DETAILED ACTION
This Office Action is in response to the application 16/830,923 filed on March 26th, 2020.
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claims 1-20 are pending and herein considered.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Information Disclosure Statement
The information disclosure statement (IDS), submitted on 07/23/2020, 08/13/2020, 10/12/2021, 04/01/2022, is in compliance with the provisions of 37 CRR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

Claims 1-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Zhu et al. (Zhu), U.S. Pub. Number 2012/0158626.
Regarding claim 1; Zhu discloses a computing platform, comprising:
at least one processor (par. 0037; fig. 3; one or more processor(s) 310.);
a communication interface (par. 0037; fig. 3; one or more network interfaces 402.) communicatively coupled to the at least one processor; and
memory storing computer-readable instructions (par. 0037; fig. 3; memory 308.) that, when executed by the at least one processor, cause the computing platform to:
receive a uniform resource locator (URL) (par. 0106; fig. 6; an unknown URL is received via a user action such as data entry into a web browsing entry window or a search engine, an embedded link selection via a mouse click.);
tokenize the URL to reduce the URL into a plurality of components (par. 0107; fig. 6; extracts features associated with the received unknown URL.);
identify one or more human-engineered features of the URL (pars. 0047 & 0075; an analysis of the lexicology of the URL may indicate, at least in part, whether a URL is malicious or benign; counts the number of redirections for a URL; URL redirection is when the same web page is made available via multiple different URLs such as a very short URL redirects to a target URL.);
compute a vector representation of the URL to identify one or more deep learned features of the URL (pars. 0024 & 0094; develops decision criteria for the classification models, the decision criteria that decide whether a malicious URL is a phishing URL may be developed based on URL features common to phishing URLs; construct the binary classification model (adapt decision criteria).);
concatenate the one or more human-engineered features of the URL to the one or more deep learned features of the URL, resulting in a concatenated vector representation (par. 0043; the malicious URL detection and categorization module may use an combination of extracted features to detect and categorize an unknown URL as a malicious URL; the malicious URL detection and categorization module utilizes a binary classification model and a multi-label classification model.);
compute, by inputting the concatenated vector representation of the URL to a URL classifier, a phish classification score (pars. 0096-0097; the malicious URL detection and categorization module employs the classification models to detect and categorize an unknown URL as a malicious URL, the classification model employs an ensemble voting process under a threshold t to make a decision for the final classification set.); and
in response to determining that the phish classification score exceeds a first phish classification threshold, cause a cybersecurity server to perform a first action (par. 0109; fig. 6; if the URL is a malicious URL, the output module indicates the URL is a malicious URL to the web user.).
Regarding claim 2; Zhu discloses the computing platform of claim 1,wherein identifying the one or more human-engineered features of the URL comprises parsing the URL to identify components of the URL, wherein the identified components of the URL comprise one or more of: a protocol, a top level domain (TLD), a domain, a subdomain, a port, a port type, a path, or path components (pars. 0046-0048; URLs consist of domain name and a path.).
Regarding claim 3; Zhu discloses the computing platform of claim 1, wherein identifying the one or more human engineered features of the URL comprises identifying a popularity of the URL, popularity of a domain of the URL, popularity of a subdomain and a domain of the URL, or popularity of a subdomain, a domain and one or more path components of the URL (pars. 0059-0061; extract features associated with link popularity; link popularity counts the number of incoming links for a target URL; obtain information associated with link popularity from known search engines; different search engines may produce different information on link popularities due to different coverage of web pages which individual search engines crawl.).
Regarding claim 4; Zhu discloses the computing platform of claim 3, wherein the memory stores additional computer-readable instructions that, when executed by the at least one processor, cause the computing platform to: generate a popularity score for each of a plurality of URLs, domains, sub domains, or path components, wherein the popularity scores correspond to one or more of: a number of times during a predetermined period that corresponding URLs, domains, subdomains, or path components were accessed, or a number of users that accessed the corresponding URLs, domains, subdomains, or path components; and store, in a popularity index, the popularity scores, wherein the popularity scores are stored along with a correlation to their respective URLs, domains, subdomains, and path components and wherein the computing platform is configured to access the popularity scores by applying a lookup function (par. 0062; extract a distinct domain link ratio in order to combat link manipulation including “link-framing” which links a group of malicious web pages together in order to increase link popularity; the distinct domain link ratio is the number of unique domains that link to the targeted URL compared to the total number of incoming links for the target URL.).
Regarding claim 5; Zhu discloses the computing platform of claim 1, wherein identifying the one or more human-engineered features of the URL comprises identifying that the URL contains an instance of brand mimicry (par. 0058; the lexicology feature extraction module extracts whether there is a brand name presence in the received URL.).
Regarding claim 6; Zhu discloses the computing platform of claim 1, wherein identifying the one or more human-engineered features of the URL comprises identifying that the URL contains a homoglyph, identifying a character length of the URL, identifying an encrypted protocol, identifying a page extension of the URL, identifying a signature associated with a domain generation algorithm, identifying a presence of a random substring, identifying a presence of one or more strings from a lexicon in the URL, or identifying a number of subdomains of the URL (pars. 0021-0022; support vector machine (SVM) is the machine learning algorithm used to train the binary classification model to classify an unknown URL as a malicious URL or a benign URL; RAkEL is the machine learning algorithm used to train the multi-label classification model to classify an unknown URL as one of a phishing URL, a spamming URL, a malware URL, or a multi-type attack URL; ML-kNN is the machine learning algorithm used to train the multi-label classification model.).
