Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claim Objections
	Claim 9 is objected to because of the following informalities: (FP 7.29.01).
In claim 9, line 4, “how to score the each portion based on context of the suspect URL should read “how to score each portion based on context of the suspect URL”.
Claim Rejections - 35 USC § 103
	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or
as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will
not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection,
would be the same under either status. 
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth
in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
	
Claims 1, 6, 10, 11, 13, 15, 16, 18, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over US 10,601,865 (hereinafter 'Mesdaq') and in further view of US 2013/0086677 A1 (hereinafter 'MA').
Regarding Claim 1:
Mesdaq discloses:
A method for phishing detection using uniform resource locators, the method comprising: accessing data from one or more of a monitored portion of website data and a monitored portion of emails (Figure 4: 121, 123; Column 7, Line 22: “The email analysis logic 121 performs a first stage of analysis on the email which includes an analysis of the header and contents of the body of the email.”; Column 7, Line: 29 “Additionally, when a URL is detected, the email is provided to the web page analysis logic 123, which performs a third stage of analysis including fetching the web page content”), the data indicating a suspect Uniform Resource Locator (URL); assigning a rule score based on partial rule scores of each portion of the suspect URL, the rule score “The score determination logic 141 determines a score indicative of the likelihood the email is associated with a phishing, or more particularly, a spearphishing attack. The score determination logic 141 may determine a first score indicating the likelihood that the email is associated with a phishing attack based on an analysis of the email (e.g., header and body) and a URL detected within the email. The score determination logic 141 may determine a second score indicating the likelihood that the web page directed to by the URL in the email, and thus the email, is associated with a phishing attack based on an analysis of web page itself. Additionally, the score determination logic 141 may determine a third score indicating the likelihood that the email is associated with a phishing attack based on a dynamic analysis of web page directed to by the URL in the email as well as the information collected during the static analysis, including the first and second score.”); 
Mesdaq does not discloses the following limitation “determining a uniqueness score of the suspect URL, the uniqueness score indicating a degree of uniqueness of the suspect URL from a plurality of known phishing URLs; and determining a URL phishing score based, at least in part, on the rules scores and the uniqueness score for the suspect URL”. 
MA discloses: 
determining a uniqueness score of the suspect URL, the uniqueness score indicating a degree of uniqueness of the suspect URL from a plurality of known phishing URLs; and determining a URL phishing score based, at least in part, on the rules scores and the uniqueness score for the suspect URL (¶45: “The embodiments of the present invention provide a method and a device for detecting a phishing web page. The method includes: judging whether a unique domain name corresponding to a to-be-detected web page exists in a trusted domain name database; if the unique domain name does not exist in the trusted domain name database, determining a similarity (uniqueness score) between a content characteristic extracted from the to-be-detected web page and a content characteristic of each template file in a template file database; and determining that the to-be-detected web page is a phishing web page if the similarity (uniqueness score) between the content characteristic extracted from the to-be-detected web page and a content characteristic of at least one template file is greater than a preset similarity threshold.”).  
It would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the teaching of Mesdaq and in order to include a feature that can calculate a suspected URL If a similarity between the content characteristic extracted from the to-be-detected web page and a content characteristic of one or more brand template files in the brand template database is greater than a preset similarity threshold, that is, if a brand template file that is similar to the to-be-detected web page exists in the brand template database, because the unique domain name corresponding to the to-be-detected web page is not a trusted domain name, it is determined that the to-be-detected web page is a phishing web page that is a fake brand web page.”). 
Regarding Claim 6:
Mesdaq does not disclose the following limitation “wherein said determining the degree of uniqueness comprises: approximating an identity function for the suspect URL to determine a degree of error; and assigning a uniqueness score to the suspect URL that is inversely proportional to the degree of error.”
MA discloses:
The method of claim 1, wherein said determining the degree of uniqueness comprises: approximating an identity function for the suspect URL to determine a degree of error; and assigning a uniqueness score to the suspect URL that is inversely proportional to the degree of error (¶9: “If the unique domain name does not exist in the trusted domain name database, determining a similarity (uniqueness score) between a content characteristic extracted from the to-be-detected web page and a content characteristic of each template file in a template file database, where the content characteristic includes at least: a coding format, a document object model, a word, and the number of words; and determining that the to-be-detected web page is a phishing web page if a similarity between the content characteristic extracted from the to-be-detected web page and a content characteristic of at least one template file is greater than a preset similarity threshold.”; ¶45: “If a similarity between the content characteristic extracted from the to-be-detected web page and a content characteristic of one or more brand template files in the brand template database is greater than a preset similarity threshold, that is, if a brand template file that is similar to the to-be-detected web page exists in the brand template database, because the unique domain name corresponding to the to-be-detected web page is not a trusted domain name, it is determined that the to-be-detected web page is a phishing web page that is a fake brand web page.”).
It would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the teaching of Mesdaq and in order to include a feature that can determine the degree of uniqueness for a suspect URL based on its degree of error as taught by MA. One of ordinary skill in the art would have been motivated to do so because MA recognizes that if a suspected URL is not found in a database of trusted URLs, and it has a high degree of error then it will likely indicate that the suspected URL has less of a chance of being a phishing page (¶61: “If the word similarity is less than the high preset value of the word similarity, it indicates that a few words in the to-be-detected web page are the same as the words in the template file, and it may be determined that the to-be-detected web page is not a phishing web page.”). 
Regarding Claim 10:
Mesdaq does not disclose the following limitation “triggering a phishing URL alarm based on the rule score or the uniqueness score, prior to determining the URL phishing score”
MA discloses:
The method of claim 1, further comprising: triggering a phishing URL alarm based on the rule score or the uniqueness score, prior to determining the URL phishing score (¶4: “Currently, a general method is to integrate a phishing detecting module into client software. When a user accesses a web page by using a browser, the phishing detecting module calculates suspiciousness (rule score) of the web page according to a local or remote data query result, and sends alarm information to the user if the suspiciousness is high.”).
