DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 

Information Disclosure Statement
No information disclosure statement(s) (IDS) was filed before the mailing date of this office action.  Accordingly, no information disclosure statement is being considered by the examiner. 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-2, 5-9, 11-12, 19-24, 26-30, 32-33 and 40-43 are rejected under 35 U.S.C. 103 as being unpatentable over US-PGPUB No 2019/0132356 A1 to Vargas Gonzalez (hereinafter Gonzalez), and further in view of US-PGPUB No. 2020/0084225 A1 to McKendall et al. (hereinafter McKendall)
Regarding claim 1:
Gonzalez discloses:
A method for monitoring use of web code, comprising: 
providing a web agent for embedding into the web code of a protected web site (see Gonzalez ¶10: “… a system that embeds a phishing detector in a webpage to enable automated detection of phishing activities and automated notification of the victims of the phishing activities.”, and 
¶43: “… a detector … is embedded in a webpage … hosted on the website. The detector … hosted in the webpage … has a reference to the server …”);  
upon downloading the web code from a server to a client computer and running the web code on the client computer, identifying, by the web agent, attributes of the server (see Gonzalez ¶10: “At least one embodiment disclosed herein provides a system that embeds a phishing detector in a webpage to enable automated detection of phishing activities and automated notification of the victims of the phishing activities”) 
analyzing the attributes by the web agent so as to detect malicious use of the web code (see Gonzalez ¶10: “Based on the source and/or destination, the phishing detector determines whether the user of the webpage is interacting with the original website of the webpage, or a suspected phishing site);Gonzalez failed to explicitly disclose the following limitation taught by McKendall:
 transmitting, by the web agent, a notification beacon in response to detecting the malicious use of the web code (see McKendall Abstract: “The code detects a phishing attack by sending a notification to the server indicating within which domain it is executing”, and 
¶100: “… a Web page will be downloaded to computer … along with the protection code, the protection code executes, and sends a notification with contextual information …).  
 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of Gonzalez to incorporate the functionality of protection code to detect a phishing attack and send notification as disclosed by McKendall, such modification would allow to provide timely detection and mitigation of unauthorized use of a webpage (copied) and phishing attacks.

Regarding claim 2:
The combination of Gonzalez and McKendall disclose:
The method according to claim 1, wherein the malicious use of the web code comprises a phishing attack (see McKendall ¶15: “… the invention inserts protection code into a Web page requested by the user in order to detect a phishing attack.”).  Regarding claim 5:
The combination of Gonzalez, and McKendall disclose:
The method according to claim 1, wherein transmitting the notification beacon comprises transmitting the notification beacon upon detecting, by the web agent, the web code comprising the web agent being unloaded from a web browser (see McKendall ¶11: “Embodiments of the invention provide: … Web page tampering detection (an alert occurs when malware modifies a Web page displayed to a user…)”, and 
¶94: “It is also possible that malware executing on the user's computer is preventing the fingerprint calculation … an action may be taken such as generating an alert, logging the discrepancy, redirecting the session to another server or Web site, blocking or terminating the session …  locking the user's account, etc.”).  

Regarding claim 6:
The combination of Gonzalez and McKendall disclose:
The method according to claim 1, wherein analyzing the attributes comprises detecting multiple instances of the malicious use of the web code, and wherein transmitting the notification beacon comprises transmitting the notification beacon only for a specified percentage of the specified instances (see McKendall ¶103: “…  this APT code sends a notification over Internet link … that includes contextual information from this session. This notification and information may be sent periodically or upon certain events …”).  

Regarding claim 7:
The combination of Gonzalez and McKendall disclose:
The method according to claim 1, wherein transmitting the notification beacon comprises transmitting the notification beacon to a domain name classified as non- suspicious (see McKendall ¶103: “… this APT code sends a notification … to protector server …”).  

Regarding claim 8:
The combination of Gonzalez and McKendall disclose:
The method according to claim 1, wherein transmitting the notification beacon comprises embedding, by the web agent, the attributes in a content request, transmitting, by the web agent, the content request to a proxy server, embedding, by the proxy server, the attributes in the notification beacon, and transmitting, by the proxy server, the notification beacon to a security server (see McKendall ¶87: “… the protection code also calculates a fingerprint or checksum for the Web page or of each form displayed on the user computer. … The protection code then sends this client-side checksum … to integrity engine. … This data may be sent directly to the integrity engine server or indirectly via the protector server. The integrity engine compares the two checksums, and, if different, generates an alert.”).  

