DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Information Disclosure Statement
The information disclosure statement (IDS) was submitted on 06/08/2020. The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.



Claim 8, 10-14 is rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter as being directed to software per se. 
Regarding independent claim 8, the claim is directed to a system claim; however does not positively recite any hardware element in the body of the claim. A ‘processor’ is recited on claim 8, however the specification fails to limit the definition of the ‘processor’ as hardware processor. The disclosure appears to explain “processor” by providing examples. For example, par. 57 states “…System 310 may include at least one first processor 202 (e.g., such as controller 105 shown in Fig. 1…”. 

Regarding claims 9-14, claims 9-14 do not resolve the issue of claim 8 and therefore claims 9-14 are rejected based on the same rational as 8.

Claim Rejections - 35 USC § 102

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention. (FP 7.08.aia)

Claims 1-2, 4-9, 11-14 are rejected under 35 U.S.C. 102(a)(1) as being unpatentable over PIETRASZEK et. al. (US 20090094677 A1), hereinafter referred to as Pietraszek.

Regarding Claim 1: Pietraszek teaches A method of blocking phishing attempts in a computer network, the method comprising (Para [0037], it is an efficient and reliable method against phishing attacks):
receiving, by a processor, a list of assets of the computer network, wherein each asset is associated with at least one computer network address (Para [0080, 0081] The computer system… compiling a list of network addresses accessed by the business entity);
generating, by the processor, at least one address permutation on the at least one computer network address of each asset of the computer network, wherein the generated at least one address permutation is different from the address associated with each asset of the computer network (Para [0082, 0098-110], generating derivatives of the accessed network addresses... In step 20 the evaluation software of the browser 3 generates a set of similar derivatives 60 comprising as an example the URLs http://www.mybakn-online.com, http://www.my-bank-online.com, http://www.mybank-online.org, http://www.mybank.com, http://www.mybank.co.uk etc. In step 30 different trust levels are assigned to the generated derivatives 60 and the requested network address (URL) 50: http://www.mybakn-online.com: trust level 0 (non-existent));
receiving, by the processor, a communication request at a gateway server of the computer network (Para [0067, 0068], the method is performed within a proxy server, within a browser or within a Domain Name System (DNS) server of a computer system);
determining, by the processor, a destination address of the communication request (Para [0067, 0030], a further embodiment of the invention the method is performed within a proxy server, within a browser or within a Domain Name System (DNS) server of a computer system …there is presented a method for accessing a network address);
(Para [0034], comparing the trust levels of the derivatives with the trust level of the requested network address); and
when the determined destination address is the same as at least one address permutation, blocking the communication request at the gateway server (Para [0096], if the requested network address 50 is not trustworthy, the trust level of the requested network address 50 will be relatively low compared to the trust level of the generated derivatives 60. In this case, the response could indicate that the requested network address 50 is untrustworthy).  

Regarding Claim 2:  Pietraszek teaches the method of claim 1. 
Pietraszek further teaches further comprising comparing, by the processor, the at least one address permutation with a list of predetermined phishing addresses in a database coupled to the processor (Para [0095], all the generated derivatives 60 as well as the requested network address 50 are checked for trustworthiness by means of a set of properties of the requested network address 50 and the generated derivatives 60.).

Regarding Claim 4: Pietraszek teaches the method of claim 1. 
Pietraszek further teaches wherein the destination address is at least one of an email address and a website address (Para [0007], The message will typically be an unsolicited email containing a fictive story urging the user to disclose sensitive information, e.g. to validate its bank account or credit card information. This message contains a link that appears trustworthy, i.e., appears to point to a trustworthy website, but will in fact point to an attacker-controlled website).

Regarding Claim 5: Pietraszek teaches the method of claim 1. 
(Para [0098-0110], In step 20 the evaluation software of the browser 3 generates a set of similar derivatives 60 comprising as an example the URLs
http://www.mybakn-online.com, http://www.my-bank-online.com, http://www.mybank-online.org, http://www.mybank.com, http://www.mybank.co.uk etc. In step 30 different trust levels are assigned to the generated derivatives 60 and the requested network address (URL) 50: http://www.mybakn-online.com: trust level 0 (non-existent)).

