Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This Office Action is in response to the application 16/752,034 filed on 07/21/2021; Claims 1, 16, 18-20  have been amended; Claims 10-15 have been canceled; Claim 21-27 have been added; Claims 1, 16, and 21 are independent claims.  Claims 1, 3, 5-9, 16, 18-20, 21-and 27 have been examined and are pending.
Authorization for this Examiner’s Amendment was given in a telephone interview with Applicant’s representative, Mrs. Possett, Ramya (No.: 59,597) has agreed and authorized the Examiner to amend claims 1, 16, and 21. Canceled claims 3, 18, and 22.
Examiner’s Amendments
Claims
Replacing claims 1-27 as following:
1.  (Currently Amended) A method for identifying security events from a set of web requests, the method comprising:
 	obtaining, for each individual web request of the set of web requests, a screenshot of a corresponding web path resulting from the individual web request;
		applying a perceptual hash to each obtained screenshot to generate a set of hashed screenshots; 

		applying a cryptographic hash to each of the obtained screenshots;
		associating a value of the cryptographic hash with the corresponding obtained screenshot; 
grouping the set of hashed screenshots into multiple grouped sets of hashed screenshots based on corresponding hash value of the set of hashed screenshots, the multiple grouped set of hashed screenshots including a first grouped set of hashed screenshots having a value within a first predetermined threshold of each other and a second grouped set of hashed screenshots having a value within a second predetermined threshold of each other; 
comparing a first screenshot of the set of hashed screenshots with the first grouped set of hashed screenshots and the second grouped set of hashed screenshots; and
		determining whether a security event exists based on the comparison of the first screenshot and based on a set of values of the perceptual hash associated with the set of web requests and a set of values of the cryptographic hash associated with the set of web requests;
  ordering the set of hashed screenshots by hash value;[[ and]]
		removing, from the set of hashed screenshots, a subset of the hashed screenshots that have a similar hashed value;
		wherein determining whether the security event exists comprises: recommending, based on a similarity metric applied to the corresponding subset of the set of hashed screenshots, removal of the first screenshot of a corresponding first web path resulting from a first web request of the set of web requests, the first screenshot comprising an automated response to the first web request that indicates  a non-normal response for the first web request, the non-normal response comprising a response that indicates a resource is not found or an illegitimate response is provided; and
		wherein removing the subset of the hashed screenshots comprises: removing the first screenshot to the corresponding first web path.

2-4.   (Cancelled)

5.  (Original)	The method of claim 1, wherein applying the perceptual hash further comprises: 
		selecting a similarity metric for the perceptual hash, wherein the similarity metric is measured based on a number of bytes of the resulting hash.

6.  (Previously Presented)	The method of claim 1, further comprising:
providing for display the set of hashed screenshots, ordered by corresponding hash value.

7.  (Previously Presented)	The method of claim 6, wherein grouping further comprises:
		grouping multiple subsets of the set of hashed screenshots based on corresponding hash value of the set of hashed screenshots; and 
wherein providing for display further comprises:
providing for display a representative screenshot for each of the multiple grouped sets of screenshots.



9.  (Previously Presented)	The method of claim 1, 
wherein grouping further comprises: 
grouping multiple subsets of the hashed screenshots based on corresponding hash value of the set of hashed screenshots; and
wherein determining further comprises: 
training a machine-learning model with the multiple grouped sets of screenshots; and
using the machine-learning model for the determination. 

