DETAILED ACTION
This action is response to communication:  response original application filed on 08/23/2021.
Claims 1-20 are currently pending in this application.  
The IDS filed on 08/23/2021 has been accepted.  
	
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-18 of U.S. Patent No. 11/140,191. Although the claims at issue are not identical, they are not patentably distinct from each other because all the limitations of the current claims are found in the parent patent. 

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows: 
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 16-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  
As per claims 16-20 the claims are directed toward a computer-readable storage medium.  It is well known in the art that such mediums may be directed toward carrier signals and waves, which are directed toward non-statutory subject matter.  The applicant’s specification does not limit the mediums to non-transitory mediums, and thus, the claims are rejected under 101.  The applicants may overcome this rejection by limiting the mediums in the specification to non-transitory computer readable mediums, or may amend the claims limiting the subject matter toward non-transitory computer readable mediums. 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1, 3, 5-9, 11, 13-17, 19, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Chapman US Patent Application Publication 2013/0198846 (Chapman), in view of O’Connor US Patent Application Publication 2016/0352772 (O’Connor)
As per claim 1, Chapman teaches a method for testing security of a computer system, the method comprising: generating a plurality of phishing domain names associated with a target entity (paragraph 24 with generating web pages; see Figure 5; see also paragraph 41 ); and implementing a test phishing campaign (abstract, paragraph 42-43, and throughout with implementing phishing susceptibility testing with the webpages).  
Although Chapman teaches generating webpages and using them for a phishing campaign, Chapman does nto explicitly teach wherein the domain names are based on legitimate domain names and rating each phishing domain name of the plurality of phishing domain names based on a visual similarity of the phishing domain name to the legitimate domain name.  However, this would have been obvious to one of ordinary skill in the art.  Chapman, throughout the reference, teaches testing the susceptibility of users to phishing.  As known to one of ordinary skill in the art, phishing is more successful when the phishing site looks more legitimate.  As seen in paragraphs 5 and 6 of Chapman, fake websites have the look and feel of legitimate websites.  It would have been obvious to one of ordinary skill in the art to include the domain name itself looking legitimate. However, for a further teaching on rating the similarity of domain names, see O’Connor (paragraphs 17 and 18 with malicious domain names including similar domain names; edit distance and regular expression techniques are used for analysis; see paragraphs 78-81 for edit distance and regular expression ratings).  See further paragraph 63 wherein phishing pages are to impersonate legitimate web pages.
At the time the invention was filed, it would have been obvious to one of ordinary skill in the art to combine the teachings of O’Connor with Chapman.  One of ordinary skill in the art would have been motivated to perform such an addition to provide more security by protecting users (paragraphs 16 and 17).
As per claim 3, the Chapman combination eaches wherein the rating of each phishing domain name of the plurality of phishing domain names is based, at least in part, on a visual similarity between the legitimate domain name and the phishing domain name (see O’Connor paragraphs 78-81 with edit distance and regular expression).
As per claim 5, the Chapman combination teaches building a plurality of phishing communciations that each references a different phishing domain name of the plurality of phishing domain names, and transmitting the plurality of phishing communications to the target entity (Chapman paragraph 24 and Figure 5 with multiple e-mails sent and multiple web pages sent; see also paragraph 41 and 42 with multiple emails sent to different groups with different content; see also paragraph 55, 61, 62, 67, with customization and selection of web pages based on admin/user choice; see also paragraph 12 wherein webpages are customized to appeal to particular company’s employees).
As per claim 6, the Chapman combination teaches receiving one or more responses to teach of the plurality of phishing communications, and collecting information based on the one or more responses (Chapmna paragraph 76; also see paragraph 17 with monotiring responses and providing analysis of responses).
As per claim 7, it would have been obvious over the Chapman combination further comprising determining a time to implement the test phishing campaign based on an indication of when network traffic or an email count is relatively high, wherein the implementing of the test phishing campaign is initiated at the time (obvious over Chapman; the Chapman combination teaches determining a time to implement the test phishing capmgain based on a time as seen in paragraph 53, 88, and throughout; see further paragraph 69-71 with different factors taken into consideration when sending phshing emails; for example, paragraph 71 with with sending more phishing emails to those who are susceptible).
As per claim 8, the Chapman combination teaches wherein the implement of the test phishing campaign comprises initiating two ormore email, instant messaging, phone call, a text message, or a social network communication with the target entity (Chapman paragraph 71 with two or more emails; also see paragraph 78, 79 with text or social network communication).  
 Claim 9 is rejected using the same basis of arguments used to reject claim 1.
Claim 11 is rejected using the same basis of arguments used to reject claim 3 above.
Claim 13 is rejected using the same basis of arguments used to reject claim 5 above.
Claim 14 is rejected using the same basis of arguments used to reject claim 6 above.
Claim 15 is rejected using the same basis of arguments used to reject claim 7 above.
Claim 16 is rejected using the same basis of arguments used to reject claim 1 above.
Claim 17 is rejected using the same basis of arguments used to reject claim 3 above.
Claim 19 is rejected using the same basis of arguments used to reject claim 5 above.
Claim 20 is rejected using the same basis of arguments used to reject claim 6 above.

Claim(s) 2 and 10 are rejected under 35 U.S.C. 103 as being unpatentable over the Chapman combination as applied above, and further in view of Miller US Patent Application Publication 2014/0115704 (Miller).
As per claim 2, the Chapman combination teaches utilizing phishing domains to look like legitimate domain names, and further teachings utilizing multiple transformation changes (see O’Connor paragraphs 78-81), but does not explicitly teach utilizing homogloyphic transformation changes.  However, utilizing homoglyphic transformations in phishing is well known in the art.  For example, see Miller (paragarph 1, 14, and throughout, wherein homoglyphs are a well known way to phish).
At the time the invention was filed, it would have been obvious to one of ordinary skill in the art to combine the teachings of the Chapman combination with Miller.  One of ordinary skill in the art would have been motivated to perform such an addition to create spoofed domain names that look the same as a real domain name (paragraph 1).  
Claim 10 is rejected using the same basis of arguments used to reject claim 2 above.

Claim(s) 4, 12, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over the Chapman combination as applied above, and further in view of Myers et al. US Patent Application Publication 2009/0055642 (Myers).
As per claim 4, the Chapman combination teaches the rating of each phishing domain name (see rejection above), but does not explicitly teach a phishing domain based on a phonic of the phishing domain name.  However, utilizing phishing domains with similar sounds are notoriously well known in the art.  For example, see Myers (paragraph 7 with phishing domain names with similar sound).
At the time the invention was filed, it would have been obvious to combine the teachings of the Chapman combination with Myers.  One of ordinary skill in the art would have been motivated to perform such an addition to fool users by using similar sounds (paragraph 7 of Myers).
Claim 12 is rejected using the same basis of arguments used to reject claim 4 above.
Claim 18 is rejected using the same basis of arguments used to reject claim 4 above.


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JASON KAI YIN GEE whose telephone number is (571)272-6431.  The examiner can normally be reached on Monday-Friday 8:30-5:00 PST Pacific.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on (571) 272-3739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/JASON K GEE/Primary Examiner, Art Unit 2495