DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This is in response to Application with case number 17/073986 in which claims 1-20 are presented for examination.
Status of Claims
	Claims 1-20 are pending, of which claims 1, 9, and 16 are in independent form.	
Specification
The examiner notes that the Specification does not include any URL links and Trademark terms requiring capitalization.
The examiner notes that the abstract is in narrative form and is limited to a single paragraph on a separate sheet within the range of 50 to 150 words in length. 
IDS
References cited in the IDS filed on 10/19/2020 and 5/2/2022 have been considered by the examiner.
Allowable Subject Matter
Claim(s) 3, 4, 11, 12, 17, 18 is/are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
The following is a statement of reasons for the indication of allowable subject matter: Regarding claims 3, 11, and 17, further search and the references of record do not explicitly teach the following limitation in claims 3, 11, and 17: “wherein the machine-learning algorithm is Naive Bayes algorithm that uses the website gateway data and the threat data as inputs to a learned Naive Bayes model, wherein the learned Naive Bayes model comprises a plurality of attributes, a plurality of class probabilities, and a plurality of conditional probabilities based on the web gateway data and the threat data, and wherein the plurality of attributes comprise a cyberattack campaign attribute, a secure website reputation attribute, a secure website category attribute, and a malicious content presence attribute”.
Regarding claims 4, 12, and 18, Palazzo et al. (US 2016/0255105 A1) teaches “determining a number of user connection attempts to access the predetermined website using end user data” in para. [0089], but the combination of Spacek (“Current Issues of Malicious Domains Blocking”, 2019) and Abu (US 2017/0026391 A1) does not explicitly teach “wherein the end user data is obtained from a plurality of end user logs that are located on the plurality of user devices; and determining the impact level based on the number of user connection attempts”.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1, 2, 8-10, 16 is/are rejected under 35 U.S.C. 103 as being unpatentable over Spacek et al. (“Current Issues of Malicious Domains Blocking”, 2019) hereinafter Spacek, in view of Abu-Nimeh (US 2017/0026391 A1) hereinafter Abu. 
As to claim 1, Spacek teaches a method (see Fig. 2 regarding DNS RPZ handling a blocked website unblock request message), comprising: 
obtaining, by a computer processor, a request to unblock a predetermined website in a network and that is associated with a predetermined list (e.g., DNS firewall blacklist disclosed in page 554, LHS, second para.), wherein the predetermined list is used to determine whether a respective user device among a plurality of user devices can access one or more websites (see page 554 LHS, 2nd para. “These anomalies encompass infected devices trying to connect their C&C servers…”, 3rd para lines 10-14 for submitting complaint and delisting request); and
transmitting, by the computer processor and in response to determining that the predetermined website should be unblocked, a command that modifies the predetermined list to enable at least the respective user device of the plurality of user devices to access the predetermined website (see page 554, LHS para. 3, lines 13-15); and
determining, by the computer processor, whether to unblock the predetermined website based on the impact level and the probability of a security breach (see page 554, LHS, paragraph 3 line 13).
Spacek does not explicitly teach, but Abu teaches, the following limitations:
determining, by the computer processor, an impact level of the predetermined website (e.g. domain or IP address) for an organization using a machine-learning algorithm (see para. [0006] for machine learning approaches to security problems) and website gateway data (see claim 2 for threat feeds, DNS logs, HTTP Logs and para. [0026]; see para. [0032] “In one embodiment, when prompted, the automated service 120 may produce a detailed output listing Malice Scores and Malicious Components 180 as well as Network Risk Reports 190. Malice Scores may be numbers ranging from 0, indicating benign traffic, and 1, indicating malicious traffic. Malicious Components may include IP addresses, domain names, network blocks, and URLs. The service may also include a reason why such traffic was classified as malicious. Network Risk Reports may include an updated list of IPs, domains, and CIDRs that have high threat scores.”; see also para [0002], [0026] and [0027]); 
determining, by the computer processor, a probability of a security breach using the machine-learning algorithm and threat data (see para. [0103]). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Spacek and Abu before him or her, to modify the scheme of Spacek by including Abu. The suggestion/motivation for doing so would have been to alleviate the burden of detection and prediction of a threat of online transaction by using machine learning based automated process of classification/identification/prediction of an attack, as briefly discussed in para. [0006] of Abu.
Claims 10 and 16 include similar limitations as claim 1, and thus claims 10 and 16 are rejected under the same rationale as in claim 1.

