DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This action is in response to Application filed 04/03/2020. Claims 1-20 are pending. 

Priority
No foreign priority or domestic benefit has been claimed.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 04/03/2020 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Patent Eligibility Analysis (Abstract Idea)
Per 2019 Revised PEG (Electrical Arts):
Step 1: Claims 1, 9 and 14 are directed to at least one of the four categories of invention and therefore are “subject matter eligible”.
Step 2A – prong one: In accordance with the defined abstract idea groupings, none of claims 1, 9 and 14 recite any limitation directed to an abstract idea.
As such, at the conclusion of step 2A – prong one, claims 1-20 are determined “patent eligible”.

Intended Use
As per MPEP 2103, C. Review the Claims:
“The subject matter of a properly construed claim is defined by the terms that limit the scope of the claim when given their broadest reasonable interpretation. It is this subject matter that must be examined. As a general matter, grammar and the plain meaning of terms as understood by one having ordinary skill in the art used in a claim will dictate whether, and to what extent, the language limits the claim scope. See MPEP § 2111.01 for more information on the plain meaning of claim language. Language that suggests or makes a feature or step optional but does not require that feature or step does not limit the scope of a claim under the broadest reasonable claim interpretation. The following types of claim language may raise a question as to its limiting effect:
(A) statements of intended use or field of use, including statements of purpose or intended use in the preamble, 
(B) "adapted to" or "adapted for" clauses, 
(C) "wherein" or "whereby" clauses, 
(D) contingent limitations, 
(E) printed matter, or 
(F) terms with associated functional language.”

Claims 1 and 9 recite “transmitting, …wherein the one or more machine learning modules are usable by an application executing on the computing device to identify whether a user interface accessed by the computing device matches a user interface associated with the set of Internet domain names”. This feature is an optional intended use feature that does not narrow the scope of any of the positively recited limitations and/or the scope of the claim as a whole. 
A recitation of the intended use of the claimed invention must result in a structural difference between the claimed invention and the prior art in order to patentably distinguish the claimed invention from the prior art. Here, the intended use functional recitations are considered but given less patentable weight because they fail to add positively claimed features to narrow the scope. If the prior art structure is capable of performing the intended use, then it meets the claim. 


Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claim(s) 14 and 18 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Kumar, US2019/0104154.

Per claim 14, Kumar discloses a non-transitory computer-readable medium having instructions stored thereon that are executable by a plugin of a browser of a computing device to perform a set of security operations (the retrieval of the subject screenshot, or content associated therewith, may be via a centrally located system using an internet browser as discussed below or via accessing a data caching system that has stored therein previously captured screenshots…The screenshot may result from the processing of the webpage (the webpage associated with the URL) based on the characteristics (e.g. selected internet browser applications, operating systems, etc.) – Kumar: par. 0026 and 0027) comprising: 
capturing a current screenshot of a user interface that is requested for display by a user of the computing device (the detection process includes the (i) generation of a subject screenshot of a webpage retrieved from a subject URL – Kumar: par. 0026); and 
determining whether the user interface is suspicious by: 
providing the current screenshot of the user interface to a machine learning module within the plugin, wherein the machine learning module is trained using screenshots of authentic user interfaces ((ii) processing the subject screenshot to identify a set of keypoints, (iii) correlating the set of keypoints to a set of known benign or known phishing pages using the model, and (iv) if the correlation exceeds a threshold, classifying the subject URL as part of a phishing cyberattack. In some embodiments, the retrieval of the subject screenshot, or content associated therewith, may be via a centrally located system using an internet browser as discussed below or via accessing a data caching system that has stored therein previously captured screenshots – Kumar: par. 0026); and 
in response to the machine learning module indicating that the user interface matches a particular one of the authentic user interfaces, verifying a uniform resource locator (URL) of the user interface (a first confidence may correspond to the Bank of America webpage, a second confidence may correspond to the Wells Fargo webpage, etc., with each confidence indicating the likelihood that the subject webpage is attempting to mimic the webpage corresponding to the webpage family. Continuing the example, the first confidence indicates the likelihood that the subject webpage is attempting to mimic the Bank of America webpage based on how closely the subject webpage resembles the “look and feel” of the Bank of America webpage. [0061] The webpage family having the highest confidence may be passed to the image comparator 120, which performs an image comparison between the subject screenshot and the webpage corresponding to the webpage family with the highest confidence. … When the image comparison results in a match above a predefined threshold, the PDAS 400 determines that the subject webpage and the subject URL itself are part of a phishing attack – Kumar: par. 0060-0061 – Note: the highest confidence in the webpage family that is closest matching and is used compared to the screenshot which is subject to verification to determine if the screen shot, i.e., the webpage interface, is suspicious).

Per claim 18, Kumar discloses the non-transitory computer-readable medium of claim 14, wherein the verifying includes: determining whether a uniform resource locator (URL) of the user interface requested for display and a URL of the particular authentic user interface are the same (The pre-filter 116 performs a pre-filtering process on the URL, which may include one or more static scans such as whitelist/blacklist comparisons. In particular, the whitelist/blacklist database 118 stores data corresponding to whitelisted URLs (indicators determined to be benign) as well as blacklisted URLs (indicators determined to be associated with cyberattacks, e.g., phishing attacks). Comparisons performed by the pre-filter 116 between the whitelisted and blacklisted URLs stored in the whitelist/blacklist database 118 seek to remove any URLs known to be either benign or malicious. As a result of removing known benign or malicious URLs from the analysis, URLs passed on by the pre-filter 116 as not being knowingly benign or malicious and that resolve to webpages that very closely resemble known benign webpages (e.g., those of Bank of America, Wells Fargo, etc.) or malicious (e.g., known phishing webpages) are determined to be phishing webpages – Kumar: par. 0058).


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

1.	Claim(s) 1-2, 4, 6, 8-10 and 12-13 are rejected under 35 U.S.C. 103 as being unpatentable over Kumar, US2019/0104154 in view of Jeyakumar, US2020/0389486.

Per claim 1, Kumar discloses a method, comprising: 
receiving, by a server computer system, a set of Internet domain names (As an overview the training process involves receipt of a list of URLs for use the detection of phishing websites. The list of URLs may be based on internal analytics, a third-party source, or the like. The URLs included in the list of URLs may be either known, benign websites (e.g., those that are often used in carrying out phishing attacks) and/or known phishing websites – Kumar: par. 0044); 
generating, by the server computer system, screenshots for user interfaces associated with the set of Internet domain names (The screenshot of the website of each URL of the list of URLs is obtained by the content fetcher 104 – Kumar: par. 0044); 
training, by the server computer system, one or more machine learning modules that are customized for the set of Internet domain names using the screenshots (The content fetcher 104 retrieves from the URL then provides the subject screenshot of the contents of the subject webpage (e.g., an image file, or an identifier, enabling retrieval of the image file), rendered by an internet browser, to the feature generation logic 106. As discussed above, the feature generation logic 106 detects keypoints within the subject screenshot and generates a feature vector based on the detected keypoints. The feature vector corresponding to the subject screenshot is provided to the classifier 112 for webpage family classification based on the model generated by the training module – Kumar: par. 0053); and 
Kumar is not relied on to explicitly disclose but Jeyakumar discloses transmitting, by the server computer system to a computing device, the one or more machine learning modules, wherein the one or more machine learning modules are usable by an application executing on the computing device to identify whether a user interface accessed by the computing device matches a user interface associated with the set of Internet domain names (The threat detection platform can then download resources from the storage medium(s) to build a ML model that can be used to identify email-based security threats. Thus, the threat detection platform can build a ML model based on retrospective information in order to better identify security threats in real time as emails are received. For example, the threat detection platform may ingest incoming emails and/or outgoing emails corresponding to the last six months, and then the threat detection platform may build a ML model that understands the norms of communication with internal contacts (e.g., other employees) and/or external contacts (e.g., vendors) for the enterprise… Such an approach allows the threat detection platform to employ an effective ML model nearly immediately upon receiving approval from the enterprise to deploy it – Jeyakumar: par. 0130-0131 – Note: generating and deploying an ML model customized for an enterprise’s email application).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Kumar in view of Jeyakumar to include transmitting, by the server computer system to a computing device, the one or more machine learning modules, wherein the one or more machine learning modules are usable by an application executing on the computing device to identify whether a user interface accessed by the computing device matches a user interface associated with the set of Internet domain names.
One of ordinary skill in the art would have been motivated because it would allow “the ability to identify attacks that have not been seen before, as well as zero-day phishing attacks” – Jeyakumar: par. 0098 and would further allow “to employ an effective ML model nearly immediately upon receiving approval from the enterprise to deploy it” – Jeyakumar: par. 0131.

Per claim 9, it recites a non-transitory computer-readable medium having instructions stored thereon that are executable by a server computing device to perform operations recited in the method of claim 1.
Therefore, claim 9 is rejected based on the same analysis and motivation to combine as set forth in the rejection of claim 1 above.

Per claims 2 and 10, Kumar in view of Jeyakumar discloses features of claims 1 and 9, wherein the training includes: 
determining, based on the screenshots, a plurality of attributes of the user interfaces associated with the set of Internet domain names (Upon obtaining a screenshot of the website to which each URL resolves, one or more screenshots may be provided to the feature generation logic 106. It should be noted that the content fetcher 104 may provide the one or more screenshots (or identifiers thereof, such as file names) to the feature generation logic 106 as other screenshots from the list of URLs are being collected, as opposed to obtaining the screenshots prior to passing the screenshots along to the feature generation logic 106. For each screenshot, the feature generation logic 106 is responsible for: (1) detecting keypoints within the screenshot, (2) generating keypoint descriptors based on the detected keypoints, and (3) generating a feature vector that includes the generated keypoint descriptors. The feature generation logic 106 uses computer vision techniques to detect the keypoints – Kumar: par. 0047), wherein the plurality of attributes include one or more of: 
input attributes, location attributes, and style attributes (The content fetcher 104 retrieves from the URL then provides the subject screenshot of the contents of the subject webpage (e.g., an image file, or an identifier, enabling retrieval of the image file), rendered by an internet browser, to the feature generation logic 106. As discussed above, the feature generation logic 106 detects keypoints within the subject screenshot and generates a feature vector based on the detected keypoints – Kumar: par. 0053 – Note: feature vector is the one or more attributes used to train the model); and 
inputting the determined plurality of attributes to the one or more machine learning modules during training (The classifier 112 uses the feature vector of the subject screenshot as an input to the model generated during training – Kumar: par. 0060).

Per claim 4, Kumar in view of Jeyakumar discloses the method of claim 1, wherein, in response to identifying that the user interface accessed by the computing device matches a user interface associated with the set of Internet domain names (the PDAS 400 may receive an object and, in such an embodiment, an optional URL extractor 114 may first extract the subject URL (e.g., from an email or other object) and provide the extracted subject URL to the pre-filter 116 for pre-filtering… When the subject URL is not found to be either malicious or benign, the subject URL is provided to the content fetcher 104, which obtains, in some embodiments, generates, a screenshot of the webpage to which the URL resolves – Kumar: par. 0052), the application is executable to verify an address used by the device to access the user interface, wherein the computing device accesses the user interface via a web browser, and wherein the user interface accessed by the computing device is a webpage (The pre-filter 116 performs a pre-filtering process, such as one or more static scans, on the URL, which may include performing whitelist/blacklist comparisons…When the image comparison results in a match (e.g., correlation value) above a predefined threshold, the PDAS 400 determines that the subject webpage and the subject URL itself are part of a phishing attack. Where two or more webpages within a webpage family are used, the comparison with the subject webpage may be made separately for each of the webpages and, in alternatively embodiments (i) if any or a prescribed number of the resulting correlation values exceed the threshold, the URL is declared part of a phishing attack, or (ii) if the correlation value determined by statistically combining the separate correlation values (e.g., as by determining the mean, median, or mode of the separate correlation values) exceeds the threshold, the URL is declared part of a phishing attack – Kumar: par. 0052 and 0055).

Per claim 6, Kumar in view of Jeyakumar discloses the method of claim 1, wherein the server computer system trains a plurality of machine learning modules based on the set of Internet domain names including multiple domain names (Each confidence of the plurality of confidences corresponds to a separate webpage family of the URLs provided to the PDAS 400 during training (“the training set”). As an illustrative example, when the training set includes URLs for Bank of America, Wells Fargo, First Republic, and other known banking webpages for a total of twenty (20) banking webpages in the training set, the analysis of the feature vector of the subject screenshot during the detection process may result in 20 confidence – Kumar: par. 0060 – Note: each URL of the URLs in the training set results in a different confidence).

Per claim 8, Kumar in view of Jeyakumar discloses the method of claim 1, wherein the one or more machine learning modules are machine learning classifiers (the training process begins upon receipt of a list of labeled URLs. The list of URLs resolves to webpages that are generally known to be typically targeted for use in phishing attacks such as login webpages of banks or other online accounts of well-known companies such as Apple iTunes®, Spotify®, Netflix®, etc. The list of URLs (wherein the set of URLs is referred to as the “training set”) may be obtained or updated periodically or aperiodically for training of the PDAS classifier logic so as to reflect commonly visited websites – Kumar: par. 0019).

Per claim 12, Kumar in view of Jeyakumar discloses the non-transitory computer-readable medium of claim 9, wherein the operations further comprise: 
receiving, from the computing device, a report indicating suspiciousness of the user interface accessed by the computing device (a plurality of screenshots may be associated with a single webpage family as mentioned above, in which case an image comparison would be performed between the subject screenshot and each screenshot of the plurality of screenshots corresponding to the most highly correlated webpage family. If this image comparison exceeds a threshold, the subject URL is determined to be associated with a phishing cyberattack. Upon determination of the subject URL being associated with a phishing cyberattack, an alert and/or a report is issued to an administrator or a cybersecurity analyst – Kumar: par. 0025 and 0062), wherein the report is generated in response to: 
identifying that the user interface accessed by the computing device matches a user interface associated with the set of Internet domain names (the PDAS 400 may receive an object and, in such an embodiment, an optional URL extractor 114 may first extract the subject URL (e.g., from an email or other object) and provide the extracted subject URL to the pre-filter 116 for pre-filtering… When the subject URL is not found to be either malicious or benign, the subject URL is provided to the content fetcher 104, which obtains, in some embodiments, generates, a screenshot of the webpage to which the URL resolves – Kumar: par. 0052); and 
verifying an address used by the computing device to access the user interface, wherein the computing device accesses the user interface via a web browser, and wherein the user interface accessed by the computing device is a webpage (The pre-filter 116 performs a pre-filtering process, such as one or more static scans, on the URL, which may include performing whitelist/blacklist comparisons…When the image comparison results in a match (e.g., correlation value) above a predefined threshold, the PDAS 400 determines that the subject webpage and the subject URL itself are part of a phishing attack. Where two or more webpages within a webpage family are used, the comparison with the subject webpage may be made separately for each of the webpages and, in alternatively embodiments (i) if any or a prescribed number of the resulting correlation values exceed the threshold, the URL is declared part of a phishing attack, or (ii) if the correlation value determined by statistically combining the separate correlation values (e.g., as by determining the mean, median, or mode of the separate correlation values) exceeds the threshold, the URL is declared part of a phishing attack – Kumar: par. 0052 and 0055).
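
The decision flow in the Kumar passages quoted above (pre-filter, par. 0058; highest-confidence webpage family, par. 0060-0061; combining several correlation values, par. 0055) can be sketched as follows. This is an added example, not part of the Office action or of Kumar's disclosure; the hostnames, confidences, correlation values, the 0.8 threshold and the exact-hostname list matching are constructed assumptions.

```python
"""Sketch of the pre-filter / family / threshold flow (constructed data)."""
from statistics import mean, median
from urllib.parse import urlsplit

# Assumption: lists are keyed by exact hostname. The quoted text only says
# "whitelisted URLs" and "blacklisted URLs" without giving a match rule.
WHITELIST = {"login.bank.example"}
BLACKLIST = {"known-bad.test"}

# Constructed classifier output: one confidence per webpage family.
CONFIDENCES = {"bank": 0.91, "music": 0.12}
# Constructed image-comparison results: one correlation value per reference
# screenshot of each family (e.g. one per browser/OS combination).
CORRELATIONS = {"bank": [0.95, 0.62, 0.58], "music": [0.10]}


def host_of(url):
    """Lower-cased hostname without a trailing dot, or '' if there is none."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def prefilter(url, whitelist=WHITELIST, blacklist=BLACKLIST):
    """Static scan: remove URLs already known to be benign or malicious."""
    host = host_of(url)
    if host in blacklist:
        return "malicious"
    if host in whitelist:
        return "benign"
    return "unknown"


def top_family(confidences):
    """Return (family, confidence) for the highest-confidence family."""
    if not confidences:
        raise ValueError("classifier returned no confidences")
    family = max(confidences, key=confidences.get)
    return family, confidences[family]


def family_match(correlations, threshold, policy="count", min_hits=1):
    """Combine per-screenshot correlation values into one match decision.

    policy="count": alternative (i), at least min_hits values exceed the
    threshold (min_hits=1 is the "any" case).
    policy="mean" / "median": alternative (ii), the statistically combined
    value exceeds the threshold. Mode is omitted here because it is rarely
    meaningful for continuous scores.
    """
    if not correlations:
        return False
    if policy == "count":
        return sum(c > threshold for c in correlations) >= min_hits
    if policy == "mean":
        return mean(correlations) > threshold
    if policy == "median":
        return median(correlations) > threshold
    raise ValueError(f"unknown policy: {policy}")


def classify(url, confidences=CONFIDENCES, correlations=CORRELATIONS,
             threshold=0.8, policy="count", min_hits=1):
    """Return (verdict, family). Only URLs the pre-filter cannot settle are
    compared visually; a close visual match on such a URL is the phishing
    signal, because the genuine page would have been whitelisted."""
    verdict = prefilter(url)
    if verdict != "unknown":
        return verdict, None
    family, _ = top_family(confidences)
    if family_match(correlations.get(family, []), threshold, policy, min_hits):
        return "phishing", family
    return "no-match", family


if __name__ == "__main__":
    lookalike = "https://login.bank.example.account-check.test/signin"
    for policy, hits in (("count", 1), ("count", 2), ("mean", 1), ("median", 1)):
        print(policy, hits, classify(lookalike, policy=policy, min_hits=hits))
    print(classify("https://login.bank.example/signin"))
```

With the same three correlation values, the "any" policy flags the look-alike host while the mean, median and two-hit policies do not, so the choice between alternatives (i) and (ii) directly sets the false-negative rate when only one browser/OS rendering matches closely.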

Per claim 13, Kumar in view of Jeyakumar discloses the non-transitory computer-readable medium of claim 12, wherein a number of machine learning modules that are trained is based on a number of domain names included in the set of Internet domain names (when the training set includes URLs for Bank of America, Wells Fargo, First Republic, and other known banking webpages for a total of twenty (20) banking webpages in the training set, the analysis of the feature vector of the subject screenshot during the detection process may result in 20 confidence – Kumar: par. 0060).

2.	Claims 3, 5, 7, 11 and 16-17 are rejected under 35 U.S.C. 103 as being unpatentable over Kumar, US2019/0104154 in view of Jeyakumar, US2020/0389486 as applied to claims 1 and 9 above, further in view of Nunes, US2021/0203690.

Per claims 3 and 11, Kumar in view of Jeyakumar discloses features of claims 1 and 9. 
Kumar or Jeyakumar is not relied on to explicitly disclose but Nunes discloses wherein the generating includes: 
identifying, based on program code of user interfaces associated with domain names included in the set, one or more user interfaces that include requests for personal information of a user of the computing device (The screenshot analysis engine can use various legitimate webpages that correspond to typical web pages of the business performing the detection functions. For text elements, the screenshot analysis engine can determine whether certain keywords found in the suspect text like login, username, password, etc. are indicators of a malicious page (e.g., a phishing determination). In some embodiments, the screenshot analysis engine can make the phishing determination in conjunction with some analysis of the content phishing detection engine that can be performed on the suspect text and/or features of the suspect webpage – Nunes: par. 0059); and 
capturing screenshots of user interfaces that include requests for personal information (As The screenshot analysis engine can use a machine learning model (MLL) where screenshots of legitimate webpages can be fed to the MLL in order to learn features like color scheme, shape of the buttons, location of the elements on the legitimate webpages. The MLL can then be used to detect similar looking pages that are received by the ingestion module, such as where a high degree of similarity of a suspect webpage can indicate a high likelihood of phishing. The result from the screenshot analysis engine can be a decision indicating whether the web page is a phishing web page, a score (e.g., a confidence indication) of the decision, and supporting data such as indications of malicious portions of the OCR-ed suspect text and/or features of the suspect webpage – Nunes: par. 0059).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Kumar and Jeyakumar further in view of Nunes to include identifying, based on program code of user interfaces associated with domain names included in the set, one or more user interfaces that include requests for personal information of a user of the computing device; and capturing screenshots of user interfaces that include requests for personal information.
One of ordinary skill in the art would have been motivated because it would allow determining “identity theft by deceiving users to appear as legitimate websites, links, emails, etc., while in actuality baiting the user to voluntarily provide personal and/or confidential information to the bad actor” – Nunes: par. 0023.

Per claim 5, Kumar and Jeyakumar further in view of Nunes discloses the method of claim 4, wherein the address is a uniform resource locator (URL) that is usable by the web browser to display the webpage (The PDAS may obtain a plurality of screenshots corresponding to a webpage associated with a URL, each such screenshot corresponding to a browser/operating system combination. A screenshot of the webpage to which each URL resolves is obtained by the PDAS, which then utilizes computer vision techniques to detect keypoints, determine keypoint descriptors and generate a feature vector for each screenshot – Kumar: par. 0072 – Note:– par. 0019).
Kumar is not relied on to explicitly disclose but Jeyakumar discloses wherein the application is a browser plugin module installed on the computing device that is executable to download one or more machine learning modules from the server computer system, and wherein the address is a uniform resource locator (URL) that is usable by the web browser to display the webpage (if the second output indicates that the email includes a link to an HTML resource, the threat detection platform may follow the link so that the HTML resource is accessed using a virtual web browser, capture a screenshot of the HTML resource through the virtual web browser, apply a computer vision (CV) algorithm designed to identity similarities between the screenshot and a library of verified sign-in websites, and determine whether – Jeyakumar: par. 0217).
The same motivation to modify Kumar in view of Jeyakumar applied to claim 1 above applies here.

Per claim 7, Kumar in view of Jeyakumar discloses the method of claim 1, further comprising: receiving, from the computing device, a report indicating suspiciousness of the user interface accessed by the computing device (a plurality of screenshots may be associated with a single webpage family as mentioned above, in which case an image comparison would be performed between the subject screenshot and each screenshot of the plurality of screenshots corresponding to the most highly correlated webpage family. If this image comparison exceeds a threshold, the subject URL is determined to be associated with a phishing cyberattack. Upon determination of the subject URL being associated with a phishing cyberattack, an alert and/or a report is issued to an administrator or a cybersecurity analyst – Kumar: par. 0025), 
Kumar or Jeyakumar is not relied on to disclose but Nunes discloses wherein the report includes at least geolocation information of the computing device and a screenshot of the user interface (The action protocol can define use of action packets that will enable the services 106 to perform action(s) on the malware and/or phishing element without necessarily performing any manual verification steps. The action protocol can define characteristics used to retrieve some supporting data such as device characteristics, Operating System (OS), browser version & headers, IP address-based geolocation, and/or autonomous system number (ASN), of device(s) from which the data was obtained. The evidence package can include metadata on the domain registration, hosting IP/network, SSL certificate, and/or screenshot(s) of the suspect webpage, among others – Nunes: par. 0069).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Kumar and Jeyakumar further in view of Nunes to include generating, based on the determining, a report for the user interface requested for display, wherein the report includes at least the current screenshot and the URL of the user interface.
One of ordinary skill in the art would have been motivated because it would allow to “implement an action protocol with dynamic fields based on the number and/or type of detection functions that were performed on the particular phishing URL (or malware)” – Nunes: par. 0068.

Per claim 16, Kumar in view of Nunes discloses the non-transitory computer-readable medium of claim 15, wherein the instructions are further executable by the plugin to perform a set of training operations that comprise: 
transmitting a set of Internet domain names to a training server (the detection process begins when the PDAS 400 receives a subject URL – Kumar: par. 0052) that in view of Nunes, it is configured to: 
access authentic user interfaces for the set of Internet domain names (The screenshot analysis engine can use various legitimate webpages that correspond to typical web pages of the business performing the detection functions. For text elements, the screenshot analysis engine can determine whether certain keywords found in the suspect text like login, username, password, etc. are indicators of a malicious page (e.g., a phishing determination) – Nunes: par. 0059 – Note: a URL resolves to a screenshot corresponding to a browser/operating system combination. Features of each screenshot are inserted into separate vectors and labeled according to a webpage family to which the URL corresponding to the feature vector belongs. The plurality of labeled feature vectors are then used by the PDAS to generate a model using machine learning. As mentioned above, the model is a digitized representation of the correlation of the feature vectors corresponding to the URLs within the training set of URLs); and 
use screenshots of the accessed authentic user interfaces to train the machine learning module (The screenshot analysis engine can use a machine learning model (MLL) where screenshots of legitimate webpages can be fed to the MLL in order to learn features like color scheme, shape of the buttons, location of the elements on the legitimate webpages – Nunes: par. 0059);
The same motivation to modify Kumar in view of Nunes applied to claim 7 above applies here.
 and Kumar or Nunes is not relied on to disclose but Jeyakumar discloses receiving the trained machine learning module from the training server (The threat detection platform can then download resources from the storage medium(s) to build a ML model that can be used to identify email-based security threats. Thus, the threat detection platform can build a ML model based on retrospective information in order to better identify security threats in real time as emails are received. For example, the threat detection platform may ingest incoming emails and/or outgoing emails corresponding to the last six months, and then the threat detection platform may build a ML model that understands the norms of communication with internal contacts (e.g., other employees) and/or external contacts (e.g., vendors) for the enterprise… Such an approach allows the threat detection platform to employ an effective ML model nearly immediately upon receiving approval from the enterprise to deploy it – Jeyakumar: par. 0130-0131 – Note: generating and deploying an ML model customized for an enterprise’s email application).
The same motivation to modify Kumar in view of Jeyakumar applied to claim 1 above applies here.

Per claim 17, Kumar, Nunes and Jeyakumar disclose the non-transitory computer-readable medium of claim 16, wherein the set of security operations further comprise: 
generating the set of Internet domain names based on information stored in a browser account manager of the computing device (the training process begins upon receipt of a list of labeled URLs. The list of URLs resolves to webpages that are generally known to be typically targeted for use in phishing attacks such as login webpages of banks or other online accounts of well-known companies such as Apple iTunes®, Spotify®, Netflix®, etc. The list of URLs (wherein the set of URLs is referred to as the “training set”) may be obtained or updated periodically or aperiodically for training of the PDAS classifier logic so as to reflect commonly visited websites. The PDAS may obtain a plurality of screenshots corresponding to a webpage associated with a URL, each such screenshot corresponding to a browser/operating system combination. A screenshot of the webpage to which each URL resolves is obtained by the PDAS, which then utilizes computer vision techniques to detect keypoints, determine keypoint descriptors and generate a feature vector for each screenshot… The features of each screenshot are inserted into separate vectors and labeled according to the webpage family to which the URL corresponding to the feature vector belongs. The plurality of labeled feature vectors are then used by the PDAS to generate a model using machine learning – Kumar: par. 0019).

3.	Claim(s) 15 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Kumar, US2019/0104154 in view of Nunes, US2019/0203690.

Per claim 15, Kumar discloses the non-transitory computer-readable medium of claim 14. 
Kumar is not relied on to disclose but Nunes discloses wherein the capturing of the current screenshot is performed in response to identifying that the user interface requested for display includes a request for personal information of a user of the computing device (The screenshot analysis engine can use a machine learning model (MLL) where screenshots of legitimate webpages can be fed to the MLL in order to learn features like color scheme, shape of the buttons, location of the elements on the legitimate webpages. The MLL can then be used to detect similar looking pages that are received by the ingestion module, such as where a high degree of similarity of a suspect webpage can indicate a high likelihood of phishing. The result from the screenshot analysis engine can be a decision indicating whether the web page is a phishing web page, a score (e.g., a confidence indication) of the decision, and supporting data such as indications of malicious portions of the OCR-ed suspect text and/or features of the suspect webpage – Nunes: par. 0059 – Note: wherein the screenshot analysis engine can determine whether certain keywords found in the suspect text like login, username, password, etc. are indicators of a malicious page (e.g., a phishing determination). In some embodiments, the screenshot analysis engine can make the phishing determination in conjunction with some analysis of the content phishing detection engine that can be performed on the suspect text and/or features of the suspect webpage).
The same motivation to modify Kumar in view of Nunes applied to claim 3 above applies here.

Per claim 20, Kumar discloses the non-transitory computer-readable medium of claim 14, wherein the set of security operations further comprise: 
generating, based on the determining, a report for the user interface requested for display (a plurality of screenshots may be associated with a single webpage family as mentioned above, in which case an image comparison would be performed between the subject screenshot and each screenshot of the plurality of screenshots corresponding to the most highly correlated webpage family. If this image comparison exceeds a threshold, the subject URL is determined to be associated with a phishing cyberattack. Upon determination of the subject URL being associated with a phishing cyberattack, an alert and/or a report is issued to an administrator or a cybersecurity analyst – Kumar: par. 0025 and par. 0062), Kumar and Jeyakumar are not relied on to disclose but Nunes discloses wherein the report includes at least the current screenshot and the URL of the user interface (The action protocol can define use of action packets that will enable the services 106 to perform action(s) on the malware and/or phishing element without necessarily performing any manual verification steps. The action protocol can define characteristics used to retrieve some supporting data such as device characteristics, Operating System (OS), browser version & headers, IP address-based geolocation, and/or autonomous system number (ASN), of device(s) from which the data was obtained. The evidence package can include metadata on the domain registration, hosting IP/network, SSL certificate, and/or screenshot(s) of the suspect webpage, among others – Nunes: par. 0069).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Kumar and Jeyakumar further in view of Nunes to include generating, based on the determining, a report for the user interface requested for display, wherein the report includes at least the current screenshot and the URL of the user interface.
One of ordinary skill in the art would have been motivated because it would allow one to “implement an action protocol with dynamic fields based on the number and/or type of detection functions that were performed on the particular phishing URL (or malware)” – Nunes: par. 0068.

4.	Claim 19 is rejected under 35 U.S.C. 103 as being unpatentable over Kumar, US2019/0104154 in view of Narayanaswamy, US2021/0234892.


Per claim 19, Kumar discloses the non-transitory computer-readable medium of claim 18.
Kumar is not relied on to disclose but Narayanaswamy discloses wherein the verifying further includes: 
in response to determining that the URL of the user interface requested for display and the URL of the particular authentic user interface are not the same (The particular hosted service can be a cloud computing and storage service and the webpage can be hosted on the cloud computing and storage service. The webpage can have a uniform resource locator (URL) of the cloud computing and storage service that is different from one or more official URLs of the particular hosted service – Narayanaswamy: par. 0113), determining that the user interface requested for display is suspicious (An endpoint security system intercepts a webpage rendered by a server in response to a user action executed on a client. The endpoint security system analyzes one or more images of the webpage and determines that a particular hosted service is represented by the images. The webpage is accompanied with a valid domain and certificate issued by the particular hosted service and impersonates one or more official webpages of the particular hosted service – Narayanaswamy: par. 0120).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Kumar in view of Narayanaswamy to include in response to determining that the URL of the user interface requested for display and the URL of the particular authentic user interface are not the same, determining that the user interface requested for display is suspicious.
One of ordinary skill in the art would have been motivated because it would allow “preventing exfiltration of confidential information to an unsanctioned resource by comparing a resource address in a request with sanctioned resource addresses used by the hosted services and identified in the metadata store” – Narayanaswamy: par. 0036.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 

Bowditch (US2020/0358819) discloses a detection and extraction processor for receiving and analyzing information/data related to one or more requests for user information, such as an email requesting user credentials or personal information, a webpage prompting requiring entry of a user's login credentials, a link to a webpage or email, etc., wherein a computer vision model reviews the webpage/login site from the detection and extraction processor and facilitates extraction or obtaining of one or more screenshots or images, e.g., screenshots or images of an email, webpage, login page, etc.

Hunt (US2020/0204587) discloses selecting a phishing policy based on information associated with a website, where the phishing policy has multiple phishing models. A phishing model is selected from multiple phishing models to apply to the website. Website information is analyzed to identify multiple common sources of phishing features on the website.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to AREZOO SHERKAT whose telephone number is (571)272-8533. The examiner can normally be reached Monday - Friday 8:30-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung Kim, can be reached on 571-272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/AREZOO SHERKAT/            Examiner, Art Unit 2494