DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This action is in response to application filed on 09/27/2019. Claims 1-32 have been filed, from which claims 1, 9, 17 and 25 are independent claims.

Priority
No priority has been claimed.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 02/08/2021 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) are: 
1) Functional limitations in claim 1, i.e., “analysis selector to select the first website analyzer…, [and] select the second website analyzer…”, “a website analyzer to analyze …”, “a website analyzer indicating a classification…” “a website classifier to,…, classify…”. Similarly, additional functional limitations respectively attributed to “a third website analyzer”, “a site browser”, “a data form identifier”, “a data generator”, “a form executor”, “a response analyzer”, “a site behavior classifier” in claims 2-8 do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f).
2) Functional limitations in claim 25, i.e., “means for selecting… to select the first website analyzer…, [and] select the second website analyzer…”, “a website analyzer to analyze…”, “a website analyzer indicating a classification…”, “means for classifying to,…, classify…”. Similarly, additional functional limitations respectively attributed to “third means for analyzing”, “means for browsing”, “means for identifying”, “means for generating”, “means for submitting”, “means for inspecting”, “means for determining” in claims 26-32 use the word “means” and are being interpreted under 35 U.S.C. 112(f).

Because these claim limitation(s) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, they are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof. 
If applicant does not intend to have these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.

Claim Objections
Claims 1 and 25 are objected to because of the following informalities:  
“[A] website analyzer indicating a classification…” and “a website classifier to,… classify…” in claim 1 and similarly stated in claim 25 do not clearly point out and distinctly claim which one of the claimed components, i.e., analyzer(s) or classifier, indicates a classification and/or classifies and therefore are contradictory/confusing.
For examination, “a website analyzer indicating a classification that exceeds a confidence threshold” is interpreted “a website analyzer indicating a website analysis result that exceeds a confidence threshold”, wherein in response to the website analysis result, the website classifier is configured to classify the requested website as a benign website or a website presenting a phishing attack.      
Appropriate correction and/or clarification are required in order to avoid a 112(b) indefiniteness rejection.

Examiner’s Note on Abstract Idea Analysis
Per 2019 Revised PEG:
Step 1 – claims 1, 9, 17 and 25, being interpreted under 35 U.S.C. 112(f), are directed to at least one of the four categories of patent eligible subject matters.
Step 2A, prong one - in accordance with the abstract idea groupings defined in 2019 Revised PEG for Electrical Arts, claims 1, 9, 17 and 25, being interpreted under 35 U.S.C. 112(f), do NOT recite any limitation which may reasonably be construed as “abstract”.
As such, claims 1-32 are patent eligible.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1, 3-4, 9, 11-12, 17, 19-20, 25 and 27-28 are rejected under 35 U.S.C. 102(a) (2) as being anticipated by Mesdaq, US10601865B1.

Per claim 1, Mesdaq discloses an apparatus to detect website-based phishing attacks, the apparatus comprising: 
a plurality of website analyzers to analyze a requested website for evidence of a phishing attack, the plurality of website analyzers including a first website analyzer and a second website analyzer (The parser 124 within the static analysis logic 120 parses the received network traffic and extracts SMTP traffic (e.g., an email) and provides the email to the email analysis logic 121.  The email analysis logic 121 performs a first stage of analysis on the email which includes an analysis of the header and contents of the body of the email. The email analysis logic 121 performs a first stage of analysis on the email which includes an analysis of the header and contents of the body of the email. The email is also provided to the URL analysis logic 121 which performs a second stage of analysis including parsing the email for a URL and upon detection of a URL, performing an analysis of the URL itself – Mesdaq: col. 7, lines 19-28); 
an analysis selector to select the first website analyzer for execution, the analysis selector to, in response to determining that an additional analyzer is to be executed, select the second website analyzer to analyze the requested website (The email analysis logic 121 performs a first stage of analysis on the email which includes an analysis of the header and contents of the body of the email.  The email is also provided to the URL analysis logic 121 which performs a second stage of analysis including parsing the email for a URL and upon detection of a URL, performing an analysis of the URL itself.  Additionally, when a URL is detected, the email is provided to the web page analysis logic 123, which performs a third stage of analysis including fetching the web page content (e.g., HTML source code and associated metadata) and analyzing the header and body contents of the web page.  In one embodiment, the analyses may be performed sequentially (e.g., email analysis, URL analysis, web page analysis) or one or more of the analyses may be performed concurrently (e.g., at least partially overlapping at the same time).  In some embodiments, information and results of one analyses may be used to assist in other analyses.  For example, information and results of the email analysis and/or the URL analysis may aid the web page analysis by providing the web page analysis logic 123 with the domain of the sender of the email and/or a domain of the URL (e.g., prior to one or more redirects), which may assist the web page analysis logic 123 in narrowing its analysis – Mesdaq: col. 7, lines 22-45 – Note: per paragraph 0015 in the instant specification, descriptors "first," "second," "third," etc. are used herein when identifying multiple elements or components which may be referred to separately…such descriptors are not intended to impute any meaning of priority, physical order or arrangement in a list, or ordering in time but are merely used as labels for referring to multiple elements or components separately for ease of understanding the disclosed examples); and 
a website classifier to, in response to a website analyzer indicating a classification that exceeds a confidence threshold, classify the requested website as a benign site or presenting a phishing attack (A classification logic includes logic to prioritize the results of the analyses performed by the static analysis logic and/or the dynamic analysis logic to determine whether the email is associated with a phishing attack, or in particular, a spearphishing attack.  In some embodiments, the score determination logic of the classification logic may generate a score indicating a level of confidence that the email is associated with a spearphishing attack. Herein, a score may be a numerical value; one of a predefined set of categories such as "suspicious," "malicious," or "benign" – Mesdaq: col. 4, lines 1-10).

