Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

DETAILED ACTION
Claims 1-20 are presented for examination.


Information Disclosure Statement
The information disclosure statement (IDS) submitted on 07/21/2021 and 12/21/2020 have been considered. The submission is in compliance with the provisions of 37 CFR 1.97. Form PTO-1449 is signed and attached hereto.

Drawings
The drawings filed on 12/21/2020 are accepted by the examiner.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.   A nonstatutory obviousness-type double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and  In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the conflicting application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. 
Effective January 1, 1994, a registered attorney or agent of record may sign a terminal disclaimer. A terminal disclaimer signed by the assignee must fully comply with 37 CFR 3.73(b).
Claims of Patent # 10902124 contains every element of claims 1-20 of the instant application. Claims of the instant application therefore are not patently distinct from the earlier patent claims and as such are unpatentable over obvious-type double patenting. A later patent claim is not patentably distinct from an earlier claim if the later claim is anticipated by the earlier claim. 
 “A later patent claim is not patentably distinct from an earlier patent claim if the later claim is obvious over, or anticipated by, the earlier claim.  In re Longi, 759 F.2d at 896, 225 USPQ at 651 (affirming a holding of obviousness-type double patenting because the claims at issue were obvious over claims in four prior art patents); In re Berg, 140 F.3d at 1437, 46 USPQ2d at 1233 (Fed. Cir. 1998) (affirming a holding of obviousness-type double patenting where a patent application claim to a genus is anticipated by a patent claim to a species within that genus). “  ELI LILLY AND COMPANY v BARR LABORATORIES, INC., United States Court of Appeals for the Federal Circuit, ON PETITION FOR REHEARING EN BANC (DECIDED:  May 30, 2001). 
Furthermore, the ODP is not the only outstanding rejection and the claims, if allowed, would improperly extend the "right to exclude" already granted in the patent. A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the conflicting application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. 


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

1.	Claims 1-20 rejected under 35 U.S.C. 103 as being unpatentable over Friedrichs et al. (US Pub No. 2012/0227105, hereinafter “Friedrichs”) in view of Banerjee et al. (US Pub No. 2020/0186088, hereinafter “Banerjee”).

Regarding claim 1, Friedrichs does disclose, a computer-implemented method for malicious object classification, comprising: generating one or more feature vectors based on the received content (Friedrichs, (para. [0011]), there is a feature extraction phase in which a client system can extract a feature vector from a potentially malicious software application); providing a classification model trained using a set of content sources known to be benign and a set of content sources known to be malicious; and evaluating, using the classification model, the one or more feature vectors to generate a score indicating whether the content comprises one or more malicious objects  (Friedrichs, (para. [0011]), transmit it (extracted feature) to a back-end server for evaluation, there is an evaluation phase wherein the model is applied to the extracted feature vector to determine whether the application of interest is likely malicious or benign (... possibly a score that represents the likelihood of this distinction--e.g., a score from 0 to 100 where 0 represents that an application is with overwhelming likelihood clean and 100 means an application is with overwhelming likelihood malign).  
Friedrichs does not explicitly disclose but the analogous art Banerjee discloses, receiving content from a threat processor, the content comprising one or more objects associated with HTML content (Banerjee, (para. [0103]), the module detects and analyzes code that can be found in (a) the webpage, (b) in web-objects within that page, and (c) websites pointed to by hyperlinks from the web page. The term web objects refer herein to all code and other elements of a web page, files embedded or linked from the page, the hyperlinks in the page, web advertisements in the page, and the web-objects found on the websites linked from the page and its advertisement). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Friedrichs by including the content comprising one or more objects associated with HTML content taught by Banerjee for the advantage of providing an automated identification of phishing, phony, and malicious web sites (Banerjee, (para. [0002])).

Regarding claim 2, the combination of Friedrichs-Banerjee does disclose the computer-implemented method of claim 1, further comprising providing the generated score to the computing system (Friedrich, (para. [0032]), within the context of anti-malware solutions, machine learning techniques may be used to identify whether a given software application is likely to be malicious or benign, and potentially produce a score that reflects the confidence in that classification).  

Regarding claim 3, the combination of Friedrichs-Banerjee does disclose the computer-implemented method of claim 2, wherein providing the generated score comprises providing an indication that the content is one of malicious and benign (Friedrichs, (para. [0011]), ... possibly a score that represents the likelihood of this distinction--e.g., a score from 0 to 100 where 0 represents that an application is with overwhelming likelihood clean and 100 means an application is with overwhelming likelihood malign…).  

Regarding claim 4, the combination of Friedrichs-Banerjee does disclose the computer-implemented method of claim 1, wherein receiving content further comprises receiving an identifier associated with the content (Banerjee, (para. [0105]), the module detects web objects 404 (js, pdf, exe, rtf, swf, php). Each web-object, hyperlink, and linked website is checked 405 for whether it is malicious or not and the threat score is updated 406).  

Regarding claim 5, the combination of Friedrichs-Banerjee does disclose the computer-implemented method of claim 4, further comprising: determining, based on the identifier, whether a score is available in a threat data store for the content (Banerjee, (para. [0023]), a safety status is determined for the webpage, including whether the webpage is hazardous by using a threat score for the webpage); based on determining that a score is available, accessing the threat data store to retrieve the score for the content (Banerjee, (para. [0112-0114]), the content module score process 500 analyzes the use of web elements 503. It analyzes each element such as an image, script, audio or video files and other such objects. This module score process 500 calculates a threat score 506 based on the presence or absence of these elements in a suspected web page. The module score process 500 also compares the website with reference pages 505 and reports the comparison results 506. Comparison results can include how similar a website is to reference pages, or what reference pages are similar to the given website); and providing the accessed score to the computing system (Banerjee, (para. [0094]), the threat score is recorded and all scores are provided to the decision logic module 204 for use in determining the final threat level).  

