DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Priority
Acknowledgment is made of applicant’s claim for foreign priority under 35 U.S.C. 119 (a)-(d). The certified copy has been filed on 12/06/2019.

Information Disclosure Statement
The information disclosure statement (IDS) was submitted on 11/18/2019.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 4, 6, 7, 12, 14, 15, and 19 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.

Claims 6, 14, and 19 each recites the limitation “determining the list of web sites.” In this regard, claim 1 recites “a list of web sites.” That is, the list in claim 1 is one (1) list. Thus, it is unclear as to what is meant by the limitation “determining.” Does the claims include multiple lists? Or does the limitation “determining” mean a kind of updating? 
Claims 7 and 15 each recites the limitation “the plurality of factors include newly registered domains, suspicious domains flagged by heuristic signatures, unclassified domains in a network security system, country-specific domains, a targeted scan based on Content Management System (CMS).” It is unclear as to whether the plurality of factors include all of the listed factors, that is, newly registered domains, suspicious domains flagged by heuristic signatures, unclassified domains in a network security system, country-specific domains, [and] a targeted scan based on Content Management System (CMS), or at least one of the listed factors.  


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having 

Claims 1, 3-7, 9, 11-15, 17, and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Cho et al. (US 2016/0065613 A1; hereinafter, “Cho” ) in view of Trevelyan (US 2013/0219281 A1; hereinafter, “Trevelyan”).

Regarding claim 1:
Cho teaches:
A non-transitory computer-readable storage medium having computer-readable code stored thereon for programming a server (para. [0107]: A method of detecting malicious code based on the Web according to at least one embodiment of the present invention may be implemented in the form of program instructions that can be executed by a variety of computer means, and may be stored in a computer-readable storage medium) to performs steps of:
receiving a list of web sites (para. [0040]: The URL collection unit 210 collects and stores the URL information of at least one web server. The system 200 for detecting malicious code based on the Web may access a website using link information, such as a URL; para. [0041]: The data crawling unit 220 crawls and stores contents data present in a website based on the URL information stored in the URL collection unit 210. --- Note that crawls contents data present in a website based on the URL information stored in the URL collection unit 210 teaches receiving a list of web site; here, the URL information of at least one web server stored in the URL collection unit 210 teaches a list of web sites);
... browsing to each web site in the list (para. [0041]: The data crawling unit 220 crawls and stores contents data present in a website based on the URL information stored in the URL collection unit 210; para. [0042]: In this case, the system 200 for detecting malicious code based on the Web may access a webpage using an IE component module, which enables results, equivalent to those in the case of access using a web browser, to be collected. --- Note that crawls contents data present in a website based on the URL information stored in the URL collection unit 210 and access a webpage teaches browsing to each web site in the list);
receiving a response based on the browsing (para. [0041]: The data crawling unit 220 crawls and stores contents data present in a website based on the URL information stored in the URL collection unit 210; para. [0044]: The data crawling unit 220 accesses the Web using not only the source code (HTML) of a website but also the IE component module, thereby also crawling and storing additionally collected data, such as an image, encoding JavaScript, and a style sheet. --- Note that stores contents data present in a website teaches receiving a response based on the browsing); and
analyzing the response to classify each web site as malicious or not based on a plurality of techniques including JavaScript (JS) obfuscation detection based on de-obfuscation (para. [0090]: As described above, the method of detecting malicious code based on the Web according to the present invention may verify not only a document inside the website A 610 but also the security of other websites 620 to 640 linked by the document; para. [0111]: The present invention has the advantage of enabling IE-level analysis via not only simple analysis related to HTML but also the analysis of various types of contents, such as an image, encoding JavaScript, a style sheet, etc; para. [0092]: Referring to FIG. 7, the method of detecting malicious code based on the Web according to the embodiment of the present invention may have the basic function of detecting a script (an external linker) intended for inducement to re-direction to a malicious code homepage using a web document external tag and alerting a user to the script as malicious code. In this case, even when a linker outside a web document is obfuscated or encoded, the linker is detected by decryption or decoding and is then filtered out. Since well-known method are used as encoding and decoding methods used in this case, the encoding and decoding methods do not fall within the important range of the present invention, and a detailed description thereof is omitted. --- Note that analysis via not only simple analysis related to HTML but also the analysis of various types of contents, such as encoding JavaScript teaches analyzing the response to classify each web site as malicious or not based on a plurality of techniques including JavaScript (JS) obfuscation detection; verify not only a document inside the website A 610 but also the security of websites 620 teaches classify each web site as malicious or not; the analysis of various types of contents such as encoding JavaScript (i.e., obfuscated), and the linker (i.e., script) is detected by decryption or decoding (i.e., de-obfuscated) teaches analyzing JavaScript (JS) obfuscation detection based on de-obfuscation).
Cho is silent about:
anonymously browsing to each web site …
Trevelyan, in the same field of endeavor, teaches:
anonymously browsing to each web site … (para. [0011]: According to a first aspect of the invention, there is provided a processor engine for improving at least one identified website's profile. The processor engine comprises at least one processor arranged to: select and load at least one target list comprising at least one website whose profile is to be improved; create an Internet connection; and open a web browser and access at least one website from the loaded at least one target list. The at least one processor is further arranged to: navigate automatically through each of the at least one accessed website(s) for a period of time; close the web browser and the anonymous Internet connection; and repeat a number of times the open, navigate automatically at least one from a group comprising the same website, a different website from the target list and close of the web browser; para. [0016]: According to an optional feature, the at least one processor may be arranged to create a connection to the Internet that is anonymous and substantially unique (noting that it is ‘substantially unique’ as there is a finite amount of IP addresses available). In this manner, the Internet search engine may not be able to recognise the originating (source) IP address and may only be able to see the IP address provided by the anonymous web proxy application. --- Note that create a connection to the Internet that is anonymous teaches anonymously browsing to each web site).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Cho’s system by enhancing Cho’s system to access the website anonymously, as taught by Trevelyan, in order that no footprint from a single IP address is left.
The motivation is to hide or disguise the intention to affect a website's (URL) position on a search engine's page ranking due to the switching between a plurality of separate Internet connections.