Per claim 9, Mesdaq discloses at least one non-transitory computer readable medium comprising instructions that, when executed, cause at least one processor to at least: 
select a first website analyzer to analyze a requested website (The parser 124 within the static analysis logic 120 parses the received network traffic and extracts SMTP traffic (e.g., an email) and provides the email to the email analysis logic 121.  The email analysis logic 121 performs a first stage of analysis on the email which includes an analysis of the header and contents of the body of the email. The email analysis logic 121 performs a first stage of analysis on the email which includes an analysis of the header and contents of the body of the email – Mesdaq: col. 7, lines 19-25); 
analyze the requested website for evidence of a phishing attack (The email is also provided to the URL analysis logic 121 which performs a second stage of analysis including parsing the email for a URL and upon detection of a URL, performing an analysis of the URL itself – Mesdaq: col. 7, lines 25-28);
determine whether a second analyzer is to be executed (The email analysis logic 121 performs a first stage of analysis on the email which includes an analysis of the header and contents of the body of the email.  The email is also provided to the URL analysis logic 121 which performs a second stage of analysis including parsing the email for a URL and upon detection of a URL, performing an analysis of the URL itself.  Additionally, when a URL is detected, the email is provided to the web page analysis logic 123, which performs a third stage of analysis including fetching the web page content (e.g., HTML source code and associated metadata) and analyzing the header and body contents of the web page – Mesdaq: col. 7, lines 22-45); 
in response to determining that an additional analyzer is to be executed, select a second website analyzer to analyze the requested website (In one embodiment, the analyses may be performed sequentially (e.g., email analysis, URL analysis, web page analysis) or one or more of the analyses may be performed concurrently (e.g., at least partially overlapping at the same time).  In some embodiments, information and results of one analyses may be used to assist in other analyses.  For example, information and results of the email analysis and/or the URL analysis may aid the web page analysis by providing the web page analysis logic 123 with the domain of the sender of the email and/or a domain of the URL (e.g., prior to one or more redirects), which may assist the web page analysis logic 123 in narrowing its analysis – Mesdaq: col. 7, lines 22-45 – Note: per paragraph 0015 in the instant specification, descriptors "first," "second," "third," etc. are used herein when identifying multiple elements or components which may be referred to separately…such descriptors are not intended to impute any meaning of priority, physical order or arrangement in a list, or ordering in time but are merely used as labels for referring to multiple elements or components separately for ease of understanding the disclosed examples); and 
in response to an indication that a classification exceeds a confidence threshold, classify the requested website as a benign site or as presenting a phishing attack (A classification logic includes logic to prioritize the results of the analyses performed by the static analysis logic and/or the dynamic analysis logic to determine whether the email is associated with a phishing attack, or in particular, a spearphishing attack.  In some embodiments, the score determination logic of the classification logic may generate a score indicating a level of confidence that the email is associated with a spearphishing attack. Herein, a score may be a numerical value; one of a predefined set of categories such as "suspicious," "malicious," or "benign" – Mesdaq: col. 4, lines 1-10).