As to claim 2, in view of claim 1, Spacek teaches wherein the predetermined list is a blacklist stored in a domain name system (DNS) server that manages DNS records for a network, and wherein the command removes the predetermined website from the blacklist (see page 551, LHS para. 3 “a DNS firewall, able to distinguish whether a malicious or a benign domain is being translated and prevent potentially harmful connection”).
As to claim 10, in view of claim 9, Spacek teaches wherein the predetermined list is a whitelist stored in a web gateway server (see page 551 RHS first and second para. The examiner sees no difference between whitelist and blacklist in that whitelist could be all the websites other than the blacklist.), and wherein the command adds the predetermined website to the whitelist (see page 551 LHS para. 3; The examiner sees no difference between removing a site from blacklist and adding a list to a whitelist since adding a website can be achieved by removing an item from a blacklist.).
As to claim 8, in view of claim 1, Spacek teaches wherein the request is transmitted to a server by a user device among the plurality of user devices, wherein the computer processor is located on the server, and wherein the server stores the web gateway data and the threat data (see page 551 RHS first and second paragraphs “We fitted our DNS firewall with the blacklist and logged events on our network …”).

Claim(s) 5, 13, 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Spacek, in view of Abu, and further in view of Paturi et al. (WO 2019/144039 A1) hereinafter Paturi.
As to claim 5, in view of claim 1, the combination of Spacek and Abu does not explicitly teach but Paturi teaches “further comprising: obtaining, from a threat intelligence server, external threat data regarding one or more security vulnerabilities; and obtaining, from within the network, internal threat data based on one or more cybersecurity attacks against the network, and wherein the threat data comprises the external threat data and the internal threat data” (see para. [0050] “The service provider responsible for quantifying the security risk for its clients (organizations) creates and manages such Master TTE index…the master TTE index is a mapping of known vulnerabilities, threats, indicators of compromise (IoCs), …combined with publicly available security incident databases.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Spacek, Abu, Paturi before him or her, to modify the scheme of Spacek and Abu by including Paturi. The suggestion/motivation for doing so would have been to more accurately assess the cyber risk on a target enterprise based on threat data from the organization as well as threat data from outside organizations, as briefly mentioned in Paturi para. [0026], [0027].
Claims 13 and 19 include similar limitations as claim 5, and thus claims 13 and 19 are rejected under the same rationale as in claim 5.

Claim(s) 6, 14, 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Spacek, in view of Abu, and further in view of Kudtarkar et al. (US 2021/0092596 A1) hereinafter Kudtarkar.
As to claims 6, 14, and 20, in view of claims 1, 9, and 16, respectively, the combination of Spacek and Abu does not explicitly teach but Kudtarkar teaches “wherein the web gateway data comprise website reputation data and website category data, and wherein the web gateway data is obtained from a URL category database located outside the network” (see [0044] “In operation 408, the security platform 132 may access the database 214 based on one or more aspects of the received network parameter from the home network 104 or mobile device 126. For example, the security platform 132 may obtain a requested webpage or URL from the received request and, based on the obtained URL, access one or more entries in the database 214 associated with the URL. Entries in the database 214 may include a reputation, a category, a security risk score, and the like associated with the URL. In another example, the security platform 132 may obtain, from the request, an identifier of a file or other downloaded content from a device of the Internet 108. The security platform 132 may utilize the identifier of the file or other content to access one or more entries in the database 214 to obtain information of the requested file, such as a reputation, category, risk of the file containing a virus, etc. In general, any aspect of the received request may be used by the security platform 132 to access entries in the database 214 for application of one or more security features, such as a destination IP address, a URL, a webpage identifier, a file identifier, an Internet device identifier, and the like.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Spacek, Abu, Kudtarkar before him or her, to modify the scheme of Spacek and Abu by including Kudtarkar. The suggestion/motivation for doing so would have been to collect useful information needed for a risk score pertinent to a website using a URL and a database storing information on URL’s reputation, risk, and category.
Claim(s) 7, 15 is/are rejected under 35 U.S.C. 103 as being unpatentable over Spacek, in view of Abu, and further in view of Tang (US 2021/0194909 A1).
As to claim 7, in view of claim 1, the combination of Spacek and Abu does not explicitly teach but Tang teaches “further comprising: obtaining, from a plurality of antivirus engines disposed on the plurality of user devices, antivirus engine data, wherein the antivirus engine data is used by the machine-learning algorithm to determine the impact level and the probability of the security breach” (see claims 30 and 31; It is noted that the host security logs can be collected from an anti-virus software or a data leakage protection agent.).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Spacek, Abu, Tang before him or her, to modify the scheme of Spacek and Abu by including Tang. The suggestion/motivation for doing so would have been to effectively perform security analysis using a machine learning algorithm model based on data from security logs by being able to identify an attack behavior related to an abnormal feature(s), as briefly discussed in Tang para. [0005]-[0016].
Claim 15 includes similar limitations as claim 7, and thus claim 15 is rejected under the same rationale as in claim 7.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HEE K SONG whose telephone number is (571)270-3260. The examiner can normally be reached on M-F 9:00 am – 5:00 pm. 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni Shiferaw, can be reached on (571)272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-7291.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/HEE K SONG/Examiner, Art Unit 2497