Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on
sale, or otherwise available to the public before the effective filing date of the claimed invention.
(a)(2) the claimed invention was described in a patent issued under section 151, or in an
application for patent published or deemed published under section 122(b), in which the patent or
application, as the case may be, names another inventor and was effectively filed before the
effective filing date of the claimed invention.

Claims 1, 3-6 and 8 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by N.P.L. “CrawlPhish: Large-scale Analysis of Client-side Cloaking Techniques in Phishing” (hereinafter “Zhang”).
Per claim 1, Zhang teaches “A method, comprising: receiving, by a process executing on a computer system, a request to access a website (Page 3, Paragraph 8: CrawlPhish first collects web page source code (along with any external file inclusions) by visiting live phishing website); altering, by the process, the request to include one or more characteristics of anti-malware scanners; sending, by the process, the altered request to the website (Page 6, Paragraph 3: CrawlPhish can also reveal phishing content hidden behind multiple layers of cloaking… a cloaking technique that detects malicious content.); receiving, by the process, a response to the altered request; detecting, by the process, whether the received response utilizes one of a known set of anti-malware cloaking techniques (Abstract: CrawlPhish, a framework for automatically detecting and categorizing client-side cloaking used by known phishing websites); and providing, by the process based on the detecting, an output indicative of an outcome of the altered request (Page 12, Paragraph 7: Once we established that the cloaking techniques discovered by CrawlPhish … the corresponding JavaScript code for each technique tested were sent to the major anti-phishing blacklist operators (By adding a phishing webpage to a database of blacklist websites the CrawlPhish apparatus will prevent a browser from accessing these malicious webpages.)).”
Per claim 3, Zhang teaches “The method of claim 1, further comprising: sending, by the process, an unaltered version of the request to the website; and receiving a different response for the unaltered request (Page 5, Paragraph 7: CrawlPhish examines the visual similarity between force executed (phishing webpage detects anti-malware scanner) screenshots and a screenshot of the website rendered in an unmodified version of WebKitGTK+ (i.e., as would be shown during a normal browser visit (phishing webpage doesn’t detect anti-malware scanner)) to detect if cloaking exists. For example, consider a phishing website that asks visitors to click on a button in a pop-up window prior to showing the phishing content. After forced execution, two different execution paths result in two different screenshots: one as an initial benign-looking page (Figure 4a), and the other with phishing content (Figure 4b). Therefore, we consider a phishing website as cloaked if any of the screenshots taken during forced execution noticeably differ from the original one.).”
Per claim 4, Zhang teaches “The method of claim 3, wherein the detecting includes comparing, by the process, the received response to the different response (Page 5, Paragraph 7: CrawlPhish examines the visual similarity between force executed (phishing webpage detects anti-malware scanner) screenshots and a screenshot of the website rendered in an unmodified version of WebKitGTK+ (i.e., as would be shown during a normal browser visit (phishing webpage doesn’t detect anti-malware scanner)) to detect if cloaking exists. For example, consider a phishing website that asks visitors to click on a button in a pop-up window prior to showing the phishing content. After forced execution, two different execution paths result in two different screenshots (comparing the received response to the different response): one as an initial benign-looking page (Figure 4a), and the other with phishing content (Figure 4b). Therefore, we consider a phishing website as cloaked if any of the screenshots taken during forced execution noticeably differ from the original one.).”
Per claim 5, Zhang teaches “The method of claim 1, wherein the altering includes: accessing a database that includes the one or more characteristics of anti-malware scanners and respective information associated with the included characteristics; and selecting the one or more characteristics using the respective information (Page 6, Paragraph 5: CrawlPhish maintains a cloaking technique database that contains the code structure features for each instance of cloaking, annotated with the corresponding cloaking semantics. Using the database, CrawlPhish can not only identify known cloaking types, but also provide detailed information about emerging cloaking techniques.).”
Per claim 6, Zhang teaches “The method of claim 5, further comprising updating, by the process, the respective information associated with the selected one or more characteristics based on the outcome of the request (Page 6, Paragraph 5: CrawlPhish maintains a cloaking technique database that contains the code structure features for each instance of cloaking, annotated with the corresponding cloaking semantics. Using the database, CrawlPhish can not only identify known cloaking types (based off the cloaking outcome), but also provide detailed information about emerging cloaking techniques.).”
