DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This action is in response to communication filed 09/08/2022. Claims 1-2, 8-10 and 14 are amended and claims 1-20 remain pending.

Response to Arguments
Applicant’s arguments, see Remarks: pages 9-10 (with regard to Jeyakumar), filed 09/08/2022, with respect to the rejection(s) of amended claim(s) 1, 9 and 14 under 35 U.S.C. 103 have been fully considered and are persuasive.
Therefore, the rejection of claims 1-20 has been withdrawn.  However, upon further consideration of claims 1-13, a new ground(s) of rejection is made in view of Mushtaq further in view of Rehfuss.

Claim Rejections - 35 USC § 112
1.	The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1-13 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. Claims 1, 9 and 14 contain subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. 
Claims 1 and 9 disclose 
“receiving, by a server computer system, a first set of Internet domain names and a second, different set of Internet domain names; 
generating, by the server computer system, a first set of screenshots for user interfaces associated with the first set of Internet domain names and a second set of screenshots for user interfaces associated with the second, different set of Internet domain names; 
training, by the server computer system, a first machine learning module that is customized for the first set of Internet domain names using the first set of screenshots and a second machine learning module that is customized for the second, different set of Internet domain names using the second set of screenshots to identify whether user interfaces accessed by a computing device match a user interface associated with at least one of the first and second sets of Internet domain names”.
Throughout the specification, only one set of Internet domain names (set 132 - par. 26, 46 or 61) is being explicitly received. 
A showing of explicit or implicit support in the original disclosure overcomes this rejection. 
For examination, at least an implicit support is presumed.

2.	The following is a quotation of 35 U.S.C. 112(b):


(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-13 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being incomplete for omitting essential steps, such omission amounting to a gap between the steps.  See MPEP § 2172.01.  

Claims 1 and 9 recite “receiving, … a first set of Internet domain names and a second, different set of Internet domain names”. As one option, Applicant may amend and include any omitted steps that amount to a gap between receiving and generating to clarify “a first set of Internet domain names and a second, different set of Internet domain names”.
For examination, “a first set of Internet domain names and a second, different set of Internet domain names” is equivalent to a list of URLs/training set.

Claims 3, 4, 6, 11, 12 and 13 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Claims 3, 4, 6, 11, 12 and 13 recite the limitation “the set”.  There is insufficient antecedent basis for this limitation in the claim.
For examination, “the set” is interpreted to be either one of the first or the second sets (in light of the specification, set 132).


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-13 are rejected under 35 U.S.C. 103 as being unpatentable over Kumar, US2019/0104154 in view of Mushtaq, US11146576, further in view of Rehfuss, US2006/0123478.