Regarding claim 6, the combination of Friedrichs-Banerjee does disclose the computer-implemented method of claim 1, further comprising: crawling one or more content sources from a set of content sources known to be benign and a set of content sources known to be malicious to update the model (Friedrichs, (para. [0065]), the server can scour through all previous logs and retrieve all feature vectors associated with files whose fingerprints are on known whitelists/blacklists. The server can create a training corpus associated with the feature vectors corresponding to fingerprints from known whitelists and blacklists (i.e., those items on the whitelists would be the "benign" subset of the corpus and those items on blacklists would on the "malicious" subset of the corpus).  

Regarding claim 7, the combination of Friedrichs-Banerjee does disclose the computer-implemented method of claim 6, wherein crawling the one or more content sources comprises: identifying one or more objects within content from the one or more content sources (Banerjee, (para. [0103]), the module detects and analyzes code that can be found in (a) the webpage); tokenizing at least one of the one or more objects to generate a set of tokens; generating a set of raw features based on the set of tokens; and generating a set of abstract features based on the set of raw features (Banerjee, (para. [0151]), if the object is a JavaScript (js) object, then the process JS-Check () is applied. The object is checked against a database of malicious or safe scripts 1515, in a database maintained by the system and using external databases with such information, and .... The process 1500 checks keywords (as defined above) for indication of good or bad intention 1517, including keywords that are commonly present in malicious scripts, analyzes the character level profile 1518, including the frequency of occurrences of characters (i.e. raw features), groups of characters, sequences of characters possibly defined by regular expressions)).  

Regarding claim 8, the substance of the claimed invention is similar to that of claim 1. Accordingly, this claim is rejected under the same rationale.

Regarding claim 9, the substance of the claimed invention is similar to that of claim 7. Accordingly, this claim is rejected under the same rationale.

Regarding claim 10, the combination of Friedrichs-Banerjee does disclose the system of claim 9, wherein the method further comprises determining whether a local threat data store is useable to determine a score for the feature vectors (Banerjee, (para. [0023, 0101]), a safety status is determined for the webpage, including whether the webpage is hazardous by using a threat score for the webpage).  

Regarding claim 11, the combination of Friedrichs-Banerjee does disclose the system of claim 10, wherein the one or more feature vectors are transmitted to the security service when it is determined that the local threat data store is not useable to determine a score for the feature vectors (Banerjee, (para. [0136]), the difference of a character between the two names increases the local threat score by a mathematical function. Similarly, the difference in length among these names increases the difference threat score using a mathematical function. The higher the difference threat score, the more dissimilar the two websites are. The threat score is updated 1003 and reported to the decision logic module. The website name module score process 1000 includes processing any feedback 1004 received, and using the feedback to adjust analysis and update the threat score).  

Regarding claim 12, the combination of Friedrichs-Banerjee does disclose the system of claim 8, wherein determining whether the content comprises one or more malicious objects comprises evaluating the received score based on a threshold (Friedrichs, (para. [0011]), ... possibly a score that represents the likelihood of this distinction--e.g., a score from 0 to 100 where 0 represents that an application is with overwhelming likelihood clean and 100 means an application is with overwhelming likelihood malign….).  

Regarding claim 13, the combination of Friedrichs-Banerjee does disclose the system of claim 8, wherein transmitting the one or more feature vectors to the security service further comprises transmitting an identifier associated with the content to the security service (Banerjee, (para. [0094]), the threat score is recorded and all scores are provided to the decision logic module 204 for use in determining the final threat level).  

Regarding claim 14, the combination of Friedrichs-Banerjee does disclose the system of claim 8, wherein the content is a webpage, and wherein the one or more malicious objects are JavaScript objects (Banerjee, (para. [0151]), if the object is a JavaScript (js) object, then the process JS-Check () is applied).

Regarding claim 15, the substance of the claimed invention is similar to that of claim 1. Accordingly, this claim is rejected under the same rationale.

Regarding claim 16, the substance of the claimed invention is similar to that of claim 7. Accordingly, this claim is rejected under the same rationale.

Regarding claim 17, the substance of the claimed invention is similar to that of claim 10. Accordingly, this claim is rejected under the same rationale.

Regarding claim 18, the substance of the claimed invention is similar to that of claim 11. Accordingly, this claim is rejected under the same rationale.

Regarding claim 19, the substance of the claimed invention is similar to that of claim 12. Accordingly, this claim is rejected under the same rationale.

Regarding claim 20, the substance of the claimed invention is similar to that of claim 14. Accordingly, this claim is rejected under the same rationale.



Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MORSHED MEHEDI	whose telephone number is (571) 270-7640. The examiner can normally be reached on M - F, 8:00 am to 4:00 pm EST.    If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Jeffrey L. Nickerson can be reach on (469) 295-9235. The fax number for the organization where this application or proceeding is assigned is (571) 273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from their Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (In USA or Canada) or 571-272-1000.

/MORSHED MEHEDI/Primary Examiner, Art Unit 2432