Per claim 8, Zhang teaches “The method of claim 1, wherein characteristics of a particular anti-malware scanner include one or more of: an internet protocol (IP) address, a hostname associated with the IP address, an indication of a referrer of the website, and a user agent used to send the request (Page 5, Paragraph 2: CrawlPhish switches between different configurations of IP addresses and user-agents in an effort to circumvent potential server-side cloaking techniques used by phishing websites.).”
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim 2 is rejected under 35 U.S.C. 103 as being unpatentable over N.P.L. “CrawlPhish: Large-scale Analysis of Client-side Cloaking Techniques in Phishing” (hereinafter “Zhang”) and in further view of ORHAN (US 11,470,113 B1).
Regarding claim 2
Zhang does not disclose the following limitation “a deny-list database and a allow-list database; and determining, by the process based on the accessing, that the website is unfamiliar”
ORHAN discloses:
 The method of claim 1, further comprising, prior to the altering: accessing, by the process, a deny-list database and a allow-list database; and determining, by the process based on the accessing, that the website is unfamiliar (Claim 1: A method of data deception to eliminate data-theft through a phishing website comprising … which modifies data in a form submit event in the website, being input by the user or automatically in a random manner in order to disguise authentic content … checking a uniform resource locator (URL) … returning one of three different values by the data deception layer after check: the URL is in whitelist, the URL is in blacklist, the URL is in neither of the list or unknown). 
Given the teaching of ORHAN, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Zhang in order to integrate a feature in which a URL is processed through an allow-list and deny-list database. One of ordinary skill in the art would have been motivated to do so because Nakamoto recognizes that by implementing this feature a URL can be categorized as being unknown if it is not found in an allow-list or deny-list database (Claim 1).
Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over N.P.L. “CrawlPhish: Large-scale Analysis of Client-side Cloaking Techniques in Phishing” (hereinafter “Zhang”) and in further view of Saxe (US 2019/0108338 A1).
Regarding claim 7
Zhang does not disclose the following limitation “wherein the process is a plug-in module for a web browser installed on the computer system”
Saxe discloses:
The method of claim 1, wherein the process is a plug-in module for a web browser installed on the computer system (¶94: The malware detection device can be implemented as a plug-in for an internet browser. The malware detection device can be configured to analyze different website(s) to determine if the websites are malicious.).
Given the teaching of Saxe, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Zhang in order to integrate a feature in which malware detection is implemented into an internet browser. One of ordinary skill in the art would have been motivated to do so because Saxe recognizes that by implementing this feature a browser has the ability to analyze different websites in order to determine if they are malicious (¶94).
Claims 9 and 12-20 are rejected under 35 U.S.C. 103 as being unpatentable over N.P.L. “CrawlPhish: Large-scale Analysis of Client-side Cloaking Techniques in Phishing” (hereinafter “Zhang”) and in further view of Hu (US 2014/0059649 A1).
Regarding claim 9
Zhang does not disclose the following limitation “A non-transitory computer-readable medium having instructions stored thereon that are executable within a browser on a computer system to perform operations comprising: in response to determining that a security risk of a website included in a received access request is undetermined”
Hu discloses: 
A non-transitory computer-readable medium having instructions stored thereon that are executable within a browser on a computer system to perform operations comprising: in response to determining that a security risk of a website included in a received access request is undetermined (¶80: When trying to open a URL which does not have a security attribute value, i.e., other URL of which the security level is unknown or risk, the user terminal browser may not provide an indication of safe browsing. A risk prompt may be popped up.)
Given the teaching of Hu, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Zhang in order to integrate a feature in which a URL is given an unknown security risk if the attributes associated with the URL are unknown. One of ordinary skill in the art would have been motivated to do so because Hu recognizes that by implementing this feature a browser will prompt a user, warning them that the URL they are browsing could be malicious (¶80).
Regarding claim 12
The non-transitory computer-readable medium of claim 9, wherein determining whether the reply includes anti-malware cloaking techniques includes: sending an unmodified version of the received access request to the website; and comparing a different reply associated with the unmodified access request to the reply to the modified access request; and determining whether the reply includes anti-malware cloaking techniques based on the comparing (Refer to claim 4 rejection rationale).
Regarding claim 13
	The non-transitory computer-readable medium of claim 9, wherein selecting the one or more characteristics of anti-malware scanners, includes: accessing a database that includes the one or more characteristics of anti-malware scanners and respective information associated with the included characteristics; and selecting the one or more characteristics using the respective information and information included in the received access request (Refer to claim 5 rejection rationale).


