DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This office action is in response to the communication filed on 09/26/2019.
Claims 12 and 20 are pending for consideration.
Claims 1-11 and 13-19 are non-elected.
Election/Restrictions
Restriction to one of the following inventions is required under 35 U.S.C. 121:
I. Claims 1-11 and 13-19, drawn a method to detecting phishing webpages, classified in H04L 63/1483.
II. Claims 12 and 20, drawn to a method for maintaining, by a server of an online security service, a first database of a plurality of suspicious webpages that have been reported by one or more clients of subscribers of a plurality of subscribers, classified in G06F 16/217.
Inventions in group (I) and group (II) are directed to related because the database of fingerprints created by group (II) is used by group (I) to detect phishing webpages. The related inventions are distinct if: (1) the inventions as claimed are either not capable of use together or can have a materially different design, mode of operation, function, or effect; (2) the inventions do not overlap in scope, i.e., are mutually exclusive; and (3) the inventions as claimed are not obvious variants.  See MPEP § 806.05(j). In the instant case, the inventions as claimed have distinct modes of operation, do not overlap in scope, nor are they obvious variations of each other.  Furthermore, the inventions as claimed do not encompass overlapping subject matter and there is nothing of record to show them to be obvious variants.
	Restriction for examination purposes as indicated is proper because all the inventions listed in this action are independent or distinct for the reasons given above and there would be a serious search and/or examination burden if restriction were not required because one or more of the following reasons apply:
The claimed inventions have distinct and non-overlapping search scope.
Applicant is advised that the reply to this requirement to be complete must include (i) an election of an invention to be examined even though the requirement may be traversed (37 CFR 1.143) and (ii) identification of the claims encompassing the elected invention. 
The election of an invention may be made with or without traverse. To reserve a right to petition, the election must be made with traverse. If the reply does not distinctly and specifically point out supposed errors in the restriction requirement, the election shall be treated as an election without traverse. Traversal must be presented at the time of election in order to be considered timely. Failure to timely traverse the requirement will result in the loss of right to petition under 37 CFR 1.144. If claims are added after the election, applicant must indicate which of these claims are readable upon the elected invention.
Should applicant traverse on the ground that the inventions are not patentably distinct, applicant should submit evidence or identify such evidence now of record showing the inventions to be obvious variants or clearly admit on the record that this is the case. In either instance, if the examiner finds one of the inventions unpatentable over the prior art, the evidence or admission may be used in a rejection under 35 U.S.C. 103 or pre-AIA  35 U.S.C. 103(a) of the other invention.
During a telephone conversation with Attorney Dorian Cartwright, Registration No.53853 on 2/10/2022 a provisional election was made with traverse to prosecute the invention of (II), claims 12 and 20.  Affirmation of this election must be made by applicant in replying to this Office action.  Claims 1-11 and 13-19 withdrawn from further consideration by the examiner, 37 CFR 1.142(b), as being drawn to a non-elected invention.
Claim Objections
Claims 12 and 20 are objected to because of the following informalities:
	Claims 12 and 20 recites limitation “facilitating, by the server, detection of phishing webpages by a plurality of client devices periodically delivering, by the server, updates to clients of the plurality of subscribers, including at least representative fingerprints of new clusters added to the plurality of clusters of fingerprints, if any, since a most recent update”. The claims should recite “facilitating, by the server, detection of phishing webpages by a plurality of client devices by periodically delivering, by the server, updates to clients of the plurality of subscribers, including at least representative fingerprints of new clusters added to the plurality of clusters of fingerprints, when any, since a most recent update” instead.

Appropriate corrections are required.
Claim Rejections - 35 USC § 112	The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 12 and 20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.	Regarding claims 12 and 20, the claims recite limitation “clients of the subscribers” in lines 7 and 8-9 of claim 12 and lines 9 and 11 of claim 20.  It is unclear if the limitation refers to “one or more clients of subscribers of a plurality of subscribers” in lines 3-4 of claim 12 and 5-6 of claim 20, respectively, or it refers to something else.	For the purpose of prior art examination, the claims are interpreted as best understood.		Appropriate corrections are required.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 12 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over KOHAVI; LIOR et al. (US 20200036751 A1, hereinafter Kohavi) in view of Keren; Yoav (US 20200311790 A, hereinafter Keren) and further in view of REDDEKOPP; ROD et al. (US 20200226214 A1, hereinafter Reddekopp) and Perdisci; Roberto et al. (US 20110283361 A1, Perdisci).