Regarding claim 7; Zhu discloses the computing platform of claim 1, wherein computing the vector representation of the URL comprises computing the vector representation of the URL using a neural network (pars. 0021-0022; support vector machine (SVM) is the machine learning algorithm used to train the binary classification model to classify an unknown URL as a malicious URL or a benign URL; RAkEL is the machine learning algorithm used to train the multi-label classification model to classify an unknown URL as one of a phishing URL, a spamming URL, a malware URL, or a multi-type attack URL; ML-kNN is the machine learning algorithm used to train the multi-label classification model.).
Regarding claim 8; Zhu discloses the computing platform of claim 7, wherein the neural network is pre-trained using one or more of: a language modeling task or another self-supervised task (par. 0090; extract any combination of the features for purposes of training the classification models; and detecting and categorizing URLs as potentially malicious URLs.).
Regarding claim 9; Zhu discloses the computing platform of claim 1, wherein identifying the one or more human-engineered features of the URL comprises: identifying that the URL is a redirector; initiating one or more requests to capture a redirection chain of one or more URLs associated with redirection actions taken by each URL in the redirection chain; and identifying one or more features of URLs associated with the redirection chain of the one or more URLs associated with the redirection chain (par. 0097; in RAkEL, a ranking of the labels is produced by averaging the zero-one predictions of each model per considered label; an ensemble voting process under a threshold t is then employed to make a decision for the final classification set.).
Regarding claim 10; Zhu discloses the computing platform of claim 1, wherein the URL classifier is a neural network (par. 0096; RAkEL creates m random sets of k label combinations and builds an ensemble of label powerset classifiers from each of the m random sets; the label powerset is a transformation-based algorithm that accepts a single-label classifier as a parameter; it considers each distinct combination of labels that exist in the training set as a different class value of a single-label classification task.).
Regarding claim 11; Zhu discloses the computing platform of claim 1, wherein the memory stores additional computer-readable instructions that, when executed by the at least one processor, cause the computing platform to: in response to determining that the phish classification score exceeds a second phish classification threshold, cause the cybersecurity server to perform a second action different from the first action (par. 0068; cyber attackers who inject malicious code into web pages via importing and hiding exploits in the web page content.).
Regarding claim 12; Zhu discloses the computing platform of claim 11, wherein: causing the cybersecurity server to perform the first action comprises setting a first flag; and causing the cybersecurity server to perform the second action comprises setting a second flag, wherein: the first flag and the second flag are set in a cybersecurity database hosted by one of: the computing platform or a central repository, and the cybersecurity database is accessible by the cybersecurity server (par. 0058; number cyber attackers target widely trusted brand names when using malicious URLs; the brand name presence is a binary feature that check whether a brand name is contained in any of the URL tokens other than the SLD.).
Regarding claim 13; Zhu discloses the computing platform of claim 12, wherein the cybersecurity server is configured to monitor the cybersecurity database at a predetermined interval to detect flags (par. 0031; the classification models are able to provider better protection against malicious URLs even when cyber attackers are continuously trying to evade detection by modifying the manner in which malicious URLs are configured.).
Regarding claim 14; Zhu discloses the computing platform of claim 13, wherein performing the first action comprises, in response to detecting the first flag, generating one or more commands directing a visual similarity classification platform to analyze content of the URL; and wherein performing the second action comprises, in response to detecting the second flag, one or more of: generating one or more commands directing another computing device to display a graphical user interface indicating that the URL is malicious, or adding the URL to a list of blocked URLs (par. 0027; applies classification models and employs the classification models to determine whether the unknown URL is malicious or benign; the result may be output to a web user, a web browser, a search engine, a computing system, a system analyzer, a blacklist/list of blocked URL.).
Regarding claim 15; Zhu discloses the computing platform of claim 13, wherein performing the first action comprises, in response to detecting the first flag, generating one or more commands directing a holistic classification platform to analyze content of the URL; and wherein performing the second action comprises, in response to detecting the second flag, one or more of: generating one or more commands directing another computing device to display a graphical user interface indicating that the URL is malicious, or adding the URL to a list of blocked URLs (par. 0027; applies classification models and employs the classification models to determine whether the unknown URL is malicious or benign; the result may be output to a web user, a web browser, a search engine, a computing system, a system analyzer, a blacklist/list of blocked URL.).
Regarding claim 16; Zhu discloses the computing platform of claim 13, wherein the memory stores additional computer-readable instructions that, when executed by the at least one processor, cause the computing platform to: based on a failure to detect a flag, determine that the phish classification score does not exceed the first phish classification threshold or the second phish classification threshold; and determine, based on the determination that the phish classification score does not exceed the first phish classification threshold or the second phish classification threshold, that the URL is legitimate (par. 0071; injecting hidden malicious iframes into compromised legitimate web pages is a popular form of a malware attack; invisible iframes allow for silent loading of exploits from illegitimate web pages while an unsuspecting web user is browsing visible content of the compromised legitimate web page.).
Regarding claims 17-19; Claims 17-19 are directed to method which have similar scope as claims 1-16. Therefore, claims 17-19 remain un-patentable for the same reasons.
Regarding claim 20; Claim 20 is directed to one or more non-transitory computer-readable media which has similar scope as claim 1. Therefore, claim 20 remains un-patentable for the same reasons.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KHOI V LE whose telephone number is (571)270-5087.  The examiner can normally be reached on 9:00 AM - 5:00 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on 571-272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/KHOI V LE/
Primary Examiner, Art Unit 2436