Regarding claim 14
Zhang discloses:
The non-transitory computer-readable medium of claim 13, wherein the operations further comprise updating the database based on the generated output (Page 7, Paragraph 2: Consequently, by comparing the code structure similarity of all suspicious code blocks against records in the database, all known cloaking types can be identified in one website (even if there are multiple types). If the features of a suspicious code block are not sufficiently similar to any record in the database, we will manually examine it, label the cloaking type, and then add it to the database.).
Regarding claim 15
Zhang does not disclose: “By a process executing on a computer system, a request to access a website; accessing, by the process, a first database that indicates security risks of websites that have been classified in response to determining that a security risk of the requested website is undetermined”
Hu discloses:
A method comprising: receiving, by a process executing on a computer system, a request to access a website; accessing, by the process, a first database that indicates security risks of websites that have been classified (¶5: “According to stored webpage security database information, the security server performs security authentication, and returns a security authentication response result of the URL to the user terminal. According to the security authentication response result, the user terminal performs corresponding operations: if the security authentication response result is safe”); in response to determining that a security risk of the requested website is undetermined (¶36: The security authentication response result includes that a security level of the target webpage is unknown and the security level of the target webpage is risk.), 
Given the teaching of Hu, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Zhang in order to integrate a feature in which a system has a database in order to determine a security risk of a URL and determine if the URL has an unknown score. One of ordinary skill in the art would have been motivated to do so because Hu recognizes that by implementing this feature a browser will prompt a user, warning them that the URL they are browsing could be malicious (¶80).
Zhang discloses: 
accessing, by the process, a second database that includes known triggers for anti-malware cloaking techniques; sending, by the process to the website, an altered request that includes one or more known triggers; determining, by the process, whether a received response to the altered request includes one of a known set of anti-malware cloaking techniques; and updating, by the process based on the determining, the first database (Page 6, Paragraph 5: CrawlPhish maintains a cloaking technique database that contains the code structure features for each instance of cloaking, annotated with the corresponding cloaking semantics. Using the database, CrawlPhish can not only identify known cloaking types (based off the cloaking outcome), but also provide detailed information about emerging cloaking techniques; Page 9, Paragraph 6: CrawlPhish compares the code structure features of all snippets flagged by Step 3 with the records in the database to discover all possible cloaking techniques in a given phishing website.).
Regarding claim 16
Zhang discloses:
The method of claim 15, further comprising updating, by the process based on the determining, the second database (Page 7, Paragraph 2: If the features of a suspicious code block are not sufficiently similar to any record in the database, we will manually examine it, label the cloaking type, and then add it to the database, which is the only process that requires manual effort in the CrawlPhish framework.).
Regarding claim 17
Zhang discloses:
The method of claim 15, further comprising, in response to determining that the altered request includes at least one anti-malware cloaking technique: blocking, from a display of the computer system, content received in the response; and displaying, on the display, a warning to a user of the computer system (Page 2, Paragraph 8: Column The anti-phishing backends that display prominent Warnings across major web browsers when phishing is detected. These warnings are primarily blacklist-based (blocked): they rely on content-based detection.).
Regarding claim 18
Zhang discloses:
The method of claim 15, further comprising: sending a different request that includes at least one different known trigger for anti-malware cloaking techniques than the altered request; and receiving a different response to the different request (Page 5, Paragraph 7: CrawlPhish examines the visual similarity between force executed (phishing webpage detects anti-malware scanner) screenshots and a screenshot of the website rendered in an unmodified version of WebKitGTK+ (i.e., as would be shown during a normal browser visit (phishing webpage doesn’t detect anti-malware scanner)) to detect if cloaking exists. For example, consider a phishing website that asks visitors to click on a button in a pop-up window prior to showing the phishing content. After forced execution, two different execution paths result in two different screenshots: one as an initial benign-looking page (Figure 4a), and the other with phishing content (Figure 4b). Therefore, we consider a phishing website as cloaked if any of the screenshots taken during forced execution noticeably differ from the original one.).