Regarding Claim 6: Pietraszek teaches the method of claim 1. 
Pietraszek further teaches further comprising calculating a phishing attempt probability rank, wherein the phishing attempt probability rank is calculated based on at least one of: visual design code, popularity of the website, validity of SSL certifications and address availability (Para [0095], The trust level assignment is preferably based on at least a first property and a second property of the generated derivatives 60 and the requested network address 50. Such properties could be the validity, the page rank, the host location, the creation date, and/or the character set of the requested network address 50 and the derivatives 60. As another property it could be checked if the requested network address 50 and the derivatives 60 belong to a whitelist with trusted network addresses and/or to a blacklist with untrusted network addresses.).

Regarding Claim 7: Pietraszek teaches the method of claim 6. 
Pietraszek further teaches further comprising blocking the communication request at the gateway server when the calculated phishing attempt probability rank exceeds a predetermined threshold (Para [0095], Preferably the properties of the network addresses 50 and the derivatives 60 are given different relevance by means of weighing coefficients. The trust level assignment is then based on a weighed combination of the used properties of the network addresses. As an example, if the requested network address 50 or one of the derivatives 60 belongs to a blacklist, this will have a very high impact on the trust level, i.e. the trust level will be generally zero).

Regarding Claim 8:  Pietraszek teaches a system for blocking phishing attempts in a computer network with at least one gateway server, the system comprising (Para [0079, 0037, 0067], This method allows to improve the security of computer systems in a reliable and efficient way… An efficient and reliable method against phishing attacks… a further embodiment of the invention the method is performed within a proxy server, within a browser or within a Domain Name System (DNS) server of a computer system):
a processor, in communication with the at least one gateway server, wherein the processor is configured to (Para [0073-0074], According to another aspect of the present invention, there is presented a method for deploying computing infrastructure, comprising integrating computer readable code into a computer system, wherein the code in combination with the computer system is capable of performing the following: requesting a network address):
receive a list of assets of the computer network, wherein each asset is associated with at least one computer network address (Para [0080, 0081] The computer system… compiling a list of network addresses accessed by the business entity);
generate at least one address permutation on the at least one computer network address of each asset of the computer network, wherein the generated at least one address permutation is different from the address associated with each asset of the computer network (Para [0082, 0098-110], generating derivatives of the accessed network addresses.. In step 20 the evaluation software of the browser 3 generates a set of similar derivatives 60 comprising as an example the URLs http://www.mybakn-online.com, http://www.my-bank-online.com, http://www.mybank-online.org, http://www.mybank.com, http://www.mybank.co.uk etc. In step 30 different trust levels are assigned to the generated derivatives 60 and the requested network address (URL) 50: http://www.mybakn-online.com: trust level 0 (non-existent));
receive a communication request at the gateway server (Para [0067, 0068], the method is performed within a proxy server, within a browser or within a Domain Name System (DNS) server of a computer system);
determine a destination address of the communication request (Para [0030], there is presented a method for accessing a network address);
compare the determined destination address with the at least one address permutation (Para [0034], comparing the trust levels of the derivatives with the trust level of the requested network address); and
when the determined destination address is the same as at least one address permutation, block the communication request at the gateway server (Para [0096], if the requested network address 50 is not trustworthy, the trust level of the requested network address 50 will be relatively low compared to the trust level of the generated derivatives 60. In this case, the response could indicate that the requested network address 50 is untrustworthy).

Regarding Claim 9: Pietraszek teaches the system of claim 8. 
Regarding claim 9, claim 9 is a system claim that recites similar limitation as the method claim 4 and claim 9 is rejected based on the same rational as claim 4.

Regarding Claim 11: Pietraszek teaches the system of claim 8. 
(Para [0098-0110], generating derivatives of the accessed network addresses… In step 20 the evaluation software of the browser 3 generates a set of similar derivatives 60 comprising as an example the URLs http://www.mybakn-online.com, http://www.my-bank-online.com, http://www.mybank-online.org, http://www.mybank.com, http://www.mybank.co.uk etc. In step 30 different trust levels are assigned to the generated derivatives 60 and the requested network address (URL) 50: http://www.mybakn-online.com: trust level 0 (non-existent)).