Regarding claim 9:
The combination of Gonzalez and McKendall disclose:
The method according to claim 1, wherein the server has an Internet Protocol (IP) address, and wherein detecting, by the web agent, the malicious use of the web code comprises comparing the IP address of the server to a predefined list of valid IP addresses, and determining that that the identified IP address is not in the list (see McKendall ¶106: “server … checks the identifying information of the user computer in the contextual information (such as IP address …) and determines if this identifying information matches any other session information it has stored … By way of example, if contextual information includes “IP address is: 10.0.0.124” and “browser type is: Firefox,” yet, server … has no record of any session with a user computer having this information, this is a good indication that the current session is not valid and that phishing is likely.”).  


Regarding claim 11:
The combination of Gonzalez and McKendall disclose:
The method according to claim 1, wherein the server has a domain name, and wherein detecting, by the web agent, 331397-2003.1 S2 the malicious use of the web code comprises comparing the domain name of the server to a predefined list of valid domain names, and determining that that the identified domain name is not in the list (see McKendall ¶104: “The APT code may also send the name of the domain from which it originated … the server inspects this contextual information to determine if a valid session exists. … server … concludes that a valid session does not exist and that phishing is likely.”, and 
¶107: “… server 100 uses the name of the domain in which the APT code is being hosted to determine if a phishing attack may be occurring. … The received domain may also be compared to the actual name of the legitimate Web site. In a second way, the received domain “www.5erpentinebank.com” is compared to a blacklist or other database of known phishing Web sites; if on the list, the session is not valid and phishing is likely.”).  

Regarding claim 12:
The combination of Gonzalez and McKendall disclose:
The method according to claim 1, wherein the server has a Uniform Resource Locator (URL), and wherein detecting, by the web agent, the malicious use of the web code comprises comparing the URL of the server to a predefined list of valid URLs, and determining that that the identified URL is not in the list (see McKendall ¶54: “…  the proxy may provide a white list of only those URLs to which a user is allowed access within the Web application … 
See Fig. 4, step 316: “Optional White … list Blocking””).  

Regarding claim 19:
The combination of Gonzalez and McKendall disclose:
The method according to claim 1, wherein detecting, by the web agent, the malicious use of the web code comprises transmitting a fingerprint request to the server, receiving a server fingerprint in response to the signature request, and determining that the received server fingerprint is not valid (see McKendall ¶14: “…  takes the original Web page from the origin server and calculates a fingerprint for that page. … different fingerprints mean that malware has changed the Web page and an alert is generated, the account is locked, the user is redirected to clean the host computer, etc.”).  

Regarding claim 20:
The combination of Gonzalez and McKendall disclose:
The method according to claim 1, and comprising analyzing the web code by the web agent so as to detect unauthorized modification of the web code, and transmitting, by the web agent, the notification beacon in response to detecting the unauthorized modification to the web code (see McKendall ¶11: “… an alert occurs when malware modifies a Web page displayed to a user, e.g., to inject form fields or alter information …”).  

Regarding claim 21:
The combination of Gonzalez and McKendall disclose:
The method according to claim 1, and comprising detecting, by the web agent, content downloaded by the web code, computing, by the web agent a fingerprint over the downloaded content, determining, by the web agent, that the fingerprint is not valid, and 351397-2003.1 S2 transmitting, by the web agent, the notification beacon in response to detecting the unauthorized modification to the web code (see McKendall ¶87: “… the protection code also calculates a fingerprint or checksum for the Web page … the checksums do not match and an alert … is generated”, and 
¶14: “… different fingerprints mean that malware has changed the Web page and an alert is generated, the account is locked, the user is redirected to clean the host computer”). 

Regarding claims 22-23, 26-30, 32-33 and 40-42:
Claims 22-23, 26-30, 32-33 and 40-42 substantially recite the limitations as claims 1-2, 5-9, 11-12 and 19-21, respectively, in the form of a computer software product storing instructions to execute the corresponding methods, therefore they are rejected by the same rationale. 

