DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Arguments
Applicant’s remarks filed 02/25/2022 have been fully considered.
Regarding claim[s] 1, 8, 13, 19 under the anticipatory rejections, applicant’s remarks are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument. Therefore, see the office action below.
Regarding claim[s] 2 – 7, 9 – 12, 14 – 18, 20 under the various obviousness rejections, applicant’s remarks are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument. Therefore, see the office action below. 
The examiner will address all other remarks that do not concern the prior art rejections, if any, in the office action below. 
Response to Amendment
Status of the instant application:
Claim[s] 1 – 20 are pending in the instant application. 
Regarding claim[s] 1, 8, 13, 19 under the anticipatory rejections, applicant’s claim amendments have been inspected; therefore, the rejections are withdrawn. However, there are new prior art rejections to address applicant’s newly added claim amendments in the office action below.
Regarding claim[s] 2 – 7, 9 – 12, 14 – 18, 20 under the various obviousness rejections, applicant’s claim amendments have been inspected; therefore, the rejections are withdrawn. However, there are new prior art rejections to address applicant’s newly added claim amendments in the office action below.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim[s] 1, 8, 13, 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Feng et al. [US PGPUB # 2010/0313266] in view of Neystadt et al. [US PGPUB # 2008/0244742]
As per claim 1. Feng does teach a computer system for detecting malicious software [Feng, paragraph: 0001], the computer system comprising: 
one or more computer-readable storage devices including computer executable instructions [Feng, paragraph: 0033, lines 20 – 27, instructions 624, main memory 604 and processor 602 also may include computer readable media]; and 
one or more processors configured to execute the computer executable instructions to cause the computer system [Feng, Figure # 6 and paragraph: 0031, lines 1 – 5, the computer system 600 can include a set of instructions that can be executed to cause the computer system to perform any one or more of the methods or computer based functions disclosed herein] to: 
access connection records that include respective locational references to computerized resources external to a local network which computerized devices within the local network have accessed or attempted to access [Feng, Figure # 5, and paragraph: 0024, lines 1 – 9, Figure # 5 is a flow diagram illustrating yet another method of identifying a possible phishing site. At 502, the system can identify a URL [i.e. applicant’s location references] within a document. The document [i.e. applicant’s connection record] can be a part of a stored file [i.e. applicant’s connection record] or a message [i.e. applicant’s connection record] transferred between devices]; and 
perform one or more filtering operations on the connection records, wherein the one or more filtering operations [Feng, paragraph: 0027, lines 9 – 17, In yet another embodiment, the system can use a model to determine similarity. The model can be developed through machine learning techniques, through analysis of previously identified phishing domain names, through mining the web [i.e. applicant’s filtering operation], and through analysis of web logs [i.e. applicant’s filtering operation]. For example, a machine learning technique may identify text patterns within known phishing domain names or typical substitutions used by phishing sites to create domain names that are successful ] include: 
parsing the respective locational references associated with the connection records to identify domain names [Feng, Figure # 5, paragraph: 0024, lines 1 – 2, At 504, the system can parse the URL into a domain name and a path, and optionally, a set of parameters]; and 
for each of the identified domain names, based on a determination that the identified domain name is not included in the set of recently accessed [Feng, paragraph: 0027, lines 9 – 17, In yet another embodiment, the system can use a model to determine the similarity. The model can be developed through machine learning techniques, through analysis of previously identified phishing domain names, through mining the web, and through analysis of web logs [i.e. applicant’s identified domain name not included in a set]. For example, a machine learning technique may identify text patterns within known phishing domain names or typical substitutions used by phishing sites to create domain names that are successful at deceiving users [i.e. applicant’s….. recently accessed].] domain names [Feng, Figure # 5, and paragraph: 0025, lines 2 – 4, at 506, the system can compare the domain name of the URL to a set of trusted domain names and a set of known phishing sites], identifying connection records associated with the identified domain name to be in a first subset of connection records, wherein the identified domain names associated with the first subset of the connection records are identified as more likely to be malicious [Feng, Figure # 5, and paragraph: 0026, lines 14 – 20, Alternatively, when the domain name does not match any of the trusted domain names, as illustrated at 512, the system can determine if the domain name[s] [i.e. applicant’s first subset of the connection records…..identified as more likely to be malicious] matches a known phishing sites.] than domain names associated with connection records not included in the first subset of connection record [Feng, Figure # 5, and paragraph: 0026, lines 11 – 14, at 508, the system can determine if the domain name matches a trusted domain name [i.e. applicant’s connection records not included in the first subset of connection records]. When the domain name matches a trusted domain name, the method can end as illustrated in at 510.].
