DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 8/2/22 has been entered.
	Amended claims 1-7, 9-14, and 16-20 as submitted on 8/2/22 were considered.  Applicant’s arguments directed at the amended claims were also considered, but are moot in view of new rejections made below in response to the amendments.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-7, 9-14, 16-18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Zhu et al (US 2012/0158626) in view of Hulten et al (US 2007/0192855) in further view of Klein et al (US 2008/0147837).

Claims 1 and 12:
	As per claim 1, Zhu discloses:
The method using a pre-defined statistical model to determine whether a network resource is a potential phishing threat based on features extracted from a network resource identifier for the network resource (paragraphs 57, 63-66 and 68; Several pre-defined statistical models are used, including phishing SLD hit ratio and phish link ratio), the method comprising: 
Receiving a request to access a network resource (paragraphs 19-22 and 26-27; URLs are stored by either a search engine or database.  Note wherever the search engine stores the search results can also be considered a database.  URLs are accessed by a client or a system employing machine learning and in accessing, they receive the URLs from the search engine/database).
Determining, from the request, a network resource identifier (paragraphs 20-22, 27 and 46; URL).
Extracting one or more features from the network resource identifier (paragraph 20-22, 27, 46, and 48).
Applying the pre-defined statistical model to the extracted one or more features (paragraphs 21-22, 57, 63-66, and 68).
Classifying the network resource as a phishing threat if the output of the pre-defined statistical model, when applied to the extracted one or more features, determines that the network resource is a potential phishing threat (paragraphs 21-24, 28, 56-57, and 63-66).
Responding, in response to determining that the network resource is a potential phishing threat, to the request (paragraphs 109-110; Responds by blocking phishing URL or warns of phishing attempt at URL).

Zhu does not explicitly disclose, but Hulten discloses:
Wherein an output of the pre-defined statistical model determines a probability that a network resource is a phishing threat (paragraphs 26-27, 48-50, 54, and 91-93; Probabilistic machine learning algorithms are used to determine the likelihood that a site is a phishing site).
Determines that the network resource is a potential phishing threat when the probability exceeds a predetermined threshold (paragraph 92; If a probability is above a target threshold, then the site is determined to be a phishing site/having a bad reputation).

Before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to incorporate Hulten’s teachings discussed above into Zhu’s invention.  Zhu and Hulten’s inventions both use machine learning models to detect malicious URLs.  The rationale for why one of ordinary skill in the art would have incorporated Hulten’s teachings with Zhu’s is that doing so is use of a known technique to improve similar devices/methods/products in the same way, see KSR Int'l Co. v. Teleflex, Inc., 550 U.S. 398 (2007).  Hulten’s teachings provide additional ways of detecting phishing sites, thus would mean that phishing sites are more likely to be detected than just relying on Zhu’s teachings alone.
Zhu does not disclose does not disclose, but Klein discloses the responding…to the request with one of an invalid IP address and a benign IP address (paragraphs 45, 49, and 62-63).  Before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to further modify Zhu’s invention such that the responding was done in accordance with Klein’s teachings.  The rationale for why it would be obvious is that doing so is nothing more than simple substitution of one know element for another to obtain predicable results, see KSR Int'l Co. v. Teleflex, Inc., 550 U.S. 398 (2007).  In this case, both references block access to phishing attempts, but the differs in how the block is done and it doesn’t matter if one does so using Zhu or Klein’s method.  The result is the phishing attempt by an invalid URL is still blocked.

The rejection of claim 1 applies, mutatis mutandis, to claim 12.

Claim 2:
	Zhu further discloses preventing access to the network resource if it is classified as a phishing threat (paragraphs 28 and 109; User is prevented from visiting the malicious URL).

Claim 3:
	Zhu further discloses wherein the step of extracting one or more features of from the network resource identifier comprises extracting features from a FQDN portion of the network resource identifier (paragraph 46; The full exemplary URL shown in paragraph 46 is the FQDN of the URL and consist of several portions which are extracted such as the domain name and path).

Claim 4:
	Zhu further discloses wherein the step of extracting one or more features from the network resource identifier comprises extracting a feature indirectly from the network resource identifier (paragraphs 83-84; ASN used to get information/features from registers and service providers, which are then used for the statistical analysis, thus the features used in the statistical analysis are indirectly obtained/extracted).



Claims 5 and 6:
	Zhu further discloses wherein the pre-defined statistical model is applied to a set of at least three/five features extracted from the network resource identifier (paragraphs 43, 46, 48, and 62; As discussed in paragraph 43, any combination of extracted features can be used to determine if a URL is malicious/associated with phishing.  In the examples given in the other paragraphs cited, at least 3-5 features are extracted).

Claim 13:
	Zhu further discloses an output interface for forwarding or responding to the request to access the network resource, the device configured only to forward or respond to the request in the case where the network resource is not classified as a phishing threat (paragraphs 28 and 109-110; Block URL if malicious/phishing URL and present/forward to user if URL is benign/valid).

