DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 12/15/2021 was filed after the mailing date of the Non-Final on 09/15/2021.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Response to Amendment
This action is in response to the communications and remarks filed on 12/15/2021. Claims 1-2, 4, 6, 10-11, 14-16 and 19 have been amended. Claim 13 has been canceled. Claims 1-12 and 14-20 have been examined and are pending.
	
Response to Arguments
Applicant’s amendments necessitated a new ground of rejection; accordingly, Applicant’s arguments, see pages 11-12 of remarks, filed 12/15/2021, with respect to amended independent claims 1 and 14 (Smith et al., hereinafter (“Smith”), US PG Publication (20160191548 A1), in view of Goutal, US PG Publication (20180278627 A1)) have been considered but are moot in view of the new ground of rejection: Smith et al., hereinafter (“Smith”), US PG Publication (20160191548 A1), in view of Kanich et al., hereinafter (“Kanich”), “No Plan Survives Contact: Experience with Cybercrime Measurement,” which was submitted in the 12/15/2021 IDS.
Applicant’s amendments to the abstract and claims 1, 11, 13-14, and 16 have been acknowledged. The claims have been reviewed and entered, and are found to obviate the previously raised objections for minor informalities. The objections to the abstract and claims 1, 11, 13-14, and 16 are hereby withdrawn.
Acknowledgement to applicant's argument to claim 14 has been noted. The claims have been reviewed, entered and found obviating to previously raised rejection under 35 USC 112 6th. Examiner notes that Applicant does not specifically highlight these non-structural terms in claim 14: “a fetcher...software modules...computing devices;” yet elaborates on “downloading and analyzing a webpage” on p. 8, then further discusses the presence of the algorithms/flow chart on p. 10 by referencing in the specification on p. 13, line 8 to p. 14, line 6; p. 15, line 17 to p. 21, line 10.  Recommends the removal/replacement of non-structural terms that are generic placeholders, instead amend using known structural terms. As such, interpretation under 35 USC 112 6th to claim 14 is hereby maintained.
Acknowledgement to applicant's amendments and arguments to claims 1-2, 4, 6, 10, 14-16, and 19 have been noted. The claims have been reviewed, entered and found obviating to previously raised rejection under 35 USC 112 2nd. Rejection under 35 USC 112 2nd to claims 1-2, 4, 6, 10, 14-16 and 19 is hereby withdrawn.

Applicants’ arguments in the instant Amendment, filed on 12/15/2021, with respect to limitations listed below, have been fully considered but they are not persuasive.
Applicant’s arguments: “Claims 1, 3, 5-14, and 17-20 are rejected under 35 U.S.C. § 103 as being unpatentable over U.S. PG Publication No. 2016/0191548 (hereinafter "Smith") in view of U.S. PG Publication No. 2018/0278627 (hereinafter "Goutal"). Applicant respectfully traverses. 
		Goutal states at para. [0147]: "If the email recipient agrees with the classification of the received email as likely malicious, B47 may be carried out, a true positive (TP) is reported to the ESPL service 108, and the malicious received email may be deleted, as shown at B47." Thus, the deletion of the email is dependent on the agreement of the email recipient. By contrast, Applicant's specification states at page 3, line 15: "Further, the system as described herein provides a near real time URL inspection service that removes already-delivered emails with URLs from the messaging inboxes or message lists of users (before these are opened) such that the users are never exposed to the links and therefore do not click on them." 
The Examiner disagrees with the Applicant’s assertion. The specification describes a system and method for detecting a phishing message and as such merely states that message(s) may be delivered to an inbox or message list of the message client 112 or may be held in the message server pending the analysis of process 200. The process 200 is a phishing detection method that scans received message to determine if the message(s) include a phishing message URL based on cached and database lookups and classified as a trusted site (i.e. whitelist) [specification, Abstract and ¶¶0063-0064].
Goutal is also an invention that describes a computer-implemented method of detecting an email spoofing and spear phishing attack may comprise generating a contact model of a sender of emails; Goutal shows how each cloud and gateway implementation include an Email Spoofing & spear phishing Protection Layer (ESPL) component/layer and Mail Transfer Agent (MTA), as shown in Fig.1; which Examiner cited to the ESPL as analogous to the user inbox function [Goutal, Abstract and ¶0041]. Goutal also states there is an association between the list of cities associated to a list of IP addresses maintained by the ESPL where the ESPL analyzes and builds a model for 
In any case, Examiner reviewed new IDS and applied the teachings of Kanich as shown below to the claim limitations.
Applicant’s arguments: “While continuing to traverse the rejections of the Examiner, Applicant has amended claims 1 and 14 to include the limitations of claim 13, which is hereby cancelled without prejudice or disclaimer. Thus, Goutal actually teaches away from amended claims 1 and 14 since the email is removed from the user inbox such that the users are never exposed to the links and therefore do not click on them. The Examiner cites Hou (US20130332585A1) as teaching or suggesting the limitations of claim 13, but Applicant respectfully disagrees as Hou does not relate to or even mention emails or user inboxes.”
The Examiner disagrees with the Applicant’s assertion. As discussed above, Goutal is an invention that describes a computer-implemented method of detecting an email spoofing and spear phishing attack that may comprise generating a contact model of a sender of emails. As such, Goutal does not teach away from the amended claims, where extracted email (addresses) do not have a corresponding model [Goutal, See paras 0150-0151]. Also, Hou teaches a portal site that is analogous to a message inbox/message list [Hou, para 0009]. Therefore, Hou is maintained below.
In any case, Examiner reviewed new IDS and applied the teachings of Kanich as shown below to the claim limitations.
		
