Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
Applicant's arguments filed November 30, 2021 have been fully considered but they are not persuasive to overcome the prior arts in record and place the claims in condition for allowance for the following reasons.
In the response, the applicant argues by submitting that Gillum does not disclose the domains being similar but not identical and then argues that it would have been obvious to modify Gillum based on the Zink reference. The applicant submits that Zink is not concerned with domains being similar but instead relies on a relationship between a DKIM signature signer and a particular domain.
The examiner respectfully disagrees with the applicant’s analysis and argument because they amount to general allegations that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.
The applicant’s general allegation and contradicting analysis or argument against the prior art Zink are essentially for using the same standard protocols (DKIM) as the applicant’s own disclosure uses for the same purpose [See applicant’s disclosure in Paragraph 0038: In either case, there are only a small number of registrars, and this can be used to identify questionable domains. For example, if “Mimecast.x.com” uses a different registrar than the 

Furthermore, the applicant continues to argue and submits that the Office Action suggests that Gillum discloses wherein the metadata comprises an identity of a registrar for the domain being analyzed and then suggests that, while Gillum and Zink do not explicitly disclose to correlate the identity of a registrar for the domain being analyzed or to correlate an identity of one or more name servers serving the domain being analyzed, Himler discloses these elements. Applicant submits that Himler does not in fact disclose or suggest these elements.
The examiner respectfully disagrees with the applicant’s analysis and argument for the following reasons. Under BRI, a domain registrar and the identity of the domain registrar are a well understood and commonly used Domain Name service defined by several rules and protocols, and the same is discussed in each of the prior arts as well. Furthermore, Himler specifically discloses a system to correlate the identity of a registrar for the domain being analyzed or correlate an identity of one or more name servers serving the domain being analyzed in the sections recited as follows:

[Column 5: lines 12-24]: The determination that a message is non-malicious (or legitimate) may be the result of an automated analysis, including an analysis to determine whether the sender of the message is a trusted sender, or whether the message is a mock malicious message, or it may be the result of a more comprehensive analysis that looks at a broader set of attributes associated with a message (e.g., detection of malware in an attachment, detection of malicious hyperlinks in a message, age of the domains associated with hyperlinks in a message, reputation of the registrar associated with different hyperlinks in a message, language used in the message, etc.).
[Column 5: lines 59-66]: The system may also include or have access to one or more remote or client-installed data sets of reference data 118 that the cybersecurity analyzer server or a client computing device may access when analyzing and classifying messages. The reference data may 
[Column 7: lines 23-39]: The analysis of user-reported messages can extend to the determination of whether the email is malicious or not, independently of whether it originates from a known trusted sender. This analysis may be performed at the level of the client computing device running the messaging client, or it may be performed at the level of a server, or a combination of both. It may also involve accessing one or more internal and external sources of information such as information from domain registrars, blacklists, servers maintaining reputation information, malware repositories (including repositories of malware signatures), caches storing some of this information or pre-computed metrics intended to facilitate the detection of malicious and legitimate messages (e.g. signatures of known malicious messages, who-is data, statistics about the number of hyperlinks found in different types of malicious and legitimate messages, reputation of different domain registrars, etc.) Examples of how the system may use this information will be described below.
[Column 12: lines 1-16]: The particular registrar with which each domain is registered. (For example, the system may maintain or have access to a data set identifying registrars that are more commonly associated with malicious messages than others, and registrars that are not commonly associated with malicious messages. The system may access a domain registrar service or a database of known domain registrations and issue a service call requesting the identity of a registrar for any domain found in the body of a message. The system may then determine whether a match for the identity is in the data set, and if so, it may assign 

For at least the above reasons, the applicant’s arguments are not persuasive to overcome the prior arts in record and place the claims and the application in condition for allowance.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 5-6, 8-10, 13-14, 16-18, 20-21 and 23 are rejected under 35 U.S.C. 103 as being unpatentable over Gillum (US. Pub. No.: 2012/0167233) in view of Zink et al. (Hereinafter .

As per claim 1:
Gillum discloses a system for domain name authentication, the system comprising:
a processor coupled to a memory containing instructions executable by the processor to cause the system to (0016):
maintain a database with a plurality of trusted domains (0013-0014: trusted domain and authorized domain);
analyze a domain associated with an undelivered message intended to be delivered to a recipient, wherein analysis of the domain comprises comparing the domain with one or more of the plurality of trusted domains (0020-0021);
if the domain is determined to be similar to at least one of the trusted domains, correlate metadata of the domain with metadata of the at least one trusted domain (0021-0022 : DKIM); and
flag the domain as being legitimate or flag the domain as being illegitimate based on the correlation (0025-0028; 0025: trust indicator).

Gillum does not explicitly disclose the determined domains to be similar are not identical domains. Zink, in analogous art however, discloses the determined domains to be similar are not identical domains (0028; 0032-0033: align DMARC and domain in the From: address may be trusted domain; DMARC results are usually stamped in the Authentication-Results header in a 

Gillum discloses wherein the metadata comprises an identity of a registrar for the domain being analyzed (0047: To verify that the email message is received from an authorized domain; 

Gillum and Zink do not explicitly disclose correlate the identity of a registrar for the domain being analyzed or correlate an identity of one or more name servers serving the domain being analyzed.  Himler, in analogous art however, discloses correlate the identity of a registrar for the domain being analyzed or correlate an identity of one or more name servers serving the domain being analyzed (Column 1: lines 55-64; column 2: lines 1-7: Determining whether a received message is a legitimate message or a malicious message may include selecting a structural element of the received message, obtaining information corresponding to the structural element, and using the obtained information to assign a trust value to the structural element... There may be various ways to obtain information corresponding to a structural element. If the structural element includes a hyperlink, the method may access a domain name registrar to retrieve information that indicates an age of a domain associated with the hyperlink. The method may also identify a domain name registrar for a domain associated with the 
Himler further discloses (Column 12; lines 2-15: The particular registrar with which each domain is registered. For example, the system may maintain or have access to a data set 
Therefore, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify the limitations of identity of a registrar for the domain disclosed by Gillum to include correlating the identity of a registrar for the domain being analyzed or correlate an identity of one or more name servers serving the domain being analyzed.  This modification would have been obvious because a person having ordinary skill in the art would have been motivated by the desire to provide effective and efficient cybersecurity protection systems that meet a need to reduce reported non-malicious electronic messages, to save time and money, to enable an organization to set non-malicious email senders preemptively, and to provide guidance to the user based on the analysis of the email as suggested by Himler (0019-0020).

As per claim 2:


As per claims 5 and 6:
Gillum does not explicitly disclose wherein the metadata is stored in a domain name system and wherein the metadata comprises at least one of a Mail Exchanger (MX) record, a Sender Policy Framework (SPF) record, and a DomainKeys Identified Mail (DKIM) record. Zink, in analogous art however, discloses wherein the metadata is stored in a domain name system (DNS) (0022-0024: DNS records, DMARC records, SPF records, DKIM records; 0028; 0039), and wherein the metadata comprises at least one of a Mail Exchanger (MX) record, a Sender Policy Framework (SPF) record, and a DomainKeys Identified Mail (DKIM) record (0022-0024: DNS records, DMARC records, SPF records, DKIM records; 0028; 0039). Similarly, Himler, in a similar field of endeavor, discloses wherein the metadata is stored in a domain name system (DNS) (column 4: lines 30-35), and wherein the metadata comprises at least one of a Mail Exchanger (MX) record, a Sender Policy Framework (SPF) record, and a DomainKeys Identified Mail (DKIM) record (column 4: lines 36-55; column 14: lines 16-35).
Therefore, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify the claimed limitations of metadata disclosed by Gillum to include wherein the metadata is stored in a domain name system and wherein the metadata comprises at least one of a Mail Exchanger (MX) record, a Sender Policy Framework (SPF) record, and a DomainKeys Identified Mail (DKIM) record. This modification would have been 

As per claim 8:
Gillum discloses wherein the metadata comprises an identity expressed in Secure Sockets Layer (SSL), Transport Layer Security (TLS), other cryptographic certificates (0048).

As per claim 9:
Gillum discloses a system for detecting a spoofed email message from a sender based on detection of the sender's fraudulent domain associated with the spoofed email message, the system comprising:
a processor coupled to a memory containing instructions executable by the processor to cause the system to (0016):
maintain a database with a plurality of trusted domains (0013-0014: trusted domain and authorized domain; 0020: the email trust service is implemented to determine whether an email message can be trusted, such as whether an email message originated from a trusted business domain);
receive an email message (0020-0021: verify that the email message is received from an authorized domain as specified in a sender address field of the email message);
compare a domain name given in the received email message with one or more of the plurality of trusted domains and determine a level of resemblance between the domain name and one or more of the trusted domains based on the comparison (0021: the email trust service 
if there is a positive level of resemblance between the domain name and one or more similar trusted domains of the plurality of trusted domains, analyze the domain name given in the received email message, wherein analysis of the domain name comprises correlating published metadata of the domain name with published metadata of one or more of the similar (0029: if an email message is received from a domain that is listed in the email safe list, the email trust service may determine that the email is trusted without applying authentication techniques and/or without determining whether an Extended Validation certificate is associated with the domain. The email distribution service 106 can also maintain an email block list 132 of domain names that are not trusted by a user, or that have been determined as untrusted; 0033-0035); and
the metadata comprises an identity of a registrar for the domain being analyzed (0047: To verify that the email message is received from an authorized domain; authentication techniques include a DomainKeys Identified Mail (DKIM) authentication technique and a SenderID authentication technique; 0048: the email trust service determines whether an Extended Validation certificate is associated with the authorized domain by extracting a domain 
flag the domain name as being legitimate and the email message as safe or flag the domain name as being illegitimate and the email message as potentially harmful based on the correlation (0025-0028: trust indicator; The email trust service can obtain a Favicon that is associated with an authorized business domain. A Favicon that is associated with a business domain generally includes a logo or picture that is associated with the particular domain, such as a logo of a business or organization; 0049).
Gillum does not explicitly disclose the determined domains to be similar are not identical domains. Zink, in analogous art however, discloses the determined domains to be similar are not identical domains (0028; 0032-0033: align DMARC and domain in the From: address may be trusted domain; DMARC results are usually stamped in the Authentication-Results header in a message; 0039: the domain in the From: address may be checked to align with either the domain that passes SPF or the domain that passes DKIM (defined in the d= field). If a message passes all three, then it may be considered as passing DMARC as not being spoofed and forwarded to mail storage; 0043: reconstructed domain may be aligned from the selector against the actual domain in the “From” address to pass DMARC; 0064-0066). It is further noted that a DMARC verification as described in Zink et al. relies on a strict or relaxed alignment.  See e.g. 
Gillum and Zink do not explicitly disclose correlate the identity of a registrar for the domain being analyzed or correlate an identity of one or more name servers serving the domain being analyzed.  Himler, in analogous art however, discloses correlate the identity of a registrar for the domain being analyzed or correlate an identity of one or more name servers serving the domain being analyzed (Column 1: lines 55-64; column 2: lines 1-7: Determining whether a received message is a legitimate message or a malicious message may include selecting a structural element of the received message, obtaining information corresponding to the structural element, and using the obtained information to assign a trust value to the structural element... There may be various ways to obtain information corresponding to a structural 
Himler further discloses (Column 12; lines 2-15: The particular registrar with which each domain is registered. For example, the system may maintain or have access to a data set identifying registrars that are more commonly associated with malicious messages than others, and registrars that are not commonly associated with malicious messages. The system may access a domain registrar service or a database of known domain registrations and issue a service call requesting the identity of a registrar for any domain found in the body of a message. The system may then determine whether a match for the identity is in the data set, and if so, it may assign a value for this factor based on a measure of the extent to which the data set identifies the registrar as being known (or not known) to be associated with malicious websites. In this way, the system can maintain information about the reputations of registrars and use this information as a factor to determining a trust score for the message; Column 15: lines 15-20).
Therefore, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify the limitations of identity of a registrar for the domain disclosed by Gillum to include correlating the identity of a registrar for the domain being analyzed or correlate an identity of one or more name servers serving the domain being analyzed.  This modification would have been obvious because a person having ordinary skill in the art would have been motivated by the desire to provide effective and efficient cybersecurity protection systems that meet a need to reduce reported non-malicious electronic messages, to save time and money, to enable an organization to set non-malicious email senders 

As per claim 10:
Gillum discloses wherein the domain name is flagged as being legitimate based on a positive correlation and the domain name is flagged as being illegitimate based on a negative correlation (0034-0036: List view includes Trust indicator; Safe list; Block list; 0049-0051: a trust indicator is a Favicon that is associated with a domain name; the email trust service requests a Favicon from a website that is associated with the authorized domain and configured to distribute the Favicon, and then receives the Favicon from the website).

As per claims 13-14 and 16:
Claims 13-14 and 16 are directed to limitations having substantially similar features corresponding to limitations of claims 5-6 and 8 respectively and therefore claims 13-14 and 16 are rejected with the same rationale given above to reject corresponding claims 5-6 and 8.

As per claim 17:
Gillum discloses a system for detecting one or more dangerous websites including one or more fraudulent domains, the system comprises
a processor coupled to a memory containing instructions executable by the processor to cause the system to (0016): 

compare an unrecognized domain associated with a website with one or more of the plurality of trusted domains and determine a level of resemblance between the unrecognized domain and one or more of the trusted domains based on the comparison (0021: the email trust service verifies that an email message is received from a reputable source, such as a well-known company, financial institution, or other legitimate business at a known business domain; 0022: Various authentication techniques can be applied by the email trust service to an email message, the email trust service applies DomainKeys Identified Mail (DKIM) authentication techniques and/or SenderID authentication techniques to an email message. Both DKIM and SenderID can be used to verify that an email message is received from an authorized domain as specified in the sender address field of the email message; 0023: the email trust service can extract the domain “starbank.com" from the sender address "john@starbank.com", and then establish a secure connection with the website "www.starbank.com", which may be a business domain; 0048-0049);
if there is a positive level of resemblance between the unrecognized domain and one or more similar trusted domains of the plurality of trusted domains, analyze the unrecognized domain associated with the website, wherein analysis of the unrecognized domain comprises correlating published metadata of the unrecognized domain with published metadata of one or more of the similar trusted domains (0029: if an email message is received from a domain that is 
at least one of an identity of a registrar for the domain being analyzed or an identity of one (0047: To verify that the email message is received from an authorized domain; authentication techniques include a DomainKeys Identified Mail (DKIM) authentication technique and a SenderID authentication technique; 0048: the email trust service determines whether an Extended Validation certificate is associated with the authorized domain by extracting a domain name from a sender address field of the email message and then examining a certificate provided by a website that is associated with the domain name) or more name servers serving the domain being analyzed (0023: the email trust service can extract the domain name from the sender address field of the email message and establish a secure connection with the domain, such as by connecting to a website associated with the domain); and
flag the domain as being legitimate and the website as safe or flag the domain as being illegitimate and the website as potentially dangerous based on the correlation (0025-0028: trust indicator; The email trust service can obtain a Favicon that is associated with an authorized business domain. A Favicon that is associated with a business domain generally includes a logo or picture that is associated with the particular domain, such as a logo of a business or organization; 0049).

Gillum and Zink do not explicitly disclose correlate the identity of a registrar for the domain being analyzed or correlate an identity of one or more name servers serving the domain being analyzed.  Himler, in analogous art however, discloses correlate the identity of a registrar for the domain being analyzed or correlate an identity of one or more name servers serving the domain being analyzed (Column 1: lines 55-64; column 2: lines 1-7: Determining whether a received message is a legitimate message or a malicious message may include selecting a structural element of the received message, obtaining information corresponding to the structural element, and using the obtained information to assign a trust value to the structural element... There may be various ways to obtain information corresponding to a structural element. If the structural element includes a hyperlink, the method may access a domain name registrar to retrieve information that indicates an age of a domain associated with the hyperlink. The method may also identify a domain name registrar for a domain associated with the hyperlink, and access a data set of known domain name registrars to identify whether the registrar is known to register malicious websites. The method may also determine a number of redirects associated with the plurality of hyperlinks, if the structural element includes a plurality of hyperlinks. Column 5: lines 12-24:The determination that a message is non-malicious (or legitimate) may be the result of an automated analysis, including an analysis to determine whether the sender of the message is a trusted sender, or whether the message is a mock malicious message, or it may be the result of a more comprehensive analysis that looks at a broader set of attributes associated with a message (e.g., detection of malware in an attachment, 
Himler further discloses (Column 12; lines 2-15: The particular registrar with which each domain is registered. For example, the system may maintain or have access to a data set identifying registrars that are more commonly associated with malicious messages than others, and registrars that are not commonly associated with malicious messages. The system may access a domain registrar service or a database of known domain registrations and issue a service call requesting the identity of a registrar for any domain found in the body of a message. The system may then determine whether a match for the identity is in the data set, and if so, it may assign a value for this factor based on a measure of the extent to which the data set identifies the registrar as being known (or not known) to be associated with malicious websites. 
Therefore, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify the limitations of identity of a registrar for the domain disclosed by Gillum to include correlating the identity of a registrar for the domain being analyzed or correlate an identity of one or more name servers serving the domain being analyzed.  This modification would have been obvious because a person having ordinary skill in the art would have been motivated by the desire to provide effective and efficient cybersecurity protection systems that meet a need to reduce reported non-malicious electronic messages, to save time and money, to enable an organization to set non-malicious email senders preemptively, and to provide guidance to the user based on the analysis of the email as suggested by Himler (0019-0020).

As per claim 18:
Claim 18 is directed to limitations having substantially similar features corresponding to limitations of claim 10 and therefore claim 18 is rejected with the same rationale given above to reject claim 10.

As per claims 20-21 and 23:
Claims 20-21 and 23 are directed to limitations having substantially similar features corresponding to limitations of claims 5-6 and 8 respectively and therefore claims 20-21 and 23 are rejected with the same rationale given above to reject corresponding claims 5-6 and 8.

Claim Rejections - 35 USC § 103

Claims 7, 15 and 22 are rejected under 35 U.S.C. 103 as being unpatentable over Gillum and Zink in view of Himler et al. (hereinafter referred to as Himler, US. Pat. No.: US 9774626 B1) and in further view of Shull et al. (hereinafter referred to as Shull, US. Pub. No.: 20080034211).

As per claims 7, 15 and 22:
Gillum, Zink and Himler do not explicitly disclose wherein the metadata comprises information stored in a WHOIS database. Shull, in analogous art however, discloses wherein the metadata comprises information stored in a WHOIS database (0064; 0083; 0092). Therefore, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify the method disclosed by Gillum, Zink and Himler to include wherein the metadata comprises information stored in a WHOIS database. This modification methods and systems for validating ownership of domain names as suggested by Shull (0011).

BRI (Broadest Reasonable Interpretation)
The above claims under examination have been given their BRI consistent with the applicant’s disclosure as it would be interpreted by one of ordinary skill in the art and the following claim words or terms or phrases or languages have been given to them the following reasonable BRI considerations in view of the applicant’s disclosure in order to construe boundary and scope of the claimed limitations. For example, for the following claim words or terms or phrases or languages, the examiner recites BRI considerations from the applicant’s disclosure as follows:
DNS metadata: [0014; 0032; 0039: The system 10 is configured to analyze most, if not all, DNS metadata provided by a DNS system, for example, for a given domain under inspection, including, but not limited to, the registrar of the domain, the IP addresses of Mail Exchanger (MX) records, DomainKeys Identified Mail (DKIM) records, and other service addresses beyond Simple Mail Transfer Protocol (SMTP), Internet Message Access Protocol (IMAP), and Post Office Protocol (POP). The system 10 is further configured to utilize other data associated with the domain name under inspection, such as behavioral attributes of the trusted entity or party, including, but not limited to, server software in use and policies the entity or party enforces].
Correlate Registrar: [0035: A security module for analyzing the email message, specifically determining a correlation between the domain of the email message under inspection and a well-
[0038: For example, FIG. 4 is a flow diagram illustrating a decision module of the security system for determining whether an email message is authentic upon inspection of the domain based, at least in part, on metadata stored in a Domain Name System (DNS). For example, most companies register all of their domains with a single registrar, or serve as their own registrar. In either case, there are only a small number of registrars, and this can be used to identify questionable domains. For example, if “Mimecast.x.com” uses a different registrar than the Mimecast domains do, it is likely an attempt to fool someone. Similarly, the contents of a DNS record may hold similar clues. If a company has a DKIM or SPF record, it is likely to be consistent throughout the company, so a different DKIM or SPF record would be another red flag]. 
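
The check described in paragraph 0038 (a look-alike of a trusted domain whose registrar or DNS records differ is a red flag) can be sketched as follows. This is an added example, not code from the application or from any cited reference. The domains use the reserved .example suffix, and all registrar names, name servers, SPF strings, the 0.8 threshold and the "any mismatch is illegitimate" policy are constructed assumptions.

```python
from dataclasses import dataclass
from difflib import SequenceMatcher


@dataclass(frozen=True)
class DomainMeta:
    registrar: str
    name_servers: frozenset
    spf: str


def normalize(domain: str) -> str:
    """Lower-case and drop the trailing root dot so comparisons are stable."""
    return domain.strip().rstrip(".").lower()


def resemblance(candidate: str, trusted: str) -> float:
    """Score 0..1 for how closely candidate imitates trusted."""
    cand, trust = normalize(candidate), normalize(trusted)
    # Assumption: the brand is the left-most label of the trusted domain.
    # Production code would derive it with the Public Suffix List.
    brand = trust.split(".")[0]
    if cand != trust and brand in cand.split("."):
        return 1.0  # brand reused as a label of another domain ("Mimecast.x.com" pattern)
    return SequenceMatcher(None, cand, trust).ratio()


def correlate(cand: DomainMeta, trust: DomainMeta) -> list:
    """Return the red flags found when comparing published metadata."""
    flags = []
    if cand.registrar.casefold() != trust.registrar.casefold():
        flags.append("registrar differs")
    if not (cand.name_servers & trust.name_servers):
        flags.append("no shared name servers")
    if cand.spf.split() != trust.spf.split():
        flags.append("SPF record differs")
    return flags


def classify(domain: str, meta: DomainMeta, trusted_db: dict, threshold: float = 0.8):
    """Return (verdict, flags) for one observed domain.

    trusted    : identical to a trusted domain, no correlation needed
    unrelated  : not similar to any trusted domain
    legitimate : similar, and metadata matches the trusted domain
    illegitimate : similar but not identical, and metadata diverges
    """
    name = normalize(domain)
    if name in trusted_db:
        return "trusted", []
    best, score = max(
        ((t, resemblance(name, t)) for t in trusted_db),
        key=lambda pair: pair[1],
        default=(None, 0.0),
    )
    if score < threshold:
        return "unrelated", []
    flags = correlate(meta, trusted_db[best])
    return ("illegitimate" if flags else "legitimate"), flags


# Constructed sample data: in practice these values come from WHOIS/RDAP and DNS lookups.
CORP = DomainMeta(
    "Registrar A (constructed)",
    frozenset({"ns1.starbank-dns.example", "ns2.starbank-dns.example"}),
    "v=spf1 include:_spf.starbank.example -all",
)
OTHER = DomainMeta(
    "Registrar B (constructed)",
    frozenset({"ns1.parking.example"}),
    "v=spf1 +all",
)
TRUSTED = {"starbank.example": CORP}
OBSERVED = {
    "starbank.example": CORP,         # identical to a trusted domain
    "StarBank-Mail.example.": CORP,   # sibling registered by the same company
    "starbannk.example": OTHER,       # typo look-alike
    "starbank.login.example": OTHER,  # brand used as a label of another domain
    "weather-report.example": OTHER,  # no resemblance
}


def run_demo() -> dict:
    return {d: classify(d, m, TRUSTED) for d, m in OBSERVED.items()}


if __name__ == "__main__":
    for domain, (verdict, flags) in run_demo().items():
        print(f"{domain:28} {verdict:13} {', '.join(flags)}")
```
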

Conclusion
The prior arts made of record and not relied upon are considered pertinent to applicant's disclosure. See the notice of reference cited in form PTO-892 for additional prior arts.

THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  


Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TECHANE GERGISO whose telephone number is (571)272-3784.  The examiner can normally be reached on 9:30am to 6:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JUNG W KIM can be reached on 5712723804.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished 






/TECHANE GERGISO/Primary Examiner, Art Unit 2494