Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
Applicant's remarks filed on 11-08-2021 regarding the 35 USC 101 rejection have been fully considered in light of the arguments and new amendments, but they are not persuasive. The client argues that “Applicant respectfully traverses this rejection, and expressly denies that the claims, as previously presented, recite an abstract idea. Nevertheless, to expedite prosecution, the Applicant has made a modest amendment to the claims”. The examiner disagrees with the contention. The modest amendments indicate that the HTML POST operation is used during user interaction. However, such HTML GET, POST, etc. operations are detectable by parsing the HTML code, as envisaged in various prior art references and NPLs; this is well-known, obvious and not novel, and it neither adds anything significantly more nor connects the claimed concept with a practical application per se, according to the 2019 PEG guidance with examples. It amounts to simply appending well-understood, routine, conventional activities previously known to the industry, specified at a high level of generality, to the judicial exception (MPEP 2106.05(d) and 2106.05(I)(A)). Therefore the rejection is maintained.
Applicant’s arguments with respect to 35 USC 103 rejection of claim(s) have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Claim Rejections - 35 USC § 101 (Abstract Idea)
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1 – 20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more, analyzed according to the 2019 Revised Patent Subject Matter Eligibility Guidance (“2019 PEG”). The claim recites: intercept a user interaction with a website and determine that the user attempts to send sensitive information, suspend the interaction and assign a reputation to the URL and take a security action.
Step 1: Claims 1, 14 and 18 do fall into one of the four statutory categories of apparatus, method and system claims. Nevertheless, the claims are still considered an abstract idea for the following prongs and reasons.
Step 2A: Prong 1: The limitation of claims 1, 14 and 18, which recites: intercept a user interaction with a website and determine that the user attempts to send sensitive information, suspend the interaction and assign a reputation to the URL and take a security action, as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the human mind and/or with pen and paper, with or without a generic computer. Except for the words ‘apparatus with processor and memory…, non-transitory medium’, nothing in the claim element precludes the step from practically being performed in the human mind and/or with pen and paper. For example, the HTML POST request can be found by looking up the source code of the HTML code or by inspecting the HTTP request type in a given browser, and while preventing user from sending sensitive data via a website, performing a privacy risk assessment on a website/URL and obtaining various information about the website including analysis the 
Dependent claims 2 – 13, 15 – 17, 19 and 20, which in turn recite performing deep analysis, phishing items, querying a local or cloud-based cache to assign reputation, if not available in either system, then performing deep analysis, warning the user, if determined safe, permitting the user to send sensitive information etc., are mere structural addendums and are other steps that could be performed by a human manually with or without the need for a computer. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in a human organized way but for the recitation of generic computer components, then it falls within the “mental processes” grouping of abstract ideas and can be done manually. Accordingly, the claim recites an abstract idea.
Prong 2: This judicial exception is not integrated into a practical application. In particular, the claims do not recite any additional element to perform beyond routine steps of: intercept a user interaction with a website and determine that the user attempts to send sensitive information, suspend the interaction and assign a reputation to the URL and take a security action. The steps are recited at a high level of generality (i.e., as generic terms performing generic computer functions (spec. figs. 6-8)) such that it amounts to no more than mere instructions to apply the exception using generic computer components. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. Therefore the claims are directed to an abstract idea.
Step 2B: The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of not patent eligible. Therefore all the corresponding dependent claims 2 – 13, 15 – 17, 19 and 20 are also rejected for the same rationale.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1 – 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Dixon et al (US 20140331119), hereafter Dixon and Volkov, Dmitry (US 20180191777), hereafter Vol.
Claim 1: Dixon teaches a computing apparatus, comprising: a hardware platform comprising a processor and a memory; a network interface; a user-space application comprising instructions to interact with a web site via a uniform resource locator (URL); ([Fig. 18, 309] include a processor; a memory and a communications interface coupled to the processor and the memory, [0099] a browser application associated with the client to enter an address or universal resource locator (URL) entered into an address bar of a browser application);
and a security agent comprising instructions to: intercept an interaction of the user-space application with the web site; ([0157-158] detection method is comprised of a technology built for operating systems that monitors access to persistent storage and execution of code… after a website is opened in a web browser, the operating system is analyzed to determine if any system changes, browser changes, code installs, or the like have occurred by opening the web page; [Fig. 4-5, 140, 157] In the reputation information process a user provides an Internet request (a search request or URL address request) and [0242] are intercepted, and a reputation analysis is performed in conjunction with the request);
determine that the intercepted interaction is a [hypertext markup language (HTML) POST] operation that will [[to]] send ([354, Fig. 23] personal or otherwise sensitive information requested during the authentication and validate procedures, and the reputation service host provides warnings and the like in connection with any such requests based on [095] information relating to Websites is used before, during, or after certain website interactions… other parameters of the interactions);
based at least in part on detecting the [HTML POST] operation, suspend the interaction; ([0121-122] the reputation service host identifies high risk content, sites, and the like (i.e., http post operation), and it passes this information on to a firewall facility. The firewall facility then uses this information to protect personal information by keeping the user from entering certain websites);
and assign a reputation to the URL. ([0229] a Web reputation service calculates a reputation of Websites, programs, Web forms, and other entities found on the Internet);
Dixon is silent on HTML POST operation.
But the analogous art Vol teaches interaction is a HTML POST operation. ([0075, 122] the system analyzes the HTML code that is loaded with the iframe tag and determines the HTML code of a web page comprises POST operation (table 1) <form ... method="POST"> ).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Dixon to include the idea of scoring a URL as taught by Vol so that phishing detection rules are created based on at least one unique attribute that allows identifying a web page as a phishing web page ([008]).
Claim 14: Dixon teaches one or more tangible, non-transitory computer-readable storage mediums having stored thereon executable instructions to instruct a processor to ([Fig. 18, 309]): insert or register operating system hooks to enable interception of user-space processes; determine that a user-space process is attempting to interact with an internet resource identified by a uniform resource locator (URL) via a [hypertext markup language (HTML) POST] operation; suspend the attempt based at least in part on identifying the [HTML POST] operation; while the attempt is suspended; and take a security action based on the reputation of the URL. ([Fig. 18, 309] include a processor; a memory and a communications interface coupled to the processor and the memory, [0099] a browser application associated with the client to enter an address or universal resource locator (URL) entered into an address bar of a browser application; [0157-158] detection method is comprised of a technology built for operating systems that monitors access to persistent storage and execution of code… after a website is opened in a web browser, the operating system is analyzed to determine if any system changes, browser changes, code installs, or the like have occurred by opening the web page; [Fig. 4-5, 140, 157] In the reputation information process a user provides an Internet request (a search request or URL address request) and [0242] are intercepted, and a reputation analysis is performed in conjunction with the request; [354, Fig. 23] personal or otherwise sensitive information requested during the authentication and validate procedures, and the reputation service host provides warnings and the like in connection with any such requests based on [095] information relating to Websites is used before, during, or after certain website interactions … other parameters of the interactions; [0121-122] the reputation service host identifies high risk content, sites, and the like (i.e., http post operation), and it passes this information on to a firewall facility. The firewall facility then uses this information to protect personal information by keeping the user from entering certain websites; [0229] a Web reputation service calculates a reputation of Websites, programs, Web forms, and other entities found on the Internet; [0097] The reputation service host provides warnings, cautions, alerts, indications of acceptable reputation, indications of poor reputations, indications of reputations, indications of types of expected behaviors, and the like).
Dixon is silent on HTML POST operation.
But the analogous art Vol teaches HTML POST operation. ([0075, 122] the system analyzes the HTML code that is loaded with the iframe tag and determines the HTML code of a web page comprises POST operation (table 1) <form ... method="POST"> ).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Dixon to include the idea of scoring a URL as taught by Vol so that phishing detection rules are created based on at least one unique attribute that allows identifying a web page as a phishing web page ([008]).
Claim 18: Dixon teaches a computer-implemented method of providing browser-based phishing mitigation for a web site, the method comprising: detecting a user interaction with a web site via the browser, the user interaction comprising sending a [hypertext markup language (HTML) POST] operation; suspending the user interaction based at least in part on detecting the [HTML POST] operation; suspending the user interaction; while the user interaction is suspended; and taking a security action based on the assigned reputation. ([Fig. 18, 309] include a processor; a memory and a communications interface coupled to the processor and the memory, [0099] a browser application associated with the client to enter an address or universal resource locator (URL) entered into an address bar of a browser application; [0157-158] detection method is comprised of a technology built for operating systems that monitors access to persistent storage and execution of code… after a website is opened in a web browser, the operating system is analyzed to determine if any system changes, browser changes, code installs, or the like have occurred by opening the web page; [Fig. 4-5, 140, 157] In the reputation information process a user provides an Internet request (a search request or URL address request) and [0242] are intercepted, and a reputation analysis is performed in conjunction with the request; [354, Fig. 23] personal or otherwise sensitive information requested during the authentication and validate procedures, and the reputation service host provides warnings and the like in connection with any such requests based on [095] information relating to Websites is used before, during, or after certain website interactions … other parameters of the interactions; [0121-122] the reputation service host identifies high risk content, sites, and the like (i.e., http post operation), and it passes this information on to a firewall facility. The firewall facility then uses this information to protect personal information by keeping the user from entering certain websites; [0229] a Web reputation service calculates a reputation of Websites, programs, Web forms, and other entities found on the Internet; [0097] The reputation service host provides warnings, cautions, alerts, indications of acceptable reputation, indications of poor reputations, indications of reputations, indications of types of expected behaviors, and the like).
Dixon is silent on HTML POST operation.
But the analogous art Vol teaches HTML POST operation. ([0075, 122] the system analyzes the HTML code that is loaded with the iframe tag and determines the HTML code of a web page comprises POST operation (table 1) <form ... method="POST"> ).
([008]).
Claim 2: the combination of Dixon and Vol teaches the computing apparatus of claim 1, wherein the security agent is further to take a security action based at least in part on the reputation of the URL. (Dixon: [0097] The reputation service host provides warnings, cautions, alerts, indications of acceptable reputation, indications of poor reputations, indications of reputations, indications of types of expected behaviors, and the like).
Claim 3: the combination of Dixon and Vol teaches the computing apparatus of claim 1, wherein assigning the reputation to the URL comprises performing a deep security analysis of the web site. (Dixon: [0249] a reputation service host looks for characteristics of the Website to determine if it is probable that the site's only reason for existence is to collect personal information. Such heuristics include looking for sites with very few pages, indicating very little content on the site; looking for sites that request personal information on their first page instead of having these requests deeper within the site; and looking for sites that request significant amounts of personal information).
Claim 4: the combination of Dixon and Vol teaches the computing apparatus of claim 3, wherein the deep security analysis comprises analyzing the web site's code for phishing features. (Dixon: [0007-8] A database contains the reputation based upon a link structure analysis; a black list; a heuristic; an automatic test; a dynamic and/or static analysis of an executable application, or script; an analysis of an end user license agreement; a determination of a distinguishing characteristic of a Web site, such as a business model or a genre; the result of a Web crawl; the output of a machine learning facility and so forth, [0124] a reputation service host is associated with a phishing facility adapted to filter phishing, identify phishing activities).
Claim 5: the combination of Dixon and Vol teaches the computing apparatus of claim 1, wherein assigning the reputation comprises querying a user feature for a deep analysis flag, and performing deep analysis only if the deep analysis flag is set. (Dixon: [0007] user contributed feedback, [0126] the settings for allowing interactions with Web content are adjusted in accordance with parental control settings. The reputation service host is associated with a supervisor or administrator controls facility, [0165] the service collect user feedback to correct internal data, discover new sites/programs/Web forms and collect data that cannot be automatically tested).
Claim 6: the combination of Dixon and Vol teaches the computing apparatus of claim 5, further comprising determining that the deep analysis flag is not set, and warning the user of a potential for data loss because the web site has not been analyzed via deep analysis. (Dixon: [0171] a site, a portion of a site, or content within a site may be labeled "Unknown," signifying that the site that has not been analyzed, [0300] a system displays a pre-transaction alert in order to save the user the hassle of discovering the site's potential harm after the user has already sent or entered private information).
Claim 7: the combination of Dixon and Vol teaches the computing apparatus of claim 1, wherein assigning the reputation comprises querying a user-configurable scan aggressiveness option, and performing a scan of the web site's code for phishing features according to the user-configurable scan aggressiveness option. (Dixon: [0165] the product is a protection based program, a software application that communicates with a reputation service and that protects a user from adware, risky e-commerce, fraud, and giving personal information to aggressive marketers, spammers and [0124] a reputation service host is associated with a phishing facility adapted to filter phishing, identify phishing activities. The service warns a user before he does a dangerous thing).
Claim 8: the combination of Dixon and Vol teaches the computing apparatus of claim 1, wherein the security agent is further to warn the user if the user-configurable scan aggressiveness option is set below a threshold. (Dixon: [0159-160] when a website with a bad reputation is discovered by the analysis facility it is discovered if other cloned websites exist and to mark those websites as illegitimate cloned websites and if the candidate clone website is below the score threshold, the candidate clone website is an approximate clone and [0042] providing warnings, alerts, and the like).
Claim 9: the combination of Dixon and Vol teaches the computing apparatus of claim 1, wherein the security agent is further to warn the user of potential data loss, and send the sensitive information only after receiving confirmation from the user. (Dixon: [0300] a system displays a pre-transaction alert in order to save the user the hassle of discovering the site's potential harm after the user has already sent or entered private information, [0172, 184] users have the option of overriding a warning and proceeding with what they were trying to do. If users have opted into providing feedback, this override information is sent back to the reputation server as part of the collection facility process).
Claim 10: the combination of Dixon and Vol teaches the computing apparatus of claim 9, wherein the security agent is further to cache a response from the user in a response cache. (Dixon: [0289] the client cache information locally as it is looked up so that repeated visits to the same site may not require time consuming look ups... This cache is pre-loaded with reputation data of the most popular websites when the client is first installed).
Claim 11: the combination of Dixon and Vol teaches the computing apparatus of claim 10, wherein the security agent is further to: query the response cache; determine that the user has previously permitted sensitive information to be submitted to the web site; and permit the sensitive information to be submitted without requiring a further response from the user. (Dixon: [0184] Users have the option of having the host store the override decision, so that the same warning is not provided repetitively for an action the user has decided to take. [0191] when users override one of these warnings, they are not warned again in the future when they attempt the same action. The list of sites that have these warnings disabled is deployed as a personal white-list for the user. It consists of the top-level URL for the page and the type of warning that was purposely disabled for the site).
Claim 12: the combination of Dixon and Vol teaches the computing apparatus of claim 1, wherein assigning the reputation to the website comprises querying a cloud-based reputation cache, and receiving a reputation for the website from the cloud-based reputation cache. (Dixon: [0008] the provision of a real time database query interface for lookup up the reputation of web content, such as a website, an executable application, a script, a web form, and so forth; the caching of the results of this real time database locally on client computers to improve performance; the provision of a database containing the reputation, [0011] a web reputation service comprises the web content analysis facility, the database, and the real time database query interface. The web reputation service comprises, without limitation, a service providing information about the safety or trustworthiness of a Web site).
Claim 13: the combination of Dixon and Vol teaches the computing apparatus of claim 12, wherein assigning the reputation to the website further comprises first querying a local cache of the cloud-based reputation cache, and querying the cloud-based reputation cache only if no locally cached reputation exists in the local cache. (Dixon: [0142-144] there is a local cache on the client device such that the frequently/recently accessed content has its reputation, or indicia of its reputation, stored locally. This information is cleared out of the cache, or modified, when new threat information is associated with stored information or there is a change in the reputation status of a site, or for other such reasons, the web content analysis facility is external to the server or the client. The web content analysis facility access web content on the third-party web server and performs a web content analysis function such as a link structure analysis; a white list comparison; a black list comparison etc.).
Claim 15: the combination of Dixon and Vol teaches the one or more tangible, non-transitory computer-readable mediums of claim 14, wherein assigning the reputation to the website comprises querying a cloud-based reputation cache, and receiving a reputation for the website from the cloud-based reputation cache. (Dixon: [0008] the provision of a real time database query interface for lookup up the reputation of web content, such as a website, an executable application, a script, a web form, and so forth; the caching of the results of this real time database locally on client computers to improve performance; the provision of a database containing the reputation, [0011] a web reputation service comprises the web content analysis facility, the database, and the real time database query interface. The web reputation service comprises, without limitation, a service providing information about the safety or trustworthiness of a Web site).
Claim 16: the combination of Dixon and Vol teaches the one or more tangible, non-transitory computer-readable mediums of claim 15, wherein assigning the reputation to the website further comprises first querying a local cache of the cloud-based reputation cache, and querying the cloud-based reputation cache only if no locally cached reputation exists in the local cache. (Dixon: [0142-144] there is a local cache on the client device such that the frequently/recently accessed content has its reputation, or indicia of its reputation, stored locally. This information is cleared out of the cache, or modified, when new threat information is associated with stored information or there is a change in the reputation status of a site, or for other such reasons, the web content analysis facility is external to the server or the client. The web content analysis facility access web content on the third-party web server and performs a web content analysis function such as a link structure analysis; a white list comparison; a black list comparison etc.).
Claim 17: the combination of Dixon and Vol teaches the one or more tangible, non-transitory computer-readable mediums of claim 15, wherein assigning the reputation to the website further comprises determining that a cloud-based reputation from the cloud-based reputation cache is unknown, and triggering a local deep analysis of the internet resource. (Dixon: [0008] the provision of a real time database query interface for lookup up the reputation of web content, such as a website, an executable application, a script, a web form, and so forth; [0171] a site, a portion of a site, or content within a site may be labeled "Unknown," signifying that the site that has not been analyzed; [0148-149, 161-163] a link structure analysis and a deeper website analysis is performed).
Claim 19: the combination of Dixon and Vol teaches the computer-implemented method of claim 18, wherein assigning the reputation to the website comprises performing a deep security (Dixon: [0249] a reputation service host looks for characteristics of the Website to determine if it is probable that the site's only reason for existence is to collect personal information. Such heuristics include looking for sites with very few pages, indicating very little content on the site; looking for sites that request personal information on their first page instead of having these requests deeper within the site; and looking for sites that request significant amounts of personal information).
Claim 20: the combination of Dixon and Vol teaches the computer-implemented method of claim 19, wherein the deep security analysis comprises analyzing the website's code for phishing features. (Dixon: [0007-8] A database contains the reputation based upon a link structure analysis; a black list; a heuristic; an automatic test; a dynamic and/or static analysis of an executable application, or script; an analysis of an end user license agreement; a determination of a distinguishing characteristic of a Web site, such as a business model or a genre; the result of a Web crawl; the output of a machine learning facility and so forth, [0124] a reputation service host is associated with a phishing facility adapted to filter phishing, identify phishing activities).
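
The flow recited in claims 1, 11 – 13 and 17 and in the cited Vol passage (find the <form ... method="POST">, hold the submission, consult the local reputation cache before the cloud one, fall back to deep analysis on "unknown", remember the user's override) is sketched below as an added example; it is not code from the application, Dixon or Vol. The field-name hints, verdict strings, cross-host heuristic, .example hosts and all sample HTML are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

SENSITIVE_HINTS = ("pass", "card", "cvv", "ssn")  # assumed field-name hints


class PostFormFinder(HTMLParser):
    """Collect each form's method, resolved action URL and sensitive inputs."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self._form = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            # HTML defaults to GET when the method attribute is absent.
            self._form = {"method": a.get("method", "get").strip().lower(),
                          "action": urljoin(self.page_url, a.get("action", "")),
                          "sensitive": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            name = a.get("name", "").lower()
            if a.get("type", "").lower() == "password" or any(h in name for h in SENSITIVE_HINTS):
                self._form["sensitive"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def deep_analysis(page_url, form):
    """Constructed stand-in: sensitive data leaving the page's own host is 'bad'."""
    same_host = urlsplit(page_url).hostname == urlsplit(form["action"]).hostname
    return "unverified" if same_host else "bad"


class SecurityAgent:
    def __init__(self, cloud_lookup):
        self.cloud_lookup = cloud_lookup
        self.local_cache = {}      # host -> reputation (local cache, claim 13)
        self.user_allowed = set()  # hosts the user confirmed (response cache, claims 10-11)
        self.trace = []            # which tiers were consulted, for inspection

    def reputation(self, page_url, form):
        host = urlsplit(form["action"]).hostname
        if host in self.local_cache:              # local cache first
            self.trace.append("local")
            return self.local_cache[host]
        self.trace.append("cloud")                # cloud only on a local miss
        rep = self.cloud_lookup(host)
        if rep == "unknown":                      # claim 17: unknown -> deep analysis
            self.trace.append("deep")
            rep = deep_analysis(page_url, form)
        self.local_cache[host] = rep
        return rep

    def on_submit(self, page_url, html, confirm):
        """Return 'allow' or 'block'; the submission stays held until this returns."""
        finder = PostFormFinder(page_url)
        finder.feed(html)
        risky = [f for f in finder.forms if f["method"] == "post" and f["sensitive"]]
        if not risky:
            return "allow"
        form = risky[0]  # simplification: a real hook knows which form is being sent
        rep = self.reputation(page_url, form)
        host = urlsplit(form["action"]).hostname
        if rep == "good" or (rep != "bad" and host in self.user_allowed):
            return "allow"
        if rep != "bad" and confirm(form["action"]):  # warn, send only after confirmation
            self.user_allowed.add(host)
            return "allow"
        return "block"


# Constructed sample data.
CLOUD = {"bank.example": "good"}

def cloud_lookup(host):
    return CLOUD.get(host, "unknown")

LOGIN = '<form method="POST" action="/login"><input name="user"><input type="password" name="pw"></form>'
CROSS = '<form method="post" action="https://collector.example/submit"><input type="password" name="pw"></form>'
SHOP = '<form method="POST" action="/checkout"><input name="card_number"></form>'
SEARCH = '<form method="GET" action="/search"><input name="q"></form>'

if __name__ == "__main__":
    agent = SecurityAgent(cloud_lookup)
    print(agent.on_submit("https://portal.example/", CROSS, lambda url: True), agent.trace)
```

A "bad" verdict is never overridable in this sketch, so the response cache only short-circuits the warning for hosts whose reputation is neither good nor bad.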

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 



Any inquiry concerning this communication or earlier communications from the examiner should be directed to Badri -- Champakesan whose telephone number is (571)270-3867. The examiner can normally be reached M-F: 8:30am-5pm (EST). Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi T. Arani can be reached on 5712723787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/BADRINARAYANAN /Examiner, Art Unit 2496.