10 - 15.  (Cancelled)	

16.  (Currently Amended)	A non-transitory machine-readable storage medium comprising instructions executable by a hardware 
instructions to obtain, for each individual web request of the set of web requests, a screenshot of the corresponding web path resulting from the individual web request; 
instructions to apply a perceptual hash to each obtained screenshot to generate a set of hashed screenshots; 

		instructions to apply a cryptographic hash to each of the obtained screenshots;
		instructions to associate a value of the cryptographic hash with the corresponding obtained screenshot; 
  instructions to group the set of hashed screenshots into multiple grouped sets of hashed screenshots based on corresponding hash value of the set of hashed screenshots, the multiple grouped set of hashed screenshots including a first grouped set of hashed screenshots having a value within a first predetermined threshold of each other and a second grouped set of hashed screenshots having a value within a second predetermined threshold of each other;
 instructions to compare a first screenshot of the set of hashed screenshots with the first grouped set of hashed screenshots and the second grouped set of hashed screenshots; 
instructions to determine whether a security event exists based on the comparison of the first screenshot and based on a set of values of the perceptual hash associated with the set of web requests and a set of values of the cryptographic hash associated with the set of web requests;
instructions to order the set of hashed screenshots by hash value; [[and]]
	instructions to remove, from the set of hashed screenshots, a subset of the hashed screenshots that have a similar hashed value;
            wherein determining whether the security event exists comprises: recommending, based on a similarity metric applied to the corresponding subset of the set of hashed screenshots, removal of the first screenshot of a corresponding first web path resulting from a first web request of the set of web requests, the first screenshot comprising an automated response to the first web request that indicates  a non-normal response for the first web request, the non-normal response comprising a response that indicates a resource is not found or an illegitimate response is provided; and
		wherein removing the subset of the hashed screenshots comprises: removing the first screenshot to the corresponding first web path.

17-18.  (Cancelled)	

19.  (Previously Presented)	The non-transitory machine-readable storage medium of claim 16, wherein the instructions to apply the hash comprise: 
		instructions to select one or multiple types of hashes to be applied to the set of screenshots, wherein the types of hashes include: a perceptual hash; or a cryptographic hash;
		instructions to select, for each hash to be applied to the set of screenshots, a similarity metric;
		instructions to apply, for each hash to be applied, the corresponding hash with the similarity metric to each of the obtained screenshots.

20.  (Previously Presented)	The non-transitory machine-readable storage medium of claim 16, 
wherein the instructions to group further comprise: instructions to group multiple subsets of the set of hashed screenshots based on corresponding hash value of the screenshots; and


21.  (Currently Amended) A system for identifying security events from a set of web requests, the system comprising a hardware 
		obtain, for each individual web request of the set of web requests, a screenshot of a corresponding web path resulting from the individual web request; 
              apply a perceptual hash to each obtained screenshot to generate a set of hashed screenshots; 
		associate a value of the perceptual hash with the corresponding obtained screenshot; 
		apply a cryptographic hash to each of the obtained screenshots;
		associate a value of the cryptographic hash with the corresponding obtained screenshot; 
   group the set of hashed screenshots into multiple grouped sets of hashed screenshots based on corresponding hash value of the set of hashed screenshots, the multiple grouped set of hashed screenshots including a first grouped set of hashed screenshots having a value within a first predetermined threshold of each other and a second grouped set of hashed screenshots having a value within a second predetermined threshold of each other; 
  compare a first screenshot of the set of hashed screenshots with the first grouped set of hashed screenshots and the second grouped set of hashed screenshots

 order the set of hashed screenshots by hash value; [[and]]
             remove, from the set of hashed screenshots, a subset of the hashed screenshots that have a similar hashed value; 
wherein determining whether the security event exists comprises: recommending, based on a similarity metric applied to the corresponding subset of the set of hashed screenshots, removal of the first screenshot of a corresponding first web path resulting from a first web request of the set of web requests, the first screenshot comprising an automated response to the first web request that indicates  a non-normal response for the first web request, the non-normal response comprising a response that indicates a resource is not found or an illegitimate response is provided; and
	        wherein removing the subset of the hashed screenshots comprises: removing the first screenshot to the corresponding first web path.

22.  (Cancelled)	

23.  (Previously Presented)	The system of claim 21, wherein applying the perceptual hash further comprises: 
		selecting a similarity metric for the perceptual hash, wherein the similarity metric is measured based on a number of bytes of the resulting hash.


providing for display the set of hashed screenshots, ordered by corresponding hash value.