Regarding claim 43: 
Claim 43 recites substantially the same limitation as claim 1 in the form of a web code protection computer comprising a processor to embed a web agent into a web code, therefore it is rejected by the same rationale.

Claims 3 and 24 are rejected under 35 U.S.C. 103 as being unpatentable over Gonzalez, McKendall and further in view of US-PGPUB 2018/0063190 to Wright et al. (hereinafter Wright)
Regarding claim 3:
The method according to claim 1, and comprising automatically terminating the web agent upon determining, by the web agent, that the web code is running in a local environment (see Wright ¶26: “For example, S110 can include obfuscating the inserted tattler code, which can increase the difficulty for an attacker to remove the tattler when copying a target website”). 

It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of  Gonzalez and McKendall to incorporate the functionality of the method for hindering phishing activity which includes modifying a target website as disclosed by Wright, such modification would allow to automatically terminate protection code that is embedded within the web page, and obfuscate the web code when it is determined that the web page is being run in a local (hostile) environment to protect the malicious code from getting access to resources using the web code, thus providing protection against phishing attacks.


Regarding claim 24: 
Claim 24 substantially recites the limitation as claim 3, in the form of a computer software product storing instructions to execute the corresponding methods, therefore it is rejected by the same rationale. 

Claims 4 and 25 are rejected under 35 U.S.C. 103 as being unpatentable over Gonzalez, McKendall and further in view of USPAT 10104113 B1 to Stein et al. (hereinafter Stein)
Regarding claim 4: 
The combination of Gonzalez and McKendall disclose the method of claim 1 but failed to explicitly disclose the following limitation taught by Stein: 
wherein the attributes of the server comprise a Uniform Resource Locator (URL) for a web page hosted by the server and comprising the web code, the URL comprising a character string, and wherein analyzing the attributes of the server comprises identifying, by the web agent, each of the characters individually (see Stein ¶56: “…URL feature extraction logic … can extract one or more URL features that are binary values that represent whether a domain contains a particular character. For example, in one embodiment URL feature extraction logic … can extract a URL feature that represents whether the domain contains a “m” character and another URL feature that represents whether the domain contains a “7” character.”, and 
¶72: “The extracted content features may be used by content classifier logic … to determine a maliciousness risk score for the URL. There are many types of content features that may be extracted, including, character count features …”).  

It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of  Gonzalez and McKendall to incorporate the functionality of the Content classifier includes content feature extraction logic system which  extracts content features from a webpage content as disclosed by Stein, such modification would allow to detect and identify disguised URL links by extracting each character from the URL string, thus protecting users from phishing attacks.

Regarding claim 25:
Claim 25 substantially recites the limitation as claim 4, in the form of a computer software product storing instructions to execute the corresponding methods, therefore it is rejected by the same rationale. 

Claims 10 and 31 are rejected under 35 U.S.C. 103 as being unpatentable over Gonzalez, McKendall and further in view of US-PGPUB No. 2016/0191548 A1 Smith et al. (hereinafter Smith)
Regarding claim 10:
The combination of Gonzalez and McKendall disclose the method according to claim 9 but the combination of Gonzalez and McKendall failed to explicitly disclose the following limitation taught by Smith: 
wherein the list of IP addresses comprises a predefined range of IP addresses, and wherein determining that the IP address is not in the list comprises determining that the identified IP address is not within the range (see Smith ¶74: “HTTP requests may then be made to each of domains … to determine whether such websites also contain malicious activity or information useful for crawling. Likewise, the range of IP addresses … may also be considered a “link,” since it may be inferred that other IP addresses (not listed) falling within that range or associated with a similar geographical IP range may be suspect.”).  

It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of  Gonzalez and McKendall to incorporate the functionality of the Content analysis system to analyze IP addresses, domains, or websites, and to consider the range of IP addresses to consider as a “link” to a suspect as disclosed by Smith, such modification would allow to detect and identify IP addresses that are not predefined, but come from a certain geographical IP range known to be malicious, and thus protecting users from phishing attacks.


