Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 5/3/2022 has been entered.

Response to Amendment
This is in response to the amendments filed on 5/3/2022. Claims 1, 9, and 17 have been amended. Claims 7 and 15 have been canceled. Claims 1-3, 5, 6, 8-11, 13, 14, and 16-20 are currently pending and have been considered below. 

Response to Arguments
Applicant’s arguments with respect to claim(s) 1, 9, and 17 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Claim Objections
Claims 2, 6, and 10 are objected to because of the following informalities:  
Claim 2, line 3 recites “performs steps of” which should be changed to --perform the step of--. 
Claim 6, line 3 recites “performs steps of” which should be changed to --perform the step of--.  
Claim 10, line 2 recites “performs the steps of” which should be changed to --perform the step of--.  
Appropriate correction is required. 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-3, 5, 6, 8-11, 13, 14, and 16-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over “Cho” (US 2016/0065613) in view of “Egbert” (US 2019/0132355) in view of “Takata” (US 2020/0372085) as evidenced by “Canali” (“Prophiler: A Fast Filter for the Large-Scale Detection of Malicious Web Pages”, 2011) in further view of “Haynes” (US 2013/0117459).

Regarding Claim 1:
Cho teaches:
A non-transitory computer-readable storage medium having computer-readable code stored thereon for programming a server to performs steps of: 
receiving a list of web sites (Fig. 3, step S310), …
… browsing to each web site in the list (Fig. 3, step S320); 
receiving a response based on the browsing (¶0066, “… the data crawling unit 220 crawls and stores contents data present in the website based on the URL information stored in the URL collection unit 210 at step S320”; i.e., receive data to store responsive to said data crawling performed); and 
analyzing the response to classify each web site as malicious or not (Fig. 3, steps S330-S380) based on a plurality of techniques including … JavaScript (JS) obfuscation detection based on de-obfuscation (¶0066, “In this case, the crawled and stored data may be data, such as an image, encoding JavaScript and a style sheet”; ¶0092, “Referring to FIG. 7, the method of detecting malicious code based on the Web according to the embodiment of the present invention may have the basic function of detecting a script (an external linker) intended for inducement to re-direction to a malicious code homepage using a web document external tag and alerting a user to the script as malicious code. In this case, even when a linker outside a web document is obfuscated or encoded, the linker is detected by decryption or decoding and is then filtered out”; i.e., de-obfuscate a detected script (which can include JavaScript), and perform subsequent analysis (shown by Fig. 3, steps S330-S380) based on the de-obfuscated script) ….
Cho does not disclose:
… wherein the list of websites is created based on a plurality of factors, and wherein the factors include more than one of newly registered domains, suspicious domains flagged by heuristic signatures, unclassified domains in a network security system, country-specific domains, and a targeted scan based on Content Management System (CMS);
anonymously browsing to each web site in the list; 
…
analyzing the response … including a signature less … detection based on de-obfuscation and heuristics, wherein the heuristics include a presence of any of a JS function and a domain in de-obfuscated JS content not present in obfuscated JS content.
Egbert teaches:
analyzing the response (¶0029, “at 310, a data stream to be analyzed may be received … containing one or more scripts…”)… including a signature less (¶0030, “At 330, execution of the script data may be emulated … At 340, features resulting from emulation of the script may be collected … Any extracted features may be compared to one or more heuristics as disclosed herein at 350 …”; i.e., utilize an emulation environment to extract features and compare the features with heuristics to determine whether the script is malicious, without the usage of known signatures)… detection based on de-obfuscation (¶0029, “The script data may include one or more … un-obfuscated scripts, such as JavaScript scripts…”) and heuristics, wherein the heuristics include a presence of any of a JS function and a domain in de-obfuscated JS content not present in obfuscated JS content (Abstract; ¶0030, “Any extracted features may be compared to one or more heuristics as disclosed herein at 350 to determine whether the script contains … malicious software”; ¶0032).
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Cho’s system for detecting malicious code within URLs by enhancing Cho’s malware detection method to include a signature-less, emulation-based analysis function that utilizes heuristics to determine whether de-obfuscated JavaScript content is malicious, as taught by Egbert, in order to provide real-time detection of malicious scripts within web content.
	The motivation is to emulate received web data to quickly determine whether any scripts within the data are deemed malicious in real-time (Egbert, ¶0010). This allows the data to be analyzed and communicated at speeds which would eliminate a user from noticing any slowdown in data communication during malicious script detection.
Cho in view of Egbert does not disclose:
… wherein the list of websites is created based on a plurality of factors, and wherein the factors include more than one of newly registered domains, suspicious domains flagged by heuristic signatures, unclassified domains in a network security system, country-specific domains, and a targeted scan based on Content Management System (CMS);
anonymously browsing to each web site in the list;
Takata as evidenced by Canali teaches:
… wherein the list of websites is created based on a plurality of factors (¶0047, “URL lists input for the crawler unit 121 are … the URL lists for learning (the unmalicious list URL list for learning and the malicious URL list for learning) and the URL list for testing”), and wherein the factors include more than one of newly registered domains, suspicious domains flagged by heuristic signatures, unclassified domains in a network security system, country-specific domains (¶0048, “URL lists provided by service (Document 1) for archiving past states of websites not detected to have been abused (unmalicious websites) and websites detected to have been abused (malicious websites) as described above … are used as the unmalicious URL list … and the malicious URL list…”; ¶0049, “Furthermore, a malicious URL list including URLs of websites detected beforehand to may have been abused … may be used, for example, by use of an existing technique”; i.e., the URL lists used for the crawler are created by Non-Patent Literature 1, which is referenced in ¶0007 of Takata to Canali. The examiner thus further references Canali (as provided herein as evidence) to further teach how these lists contain URLs based on a plurality of features, such as URLs having newly registered domains (Canali, Section 3.1.3, “For example, malware campaigns are often hosted on untrusted hosting provides, and the corresponding whois information reveals short registration time frames…”) and unclassified or country-specific domains (Canali, Section 3.1.3, “Also, it is very common for malicious web pages to include content from sites with no DNS name, or hosted on domains with a certain TLD (e.g., .cn, ru)”)), and a targeted scan based on Content Management System (CMS);
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Cho in view of Egbert’s system for detecting malicious code within URLs by enhancing Cho in view of Egbert’s list of URLs to be selected based on a plurality of factors, such as country-specific domains and unclassified domains, as taught by Takata (as evidenced by Canali), in order to better detect malicious websites.
	The motivation is to utilize a plurality of determining features of URLs in detecting whether the URL is malicious or not. Utilizing these features, such as domain information, ensures that it is not trivial to obscure malicious websites from detection, and thus makes detecting said websites more efficient.
Cho in view of Egbert in further view of Takata does not disclose: 
anonymously browsing to each web site in the list; 
Haynes teaches:
anonymously browsing to each web site in the list (¶0004, “Additional advantages are provided by using VPN routers, in part, because they provide visible internet protocol (IP) addresses based on a home server ID as opposed to individual machine IP addresses or personal IDs. This type of addressing arrangement can facilitate a variety of VPN applications, including anonymous web browsing …”); 
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Cho in view of Egbert in further view of Takata’s system for detecting malicious code within URLs by enhancing Cho in view of Egbert in further view of Takata’s method of crawling to URLs to occur over an anonymous connection, such as over a VPN, as taught by Haynes, in order to prevent malicious websites from identifying a malicious website crawler.
	The motivation is to mask an IP address of a crawler that seeks out malicious websites, so that a malicious website cannot block and/or obscure itself upon detecting the IP address of the crawler itself.