It would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the teaching of Mesdaq and in order to include a feature that can trigger an alarm based on a rule score prior to determining the URL phishing score as taught by MA. One of ordinary skill in the art would have been motivated to do so because MA recognizes that a suspiciousness score (rule score) can be used in order to alert a user if a suspected URL is a phishing URL before the system uses its resources further in order to calculate the final phishing score (¶4: “When a user accesses a web page by using a browser, the phishing detecting module calculates suspiciousness (rule score) of the web page according to a local or remote data query result, and sends alarm information to the user if the suspiciousness is high. A remote anti-phishing server provides functions such as data updating, querying and filtering for phishing detecting modules in many clients.”).  
Regarding Claim 11:
Mesdaq discloses:
A system comprising: a non-transitory memory storing instructions; and a processor configured to execute the instructions to cause the system to: access data from one or more of a monitored portion of website data and a monitored portion of emails (Abstract “A non-transitory computer readable storage medium having stored thereon instructions when executable by a processor perform operations including responsive to receiving an email including a URL conducting an analysis of the email including: (i) analyzing a header and a body, and (ii) analyzing the URL; analyzing contents of a web page directed to by the URL; generating a score indicating a level of confidence the email is associated with a phishing attack based on at least one of the analysis of the email or the analysis of the contents of the web page; and responsive to the score being below a threshold, virtually processing the web page to determine whether the web page is associated with the phishing attack is shown.”), the data indicating a suspect Uniform Resource Locator (URL); determine entity specific data for a potential phishing target of the suspect URL; assign, based on the entity specific data, a rule score for each portion of the suspect URL, the rule score indicating a phishing potential (Column 8, Line 12: “The score determination logic 141 determines a score indicative of the likelihood the email is associated with a phishing, or more particularly, a spearphishing attack. The score determination logic 141 may determine a first score indicating the likelihood that the email is associated with a phishing attack based on an analysis of the email (e.g., header and body) and a URL detected within the email. The score determination logic 141 may determine a second score indicating the likelihood that the web page directed to by the URL in the email, and thus the email, is associated with a phishing attack based on an analysis of web page itself. Additionally, the score determination logic 141 may determine a third score indicating the likelihood that the email is associated with a phishing attack based on a dynamic analysis of web page directed to by the URL in the email as well as the information collected during the static analysis, including the first and second score.”);
Mesdaq does not discloses the following limitation “determine a uniqueness score of the suspect URL, the uniqueness score indicating a degree of uniqueness of the suspect URL from a plurality of known phishing URLs; and determine a URL phishing score based, at least in part, on the rules scores and the uniqueness score for the suspect URL”
MA discloses: 
 “The embodiments of the present invention provide a method and a device for detecting a phishing web page. The method includes: judging whether a unique domain name corresponding to a to-be-detected web page exists in a trusted domain name database; if the unique domain name does not exist in the trusted domain name database, determining a similarity (uniqueness score) between a content characteristic extracted from the to-be-detected web page and a content characteristic of each template file in a template file database; and determining that the to-be-detected web page is a phishing web page if the similarity between the content characteristic extracted from the to-be-detected web page and a content characteristic of at least one template file is greater than a preset similarity threshold.”).  
It would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the teaching of Mesdaq and in order to include a feature that can calculate a suspected URL phishing score based upon on a uniqueness score as taught by MA. One of ordinary skill in the art would have been motivated to do so because MA recognizes that if a suspected URL has high degree of similarity (low uniqueness score) based on another URL and if the suspected URL is not found in a database of trusted URLs, then it will likely indicate that the suspected URL is a phishing page (¶45: “If a similarity between the content characteristic extracted from the to-be-detected web page and a content characteristic of one or more brand template files in the brand template database is greater than a preset similarity threshold, that is, if a brand template file that is similar to the to-be-detected web page exists in the brand template database, because the unique domain name corresponding to the to-be-detected web page is not a trusted domain name, it is determined that the to-be-detected web page is a phishing web page that is a fake brand web page.”). 
Regarding claim 13:
Mesdaq does not disclose the following limitation “wherein determining the degree of uniqueness comprises: approximating an identity function for the suspect URL to determine a degree of error; and assigning a uniqueness score to the suspect URL based on the degree of error.”
MA discloses:
 “If the unique domain name does not exist in the trusted domain name database, determining a similarity (uniqueness score) between a content characteristic extracted from the to-be-detected web page and a content characteristic of each template file in a template file database, where the content characteristic includes at least: a coding format, a document object model, a word, and the number of words; and determining that the to-be-detected web page is a phishing web page if a similarity between the content characteristic extracted from the to-be-detected web page and a content characteristic of at least one template file is greater than a preset similarity threshold.”; ¶45: “If a similarity between the content characteristic extracted from the to-be-detected web page and a content characteristic of one or more brand template files in the brand template database is greater than a preset similarity threshold, that is, if a brand template file that is similar to the to-be-detected web page exists in the brand template database, because the unique domain name corresponding to the to-be-detected web page is not a trusted domain name, it is determined that the to-be-detected web page is a phishing web page that is a fake brand web page.”).
It would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the teaching of Mesdaq and in order to include a feature that can determine the degree of uniqueness for a suspect URL based on its degree of error as taught by MA. One of ordinary skill in the art would have been motivated to do so because MA recognizes that if a suspected URL has high degree of similarity (low uniqueness score) based on another URL and if the suspected URL is not found in a database of trusted URLs, then it will likely indicate that the suspected URL is a phishing page (¶45: “If a similarity between the content characteristic extracted from the to-be-detected web page and a content characteristic of one or more brand template files in the brand template database is greater than a preset similarity threshold, that is, if a brand template file that is similar to the to-be-detected web page exists in the brand template database, because the unique domain name corresponding to the to-be-detected web page is not a trusted domain name, it is determined that the to-be-detected web page is a phishing web page that is a fake brand web page.”). 