		
 
Applicant’s arguments: “Applicant has further amended claims 1 and 14 to include limitations of claims 4 and 15 respectively: "wherein analysis of the downloaded webpage includes performing machine learning based image analysis and comparison of the webpage or parts of the webpage to known phishing pages or genuine webpages or parts of genuine webpages of known phishing page targets/brands." The Examiner cites Wright (US20180063190A1) para. [0056] as teaching or suggesting the limitations of claims 4 and 15. Applicant respectfully disagrees, as the "machine learning classifier model" proposed by Wright is based on multiple attack website "features". While "website content features" may be included in the classification model, Wright does not teach or suggest machine learning image analysis on the webpage or parts of the webpage of known phishing pages or genuine webpages or parts of genuine webpages of known phishing page targets/brands as amended claims 1 and 14 recite. 
Applicant therefore submits that amended claims 1 and 14 are non-obvious over the cited prior art and other known art in providing for a phishing detection system that performs machine learning based image comparison to known phishing pages or genuine webpages or parts of genuine webpages of known phishing page targets/brands and further removes suspected phishing emails from user inboxes. Amended claims 1 and 14 are therefore deemed allowable, as are, a fortiori, claims dependent therefrom, including claims 2, 4, 15, and 16, which are separately rejected under 35 U.S.C. § 103. Claim 13 is cancelled. Reconsideration of claims 1-12 and 14-20 under 35 U.S.C. § 103 is therefore respectfully requested.”
The Examiner disagrees with the Applicant’s assertion of Wright concerning the teaching of “machine learning image analysis on the webpage or parts of the webpage of known phishing pages or genuine webpages or parts of genuine webpages of known phishing page targets/brands.” As such, Examiner interpreted the monitored and extracted features to be inclusive of parts of the webpage like, the favicon, etc.; further teaching machine learning implemented on flagged emails. As such, Wright teaches “machine learning image analysis on the webpage or parts of the webpage of genuine webpages” [See Wyatt, ¶0056].
 The Examiner respectfully submits that Wright does disclose “performing analysis of the Cascading Style Sheets (CSS) of the webpage and comparison of the webpage CSS to the CSS of known phishing pages or genuine webpages of known phishing page brands/targets”; where [See Wright, ¶0015: (6) the legitimacy of the attack website is evaluated (e.g., by comparing referrer data and/or other website monitoring data with known attack website information); included in code such as CSS], for which it was applied. Hence, an analysis is performed as taught by Wright; therefore, Wright is maintained.
CLAIM INTERPRETATION
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:

(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 

This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are: “a fetcher...software modules...” in claim 14.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.
Claim Rejections - 35 USC § 103
The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
Claims 1, 3, 5-14, and 16-20 are rejected under 35 U.S.C. 103 as being unpatentable over Smith et al., hereinafter (“Smith”), US PG Publication (20160191548 A1), in view of Wright et al., hereinafter (“Wright”), US PG Publication (20180063190 A1), in view of Kanich et al., hereinafter (“Kanich”), “No Plan Survives Contact: Experience with Cybercrime Measurement,” which was submitted in the 12/15/2021 IDS.
Regarding currently amended claims 1 and 14, Smith teaches a method ¶0037: typical form of phishing attacks occur in the form of malicious emails sent to user containing links or references to illegitimate web pages (a phishing message), etc.
a.    a scan engine; [Smith et al 20160191548A1, ¶¶0038 and 0066: An apparatus/system/method provided for fraud detection; monitors and detect legitimacy of emails or email content, links, images, videos, etc. Performs routine and continual crawling (a scan engine) to collect information associated with suspect activity] and
b.    a fetcher; [Smith, ¶0066: apparatus/system/method provided for fraud detection with a collection process (a fetcher) accesses an initial webpage through standard HTTP request and downloads its content for analysis.]
Fig. 2, 3, and 4 ¶¶0038-0039 and 0065-0066: An apparatus/system/method provided for fraud detection (a phishing detector); where aforementioned malicious web content could be identified by a scoring engine, monitors and detect legitimacy of emails or email content, links, images, videos, etc. Performs routine and continual crawling (a scan engine) to collect information associated with suspect activity; with a collection process (a fetcher) accesses an initial webpage through standard HTTP request and downloads its content for analysis. Each of the devices in the network are computers, mobile device, PDAs, etc. may first pass through or be subject to one or more security devices or applications, such as a proxy server 119 or firewall 111.]
b.    detecting a URL in [[the]] a message by the scan engine; [Smith, ¶0101: Security device 824 and system 814 may be operatively coupled or may communicate data based on URL blacklists]
c.    resolving the URL to a webpage by the scan engine; [Smith, See ¶¶0038 and 0066: continual crawling (a scan engine); ¶0073: using standard Domain Name Service (DNS) lookup operations (resolving the URL), it may be determined that domains 411, 412, and/or 413 are hosted by various IP addresses; as a result catalog URL 300, along with various constituent parts of the URL 300.  The domains and/or IP addresses may be further queried to reveal additional information, such as the web page 310 (a webpage) registrants 420.]
Fig. 2, 3, and 4 ¶¶0038-0039 and 0065-0066: ...downloads web page content for analysis.]
While Smith teaches performing machine learning and the downloaded webpage [See Smith, Fig. 2, 3, and 4 ¶¶0038-0039, 0065-0066, and 0098-0099: technology to monitor and detect legitimacy of email content (i.e. images) based on any one or more of an instantaneously identified, previously identified; use of identifying potential, social engineering attacks attempts through machine learning and optimization of scoring processes]; however, Smith fails to explicitly teach but Wright teaches wherein analysis of the downloaded webpage includes performing machine learning based image analysis and comparison of the webpage or parts of the webpage to known phishing pages or genuine webpages or parts of genuine webpages of known phishing page targets/brands [Wright et al 20180063190 A1, ¶0056: Attack website features can be extracted from website monitoring data (e.g., collected in S110), attack website activity (e.g., monitored in S150), and/or any suitable data. Attack website features can include: URL features (e.g., favicon, host name, URL shortening usage...website code features In an example, S132 can include generating a machine learning classifier model that outputs whether a website is an attack website or a non-attack website, and/or outputs a ranking (e.g., a score of 1-10) of the legitimacy of the website. Hence, Examiner interpreted the monitored and extracted features to be inclusive of parts of the webpage like, the favicon, etc.],