Regarding Claim 2:
The non-transitory computer-readable storage medium of claim 1, wherein Cho in view of Egbert in view of Takata in further view of Haynes further teaches the computer-readable code stored is further configured to program the server to performs steps of providing a blacklist of web sites classified as malicious (Takata, Fig. 8, step S1; ¶0088, “The crawler unit 121 of the classification apparatus 10 makes access to websites included in the … malicious URL list for learning (S1)…”).
The motivation to reject claim 2 under Takata is the same motivation used in combining Takata with Cho in view of Egbert to reject claim 1 above.

Regarding Claim 3:
The non-transitory computer-readable storage medium of claim 1, wherein Cho in view of Egbert in view of Takata in further view of Haynes further teaches the JS obfuscation detection is performed by de-obfuscating JS content and utilizing the heuristics to determine if the de-obfuscated JS content is malicious (Egbert, Abstract; ¶0030, “Any extracted features may be compared to one or more heuristics as disclosed herein at 350 to determine whether the script contains … malicious software”; ¶0032).
The motivation to reject claim 3 under Egbert is the same motivation used in combining Egbert with Cho to reject claim 1 above.

Regarding Claim 5:
The non-transitory computer-readable storage medium of claim 1, wherein Cho in view of Egbert in view of Takata in further view of Haynes further teaches the plurality of techniques further includes detection of hidden Inline Frames in the response (Cho, ¶0094, “Furthermore, in this case, the method of detecting malicious code based on the Web … may detect a shellcode intended for inducement to hidden malicious code …”; ¶0095, “… three types of events that are detected may include … an iframe tag …”).

Regarding Claim 6:
The non-transitory computer-readable storage medium of claim 1, wherein Cho in view of Egbert in view of Takata (as evidenced by Canali) in further view of Haynes further teaches the computer-readable code stored is further configured to program the server to performs steps of
creating the list of web sites periodically based on a plurality of factors (Takata, Fig. 8, step S1; ¶0088, “The crawler unit 121 of the classification apparatus 10 makes access to websites included in the … malicious URL list for learning (S1)…”; Further, Section 4 of Canali discloses that a list of seed URLs is fetched daily from a plurality of search engines).
The motivation to reject claim 6 under Takata is the same motivation used in combining Takata with Cho in view of Egbert to reject claim 1 above.

Regarding Claim 8:
The non-transitory computer-readable storage medium of claim 1, wherein Cho in view of Egbert in view of Takata in further view of Haynes further teaches the anonymously browsing utilizes a Virtual Private Network (VPN) to obscure the server (Haynes, ¶0004, “Additional advantages are provided by using VPN routers, in part, because they provide visible internet protocol (IP) addresses based on a home server ID as opposed to individual machine IP addresses or personal IDs. This type of addressing arrangement can facilitate a variety of VPN applications, including anonymous web browsing …”).
The motivation to reject claim 8 under Haynes is the same motivation used in combining Haynes with Cho in view of Egbert in further view of Takata to reject claim 1 above.

Regarding Claims 9-11, 13, 14, and 16:
Server claims 9-11, 13, 14, and 16 correspond to respective computer-storage medium claims 1-3, 5, 6, and 8, and contain no further limitations. Thus claims 9-11, 13, 14, and 16 are each rejected by applying the same rationale used in rejecting claims 1-3, 5, 6, and 8 above, respectively.

Regarding Claims 17-20:
Method claims 17-20 correspond to respective computer-storage medium claims 1, 2, 6, and 3, and contain no further limitations. Thus claims 17-20 are rejected by applying the same rationale used to reject claims 1, 2, 6, and 3, respectively.

Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DANIEL B POTRATZ whose telephone number is (571)270-5329.  The examiner can normally be reached on M-F 10 A.M. - 6 P.M. CST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 571-272-3972.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/DANIEL B POTRATZ/Primary Examiner, Art Unit 2491