Per claim 17, Mesdaq discloses a method of detecting whether a requested website is presenting a phishing attack, the method comprising: 
selecting a first website analyzer to analyze the requested website (The parser 124 within the static analysis logic 120 parses the received network traffic and extracts SMTP traffic (e.g., an email) and provides the email to the email analysis logic 121.  The email analysis logic 121 performs a first stage of analysis on the email which includes an analysis of the header and contents of the body of the email. The email analysis logic 121 performs a first stage of analysis on the email which includes an analysis of the header and contents of the body of the email – Mesdaq: col. 7, lines 19-25);
analyzing the requested website for evidence of a phishing attack (The email is also provided to the URL analysis logic 121 which performs a second stage of analysis including parsing the email for a URL and upon detection of a URL, performing an analysis of the URL itself – Mesdaq: col. 7, lines 25-28); 
determining, by executing an instruction with a processor, whether an additional analyzer is to be executed (The email analysis logic 121 performs a first stage of analysis on the email which includes an analysis of the header and contents of the body of the email.  The email is also provided to the URL analysis logic 121 which performs a second stage of analysis including parsing the email for a URL and upon detection of a URL, performing an analysis of the URL itself.  Additionally, when a URL is detected, the email is provided to the web page analysis logic 123, which performs a third stage of analysis including fetching the web page content (e.g., HTML source code and associated metadata) and analyzing the header and body contents of the web page – Mesdaq: col. 7, lines 22-45); 
in response to determining that the additional analyzer is to be executed, selecting a second website analyzer to analyze the requested website (In one embodiment, the analyses may be performed sequentially (e.g., email analysis, URL analysis, web page analysis) or one or more of the analyses may be performed concurrently (e.g., at least partially overlapping at the same time).  In some embodiments, information and results of one analyses may be used to assist in other analyses.  For example, information and results of the email analysis and/or the URL analysis may aid the web page analysis by providing the web page analysis logic 123 with the domain of the sender of the email and/or a domain of the URL (e.g., prior to one or more redirects), which may assist the web page analysis logic 123 in narrowing its analysis – Mesdaq: col. 7, lines 22-45 – Note: per paragraph 0015 in the instant specification, descriptors "first," "second," "third," etc. are used herein when identifying multiple elements or components which may be referred to separately…such descriptors are not intended to impute any meaning of priority, physical order or arrangement in a list, or ordering in time but are merely used as labels for referring to multiple elements or components separately for ease of understanding the disclosed examples); and 
in response to an indication that a classification exceeds a confidence threshold, classifying, by executing an instruction with the processor, the requested website as a benign site or as presenting a phishing attack (A classification logic includes logic to prioritize the results of the analyses performed by the static analysis logic and/or the dynamic analysis logic to determine whether the email is associated with a phishing attack, or in particular, a spearphishing attack.  In some embodiments, the score determination logic of the classification logic may generate a score indicating a level of confidence that the email is associated with a spearphishing attack. Herein, a score may be a numerical value; one of a predefined set of categories such as "suspicious," "malicious," or "benign" – Mesdaq: col. 4, lines 1-10).

Per claim 25, Mesdaq discloses an apparatus to detect website-based phishing attacks, the apparatus comprising: 
first means for analyzing (The parser 124 within the static analysis logic 120 parses the received network traffic and extracts SMTP traffic (e.g., an email) and provides the email to the email analysis logic 121.  The email analysis logic 121 performs a first stage of analysis on the email which includes an analysis of the header and contents of the body of the email. The email analysis logic 121 performs a first stage of analysis on the email which includes an analysis of the header and contents of the body of the email – Mesdaq: col. 7, lines 19-25); 
second means for analyzing (The email is also provided to the URL analysis logic 121 which performs a second stage of analysis including parsing the email for a URL and upon detection of a URL, performing an analysis of the URL itself – Mesdaq: col. 7, lines 25-28), 
the first and second means for analyzing to analyze a requested website for evidence of a phishing attack (At block 602, the content information and attributes of the email are extracted.  Herein, the content information may refer to the contents of the body of the email and include, but is not limited or restricted to, one or more URLs detected within the email, one or more input forms (e.g., text boxes, radio buttons, drop down menus, etc.) detected within the email, the location of URLs detected within the email, and/or text and/or images detected within the email…in FIG. 6, blocks 602 and 603 highlight at least a portion of the email analysis described as stage 1 above and blocks 602 and 604 highlight at least a portion of the URL analysis described as stage 2… – Mesdaq: col. 10, lines 55-62 and col. 11, lines 20-59 – Note: the results of the analyses performed by the static analysis logic and/or the dynamic analysis logic determines whether the email is associated with a phishing attack, or in particular, a spearphishing attack); 
means for selecting to select a first website analyzer for execution, the means for selecting to, in response to determining that an additional analyzer is to be executed, select a second website analyzer to analyze the requested website (The email analysis logic 121 performs a first stage of analysis on the email which includes an analysis of the header and contents of the body of the email.  The email is also provided to the URL analysis logic 121 which performs a second stage of analysis including parsing the email for a URL and upon detection of a URL, performing an analysis of the URL itself.  Additionally, when a URL is detected, the email is provided to the web page analysis logic 123, which performs a third stage of analysis including fetching the web page content (e.g., HTML source code and associated metadata) and analyzing the header and body contents of the web page.  In one embodiment, the analyses may be performed sequentially (e.g., email analysis, URL analysis, web page analysis) or one or more of the analyses may be performed concurrently (e.g., at least partially overlapping at the same time).  In some embodiments, information and results of one analyses may be used to assist in other analyses.  For example, information and results of the email analysis and/or the URL analysis may aid the web page analysis by providing the web page analysis logic 123 with the domain of the sender of the email and/or a domain of the URL (e.g., prior to one or more redirects), which may assist the web page analysis logic 123 in narrowing its analysis – Mesdaq: col. 7, lines 22-45 – Note: per paragraph 0015 in the instant specification, descriptors "first," "second," "third," etc. are used herein when identifying multiple elements or components which may be referred to separately…such descriptors are not intended to impute any meaning of priority, physical order or arrangement in a list, or ordering in time but are merely used as labels for referring to multiple elements or components separately for ease of understanding the disclosed examples); and 
means for classifying to, in response to a website analyzer indicating a classification that exceeds a confidence threshold, classify the requested website as a benign site or presenting a phishing attack (A classification logic includes logic to prioritize the results of the analyses performed by the static analysis logic and/or the dynamic analysis logic to determine whether the email is associated with a phishing attack, or in particular, a spearphishing attack.  In some embodiments, the score determination logic of the classification logic may generate a score indicating a level of confidence that the email is associated with a spearphishing attack. Herein, a score may be a numerical value; one of a predefined set of categories such as "suspicious," "malicious," or "benign" – Mesdaq: col. 4, lines 1-10).