Feng does not clearly teach access a set of recently accessed domain names, wherein the set of recently accessed domain names are determined based on a set of locational references in a set of communications involving the local network from a recent period of time, wherein domain names in communications outside of the recent period of time are not included in the set of recently accessed domain names. 
However, Neystadt does teach access a set of recently accessed domain names [paragraph: 0037, lines 7 – 12, For example: a firewall product generates one kind of security data 162 representing logs of attempts by client computing devices 130 to access Internet resources such as Web sites (such logs generally include records of uniform resource identifiers ("URIs") [i.e. applicant’s set of recently accessed domain names] associated with the resources);], wherein the set of recently accessed domain names are determined based on a set of locational references in a set of communications involving the local network from a recent period of time [paragraph: 0046, lines 1 – 14, A malware analyzer, which as noted above can be a standalone SE, or incorporated into an SE having anti-virus/malware detection capability, or incorporated into the reputation service, will analyze the firewall logs to identify, in a retroactive manner over some predetermined time window, those client computers or users in the ECE 102 that had any past communications with the newly categorized resource. That is, communications with a URI or IP address are examined which occurred in the past [i.e. applicant’s the set of recently accessed domain names are determined based on a set of locational references in a set of communications involving the local network from a recent period of time] before the reputation of that URI or IP address was changed. When there is an identified past communication that matches an entry on the list from the reputation service, a security assessment is launched into the CCC 160 which will identify the client computer as being suspected of being compromised.], wherein domain names in communications outside of the recent period of time are not included in the set of recently accessed domain names [paragraph: 0047, lines 6 – 21, These include a methodology where the firewall logs are retroactively analyzed responsively to an access of a particular resource that has been identified as malicious. This could occur, for example, when a first client accessed a web site a month ago [i.e. applicant’s domain names in communications outside of the recent period of time not included in…..], and a second client attempts to access the same site again today [i.e. applicant’s the set of recently accessed domain names]. In this example, it is assumed that a reputation service has flagged the site as when the second client accesses the site, a security assessment will be generated and some response may be taken to block access, etc. In addition, the firewall log is scanned to identify all past access to that particular URI or IP address by clients or users in the ECE 102 [i.e. applicant’s domain names in communications outside of the recent period of time not included in….] and if identified, additional security assessments will be generated and used to trigger responses by the SEs or SAE.].

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Feng and Neystadt in order for the analysis of web logs and previously visited and known phishing web sites containing potentially phishing URL’s and domain names of Feng to include security end point [SE] with assessment/assessment sharing mechanisms of Neystadt. This would allow monitoring/acquiring potential phishing URL’s and domain names from multiple different sources; aggregating such data from a variety of sources significantly enhances the quality of detection of such phishing URL’s and domain names. See paragraph: 0017, lines 9 – 20 of Neystadt.
As per claim 8. Feng does teach the computer system of Claim 1, wherein the one or more processors are configured to execute the computer executable instructions to further cause the computer system [Feng, Figure # 6 and paragraph: 0031, lines 1 – 5, the computer system 600 can include a set of instructions that can be executed to cause the computer system to perform any one or more of the methods or computer based functions disclosed herein] to:
transmit an indicator for display, the indicator indicating the identified domain names are likely to compromise security [Feng, Figure # 5, and paragraph: 0024, lines 1 – 9, Figure # 5 is a flow diagram illustrating yet another method of identifying a possible phishing site. At 502, the system can identify a URL within a document. The document can be a part of a stored file or a message transferred between devices].
As per computer implemented method claim[s] 13 that includes the same or similar claim limitations as computer system claim # 1, and is similarly rejected. 
***The examiner notes that applicant’s recited “one or more processors” and “computer executable instructions” appear at paragraph: 0033, lines 1 – 3, and paragraph: 0031, lines 1 – 5, respectively, of Feng.
As per computer implemented method claim[s] 19 that includes the same or similar claim limitations as computer system claim # 8, and is similarly rejected. 

Claim[s] 2, 3, 4, 14 - 16 is/are rejected under 35 U.S.C. 103 as being unpatentable over Feng et al. [US PGPUB # 2010/0313266] in view of Neystadt et al. [US PGPUB # 2008/0244742] as applied in the rejection of claim[s] 1 above, further in view of Robertson et al. [US PAT # 7752665]
As per claim 2. Feng and Neystadt do teach what is taught in the rejection of claim 1 above. 
