DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in a telephone interview with KWANGHO JANG (Reg. No. 76690) on August 3, 2022.

Drawings
The drawings are objected to because elements in Figures 1, 2, 4-9, and 11 do not include numerical labels and Figures 4-9 are illegible. Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. The figure or figure number of an amended drawing should not be labeled as “amended.” If a drawing figure is to be canceled, the appropriate figure must be removed from the replacement sheet, and where necessary, the remaining figures must be renumbered and appropriate changes made to the brief description of the several views of the drawings for consistency. Additional replacement sheets may be necessary to show the renumbering of the remaining figures. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.

The application has been amended as follows:


1. (Currently Amended): A system for detecting phishing domains, the system comprising:
a memory; and
a processor in communication with the memory, the processor configured to:
receive domain information maintained in a certificate transparency (CT) log for a set of domains;
generate, using at least one model, classification prediction scores for each of the domains based on the received domain information, wherein a classification prediction score is a likelihood that a domain is a phishing domain;
determine whether each generated classification prediction score meets a predetermined threshold; and
generate a subset of the set of domains, the subset including the domains having a classification prediction score that meets the predetermined threshold, and wherein the domains in the subset are classified as phishing domains,
wherein the at least one model is trained on CT log-based features, the CT log-based features comprising at least one of a quantity of uncertified gaps of a domain and a duration of time of the uncertified gaps of a domain,
wherein domain information for the set of domains is further received from a passive DNS (pDNS) system,
wherein the at least one model is trained on pDNS-based features including both of a quantity of name servers, where a domain had authoritative domain name system (DNS) records, and a quantity of administrative servers related to a domain,
wherein the at least one model is trained on lexical features including a quantity of digits, dashes, and total characters of a dictionary entropy of a domain name.

2. (Cancelled)

3. (Previously Presented): The system for detecting phishing domains of claim 1, wherein historical domain data including domains determined to be phishing domains and domains determined to be benign domains is stored in the memory.

4. (Previously Presented): The system for detecting phishing domains of claim 3, wherein the at least one model is trained based on the stored historical domain data.

5. (Cancelled)

6. (Currently Amended): The system for detecting phishing domains of claim 1, wherein the CT log-based features further comprises at least one of a lifetime of a domain, a mean, maximum, or minimum inter-arrival time between certificates of a domain, a mean, maximum, or minimum certificate duration of a domain, a quantity of distinct certificate issuers of a domain, a total quantity of certificates acquired by a domain, and an average length of all subject alternative name (SAN) lists associated with a domain.

7. (Currently Amended): The system for detecting phishing domains of claim 1, wherein the CT log-based features further comprises each of a lifetime of a domain, a mean, maximum, or minimum inter-arrival time between certificates of a domain, a mean, maximum, or minimum certificate duration of a domain, a quantity of distinct certificate issuers of a domain, a total quantity of certificates acquired by a domain, and an average length of all subject alternative name (SAN) lists associated with a domain.

8. (Cancelled)

9. (Cancelled)

10. (Cancelled)

11. (Currently Amended): The system for detecting phishing domains of claim 1, wherein the at least one model is trained on each of a lifetime of a domain, a mean, maximum, or minimum inter-arrival time between certificates of a domain, a mean, maximum, or minimum certificate duration of a domain, a quantity of distinct certificate issuers of a domain, a total quantity of certificates acquired by a domain, and an average length of all subject alternative name (SAN) lists associated with a domain, 

12. (Previously Presented): The system for detecting phishing domains of claim 1, wherein the at least one model is trained by one or more machine learning algorithms in a group consisting of Random Forests (RF), Long Short Term Memory (LSTM), Gated Recurrent Unit (GRU), Convolutional Neural Network (CNN), MultiLayer Perceptron (MLP), XGboost, decision trees, and Support Vector Machine (SVM).

13. (Previously Presented): The system for detecting phishing domains of claim 1, wherein the predetermined threshold is set based on a desired false positive rate.

14. (Currently Amended): A method for detecting phishing domains comprising:
receiving domain information from a certificate transparency (CT) log for a set of domains;
generating, using at least one model, classification prediction scores for each of the domains based on the received domain information, wherein a classification prediction score is a likelihood that a domain is a phishing domain;
determining whether each generated classification prediction score meets a predetermined threshold; and
generating a subset of the set of domains, the subset including the domains having a classification prediction score that meets the predetermined threshold, and wherein the domains in the subset are classified as phishing domains,
wherein the at least one model is trained on CT log-based features, the CT log-based features comprising at least one of a quantity of uncertified gaps of a domain and a duration of time of the uncertified gaps of a domain,
wherein domain information for the set of domains is further received from a passive DNS (pDNS) system,
wherein the at least one model is trained on pDNS-based features including both of a quantity of name servers, where a domain had authoritative domain name system (DNS) records, and a quantity of administrative servers related to a domain,
wherein the at least one model is trained on lexical features including a quantity of digits, dashes, and total characters of a dictionary entropy of a domain name.

15. (Previously Presented): The method for detecting phishing domains of claim 14, wherein the classification prediction scores are generated prior to page content data becoming available for each domain in the set of domains.

16. (Previously Presented): The method for detecting phishing domains of claim 14, further comprising receiving page content data of at least one domain of the set of domains subsequent to generating the subset of domains; and updating the subset of domains based on the received page content data.

17. (Previously Presented): The method for detecting phishing domains of claim 14, further comprising training the at least one model with the updated subset of domains.

18. (Previously Presented): The method for detecting phishing domains of claim 14, further comprising removing domains from the set of domains for which a classification prediction score has been generated within a predefined amount of time prior to receiving the domain information.

19. (Currently Amended): A computer-readable, non-transitory medium storing instructions, which when executed by a processor, cause the processor to:
receive domain information maintained in a certificate transparency (CT) log for a set of domains;
generate, using at least one model, classification prediction scores for each of the domains based on the received domain information, wherein a classification prediction score is a likelihood that a domain is a phishing domain;
determine whether each generated classification prediction score meets a predetermined threshold; and
generate a subset of the set of domains, the subset including the domains having a classification prediction score that meets the predetermined threshold, and wherein the domains in the subset are classified as phishing domains,
wherein the at least one model is trained on CT log-based features, the CT log-based features comprising at least one of a quantity of uncertified gaps of a domain and a duration of time of the uncertified gaps of a domain,
wherein the domain information further includes information received from a passive DNS (pDNS) system for the set of domains,
wherein the at least one model is trained on pDNS-based features including both of a quantity of name servers, where a domain had authoritative domain name system (DNS) records, and a quantity of administrative servers related to a domain,
wherein the at least one model is trained on lexical features including a quantity of digits, dashes, and total characters of a dictionary entropy of a domain name.

20. (Currently Amended): The computer-readable, non-transitory medium of claim 19, the lexical features extracted from each of the domains in the set of domains.
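
The CT log-based features recited in the claims above can be computed from a domain's logged certificates as follows. This is an added illustration, not part of the Office action or the application; the record layout, the sample certificates, and the definitions of "uncertified gap" and "lifetime" used here are assumptions, since the claims do not define them.

```python
from datetime import datetime as D
from statistics import mean

# Constructed sample (not real CT data): one tuple per logged certificate for a
# hypothetical domain: (not_before, not_after, issuer, subject alternative names).
CERTS = [
    (D(2022, 1, 1), D(2022, 4, 1), "CA-A", ["example.test", "www.example.test"]),
    (D(2022, 3, 15), D(2022, 6, 13), "CA-A", ["example.test"]),
    (D(2022, 7, 13), D(2022, 10, 11), "CA-B",
     ["example.test", "login.example.test", "www.example.test"]),
    (D(2022, 11, 10), D(2023, 2, 8), "CA-B", ["example.test"]),
]

def ct_features(certs):
    """Per-domain CT log features, all durations in whole days."""
    if not certs:
        raise ValueError("no certificates logged for this domain")
    certs = sorted(certs, key=lambda c: c[0])
    starts = [c[0] for c in certs]
    durations = [(na - nb).days for nb, na, _, _ in certs]
    # Inter-arrival time: spacing between consecutive certificate start dates.
    inter = [(b - a).days for a, b in zip(starts, starts[1:])] or [0]
    # Assumption: an uncertified gap is a stretch between two certificates
    # during which no logged certificate for the domain is valid. Overlapping
    # or early-renewed certificates extend coverage and create no gap.
    gaps, covered_until = [], certs[0][1]
    for nb, na, _, _ in certs[1:]:
        if nb > covered_until:
            gaps.append((nb - covered_until).days)
        covered_until = max(covered_until, na)
    return {
        "gap_count": len(gaps),
        "gap_days": sum(gaps),
        # Assumption: lifetime runs from first issuance to the latest expiry.
        "lifetime_days": (covered_until - starts[0]).days,
        "inter_arrival": (mean(inter), max(inter), min(inter)),
        "cert_duration": (mean(durations), max(durations), min(durations)),
        "distinct_issuers": len({c[2] for c in certs}),
        "total_certs": len(certs),
        "avg_san_len": mean(len(c[3]) for c in certs),
    }

if __name__ == "__main__":
    for name, value in ct_features(CERTS).items():
        print(f"{name}: {value}")
```

The resulting dictionary is one feature row per domain; the claimed pDNS-based and lexical features would be joined to it before scoring.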

Allowable Subject Matter
Claims 1, 3-4, 6-7, and 11-20 are allowed.
The following is an examiner’s statement of reasons for allowance:
Independent claims 1, 14, and 19, among other things, teach a system for detecting phishing domains, the system comprising: a memory; and a processor in communication with the memory, the processor configured to: receive domain information maintained in a certificate transparency (CT) log for a set of domains; generate, using at least one model, classification prediction scores for each of the domains based on the received domain information, wherein a classification prediction score is a likelihood that a domain is a phishing domain; determine whether each generated classification prediction score meets a predetermined threshold; and generate a subset of the set of domains, the subset including the domains having a classification prediction score that meets the predetermined threshold, and wherein the domains in the subset are classified as phishing domains, wherein the at least one model is trained on CT log-based features, the CT log-based features comprising at least one of a quantity of uncertified gaps of a domain and a duration of time of the uncertified gaps of a domain, wherein domain information for the set of domains is further received from a passive DNS (pDNS) system, wherein the at least one model is trained on pDNS-based features including both of a quantity of name servers, where a domain had authoritative domain name system (DNS) records, and a quantity of administrative servers related to a domain, wherein the at least one model is trained on lexical features including a quantity of digits, dashes, and total characters of a dictionary entropy of a domain name. All of the steps recited in each of the claims are required to be executed and all of the limitations in each of the claims are given patentable weight. The present invention distinguishes over the art of record in that none of the art of record discloses, individually or in reasonable combination, the recited limitations in the independent claims.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MUHAMMAD RAZA whose telephone number is (571)272-7734. The examiner can normally be reached Monday-Friday, 7:00 A.M.-5:00 P.M.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Vivek Srivastava can be reached on (571)272-7304. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MUHAMMAD RAZA/Primary Examiner, Art Unit 2449