	Regarding claim 12, Kohavi teaches a method comprising:
	maintaining, by a server of an online security service, a first database of a plurality of suspicious webpages ([0053] Messages handled by server 114 may contain URLs and system 100 determines whether these URLs are phishing URLs or not. URLs lead to webpages 150, and the URLs and webpages are analyzed by system 100 to determine if these webpages 150 are phishing pages; ¶77, existing webpage fingerprints (stored in copy DB 128), a stored fingerprint of a known phishing page), for each suspicious webpage of the plurality of suspicious webpages (¶53, webpages 150; ¶77), a suspicious fingerprint of the suspicious webpage generated based on application of a hash function to an image of the suspicious webpage (¶77, computing webpage fingerprints for HTML page);
	maintaining, by the server, a second database of a plurality of confirmed phishing webpages  (¶54; ¶56-¶57; figs. 1A-B, any of two databases 128 and 132; see also ¶63, ¶65), including, for each confirmed phishing webpage of the plurality of confirmed phishing webpages, a confirmed fingerprint of the confirmed phishing webpage generated based on application of the hash function to an image of the confirmed phishing webpage (¶77; see also ¶54; ¶56-¶57; figs. 1A-B, databases 128 and 132; see also ¶63, ¶65);	Kohavi teaches the limitations of the claimed invention (see discussion above) including the detection of phishing webpages and the generation of fingerprints for webpages.  However, Kohavi does not explicitly disclose the following limitations that Keren teaches:	suspicious webpages that have been reported by one or more clients of subscribers of a plurality of subscribers to the online security service (Keren [0020], for example, the user installs on his Electronic Device a Warning Module, such as an “app” or application or plug-in or browser-extension or browser add-on or a locally installed software or a native software; Keren ¶149, receiving a plurality of user-submitted reports regarding whether a particular online venue is a phishing venue, users to report phishing venues or sites or emails; ¶151);	a first count of reports received by clients of the subscribers identifying the suspicious webpage as a phishing webpage (Keren [0014], In the discussion herein a “Fraud Online Item”, or a “Fraudulent Online Item”, or a “Fraudulent Products Online Item” may comprise: an Online Item that is used to commit or trying to commit fraud, and/or an Online Item that is trying or attempting to steal users credentials (for example, login details to a bank account online) by performing different deceiving methods (e.g., “Phishing”); Keren ¶142; see also Karen ¶52, ¶61, ¶64, ¶67),
a second count of reports received by clients of the subscribers identifying the suspicious webpage as not being a phishing webpage (Keren ¶14; Keren ¶142), and 	comparing the ratio for the suspicious webpage to a predetermined or configurable threshold (Keren ¶14; ¶142, the system determines that a pre-defined size of majority votes (e.g., 50 votes out of the 56 votes casted) indicate counterfeit assets and/or false information); and
	said comparing is indicative of the suspicious webpage being a confirmed phishing webpage (Keren ¶14; ¶142, indicate counterfeit assets and/or false information; and therefore, the system determines that a consensus was reached regarding such result).	facilitating, by the server, detection of phishing webpages by a plurality of client devices (¶14, ¶147, publishing through a block-chain data-set at least: (i) one or more user-submitted reports regarding authenticity of said online destination, and (ii) a stamp of approval regarding authenticity of said online destination. This may enable the public, or users, or premium users that receive an access code to the blockchain data-set, to autonomously search and/or check whether a particular online destination or venue is authentic and/or sells authentic products and/or publishes legitimate information; see also ¶148-¶151).	It would be obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Keren, which teaches users reporting webpages as phishing or not and the confirmation of webpages as phishing using a vote ratio into the teaching of Kohavi to result in the limitations of the claimed invention.
	One of ordinary skilled would be motivated to do so as incorporating Keren’s teaching would help improve network security. In addition, both references teach features that are directed to analogous art, such as, phishing detections. This close relation between both references highly suggests an expectation of success when combined.	Although the combination of Kohavi in view of Keren teaches detection of phishing web pages by comparing fingerprints (Kohavi ¶11), a database for storing fingerprints of suspicious webpages and an update process using periodic schedule incrementally changes since the previous update (Kohavi ¶54, phishing URL detection is provided by a service provider 60 where service provider 60 provides local and remote software modules for detection of phishing URLs in messages of network 110 ¶57, updates are performed continually or at fixed time intervals. In some embodiments, updates are incremental changes since the previous update), and Keren teaches comparing is indicative of the suspicious webpage being a confirmed phishing webpage (¶142), the combination does not explicitly disclose periodically updating, by the server, the plurality of clusters of fingerprints, by, for each suspicious webpage and the following limitations that Reddekopp teaches:	the plurality of clusters of fingerprints (Reddekopp abstract, cluster signature that represents messages of one of many clusters that have distinct signatures; ¶16, a cluster signature that represents messages of one of many clusters that have distinct signatures; ¶56, cluster signature 162),
	an indication regarding a cluster of a plurality of clusters of fingerprints with which the confirmed fingerprint is associated, and an indication regarding whether the confirmed fingerprint is a representative of the cluster (¶16, the message signature is matched to a cluster signature; ¶56, then current message 111 may join the cluster having signature 162; [0051] Processing each message entails assigning the message to a cluster. Because initially there are no clusters, message 114 becomes its own cluster. Initial signature 180 of message 114 is copied as initial cluster signature 162 of the first cluster; ¶57, new cluster is created for message 111 in more or less the same way as creating a first cluster for a first message).
