Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

This Action is in response to the original claims 1-20.  Claims 1 (software) and 11 (a method) are independent.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-10 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  The claims do not fall within at least one of the four categories of patent eligible subject matter because claim 1 is directed to software per se.  Claim 1 recites: “where any portions of the cyber security appliance implemented as software can be stored in one or more non-transitory memory storage devices ….”  The capability of software to be stored does not require a potential storage device.  Claim 1 is not directed to a non-transitory CRM; claim 1 is software per se.  Software is not a process, machine, manufacture, or composition of matter and is non-statutory for the purposes of 35 U.S.C. § 101.

Claims 1, 3-5, 8-11, 13-15, and 18-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claims recite a mental process.  For example, claims 1 and 11 recite a plurality of steps for comparing a website to other known malicious websites.  Comparing websites can be done in a human mind.  This judicial exception is not integrated into a practical application because claims 1 and 11 do not apply the claimed mental process to perform any action. The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the access of a website, by a person, is a well-understood, routine, and conventional activity and does not amount to significantly more than the mental process of comparing images; see MPEP 2106.05(d).

Claims 2, 6, 7, 12, 16, and 17 are excluded from the abstract idea rejection as performing “OCR” or the use of a “Fully Convolutional Neural Network” is not a mental process. 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-8 and 11-18 are rejected under 35 U.S.C. 103 as being unpatentable over Waterson et al., US 2012/0023566 (filed 2009-04), in view of Flament et al., US 2019/0019020 (filed 2018-07).

a phishing site detector (“if the software tool determines that the downloaded web page 202 is a fraudulent page 207, then the browser will reject the page, step 211.” Waterson ¶ 68) that has a segmentation module … of a site (“Tokens will typically be words or other identifying features that can be used to determine the legitimacy of a web site. Tokens can also comprise images such as a logo displayed on the website.” Waterson ¶ 70)… and then analyze each segment of the image of that page to determine visually whether a key text-like feature exists in that segment, (“extracting tokens from the text, or performing optical character recognition of an image of the page or frame and/or the title of the page and extracting tokens from the optically recognised characters.” Waterson ¶ 22) and then a signature creator to create a digital signature for each segment containing a particular key text-like feature, (“The plug in tool then extracts tokens from the retrieved page, step 403. It then, for each token, determines a token probability, being a probability that that token exists in a fraudulent web page.” Waterson ¶ 74. The token being the claimed signature) where the digital signature (Note that in the art a digital signature is typically a hash encrypted with a private key for validation.  Here, a digital signature is just a characterization of the feature used for matching.) for that segment containing the particular key text-like feature at least is indicative of a visual appearance of the particular key text-like feature (the Token is an OCR of text in the picture, Waterson ¶ 22), and
a trained AI model to (“The training system 120 then extracts tokens from the training web pages 106, step 302. Tokens will typically be words or other identifying features that can be used to determine the legitimacy of a web site. Tokens can also extracts tokens from the retrieved page, step 403. It then, for each token, determines a token probability, being a probability that that token exists in a fraudulent web page.” Waterson ¶ 74. “Using the token probabilities determined for the tokens from the retrieved page, the plug in tool then determines a page probability, step 405.” Waterson ¶ 75. See also ¶ 80) in order to output a likelihood of maliciousness of the unknown site under analysis, (“The page probability is the probability calculated that the retrieved page is a fraudulent page. The plug in tool then determines from the page probability whether the retrieved page is a fraudulent page, for example by comparing their probability to a threshold, step 406.” Waterson ¶ 75) where any portions of the cyber security appliance implemented as software can be stored in one or more non-transitory memory storage devices in an executable format to be executed by one or more processors. (“software and/or system for detecting fraudulent pages” Waterson ¶ 1)

Waterson does not disclose:
to break up an image of a page … under analysis into multiple segments


to break up an image of a page … (“The convolutional neural network may receive captured images produced by an input device such as a mobile client device, and may produce heat maps or bounding boxes corresponding to feature types such as text, face, signature, document background, and image background.” Flament ¶ 11) under analysis into multiple segments (“the heat maps may indicate areas that are bounded by distinct lines (bounding boxes), where the portion of the image within a bounding box has an above-threshold likelihood of having the particular feature type and the portion of the image outside the bounding box has a below-threshold likelihood of having the particular feature type.” Flament ¶ 39. “The convolutional neural network may further extract information from the input images, where information of a specific feature type is extracted from the area of the captured image indicated by the corresponding heat map or bounding box.” Flament ¶ 11)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Waterson with Flament by utilizing the image processing learner of Flament to detect and extract the text and logos of Waterson ¶ 70.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Waterson with Flament in order to capture and recognize the text and logos of Waterson without knowing the layout and features of the document, thereby increasing the robustness and efficiency of the parsing system (Flament ¶ 5).