Per claim 1, Kumar discloses a method, comprising: 
receiving, by a server computer system, a first set of Internet domain names and a second, different set of Internet domain names (the training process begins upon receipt of a list of labeled URLs. The list of URLs resolves to webpages that are generally known to be typically targeted for use in phishing attacks such as login webpages of banks or other online accounts of well-known companies such as Apple iTunes®, Spotify®, Netflix®, etc. The list of URLs (wherein the set of URLs is referred to as the “training set”) may be obtained or updated periodically or aperiodically for training of the PDAS classifier logic so as to reflect commonly visited websites – Kumar: par. 0019 – Note: a list of URLs/training set comprising authentic family webpages and those webpages that are closely similar to family webpages); 
generating, by the server computer system, a first set of screenshots for user interfaces associated with the first set of Internet domain names and a second set of screenshots for user interfaces associated with the second, different set of Internet domain names (The PDAS may obtain a plurality of screenshots corresponding to a webpage associated with a URL, each such screenshot corresponding to a browser/operating system combination. A screenshot of the webpage to which each URL resolves is obtained by the PDAS, which then utilizes computer vision techniques to detect keypoints, determine keypoint descriptors and generate a feature vector for each screenshot. A feature may be interpreted as a set of keypoints and their corresponding keypoint descriptors that indicate a point of interest within the screenshot (e.g., a logo or a portion thereof). A feature vector includes the plurality of features detected within a screenshot. some embodiments, methods other than a vector may be used to store and organize the features, such as a matrix or other data structure within memory – Kumar: par. 0019); 
training, by the server computer system, a first machine learning module that is customized for the first set of Internet domain names using the first set of screenshots and a second machine learning module that is customized for the second set of internet domain names using the second set of screenshots (The features of each screenshot are inserted into separate vectors and labeled according to the webpage family to which the URL corresponding to the feature vector belongs. The plurality of labeled feature vectors are then used by the PDAS to generate a model using machine learning – Kumar: par. 0019) to identify whether user interfaces accessed by a computing device match a user interface associated with at least one of the first and second sets of Internet domain names (During the machine learning in generating the model, the training typically involves a plurality of webpages from the same webpage family and the system is trained to recognize family membership through identifying keypoints shared (high correlation) across those “labeled” webpages. The detection of those keypoints, including their location within the corresponding webpage, is key to later classification of an “unlabeled” webpage as being a member of the family to which it purports to be a member (through visual similarity) – Kumar: par. 0020).
In the alternative where one argues “training, by the server computer system, a first machine learning module that is customized for the first set of Internet domain names using the first set of screenshots and a second machine learning module that is customized for the second set of internet domain names using the second set of screenshots to identify whether user interfaces accessed by a computing device match a user interface associated with at least one of the first and second sets of Internet domain names” is not inherent, Mushtaq discloses multiple machine learning modules/classifiers. Mushtaq discloses a brand name credential stealing detection classifier module 140 (first stage classification), a custom credential stealing detection classifier module 150 (second stage classification): “In Stage 1, the system may determine whether the Candidate Page is a look-alike page of a known brand page that appears to be an exact replica of the brand page. If it is a look-alike page posing as a brand page, it may be labeled as a Brand-based Credential Stealing page. However, even if the Candidate Page does not appear to be an exact replica of a known brand page, there still is a chance that it is a fake or impostor page (i.e. a Custom Credential Stealing Page). This is where Stage 2 may come into play. In Stage 2, the system may determine whether the Candidate Page falls under the Custom Credential Stealing category” – Mushtaq: col. 14, lines 28-38 and Fig. 1-4. Mushtaq further discloses “As part of this second stage classification, a Candidate Page is cross compared with known Custom Credential Stealing Pages and known brand logos. The classification model may comprise one or more classifiers. Classification may be based on a supervised or self-learning machine learning models that has only two outcomes—either it is a Custom Credential Stealing Page or it is a Benign Page” – Mushtaq: col. 17, lines 63-67 and col. 18, lines 1-3).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Kumar in view of Mushtaq to include training, by the server computer system, a first machine learning module that is customized for the first set of Internet domain names using the first set of screenshots and a second machine learning module that is customized for the second set of internet domain names using the second set of screenshots to identify whether user interfaces accessed by a computing device match a user interface associated with at least one of the first and second sets of Internet domain names.
One of ordinary skill in the art would have been motivated because it would allow “automatically analyze a web page to detect both brand-based and custom credential stealing attacks in order to address this specific technical problem related to the use of replica or fake webpages to steal sensitive or confidential user information” – Mushtaq: col. 2, lines 14-20.
Kumar and/or Mushtaq are not relied on to disclose but Rehfuss discloses transmitting, by the server computer system to the computing device, at least one of the machine learning modules, wherein the at least one transmitted machine learning module is executable by an application executing on the computing device (The algorithms can be generated and/or updated at the data center 202, and then distributed to the client device 204 as an update to the detection module 220. An update to the detection module 220 can be communicated from the data center 202 via communication network 206, or an update can be distributed via computer readable media, such as a CD (compact disc) or other portable memory device…. Detection module 420 associated with a Web browsing application 410 is implemented to detect phishing when a user interacts with the Web browsing application 410 through a Web browsing user interface (e.g., Web browser user interface 110 shown in FIG. 1). Detection module 420 associated with the Web browsing application 410 implements features for phishing detection, prevention, and notification of fraudulent, deceptive, and/or phishing Web sites – Rehfuss: par. 0031-0032 and 0064-0065– Note: A detection module 220 (as an integrated component of a messaging application of client device 404) and/or 420 (as an integrated component of a web browsing or as a browsing toolbar plugin on the client device 404) can implement machine learning component to determine whether a Web page or message is suspicious or contains phishing content… the machine learning component can implemented with discriminative training).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Kumar and Mushtaq further in view of Rehfuss to include transmitting, by the server computer system to the computing device, at least one of the machine learning modules, wherein the at least one transmitted machine learning module is executable by an application executing on the computing device.
One of ordinary skill in the art would have been motivated because it would allow warning the user of the client device 404, for example, when a webpage is rendered for user interaction: “Warning: this Web site contains an address name for districbanc.com, which, to the best of our knowledge, is not affiliated with Districbank. Please use caution if submitting any personal or financial information about a DistricBank account" or when clicking on an IP address link included on a Web page: "Warning: the link you clicked on is an IP address. This kind of link is often used by phishing scams. Be cautious if the Web page asks you for any personal or financial information" or when a web blocking or allowing the user to visit a site does not provide the user with enough information to consistently make the correct decision. As such, informing the user of the reason(s) for suspicion provides a user with enough information to make an informed decision” - Rehfuss: par. 0070-0071.