	performing a clustering process to either add the Reddekopp abstract and ¶16, the message signature is matched to a cluster signature that represents messages of one of many clusters that have distinct signatures. The training message is added to the cluster; [0056] If message signature 170 matches cluster signature 162, then current message 111 may join the cluster having signature 162. Thus, messages 111 and 114 would be in a same cluster. In an embodiment, current message 111 joins whichever cluster has the highest signature match probability; [0057] If message signature 170 matches no cluster, or if the highest signature match probability does not exceed a threshold, then a new cluster is created for message 111 in more or less the same way as creating a first cluster for a first message. Thus during training, clusters organically grow by monotonically increase in number (i.e. as dissimilar messages are processed) and individual size (i.e. as similar message as processed). Training finishes after all messages of the training corpus are processed; [0051] Processing each message entails assigning the message to a cluster. Because initially there are no clusters, message 114 becomes its own cluster. Initial signature 180 of message 114 is copied as initial cluster signature 162 of the first cluster. A signature of a cluster and/or message may evolve as explained later herein).
	It would be obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Reddekopp, which teaches clustering of signatures into the teaching of Kohavi in view of Keren who teaches fingerprints of phishing webpages to result in the limitations of the claimed invention.
	One of ordinary skilled would be motivated to do so as incorporating Reddekopp’s teaching would help improve system performance when determining matches of phishing webpages (Reddekopp abstract, ¶35). In addition, both references teach features that are directed to analogous art, such as, security and monitoring (Reddekopp ¶21). This close relation between both references highly suggests an expectation of success when combined.	Although Kohavi teaches detection of phishing web pages by comparing fingerprints (Kohavi ¶11) and an update process using periodic schedule incrementally changes since the previous update (Kohavi ¶57, updates are performed continually or at fixed time intervals. In some embodiments, updates are incremental changes since the previous update), Keren teaches facilitating, by the server, detection of [counterfeit goods or publishes false or fake information] webpages by a plurality of client devices delivering, by the server, updates to clients of the plurality of subscribers and Reddekopp teaches the representative fingerprints of new clusters added to the plurality of clusters of fingerprints, the combination of Kohavi in view of Keren and Reddekopp does not explicitly disclose the updates including at least representative fingerprints of new clusters added to the plurality of clusters of fingerprints, if any.
	On the other hand,
	Perdisci teaches updates including at least representative fingerprints of new clusters added to the plurality of clusters of fingerprints, if any ([0008] FIG. 2, sequences of HTTP requests from the malware samples can be recorded and sent to the clustering application 105. In 205, the malware samples can be clustered by the clustering application 105. In 210, the HTTP requests generated by the malware samples in each cluster can be processed by extracting network signatures using the clustering application 105. In 215, the network signatures for the cluster can be deployed by any intrusion detection system 130 to detect malicious outbound HTTP requests; [0117] The centroid of Ci can be represented as a set of network signatures; ¶122, the centroid S.sub.i={s.sub.k}, where k=1, . . . l.sub.i, comprises a set of network signatures; [0135] Extract network signatures from clusters, once clusters are found that share similar HTTP behavior, for each of these clusters Ci (where i=1 . . . c), an updated centroid signature set S', can be computed using the same algorithm used for computing cluster centroids, the server name or IP do not need to be considered when generating network signatures; See also FIG. 2, ¶148-¶153).
	It would be obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Perdisci, which teaches the deployment of network centroid signatures of cluster into the teaching of Kohavi in view of Keren and Reddekopp who teaches periodically updates clients with changes since last update for detecting phishing sites to result in the limitations of the claimed invention.
	One of ordinary skilled would be motivated to do so as incorporating Perdisci’s teaching would help improve system security (Perdisci ¶8-¶12, ¶46). In addition, both references teach features that are directed to analogous art, such as, security (Perdisci ¶8-¶12, ¶46). This close relation between both references highly suggests an expectation of success when combined.	Regarding claim 20, the claim recites essentially the same limitations as that of claim 12.  The claim 20 is rejected for the same reasons as that of claim 12.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 20180343283 A1 - report phishing URLs to the centralized service/remote computer server and storage 422 and receive therefrom updates to the list of trusted websites.
US 8984640 B1 - a count may be kept of the number of times that a substantially identical URL has been reported, and a report may be considered confirmed when the number of times a substantially identical URL has been reported reaches a threshold, a report may be validated by fetching a document corresponding to a reported URL and determining whether the document contains suspicious content.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Vy Huy Ho whose telephone number is (571) 272-3261.  The examiner can normally be reached on Monday - Friday 7:30 am-5:30 pm.
	Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
	If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni A. Shiferaw can be reached on (571) 272-3867.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
	Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/V.H.H/
Examiner, Art Unit 2497

/IZUNNA OKEKE/Primary Examiner, Art Unit 2497