Regarding claim 15:
Mesdaq does not disclose the following limitation “trigger a phishing URL alarm based on the rule score or the uniqueness score, prior to determining the URL phishing score”

The system of claim 11, wherein executing the instructions further cause the system to, trigger a phishing URL alarm based on the rule score or the uniqueness score, prior to determining the URL phishing score (¶4: “Currently, a general method is to integrate a phishing detecting module into client software. When a user accesses a web page by using a browser, the phishing detecting module calculates suspiciousness (rule score) of the web page according to a local or remote data query result, and sends alarm information to the user if the suspiciousness is high.”).
It would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the teaching of Mesdaq and in order to include a feature that can trigger an alarm based on a rule score prior to determining the URL phishing score as taught by MA. One of ordinary skill in the art would have been motivated to do so because MA recognizes that a suspiciousness score (rule score) can be used in order to alert a user if a suspected URL is a phishing URL before the system uses its resources further in order to calculate the final phishing score (¶4: “When a user accesses a web page by using a browser, the phishing detecting module calculates suspiciousness of the web page according to a local or remote data query result, and sends alarm information to the user if the suspiciousness is high. A remote anti-phishing server provides functions such as data updating, querying and filtering for phishing detecting modules in many clients.”).  
Regarding claim 16:
Mesdaq discloses:
A non-transitory machine-readable medium having instructions stored thereon, the instructions executable to cause performance of operations comprising: accessing data from one or more of a monitored portion of website data and a monitored portion of emails, the data indicating a suspect Uniform Resource Locator (URL) determining entity specific data for a potential phishing target of the suspect URL (Abstract “A non-transitory computer readable storage medium having stored thereon instructions when executable by a processor perform operations including responsive to receiving an email including a URL conducting an analysis of the email including: (i) analyzing a header and a body, and (ii) analyzing the URL; analyzing contents of a web page directed to by the URL; generating a score indicating a level of confidence the email is associated with a phishing attack based on at least one of the analysis of the email or the analysis of the contents of the web page; and responsive to the score being below a threshold, virtually processing the web page to determine whether the web page is associated with the phishing attack is shown.”); assigning, based on the entity specific data, a rule score for each portion of the suspect URL, the rule score indicating a phishing potential (Column 8, Line 12: “The score determination logic 141 determines a score indicative of the likelihood the email is associated with a phishing, or more particularly, a spearphishing attack. The score determination logic 141 may determine a first score indicating the likelihood that the email is associated with a phishing attack based on an analysis of the email (e.g., header and body) and a URL detected within the email. The score determination logic 141 may determine a second score indicating the likelihood that the web page directed to by the URL in the email, and thus the email, is associated with a phishing attack based on an analysis of web page itself. Additionally, the score determination logic 141 may determine a third score indicating the likelihood that the email is associated with a phishing attack based on a dynamic analysis of web page directed to by the URL in the email as well as the information collected during the static analysis, including the first and second score.”); 
Mesdaq does not discloses the following limitation “determining a uniqueness score of the suspect URL, the uniqueness score indicating a degree of uniqueness of the suspect URL from a plurality of known phishing URLs; and determining a URL phishing score based, at least in part, on the rules scores and the uniqueness score for the suspect URL”
MA discloses:
determining a uniqueness score of the suspect URL, the uniqueness score indicating a degree of uniqueness of the suspect URL from a plurality of known phishing URLs; and determining a URL phishing score based, at least in part, on the rules scores and the uniqueness score for the suspect URL (¶45: “The embodiments of the present invention provide a method and a device for detecting a phishing web page. The method includes: judging whether a unique domain name corresponding to a to-be-detected web page exists in a trusted domain name database; if the unique domain name does not exist in the trusted domain name database, determining a similarity (uniqueness score) between a content characteristic extracted from the to-be-detected web page and a content characteristic of each template file in a template file database; and determining that the to-be-detected web page is a phishing web page if the similarity between the content characteristic extracted from the to-be-detected web page and a content characteristic of at least one template file is greater than a preset similarity threshold.”).
If a similarity between the content characteristic extracted from the to-be-detected web page and a content characteristic of one or more brand template files in the brand template database is greater than a preset similarity threshold, that is, if a brand template file that is similar to the to-be-detected web page exists in the brand template database, because the unique domain name corresponding to the to-be-detected web page is not a trusted domain name, it is determined that the to-be-detected web page is a phishing web page that is a fake brand web page.”). 
Regarding Claim 18
The non-transitory machine-readable medium of claim 16, wherein determining the degree of uniqueness comprises: approximating an identity function for the suspect URL to determine a degree of error; and assigning a uniqueness score to the suspect URL based on the degree of error (¶9: “If the unique domain name does not exist in the trusted domain name database, determining a similarity between a content characteristic extracted from the to-be-detected web page and a content characteristic of each template file in a template file database, where the content characteristic includes at least: a coding format, a document object model, a word, and the number of words; and determining that the to-be-detected web page is a phishing web page if a similarity between the content characteristic extracted from the to-be-detected web page and a content characteristic of at least one template file is greater than a preset similarity threshold.”; ¶45: “If a similarity between the content characteristic extracted from the to-be-detected web page and a content characteristic of one or more brand template files in the brand template database is greater than a preset similarity threshold, that is, if a brand template file that is similar to the to-be-detected web page exists in the brand template database, because the unique domain name corresponding to the to-be-detected web page is not a trusted domain name, it is determined that the to-be-detected web page is a phishing web page that is a fake brand web page.”).
 determine the degree of uniqueness for a suspect URL based on its degree of error as taught by MA. One of ordinary skill in the art would have been motivated to do so because MA recognizes that if a suspected URL has high degree of similarity (low uniqueness score) based on another URL and if the suspected URL is not found in a database of trusted URLs, then it will likely indicate that the suspected URL is a phishing page (¶45: “If a similarity between the content characteristic extracted from the to-be-detected web page and a content characteristic of one or more brand template files in the brand template database is greater than a preset similarity threshold, that is, if a brand template file that is similar to the to-be-detected web page exists in the brand template database, because the unique domain name corresponding to the to-be-detected web page is not a trusted domain name, it is determined that the to-be-detected web page is a phishing web page that is a fake brand web page.”). 