Regarding claim 3:
Cho in view of Trevelyan teaches:
The non-transitory computer-readable storage medium of claim 1. 
Cho teaches:
wherein the JS obfuscation detection is performed by de-obfuscating JS content and utilizing heuristics to determine if the de-obfuscated JS content is malicious (para. [0111]: The present invention has the advantage of enabling IE-level analysis via not only simple analysis related to HTML but also the analysis of various types of contents, such as an image, encoding JavaScript, a style sheet, etc; para. [0092]: Referring to FIG. 7, the method of detecting malicious code based on the Web according to the embodiment of the present invention may have the basic function of detecting a script (an external linker) intended for inducement to re-direction to a malicious code homepage using a web document external tag and alerting a user to the script as malicious code. In this case, even when a linker outside a web document is obfuscated or encoded, the linker is detected by decryption or decoding and is then filtered out. Since well-known method are used as encoding and decoding methods used in this case, the encoding and decoding methods do not fall within the important range of the present invention, and a detailed description thereof is omitted; para. [0050]: the malicious code candidate extraction unit 240 may detect malicious code using a wide range of patterns, unlike the conventional technology, when extracting a malicious code candidate, and may filter out a pattern, matching secure pattern information stored in the secure pattern database 250, from an extracted malicious code candidate, thereby reducing the false negative detection rate; para. [0062]: The pattern learning unit 270 generates new malicious pattern information by analyzing the regularity of the malicious pattern or the correlation of the secure pattern with the malicious pattern based on the malicious code output by the secure pattern filtering unit 260, and adds the generated malicious pattern information to the malicious pattern database 230. --- Note that the analysis of various types of contents such as encoding JavaScript teaches the JS obfuscation detection is performed to determine if the JS content is malicious; the linker (i.e., script) is detected by decryption or decoding (i.e., de-obfuscation) teaches performed by de-obfuscating JS content; detect malicious code by matching secure pattern information teaches performed by utilizing heuristics; generates new malicious pattern information by analyzing the regularity of the malicious pattern teaches heuristics).