While Smith teaches the scan engine [See Smith, ¶¶0038 and 0066: continual crawling (a scan engine)] and the downloaded webpage [See Smith, See Fig. 2, 3, and 4 ¶¶0036-0039 0065-0066 and 0077: ...monitors, collects proactively identifies and guards against downloads web page(s) or phishing email attempts]; however, the combination of Smith and Wright fail to explicitly teach but Kanich teaches 
e.    analysis of the downloaded webpage by the fetcher to determine whether the webpage is a phishing webpage; wherein when the webpage is determined to be a phishing webpage, deleting the message by the scan engine. [Kanich, 2.1 Redirection, ¶1: Through use of hosting spam-advertised sites and a crawling approach; a command-tool for visiting a URL and downloading contents of a web page, redirects spam-advertised URL and final landing page], and 
wherein the message is in a user inbox and the deleting of the message includes removing the message from the user inbox. [Kanich, 1 Introduction, ¶2: through controlled experiments, the nature of current threats can measure behavior. Crawling 2.1 Redirection: through use of a simple command-line tool for visiting a downloading the contents of the Web page, JavaScript redirects. It is the network filters rendering DDoS attacks harmless. 2.2 Deterrence: through use of JavaScript that use image overlays on the page to the same effect; blacklisting IP addresses suspected of crawling. Hence, Examiner interprets the redirection function, which includes a filtering technique that in essence removes or deletes, as analogous to removing the downloaded contents in the Web page; where the Web page is analogous to the user inbox]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of method and system for misuse detection of Smith before him or her by including the teachings of an experiment of empirical security research involves analyzing the behavior, capabilities, and motives of adversaries of Kanich. The motivation/suggestion would have been obvious to try redirection and deterrence features of this cybercrime experiment to thwart Storm denial-of-service (DoS) [Kanich, Sections 2.1-2.2 and 4 Lessons Learned, ¶8]. 
Regarding claims 3 and 17, the combination of Smith, Wright, and Kanich teach claim 1 as described above.
Smith teaches wherein the analysis comprises analyzing the HTML structure and HTML code for similarities to known phishing kits. [Smith, ¶0075: web page 310 displays several hyperlinks 311-314, from which additional URLs 320, 330, and 340 may be gleaned; HTTP requests may be made to each such URL analysis of the content of each associated website. Further analysis of binary information of executable file 450 (HTML code) where comparison of part 450 (HTML structure) of executable file with virus signature 460 (known phishing kits).]
Regarding claim 5, the combination of Smith, Wright, and Kanich teach claim 1 as described above.
Smith teaches wherein the analysis comprises performing machine learning based analysis of the language used on the webpage. [Smith, ¶0099: further machine learning to identify false positives.]

Regarding currently amended claim 6, the combination of Smith, Wright, and Kanich teach claim 1 as described above.
Smith teaches wherein the method for the downloading of the webpage includes one or more of:
a.    the webpage is downloaded multiple times each using a different source IP address; [Smith, ¶0037: phishing attacks occurs in the form of malicious emails sent to users containing links or references to illegitimate web pages, illegitimate web content] and
b.    the webpage is downloaded using multiple user agents; [Smith, ¶0070: downloaded webpage content is analyzed] [[and]]


Smith teaches wherein the machine learning based analysis of the webpage language is based on one or more of word counting, term frequency-inverse document frequency, or cluster counting of GloVe (Global Vectors for Word Representation). [Smith, ¶0110: Word expressions often perform the “heavy lifting” of the scoring process. Word expressions are usually mathematical equations, where the variables in the equations might represent, for example, a number of occurrences of keywords, patterns, or otherwise identifiably potentially malicious trends in the digital media document text. The word expression engine is usually optimized to efficiently search for thousands of various patterns in a document.]

Regarding claims 8 and 18, the combination of Smith, Wright, and Kanich teach claim 1 as described above.
Smith teaches further comprising URL analysis by the scan engine for one or more of suspicious characteristics, URL metadata, or suspicious URLs. [Smith, ¶0071: URL 300 may be selected on account of previously known information about the content hosted by that URL—for example, evidence of pirating of copyright-protected media such as movies, music or software—or the suspicious web page 310 may be encountered randomly through the previously mentioned web crawling operations.]