Regarding Claim 20
The non-transitory machine-readable medium of claim 16, wherein the operations further comprise: triggering a phishing URL alarm based on the rule score or the uniqueness score, prior to determining the URL phishing score (¶4: “Currently, a general method is to integrate a phishing detecting module into client software. When a user accesses a web page by using a browser, the phishing detecting module calculates suspiciousness (rule score) of the web page according to a local or remote data query result, and sends alarm information to the user if the suspiciousness is high.”)
It would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the teaching of Mesdaq and in order to include a feature that can trigger an alarm based on a rule score prior to determining the URL phishing score as taught by MA. One of ordinary skill in the art would have been motivated to do so because MA recognizes that a suspiciousness score (rule score) can be used in order to alert a user if a suspected URL is a phishing URL before the system uses its resources further in order to calculate the final phishing score (¶4: “When a user accesses a web page by using a browser, the phishing detecting module calculates suspiciousness of the web page according to a local or remote data query result, and sends alarm information to the user if the suspiciousness is high. A remote anti-phishing server provides functions such as data updating, querying and filtering for phishing detecting modules in many clients.”).  

s 2, 3, 12, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over US 10,601,865 (hereinafter 'Mesdaq'), in view of US 2013/0086677 A1 (hereinafter 'MA'), and in further view of US 9,578,048 B1 (hereinafter 'Hunt').
Regarding Claim 2:
Mesdaq and MA do not disclose the following limitation “further comprising: determining an entropy score of the suspect URL, wherein the entropy score indicates a probability distribution of characters in the suspect URL, wherein the final phishing score is further based on the entropy score for the suspect URL”
Hunt discloses:
The method of claim 1, further comprising: determining an entropy score of the suspect URL, wherein the entropy score indicates a probability distribution of characters in the suspect URL, wherein the final phishing score is further based on the entropy score for the suspect URL (Column 14, Line 11: “Entropy is a measure based on the distribution of characters in the DOM and a high or low entropy (entropy score) within a domain path may indicate phishing behavior. A website domain length may include the length of web http address within a domain based on a number of characters, amount of information, and/or any other relevant measurement. The combination of a long domain/path along with a low entropy (entropy score) may be a strong indicator of phishing activity.”). 
It would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the teaching of Mesdaq and MA in order to include a feature that can calculate a suspected URL phishing score based upon its entropy score as taught by Hunt. One of ordinary skill in the art would have been motivated to do so because Hunt recognizes that a suspected URL having a low entropy score and a high length score will likely indicate that it has a strong phishing activity (Column 14, Line 19: “The combination of a long domain/path along with a low entropy may be a strong indicator of phishing activity. Similar measurements may be made for full website addresses”). 
Regarding Claim 3:
Mesdaq and MA do not disclose the following limitation “determining a length score of the suspect URL, wherein the length score indicates a relative length of characters in the suspect URL, wherein the final phishing score is further based on the length score”
Hunt discloses:
 “A website domain length may include the length of web http address within a domain based on a number of characters, amount of information, and/or any other relevant measurement. The combination of a long domain (length score) /path along with a low entropy may be a strong indicator of phishing activity. Similar measurements may be made for full website addresses.”).
It would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the teaching of Mesdaq and MA in order to include a feature that can calculate a suspected URL phishing score based upon a length score as taught by Hunt. One of ordinary skill in the art would have been motivated to do so because Hunt recognizes that a suspected URL having a low entropy score and a high length score will likely indicate that it has a strong phishing activity (Column 14, Line 19: “The combination of a long domain (length score)/path along with a low entropy may be a strong indicator of phishing activity. Similar measurements may be made for full website addresses”). 
Regarding claim 12:
Mesdaq and MA do not disclose the following limitation “wherein executing the instructions further cause the system to, determine an entropy score of the suspect URL, wherein the entropy score indicates a probability distribution of characters in the suspect URL, wherein the final phishing score is further based on the entropy score for the suspect URL”
Hunt discloses:
The system of claim 11, wherein executing the instructions further cause the system to, determine an entropy score of the suspect URL, wherein the entropy score indicates a probability distribution of characters in the suspect URL, wherein the final phishing score is further based on the entropy score for the suspect URL (Column 14, Line 11: “Entropy is a measure based on the distribution of characters in the DOM and a high or low entropy (entropy score) within a domain path may indicate phishing behavior. A website domain length may include the length of web http address within a domain based on a number of characters, amount of information, and/or any other relevant measurement. The combination of a long domain/path along with a low entropy may be a strong indicator of phishing activity.”).
The combination of a long domain/path along with a low entropy may be a strong indicator of phishing activity. Similar measurements may be made for full website addresses”). 