Regarding Claim 12: Pietraszek teaches the system of claim 8. 
Pietraszek further teaches wherein the processor is configured to determine the origin of the communication request (Para [0066], If the received network address is trustworthy, the trust level of the received network address will be relatively high compared to the trust level of the generated derivatives. In this case, the response would comprise the received network address or the content of the received network address, e.g. a requested webpage).

Regarding Claim 13: Pietraszek teaches the system of claim 8. 
Pietraszek further teaches wherein the processor is configured to calculate a phishing attempt probability rank, wherein the phishing attempt probability rank is calculated based on at least one of: visual design code, popularity of the website, validity of SSL certifications and address availability (Para [0095], The trust level assignment is preferably based on at least a first property and a second property of the generated derivatives 60 and the requested network address 50. Such properties could be the validity, the page rank, the host location, the creation date, and/or the character set of the requested network address 50 and the derivatives 60. As another property it could be checked if the requested network address 50 and the derivatives 60 belong to a whitelist with trusted network addresses and/or to a blacklist with untrusted network addresses).

Regarding Claim 14: Pietraszek teaches the system of claim 13. 
Pietraszek further teaches wherein the processor is configured to block the communication request at the gateway server when the calculated phishing rank exceeds a predetermined threshold (Para [0095], Preferably the properties of the network addresses 50 and the derivatives 60 are given different relevance by means of weighing coefficients. The trust level assignment is then based on a weighed combination of the used properties of the network addresses. As an example, if the requested network address 50 or one of the derivatives 60 belongs to a blacklist, this will have a very high impact on the trust level, i.e. the trust level will be generally zero).

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


s 3 and 10 are rejected under 35 U.S.C. 103 as being unpatentable over PIETRASZEK et. al. (US 20090094677 A1), hereinafter referred to as Pietraszek, HUBBARD et. al (US 20080133540 A1), hereinafter referred to as Hubbard. 

Regarding Claim 3: Pietraszek teaches the method of claim 1. 
Pietraszek teaches when an address determined as phishing address to be added to the database (Para [0086], Once dangerous or untrustworthy network addresses have been detected, they can be put on a blacklist and the employees can be warned…. the computer-implemented method further comprises developing a context history database containing the extracted information and phishing and/or non-phishing label for each received email configured to determining a new email as a phishing email or non-phishing email based on similarity between the new email and information in the context history database).
Pietraszek fails to teach the address comprises an invalid SSL certification.
However, Hubbard teaches wherein an address is determined as a phishing address to be added to the database when the address comprises an invalid SSL certification (Fig 12, Para [0076, 0087, 0101] the policy module 142 may be configured to block access to URLs with low scores (e.g., indicative of poor reputation or higher likelihood of active or other targeted content) where the applicable policy might otherwise allow access to the URL... the content scoring module 330 bases the score at least partly on a reputation score generated by the reputation scoring module 331. In one embodiment, the reputation scoring module 331 may be configured to associate a score with a URL based on information about the URL... The database management collection module 190 may also include a gateway server access module 210. The gateway server access module is a software component or program that may be configured to regularly access the logging database 144 on the gateway server module 120 to download/upload all of the newly uncategorized web content identified by the logging database 144…whether search engine results exist for the URL or the URL host, certificate details associated with the URL (e.g., for secure (such as HTTPS) access schemes)).

Given the teachings as a whole, it would have been obvious to one of ordinary skills in the art before the effective filing date of the claimed invention to specify an SSL certificate as suggested by Hubbard with the invention of Pietraszek in order to determine whether the SSL certificate of a website is illegitimate and add the address in the database. Hubbard teaches that a low scoring URL and associated certificates can be predicted unreliable and recognized as a phishing website. (See Hubbard, Fig 12, Para [0076, 0087, 0101]). 