Per claim 3, Mesdaq discloses apparatus of claim 1, further including a third website analyzer to identify a target site the requested website may be impersonating and to compare data from the requested website to data from the target site (The static analysis logic includes (i) an email analysis logic that extracts and analyzes the header and body of the email, (ii) a URL analysis logic to extract and analyze a URL included within the email, and (iii) a web page analysis logic to fetch the HTML code of the web page corresponding to the URL, subsequently extract and analyze the header and body, including images contained therein, and determine whether the web page is attempting to impersonate (e.g., a victim domain). The dynamic analysis logic includes…(c) an expert system to correlate the target domain with the victim domain and apply additional heuristics to determine if the web page is associated with spearphishing – Mesdaq: col. 3, lines 32-48).
Similar analysis set forth above in the rejection of claim 3, applies to features of each of claims 11, 19 and 27 because they have similar scopes. As such, claims 11, 19 and 27 are rejected based on the same analysis as set forth in the rejection of claim 3 above.

Per claim 4, Mesdaq discloses apparatus of claim 1, further including a third website analyzer to analyze a behavior of the requested website in response to a submission of a data form of the requested website (The static analysis logic includes … (iii) a web page analysis logic to fetch the HTML code of the web page corresponding to the URL, subsequently extract and analyze the header and body, including images contained therein, and determine whether the web page is attempting to impersonate (e.g., a victim domain).  The dynamic analysis logic includes (a) at least one virtual machine (VM) to dynamically process the HTML source code of the web page to which the URL in the email directs – Mesdaq: col. 3, lines 32-44).
Similar analysis set forth above in the rejection of claim 4, applies to features of each of claims 12, 20 and 28 because they have similar scopes. As such, claims 12, 20 and 28 are rejected based on the same analysis as set forth in the rejection of claim 4 above.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

1.	Claims 2, 10, 18 and 26 are rejected under 35 U.S.C. 103 as being unpatentable over Mesdaq, US10601865B1, in view of Pidathala, US2015/0007312A1.

Per claim 2, Mesdaq discloses the apparatus of claim 1.
Mesdaq is not relied on to disclose but Pidathala discloses wherein the analysis selector is to determine whether the second website analyzer is to be executed based on a confidence value returned by the first website analyzer (a first system performs pre-filtering using whitelists and/or blacklists to pass only specimens requiring further analysis to the second system…Such a pre-filtering operation can significantly screen out any URL links that are known to be either non-malicious links or malicious links…if the frequency of encountering a link specifying a particular IP address or particular domain is above a set threshold, the heuristic may assign to the link a higher probability that the link is associated with malware, and should be classified as at least suspicious and requiring further analysis – Pidathala: par. 0033 and 0042).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Mesdaq in view of Pidathala to include wherein the analysis selector is to determine whether the second website analyzer is to be executed based on a confidence value returned by the first website analyzer.
One of ordinary skill in the art would have been motivated because it would allow to “reduce a number of links to be examined” by calculating a probability of a link being suspicious, wherein “[w]hile the probability may not be sufficient to declare the link as malicious, the probability may be sufficient to classify the link as suspicious and requiring further analysis” – Pidathala: par. 0026 – Note: more efficient analysis.
Similar analysis set forth above in the rejection of claim 2, applies to features of each of claims 10, 18 and 26 because they have similar scopes. As such, claims 10, 18 and 26 are rejected based on the same analysis and motivation to combine as set forth in the rejection of claim 2 above.

