DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Status of Claims
Claims 1-20 are pending in this Office Action.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 04/22/2021 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Drawings
The drawings are objected to because elements in Figures 1, 2, 4-9, and 11 do not include numerical labels and Figures 4-9 are illegible. Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. The figure or figure number of an amended drawing should not be labeled as “amended.” If a drawing figure is to be canceled, the appropriate figure must be removed from the replacement sheet, and where necessary, the remaining figures must be renumbered and appropriate changes 

Claim Objections
Claim 4 is objected to because of the following informalities: Claim 4 improperly depends from itself. Appropriate correction is required.

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a)  IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same,  and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1-20 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement.  The claim(s) contains subject matter which was not described in the specification in such a MPEP 2161.01(I) and 2163.05(I)(3)(ii) give guidance. Generic claim language in the original disclosure does not satisfy the written description requirement if it fails to support the scope of the genus claimed. Ariad Pharms, Inc. v. Eli Lilly & Co., 598 F.3d 1336, 1350 (Fed. Cir. 2010)(en banc); Enzo Biochem, Inc. v. Gen-Probe, Inc., 323 F.3d 956, 968, 63 USPQ2d 1609, ___ (Fed. Cir. 2002) (holding that generic claim language appearing in ipsis verbis in the original specification did not satisfy the written description requirement because it failed to support the scope of the genus claimed); Fiers v. Revel, 984 F.2d 1164, 1170, 25 USPQ2d 1601, ___ (Fed. Cir. 1993) (rejecting the argument that “only similar language in the specification or original claims is necessary to satisfy the written description requirement”).
Even original claims may fail to satisfy the written description requirement when the invention is claimed and described in functional language but the specification does not sufficiently identify how the invention achieves the claimed function. Ariad, 598 F.3d at 1349 (“[A]n adequate written description of a claimed genus requires more than a generic statement of an invention’s boundaries.”) (citing Regents of the University of California v. Eli Lilly, 119 F.3d 1559, 1568). In Ariad, the court recognized the problem of using functional claim language without providing in the specification examples of species that achieve the claimed function:
“The problem is especially acute with genus claims that use functional language to define the boundaries of a claimed genus. In such a case, the functional claim may simply claim a desired result, and may do so without describing species that achieve that result. But the specification must demonstrate that the applicant has made a generic invention that achieves the claimed result and do so by showing that the applicant has invented species sufficient to support a claim to the functionally-defined genus.” Ariad, 598 F.3d at 1349.
The standard for description of computer-implemented functions is a description within the specification itself of the algorithm steps that are necessary to perform the claimed function. In re Hayes Microcomputer Prods., Inc. Patent Litigation, 982 F.2d 1527, 1533-34, 25 USPQ2d 1241, ___ (Fed. Cir. 1992). See also Aristocrat Technologies v. IGT, 521 F.3d 1328 (Fed. Cir. 2008). Specifically, if one skilled in the art would know how to program the disclosed computer to perform the necessary steps described in the specification to achieve the claimed function and the inventor was in possession of that knowledge, the written description requirement would be satisfied. Hayes, 982 F.2d at 1534.
Further, when a specification provides a single means of performing a function it does not entitle the inventor to all means of achieving the function. Lizardtech Inc. v. Earth Res. Mapping Inc., 424 F.3d 1336, 1346 (Fed. Cir. 2005). The written description requirement for a claimed genus may be satisfied through sufficient description of a representative number of species by actual reduction to practice (see MPEP 2163.05(I)(3)(i)(A)), reduction to drawings ((i)(B)), or by disclosure of relevant, identifying characteristics, i.e., structure or other physical and/or chemical properties, by functional characteristics coupled with a known or disclosed correlation between function and structure, or by a combination of such identifying characteristics, sufficient to show the Eli Lilly, 119 F.3d at 1568.
Thus it is clear what is required of computer-implemented functional claims: As Ariad stated, mere claim to the functionality, without more, is insufficient to meet the written description requirement. Hayes and Aristocrat teach that the applicant must provide at least a single means of achieving the function within the specification itself. That means the algorithm steps which achieve the function must be described in sufficient detail that one of ordinary skill in the art would reasonably conclude that the applicant had possession of the claimed subject matter. The applicant must provide at least a single set of algorithm steps which perform the function, but even then that only entitles the applicant to claim those steps, as a claim to the broader function without proof of the enlarged scope is insufficient under Lizardtech. Therefore, a claim to the functional result must include at least a single means, and then other means or some expanding principle sufficient to prove possession of the full scope.
In the instant case:
Examiner contends that Applicant does not even disclose a representative number of species (i.e., algorithms or steps/procedures) in the specification for the claimed genus for achieving the functionality “receive domain information maintained in a certificate transparency (CT) log for a set of domains; generate, using at least one model, classification prediction scores for each of the domains based on the received domain information, wherein a classification prediction score is a likelihood that a domain is a phishing domain; determine whether each generated classification prediction score meets a predetermined threshold; and generate a subset of the set of domains, the subset including the domains having a classification prediction score that meets the st rejection is proper.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Independent Claim(s):
Step 1: Statutory Category. Claim(s) 1-20 is/are directed to statutory category of subject matter. The claim(s) does/do fall within at least one of the four categories of patent eligible subject matter because the claim(s) is/are directed to either a process, machine, manufacture, or composition of matter.
Step 2A: Prong One. Judicial Exception. Claim(s) 1-20 is/are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial 
The independent claim(s) recites, in part, receive domain information maintained in a certificate transparency (CT) log for a set of domains; generate, using at least one model, classification prediction scores for each of the domains based on the received domain information, wherein a classification prediction score is a likelihood that a domain is a phishing domain; determine whether each generated classification prediction score meets a predetermined threshold; and generate a subset of the set of domains, the subset including the domains having a classification prediction score that meets the predetermined threshold, and 
Step 2A: Prong Two. Practical Application. Adding the words “apply it” (or an equivalent) with the judicial exception, or mere instructions to implement an abstract idea on a computer, or merely uses a computer as a tool to perform an abstract idea - see MPEP 2106.05(f). Adding insignificant extra-solution activity to the judicial exception - see MPEP 2106.05(g). Generally linking the use of the judicial exception to a particular technological environment or field of use – see MPEP 2106.05(h).
Step 2B: Additional Elements Significantly More Than the Judicial Exception. The independent claim(s) do/does not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements when considered both individually and as an ordered combination do not amount to significantly more than the abstract idea. The claim recites the additional limitations of a memory; and a processor in communication with the memory, the processor configured to: receive domain information maintained in a certificate transparency (CT) log for a set of domains; generate, using at least one model, classification prediction scores for each of the domains based on the received domain information, wherein a classification prediction score is a likelihood that a domain is a phishing domain; determine whether each generated classification prediction score meets a predetermined threshold; and generate a subset of the set of domains, the subset including the domains having a classification prediction score that meets the predetermined threshold, and wherein the domains in the subset are classified as phishing domains. The “memory” and “processor” are recited at a high level of generality 

Dependent Claim(s):
Step 1: Statutory Category. Claim(s) 2-13, 15-18, and 20 is/are directed to statutory category of subject matter. The claim(s) does/do fall within at least one of the four categories of patent eligible subject matter because the claim(s) is/are directed to either a process, machine, manufacture, or composition of matter.
Step 2A: Judicial Exception. Claim(s) 2-13, 15-18, and 20 is/are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more. The claim(s) are directed to abstract idea of receiving domain information maintained in a certificate transparency (CT) log for a set of domains; generate, using at least one model, classification prediction scores for each of the domains based on the received domain information, wherein a classification prediction score is a likelihood that a domain is a phishing domain; determine whether each generated classification prediction score meets a 
The dependent claim(s) recites, in part, Claim 2. The system for detecting phishing domains of claim 1, wherein domain information for the set of domains is further received from a pDNS system. Claim 3. The system for detecting phishing domains of claim 1, wherein historical domain data including domains determined to be phishing domains and domains determined to be benign domains is stored in the memory. Claim 4. The system for detecting phishing domains of claim 4, wherein the at least one model is trained based on the stored historical domain data. Claim 5. The system for detecting phishing domains of claim 1, wherein the at least one model is trained on certificate transparency (CT) log-based features. Claim 6. The system for detecting phishing domains of claim 5, wherein the certificate transparency (CT) log-based features include one or more of a lifetime of a domain, a mean, maximum, or minimum inter-arrival time between certificates of a domain, a mean, maximum, or minimum certificate duration of a domain, a quantity of uncertified gaps of a 
Step 2B: Additional Elements Significantly More Than the Judicial Exception. The dependent claim(s) do/does not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements when considered both individually and as an ordered combination do not amount to significantly more than the abstract idea. The claim recites the additional limitations of a memory; and a processor in communication with the memory, the processor configured to: Claim 2. The system for detecting phishing domains of claim 1, wherein domain information for the set of domains is further received from a pDNS system. Claim 3. The system for detecting phishing domains of claim 1, wherein historical domain data including domains determined to be phishing domains and domains determined to be benign domains is stored in the memory. Claim 4. The system for detecting phishing domains of claim 4, wherein the at least one model is trained based on the stored historical domain data. Claim 5. The system for detecting phishing domains of claim 1, wherein the at least one model is trained on certificate transparency (CT) log-based features. Claim 6. The system for detecting phishing domains of claim 5, wherein the certificate transparency (CT) log-based features include one or 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any 
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1, 5, 10, 12, and 14-19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Belenko, Andrey V. (Pub. No.: US 2021/0037006, hereinafter “Belenko”) in view of Stein et al. (Patent No.: US 10,104,113, hereinafter, “Stein”).
Claims 1, 14, 19. Belenko teaches:
A system for detecting phishing domains, the system comprising: – in paragraph [0003] (Aspects of the technology described herein use data in certificate transparency (CT) logs to identify security certificates that are likely to be used for phishing or brand violation.)
a memory; and a processor in communication with the memory, the processor configured to: – in paragraph [0031] (Some functions may be carried out by a processor executing instructions stored in memory.)
receive domain information maintained in a certificate transparency (CT) log for a set of domains; – in paragraph [0003] (Machine learning can be used to identify domain names in the CT logs that are visually similar to a brand name or to the name of the legitimate website, and yet, not actually associated with the brand.)

Belenko does not explicitly teach:
generate, using at least one model, classification prediction scores for each of the domains based on the received domain information, wherein a classification prediction score is a likelihood that a domain is a phishing domain; determine whether each generated classification prediction score meets a predetermined threshold; and generate a subset of the set of domains, the subset including the domains having a classification prediction score that meets the predetermined threshold, and wherein the domains in the subset are classified as phishing domains.
However, Stein teaches:
generate, using at least one model, classification prediction scores for each of the domains based on the received domain information, wherein a classification prediction score is a likelihood that a domain is a phishing domain; – on lines 31-36 in column 2, on lines 46-60 in column 2 (This type of malicious webpage is sometimes referred to as a “phishing” webpage. a two-step computer-implemented classification process determines whether a webpage is benign or malicious. A URL classifier may be programmed to extract URL features from a selected URL and determine a URL risk score for the selected URL based on an analysis of the URL features.)
determine whether each generated classification prediction score meets a predetermined threshold; and – on lines 46-60 in column 2 (If the URL risk score exceeds a threshold, a content classifier system may be programmed to extract content 
generate a subset of the set of domains, the subset including the domains having a classification prediction score that meets the predetermined threshold, and wherein the domains in the subset are classified as phishing domains. – on lines 46-60 in column 2 (The resulting maliciousness risk score and/or the classification of the URL may be sent to a reporting system that may store the results and/or generate a report regarding the results.)
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Belenko and Stein to include generate, using at least one model, classification prediction scores for each of the domains based on the received domain information, wherein a classification prediction score is a likelihood that a domain is a phishing domain; determine whether each generated classification prediction score meets a predetermined threshold; and generate a subset of the set of domains, the subset including the domains having a classification prediction score that meets the predetermined threshold, and wherein the domains in the subset are classified as phishing domains, as taught by Stein, on lines 28-29 in column 1, to provide a technique that is easier and less time-consuming to determine whether a webpage is benign or malicious.

Claim 5. Combination of Belenko and Stein teaches The system for detecting phishing domains of claim 1 – refer to the indicated claim for reference(s). 
Belenko teaches:
wherein the at least one model is trained on certificate transparency (CT) log-based features. – in paragraph [0014] (Machine learning can be used to identify domain names in the CT logs that are visually similar to a brand name or to the name of the legitimate website, and yet, not actually associated with the brand.)

Claim 10. Combination of Belenko and Stein teaches The system for detecting phishing domains of claim 1 – refer to the indicated claim for reference(s).
Belenko teaches:
wherein the at least one model is trained on certificate transparency (CT) log-based features, pDNS-based features, and lexical features. – in paragraph [0014] (Aspects of the technology described herein use data in certificate transparency (CT) logs to identify security certificates that are likely to be used for phishing or brand violation. Machine learning can be used to identify domain names in the CT logs that are visually similar to a brand name or to the name of the legitimate website, and yet, not actually associated with the brand. Many domain names are written in Unicode. Unicode has many advantages, but a downside is the many ways it allows letters to be spoofed. A common example is that an “r and n” can be made to look like an “m.” A computer reading the Unicode characters will register the r and n separately, but a person viewing the rendered “r and n” may see an “m.” Programs auditing the CT logs 

Claim 12. Combination of Belenko and Stein teaches The system for detecting phishing domains of claim 1 – refer to the indicated claim for reference(s).
Belenko teaches:
wherein the at least one model is trained by one or more machine learning algorithms in a group consisting of Random Forests (RF), Long Short Term Memory (LSTM), Gated Recurrent Unit (GRU), Convolutional Neural Network (CNN), MultiLayer Perceptron (MLP), XGboost, decision trees, and Support Vector Machine (SVM). – in paragraph [0051] (The neural network may include many more than three layers. Neural networks with more than one hidden layer may be called deep neural networks. Example neural networks that may be used with aspects of the technology described herein include, but are not limited to, multilayer perceptron (MLP) networks, convolutional neural networks (CNN), recursive neural networks, recurrent neural networks, and long short-term memory (LSTM) (which is a type of recursive neural network).)

Claim 15. Combination of Belenko and Stein teaches The method for detecting phishing domains of claim 14 – refer to the indicated claim for reference(s).

Stein further teaches:
wherein the classification prediction scores are generated prior to page content data becoming available for each domain in the set of domains. – on lines 46-60 in column 2 (The resulting maliciousness risk score and/or the classification of the URL may be sent to a reporting system that may store the results and/or generate a report regarding the results.)
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Belenko and Stein to include wherein the classification prediction scores are generated prior to page content data becoming available for each domain in the set of domains, as taught by Stein, on lines 28-29 in column 1, to provide a technique that is easier and less time-consuming to determine whether a webpage is benign or malicious.

Claim 16. Combination of Belenko and Stein teaches The method for detecting phishing domains of claim 14 – refer to the indicated claim for reference(s).

Stein further teaches:
further comprising receiving page content data of at least one domain of the set of domains subsequent to generating the subset of domains; and updating the subset of domains based on the received page content data. – on lines 46-60 in column 2 (The resulting maliciousness risk score and/or the classification of the URL may be sent to a reporting system that may store the results and/or generate a report regarding the results.)


Claim 17. Combination of Belenko and Stein teaches The method for detecting phishing domains of claim 14 – refer to the indicated claim for reference(s).

Stein further teaches:
further comprising training the at least one model with the updated subset of domains. – on lines 46-60 in column 2 (The resulting maliciousness risk score and/or the classification of the URL may be sent to a reporting system that may store the results and/or generate a report regarding the results.)
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Belenko and Stein to include further comprising training the at least one model with the updated subset of domains, as taught by Stein, on lines 28-29 in column 1, to provide a technique that is easier and less time-consuming to determine whether a webpage is benign or malicious.

Claim 18. Combination of Belenko and Stein teaches The method for detecting phishing domains of claim 14 – refer to the indicated claim for reference(s).

Stein further teaches:
further comprising removing domains from the set of domains for which a classification prediction score has been generated within a predefined amount of time prior to receiving the domain information. – on lines 46-60 in column 2 (The resulting maliciousness risk score and/or the classification of the URL may be sent to a reporting system that may store the results and/or generate a report regarding the results.)
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Belenko and Stein to include further comprising removing domains from the set of domains for which a classification prediction score has been generated within a predefined amount of time prior to receiving the domain information, as taught by Stein, on lines 28-29 in column 1, to provide a technique that is easier and less time-consuming to determine whether a webpage is benign or malicious.

Claim(s) 2, 8, and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Belenko, Andrey V. (Pub. No.: US 2021/0037006, hereinafter “Belenko”) in view of Stein et al. (Patent No.: US 10,104,113, hereinafter, “Stein”), and further in view of Antonakakis et al. (Pub. No.: US 2012/0042381, hereinafter, “Antonakakis”).
Claim 2. Combination of Belenko and Stein teaches The system for detecting phishing domains of claim 1 – refer to the indicated claim for reference(s).

Combination of Belenko and Stein does not explicitly teach:
wherein domain information for the set of domains is further received from a pDNS system.
However, Antonakakis teaches:
wherein domain information for the set of domains is further received from a pDNS system. – in paragraph [0014] (The reputation engine 130 may utilize the information stored in the pDNS database 125 to determine the reputation of new domain names.)
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Belenko and Stein with Antonakakis to include wherein domain information for the set of domains is further received from a pDNS system, as taught by Antonakakis, in abstract, to determine whether at least one domain is legitimate or malicious by obtaining passive DNS query information, using the passive DNS query information to measure statistical features of known malicious domain names and known legitimate domain names, and using the statistical features to determine at least one reputation for at least one new domain, where the reputation indicates whether the at least one new domain is likely to be for malicious or legitimate uses.

Claim 8. Combination of Belenko and Stein teaches The system for detecting phishing domains of claim 1 – refer to the indicated claim for reference(s).

Combination of Belenko and Stein does not explicitly teach:
wherein the at least one model is trained on pDNS-based features including one or both of a quantity of name servers where a domain had authoritative DNS records, and a quantity of administrative servers related to a domain.
However, Antonakakis teaches:
wherein the at least one model is trained on pDNS-based features including one or both of a quantity of name servers where a domain had authoritative DNS records, and a quantity of administrative servers related to a domain. – in paragraph [0014] (The reputation engine 130 may utilize the information stored in the pDNS database 125 to determine the reputation of new domain names.)
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Belenko and Stein with Antonakakis to include wherein the at least one model is trained on pDNS-based features including one or both of a quantity of name servers where a domain had authoritative DNS records, and a quantity of administrative servers related to a domain, as taught by Antonakakis, in abstract, to determine whether at least one domain is legitimate or malicious by obtaining passive DNS query information, using the passive DNS query information to measure statistical features of known malicious domain names and known legitimate domain names, and using the statistical features to determine at least one reputation for 

Claim 20. Combination of Belenko and Stein teaches The computer-readable, non-transitory medium of claim 19 – refer to the indicated claim for reference(s).  

Combination of Belenko and Stein does not explicitly teach:
wherein the domain information further includes information received from a pDNS system for the set of domains, and wherein the classification prediction scores are solely based on the domain information and lexical features extracted from each of the domains in the set of domains.
However, Antonakakis teaches:
wherein the domain information further includes information received from a pDNS system for the set of domains, and wherein the classification prediction scores are solely based on the domain information and lexical features extracted from each of the domains in the set of domains. – in paragraph [0014] (The reputation engine 130 may utilize the information stored in the pDNS database 125 to determine the reputation of new domain names.)
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Belenko and Stein with Antonakakis to include wherein the domain information further includes information received from a pDNS system for the set of domains, and wherein the classification prediction scores are solely based on the domain information and lexical features extracted from each of .

Claim(s) 3 and 4 is/are rejected under 35 U.S.C. 103 as being unpatentable over Belenko, Andrey V. (Pub. No.: US 2021/0037006, hereinafter “Belenko”) in view of Stein et al. (Patent No.: US 10,104,113, hereinafter, “Stein”), and further in view of Zhu et al. (Pub. No.: US 2012/0158626, hereinafter, “Zhu”).
Claim 3. Combination of Belenko and Stein teaches The system for detecting phishing domains of claim 1 – refer to the indicated claim for reference(s).  

Combination of Belenko and Stein does not explicitly teach:
wherein historical domain data including domains determined to be phishing domains and domains determined to be benign domains is stored in the memory.
However, Zhu teaches:
wherein historical domain data including domains determined to be phishing domains and domains determined to be benign domains is stored in the memory. – in paragraph [0102] (FIG. 5 depicts an exemplary process 500 that trains 
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Belenko and Stein with Zhu to include wherein historical domain data including domains determined to be phishing domains and domains determined to be benign domains is stored in the memory, as taught by Zhu, in paragraph [0003], to provide a technique which enables malicious URL detection to protect computing system hardware/software from computer viruses, prevent execution of malicious or unwanted software, and help avoid accessing malicious URLs web users do not want to visit.

Claim 4. Combination of Belenko and Stein teaches The system for detecting phishing domains of claim 4 – refer to the indicated claim for reference(s).  

Combination of Belenko and Stein does not explicitly teach:
wherein the at least one model is trained based on the stored historical domain data.
However, Zhu teaches:
wherein the at least one model is trained based on the stored historical domain data. – in paragraph [0102] (FIG. 5 depicts an exemplary process 500 that 
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Belenko and Stein with Zhu to include wherein the at least one model is trained based on the stored historical domain data, as taught by Zhu, in paragraph [0003], to provide a technique which enables malicious URL detection to protect computing system hardware/software from computer viruses, prevent execution of malicious or unwanted software, and help avoid accessing malicious URLs web users do not want to visit.

Claim(s) 6, 7, and 11 is/are rejected under 35 U.S.C. 103 as being unpatentable over Belenko, Andrey V. (Pub. No.: US 2021/0037006, hereinafter “Belenko”) in view of Stein et al. (Patent No.: US 10,104,113, hereinafter, “Stein”), and further in view of Nunes et al. (Pub. No.: US 2021/0203692, hereinafter, “Nunes”).
Claim 6. Combination of Belenko and Stein teaches The system for detecting phishing domains of claim 5 – refer to the indicated claim for reference(s).

Combination of Belenko and Stein does not explicitly teach:
wherein the certificate transparency (CT) log-based features include one or more of a lifetime of a domain, a mean, maximum, or minimum inter-arrival time between certificates of a domain, a mean, maximum, or minimum certificate duration of a domain, a quantity of uncertified gaps of a domain, a duration of time of the uncertified gaps of a domain, a quantity of distinct certificate issuers of a domain, a total quantity of certificates acquired by a domain, and an average length of all SAN lists associated with a domain.
However, Nunes teaches:
wherein the certificate transparency (CT) log-based features include one or more of a lifetime of a domain, a mean, maximum, or minimum inter-arrival time between certificates of a domain, a mean, maximum, or minimum certificate duration of a domain, a quantity of uncertified gaps of a domain, a duration of time of the uncertified gaps of a domain, a quantity of distinct certificate issuers of a domain, a total quantity of certificates acquired by a domain, and an average length of all SAN lists associated with a domain. – in paragraph [0123] (The certificate acquirer 1020 can thus access and parse fields 1110-1114 of the certificate 1102. In the example certificate 1102, the fields include an ID 1110, issuer info 112, subject info 1114, validity duration 1116, and a list of domains 1118. A record of all the certificates in use can be maintained by the certificate transparency logs, such as http://www.certificate-transparency.org/known-logs.)
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Belenko and Stein with Nunes to include wherein the certificate transparency (CT) log-based features include one or more of a 

Claim 7. The system for detecting phishing domains of claim 5 – refer to the indicated claim for reference(s).

Combination of Belenko and Stein does not explicitly teach:
wherein the certificate transparency (CT) log-based features include each of a lifetime of a domain, a mean, maximum, or minimum inter-arrival time between certificates of a domain, a mean, maximum, or minimum certificate duration of a domain, a quantity of uncertified gaps of a domain, a duration of time of the uncertified gaps of a domain, a quantity of distinct certificate issuers of a domain, a total quantity of certificates acquired by a domain, and an average length of all SAN lists associated with a domain.
However, Nunes teaches:
wherein the certificate transparency (CT) log-based features include each of a lifetime of a domain, a mean, maximum, or minimum inter-arrival time between certificates of a domain, a mean, maximum, or minimum certificate duration of a domain, a quantity of uncertified gaps of a domain, a duration of time of the uncertified gaps of a domain, a quantity of distinct certificate issuers of a domain, a total quantity of certificates acquired by a domain, and an average length of all SAN lists associated with a domain. – in paragraph [0123] (The certificate acquirer 1020 can thus access and parse fields 1110-1114 of the certificate 1102. In the example certificate 1102, the fields include an ID 1110, issuer info 112, subject info 1114, validity duration 1116, and a list of domains 1118. A record of all the certificates in use can be maintained by the certificate transparency logs, such as http://www.certificate-transparency.org/known-logs.)
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Belenko and Stein with Nunes to include wherein the certificate transparency (CT) log-based features include each of a lifetime of a domain, a mean, maximum, or minimum inter-arrival time between certificates of a domain, a mean, maximum, or minimum certificate duration of a domain, a quantity of uncertified gaps of a domain, a duration of time of the uncertified gaps of a domain, a quantity of distinct certificate issuers of a domain, a total quantity of certificates acquired by a domain, and an average length of all SAN lists associated with a domain, as taught by Nunes, in paragraph [0003], to identify and prevent and/or mitigate sophisticated malware and/or phishing attacks.
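The certificate transparency features enumerated in claims 6 and 7 can be computed from a domain's logged certificates. The sketch below is an added example, not code from the application or from any cited reference. The certificate records are constructed, and the definitions of "lifetime" (first issuance to latest expiry) and "uncertified gap" (a stretch inside the lifetime that no validity window covers) are assumptions, since the text above does not define them.

```python
from datetime import date
from statistics import mean

# Constructed sample: (not_before, not_after, issuer, SAN list) per certificate
# logged for one hypothetical domain. Not real CT data.
SAMPLE_CERTS = [
    (date(2021, 1, 1), date(2021, 4, 1), "Example CA A", ["shop.example", "www.shop.example"]),
    (date(2021, 3, 22), date(2021, 6, 20), "Example CA A", ["shop.example"]),
    (date(2021, 7, 10), date(2021, 10, 8), "Example CA B", ["shop.example", "www.shop.example", "mail.shop.example"]),
]

def _stats(values):
    """Mean, max and min of a list of day counts (zeros when empty)."""
    if not values:
        return {"mean": 0.0, "max": 0, "min": 0}
    return {"mean": mean(values), "max": max(values), "min": min(values)}

def ct_features(certs):
    """Compute per-domain CT log-based features, in days where applicable."""
    if not certs:
        raise ValueError("no certificates logged for this domain")
    certs = sorted(certs, key=lambda c: c[0])
    starts = [c[0] for c in certs]
    # Assumed definition: lifetime spans first issuance to latest expiry.
    lifetime = (max(c[1] for c in certs) - starts[0]).days
    inter_arrival = [(b - a).days for a, b in zip(starts, starts[1:])]
    durations = [(c[1] - c[0]).days for c in certs]
    # Assumed definition: an uncertified gap is a stretch inside the lifetime
    # that no certificate's validity window covers.
    gaps, covered_until = [], certs[0][1]
    for not_before, not_after, _, _ in certs[1:]:
        if not_before > covered_until:
            gaps.append((not_before - covered_until).days)
        covered_until = max(covered_until, not_after)
    return {
        "lifetime_days": lifetime,
        "inter_arrival_days": _stats(inter_arrival),
        "cert_duration_days": _stats(durations),
        "uncertified_gap_count": len(gaps),
        "uncertified_gap_days": sum(gaps),
        "distinct_issuers": len({c[2] for c in certs}),
        "total_certs": len(certs),
        "avg_san_list_len": mean(len(c[3]) for c in certs),
    }

if __name__ == "__main__":
    for name, value in ct_features(SAMPLE_CERTS).items():
        print(f"{name}: {value}")
```

Overlapping validity windows, as in the first two sample records, are merged before gaps are measured, so a renewal issued ahead of expiry does not register as a gap.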

Claim 11. Combination of Belenko and Stein teaches The system for detecting phishing domains of claim 1 – refer to the indicated claim for reference(s).

Combination of Belenko and Stein does not explicitly teach:
wherein the at least one model is trained on each of a lifetime of a domain, a mean, maximum, or minimum inter-arrival time between certificates of a domain, a mean, maximum, or minimum certificate duration of a domain, a quantity of uncertified gaps of a domain, a duration of time of the uncertified gaps of a domain, a quantity of distinct certificate issuers of a domain, a total quantity of certificates acquired by a domain, and an average length of all SAN lists associated with a domain, a quantity of name servers where a domain had authoritative DNS records, a quantity of administrative servers related to a domain, and a quantity of digits, dashes, and total characters of a dictionary entropy of a domain name.
However, Nunes teaches:
wherein the at least one model is trained on each of a lifetime of a domain, a mean, maximum, or minimum inter-arrival time between certificates of a domain, a mean, maximum, or minimum certificate duration of a domain, a quantity of uncertified gaps of a domain, a duration of time of the uncertified gaps of a domain, a quantity of distinct certificate issuers of a domain, a total quantity of certificates acquired by a domain, and an average length of all SAN lists associated with a domain, a quantity of name servers where a domain had authoritative DNS records, a quantity of administrative servers related to a domain, and a quantity of digits, dashes, and total characters of a dictionary entropy of a domain name. – in paragraph [0123] (The certificate acquirer 1020 can thus access and parse fields 1110-1114 of the certificate 1102. In the example 
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Belenko and Stein with Nunes to include wherein the at least one model is trained on each of a lifetime of a domain, a mean, maximum, or minimum inter-arrival time between certificates of a domain, a mean, maximum, or minimum certificate duration of a domain, a quantity of uncertified gaps of a domain, a duration of time of the uncertified gaps of a domain, a quantity of distinct certificate issuers of a domain, a total quantity of certificates acquired by a domain, and an average length of all SAN lists associated with a domain, a quantity of name servers where a domain had authoritative DNS records, a quantity of administrative servers related to a domain, and a quantity of digits, dashes, and total characters of a dictionary entropy of a domain name, as taught by Nunes, in paragraph [0003], to identify and prevent and/or mitigate sophisticated malware and/or phishing attacks.

Claim(s) 9 and 13 is/are rejected under 35 U.S.C. 103 as being unpatentable over Belenko, Andrey V. (Pub. No.: US 2021/0037006, hereinafter “Belenko”) in view of Stein et al. (Patent No.: US 10,104,113, hereinafter, “Stein”), and further in view of Huang et al. (Pub. No.: US 2018/0097822, hereinafter, “Huang”).
Claim 9. Combination of Belenko and Stein teaches The system for detecting phishing domains of claim 1 – refer to the indicated claim for reference(s).

Combination of Belenko and Stein does not explicitly teach:
wherein the at least one model is trained on lexical features including a quantity of digits, dashes, and total characters of a dictionary entropy of a domain name.
However, Huang teaches:
wherein the at least one model is trained on lexical features including a quantity of digits, dashes, and total characters of a dictionary entropy of a domain name. – in paragraph [0028] (The adapter 222 of the URL analysis manager 202 is configured to train or otherwise provide feedback to each of the URL lexical ensemble analyzer 204, the third-party detection analyzer 206, and the URL metadata analyzer 208 based on the malicious URL analysis performed by each analyzer 204, 206, 208.)
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Belenko and Stein with Huang to include wherein the at least one model is trained on lexical features including a quantity of digits, dashes, and total characters of a dictionary entropy of a domain name, as taught by Huang, in paragraph [0002], to identify malicious URLs based on non-content analysis using techniques that are more scalable and agile to new or emerging threats.

Claim 13. Combination of Belenko and Stein teaches The system for detecting phishing domains of claim 1 – refer to the indicated claim for reference(s).

Combination of Belenko and Stein does not explicitly teach:
wherein the predetermined threshold is set based on a desired false positive rate.
However, Huang teaches:
wherein the predetermined threshold is set based on a desired false positive rate. – in paragraph [0044] (The customer feedback may be embodied as any type of data or information provided by customers or user of the URL analysis system 102 regarding the classification of one or more URLs. In regard to the machine learning algorithms employed by the URL analysis system 102, such customer feedback may be positive reinforcing (e.g., an indication that a URL is malicious) or negative reinforcing (e.g., an indicating that a URL is non-malicious). The customer feedback may be used to filter out false positive and/or false negative maliciousness classifications of the URL.)
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Belenko and Stein with Huang to include wherein the predetermined threshold is set based on a desired false positive rate, as taught by Huang, in paragraph [0002], to identify malicious URLs based on non-content analysis using techniques that are more scalable and agile to new or emerging threats.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MUHAMMAD RAZA whose telephone number is (571)272-7734. The examiner can normally be reached Monday-Friday, 7:00 A.M.-5:00 P.M.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Vivek Srivastava can be reached on (571)272-7304. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MUHAMMAD RAZA/Primary Examiner, Art Unit 2449