Regarding Claim 10: Pietraszek teaches the system of claim 8, further comprising a database, in communication with the processor and comprising a list of predetermined phishing addresses, and wherein the processor is 19WO 2019/123455PCT/IL2018/051369 configured to determine an address as a phishing address to be added to the database (Para [0086], Once dangerous or untrustworthy network addresses have been detected, they can be put on a blacklist and the employees can be warned…. the computer-implemented method further comprises developing a context history database containing the extracted information and phishing and/or non-phishing label for each received email configured to determining a new email as a phishing email or non-phishing email based on similarity between the new email and information in the context history database).
Pietraszek fails to teach the address comprises an invalid SSL certification.
However, Hubbard teaches in communication with the processor and comprising a list of predetermined phishing addresses, and wherein the processor is 19configured to determine an address as a phishing address to be added to the database when the address comprises an invalid SSL certification. (Fig 12, Para [0076, 0087, 0101] the policy module 142 may be configured to block access to URLs with low scores (e.g., indicative of poor reputation or higher likelihood of active or other targeted content) where the applicable policy might otherwise allow access to the URL... the content scoring module 330 bases the score at least partly on a reputation score generated by the reputation scoring module 331. In one embodiment, the reputation scoring module 331 may be configured to associate a score with a URL based on information about the URL... The database management collection module 190 may also include a gateway server access module 210. The gateway server access module is a software component or program that may be configured to regularly access the logging database 144 on the gateway server module 120 to download/upload all of the newly uncategorized web content identified by the logging database 144…whether search engine results exist for the URL or the URL host, certificate details associated with the URL (e.g., for secure (such as HTTPS) access schemes)).

Claims 15, 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over PIETRASZEK et. al. (US 20090094677 A1), hereinafter referred to as Pietraszek, FORD et. al. (US 20090064325 A1), hereinafter referred to as Ford. 

Regarding Claim 15: Pietraszek teaches A method of determining phishing attempts in a computer network, the method comprising (Para [0037], it is an efficient and reliable method against phishing attacks):
receiving, by a processor, a list of assets of the computer network, wherein each asset is associated with at least one computer network address (Para [0080, 0081] The computer system… compiling a list of network addresses accessed by the business entity);
generating, by the processor, at least one address permutation on the at least one computer network address of each asset of the computer network, wherein the generated at least one address permutation is different from the address associated with each asset of the computer network (Para [0082, 0098-110], generating derivatives of the accessed network addresses… In step 20 the evaluation software of the browser 3 generates a set of similar derivatives 60 comprising as an example the URLs http://www.mybakn-online.com, http://www.my-bank-online.com, http://www.mybank-online.org, http://www.mybank.com, http://www.mybank.co.uk etc. In step 30 different trust levels are assigned to the generated derivatives 60 and the requested network address (URL) 50: http://www.mybakn-online.com: trust level 0 (non-existent));
receiving, by the processor, a communication request at a gateway server of the computer network (Para [0067, 0068], the method is performed within a proxy server, within a browser or within a Domain Name System (DNS) server of a computer system);
determining, by the processor, a destination address of the communication request (Para [0067, 0030], a further embodiment of the invention the method is performed within a proxy server, within a browser or within a Domain Name System (DNS) server of a computer system …there is presented a method for accessing a network address);
Pietraszek fails to teach obtaining at least one IP address corresponding to the generated at least one address permutation;
and when the obtained at least one IP address is associated with a phishing address, determining that the destination address is associated with a phishing address.
However, Ford teaches obtaining at least one IP address corresponding to the generated at least one address permutation (Para [009], a method includes determining whether new phishing site identifiers (such as, but not limited to, URLs and/or IP addresses) have been created);
and when the obtained at least one IP address is associated with a phishing address, determining that the destination address is associated with a phishing address (Fig 3, Para [0048-0055], a phishing notification is provided that the user was successfully phished in the past, i.e., provided critical values to a known phishing site. Illustratively, the phishing notification includes one or more of the following notifications: (1) the date and/or time when the critical values were provided to the phishing site; (2) the critical values provided to the phishing site; (3) the site identifier, e.g., the URL and/or IP address, of the phishing site; (4) the name of the phishing site).
Given the teachings as a whole, it would have been obvious to one of ordinary skills in the art before the effective filing date of the claimed invention to specify an IP address as suggested by Ford with the invention of Pietraszek in order to verify the validity of the address and determine if the address is a phishing address or not (See Ford, Para [009, 0048-0055]. 