Regarding claim 4:
Cho in view of Trevelyan teaches:
The non-transitory computer-readable storage medium of claim 3. 
Cho teaches:
wherein the heuristics include a presence of any of a new JS function and a domain in the de-obfuscated JS content (para. [0062]: The pattern learning unit 270 generates new malicious pattern information by analyzing the regularity of the malicious pattern or the correlation of the secure pattern with the malicious pattern based on the malicious code output by the secure pattern filtering unit 260, and adds the generated malicious pattern information to the malicious pattern database 230; para. [0111]: The present invention has the advantage of enabling IE-level analysis via not only simple analysis related to HTML but also the analysis of various types of contents, such as an image, encoding JavaScript, a style sheet, etc; para. [0092]: Referring to FIG. 7, the method of detecting malicious code based on the Web according to the embodiment of the present invention may have the basic function of detecting a script (an external linker) intended for inducement to re-direction to a malicious code homepage using a web document external tag and alerting a user to the script as malicious code. In this case, even when a linker outside a web document is obfuscated or encoded, the linker is detected by decryption or decoding and is then filtered out. Since well-known method are used as encoding and decoding methods used in this case, the encoding and decoding methods do not fall within the important range of the present invention, and a detailed description thereof is omitted. --- Note that generates new malicious pattern information by analyzing the regularity of the malicious pattern teaches heuristics; the various types of contents such as encoding JavaScript teaches a new JS function, here, it is unclear as to what is meant by the limitation “new”, thus for the sake of examination, it is interpreted as a JS function; detected by decryption or decoding teaches in the de-obfuscated JS content; further noted that for the sake of examination, the limitation “any of a new JS function and a domain” is interpreted as a new JS function or a domain. In addition, Cho further teaches a domain (see paras. [0096]-[0099])).

Regarding claim 5:
Cho in view of Trevelyan teaches:
The non-transitory computer-readable storage medium of claim 1, wherein the plurality of techniques further includes …
Cho teaches:
(para. [0094]: Furthermore, in this case, the method of detecting malicious code based on the Web according to the embodiment of the present invention may detect a shellcode intended for inducement to hidden malicious code by detecting code packaged by a specific packer; para. [0095]: In this case, three types of events that are detected may include a tag event using a script, an iframe tag or the like, a link event using a tag, and an exploit-related event that executes actual malicious code. --- Note that detect a shellcode intended for inducement to hidden malicious code and detected may include an iframe tag teaches detection of hidden Inline Frames in the response).

Regarding claim 6:
Cho in view of Trevelyan teaches:
The non-transitory computer-readable storage medium of claim 1, wherein the computer-readable code stored is further configured to program the server to performs steps of …
Cho is silent about:
determining the list of web sites periodically based on a plurality of factors.
Trevelyan teaches:
determining the list of web sites periodically based on a plurality of factors (para. [0035]: The at least one processor in a processor engine may enable a user to specify a number of websites to visit and navigate. In subsequently accessing these websites, statistics from the website may be provided to search and, thus, the website(s) page ranking on the Internet search engine may be affected. In some examples of the present invention, the at least one processor in a processor engine may be arranged to access the website and automatically navigate around the website for a period of time, in order to register ‘sufficient’ activity/interest in the web-site according to any Internet search engine rules, before the program exits. The at least one processor in a processor engine may then select a new IP address, for example from a different country and perhaps using a different browser or a different language and repeats the processpara. [0071]: In 442, a user or subscriber may be provided with an opportunity to enter one or more website(s) and/or a target list that is to be promoted. In 445, the program loads a target list of one or more website(s) that are to be promoted. Thereafter, in 455, the Internet web browser reads the target list provided in 445 and accesses one or more of the identified websites. In 457, the program automatically navigates around the identified website for a period of time, which in some examples may be pre-defined or random. --- Note that enable a user to specify a number of websites to visit and arranged to access the website for period of time teaches determining the list of web sites periodically; select a new IP address, for example from a different country or a different language teaches based on a plurality of factors).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Cho’s system by enhancing Cho’s system to specify a number of websites to visit based on a new IP address, for example from a different country or a different language, as taught by Trevelyan, in order to analyze various types of websites and contents.
The motivation is to protect the system from dramatically changed malicious network attacks by visiting suspicious websites to detect the malicious code in advance. 