Regarding claim 19
Zhang discloses:
The method of claim 18, wherein determining that the received response includes at least one anti-malware cloaking technique includes: comparing the received response to the different response; and detecting differences between the received response and the different response (Page 5, Paragraph 7: CrawlPhish examines the visual similarity between force executed (phishing webpage detects anti-malware scanner) screenshots and a screenshot of the website rendered in an unmodified version of WebKitGTK+ (i.e., as would be shown during a normal browser visit (phishing webpage doesn’t detect anti-malware scanner)) to detect if cloaking exists. For example, consider a phishing website that asks visitors to click on a button in a pop-up window prior to showing the phishing content. After forced execution, two different execution paths result in two different screenshots: one as an initial benign-looking page (Figure 4a), and the other with phishing content (Figure 4b). Therefore, we consider a phishing website as cloaked if any of the screenshots taken during forced execution noticeably differ from the original one.).
Regarding claim 20
Zhang discloses:
The method of claim 18, wherein the different request is sent in response to determining that the received response has no indications of anti-malware cloaking technique (Page 5, Paragraph 7: CrawlPhish examines the visual similarity between force executed (phishing webpage detects anti-malware scanner) screenshots and a screenshot of the website rendered in an unmodified version of WebKitGTK+ (i.e., as would be shown during a normal browser visit (phishing webpage doesn’t detect anti-malware scanner)) to detect if cloaking exists. For example, consider a phishing website that asks visitors to click on a button in a pop-up window prior to showing the phishing content. After forced execution, two different execution paths result in two different screenshots: one as an initial benign-looking page (Figure 4a), and the other with phishing content (Figure 4b). Therefore, we consider a phishing website as cloaked if any of the screenshots taken during forced execution noticeably differ from the original one.).
Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over N.P.L. “CrawlPhish: Large-scale Analysis of Client-side Cloaking Techniques in Phishing” (hereinafter “Zhang”), in view of Hu (US 2014/0059649 A1), and in view of WANG (US 2021/0092155 A1).
Regarding claim 10
Zhang and Hu do not disclose the following limitation “wherein determining that the security risk of the website is undetermined includes: accessing a database that includes a deny-list of websites that have been determined to include malicious content; and determining that the website is currently excluded from the deny-list”
WANG discloses:
The non-transitory computer-readable medium of claim 9, wherein determining that the security risk of the website is undetermined includes: accessing a database that includes a deny-list of websites that have been determined to include malicious content; and determining that the website is currently excluded from the deny-list (Claim 1: The website identified as a security risk based on a whitelist of website addresses).
Given the teaching of WANG, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Zhang and Hu in order to integrate a feature in which a security risk of a URL is based on if a URL is in a whitelist database. One of ordinary skill in the art would have been motivated to do so because WANG recognizes that by implementing this feature a security risk can further evaluate a URL after determining that it is on an allow list (Claim 1).
Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over N.P.L. “CrawlPhish: Large-scale Analysis of Client-side Cloaking Techniques in Phishing” (hereinafter “Zhang”), in view of Hu (US 2014/0059649 A1), and in further view of Kumar (US 10,356,050 B1).
Regarding claim 11
Zhang and Hu do not disclose the following limitation “wherein operations further comprise: accessing a database that includes a allow-list of websites on which no malicious content has been found; and in response to determining that the website is currently included on the allow-list, including user information that is included in the received access request in the modified access request”
Kumar discloses:
The non-transitory computer-readable medium of claim 9, wherein operations further comprise: accessing a database that includes a allow-list of websites on which no malicious content has been found; and in response to determining that the website is currently included on the allow-list, including user information that is included in the received access request in the modified access request (Column 2, Line 58: “At decision block 814 (uses a database), the web request scrubber determines whether the intended recipient is represented in a whitelist (allowed) maintained by the web request scrubber … If the intended destination is in the set of intended destinations defined by the whitelist, execution advances to block 826 where the web request scrubber forwards the modified web request (access request) to the intended destination”).	
Given the teaching of Kumar, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Zhang and Hu in order to integrate a feature in which a website forwards an access request if it is on an allow list. One of ordinary skill in the art would have been motivated to do so because Kumar recognizes that by implementing this feature a database can be used to identify non-malicious URL and will then allow the URL to request for the modified data (Column 2, Line 58).


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAAD ABDULLAH whose telephone number is 571-272-1531. The examiner can normally be reached on Monday-Friday 9am-5pm EST. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, LYNN FIELD can be reached on 571-272-2092.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SAAD AHMAD ABDULLAH/ Examiner, Art Unit 2431
/LYNN D FEILD/ Supervisory Patent Examiner, Art Unit 2431