DETAILED ACTION
This office action is in response to the application filed on 03/26/2020. Claims 120 are pending and are examined.	
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Priority
Applicant’s benefit claim is hereby acknowledged of the provisional application No. 62/823,733, filed March 26, 2019, which papers have been placed on record in the file.

Claim Rejections - 35 USC § 102 
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1 and 19-20, are rejected under AIA  35 U.S.C. 102(a) (1) as being unpatentable over Alhumaisan et al. (U.S. Pub. No. 2018/0115584 A1, referred to as Alhumaisan).

Regarding claims 1 and 19-20, Alhumaisan teaches:
A computing platform, comprising: at least one processor; a communication interface communicatively coupled to the at least one processor; and memory storing computer-readable instructions that, when executed by the at least one processor (Fig. 1, Items 105, 110, 115, 120, 125, 140, ¶ 0018- ¶ 0019, “The computing device 110 includes a processor 115 (e.g., CPU), memory 125, an I/O interface 140, and a bus 120.”), cause the computing platform to: 
receive image data of a graphical rendering of a resource available at a uniform resource locator (URL) (Fig. 2, Steps 225-230; ¶ 0041- ¶ 0042, “At step 230, a screenshot of the loaded website is captured and/or taken. The screenshot can be an entire image of the loaded website, and/or a portion of the loaded website, depending on the user's needs.”); 
compute a computer vision vector representation of the image data (Fig. 2, Step 235; ¶ 0043- ¶ 0044, “By having a screenshot of the loaded website, the process 200 can proceed to step 235, which includes the application of the color IRT technique to the screenshot of the loaded website. The color IRT technique implements various approaches to accomplish feature detection.”); 
compare the computer vision vector representation of the image data to a plurality of stored numeric vectors representing page elements, resulting in a feature indicating whether the computer vision vector representation of the image data is visually similar to a known page element (Fig. 2, Steps 245, 250, 255, 265; ¶ 0045 “Running the image matching algorithm examines the degree of similarity between the features of the web page being requested, which is the web page being analyzed to determine whether it is a phishing web page, and the features extracted from the legitimate image stored in the database 245 of pre-collected images of original websites”; ¶ 0046); 
input the feature indicating whether the computer vision vector representation of the image data is visually similar to the known page element to a classifier (Fig. 2, Steps 250, 255, 265; ¶ 0046, “If the requested website is found similar at step 250, i.e., then the requested website is further examined for a degree of similarity in accordance with step 265. However, if the requested website is not similar, then in accordance with step 255 there is no sufficient data to examine the authenticity of the requested website and the process ends with step 285”); 
receive, from the classifier, a phish classification score indicating a likelihood that the URL is malicious (Fig. 2, Steps 270, 275; ¶ 0047, “At step 270, this degree of similarity is examined against a given threshold. Depending on the analysis of step 270, the user is either informed that the requested website could be legitimate or could be a phishing web page. For example, if the degree of similarity is less than the threshold”); and 
in response to determining that the phish classification score exceeds a first phish classification threshold, cause a cybersecurity server to perform a first action (Fig. 2, Steps 270, 275; ¶ 0047, “if the degree of similarity is greater than the threshold, the message of step 275 can inform the user that the requested web page could be a phishing website, i.e., “The web page may not be legitimate.”).

Regarding claim 20, Alhumaisan further teaches:
One or more non-transitory computer-readable media storing instructions that, when executed by a computing platform comprising at least one processor, a communication interface, and memory processor (Fig. 1, Items 115, 120, 125, ¶ 0017- ¶ 0019).

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was.


Claims 2, 4-5 and 11-12 are rejected under 35 U.S.C. 103 as being unpatentable over Alhumaisan in view of Woodbridge et al. (U.S Pub No. 2019/0019058 A1, referred to as Woodbridge).