Regarding Claim 17: The combination of Pietraszek and Ford teaches the method of claim 15. 
Pietraszek further teaches wherein the destination address comprises at least one of email address and website address (Para [007], The message will typically be an unsolicited email containing a fictive story urging the user to disclose sensitive information, e.g. to validate its bank account or credit card information. This message contains a link that appears trustworthy, i.e., appears to point to a trustworthy website, but will in fact point to an attacker-controlled website).

Regarding Claim 18: The combination of Pietraszek and Ford teaches the method of claim 15. 
Pietraszek further teaches wherein generation of the address permutation comprises at least one of homoglyph generation, character repetition, character omission, typographical error, context similarity, bit squatting and address suffix permutation (Para [0098-0110], generating derivatives of the accessed network addresses… In step 20 the evaluation software of the browser 3 generates a set of similar derivatives 60 comprising as an example the URLs http://www.mybakn-online.com, http://www.my-bank-online.com, http://www.mybank-online.org, http://www.mybank.com, http://www.mybank.co.uk etc. In step 30 different trust levels are assigned to the generated derivatives 60 and the requested network address (URL) 50: http://www.mybakn-online.com: trust level 0 (non-existent)).

Regarding Claim 19: The combination of Pietraszek and Ford teaches the method of claim 15. 
Pietraszek further teaches further comprising determining the origin of the communication request (Para [0066], If the received network address is trustworthy, the trust level of the received network address will be relatively high compared to the trust level of the generated derivatives. In this case, the response would comprise the received network address or the content of the received network address, e.g. a requested webpage).

Regarding Claim 20: The combination of Pietraszek and Ford teaches the method of claim 15. 
Pietraszek further teaches further comprising calculating a phishing attempt probability rank, wherein the phishing rank is calculated based on at least one of: visual design code, popularity of the website, validity of SSL certifications and address availability (Para [0095], The trust level assignment is preferably based on at least a first property and a second property of the generated derivatives 60 and the requested network address 50. Such properties could be the validity, the page rank, the host location, the creation date, and/or the character set of the requested network address 50 and the derivatives 60. As another property it could be checked if the requested network address 50 and the derivatives 60 belong to a whitelist with trusted network addresses and/or to a blacklist with untrusted network addresses).

Claims 16 is rejected under 35 U.S.C. 103 as being unpatentable over PIETRASZEK et. al. (US 20090094677 A1), hereinafter referred to as Pietraszek, FORD et. al. (US 20090064325 A1), hereinafter referred to as Ford, HUBBARD et. al (US 20080133540 A1), hereinafter referred to as Hubbard. 

Regarding Claim 16: The combination of Pietraszek and Ford teaches the method of claim 15. 

However, Hubbard teaches wherein an address is determined as a phishing address when the address comprises an invalid SSL certification (Fig 12, Para [0076, 0087, 0101] the policy module 142 may be configured to block access to URLs with low scores (e.g., indicative of poor reputation or higher likelihood of active or other targeted content) where the applicable policy might otherwise allow access to the URL... the content scoring module 330 bases the score at least partly on a reputation score generated by the reputation scoring module 331. In one embodiment, the reputation scoring module 331 may be configured to associate a score with a URL based on information about the URL... The database management collection module 190 may also include a gateway server access module 210. The gateway server access module is a software component or program that may be configured to regularly access the logging database 144 on the gateway server module 120 to download/upload all of the newly uncategorized web content identified by the logging database 144…whether search engine results exist for the URL or the URL host, certificate details associated with the URL (e.g., for secure (such as HTTPS) access schemes)).

Given the teachings as a whole, it would have been obvious to one of ordinary skills in the art before the effective filing date of the claimed invention to specify an SSL certificate as suggested by Hubbard with the inventions of Pietraszek and Ford in order to determine whether the SSL certificate of a website is illegitimate and add the address in the database (See Hubbard, Fig 12, Para [0076, 0087, 0101]). 

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MUHAMMED JAMIL RAHMAN whose telephone number is (571)272-2272. The examiner can normally be reached M-F 7:30am-5:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ELENI SHIFERAW can be reached on (571) 272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/MUHAMMED JAMIL RAHMAN/Examiner, Art Unit 2497
/ELENI A SHIFERAW/Supervisory Patent Examiner, Art Unit 2497