Claims 13 and 34 are rejected under 35 U.S.C. 103 as being unpatentable over Gonzalez, Kendall, and further in view of USPAT No. 9654484 B2 Grill et al. (hereinafter Grill)
Regarding claim 13:
The combination of Gonzalez and McKendall disclose the method of claim 1 but failed to explicitly disclose the following limitation taught by Grill: 
wherein detecting, by the web agent, the malicious use of the web code comprises detecting the web code downloading content from one or more servers, computing a count of the one or more servers, and determining that the count is less than a predefined threshold (see Grill ¶10: “… a number of domain name server requests originating from a particular network node are determined, wherein the domain name server requests are directed to one or more domain name servers. A number of internet protocol addresses (IP addresses) contacted by the particular network node are determined. Based on the number of domain name server requests and the number of IP addresses contacted, existence of malware on the particular network node is identified.”).  

It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of Gonzalez and McKendall to incorporate the functionality of the network device to determine the number of domain name server requests originating from a particular network node as disclosed by Grill, such modification would allow tor identify the  existence of malware on a particular network node by monitoring the number of requests to be less than a predefined threshold, and thus protect from malicious activities. 

Regarding claim 34:
Claim 34 substantially recites the same limitation as claim 13, in the form of a computer software product storing instructions to execute the corresponding method, therefore it is rejected by the same rationale. 

Claims 14-15 and 33-36 are rejected under 35 U.S.C. 103 as being unpatentable over Gonzalez, McKendall, and further in view of USPAT No.10523680 B2 to Turgeman et al. (hereinafter Turgeman)
Regarding claim 14:
The combination of Gonzalez and McKendall disclose the method of claim 1 but failed to explicitly disclose the following limitation taught by Turgeman: 
wherein detecting, by the web agent, the malicious use of the web code comprises transmitting a predefined Domain Name System (DNS) query having an expected response, receiving a response to the query, and detecting that the received response does not match the expected response (see Turgeman ¶41: “… the system may issue a DNS query about the source (or the originating) IP address … the response to the DNS query may provide other information which may be utilized for proxy detection or proxy estimation …”).   

It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of  Gonzalez and McKendall to incorporate the functionality of the fraud estimation module to estimate or detect or determine a fraud or a fraudulent transaction or a fraudulent user or an attacker or a fraudulent set-of-operations by issuing a DNS query about the source IP address  and matching the response with the expected result as disclosed by Turgeman, such modification would allow to detect and identify unauthorized, modified Ip addresses and protect users from illegitimate websites.

Regarding claim 15:
The combination of Gonzalez and McKendall disclose the method of claim 1 but failed to explicitly disclose the following limitation taught by Turgeman:
wherein detecting, by the web agent, the malicious use of the web code comprises receiving a transmission from the server, and detecting that the received transmission does not comprise a specified Hypertext Transfer Protocol (HTTP) header (see Turgeman ¶41: “… an HTTP header Modifier … may intentionally modify HTTP response header(s) that are sent by a trusted server to the end-user device in a manner that violates HTTP protocol … and the proxy detector may check the response or the reaction of the end-user device to such intentional violation or to such non-HTTP compliant header.”). 

It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of Gonzalez and McKendall to incorporate the functionality of the proxy detector to identify modified HTTP headers as disclosed by Turgeman, such modification would allow to protect the unauthorized modification of HTTP headers, and protect from cross-site scripting and phishing attacks.

Regarding claims 35-36:
Claims 35-36 substantially recite the same limitations as claims 14-15, respectively, in the form of a computer software product storing instructions to execute the corresponding methods, therefore they are rejected by the same rationale. 

Claims 16, 18, 37 and 39 are rejected under 35 U.S.C. 103 as being unpatentable over Gonzalez, McKendall, and further in view of USPAT No. 10581597 B2 Shen et al (hereinafter Shen)
Regarding claim 16:
The combination of Gonzalez and McKendall disclose the method of claim 1 but failed to explicitly disclose the following limitation taught by Shen: 
detecting, by the web agent, the malicious use of the web code comprises transmitting a certificate request to the server, receiving a server certificate in response to 341397-2003.1 S2 the certificate request, and determining that the received server certificate is not valid (see Shen ¶71-73: “… the client software sends an electronic credential acquisition request to the server. The server responds to the electronic credential acquisition request. … the server sends the server signature information and the electronic credential to the client software …. After receiving the server signature information and the electronic credential, the client software extracts the electronic credential, and performs a hash operation on the electronic credential to obtain a second hash value. … compares the first hash value … with the second hash value ... If the first hash value is different from the second hash value, it indicates that the electronic credential is tampered with …”).  

