and Bogorad, Be’ery, Hazay, and Landa discloses the method of Claim 6.
Kaul, Napchi, Wan, Bogorad, Be’ery, Hazay and Landa do not disclose adding the specific script to a suspicious script database.
Wan discloses adding the specific script to a suspicious script database (Wan: col. 4, lines 50-62, adding specific scrip to script database).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention adding the specific script to a suspicious script database of Wan with the method/system of Kaul-Napchi-Wan-Bogorad-Be’ery-Hazay-Landa combination, all are analogous in the art of analyzing scripts.  One would have been motivated to include adding the specific script to a suspicious script database of Wan, because this ensures that the most updated information about scripts is included in the script database to be able to efficiently check which scripts are suspicious (Wan: col. 4, lines 57-61).

As per claim 13-14, rejected under similar scope as claims 6-7 respectively.


As per claim 19, Kaul, Napchi, Wan, Bogorad, Be’ery, and Hazay discloses the apparatus of claim 15.
 Kaul, Napchi, Wan, Bogorad, Be’ery, and Hazay do not explicitly disclose wherein the string format of each of the determined scripts associated with the website are analyzed using a regular expression analysis to determine if the specific script is related to malware.
Landa discloses wherein the string format of each of the determined scripts associated with the website are analyzed using a regular expression analysis to determine if the specific script is related to malware (Landa: para. 0009, 0017, specific script (i.e. containing certain characters).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention the string format of each of the determined scripts associated with the website are analyzed using a regular expression analysis to determine if the specific script is related to malware of Landa with the method/system of Kaul-Napchi-Wan-Bogorad-Be’ery-Hazay combination, all are analogous in the art of detecting malware.  One would have been motivated to include the string format of each of the determined scripts associated with the website are analyzed using a regular expression analysis to determine if the specific script is related to malware of Landa, because this method is a defensive measure that includes regular expressions configured to parse a string and determine the existence of malicious code (Landa: para. 0009).




As per claim 20, Kaul, Napchi, Wan, Bogorad, Be’ery, Hazay and Landa discloses the apparatus of claim 19.  
Kaul, Napchi, Wan, Bogorad, Be’ery, Hazay, and Landa do not disclose adding the specific script to a suspicious script database.
Wan discloses adding the specific script to a suspicious script database (Wan: col. 4, lines 50-62, adding specific scrip to script database).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention adding the specific script to a suspicious script database of Wan with the method/system of Kaul-Napchi-Bogorad-Be’ery-Hazay-Landa combination, all are analogous in the art of detecting malware.  One would have been motivated to include adding the specific script to a suspicious script database of Wan, because this ensures that the most updated information about scripts is included in the script database to be able to efficiently check which scripts are suspicious (Wan: col. 4, lines 57-61).

                                                             Conclusion

THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JENISE E JACKSON whose telephone number is (571)272-3791.  The examiner can normally be reached on M-F 8:00am-4:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu T Pham can be reached on (571)270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.










Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



3/16/2021
/J.E.J/Examiner, Art Unit 2439                                                                                                                                                                                                        

/KARI L SCHMIDT/Primary Examiner, Art Unit 2439