Regarding Claim 17
Mesdaq and MA do not disclose the following limitation “wherein the operations further comprise: determining an entropy score of the suspect URL, wherein the entropy score indicates a probability distribution of characters in the suspect URL, wherein the final phishing score is further based on the entropy score for the suspect URL”
Hunt discloses:
The non-transitory machine-readable medium of claim 16, wherein the operations further comprise: determining an entropy score of the suspect URL, wherein the entropy score indicates a probability distribution of characters in the suspect URL, wherein the final phishing score is further based on the entropy score for the suspect URL (Column 14, Line 11: “Entropy is a measure based on the distribution of characters in the DOM and a high or low entropy (entropy score) within a domain path may indicate phishing behavior. A website domain length may include the length of web http address within a domain based on a number of characters, amount of information, and/or any other relevant measurement. The combination of a long domain/path along with a low entropy (entropy score) may be a strong indicator of phishing activity.”). 
It would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the teaching of Mesdaq and MA in order to include a feature that can calculate a suspected URL phishing score based upon its entropy score as taught by Hunt. One of ordinary skill in the art would have been motivated to do so because Hunt recognizes that a suspected URL having a low entropy and a high length score will likely indicate that it has a strong phishing activity (Column 14, Line 19: “The combination of a long domain/path along with a low entropy may be a strong indicator of phishing activity. Similar measurements may be made for full website addresses”). 

Claims 4 is rejected under 35 U.S.C. 103 as being unpatentable over US 10,601,865 (hereinafter 'Mesdaq'), in view of US 2013/0086677 A1 (hereinafter 'MA'), and in further view of US 2014/0380482 A1 (hereinafter ‘Thomas’).
Regarding Claim 4:
Mesdaq and MA do not disclose the following limitation “further comprising: selecting a next detection engine of a plurality of detection engines for processing the suspect URL, the selecting based at least on the final phishing score, each of the plurality of detection engines for performing one or more respective investigation actions on the suspect URL to determine a particular issue”
Thomas discloses: 
The method of claim 1, further comprising: selecting a next detection engine of a plurality of detection engines for processing the suspect URL, the selecting based at least on the final phishing score (¶28: “As shown in FIG. 1 b, malware controller 140 may be any type of computing device, many of which are known in the art. Malware controller 140 may be configured to receive malware scan requests, and send the malware scan requests to one or more hubs 150 for further processing. Malware controller 140 (first detection engine) may also be configured to analyze data to autonomously identify malware scan requests, and send the malware scan requests to one or more hubs 150 (next detection engine) for further processing.”), each of the plurality of detection engines for performing one or more respective investigation actions on the suspect URL to determine a particular issue (¶28: “Malware scan requests may include one or more parameters, such as, for example, target uniform resource identifiers (URIs), uniform resource locators (URLs). Malware controller 140 may also be configured to analyze data to autonomously identify malware scan requests, and send the malware scan requests to one or more hubs 150 for further processing.”), 
It would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the teaching of Mesdaq and MA in order to include a feature where a suspected URL is forwarded to a detection taught by Thomas. One of ordinary skill in the art would have been motivated to do so because Thomas recognizes that a detection engine can further analyze the phishing URL (¶28: “Malware controller 140 may also be configured to analyze data to autonomously identify malware scan requests, and send the malware scan requests to one or more hubs 150 for further processing”).

wherein said accessing, said assigning the rule scores (Mesdaq Column 8, Line 16: “The score determination logic 141 (rule score) may determine a first score indicating the likelihood that the email is associated with a phishing attack based on an analysis of the email (e.g., header and body) and a URL detected within the email. The score determination logic 141 may determine a second score indicating the likelihood that the web page directed to by the URL in the email, and thus the email, is associated with a phishing attack based on an analysis of web page itself. Additionally, the score determination logic 141 may determine a third score indicating the likelihood that the email is associated with a phishing attack based on a dynamic analysis of web page directed to by the URL in the email as well as the information collected during the static analysis, including the first and second score.”), said approximating, said assigning the uniqueness score (MA: Abstract: “The embodiments of the present invention provide a method and a device for detecting a phishing web page. The method includes: judging whether a unique domain name corresponding to a to-be-detected web page exists in a trusted domain name database; if the unique domain name does not exist in the trusted domain name database, determining a similarity (uniqueness score) between a content characteristic extracted from the to-be-detected web page and a content characteristic of each template file in a template file database; and determining that the to-be-detected web page is a phishing web page if the similarity between the content characteristic extracted from the to-be-detected web page and a content characteristic of at least one template file is greater than a preset similarity threshold.”), and said determining are performed by a first detection engine of the plurality of detection engines (Thomas ¶28: “Malware controller 140 (first detection engine) may also be configured to analyze data to autonomously identify malware scan requests, and send the malware scan requests to one or more hubs 150 (next detection engine) for further processing.”; ¶29 “In addition, malware controller 140 may also be in communication with another hub, i.e., hub 150 b, as illustrated by the dashed line from malware controller 140 to hub 150 b.”). 
It would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the teaching of Mesdaq in order to include an engine that can calculate a uniqueness score of a suspected URL as taught by MA and include a feature that can identify a malware (phishing) detection by a first detection engine from a plurality of detection engines as taught by Thomas. One of ordinary skill in the art would have been motivated to do so because MA recognizes that a detection engine can be used in order to analyze a If a similarity between the content characteristic extracted from the to-be-detected web page and a content characteristic of one or more brand template files in the brand template database is greater than a preset similarity threshold, that is, if a brand template file that is similar to the to-be-detected web page exists in the brand template database, because the unique domain name corresponding to the to-be-detected web page is not a trusted domain name, it is determined that the to-be-detected web page is a phishing web page that is a fake brand web page.”) and Thomas recognizes that by identifying a malware (phishing) attack with the first detection engine would be beneficial as the first engine can than forward the information from the malware (phishing) attack to a second engine where it can be further analyzed (¶28: “Malware controller 140 may also be configured to analyze data to autonomously identify malware scan requests, and send the malware scan requests to one or more hubs 150 for further processing”).

Claims 5 is rejected under 35 U.S.C. 103 as being unpatentable over US 10,601,865 (hereinafter 'Mesdaq'), in view of US 2013/0086677 A1 (hereinafter 'MA'), and in further view of US 2020/0358819 A1 (hereinafter 'Bowditch').