Smith teaches wherein the method for the downloading of the webpage comprises: by the fetcher, executing redirect code to resolve the destination web page. [See Smith, ¶¶ 0065-0066: ...downloads web page content for analysis.]
Regarding claim 11, the combination of Smith, Wright, and Kanich teach claim 1 as described above.
Smith teaches wherein the webpage is downloaded using an IP address from the message recipient IP address range. [Smith, ¶074: the range of IP addresses 430 may also be considered a “link,” since it may be inferred that other IP addresses (not listed) falling within that range or associated with a similar geographical IP range may be suspect.]

Regarding claim 16, the combination of Smith, Wright, and Kanich teach claim 14 as described above.
Smith teaches wherein the method for the downloading of the webpage is selected from the group consisting of:
a.    the webpage is downloaded multiple times each using a different source IP address; [Smith, ¶0037: phishing attacks occurs in the form of malicious emails sent to users containing links or references to illegitimate web pages, illegitimate web content]
¶0070: downloaded webpage content is analyzed; ¶0074: the range of IP addresses 430 may also be considered a “link,” since it may be inferred that other IP addresses (not listed) falling within that range or associated with a similar geographical IP range may be suspect.] and
d.    a combination of the above. [Smith, ¶0109: Various computer languages or protocols such an algorithm, scripts, etc. are used to assess information present in source document. Document downloaders 910 could take any form, such as in information-seeking/delivering web crawlers, email monitoring software, or any other form of hardware, software, or combination thereof.]
Claims 2 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Smith et al., hereinafter (“Smith”), US PG Publication (20160191548 A1), in view of Kanich et al., hereinafter (“Kanich”), “No Plan Survives Contact: Experience with Cybercrime Measurement,” which was submitted in the 12/15/2021 IDS, in view of Wright et al., hereinafter (“Wright”), US PG Publication (20180063190 A1), in view of Lindsay, US PG Publication (20180247483 A1).
Regarding currently amended claim 2, the combination of Smith, Wright, and Kanich teach claim 1 as described above.
Smith teaches wherein the analysis is selected from the group consisting of:
b.    performing machine learning based image analysis of images found on the webpage to match the images to known genuine phishing target logos; [Smith, ¶¶0038 and 0099: fraud detection of emails, email content: links, images, videos, etc. through use of machine learning]
While Smith teaches performing analysis of web forms on the web page [See Smith, ¶0089: In certain embodiments, “behavioral analysis” may encompass any type of analysis similar to that which would be performed on URLs, domain names, IP addresses, or similar links during the crawling and collection operations. ¶¶0262-0263: identify a spear phishing target attack where a false web page reproduce portion of the web pages such as: login and/or password boxes.]; however, the combination of Smith, Wright, and Kanich fail to explicitly teach but Wright teaches
a.    performing analysis of the Cascading Style Sheets (CSS) of the webpage and comparison of the webpage CSS to the CSS of known phishing pages or genuine webpages of known phishing page brands/targets; [Wright et al 20180063190 A1, ¶0014: (2) an attacker copies the target website--including the tattler code--in order to setup an attack website (e.g., a phishing website); ¶0015: (4) the target website receives referrer data indicating information regarding the previous website (e.g., the attack website) that directed the victim to the target website; (6) the legitimacy of the attack website is evaluated (e.g., by comparing referrer data and/or other website monitoring data with known attack website information);  and ¶0019: Tattler includes JavaScript code, including HTML, CSS, etc.; collects, analyzes, and/or transmits website monitoring data when executed.]