Claims 7 and 14:
	As per claim 7, Zhu further discloses wherein the extracted one or more features of the network resource identifier comprises features selected from:  the FQDN containing a target domain from a pre-defined list of target domains but the target domain is not the second level domain; character length of the FQDN; number of subdomains in the FQDN; existence of a selected keyword in FQDN; stripped Keyword in FQDN; longest subdomain length; number of numeric subdomains; number of subdomains with hyphen; number of alphanumeric subdomains; unusual top-level domain (TLD); the maximum Kulback-Leibler (KL) divergence of each of the subdomains in the FQDN; and a geographical lookup based on the IP address(es) to which the FQDN resolves (paragraphs 46, 48, and 58; Stripped keyword in FQND as disclosed in paragraphs 46 and 48 are the tokens extracted from the full URL and existence of a selected keyword in the FQDN reads on brand names that are extracted from the URL)

The rejection of claim 7 applies, mutatis mutandis, to claim 14.


Claims 9 and 16:
	As per claim 9, Zhu further discloses the method according to claim 1 implemented in an HTTP proxy, wherein the received request for a network resource is an HTTP request, wherein in the case when the requested network resource is determined to be a potential phishing threat, the HTTP proxy is instructed to block the HTTP request (paragraph 27 and Fig 2; A URL is sent from a search engine for analysis.  A URL is based on the http protocol, thus the system which does the analysis for the search engine is an HTTP proxy).
The rejection of claim 9 applies, mutatis mutandis, to claim 16.

Claims 10 and 17:
	As per claim 10, Zhu further discloses the method according to claim 1, implemented in a DNS server, the received request for a network resource being a DNS lookup, wherein in the case when a network resource is determined to be a potential phishing threat, the DNS server is instructed to block the DNS lookup (paragraphs 78, 87, 103, and 109).
The rejection of claim 10 applies, mutatis mutandis, to claim 17.

Claims 11 and 18:
	As per claim 11, Zhu further discloses the method according to claim 1, implemented in an end user device, wherein in the case when a network resource is determined to be a potential phishing threat, the end user device blocks the request for the network resource (paragraphs 99 and 109).
The rejection of claim 11 applies, mutatis mutandis, to claim 18.

Claims 19-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Zhu et al (US 2012/0158626) in view of Hulten et al (US 2007/0192855)
Claims 19 and 20:
	As per claim 19, Zhu discloses a method of determining whether one or more network resources are phishing threats, each one or more network resources having an associated network resource identifier (paragraphs 26-28 and 46; URL), the method using a pre-defined statistical model to determine whether a network resource is a
potential phishing threat based on features extracted from the network resource identifier (paragraphs 57, 63-66 and 68; Several pre-defined statistical models are used, including phishing SLD hit ratio and phish link ratio), the method comprising:
Receiving, from a database, one or more network resource identifiers (paragraphs 19-22 and 26-27; URLs are stored by either a search engine or database.  Note wherever the search engine stores the search results can also be considered a database.  URLs are accessed by a client or a system employing machine learning and in accessing, they receive the URLs from the search engine/database);
extracting one or more features from each one or more network resource identifier (paragraph 21-22, 27, 46, and 48);
applying the pre-defined statistical model to the extracted one or more features (paragraphs 57 and 63-66); and
for each network resource identifier, classifying the associated network resource
as a phishing threat if the output of the pre-defined statistical model, when applied to the extracted one or more features, determines that the network resource is a potential phishing threat (paragraphs 28, 56-57, and 63-66).

Zhu does not explicitly disclose, but Hulten discloses:
Wherein an output of the pre-defined statistical model determines a probability that a network resource is a phishing threat (paragraphs 26-27, 48-50, 54, and 91-93; Probabilistic machine learning algorithms are used to determine the likelihood that a site is a phishing site).
Determines that the network resource is a potential phishing threat when the probability exceeds a predetermined threshold (paragraph 92; If a probability is above a target threshold, then the site is determined to be a phishing site/having a bad reputation).

Before the effective filing date of applicant’s claimed invention, it would have been obvious to one of ordinary skill in the art to incorporate Hulten’s teachings discussed above into Zhu’s invention.  Zhu and Hulten’s inventions both use machine learning models to detect malicious URLs.  The rationale for why one of ordinary skill in the art would have incorporated Hulten’s teachings with Zhu’s is that doing so is use of a known technique to improve similar devices/methods/products in the same way, see KSR Int'l Co. v. Teleflex, Inc., 550 U.S. 398 (2007).  Hulten’s teachings provide additional ways of detecting phishing sites, thus would mean that phishing sites are more likely to be detected than just relying on Zhu’s teachings alone.
The rejection of claim 19 applies, mutatis mutandis, to claim 20.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to PONNOREAY PICH whose telephone number is (571)272-7962. The examiner can normally be reached M-F 9am-5pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/PONNOREAY PICH/           Primary Examiner, Art Unit 2495