25.  (Previously Presented)	The system of claim 24, wherein grouping further comprises:
		grouping multiple subsets of the set of hashed screenshots based on corresponding hash value of the set of hashed screenshots; and 
  wherein providing for display further comprises:
  providing for display a representative screenshot for each of the multiple grouped sets of screenshots.

26.  (Previously Presented)	The system of claim 21, wherein the set of the web requests belong to domains owned by different organizations.

27.  (Previously Presented)	The system of claim 21, 
wherein grouping further comprises: 
grouping multiple subsets of the hashed screenshots based on corresponding hash value of the set of hashed screenshots; and
wherein determining further comprises: 
training a machine-learning model with the multiple grouped sets of screenshots; and
using the machine-learning model for the determination. 


Examiner's Statement of reason for Allowance

Claims 1, 5-9, 16, 19-20, 21, 23-27 are allowed.
The following is an examiner’s statement of reasons for allowance: 
The invention is directed to a security event identification system may enable obtaining, for each of the set of web requests, a screenshot of a corresponding web path resulting from the web request; applying a hash to each obtained screenshot; and determining, based on a comparison of the hashed screenshots, whether a security event exists related to the set of web requests. 
The closest prior art are over Li et al. (“Li,” US 2021/0099484, filed Sep. 26, 2019), Kauffmann et al. (“Kauffmann,” US 2019/0130192, published May 2, 2019), and Rodriguez (“Rodriguez,” US 2019/0332921, published Oct. 31, 2019) generally directed to various aspect of the method involves obtaining a screenshot of a corresponding web path resulting from the web request.  A perceptual hash is applied to each obtained screenshot to generate a set of hashed screenshots.  The set of hashed screenshots are grouped into multiple grouped sets of hashed screenshots.  A first grouped set of hashed screenshots is compared to a second grouped set of hashed screenshots, where the multiple grouped sets of hashed screenshots provides the first grouped set and the second grouped set.  A security event is determined that exists related to the set of web requests.  The set of hashed screenshots is ordered by hash value. 
However, none of Li, Kauffmann, and Rodriguez teaches or suggests, alone or in combination, the particular combination of steps or elements as recited in the independent “grouping the set of hashed screenshots into multiple grouped sets of hashed screenshots based on corresponding hash value of the set of hashed screenshots, the multiple grouped set of hashed screenshots including a first grouped set of hashed screenshots having a value within a first predetermined threshold of each other and a second grouped set of hashed screenshots having a value within a second predetermined threshold of each other; comparing a first screenshot of the set of hashed screenshots with the first grouped set of hashed screenshots and the second grouped set of hashed screenshots; and determining whether a security event exists based on the comparison of the first screenshot and based on a set of values of the perceptual hash associated with the set of web requests and a set of values of the cryptographic hash associated with the set of web requests;” and “removing, from the set of hashed screenshots, a subset of the hashed screenshots that have a similar hashed value; wherein determining whether the security event exists comprises: recommending, based on a similarity metric applied to the corresponding subset of the set of hashed screenshots, removal of the first screenshot of a corresponding first web path resulting from a first web request of the set of web requests, the first screenshot comprising an automated response to the first web request that indicates  a non-normal response for the first web request, the non-normal response comprising a response that indicates a resource is not found or an illegitimate response is provided; and wherein removing the subset of the hashed screenshots comprises: removing the first screenshot to the corresponding first web path.”
This feature in light of other features describes in the independent claims 1, 16, and 21 are allowable over the prior art of record.








Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CANH LE whose telephone number is (571)270-1380.  The examiner can normally be reached on Monday-Friday: 6:00 AM-3:30 PM, other Friday off.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on 571-270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. 
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




Examiner, Art Unit 2439
August 26th, 2021 


/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439