Regarding claim 5
Mesdaq and Ma do not disclose the following limitation “wherein said determining the final phishing score is further based on a cryptographic score that indicates analysis of a cryptographic certificate associated with the suspect URL”
Bowditch discloses: 
The method of claim 1, wherein said determining the final phishing score is further based on a cryptographic score that indicates analysis of a cryptographic certificate associated with the suspect URL (¶26: “In one embodiment, the detection and extraction processor 14 can include one or more feature extractors, elements, etc. 22 configured to extract a domain or URL associated with the request, keywords in an email accompanying the request, an 1P analysis, or other features indicative of a phishing attack or other malicious actions, such as a domain registration age, a domain registrar, and a domain's SSL certificate details (e.g., if an SSL certificate is present), etc., based on/from the received request information.”).
Thereafter, the detection and extraction processor 14 can analyze and compare the extracted, identified, or computed features of the request/webpage to known features and/or other information, such as in a Whitelist, Blacklist, and/or other repository of malicious and/or known legitimate/safe requestors (e.g., URLs, domains, etc.) to initially determine if the request is a known malicious or known safe/trusted action, or if further analysis is required.). 
Claims 7, 8, 14, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over US 10,601,865 (hereinafter 'Mesdaq'), in view of US 2013/0086677 A1 (hereinafter 'MA'), and in further view of US 2014/0033307 A1 (hereinafter 'Schmidtler').
Regarding Claim 7:
Mesdaq and MA do not disclose the following limitation: “wherein said approximating the identity function comprises: using an encoder to map the suspect URL to a vector; and using a decoder to re-create, based on the vector, the suspect URL as a recreated URL”
Schmidtler discloses:
The method of claim 6, wherein said approximating the identity function comprises: using an encoder to map the suspect URL to a vector; and using a decoder to re-create, based on the vector, the suspect URL as a recreated URL (¶8: “In accordance with embodiments of the present disclosure, the phishing classification system encodes (using an encoder) this information by creating a feature vector for one or more pages of the web page, i.e. the landing page and its descendant iframe pages. In some embodiments, a feature vector is created for every page of the web page (using a decoder). A final feature vector {right arrow over (p)} may then be derived from the individual page feature vectors according to the following formula”; Claims 1-3: “A method comprising: creating a feature vector for a website; and providing the feature vector to a model to determine whether or not the website is a phishing website. The method of claim 1, further comprising: creating one or more feature vectors for a landing page of the website; creating one or more feature vectors for one or more iframe pages that are a descendant of the landing page; and deriving a final feature vector from the one or more feature vectors of the landing page and the one or more feature vectors for the descendant iframe pages. The method of claim 2, further comprising: inputting the final feature vector into a model, wherein the model outputs a score associated with a probability of being a phishing site given the input; classifying the website as a phishing website based on the determined score.); 
It would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the teaching of Mesdaq and MA in order to include a feature that can use an encoder to map a suspicious URL to vector and use a decoder in order to re-create the suspect URL as taught by Schmidtler. Although Schmidtler does not disclose the use of a decoder in order to recreate the suspected URL, it should be noted that a decoder is an inherent feature of an encoder as it is used in order to reverse the information that is collected from the encoder in order to re-create the suspect URL. One of ordinary skill in the art would have been motivated to do so because Schmidtler recognizes that a vector can be used to determine whether the suspected URL is a phishing website (¶13: “According to some embodiments of the present invention, a method is provided, the method creating a feature vector for a website, and providing the feature vector to a model to determine whether or not the website is a phishing website. And further yet, a system for classifying one or more websites is provided, the system comprising a plurality of sensors for providing input data to a server configured to create a feature vector for a website and provide the feature vector to a model to determine whether or not the website is a phishing website.”)
Schmidtler further discloses:
wherein one or more of the encoder and the decoder are trained using the plurality of known phishing URLs (¶6: “In accordance with some embodiments of the present disclosure, a phishing classification system, or model, is disclosed that provides improved protection compared to the current state of the art against threats to internet security and against malicious code in general. The improvement is achieved by leveraging nearly all of the relevant information (URLs) and encoding (encoder paired with decoder) this information with as little preprocessing as possible.”).
It would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the teaching of Mesdaq and MA and in order to include a feature that can model an encoder and decoder using a plurality of known phishing URLs. Although Schmidtler does not disclose the use of a decoder This results in a highly adaptive system capable of capturing evolving or new signal patterns without changing or updating the sources as well as the encoding (encoder paired with decoder)  of the input information supplied to the system. By constantly retraining this highly adaptive system on newly detected phishing sites, one automatically maintains the system's capability of detecting new phishing sites despite continuously changing practices and strategies used in phishing.”).
Regarding Claim 8:
Mesdaq and MA do not disclose the following limitation “using an encoder to map the suspect URL to a vector; and apply the vector to a machine learning model to determine anomalous vectors if the vector does not match one of known phishing URLs; wherein one or more of the encoder and the machine learning model are trained using the plurality of known phishing URLs.”
Schmidtler discloses:
The method of claim 1, wherein said determining the degree of uniqueness comprises: using an encoder to map the suspect URL to a vector (Claim 4: “The method of claim 3, further comprising: classifying the website as a phishing website given the score and a threshold.”; ¶8: “In accordance with embodiments of the present disclosure, the phishing classification system encodes (using an encoder) this information by creating a feature vector for one or more pages of the web page, i.e. the landing page and its descendant iframe pages.”); and apply the vector to a machine learning model to determine anomalous vectors if the vector does not match one of known phishing URLs; wherein one or more of the encoder and the machine learning model are trained using the plurality of known phishing URLs (Abstract: “The phishing classification model may operate on a server and may further select a website, generate a feature vector for a landing page of the website, create a feature vector for every iframe that is a descendent of the landing page, and derive a final feature vector from the feature vectors of the landing page and the descendent iframe pages. Further, machine learning techniques may be applied to generate, or train, a classification model based upon one or more known phishing websites.”; ¶6: “In accordance with some embodiments of the present disclosure, a phishing classification system, or model, is disclosed that provides improved protection compared to the current state of the art against threats to internet security and against malicious code in general. The improvement is achieved by leveraging nearly all of the relevant information (URLs) and encoding (encoder paired with decoder) this information with as little preprocessing as possible.”).