Regarding claim 2, Alhumaisan teaches all the features of claim 1, as outlined above.
Alhumaisan does not explicitly disclose, however Woodbridge teaches:
 wherein the memory stores additional computer-readable instructions that, when executed by the at least one processor, cause the computing platform to: 
generate a screenshot database, wherein the screenshot database includes images of a plurality of URLs and their corresponding image data, and wherein: the plurality of URLs are selected by the computing platform based on one or more of: previous attacks corresponding to the URLs, anticipated attacks corresponding to the URLs, or URL popularity, and the plurality of URLs correspond to one or more of: internal websites or external websites (Woodbridge: ¶ 0007; ¶ 0023- ¶ 0024).
It would have been obvious to one ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Alhumaisan by Woodbridge and have a system capable to convert a legitimate URLs for popular websites into an image and then compared against the image of list of strings in order to determine the relative similarity and if the similarity rating falls below a predetermined threshold, an alert is generated indicating that the string is potentially malicious (Woodbridge: Abstract).

Regarding claim 4, Alhumaisan teaches all the features of claim 2, as outlined above.
Alhumaisan does not explicitly disclose, however Woodbridge teaches:
wherein generating the screenshot database comprises computing, for each URL of the plurality of URLs, a computer vision vector representation of image data corresponding to the URL (Woodbridge: ¶ 0024- ¶ 0027).
Same motivation as claim 2.

Regarding claim 5, Alhumaisan teaches all the features of claim 1, as outlined above.
Alhumaisan does not explicitly disclose, however Woodbridge teaches:
wherein comparing the computer vision vector representation of the image data to the plurality of stored numeric vectors representing page elements comprises: 
identifying, using a hash table lookup function, an exact match between the image data and a specific page element of the page elements, or identifying, using a nearest neighbor search or radius search, an inexact match between the computer vision vector representation of the image data and the specific page element vector of the page elements vectors (Woodbridge: ¶ 0024- ¶ 0027, “Image 285 is converted to vector 290 using Siamese convolutional neural network 220. Index 275 is searched for similar vectors, and strings are reported for which the Euclidean distance between the vector for the new string 280 and the string stored in reference index 275 is below a predefined threshold. If the closest vector is less than predetermined threshold 295, alert 296 is generated identifying new string 280 as potential spoof attack. (step 206).”).
Same motivation as claim 2.

Regarding claim 11, Alhumaisan teaches all the features of claim 1, as outlined above.
Alhumaisan does not explicitly disclose, however Woodbridge teaches:
wherein the computer vision vector representation of the image data is computed using a convolutional neural network, and wherein the convolution neural network is trained using metric learning (Woodbridge: ¶ 0024- ¶ 0027, “Image 285 is converted to vector 290 using Siamese convolutional neural network 220. Index 275 is searched for similar vectors, and strings are reported for which the Euclidean distance between (EN: metric learning) the vector for the new string 280 and the string stored in reference index 275 is below a predefined threshold. If the closest vector is less than predetermined threshold 295, alert 296 is generated identifying new string 280 as potential spoof attack. (step 206).”).
It would have been obvious to one ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Alhumaisan by Woodbridge and have a system capable to convert a legitimate URLs for popular websites into an image and then compared against the image of list of strings in order to determine the relative similarity and if the similarity rating falls below a predetermined threshold, an alert is generated indicating that the string is potentially malicious (Woodbridge: Abstract).

Regarding claim 12, Alhumaisan teaches all the features of claim 1, as outlined above.
 Alhumaisan does not explicitly disclose, however Woodbridge teaches:
wherein: the known page element is one of: a rendered page screenshot, a logo, login form, or other visual page element (Woodbridge: ¶ 0023); and 
the classifier is a machine learning classifier or a rule-based classifier (Woodbridge: ¶ 0024).
Same motivation as claim 11.

Claims 6-8 are rejected under 35 U.S.C. 103 as being unpatentable over Alhumaisan in view of Schmidtler (U.S Pub No. 2014/0033307 A1, referred to as Schmidtler).
Regarding claim 6, Alhumaisan teaches all the features of claim 1, as outlined above.
Alhumaisan does not explicitly disclose, however Schmidtler teaches:
wherein the memory stores additional computer-readable instructions that, when executed by the at least one processor, cause the computing platform to: 
compare the image data of the URL to image data captured from one or more ancestor pages (Schmidtler: ¶ 0008- ¶ 0009, “In this instance, a bin contains the average page feature vectors of the children pages that have similar URL strings in relation to their parent (EN: ancestor pages) within the resolution of the bin width”), wherein the comparison results in an ancestor similarity score (Schmidtler: ¶ 0037; ¶ 0051, “This determined probability is generally normalized resulting in a classification score for the one or more URLs, where the classification score generally represents a measure of the likelihood that the URL is or otherwise is associated with a phishing site. ”).
It would have been obvious to one ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Alhumaisan by Schmidtler  to create a feature vector for every iframe that is a descendent of the landing page, and derive a final feature vector from the feature vectors of the landing page and the descendent iframe pages, then a machine learning techniques may be applied to generate, or train, a classification model based upon one or more known phishing websites, in order for the classification modeler to classify a website as either a phishing website or as a non-phishing website. (Schmidtler: Abstract).