Per claim 9, it recites a non-transitory computer-readable medium having instructions stored thereon that are executable by a server computing device to perform operations comprising the method steps recited in claim 1.
Therefore, claim 9 is rejected based on the same analysis and motivation to combine as set forth in the rejection of claim 1 above. 

Per claims 2 and 10,  Kumar, Mushtaq and Rehfuss disclose features of claims 1 and 9, wherein the training the first machine learning module includes: 
determining, based on the screenshots, a plurality of attributes of the user interfaces associated with the first set of Internet domain names (for each screenshot, the feature generation logic 106 is responsible for: (1) detecting keypoints within the screenshot, (2) generating keypoint descriptors based on the detected keypoints, and (3) generating a feature vector that includes the generated keypoint descriptors. The feature generation logic 106 uses computer vision techniques to detect the keypoints – Kumar: par. 0047), wherein the plurality of attributes include one or more of: input attributes, location attributes, and style attributes (the feature generation logic 106 detects keypoints within the subject screenshot and generates a feature vector based on the detected keypoints – Kumar: par. 0053 – Note: A keypoint descriptor may include a set of one or more parameters that describe the keypoint such as keypoint center coordinates x and y relative to the screenshot, a scale (e.g., being a radius of a circular image region, when applicable), and/or an orientation determined by the gradient of the pixel greyscale within the keypoint – par. 0018); and 
inputting the determined plurality of attributes to the first machine learning module during training (The classifier 112 uses the feature vector of the subject screenshot as an input to the model generated during training – Kumar: par. 0060).

Per claims 3 and 11,  Kumar, Mushtaq and Rehfuss disclose features of claims 1 and 9, wherein the generating includes: 
identifying, based on program code of user interfaces associated with domain names included in the set, one or more user interfaces that include requests for personal information of a user of the computing device (the training process begins upon receipt of a list of labeled URLs. The list of URLs resolves to webpages that are generally known to be typically targeted for use in phishing attacks such as login webpages of banks or other online accounts of well-known companies such as Apple iTunes®, Spotify®, Netflix®, etc. – Kumar: par. 0019); and 
capturing screenshots of user interfaces that include requests for personal information (The list of URLs (wherein the set of URLs is referred to as the “training set”) may be obtained or updated periodically or aperiodically for training of the PDAS classifier logic so as to reflect commonly visited websites. The PDAS may obtain a plurality of screenshots corresponding to a webpage associated with a URL, each such screenshot corresponding to a browser/operating system combination. A screenshot of the webpage to which each URL resolves is obtained by the PDAS, which then utilizes computer vision techniques to detect keypoints, determine keypoint descriptors and generate a feature vector for each screenshot – Kumar: par. 0019).

Per claims 4 and 12, Kumar, Mushtaq and Rehfuss disclose features of claims 1 and 9,  wherein, in response to identifying that the user interface accessed by the computing device matches a user interface associated with the set of Internet domain names (the feature vector of the subject screenshot is analyzed using the model to determine a set of confidences, with each confidence corresponding to a separate labeled feature vector corresponding to the training set; thus, providing an understanding of the webpage family having the highest confidence (e.g., which webpage family, and specifically, which webpage, is most likely being mimicked by the subject screenshot) – Kumar: par. 0026, the application is executable to verify an address used by the computing device to access the user interface, wherein the computing device accesses the user interface via a web browser, and wherein the user interface accessed by the computing device is a webpage (At block 802, content is received from a network-based resource. For example, a Web browsing application 410 (FIG. 4) generates a Web browser user interface (e.g., Web browser user interface 110 shown in FIG. 1) such that a user at client device 404 can request and receive Web pages and other information from a network-based resource, such as a Web site or domain. At block 804, a user interface of a Web browsing application is rendered to display the content received from the network-based resource. [0106] At block 806, a suspicious user-selectable link is detected in the content. For example, the detection module 420 (FIG. 4) can detect that a suspicious user-selectable link may be a link to an additional network-based resource, a URL (Uniform Resource Locator), and/or an email address. The user-selectable link can be detected as being similar to a known fraudulent target, as including suspicious text content, and/or including suspicious text content in a title bar of the user interface of the Web browsing application – Rehfuss: par. 0105-0106).
The same motivation to modify Kumar and Mushtaq further in view of Rehfuss applied to claim 1 above applies here.