Regarding claim 7:
Cho in view of Trevelyan teaches:
The non-transitory computer-readable storage medium of claim 6.
Cho is silent about:
wherein the plurality of factors include newly registered domains, suspicious domains flagged by heuristic signatures, unclassified domains in a network security system, country-specific domains, a targeted scan based on Content Management System (CMS).
Trevelyan teaches:
wherein the plurality of factors include newly registered domains, suspicious domains flagged by heuristic signatures, unclassified domains in a network security system, country-specific domains, a targeted scan based on Content Management System (CMS) (para. [0035]: The at least one processor in a processor engine may enable a user to specify a number of websites to visit and navigate. In subsequently accessing these websites, statistics from the website may be provided to search and, thus, the website(s) page ranking on the Internet search engine may be affected. In some examples of the present invention, the at least one processor in a processor engine may be arranged to access the website and automatically navigate around the website for a period of time, in order to register ‘sufficient’ activity/interest in the web-site according to any Internet search engine rules, before the program exits. The at least one processor in a processor engine may then select a new IP address, for example from a different country and perhaps using a different browser or a different language and repeats the process. --- Note that a new IP address teaches newly registered domains; further note that this limitation is unclear as to the plurality of factors include all of the listed factors or at least one of the listed factors. For the sake of examination, it is interpreted as including at least one of the listed factors).
	The motivation for claim 6 is applicable for claim 7.

Regarding claim 9:
Claim 9 recites a server which corresponds to a non-transitory computer-readable storage medium of claim 1, and additionally contains: 
	a network interface communicatively coupled to a network;
a processor communicatively coupled to the network interface; and
memory storing computer-executable instructions.
However, Trevelyan teaches:
(para. [0084]: Communications interface 524 can be used to allow software and data to be transferred between computing system 500 and external devices.);
a processor communicatively coupled to the network interface (para. [0080]: processor 504 is connected to a bus 502 or other communications medium.); and
memory storing computer-executable instructions (para. [0081]: Computing system 500 may likewise include a read only memory (ROM) or other static storage device coupled to bus 502 for storing static information and instructions for processor 504.).
Therefore, claim 9 is rejected by applying the same rationale used to reject claim 1 above and the reason stated above.

Regarding claim 11:
Claim 11 recites the server which corresponds to the non-transitory computer-readable storage medium of claim 3, and contains no additional limitation. Therefore, claim 11 is rejected by applying the same rationale used to reject claim 3 above.

Regarding claim 12:
Claim 12 recites the server which corresponds to the non-transitory computer-readable storage medium of claim 4, and contains no additional limitation. Therefore, claim 12 is rejected by applying the same rationale used to reject claim 4 above.

Regarding claim 13:
Claim 13 recites the server which corresponds to the non-transitory computer-readable storage medium of claim 5, and contains no additional limitation. Therefore, claim 13 is rejected by applying the same rationale used to reject claim 5 above.

Regarding claim 14:
Claim 14 recites the server which corresponds to the non-transitory computer-readable storage medium of claim 6, and contains no additional limitation. Therefore, claim 14 is rejected by applying the same rationale used to reject claim 6 above.

Regarding claim 15:
Claim 15 recites the server which corresponds to the non-transitory computer-readable storage medium of claim 7, and contains no additional limitation. Therefore, claim 15 is rejected by applying the same rationale used to reject claim 7 above.

Regarding claim 17:
Claim 17 recites a method which corresponds to a non-transitory computer-readable storage medium of claim 1, and contains no additional limitation. Therefore, claim 17 is rejected by applying the same rationale used to reject claim 1 above.

Regarding claim 19:
Claim 19 recites the method which corresponds to the non-transitory computer-readable storage medium of claim 6, and contains no additional limitation. Therefore, claim 19 is rejected by applying the same rationale used to reject claim 6 above.