Regarding claim 7, Alhumaisan teaches all the features of claim 6, as outlined above.
Alhumaisan does not explicitly disclose, however Schmidtler teaches:
wherein the memory stores additional computer-readable instructions that, when executed by the at least one processor, cause the computing platform to: 
identify page elements of the one or more ancestor pages (Schmidtler: ¶ 0008- ¶ 0009).
Same motivation as claim 6.

Regarding claim 8, Alhumaisan teaches all the features of claim 7, as outlined above.
Alhumaisan does not explicitly disclose, however Schmidtler teaches:
wherein comparing the image data of the URL to the image data captured from the one or more ancestor pages comprises comparing page elements of the URL to the identified page elements of the one or more ancestor pages (Schmidtler: ¶ 0008- ¶ 0009, “In this instance, a bin contains the average page feature vectors of the children pages that have similar URL strings in relation to their parent within the resolution of the bin width” (EN: comparing)).
Same motivation as claim 6.

Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Alhumaisan in view Schmidtler and further in view of Woodbridge.

Regarding claim 10, Alhumaisan teaches all the features of claim 7, as outlined above.
Alhumaisan does not explicitly disclose, however Schmidtler teaches:
wherein comparing the image data of the URL to the image data captured from the one or more ancestor pages comprises performing: a visual comparison (Schmidtler: ¶ 0008- ¶ 0009).
It would have been obvious to one ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Alhumaisan by Schmidtler  to create a feature vector for every iframe that is a descendent of the landing page, and derive a final feature vector from the feature vectors of the landing page and the descendent iframe pages, then a machine learning techniques may be applied to generate, or train, a classification model based upon one or more known phishing websites, in order for the classification modeler to classify a website as either a phishing website or as a non-phishing website. (Schmidtler: Abstract).
Alhumaisan in view of Schmidtler does not explicitly disclose, however Woodbridge teaches:
wherein the visual comparison comprises one or more of: a color analysis, a deep learning vector comparison, logo comparison, or optical character comparison between the graphical rendering of the URL and the one or more ancestor pages, or a non-visual comparison, wherein the non-visual comparison comprises a comparison of markup, code, or text corresponding to the URL and markup, code, or text corresponding to the one or more ancestor pages (Woodbridge: ¶ 0024- ¶ 0027, “The third step is to input training images 255 into Siamese convolutional neural network 220 (EN: deep learning vector comparison), which learns to represent each image as a vector of floats (step 203). The vector might comprise, for example, 64 numbers of 32 bits each. Siamese convolutional neural network 220 extracts image features from each image in training images 255.”).
It would have been obvious to one ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Alhumaisan in view of  Schmidtler by Woodbridge and have a system capable to convert a legitimate URLs for popular websites into an image and then compared against the image of list of strings in order to determine the relative similarity and if the similarity rating falls below a predetermined threshold, an alert is generated indicating that the string is potentially malicious (Woodbridge: Abstract).

Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Alhumaisan in view of Johns et al. (U.S Pub No. 2019/0132334 A1, referred to as Johns).

Regarding claim 13, Alhumaisan teaches all the features of claim 1, as outlined above.
Alhumaisan does not explicitly disclose, however Johns teaches:
the memory stores additional computer- readable instructions that, when executed by the at least one processor, cause the computing platform to:
 in response to determining that the phish classification score exceeds a second phish classification threshold, cause the cybersecurity server to perform a second action different from the first action (Johns: Fig. 3A, Steps 335, 340; Fig. 3B ¶ 0070- ¶ 0071).
It would have been obvious to one ordinary skill in the art before the effective filing date of the claimed invention to modify Alhumaisan by Johns and perform a behavioral analysis in order to verify a prior classification when the threat score exceeds a second threshold. (Johns: ¶ 0071).