Although Feng does teach domain names [Figure # 5, paragraph: 0024, lines 1 – 2, At 504, the system can parse the URL into a domain name], Feng and Neystadt do not clearly teach the computer system of Claim 1, wherein the one or more processors are configured to execute the computer executable instructions to further cause the computer system to:
score at least a portion of the first subset of connection records using a machine learning model incorporating a factor relating to the identified domain names; and
perform one or more additional filtering operations on the scored portion of the first subset of connection records to identify a second subset of the first subset of connection records.
However, Robertson does teach the computer system of Claim 1, wherein the one or more processors are configured to execute the computer executable instructions to further cause the computer system to:
score at least a portion of the first subset of connection records using a machine learning model incorporating a factor relating to the identified…………. [Robertson, Col. 7, lines 2 – 12, b. scoring [i.e. applicant’s score] each group [i.e. applicant’s first subset of connection records] based on the quantity of attack destinations; and c. generating an alert for each group whose score is greater than an empirically-derived threshold [i.e. applicant’s machine learning model]]; and
perform one or more additional filtering operations on the scored portion of the first subset of connection records to identify a second subset of the first subset of connection records [Robertson, Figure #2, and Col. 5, lines 60 – 67 and Col. 6, lines 1 – 4, following event classification 216, a suite of parameter-based event filtering operations 220 [i.e. applicant’s performing one or more additional filtering operations on scored portion of the first subset of connection..etc.] reduces the alert information. Filtering operations 220 may include: a. correlation, e.g., grouping source IP addresses that are considered sufficiently close to represent a common malicious entity; b. aggregation, e.g., grouping multiple probing sources into a common scanning or attacking source; c. cost-sensitive filtering, e.g., prioritizing alerts according to such criteria as severity of the attack, importance of the aspect of the network or data affected, and cost of preemptive action of connection session records [i.e. applicant’s connection records]].
It would have been obvious to one of ordinary skill in the art before the effective filing date of applicant's claimed invention to combine the teachings of Feng as modified and Robertson in order for the analysis of web logs and previously visited and known phishing web sites containing potentially phishing URL’s and domain names of Feng as modified to include using dynamic machine learning techniques for detection of phishing URL’s and domain names previously accessed/accessed between senders of messages/text messages of Robertson. This would allow collected data to be logged then analyzed by a malicious detection analysis system that adapts to changes in the phishing tactic patterns that are as of yet unknown. See col. 12, lines 45 – 49 of Robertson.
As per claim 3. Feng as modified does teach the computer system of Claim 2, wherein:
the one or more additional filtering operations identify, within the scored portion of the first subset of connection records, the second subset of the first subset of connection records associated with one or more locational references [Robertson, Figure #2, and Col. 5, lines 60 – 67 and Col. 6, lines 1 – 4, following event classification 216, a suite of parameter-based event filtering operations 220 [i.e. applicant’s performing one or more additional filtering operations on scored portion of the first subset of connection..etc.] reduces the alert information. Filtering operations 220 may include: a. correlation, e.g., grouping source IP addresses [i.e. applicant’s locational references] that are considered sufficiently close to represent a common malicious entity; b. aggregation, e.g., grouping multiple probing sources into a common scanning or attacking source; c. cost-sensitive filtering, e.g., prioritizing alerts according to such criteria as severity of the attack, importance of the aspect of the network or data affected, and cost of preemptive action of connection session records [i.e. applicant’s connection records]], and the second subset of the first subset of connection records are more likely to be malicious than [Feng, Figure # 5, and paragraph: 0026, lines 14 – 20, Alternatively, when the domain name does not match any of the trusted domain names, as illustrated at 512, the system can determine if the domain name[s] [i.e. applicant’s first subset of the connection records…..identified as more likely to be malicious] matches a known phishing sites.] identified domain names associated with connection records in the first subset of connection records that are not included in the second subset of the first subset of connection records [Feng, Figure # 5, and paragraph: 0026, lines 11 – 14, at 508, the system can determine if the domain name matches a trusted domain name [i.e. applicant’s connection records not included in the first subset of connection records]. When the domain name matches a trusted domain name, the method can end as illustrated in at 510.].