2.	Claims 5-8, 13-16, 21-24 and 29-32 are rejected under 35 U.S.C. 103 as being unpatentable over Mesdaq, US10601865B1, in view of Wilcox, US2020/0053120A1.

Per claim 5, Mesdaq discloses the apparatus of claim 4, wherein the third website analyzer includes: 
a site browser to request the requested website (At block 702, the URL, detected during parsing and/or analysis of the header and body contents of the email is activated.  Herein, by activating the URL, the web page analysis logic of the spearphishing credential detection system initiates a request for the HTML source code corresponding to the URL – Mesdaq: col. 12, lines 21-26); 
a data form identifier to identify a form in the requested website that accepts input (At block 801, the dynamic analysis logic receives the HTML source code for the web page directed to by the URL in the email… At block 802, the web page is scanned for input fields that submit data to an external server via a request method supported by the Hypertext Transfer Protocol (HTTP), which may be, for example, a HTTP POST request. Herein, the analysis may look to detect a POST request as a POST request requests that a web server accepts data enclosed in the request payload – Mesdaq: col. 13, lines 57-67 and col. 14, lines 3-11 – Note: wherein as explained in col. 16, lines 58-61, the web browsing emulation logic may analyze the POST request generated by submission of content into the input form during the virtual processing of the web page 1000). 
Mesdaq is not relied on to explicitly disclose but Wilcox discloses a data generator to generate data to be placed into the form (the system may analyze a body of text of the message 106 using a natural language processing (NLP) model to determine the type(s) of information that is being sought…At block 407, the system may generate content that corresponds to the type(s) of information that is being sought… At block 409, the system may cause the content generated at block 407 to be transmitted in a response to the message 106.  For example, under circumstances where the message 106 includes a link to the phishing webpage that includes form fields for submitting requested information, the system may enter the generated content into the form fields – Wilcox: par. 0080-0082 – Note: if the message 106 is designed to fraudulently obtain credit card information (e.g., credit card numbers, expiration dates, etc.), then the system may generate this type of information using a credit card number generator.  As another example, if the message 106 is designed to fraudulently obtain user names and/or passwords for real user accounts 134, then the system may generate fake user names and/or fake passwords); 
a form executor to submit the form (At block 409, … once the form field(s) have the content entered therein, the system may activate a UI input control that submits a response (that includes the entered content) to a phisher computing system – Wilcox: par. 0082); 
a response analyzer to analyze a response of the requested website to the form (The message generated by the response engine 114 may further inquire as to whether any alternate forms of online payment can be accepted.  This impersonation response 206 may then induce the phisher into providing instructions on how to remit payment to a particular online payment account that the phisher also uses to conduct another phishing campaign 126 – Wilcox: par. 0060-0063).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Mesdaq in view of Wilcox to include a data generator to generate data to be placed into the form; a form executor to submit the form; a response analyzer to analyze a response of the requested website to the form.
One of ordinary skill in the art would have been motivated because it would allow “to trigger a conversation cycle in which the phisher is lured into conversing with the system” and as a result “the phisher is duped into wasting some amount of time participating in the conversation cycle--thereby preventing them from utilizing that time to target and/or converse with real users that may potentially fall victim to the phishing campaign” – Wilcox: par. 0015.

Mesdaq further discloses a site behavior classifier to determine whether the requested website is a phishing attack using a behavior of the requested website (A classification logic includes logic to prioritize the results of the analyses performed by the static analysis logic and/or the dynamic analysis logic to determine whether the email is associated with a phishing attack, or in particular, a spearphishing attack… After any analysis, the score determination logic may determine a first score according to one or more analyses that is above a first threshold indicating a phishing attack (e.g., based on the presence of a domain in a detected URL known to be associated with a generic phishing attack) or a second score that is above a second threshold indicating a credential spearphishing attack (e.g., based on the presence of a domain in a detected URL known to be associated with a spearphishing attack and/or the presence of input forms on a web page requesting credential information) – Mesdaq: col. 4, lines 1-5 and lines 22-32).
	
