DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

	Amended claims as submitted on 12/14/21 were considered.  Any objections and/or rejections not repeated for record below were withdrawn due to applicant’s amendments.

Response to Arguments
	Applicant’s arguments made with respect to the amended claims submitted on 12/14/21 were fully considered.   Only arguments which have not been rendered moot in view of new rejections made below, which in turn were made in response to applicant’s amendments, will be addressed in this section.
	With respect to claims 19 and 20, applicant argues Zhu does not teach the new limitation that the one or more network resource identifiers are received from a database.  The examiner disagrees.  
Previously cited paragraphs 26-27 show URLs, i.e. network resource identifiers, being received from a search engine.  Whatever search result the search engine uses to store the URLs to then provide to the client/server computers can be considered a database, as in its simplest form a database is just something that stores data that can be accessed.  Alternatively, paragraphs 19-20 of Zhu explicitly disclose URLs being collected and stored in Internet sources such as search engines or databases.  Once 


Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 12-18 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.

Claim 12 recites “The device”, which lacks antecedent basis.  It is assumed “The device” should be “A device”.
Claims 13-18 are rejected due to dependency on claim 12.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –




(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim(s) 19-20 is/are rejected under 35 U.S.C. 102(a)(1) and (a)(2) as being anticipated by Zhu et al (US 2012/0158626).
Claims 19 and 20:
	As per claim 19, Zhu discloses a method of determining whether one or more network resources are phishing threats, each one or more network resources having an associated network resource identifier (paragraphs 26-28 and 46; URL), the method using a pre-defined statistical model to determine whether a network resource is a potential phishing threat based on features extracted from the network resource identifier (paragraphs 57, 63-66 and 68; Several pre-defined statistical models are used, including phishing SLD hit ratio and phish link ratio), the method comprising:
Receiving, from a database, one or more network resource identifiers (paragraphs 19-22 and 26-27; URLs are stored by either a search engine or database.  Note wherever the search engine stores the search results can also be considered a database.  URLs are accessed by a client or a system employing machine learning and in accessing, they receive the URLs from the search engine/database);
extracting one or more features from each one or more network resource identifier (paragraphs 21-22, 27, 46, and 48);
applying the pre-defined statistical model to the extracted one or more features (paragraphs 57 and 63-66); and
for each network resource identifier, classifying the associated network resource as a phishing threat if the output of the pre-defined statistical model, when applied to the extracted one or more features, determines that the network resource is a potential phishing threat (paragraphs 28, 56-57, and 63-66).
The rejection of claim 19 applies, mutatis mutandis, to claim 20.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Zhu et al (US 2012/0158626) in view of Klein et al (US 2008/0147837).

Claims 1 and 12:
	As per claim 1, Zhu discloses:
The method using a pre-defined statistical model to determine whether a network resource is a potential phishing threat based on features extracted from a network resource identifier for the network resource (paragraphs 57, 63-66 and 68; Several pre-defined statistical models are used, including phishing SLD hit ratio and phish link ratio).
Receiving a request to access a network resource (paragraphs 19-22 and 26-27; URLs are stored by either a search engine or database.  Note wherever the search engine stores the search results can also be considered a database.  URLs are accessed by a client or a system employing machine learning and in accessing, they receive the URLs from the search engine/database).
Determining, from the request, a network resource identifier (paragraphs 20-22, 27 and 46; URL).
Extracting one or more features from the network resource identifier (paragraphs 20-22, 27, 46, and 48).
Applying the pre-defined statistical model to the extracted one or more features (paragraphs 21-22, 57, 63-66, and 68).
Classifying the network resource as a phishing threat if the output of the pre-defined statistical model, when applied to the extracted one or more features, determines that the network resource is a potential phishing threat (paragraphs 21-24, 28, 56-57, and 63-66).
Responding, in response to determining that the network resource is a potential phishing threat, to the request (paragraphs 109-110; Responds by blocking phishing URL or warns of phishing attempt at URL).