However, the combination of Smith, Kanich, and Wright fail to explicitly teach but Lindsay teaches 
c.    performing analysis of web forms for credential submission on the webpage; [Lindsay 20180247483, ¶0197: the PIN Safety Service 808 regarding the user's account or can be supplemented by accessing the security database 810 as needed. While the required data can be obtained and processed in any of several ways known to those in the art, the submitted user credentials received in the attempted transaction with the merchant 828 are compared with the known credentials that the credit card company 812 associates with the user 802 ] and

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of Smith, Kanich, and Wright before him or her by including the teachings of a security systems for protecting an asset of Lindsay. The motivation/suggestion would have been obvious to try reduce the risk of others stealing login information using fake login pages 
Regarding currently amended claim 15, the combination of Smith, Wright, and Kanich teach claim 14 as described above.
Smith teaches wherein the analysis includes one or more 
However, Smith fails to explicitly teach but Wright teaches ¶0031: S110 include generating digital fingerprints for visitors of the attack website. A digital fingerprint preferably identifies an individual based on web browser data, device data, other website monitoring data, and/or other suitable information associated with the individual. Attack website visitor fingerprints can be compared against known attacker digital fingerprints (e.g., in S132) in identifying attackers and/or illegitimate attack websites.]
¶0056: In this variation, automatically classifying a potential attack website can include generating one or more models for distinguishing between non-attack websites and attack 

d.    performing analysis of the Cascading Style Sheets (CSS) of the webpage and comparison of the webpage CSS to the CSS of known phishing pages or genuine webpages of known phishing page brands/targets; [Wright et al 20180063190 A1, ¶0014: (2) an attacker copies the target website--including the tattler code--in order to setup an attack website (e.g., a phishing website); ¶0015: (4) the target website receives referrer data indicating information regarding the previous website (e.g., the attack website) that directed the victim to the target website; (6) the legitimacy of the attack website is evaluated (e.g., by comparing referrer data and/or other website monitoring data with known attack website information);  and ¶0019: Tattler includes JavaScript code, including HTML, CSS, etc.; collects, analyzes, and/or transmits website monitoring data when executed. ]
e.    performing machine learning based image analysis of images found on the webpage to match the images to known genuine phishing target logos; [Smith, ¶¶0038 and 0099: fraud detection of emails, email content: links, images, videos, etc. through use of machine learning]
g.    performing analysis of web forms for credential submission on the webpage; [Wright et al 20180063190 A1, ¶0024: activation of the tattler may function also function to collect attack website activity that, in some embodiments, includes user activity while visiting the attack website in which the user activity includes providing user credentials and the like. In the case that the tattler detects a visitor providing credentials to the attack website, the tattler may function to capture the credentials data and specifically] 
While Smith teaches performing analysis of web forms on the web page [See Smith, ¶0089: In certain embodiments, “behavioral analysis” may encompass any type of analysis similar to that which would be performed on URLs, domain names, IP addresses, or similar links during the crawling and collection operations. ¶¶0262-0263: identify a spear phishing target attack where a false web page reproduce portion of the web pages such as: login and/or password boxes.]; however, the combination of Smith, Wright, and Kanich fail to explicitly teach but Lindsay teaches
h.    a combination of the above. [Lindsay 20180247483, ¶0204: Preventing Phishing and Fake Login Pages by anti-phishing scheme requires convert validation action to verify website being operated by legitimate party.]
Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Smith et al., hereinafter (“Smith”), US PG Publication (20160191548 A1), in view of Wright et al., hereinafter (“Wright”), US PG Publication (20180063190 A1), in view of Kanich et al., hereinafter (“Kanich”), “No Plan Survives Contact: Experience with Cybercrime Measurement,” which was submitted in the 12/15/2021 IDS, in view of Lindsay, US PG Publication (20180247483 A1).