Per claim 6, Mesdaq in view of Wilcox discloses the apparatus of claim 5, wherein the data generator is to generate data to be placed into the requested website using a random data generator (In some implementations, the system may use a natural language processing (NLP) model to analyze a body of text that is included within the phishing message to determine what type of information is being sought.  For example, the phishing message may include some fanciful fact pattern that alleges that the user will be compensated for assisting with some task (e.g., a "Nigerian 419" scam that indicates that a user will be compensated for their assistance in transferring a sum of money) … Then, the system may further leverage various artificial intelligence (AI) techniques such as, for example, the NLP model to generate a response to the phishing message – Wilcox: par. 0014-0015).
The same motivation to modify Mesdaq in view of Wilcox applied to claim 5 above applies here.
Similar analysis set forth above in the rejection of claim 6, applies to features of each of claims 14, 22 and 30 because they have similar scopes. As such, claims 14, 22 and 30 are rejected based on the same analysis and motivation to combine as set forth in the rejection of claim 6 above.

Per claim 7, Mesdaq discloses the apparatus of claim 5, wherein the site behavior classifier is to determine whether the requested website is the phishing attack by determining whether the response from the requested website includes a redirection request to a different domain than that of the requested website (When the target domain and the victim domain are not the same (no at block 807), the expert system of the dynamic analysis logic is invoked to perform additional heuristics on the web page to determine whether the web page is associated with a phishing web page, and thus the email associated with a phishing attack (block 809).  Examples of additional heuristics that may aid in the determination of a score, as discussed below, may include but are not limited or restricted to, the presence, or lack thereof, of: a redirection from a secured website ("HTTPS") to an unsecured website ("HTTP") or vice versa – Mesdaq: col. 15, lines 16-26).
Similar analysis set forth above in the rejection of claim 7, applies to features of each of claims 15, 23 and 31 because they have similar scopes. As such, claims 15, 23 and 31 are rejected based on the same analysis as set forth in the rejection of claim 7 above.

Per claim 8, Mesdaq discloses the apparatus of claim 5, wherein the site behavior classifier is to determine whether the requested website is the phishing attack by determining whether the response from the requested website includes a request for a user to input additional information (At block 801, the dynamic analysis logic receives the HTML source code for the web page directed to by the URL in the email…[to determine] (ii) a score indicating a level of suspiciousness as to whether the web page is associated with a spearphishing attack based on a static analysis of the header and contents of the body of the web page as set forth in the HTML source code of the web page. At block 802, the web page is scanned for input fields that submit data to an external server via a request method supported by the Hypertext Transfer Protocol (HTTP), which may be, for example, a HTTP POST request.  Herein, the analysis may look to detect a POST request as a POST request requests that a web server accepts data enclosed in the request payload – Mesdaq: col. 13, lines 58-67 and col. 14, lines 3-14 – Note: The URL within a spearphishing email may direct the recipient of the email to a web page that imitates a legitimate institution claiming to need the recipient to provide credential information (e.g., login) in order to change a password, verify their identity, read an important notice, etc. Submission of credential information through such a web page merely provides the credential information to the spearphisher enabling the spearphisher to access sensitive information).
Similar analysis set forth above in the rejection of claim 8, applies to features of each of claims 16, 24 and 32 because they have similar scopes. As such, claims 16, 24 and 32 are rejected based on the same analysis as set forth in the rejection of claim 8 above.