 optically recognised characters.” Waterson ¶ 22) ii) analysis of a literal visual representation from the image of that page under analysis to determine what does the first key text-like feature on the page visually look like, (“The convolutional neural network may receive captured images produced by an input device such as a mobile client device, and may produce heat maps or bounding boxes corresponding to feature types such as text, face, signature, document background, and image background.” Flament ¶ 11.)  and then iii) use both of resulting text from the OCR text recognition and the visual appearance of the key text-like feature in order to determine a category that the first key text-like feature in the first segment of the image of the page under analysis belongs to, (“The convolutional neural network may receive captured images produced by an input device such as a mobile client device, and may produce heat maps or bounding boxes corresponding to feature types such as text, face, signature, document background, and image background.” Flament ¶ 11. Waterson ¶ 70 discussing logos and textual generated tokens.) where the image of the page of the unknown site under analysis is a page that harvests log-in credentials for the unknown site. (Waterson Figure 13).

determining if the token exists in token database (also training corpus), step 603. If it is not, then the token is assigned a default token probability, preferably 0.5, step 608. If the token does exist in the token database, step 603, then the method comprises obtaining from the token database the count of the total number of fraudulent pages that contained this token,” Waterson ¶ 86)



As to claims 5 and 15, Waterson in view of Flament discloses the system/method of claims 1 and 11 and further discloses:
bounding boxes corresponding to feature types such as text, face, signature, document background, and image background.” Flament ¶ 11. See figures 5 and 6 of Flament.)

As to claims 6 and 16, Waterson in view of Flament discloses the system/method of claims 5 and 15 and further discloses:
…
configured to analyze the image to look for specific key features that appear be text-like, including any of actual text and …, (“the heat maps may indicate areas that are bounded by distinct lines (bounding boxes), where the portion of the image within a bounding box has an above-threshold likelihood of having the particular feature type and the portion of the image outside the bounding box has a below-threshold likelihood of having the particular feature type.” Flament ¶ 39. “The convolutional neural network may further extract information from the input images, where information of a specific feature type is extracted from the area of the captured image indicated by the corresponding heat map or bounding box.” Flament ¶ 11)


Waterson in view of Flament does not disclose:
where the machine learning algorithm is implemented in Fully Convolutional Neural Networks 
logos
on the image of the page under analysis by detecting for gradients in color change in one or more areas and a ratio to a background color to establish a beginning and an end of each specific key feature that appears be text-like,

Flament further discloses:
where the machine learning algorithm is implemented in Fully Convolutional Neural Networks (“fully convolutional neural network” Flament ¶ 56)
logos (“Other heat maps (which for purposes of clarity are not shown in the figure) may also be generated to indicate the locations of other types of features, such as signatures, logos, security features, etc.” Flament ¶ 38)
on the image of the page under analysis by detecting for gradients in color change in one or more areas and a ratio to a background color (“The heat maps may use colors, shades of gray, or other means to indicate a range of likelihoods of finding a 

A person of ordinary skill in the art before the effective filing date of the claimed invention would have further combined Waterson in view of Flament with Flament by utilizing the image processing learner of Flament to detect and extract the text and logos of Waterson ¶ 70.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to further combine Waterson in view of Flament with Flament in order to capture and recognize the text and logos of Waterson without knowing the layout and features of the document, thereby increasing the robustness and efficiency of the parsing system (Flament ¶ 5).