Regarding claim 20:
Claim 20 recites the method which corresponds to the non-transitory computer-readable storage medium of claim 3, and contains no additional limitation. Therefore, claim 20 is rejected by applying the same rationale used to reject claim 3 above.

Claims 2, 10, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Cho et al. (US 2016/0065613 A1; hereinafter, “Cho” ) in view of Trevelyan (US 2013/0219281 A1; hereinafter, “Trevelyan”), and further in view of Thomas et al. (US 2012/0174224 A1; hereinafter, “Thomas”).

Regarding claim 2:
Cho in view of Trevelyan teaches:
The non-transitory computer-readable storage medium of claim 1, wherein the computer-readable code stored is further configured to program the server to performs steps of …
Cho further teaches:
… providing a blacklist … classified as malicious (para. [0047]: the malicious pattern database 230 databases and stores not only the information of previously known malicious code but also the information of the same type of malicious code whose pattern is similar to that of the previously known malicious code. --- Note that stores the information of previously known malicious code teaches providing a blacklist classified as malicious).
Cho in view of Trevelyan is silent about:
… a blacklist of web sites …
Thomas, in the same field of endeavor, teaches: 
… a blacklist of web sites … (para. [0018]: In such a case, the malware detection software may consult one or more lists of web sites known to promulgate malware (e.g., a blacklist) to advise the user as to whether the web pages referenced in the search results may contain malware. --- Note that lists of web sites known to promulgate malware (e.g., a blacklist) teaches a blacklist of web sites).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Cho’s system by enhancing Cho’s system to 
The motivation is to advise a user or a system as to whether the web pages referenced in the search results may contain malware. (See Thomas, para. [0018]) Also, detecting a malicious website or malware is a well-known technology to one of ordinary skill in the art. 


Regarding claim 10:
Claim 10 recites the server which corresponds to the non-transitory computer-readable storage medium of claim 2, and contains no additional limitation. Therefore, claim 10 is rejected by applying the same rationale used to reject claim 2 above.

Regarding claim 18:
Claim 18 recites the method which corresponds to the non-transitory computer-readable storage medium of claim 2, and contains no additional limitation. Therefore, claim 18 is rejected by applying the same rationale used to reject claim 2 above.

Claims 8, and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Cho et al. (US 2016/0065613 A1; hereinafter, “Cho” ) in view of Trevelyan (US 2013/0219281 A1; hereinafter, “Trevelyan”), and further in view of Haynes (US 2013/0117459 A1; hereinafter, “Haynes”).

Regarding claim 8:
Cho in view of Trevelyan teaches:
The non-transitory computer-readable storage medium of claim 1.
Cho is silent about:
wherein the anonymously browsing utilizes a Virtual Private Network (VPN) to obscure the server.
Haynes, in the same field of endeavor, teaches:
wherein the anonymously browsing utilizes a Virtual Private Network (VPN) to obscure the server (para. [0004]: Additional advantages are provided by using VPN routers, in part because they provide visible internet protocol (IP) addresses based on a home server ID as opposed to individual machine IP addresses or personal IDs. This type of addressing arrangement can facilitate a variety of VPN applications, including anonymous web browsing, firewall protection from malicious network attacks, additional protection from personal data theft, etc.).
	The motivation for claim 1 is applicable for claim 8.

Regarding claim 16:
Claim 16 recites the server which corresponds to the non-transitory computer-readable storage medium of claim 8, and contains no additional limitation. Therefore, claim 16 is rejected by applying the same rationale used to reject claim 8 above.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Banerjee et al. (US10,148681 B2) discloses a computer implemented method, comprises receiving a first input, the first input including a universal resource locator (URL) for a webpage. A second input is received, the second input including feedback information related to the webpage, the feedback information including an indication designating the webpage as safe or unsafe. A third input is received from a database, the third input including reputation information related to the webpage. Data is extracted from the webpage. A safety status is determined for the webpage. 


Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ASHOKKUMAR PATEL can be reached on (571)-272-3972.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/W.Y./Examiner, Art Unit 2491                                                                                                                                                                                                        




/ASHOKKUMAR B PATEL/            Supervisory Patent Examiner, Art Unit 2491