Per claim 5, Kumar, Mushtaq and Rehfuss disclose the method of claim 4, wherein the application is a browser plugin module installed on the computing device (Client device 404 includes a detection module 420 that can be implemented as a browsing toolbar plug-in for a Web browsing application 410 to implement phishing detection, prevention, and notification. The detection module 420 can be implemented as any one or combination of hardware, software, firmware, code, and/or logic in an embodiment of phishing detection, prevention, and notification – Rehfuss: par. 0063) that is executable to download one or more machine learning modules from the server computer system, and wherein the address is a uniform resource locator (URL) that is usable by the web browser to display the webpage (A detection module 220 and/or 420 can implement the machine learning component to determine whether a Web page or message is suspicious or contains phishing content. Inputs to a machine learning module can include the full text of a Web page, the subject line and body of an email message, any inputs that can be provided to a spam detector, and/or the title bar of the Web page. Additionally, the machine learning component can implemented with discriminative training.… the detection module 420 (FIG. 4) can detect that a suspicious user-selectable link may be a link to an additional network-based resource, a URL (Uniform Resource Locator), and/or an email address – Rehfuss: par. 0094 and 0106) – Note: the algorithms can be generated and/or updated at the data center 202, and then distributed to the client device 204 as an update to the detection module 220 – par. 0031).
The same motivation to modify Kumar and Mushtaq further in view of Rehfuss applied to claim 1 above applies here.

Per claims 6 and 13, Kumar, Mushtaq and Rehfuss disclose features of claims 1 and 12, wherein the server computer system trains a plurality of machine learning modules based on the set of Internet domain names including multiple domain names (The logic flow 100 of the training process illustrates the flow of data among logic modules of the PDAS 400, as seen in FIG. 4, in order to train a classifier 112 (e.g., CV classifier) for use in detecting URLs that resolve to phishing websites – Kumar: par. 0043).

Per claim 7, Kumar, Mushtaq and Rehfuss disclose the method of claim 1, further comprising: receiving, from the computing device, a report indicating suspiciousness of the user interface accessed by the computing device, wherein the report includes at least geolocation information of the computing device (Detection module 420 can also be implemented to determine the country or IP range in which a Web server is located to further detect phishing Web sites on the basis of historical phishing behavior of that country or IP range. This can be accomplished using any one or more of the associated IP information, Whois information (e.g., to identify the owner of a second-level domain name), and Traceroute information. The location of a user can be determined from an IP address, registration information, configuration information, and/or version information – Rehfuss: par. 0082) and a screenshot of the user interface (A warning message 618 can be generated for display on display device 616. The warning message 618 is merely exemplary, and any type of warning, be it text, graphic, audible, or any combination thereof, can be generated to warn a user of a possible phishing attack – Rehfuss: par. 0095).
The same motivation to modify Kumar and Mushtaq further in view of Rehfuss applied to claim 1 above applies here.

Per claim 8, Kumar, Mushtaq and Rehfuss disclose the method of claim 1, wherein the first and second machine learning modules are machine learning classifiers.
Therefore, claim 8 is rejected based on the same analysis and motivation to combine as set forth in the rejection of claim 1 above.

Allowable Subject Matter
Claims 14-20 are allowed. Reason for allowance will be furnished in a Notice of Allowance action, when claims 1-13 are in condition for allowance. 

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Goodman (US2007/0039038) 
Mushtaq (US10404723) is directed to detecting credential stealing attacks.
Cleveland (US2019/0014149) is directed to phishing detection.
Gupta (US2014/0359760) is directed to detecting phishing webpages.
Mushtaq (US10764313) is directed protection against network-based cyber threats.
Buck (US2020/0287913) is directed to domain name and URL visual verification.
Dalal (US10679088) is directed to visual domain detection.
Leddy (US2020/0067861) is directed to scam evaluation.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AREZOO SHERKAT whose telephone number is (571)272-8533. The examiner can normally be reached Monday - Friday 8:30-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung Kim can be reached on 571 - 272 - 3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/AREZOO SHERKAT/            Examiner, Art Unit 2494