It would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the teaching of Mesdaq and MA in order to include a feature that can use an encoder and decoder to detect a suspected URL and apply a machine learning technique in order to train a vector in order to determine if the suspected URL is a phishing webpage. One of ordinary skill in the art would have been motivated to do so because Schmidtler recognizes that this method is effective in recognizing phishing URLs and ensures that the machine learning system vectors will be able to improve over time with the more phishing URLs that they can model after (¶77: “Furthermore, transudative learning methods may be applied to leverage the information contained in the stored instances with unknown phishing classification assessments, and, thus further improve the prediction accuracy of the learned phishing classification models. In instances where one or modes 412, 520 are used, method 1000 may then combine the one or more models at optional step S1016.”)
Regarding claim 14:
Mesdaq and MA do not disclose the following limitation “using an encoder to map the suspect URL to a vector; and using a decoder to re-create, based on the vector, the suspect URL as a recreated URL”.
Schmidtler discloses:
The system of claim 13, wherein said approximating the identity function comprises: using an encoder to map the suspect URL to a vector; and using a decoder to re-create, based on the vector, the suspect URL as a recreated URL (¶8: “In accordance with embodiments of the present disclosure, the phishing classification system encodes (using an encoder) this information by creating a feature vector for one or more pages of the web page, i.e. the landing page and its descendant iframe pages. In some embodiments, a feature vector is created for every page of the web page (using a decoder). A final feature vector {right arrow over (p)} may then be derived from the individual page feature vectors according to the following formula”; Claims 1-3: “A method comprising: creating a feature vector for a website; and providing the feature vector to a model to determine whether or not the website is a phishing website. The method of claim 1, further comprising: creating one or more feature vectors for a landing page of the website; creating one or more feature vectors for one or more iframe pages that are a descendant of the landing page; and deriving a final feature vector from the one or more feature vectors of the landing page and the one or more feature vectors for the descendant iframe pages. The method of claim 2, further comprising: inputting the final feature vector into a model, wherein the model outputs a score associated with a probability of being a phishing site given the input; classifying the website as a phishing website based on the determined score.); 
It would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the teaching of Mesdaq and MA in order to include a feature that can use an encoder and decoder to map a suspicious URL to vector as taught by Schmidtler. Although Schmidtler does not disclose the use of a decoder in order to recreate the suspected URL, it should be noted that a decoder is an inherent feature of an encoder as it is used in order to reverse the information that is collected from the encoder in order to re-create the suspect URL. One of ordinary skill in the art would have been motivated to do so because Schmidtler recognizes that a vector can be used to determine whether the suspected URL is a phishing website (¶13: “According to some embodiments of the present invention, a method is provided, the method creating a feature vector for a website, and providing the feature vector to a model to determine whether or not the website is a phishing website. And further yet, a system for classifying one or more websites is provided, the system comprising a plurality of sensors for providing input data to a server configured to create a feature vector for a website and provide the feature vector to a model to determine whether or not the website is a phishing website.”)
Schmidtler further discloses:
wherein one or more of the encoder and the decoder are trained using the plurality of known phishing URLs (¶6: “It is with respect to the above issues and other problems that the embodiments presented herein were contemplated. In accordance with some embodiments of the present disclosure, a phishing classification system, or model, is disclosed that provides improved protection compared to the current state of the art against threats to internet security and against malicious code in general. The improvement is achieved by leveraging nearly all of the relevant information and encoding (encoder paired with decoder) this information with as little preprocessing as possible.”).
It would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the teaching of Mesdaq and MA in order to include a feature that can model an encoder using a plurality of known phishing URLs. Although Schmidtler does not disclose the use of a decoder when modeling a This results in a highly adaptive system capable of capturing evolving or new signal patterns without changing or updating the sources as well as the encoding of the input information supplied to the system. By constantly retraining this highly adaptive system on newly detected phishing sites, one automatically maintains the system's capability of detecting new phishing sites despite continuously changing practices and strategies used in phishing.”).
Regarding Claim 19
Mesdaq and MA do not disclose the following limitation “wherein said approximating the identity function comprises: using an encoder to map the suspect URL to a vector; and using a decoder to re-create, based on the vector, the suspect URL as a recreated URL”.
