DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Allowable Subject Matter
Claims 1-3, 5-11, 13-16 and 18-20 are allowed. 
The following is an examiner’s statement of reasons for allowance: With respect to claims 1, 11 and 16, the prior art on record does not teach or fairly suggests the combination of the limitations: “accessing certificate portions of a certificate associated with a suspect uniform resource locator (URL), the certificate accessed at a database that includes a plurality of certificates obtained by monitoring one or more certificate logs; accessing a URL score for the suspect URL; assigning a certificate rule score based on partial certificate scores of each portion of the certificate, the certificate rule score indicating a phishing potential for the certificate, each of the partial certificate scores indicating a likelihood of phishing of each respective portion based on certificate rules; using a machine learning model based, at least in part, on the URL score and the certificate to determine a uniqueness certificate score;
determining a phishing certificate score based, at least in part, on the certificate rule score and the uniqueness certificate score for the certificate; and determining a registration score of the certificate, wherein the registration score indicates a probability distribution of characters in the potential phishing URL, wherein the final phishing score is further based on the entropy score for the potential phishing URL.” Claims 2, 3, 5-10, 13-15 and 18-20, depend on claims 1, 11 and 16 respectively and are allowed with the same rationale thereto. 
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”
	

EXAMINER’S AMENDMENT
Authorization for this examiner’s amendment was given in an interview with Martin Wojcik, Reg. No. 57,577 on February 11, 2022.
	The application has been amended as follows:
	In the Claims:

1. (Currently Amended) A method for phishing detection using certificates associated with uniform resource locators, the method comprising:
accessing certificate portions of a certificate associated with a suspect uniform resource locator (URL), the certificate accessed at a database that includes a plurality of certificates obtained by monitoring one or more certificate logs;
accessing a URL score for the suspect URL;
assigning a certificate rule score based on partial certificate scores of each portion of the certificate, the certificate rule score indicating a phishing potential for the certificate, each of the partial certificate scores indicating a likelihood of phishing of each respective portion based on certificate rules;
using a machine learning model based, at least in part, on the URL score and the certificate to determine a uniqueness certificate score;
determining a phishing certificate score based, at least in part, on the certificate rule score and the uniqueness certificate score for the certificate; and 
determining a registration score of the certificate, wherein the registration score indicates a probability distribution of characters in the potential phishing URL, wherein the final phishing score is further based on the entropy score for the potential phishing URL.

4. (Canceled). 

11. (Currently Amended) A system comprising:
a non-transitory memory storing instructions; and
a processor configured to execute the instructions to cause the system to:
determine issuance of a new certificate for a new uniform resource locator (URL), where the new certificate indicates at least one URL that includes the new URL;
in response to a determination that the new URL is suspect, access certificate portions of the new certificate;
assign a certificate rule score based on partial certificate scores of each portion of the certificate, the certificate rule score indicating a phishing potential for the certificate, each of the partial certificate scores indicating a likelihood of phishing of each respective portion based on certificate rules;
use a machine learning model based, at least in part, on the URL score and the certificate to determine a uniqueness certificate score; [and]
determine a phishing certificate score based, at least in part, on the certificate rule score and the uniqueness certificate score for the certificate; and 
determining a registration score of the certificate, wherein the registration score indicates a probability distribution of characters in the potential phishing URL, wherein the final phishing score is further based on the entropy score for the potential phishing URL.

12.  (Canceled).  

16. (Currently Amended) A non-transitory machine-readable medium having instructions stored thereon, the instructions executable to cause performance of operations comprising:
determining issuance of a new certificate for a new uniform resource locator (URL), where the new certificate indicates at least one URL that includes the new URL;
in response to a determination that the new URL is suspect, accessing certificate portions of the new certificate;
assigning a certificate rule score based on partial certificate scores of each portion of the certificate, the certificate rule score indicating a phishing potential for the certificate, each of the partial certificate scores indicating a likelihood of phishing of each respective portion based on certificate rules;
using a machine learning model based, at least in part, on the URL score and the certificate to determine a uniqueness certificate score; [and]
determining a phishing certificate score based, at least in part, on the certificate rule score and the uniqueness certificate score for the certificate; and 
determining a registration score of the certificate, wherein the registration score indicates a probability distribution of characters in the potential phishing URL, wherein the final phishing score is further based on the entropy score for the potential phishing URL..




Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BEEMNET W DADA whose telephone number is (571)272-3847. The examiner can normally be reached Monday-Friday, 9am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on 571-272-3685. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

BEEMNET W. DADA
Primary Examiner
Art Unit 2435



/BEEMNET W DADA/Primary Examiner, Art Unit 2435