As to claims 7 and 17, Waterson in view of Flament discloses the system/method of claims 6 and 16 and further discloses:
where the phishing site detector has a categorizing module to perform OCR text analysis on a first key text-like feature in the first set of key text-like features (“the heat 
and an analysis of a literal visual representation on the first key text-like feature, in combination, (“one of the maps shows where in the original image text has been detected, while another may show where a face, a signature, document background, image background, or another type of feature has been detected.” Flament ¶ 37) to determine what meaning that first key text-like feature is trying to convey (where in the original image text has been detected, while another may show where a face, a signature, document background, image background, or another type of feature) in order to help catalog the first key text-like feature for a comparison (“The plug in tool then extracts tokens from the retrieved page, step 403. It then, for each token, determines a token probability, being a probability that that token exists in a fraudulent web page.” Waterson ¶ 74), where each key text-like feature has its own bounding box. (“The convolutional neural network may further extract information from the input images, where information of a specific feature type is extracted from the area of the captured image indicated by the corresponding heat map or bounding box.” Flament ¶ 11)


As to claims 8 and 18, Waterson in view of Flament discloses the system/method of claims 1 and 11 and further discloses:
determining if the token exists in token database (also training corpus), step 603. If it is not, then the token is assigned a default token probability, preferably 0.5, step 608. If the token does exist in the token database, step 603, then the method comprises obtaining from the token database the count of the total number of fraudulent pages that contained this token,” Waterson ¶ 86) where each key text-like feature is compared to another key text-like feature in that same category, (“The convolutional neural network may receive captured images produced by an input device such as a mobile client device, and may produce heat maps or bounding boxes corresponding to feature types such as text, face, signature, document background, and image background.” Flament ¶ 11) in order to output the likelihood of maliciousness of the unknown site under analysis, (“Using the token probabilities determined for the tokens from the retrieved page, the plug in tool then determines a page probability, step 405.” Waterson ¶ 75. See also ¶ 80) where the page is a log-in page of the site under analysis. (see Waterson Figure 13).

Claims 9, 10, 19, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Waterson et al., US 2012/0023566 (filed 2009-04), in view of Flament et al., US 2019/0019020 (filed 2018-07), and Govardhan et al., US 2019/0334947 (filed 2018-06).
As to claims 9 and 19, Waterson in view of Flament discloses the system of claims 1 and 11 and further discloses:
where the trained AI model is configured to compare the digital signatures from the first set of key text-like features detected in the unknown site under analysis to the digital signatures of the second set of key text-like features of known bad phishing sites, (“Tokens are extracted from the retrieved web page, steps 402 and 403 from FIG. 4. Determining token probability using Bayesian statistics, step 404, is then carried out in the following manner. First the method comprises determining if the token exists in token database (also training corpus), step 603. If it is not, then the token is assigned a default token probability, preferably 0.5, step 608. If the token does exist in the token database, step 603, then the method comprises obtaining from the token database the count of the total number of fraudulent pages that contained this token,” Waterson ¶ 86)

Waterson in view of Flament does not disclose:
where the phishing site detector has an access module configured when an email under analysis is checked, then the access module is configured to access a link in the email to capture the image of at least a log-in page associated with the unknown site accessed through the link.

Govardhan discloses:
214 crawls one or more webpages of a website associated with the URL. Once webpage crawler 214 has browsed each of the one or more webpages, webpage crawler 214 captures one or more images associated with each of the one or more webpages.” Govardhan ¶ 25) at least a log-in page associated with the unknown site accessed through the link. (“The webpage category may include login page (for example, for email or storage)” Govardhan ¶ 28).

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Waterson in view of Flament with Govardhan by utilizing the crawler and URL processor of Govardhan in the system of Waterson in view of Flament.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Waterson in view of Flament with Govardhan in order to extract and classify URLs of websites which users of a system are prompted with to thereby secure the users in the system from malicious phishing attacks via fraudulent URLs, Govardhan ¶ 4.

As to claims 10 and 20, Waterson in view of Flament and Govardhan discloses the system/method of claims 9 and 19 and further discloses:
214 crawls one or more webpages of a website associated with the URL. Once webpage crawler 214 has browsed each of the one or more webpages, webpage crawler 214 captures one or more images associated with each of the one or more webpages.” Govardhan ¶ 25) of at least the log-in page (Govardhan ¶ 28), and then to feed the screenshot to the segmentation module. (“extracting tokens from the text, or performing optical character recognition of an image of the page or frame and/or the title of the page and extracting tokens from the optically recognised characters.” Waterson ¶ 22. See also Flament as cited.)

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892, particularly:
Govardhan et al., US 2019/0334947, discloses classifying websites by simulating user interactions therewith. 
Gammage et al., US 2008/0091765, converts images in an email to tokens to assess maliciousness thereof.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL W CHAO whose telephone number is (571)272-5165. The examiner can normally be reached M, W-F 8-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571) 272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MICHAEL W CHAO/           Examiner, Art Unit 2492