Per claim 13, Mesdaq discloses the at least one non-transitory computer readable medium of claim 12, wherein the instructions, when executed, further cause at least one processor to at least: 
identify a data form in the requested website that accepts input (At block 801, the dynamic analysis logic receives the HTML source code for the web page directed to by the URL in the email… At block 802, the web page is scanned for input fields that submit data to an external server via a request method supported by the Hypertext Transfer Protocol (HTTP), which may be, for example, a HTTP POST request. Herein, the analysis may look to detect a POST request as a POST request requests that a web server accepts data enclosed in the request payload – Mesdaq: col. 13, lines 57-67 and col. 14, lines 3-11 – Note: wherein as explained in col. 16, lines 58-61, the web browsing emulation logic may analyze the POST request generated by submission of content into the input form during the virtual processing of the web page 1000). 
Mesdaq is not relied on to explicitly disclose but Wilcox discloses generate data to be placed into the form (the system may analyze a body of text of the message 106 using a natural language processing (NLP) model to determine the type(s) of information that is being sought…At block 407, the system may generate content that corresponds to the type(s) of information that is being sought… At block 409, the system may cause the content generated at block 407 to be transmitted in a response to the message 106.  For example, under circumstances where the message 106 includes a link to the phishing webpage that includes form fields for submitting requested information, the system may enter the generated content into the form fields – Wilcox: par. 0080-0082 – Note: if the message 106 is designed to fraudulently obtain credit card information (e.g., credit card numbers, expiration dates, etc.), then the system may generate this type of information using a credit card number generator.  As another example, if the message 106 is designed to fraudulently obtain user names and/or passwords for real user accounts 134, then the system may generate fake user names and/or fake passwords);
submit the form (At block 409, … once the form field(s) have the content entered therein, the system may activate a UI input control that submits a response (that includes the entered content) to a phisher computing system – Wilcox: par. 0082);  
analyze a response of the requested website to the form (The message generated by the response engine 114 may further inquire as to whether any alternate forms of online payment can be accepted.  This impersonation response 206 may then induce the phisher into providing instructions on how to remit payment to a particular online payment account that the phisher also uses to conduct another phishing campaign 126 – Wilcox: par. 0060-0063).
The same motivation to modify Mesdaq in view of Wilcox applied to claim 5 above applies here. 
Mesdaq further discloses determine whether the requested website is a phishing attack using a behavior of the requested website (A classification logic includes logic to prioritize the results of the analyses performed by the static analysis logic and/or the dynamic analysis logic to determine whether the email is associated with a phishing attack, or in particular, a spearphishing attack… After any analysis, the score determination logic may determine a first score according to one or more analyses that is above a first threshold indicating a phishing attack (e.g., based on the presence of a domain in a detected URL known to be associated with a generic phishing attack) or a second score that is above a second threshold indicating a credential spearphishing attack (e.g., based on the presence of a domain in a detected URL known to be associated with a spearphishing attack and/or the presence of input forms on a web page requesting credential information) – Mesdaq: col. 4, lines 1-5 and lines 22-32).

Per claim 21, Mesdaq discloses the method of claim 20, wherein the analyzing of the behavior of the requested website includes: 
identifying, by executing an instruction with a processor, a data form in the requested website that accepts input (At block 801, the dynamic analysis logic receives the HTML source code for the web page directed to by the URL in the email… At block 802, the web page is scanned for input fields that submit data to an external server via a request method supported by the Hypertext Transfer Protocol (HTTP), which may be, for example, a HTTP POST request. Herein, the analysis may look to detect a POST request as a POST request requests that a web server accepts data enclosed in the request payload – Mesdaq: col. 13, lines 57-67 and col. 14, lines 3-11 – Note: wherein as explained in col. 16, lines 58-61, the web browsing emulation logic may analyze the POST request generated by submission of content into the input form during the virtual processing of the web page 1000); 
Mesdaq is not relied on to explicitly disclose but Wilcox discloses generating, by executing an instruction with the processor, data to be placed into the form (the system may analyze a body of text of the message 106 using a natural language processing (NLP) model to determine the type(s) of information that is being sought…At block 407, the system may generate content that corresponds to the type(s) of information that is being sought… At block 409, the system may cause the content generated at block 407 to be transmitted in a response to the message 106.  For example, under circumstances where the message 106 includes a link to the phishing webpage that includes form fields for submitting requested information, the system may enter the generated content into the form fields – Wilcox: par. 0080-0082 – Note: if the message 106 is designed to fraudulently obtain credit card information (e.g., credit card numbers, expiration dates, etc.), then the system may generate this type of information using a credit card number generator.  As another example, if the message 106 is designed to fraudulently obtain user names and/or passwords for real user accounts 134, then the system may generate fake user names and/or fake passwords);  
submitting, by executing an instruction with the processor, the form (At block 409, … once the form field(s) have the content entered therein, the system may activate a UI input control that submits a response (that includes the entered content) to a phisher computing system – Wilcox: par. 0082);  
analyzing, by executing an instruction with the processor, a response of the requested website to the form (The message generated by the response engine 114 may further inquire as to whether any alternate forms of online payment can be accepted.  This impersonation response 206 may then induce the phisher into providing instructions on how to remit payment to a particular online payment account that the phisher also uses to conduct another phishing campaign 126 – Wilcox: par. 0060-0063).
The same motivation to modify Mesdaq in view of Wilcox applied to claim 5 above applies here. 
Mesdaq further discloses determining whether the requested website is a phishing attack using the behavior of the requested website (A classification logic includes logic to prioritize the results of the analyses performed by the static analysis logic and/or the dynamic analysis logic to determine whether the email is associated with a phishing attack, or in particular, a spearphishing attack… After any analysis, the score determination logic may determine a first score according to one or more analyses that is above a first threshold indicating a phishing attack (e.g., based on the presence of a domain in a detected URL known to be associated with a generic phishing attack) or a second score that is above a second threshold indicating a credential spearphishing attack (e.g., based on the presence of a domain in a detected URL known to be associated with a spearphishing attack and/or the presence of input forms on a web page requesting credential information) – Mesdaq: col. 4, lines 1-5 and lines 22-32).