Schmidtler discloses:
The non-transitory machine-readable medium of claim 18, wherein said approximating the identity function comprises: using an encoder to map the suspect URL to a vector; and using a decoder to re-create, based on the vector, the suspect URL as a recreated URL (¶8: “In accordance with embodiments of the present disclosure, the phishing classification system encodes (using an encoder) this information by creating a feature vector for one or more pages of the web page, i.e. the landing page and its descendant iframe pages. In some embodiments, a feature vector is created for every page of the web page (using a decoder). A final feature vector {right arrow over (p)} may then be derived from the individual page feature vectors according to the following formula”; ¶15: “And further yet, a non-transitory computer readable medium is provide, the non-transitory computer readable containing instructions that when executed by a processor and memory, cause the processor to facilitate the classification of one or more websites, the instructions comprising: creating a feature vector for a website, and providing the feature vector to a model to determine whether or not the website is a phishing website.”; Claims 1-3: “A method comprising: creating a feature vector for a website; and providing the feature vector to a model to determine whether or not the website is a phishing website. The method of claim 1, further comprising: creating one or more feature vectors for a landing page of the website; creating one or more feature vectors for one or more iframe pages that are a descendant of the landing page; and deriving a final feature vector from the one or more feature vectors of the landing page and the one or more feature vectors for the descendant iframe pages. The method of claim 2, further comprising: inputting the final feature vector into a model, wherein the model outputs a score associated with a probability of being a phishing site given the input; classifying the website as a phishing website based on the determined score.);
It would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the teaching of Mesdaq and MA in order to include a feature that can use an encoder to map a suspicious URL to vector and use a decoder in order to re-create the suspect URL as taught by Schmidtler. Although Schmidtler does not disclose the use of a decoder in order to recreate the suspected URL, it should be noted that a decoder is an inherent feature of an encoder as it is used in order to reverse the information that is collected from the encoder in order to re-create the suspect URL. One of ordinary skill in the art would have been motivated to do so because Schmidtler recognizes that a vector can be used to determine whether the suspected URL is a phishing website (¶13: “According to some embodiments of the present invention, a method is provided, the method creating a feature vector for a website, and providing the feature vector to a model to determine whether or not the website is a phishing website. And further yet, a system for classifying one or more websites is provided, the system comprising a plurality of sensors for providing input data to a server configured to create a feature vector for a website and provide the feature vector to a model to determine whether or not the website is a phishing website.”)
Schmidtler further discloses: 
wherein one or more of the encoder and the decoder are trained using the plurality of known phishing URLs (¶6: “It is with respect to the above issues and other problems that the embodiments presented herein were contemplated. In accordance with some embodiments of the present disclosure, a phishing classification system, or model, is disclosed that provides improved protection compared to the current state of the art against threats to internet security and against malicious code in general. The improvement is achieved by leveraging nearly all of the relevant information and encoding (encoder paired with decoder) this information with as little preprocessing as possible.”).
It would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the teaching of Mesdaq and MA and in order to include a feature that can model an encoder and This results in a highly adaptive system capable of capturing evolving or new signal patterns without changing or updating the sources as well as the encoding (encoder paired with decoder)  of the input information supplied to the system. By constantly retraining this highly adaptive system on newly detected phishing sites, one automatically maintains the system's capability of detecting new phishing sites despite continuously changing practices and strategies used in phishing.”).

Claims 9 rejected under 35 U.S.C. 103 as being unpatentable over US 10,601,865 (hereinafter 'Mesdaq'), in view of US 2013/0086677 A1 (hereinafter 'MA'), and in further view of US 2018/0124110A1 (hereinafter 'Hunt_2').
Regarding Claim 9:
Mesdaq does not disclose the following limitation: “assigning a respective partial score to each portion of the suspect URL, the assigning based on a database of known suspect phishing URL portions, wherein said assigning the respective partial scores is based on URL rules that indicate how to score the each portion based on context of the suspect URL; and generating the rule score based on the partial scores.”
Hunt_2 discloses: 
The method of claim 1, wherein said assigning the rule scores comprises: assigning a respective partial score to each portion of the suspect URL, the assigning based on a database of known suspect phishing URL portions, wherein said assigning the respective partial scores is based on URL rules that indicate how to score the each portion based on context of the suspect URL; and generating the rule score based on the partial scores (¶8: “Based upon a number of times the attribute reoccurs in at least one URI in different blacklist sequences, a score may be generated for the attribute. The score may indicate a likelihood that the attribute is associated with malicious behavior. In some examples, the score may be further based upon a number of times that a web crawl causes a URI with the attribute to be called without the web crawl resulting in the generation of a blacklist sequence (i.e., none of the URIs called during the web crawl were identified as malicious). In such examples, the score may be generated based upon a Wilson score interval to prevent attributes from being identified as malicious the first few times that they are identified in a blacklist sequence (e.g., that there is statistical support that the attribute is more often bad than not). In some examples, the score may be further based upon an amount of time since a web crawl that included a URI with the attribute resulted in the generation of a blacklist sequence. In such examples, the amount of time may be temporal or based upon a number of web crawls run.”).
It would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the teaching of Mesdaq and MA in order to include a feature that can calculate a suspected URLs phishing score based off of other scoring factor as taught by Hunt_2. One of ordinary skill in the art would have been motivated to do so because Hunt_2 recognizes that this method is of scoring is effective in recognizing phishing webpages as different scores can be weighted differently based on the content of the suspected URL (¶62: “In some examples, a weight may be applied to the score based on one or more factors. For example, the weight may be an exponential decay factor (e.g., calculating the score may be further based upon an amount of time since the attribute has been included in a blacklist sequence). The score may be weighted based on the one or more factors. For example, the score may be multiplied by the decay factor. The exponential decay factor may be defined as a specific number of days during which a network asset was crawled and an when an malicious incident was detected for an indicator (e.g., a network asset). For example, the decay factor may be 7 days. A different weight for the decay factor may be applied to the score based on consideration of the decay factor. In the last example, when the difference between the last time a network asset was crawled and the last time network asset was detected as being associated with malicious incident was 7 days, the weight may be 0.5, or half of the score. Thus, a score may be modified based on application of a weight.”).







Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Zhu (CN 107438083 A) discloses that a character length of the URL is greater than 30, the length of the common trusted website will not be too long if the length is too long URL, likely to be a phishing site. Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAAD ABDULLAH whose telephone number is 571-272-1531. The examiner can normally be reached on Monday-Friday 9am-5pm EST. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, LYNN FIELD can be reached on 571-272-2092.
	Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/SAAD AHMAD ABDULLAH/Examiner, Art Unit 2431                                                                                                                                                                                                        
/LYNN D FEILD/Supervisory Patent Examiner, Art Unit 2431