Allowable Subject Matter
Claims 3, 9 and 14-18 would be allowable if they were rewritten in independent form including all of the limitations of the base claim and any intervening claims.

The following is an examiner’s statement of reasons for identifying allowable subject matter.	

The closest prior arts made of records are, Alhumaisan et al. (U.S. Pub. No. 2018/0115584 A1, referred to as Alhumaisan), Woodbridge et al. (U.S Pub No. 2019/0019058 A1, referred to as Woodbridge) and Schmidtler (U.S Pub No. 2014/0033307 A1, referred to as Schmidtler).

Alhumaisan discloses systems and methods for comparing the features of a questionable website to features of a legitimate website, wherein detection of a phishing website using color IRT includes: requesting access, on at least one computing device to a web page having a Universal Resource Locator (URL), comparing the URL of the requested web page to a reference URL within a database , determining that the URL of the requested web page matches the reference URL and generating a message that the web page is legitimate when there is a match between the URL of the requested web page and the reference URL.

Woodbridge discloses a method to identify potentially malicious URLs and executable files in a computing device, wherein a Siamese convolutional neural network is trained to identify the relative similarity between image versions of two strings of text. After the training process, a list of strings that are likely to be utilized in malicious attacks are provided (e.g., legitimate URLs for popular websites). When a new string is received, it is converted to an image and then compared against the image of list of strings. The relative similarity is determined, and if the similarity rating falls below a predetermined threshold, an alert is generated indicating that the string is potentially malicious.

Schmidtler discloses a phishing classification model that detects a phishing website based on one or more feature vectors for the website. The phishing classification model may operate on a server and may further select a website, generate a feature vector for a landing page of the website, create a feature vector for every iframe that is a descendent of the landing page, and derive a final feature vector from the feature vectors of the landing page and the descendent iframe pages. Further, machine learning techniques may be applied to generate, or train, a classification model based upon one or more known phishing websites. Based on the feature vector, the classification modeler may classify a website as either a phishing website or as a non-phishing website. Feedback in the form of human verification may further be incorporated.

However, regarding claim 3, the prior art of Alhumaisan, Woodbridge and Schmidtler when taken in the context of the claim as a whole do not disclose nor suggest, “update the screenshot database, wherein updating the screenshot database comprises: identifying that a page image corresponding to a URL of the plurality of URLs has changed, wherein a previous page image corresponding to the URL of the plurality of URLs is stored in the screenshot database; and in response to determining that the page image corresponding to a URL of the plurality of URLs has changed: capturing the page image corresponding to the URL of the plurality of URLs, resulting in a captured page image corresponding to the URL of the plurality of URLs; and adding the captured page image corresponding to the URL of the plurality of URLs to the screenshot database.”.

Regarding claim 9, the prior art of Alhumaisan, Woodbridge and Schmidtler when taken in the context of the claim as a whole do not disclose nor suggest, “wherein comparing the image data of the URL to the image data captured from the one or more ancestor pages comprises: generating, for the one or more ancestor pages, an object list that includes the corresponding identified page elements;  -37- Docket No. 009075.00133\US applying object detection to the image data of the URL to identify included objects, wherein the identified included objects comprise one or more of: a logo, a brand graphic, a login pane, a logo aspect ratio, or a background image; and comparing the identified included objects to the object list.”.

Regarding claim 14, the prior art of Alhumaisan, Woodbridge and Schmidtler when taken in the context of the claim as a whole do not disclose nor suggest, “wherein causing the cybersecurity server to perform the first action comprises setting a first flag; and causing the cybersecurity server to perform the second action comprises setting a second flag, wherein: the first flag and the second flag are set in a cybersecurity database hosted by one of: the computing platform or a central repository, and the cybersecurity database is accessible by the cybersecurity server.”.

Claims 15-18 depends on claim 14 and is/are of consequence identified as allowable.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:  See PTO-892.  
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HASSAN SAADOUN whose telephone number is (571)272-8408. The examiner can normally be reached Mon-Fri 9:00-5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on 571-272-3685. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/HASSAN SAADOUN/Examiner, Art Unit 2435  

/JOSEPH P HIRL/Supervisory Patent Examiner, Art Unit 2435