Per claim 29, Mesdaq discloses the apparatus of claim 28, wherein the third means for analyzing includes: 
means for browsing to request the requested website (At block 702, the URL, detected during parsing and/or analysis of the header and body contents of the email is activated.  Herein, by activating the URL, the web page analysis logic of the spearphishing credential detection system initiates a request for the HTML source code corresponding to the URL – Mesdaq: col. 12, lines 21-26); 
means for identifying a form in the requested website that accepts input (At block 801, the dynamic analysis logic receives the HTML source code for the web page directed to by the URL in the email… At block 802, the web page is scanned for input fields that submit data to an external server via a request method supported by the Hypertext Transfer Protocol (HTTP), which may be, for example, a HTTP POST request. Herein, the analysis may look to detect a POST request as a POST request requests that a web server accepts data enclosed in the request payload – Mesdaq: col. 13, lines 57-67 and col. 14, lines 3-11 – Note: wherein as explained in col. 16, lines 58-61, the web browsing emulation logic may analyze the POST request generated by submission of content into the input form during the virtual processing of the web page 1000); 
Mesdaq is not relied on to explicitly disclose but Wilcox discloses means for generating a data generator to generate data to be placed into the form (the system may analyze a body of text of the message 106 using a natural language processing (NLP) model to determine the type(s) of information that is being sought…At block 407, the system may generate content that corresponds to the type(s) of information that is being sought… At block 409, the system may cause the content generated at block 407 to be transmitted in a response to the message 106.  For example, under circumstances where the message 106 includes a link to the phishing webpage that includes form fields for submitting requested information, the system may enter the generated content into the form fields – Wilcox: par. 0080-0082 – Note: if the message 106 is designed to fraudulently obtain credit card information (e.g., credit card numbers, expiration dates, etc.), then the system may generate this type of information using a credit card number generator.  As another example, if the message 106 is designed to fraudulently obtain user names and/or passwords for real user accounts 134, then the system may generate fake user names and/or fake passwords);  
means for submitting the form (At block 409, … once the form field(s) have the content entered therein, the system may activate a UI input control that submits a response (that includes the entered content) to a phisher computing system – Wilcox: par. 0082);  
means for inspecting to analyze a response of the requested website to the form (The message generated by the response engine 114 may further inquire as to whether any alternate forms of online payment can be accepted.  This impersonation response 206 may then induce the phisher into providing instructions on how to remit payment to a particular online payment account that the phisher also uses to conduct another phishing campaign 126 – Wilcox: par. 0060-0063).
The same motivation to modify Mesdaq in view of Wilcox applied to claim 5 above applies here. 
Mesdaq further discloses means for determining whether the requested website is a phishing attack using a behavior of the requested website (A classification logic includes logic to prioritize the results of the analyses performed by the static analysis logic and/or the dynamic analysis logic to determine whether the email is associated with a phishing attack, or in particular, a spearphishing attack… After any analysis, the score determination logic may determine a first score according to one or more analyses that is above a first threshold indicating a phishing attack (e.g., based on the presence of a domain in a detected URL known to be associated with a generic phishing attack) or a second score that is above a second threshold indicating a credential spearphishing attack (e.g., based on the presence of a domain in a detected URL known to be associated with a spearphishing attack and/or the presence of input forms on a web page requesting credential information) – Mesdaq: col. 4, lines 1-5 and lines 22-32).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.

Liu (US10904286B1) discloses analyzing at least one displayable image of a webpage referenced by a URL associated with an email to ascertain whether the image, and thus the webpage and the email are part of a phishing cyber-attack.

Varenhorst (US2014/0173726A1) discloses determining that a phishing attack is likely to have occurred if, for example: (1) the URL for the prior webpage is similar to the URL of the present webpage; (2) the prior webpage includes text that is similar to text on the present webpage; (3) the prior webpage includes graphics that are similar to those on the present webpage; or (4) the prior webpage includes graphics that contain watermarks that are similar to those included within graphics on the present webpage. 

Hunt (US10200381B2) discloses generating a temporary page profile associated with a webpage including an image component, a geometry component, a style component, and a link component.  One or more baseline page profiles are retrieved and the temporary page profile is compared with the one or more baseline page profiles, wherein a determination that the temporary page profile does not match the one or more baseline page profiles generates an alert to display to a user indicating that fraud has been detected for the webpage.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to AREZOO SHERKAT whose telephone number is (571)272-8533. The examiner can normally be reached Monday - Friday 8:30-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung Kim can be reached on 571 - 272 - 3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/AREZOO SHERKAT/            Examiner, Art Unit 2494