It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of Gonzalez and McKendall to incorporate the functionality of the client software to send an electronic credential acquisition request to the server, and extract the response and compare the hash values to determine if the credential was tampered as disclosed by Shen, such modification would provide to verify the server signature and determine if the webpage is not modified, thus protecting malicious activities.


Regarding claim 18:
The combination of Gonzalez and McKendall disclose the method of claim 1 but failed to explicitly disclose the following limitation taught by Shen: 
wherein detecting, by the web agent, the malicious use of the web code comprises transmitting a signature request to the server, receiving a server signature in response to the signature request, and determining that the received server signature is not valid (see Shen ¶71-73: “… the client software sends an electronic credential acquisition request to the server. The server responds to the electronic credential acquisition request. … the server sends the server signature information and the electronic credential to the client software …”, and  
¶122-124: “The client software receives the server signature information and the electronic credential that are sent by the server. The client software verifies the server signature information …  If the verification on the server signature information fails, an electronic credential provided by the server cannot be obtained.”).  

It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of Gonzalez and McKendall to incorporate the functionality of the client software to send an electronic credential acquisition request to the server, and extract the response and compare the hash values to determine if the credential was tampered as disclosed by Shen, such modification would provide to verify the server signature and determine if the webpage is not modified, thus protecting malicious activities. 

Regarding claims 37 and 39:
Claims 37 and 39 substantially recite the same limitations as claims 16 and 18, respectively, in the form of a computer software product storing instructions to execute the corresponding methods, therefore they are rejected by the same rationale. 


Claims 17 and 38 are rejected under 35 U.S.C. 103 as being unpatentable over Gonzalez, McKendall and further in view of USPAT No. 7958555 B1to Chen et al. (hereinafter Chen)
Regarding claim 17:
The combination of Gonzalez and McKendall disclose the method of claim 1 but failed to explicitly disclose the following limitation taught by Chen: 
wherein detecting, by the web agent, the malicious use of the web code comprises transmitting a token request to the server, receiving a server token in response to the token request, comparing the received server signatures to a specified list of server signatures, and determining that the received server token is not valid (see Chen ¶39-40: “The page signature extractor … sends a phishing detection request to the signature server … to determine if the webpage is a phishing page ... The phishing detection request may be in the form of a DNS query, and may include the signature and URL of the webpage for data collection and further investigation, if needed. In response to the phishing detection request, the signature server … compares the signature of the web page to signatures of phishing pages and returns the result of the comparison in the form of a DNS answer. … if the signature of the web page matches a signature of one or more phishing pages, the page signature extractor … so informs the policy enforcer …”).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of Gonzalez and McKendall to incorporate the functionality of the page signature extractor to encode the web page by generating the signature of the web page and send a phishing detection request to the signature server as disclosed by Chen, such modification would allow to detect phishing attacks by encoding the webpage and generating a signature to provide a secured way of detecting malicious activities.    

Regarding claim 38:
Claim 38 substantially recites the same limitation as claim 17, in the form of a computer software product storing instructions to execute the corresponding method, therefore it is rejected by the same rationale.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 

Liu (US-PGPUB No. 20160241589-A1)- disclosed a method and an apparatus for identifying a malicious website, the method including: acquiring uniform resource locators (URLs) of websites determined as malicious websites and URLs of websites determined as safe websites; performing feature extraction on the URLs of the malicious websites.
Cleveland (US-PGPUB No. 20210211463-A1)- disclosed a Web site comprise detection method and system. The method includes parsing the source code, analyzing the source code to determine an indicator of compromise is present in the source code.
Banerjee et al. (US-PGPUB No. 2010/0186088-A1)- disclosed a method and system for automated identification of phishing, phony, and malicious web sites.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Matthias Habtegeorgis whose telephone number is (571)272-1916. The examiner can normally be reached on 8:00am - 4:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Ashok B Patel can be reached on 5712723972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through

Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/M.H./Examiner, Art Unit 2491 

/ALEXANDER LAGOR/Primary Examiner, Art Unit 2491