As per claim 4. Feng does teach the computer system of Claim 2, wherein the machine learning model incorporates a plurality of factors based on at least one of the one or more filtering operations [Feng, paragraph: 0027, lines 9 – 17, In yet another embodiment, the system can use a model to determine similarity. The model can be developed through machine learning techniques, through analysis of previously identified phishing domain names, through mining the web [i.e. applicant’s filtering operation], and through analysis of web logs [i.e. applicant’s filtering operation]. For example, a machine learning technique may identify text patterns within known phishing domain names or typical substitutions used by phishing sites to create domain names that are successful ].
As per computer implemented method claim 14, that includes the same or similar claim limitations as system claim 2, and is similarly rejected. 

As per computer implemented method claim 15, that includes the same or similar claim limitations as system claim 3, and is similarly rejected. 

As per computer implemented method claim 16 that includes the same or similar claim limitations as system claim 4, and is similarly rejected. 

Claim[s] 5, 17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Feng et al. [US PGPUB # 2010/0313266] in view of Neystadt et al. [US PGPUB # 2008/0244742] and Robertson et al. [US PAT # 7752665] as applied in the rejection to claim[s] 2 above, and further in view of Friedrichs et al. [US PGPUB # 2013/0139261]
As per claim 5. Feng and Neystadt and Robertson do teach what is taught in the rejection of claim 2 above. 
Feng and Neystadt and Robertson do not clearly teach the computer system of Claim 2, wherein the machine learning model comprises at least one of: a Support Vector Machine model, a Neural Network model, a Decision Tree model, a Naive Bayes model, or a Logistic Regression model.
However, Friedrichs does teach the computer system of Claim 2, wherein the machine learning model comprises at least one of: a Support Vector Machine model, a Neural Network model, a Decision Tree model, a Naive Bayes model, or a Logistic Regression model [paragraph: 0039].
It would have been obvious to one of ordinary skill in the art before the effective filing date of applicant's claimed invention to combine the teachings of Feng as modified and Friedrichs in order for the analysis of web logs and previously visited and known phishing web sites containing potentially phishing URL’s and domain names of Feng as modified to include detecting probes and scans of hosts by using conventional detection techniques in addition to contextual information web logs and website parameters of Friedrichs. This would allow for the detection of the scans and probes by scanning the suspected web site for malicious/phishing activity instead of the targeted host by a server using aggressive detection engines. See paragraph 0012, lines 1 – 5, and lines 16 – 20 of Friedrichs.
As per computer implemented method claim 17 that includes the same or similar claim limitations as system claim 5, and is similarly rejected. 

Claim[s] 12 is/are rejected under 35 U.S.C. 103 as being unpatentable over Feng et al. [US PGPUB # 2010/0313266] in view of Neystadt et al. [US PGPUB # 2008/0244742] as applied in the rejection of claim[s] 1 above, further in view of Kothapalli et al. [US PGPUB # 2014/0006439]
As per claim 12. Feng and Neystadt do teach what is taught in the rejection of claim 1 above. 
Feng and Neystadt do not teach clearly the computer system of Claim 1, wherein the one or more filtering operations include a filtering operation based on registration dates of the identified domain names.
However, Kothapalli does teach the computer system of Claim 1, wherein the one or more filtering operations include a filtering operation based on registration dates of the identified domain names [paragraph: 0042, lines 5 – 11, For example, user 104 may request, and Whois server 106 may search for, objects relating to the queried TLD, such as the domain name, the name server, the registrar, the registration date, the expiration date, and the status of the domain name.].
It would have been obvious to one of ordinary skill in the art before the effective filing date of applicant's claimed invention to combine the teachings of Feng as modified and Kothapalli in order for the analysis of web logs and previously visited and known phishing web sites containing potential phishing URL’s and domain names of Feng as modified to include ICANN [internet corporation for assigned names and .
Allowable Subject Matter
Claim[s] 6, 7, 9 – 11, 18, 20 contain allowable subject matter, but as allowable subject matter has been indicated, applicant's reply must either comply with all formal requirements or specifically traverse each requirement not complied with. See 37 CFR 1.111(b) and MPEP § 707.07(a).
Claim[s] 6, 7, 9 – 11, 18, 20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DANT SHAIFER - HARRIMAN whose telephone number is (571)272-7910. The examiner can normally be reached M - F: 9am to 5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand, can be reached on 571-272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/DANT B SHAIFER HARRIMAN/          Primary Examiner, Art Unit 2434