Regarding currently amended claim 4, the combination of Smith, Wright, and Kanich teaches claim 1 as described above.
Smith teaches wherein the analysis is selected from the group consisting of:
a.    computing webpage fingerprints for multiple HTML page elements and comparing the webpage fingerprints to existing webpage fingerprints of known phishing page targets and known phishing sites; [Smith, ¶0265: scanning emails containing multiple forms; ¶0267: metadata helps in identifying potentially malicious parties by comparison of various forms of electronic signatures]
webpage or parts of the webpage to known phishing pages or genuine webpages or parts of genuine webpages of known phishing page targets/brands; [Smith, ¶0253: the receiving server of the call (e.g., the server that owns the legitimate site bank.com) compares the requested Web page's information to the legitimate Web page's information. The compared information can include IP addresses, URLs, and/or domains,] and
d.    a combination of the above. [See Smith, ¶0253: The compared information can include IP addresses, URLs, and/or domains, or any combination thereof]
While Smith teaches image analysis and comparison of the webpage or parts of the webpage [See Smith, ¶0253], the combination of Smith, Wright, and Kanich fails to explicitly teach, but Lindsay teaches:
b.    performing image analysis and comparison of the page favicon of the webpage to favicons known to be used in phishing pages and also genuine favicons of known phishing page targets; [Lindsay, ¶¶0206, 0209 and 0219-0220: FIG. 19 depicts a portion of graphical user interface 1000 that illustrates some aspects of a system in which a user (not shown) can verify that a Web site or other electronic interface is legitimate, or in other words, that it is operated by an authorized service as opposed to being a sham for extracting information from a user. The displayed modified favicon 1020 can be accessed to determine whether a legitimate Web site is being accessed.]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of . 
Claims 10, 12 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Smith et al., hereinafter (“Smith”), US PG Publication (20160191548 A1), in view of Wright et al., hereinafter (“Wright”), US PG Publication (20180063190 A1), in view of Kanich et al., hereinafter (“Kanich”), “No Plan Survives Contact: Experience with Cybercrime Measurement,” NPL, which was submitted in the 12/15/2021 IDS, in view of Hou, US PG Publication (20130332585 A1).
Regarding currently amended claims 10 and 19, the combination of Smith, Wright, and Kanich teaches claim 1 as described above.
However, the combination of Smith, Wright, and Kanich fails to explicitly teach, but Hou teaches, wherein the method for the downloading of the webpage comprises: when the URL does not resolve, attempting multiple times to resolve the webpage over a configurable period of time until the webpage is downloaded. [Hou, ¶¶0023, 0025 and 0028: When the relationship is established, the identification code of the content related information includes a timestamp. The download engine of the portal site is configured to acquire the real URL of the content and download the content to the terminal that wants to download the content, according to the acquired real URL. ¶0035: when presenting to reorient the download engine inquires about resolves the real URL; when triggered. Hence, Examiner interprets that the download engine has a timestamp parameter; therefore the period of time is configurable by the portal site that instantiates the triggering feature; see para 0027.]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of Smith, Wright, and Kanich before him or her by including the teachings of method and system for downloading content of Hou. The motivation/suggestion would have been obvious to try a method and system for realizing content download, including: after a portal site receives a request for triggering download and generating a pseudo uniform resource locator (URL) for a content to be downloaded [Hou, Abstract]. 
Regarding claims 12 and 20, the combination of Smith, Wright, and Kanich teaches claim 1 as described above.
However, the combination of Smith, Wright, and Kanich fails to explicitly teach, but Hou teaches, wherein site content that is encrypted or obfuscated is decrypted and executed in order to generate the page HTML. [Hou 20130332585 A1, ¶0090: determining whether to obfuscate elements of the requested resource (e.g., obfuscating an email address such that it will be displayed on the rendered page but obfuscated from the page source)]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of Smith, Wright, and Kanich before him or her by including the teachings of method and . 
Conclusion

Applicant's submission of an information disclosure statement under 37 CFR 1.97(c) with the fee set forth in 37 CFR 1.17(p) on 12/15/2021 prompted the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 609.04(b).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). 
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAKINAH W TAYLOR whose telephone number is (571)270-0682. The examiner can normally be reached Monday-Friday, 9:45-5:45.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

SAKINAH WHITE-TAYLOR
Examiner
Art Unit 2497


/Sakinah White Taylor/Examiner, Art Unit 2497
/ELENI A SHIFERAW/Supervisory Patent Examiner, Art Unit 2497