Zhu does not disclose, but Klein discloses, the responding…to the request with one of an invalid IP address and a benign IP address (paragraphs 45, 49, and 62-63).  Before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to modify Zhu’s invention such that KSR Int'l Co. v. Teleflex, Inc., 550 U.S. 398 (2007).  In this case, both references block access to phishing attempts, but they differ in how the block is done, and it doesn’t matter if one does so using Zhu’s or Klein’s method.  The result is the phishing attempt by an invalid URL is still blocked.

The rejection of claim 1 applies, mutatis mutandis, to claim 12.

Claim 2:
	Zhu further discloses preventing access to the network resource if it is classified as a phishing threat (paragraphs 28 and 109; User is prevented from visiting the malicious URL).

Claim 3:
	Zhu further discloses wherein the step of extracting one or more features from the network resource identifier comprises extracting features from a FQDN portion of the network resource identifier (paragraph 46; The full exemplary URL shown in paragraph 46 is the FQDN of the URL and consists of several portions which are extracted such as the domain name and path).

Claim 4:
ASN used to get information/features from registers and service providers, which are then used for the statistical analysis, thus the features used in the statistical analysis are indirectly obtained/extracted).



Claims 5 and 6:
	Zhu further discloses wherein the pre-defined statistical model is applied to a set of at least three/five features extracted from the network resource identifier (paragraphs 43, 46, 48, and 62; As discussed in paragraph 43, any combination of extracted features can be used to determine if a URL is malicious/associated with phishing.  In the examples given in the other paragraphs cited, at least 3-5 features are extracted).

Claim 13:
	Zhu further discloses an output interface for forwarding or responding to the request to access the network resource, the device configured only to forward or respond to the request in the case where the network resource is not classified as a phishing threat (paragraphs 28 and 109-110; Block URL if malicious/phishing URL and present/forward to user if URL is benign/valid).

Claims 7 and 14:

the maximum Kullback-Leibler (KL) divergence of each of the subdomains in the FQDN; and a geographical lookup based on the IP address(es) to which the FQDN resolves (paragraphs 46, 48, and 58; Stripped keywords in the FQDN as disclosed in paragraphs 46 and 48 are the tokens extracted from the full URL, and existence of a selected keyword in the FQDN reads on brand names that are extracted from the URL).

The rejection of claim 7 applies, mutatis mutandis, to claim 14.

Claims 8 and 15:
	As per claim 8, Zhu further discloses wherein the pre-defined statistical model determines the probability that a network resource is a phishing threat and determines that the network resource is a potential phishing threat when probability exceeds a predetermined threshold (paragraphs 57 and 63-66; For example a phishing SLD hit ratio is a threshold where if met or exceeded indicates a phishing threat).
The rejection of claim 8 applies, mutatis mutandis, to claim 15.

Claims 9 and 16:
	As per claim 9, Zhu further discloses the method according to claim 1 implemented in an HTTP proxy, wherein the received request for a network resource is an HTTP request, wherein in the case when the requested network resource is determined to be a potential phishing threat, the HTTP proxy is instructed to block the HTTP request (paragraph 27 and Fig 2; A URL is sent from a search engine for analysis.  A URL is based on the http protocol, thus the system which does the analysis for the search engine is an HTTP proxy).
The rejection of claim 9 applies, mutatis mutandis, to claim 16.

Claims 10 and 17:
	As per claim 10, Zhu further discloses the method according to claim 1, implemented in a DNS server, the received request for a network resource being a DNS lookup, wherein in the case when a network resource is determined to be a potential phishing threat, the DNS server is instructed to block the DNS lookup (paragraphs 78, 87, 103, and 109).
The rejection of claim 10 applies, mutatis mutandis, to claim 17.

Claims 11 and 18:
	As per claim 11, Zhu further discloses the method according to claim 1, implemented in an end user device, wherein in the case when a network resource is 
The rejection of claim 11 applies, mutatis mutandis, to claim 18.


	
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to PONNOREAY PICH whose telephone number is (571)272-7962. The examiner can normally be reached M-F 9am-5pm EST.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr, can be reached on 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/PONNOREAY PICH/Primary Examiner, Art Unit 2495