DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. In the communications filed on 09/08/2022, claims 1-20 are cancelled and claims 21, 27, and 33 are amended. Claims 21-40 are pending in this examination.
 In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.   This examination is in response to US Patent Application No. 16/921,581.
Examiner Note
Examiner suggests that Applicant review the relevant prior art section in the conclusion section of this office action.
Terminal Disclaimer

The terminal disclaimer filed on 02/04/2022 disclaiming the terminal portion of any patent granted on this application which would extend beyond the expiration date of U.S. Patent application No. 10708302 has been reviewed and is accepted.  The terminal disclaimer has been recorded.
Response to Arguments
Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims.  See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993). 


The Applicant respectfully submits on pages 9-11 of the remarks filed on 09/08/2022 that the combination of Dennison and Stellhorn does not teach or disclose all the limitations of amended claims 21, 27 and 33.

Examiner respectfully disagrees with Applicant's argument on pages 9-11 of the remarks filed on 09/08/2022.
The combination of Dennison and Stellhorn discloses all the limitations of the independent claims, especially the new amendment: “accessing content available via the potential phishing website and analyzing of the content based on predefined phishing detection criteria”.
Dennison discloses [Col. 19 lines 56-59, According to block 808 of FIG. 8A, if a threshold number of matches are detected (for instance, one match, two matches, etc.), the system software can designate the associated URL as a possibly malicious URL data item], and [Col. 24 lines 47-56, FIG. 11B illustrates an example interface for marking or tagging data from the listing of FIG. 11A. When reviewing the listing of FIG. 11A, an analyst may determine that the first three listings warrant further investigation, because they were registered by the same organization on the same date. Accordingly, as shown in FIG. 11B, the analyst can use a user interface to create a tag to identify entries with a particular DNS registration date are possibly bad (malicious). In this example, the interface allows the user to add a note indicating the reason for the tag, here, and “Fake registration data”?].

[Col. 8 Ln 62-67, the local IP addresses, URLs, and times can be logically associated as connection records indicating a particular communication from a particular computerized device to a particular external resource at a particular time, such that each of the connection records is associated with a particular device identifier, a particular URL, and a particular time (equated to the time difference between the second time and first time which shows that the requests are happening at different times)], and

[Col.9 Ln 54-62, FIG. 2B represents visualization of certain calls out to a network resource.  An analyst can view the visualization in order to determine whether possible malicious activity actually is malicious activity.  The example graphical timeline shows all traffic to a specific domain or range of IP addresses.  If there are many requests out to that domain at about the same time each day (or some pattern of days)( equated to time value), especially of those times are ones that the user is typically not at the computer, the traffic is more likely to be caused by malicious malware], and [Col.11 Ln 48-56, filter 316A, which detects frequently established connections, such as the same or similar connection pairs (for example, multiple connection pairs from the same internal IP to the same external IP and/or domain) that occur with short intervals (or deltas) of time between them (for example, intervals on the order of seconds( equated to time value), or intervals that are shorter than are typically employed by beaconing malware); filter 316B, which detects connection pairs that have only been occurring for a short period of time (for example, for a week or less)], and [Col. 11 lines 16-65],  and [Col.22 Ln. 3-6, the model also takes as input a disposition determined by a human analyst with expertise in diagnosing a URL as benign or malicious….], and [Col. 22 Ln. 51-57, URLs and vectors associated with the URLs can be presented to a human analyst.  Such data can be presented via one or more user interfaces.  The data can be displayed to facilitate disposition of the data for training the machine learning model.  The data can also be displayed to allow for review of model output when URLs are automatically evaluated by the computing system], and [FIG 3 and see corresponding text for further detail].

 	And Stellhorn discloses [¶3, In addition, information related to these suspicious sites may be stored in a database, and algorithms may be used to classify, monitor, and respond to a particular suspicious phishing site. These algorithms may include statistical analysis, regular expressions, and/or other rule-based analysis], and [¶27, Database server 210 may be configured to store various types and amounts of data.  In one or more arrangements, database server 210 may be configured to store Uniform Resource Identifiers (URIs), IP addresses, and/or unique identifiers corresponding to one or more websites…], and [ ¶37, a suspicious site may be monitored automatically by an algorithm. For example, statistical analysis, regular expressions, and/or other rule-based analysis may be applied to the source code and/or linked content of the suspicious site in order to monitor the suspicious site. In other words, in one or more configurations, user input might not be required in order to monitor a suspicious site]; and
Examiner Note: in view of the broadest interpretation, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, by combining Dennison and Stellhorn, to indicate that the suspicious sites are classified based on many factors such as statistical analysis, regular expressions, traffic timeline and/or other rule-based analysis, IP address, website unique identifiers, etc.




Claim Rejections - 35 USC § 103

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claims 21-40 are rejected under 35 U.S.C. 103 as being unpatentable over US Patent Application No. 9,043894 to Dennison et al (“Dennison”) cited from IDS (10/16/2020) in view of US Patent No. 2009/0157675 issued to Stellhorn et al (“Stellhorn”) cited from IDS (10/16/2020).
Regarding claims 21, and 33, Dennison discloses A method for automatic detection of phishing websites, comprising [Col. 5 lines 37-39, FIG. 2B illustrates a sample visualization(monitoring) of outgoing network traffic, such as requests for external URLs from a particular computing system or group of computing systems], and [Col. 6 lines 34-36, computing systems for detecting activities that are indicative of cyber threats, such as beaconing activities, phishing activities]; and
detecting within network traffic a sequence of network traffic events that comprises at least: an initial communication from a network address to a first other network address [Col. 7 lines 5-14, The outbound data connection log 102 includes a large plurality of data items, such as thousands, millions, tens of millions, hundreds of millions, or even billions of data items…such data items include the IP addresses of internal resources, within the local network, that have attempted to communicate with an external resource outside the local network. The outbound data connection log 102 can also include a time, such as a time stamp indicating year, month, day, hour, minute, and/or second, associated with each attempted connection], and
a first subsequent communication to the initial communication from the first other network address at a first time [Col. 8 lines 47-52, Network communications and/or data traffic information between local and external resources may be captured in such a data connection log 102. Various items of information may be captured including, for example, the URLs transmitted from the local network, the local IP addresses transmitting the URLs, the times of transmission( first request, first time), and the like], and  [Col. 8 lines 62-67]; and [Col. 2 lines 33-37, each of the connection records indicating a communication from a computerized device to an external resource at a specific time, such that each of the connection records is associated with a device identifier and a URL], and [Col. 7 lines 11-16, the outbound data connection log 102 can also include a time, such as a time stamp indicating year, month, day, hour, minute, and/or second, associated with each attempted connection]; and
and a second subsequent communication from the network address to a second other network address at a second time subsequent to the first time [Col. 8 lines 62-67, The local IP addresses, URLs, and times can be logically associated as connection records indicating a particular communication from a particular computerized device to a particular external resource at a particular time, such that each of the connection records is associated with a particular device identifier, a particular URL, and a particular time( second request, second time)], and  [Col. 2 lines 33-37, each of the connection records indicating a communication from a computerized device to an external resource at a specific time, such that each of the connection records is associated with a device identifier and a URL], and  [Col.7 lines 11-16, the outbound data connection log 102 can also include a time, such as a time stamp indicating year, month, day, hour, minute, and/or second, associated with each attempted connection]; and
wherein the classifying comprises: determining that the second other network address is not related to the first other network address [Col. 9 lines 10-19, the connection records can be limited to those connection records occurring within a certain period of time (e.g., a 1-minute block, a 5-minute block, a 15-minute block, an hour block etc.). Each of the identified connection records will have an associated URL. The system can parse the one or more URLs for one or more domain names, such that each of the one or more URLs is associated with a particular first domain name], and [Col.7 lines 5-39, an example character string may be a URL. Such a URL can generally resemble the form: schm://3LD.2LD.TLD/filepath. The portion "schm" represents the scheme or prefix, such as ftp, http, mailto, and the like. The portion "3LD" is a combination of alphabetic characters, numbers, and/or hyphens representing the third level domain. The portion "2LD" is a combination of alphabetic characters, numbers, and/or hyphens representing the second level domain. The portion "TLD" represents the top-level domain, such as com, org, edu, gov, and the like. The portion "filepath" is a textual string that can include numeric, alphabetic, and punctuation characters such as backslashes, hyphens, question marks, periods, and the like. As used herein, and unless specified otherwise, the term "domain name" refers to the combination of the 2LD and the TLD. An example domain name has the form example.com], and [Col.10 lines 66-67, Col.11 lines 1-37, Referring to FIG. 3A, at block 312, network communications and/or data traffic information between the internal and external networks may be captured by the beaconing malware pre-filter system. Various items of information may be captured including, for example, external IP addresses contacted (312A), external domains contacted (312B), internal IP addresses contacting the external IP addresses and domains (312C), and the like…].
Examiner Note: It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to indicate, by parsing the URLs for one or more domains, that they belong to different domains with different network addresses, such as IP addresses.
 and determining that a time difference between the second time and the first time meets predefined criteria [Col. 8 Ln 62-67, the local IP addresses, URLs, and times can be logically associated as connection records indicating a particular communication from a particular computerized device to a particular external resource at a particular time, such that each of the connection records is associated with a particular device identifier, a particular URL, and a particular time ( equated to the time difference between the second time and first time which shows that the requests are happening at different times)], and [Col.9 Ln 54-62,FIG. 2B represents visualization of certain calls out to a network resource.  An analyst can view the visualization in order to determine whether possible malicious activity actually is malicious activity.  The example graphical timeline shows all traffic to a specific domain or range of IP addresses.  If there are many requests out to that domain at about the same time each day (or some pattern of days) (equated to time value), especially of those times are ones that the user is typically not at the computer, the traffic is more likely to be caused by malicious malware], and 
[Col.11 Ln 48-56, filter 316A, which detects frequently established connections, such as the same or similar connection pairs (for example, multiple connection pairs from the same internal IP to the same external IP and/or domain) that occur with short intervals (or deltas) of time between them (for example, intervals on the order of seconds( equated to time value), or intervals that are shorter than are typically employed by beaconing malware); filter 316B, which detects connection pairs that have only been occurring for a short period of time (for example, for a week or less)], and [FIG 3 and see corresponding text for further detail]; and 
	Dennison does not explicitly disclose; however, Stellhorn discloses classifying the first other network address as a potential phishing website [¶3, In addition, information related to these suspicious sites may be stored in a database, and algorithms may be used to classify, monitor, and respond to a particular suspicious phishing site. These algorithms may include statistical analysis, regular expressions, and/or other rule-based analysis], and [¶27, Database server 210 may be configured to store various types and amounts of data.  In one or more arrangements, database server 210 may be configured to store Uniform Resource Identifiers (URIs), IP addresses, and/or unique identifiers corresponding to one or more websites…], and [ ¶37, a suspicious site may be monitored automatically by an algorithm. For example, statistical analysis, regular expressions, and/or other rule-based analysis may be applied to the source code and/or linked content of the suspicious site in order to monitor the suspicious site. In other words, in one or more configurations, user input might not be required in order to monitor a suspicious site]; and
Examiner Note: in view of the broadest interpretation, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to indicate that Stellhorn classifies the suspicious sites based on many factors such as statistical analysis, regular expressions, and/or other rule-based analysis, IP address, website unique identifiers, etc.
accessing content available via the potential phishing website and analyzing of the content based on predefined phishing detection criteria
The combination of Dennison and Stellhorn discloses these limitations as:
Dennison discloses [Col. 19 lines 56-59, According to block 808 of FIG. 8A, if a threshold number of matches are detected (for instance, one match, two matches, etc.), the system software can designate the associated URL as a possibly malicious URL data item], and [Col. 24 lines 47-56, FIG. 11B illustrates an example interface for marking or tagging data from the listing of FIG. 11A. When reviewing the listing of FIG. 11A, an analyst may determine that the first three listings warrant further investigation, because they were registered by the same organization on the same date. Accordingly, as shown in FIG. 11B, the analyst can use a user interface to create a tag to identify entries with a particular DNS registration date are possibly bad (malicious). In this example, the interface allows the user to add a note indicating the reason for the tag, here, and “Fake registration data”?].
[Col. 8 Ln 62-67, the local IP addresses, URLs, and times can be logically associated as connection records indicating a particular communication from a particular computerized device to a particular external resource at a particular time, such that each of the connection records is associated with a particular device identifier, a particular URL, and a particular time (equated to the time difference between the second time and first time which shows that the requests are happening at different times)], and
[Col.9 Ln 54-62, FIG. 2B represents visualization of certain calls out to a network resource.  An analyst can view the visualization in order to determine whether possible malicious activity actually is malicious activity.  The example graphical timeline shows all traffic to a specific domain or range of IP addresses.  If there are many requests out to that domain at about the same time each day (or some pattern of days)( equated to time value), especially of those times are ones that the user is typically not at the computer, the traffic is more likely to be caused by malicious malware], and [Col.11 Ln 48-56, filter 316A, which detects frequently established connections, such as the same or similar connection pairs (for example, multiple connection pairs from the same internal IP to the same external IP and/or domain) that occur with short intervals (or deltas) of time between them (for example, intervals on the order of seconds( equated to time value), or intervals that are shorter than are typically employed by beaconing malware); filter 316B, which detects connection pairs that have only been occurring for a short period of time (for example, for a week or less)], and [Col. 11 lines 16-65],  and [Col.22 Ln. 3-6, the model also takes as input a disposition determined by a human analyst with expertise in diagnosing a URL as benign or malicious….], and [Col. 22 Ln. 51-57, URLs and vectors associated with the URLs can be presented to a human analyst.  Such data can be presented via one or more user interfaces.  The data can be displayed to facilitate disposition of the data for training the machine learning model.  The data can also be displayed to allow for review of model output when URLs are automatically evaluated by the computing system], and [FIG 3 and see corresponding text for further detail].
 	And Stellhorn discloses [¶3, In addition, information related to these suspicious sites may be stored in a database, and algorithms may be used to classify, monitor, and respond to a particular suspicious phishing site. These algorithms may include statistical analysis, regular expressions, and/or other rule-based analysis], and [¶27, Database server 210 may be configured to store various types and amounts of data.  In one or more arrangements, database server 210 may be configured to store Uniform Resource Identifiers (URIs), IP addresses, and/or unique identifiers corresponding to one or more websites…], and [ ¶37, a suspicious site may be monitored automatically by an algorithm. For example, statistical analysis, regular expressions, and/or other rule-based analysis may be applied to the source code and/or linked content of the suspicious site in order to monitor the suspicious site. In other words, in one or more configurations, user input might not be required in order to monitor a suspicious site]; and
Examiner Note: in view of the broadest interpretation, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, by combining Dennison and Stellhorn, to indicate that the suspicious sites are classified based on many factors such as statistical analysis, regular expressions, traffic timeline and/or other rule-based analysis, IP address, website unique identifiers, etc.
Dennison does not explicitly disclose; however, Stellhorn discloses taking one or more protective measures in response to the classifying, wherein the one or more protective measures comprise blocking the first other network address [abstract, If, however, the suspicious network site is classified as fraudulent, the fraudulent website may be monitored and further action may be taken], and [¶3, a method and system for processing fraud alerts and identifying fraudulent sites allows an organization to classify, monitor, and shut down (blocking) fraudulent site such as websites in an efficient manner… if the suspicious site is classified as fraudulent, the fraudulent site may then be monitored and further action, such as sending a cease and desist letter to the owner of the IP address corresponding to the fraudulent site or an owner of the domain, may be taken].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Dennison with the teaching of Stellhorn so that processing fraud notifications allows an organization to classify, monitor, and shut down fraudulent websites [Stellhorn, abstract].
Regarding claim 22,  Dennison discloses  comprising monitoring the network traffic using a log of network traffic events, and wherein the log has a machine readable log format, and comprises network addresses of requested and/or responding sites [Col. 8 lines 47-59, Network communications and/or data traffic information between local and external resources may be captured in such a data connection log 102…the network traffic may be captured by, for example, other types of computerized sensors], and [Col. 8 lines 49-52, Various items of information may be captured including, for example, the URLs transmitted from the local network, the local IP addresses transmitting the URLs, the times of transmission, and the like].
Regarding claims 23, 40, Dennison discloses the method of claim 21, wherein the second subsequent communication is within a limited number of network events relative to the first time; and comprising: classifying the first other network address as a potential phishing website based on a determination that the limited number of network events is smaller than a defined limit value [Col. 19 lines 56-59, According to block 808 of FIG. 8A, if a threshold number of matches are detected (for instance, one match, two matches, etc.), the system software can designate the associated URL as a possibly malicious URL data item], and [Col. 24 lines 47-56, FIG. 11B illustrates an example interface for marking or tagging data from the listing of FIG. 11A. When reviewing the listing of FIG. 11A, an analyst may determine that the first three listings warrant further investigation, because they were registered by the same organization on the same date. Accordingly, as shown in FIG. 11B, the analyst can use a user interface to create a tag to identify entries with a particular DNS registration date are possibly bad (malicious). In this example, the interface allows the user to add a note indicating the reason for the tag, here, and “Fake registration data”?].
Regarding claims 24, and 31, Dennison discloses, wherein the defined limit value is 5 or 3 [Col. 19 lines 56-59, According to block 808 of FIG. 8A, if a threshold number of matches are detected (for instance, one match, two matches, etc.), the system software can designate the associated URL as a possibly malicious URL data item], and [Col. 24 lines 47-56, FIG. 11B illustrates an example interface for marking or tagging data from the listing of FIG. 11A. When reviewing the listing of FIG. 11A, an analyst may determine that the first three listings warrant further investigation, because they were registered by the same organization on the same date. Accordingly, as shown in FIG. 11B, the analyst can use a user interface to create a tag to identify entries with a particular DNS registration date are possibly bad (malicious). In this example, the interface allows the user to add a note indicating the reason for the tag, here, and “Fake registration data”?].
Regarding claim 25,  Dennison discloses wherein the pre-defined criteria comprise the time difference between the second time and the first time being smaller than a defined time value [Col. 8 Ln 62-67, the local IP addresses, URLs, and times can be logically associated as connection records indicating a particular communication from a particular computerized device to a particular external resource at a particular time, such that each of the connection records is associated with a particular device identifier, a particular URL, and a particular time ( equated to the time difference between the second time and first time which shows that the requests are happening at different times)], and [Col.9 Ln 54-62,FIG. 2B represents visualization of certain calls out to a network resource.  An analyst can view the visualization in order to determine whether possible malicious activity actually is malicious activity.  The example graphical timeline shows all traffic to a specific domain or range of IP addresses.  If there are many requests out to that domain at about the same time each day (or some pattern of days)( equated to  time value), especially of those times are ones that the user is typically not at the computer, the traffic is more likely to be caused by malicious malware], and [Col.11 Ln 48-56, filter 316A, which detects frequently established connections, such as the same or similar connection pairs (for example, multiple connection pairs from the same internal IP to the same external IP and/or domain) that occur with short intervals (or deltas) of time between them (for example, intervals on the order of seconds( equated to time value), or intervals that are shorter than are typically employed by beaconing malware); filter 316B, which detects connection pairs that have only been occurring for a short period of time (for example, for a week or less)], and [FIG 3 and see corresponding text for further detail].
Regarding claims 26, and 32,  Dennison discloses, wherein the defined time value is smaller than 1 second, and preferably smaller than 0.1 seconds [Col. 8 Ln 62-67, the local IP addresses, URLs, and times can be logically associated as connection records indicating a particular communication from a particular computerized device to a particular external resource at a particular time, such that each of the connection records is associated with a particular device identifier, a particular URL, and a particular time ( equated to the time difference between the second time and first time which shows that the requests are happening at different times)], and [Col.9 Ln 54-62, FIG. 2B represents visualization of certain calls out to a network resource.  An analyst can view the visualization in order to determine whether possible malicious activity actually is malicious activity.  The example graphical timeline shows all traffic to a specific domain or range of IP addresses.  If there are many requests out to that domain at about the same time each day (or some pattern of days)( equated to time value), especially of those times are ones that the user is typically not at the computer, the traffic is more likely to be caused by malicious malware], and [Col.11 Ln 48-56, filter 316A, which detects frequently established connections, such as the same or similar connection pairs (for example, multiple connection pairs from the same internal IP to the same external IP and/or domain) that occur with short intervals (or deltas) of time between them (for example, intervals on the order of seconds( equated to time value), or intervals that are shorter than are typically employed by beaconing malware); filter 316B, which detects connection pairs that have only been occurring for a short period of time (for example, for a week or less)], and [FIG 3 and see corresponding text for further detail].
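The sequence test recited in claims 21-26 above (a request to a first site, that site's response at a first time, then a request to an unrelated second site within a defined time value and a limited number of network events) can be expressed as detection logic over a connection log. The following Python is an added illustration, not code from the application or from Dennison or Stellhorn; the record layout, function names, sample log, the way events are counted, and the naive 2LD.TLD relatedness check are assumptions.

```python
from typing import List, NamedTuple


class Event(NamedTuple):
    ts: float   # timestamp in seconds, taken from a single log source
    src: str    # sender (client address or site host name)
    dst: str    # receiver
    kind: str   # "request" or "response" (assumed log field)


class Finding(NamedTuple):
    client: str     # the "network address" of the claims
    suspect: str    # first other network address, flagged as potential phishing
    contacted: str  # second other network address, unrelated to the suspect
    delta: float    # second time minus first time, in seconds


def registered_domain(host: str) -> str:
    """Return 2LD.TLD, the 'domain name' definition quoted from Dennison.

    Assumption: the last two labels are enough. Multi-label public
    suffixes (for example co.uk) would need a public-suffix list.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_potential_phishing(events: List[Event],
                            max_delta: float = 1.0,
                            max_events: int = 5) -> List[Finding]:
    """Flag first sites whose response is quickly followed by a request
    from the same client to an unrelated site.

    max_delta  : defined time value (claims 25/26 recite < 1 s, preferably < 0.1 s)
    max_events : defined limit value (claims 24/31 recite 5 or 3); here the
                 count of later events involving the client must stay below it.
    """
    log = sorted(events, key=lambda e: e.ts)
    findings, seen = [], set()
    for i, init in enumerate(log):
        if init.kind != "request":
            continue
        client, first_site = init.src, init.dst
        # First subsequent communication: the first site's response (first time).
        j = next((k for k in range(i + 1, len(log))
                  if log[k].kind == "response"
                  and log[k].src == first_site
                  and log[k].dst == client), None)
        if j is None:
            continue
        t1, n = log[j].ts, 0
        for k in range(j + 1, len(log)):
            ev = log[k]
            if client not in (ev.src, ev.dst):
                continue  # only events involving this client are counted
            n += 1
            if n >= max_events or ev.ts - t1 >= max_delta:
                break  # outside the event limit or the time window
            unrelated = registered_domain(ev.dst) != registered_domain(first_site)
            if ev.kind == "request" and ev.src == client and unrelated:
                if (j, k) not in seen:  # several requests can share one response
                    seen.add((j, k))
                    findings.append(Finding(client, first_site, ev.dst,
                                            round(ev.ts - t1, 3)))
                break
    return findings


# Constructed sample log (reserved example domains, private addresses).
SAMPLE_LOG = [
    Event(100.00, "10.0.0.5", "login.portal.example.net", "request"),
    Event(100.20, "login.portal.example.net", "10.0.0.5", "response"),
    Event(100.25, "10.0.0.5", "www.example.com", "request"),     # unrelated, 0.05 s later
    Event(100.40, "www.example.com", "10.0.0.5", "response"),
    Event(200.00, "10.0.0.7", "www.example.org", "request"),
    Event(200.30, "www.example.org", "10.0.0.7", "response"),
    Event(200.35, "10.0.0.7", "static.example.org", "request"),  # related: same 2LD.TLD
    Event(203.00, "10.0.0.7", "www.example.com", "request"),     # unrelated, but 2.7 s later
]

if __name__ == "__main__":
    for f in find_potential_phishing(SAMPLE_LOG):
        print(f)
```
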
Regarding claim 27, Dennison discloses a method for protecting websites from phishing attacks, comprising [Col. 5 lines 37-39, FIG. 2B illustrates a sample visualization (monitoring) of outgoing network traffic, such as requests for external URLs from a particular computing system or group of computing systems], and [(44), network traffic router( monitoring… other types of computerized sensors ], and [Col. 6 lines 34-36, computing systems for detecting activities that are indicative of cyber threats, such as beaconing activities, phishing activities]; and
 detecting within network traffic a communication from a network address to a target website [Col. 7 lines 5-14, The outbound data connection log 102 includes a large plurality of data items, such as thousands, millions, tens of millions, hundreds of millions, or even billions of data items…such data items include the IP addresses of internal resources, within the local network, that have attempted to communicate with an external resource outside the local network. The outbound data connection log 102 can also include a time, such as a time stamp indicating year, month, day, hour, minute, and/or second, associated with each attempted connection], and
 evaluating network events involving the network address prior to the detected communication to detect a communication with the network address to a website not related to the target website, wherein the evaluating comprises obtaining time measurements that are independent of network latency;
[Col. 8 lines 47-52, Network communications and/or data traffic information between local and external resources may be captured in such a data connection log 102. Various items of information may be captured including, for example, the URLs transmitted from the local network, the local IP addresses transmitting the URLs, the times of transmission (first request, first time), and the like], and [Col. 8 lines 62-67, The local IP addresses, URLs, and times can be logically associated as connection records indicating a particular communication from a particular computerized device to a particular external resource at a particular time, such that each of the connection records is associated with a particular device identifier, a particular URL, and a particular time (second request, second time)], and [Col. 2 lines 33-37, each of the connection records indicating a communication from a computerized device to an external resource at a specific time, such that each of the connection records is associated with a device identifier and a URL], and [Col. 7 lines 11-16, the outbound data connection log 102 can also include a time, such as a time stamp indicating year, month, day, hour, minute, and/or second, associated with each attempted connection]; and
obtaining information relating to another communication between a second network address and the other website
[Col. 2 lines 33-37, each of the connection records indicating a communication from a computerized device to an external resource at a specific time, such that each of the connection records is associated with a device identifier and a URL], and
[Col.7 lines 5-37, an example character string may be a URL. Such a URL can generally resemble the form: schm://3LD.2LD.TLD/filepath. The portion "schm" represents the scheme or prefix, such as ftp, http, mailto, and the like. The portion "3LD" is a combination of alphabetic characters, numbers, and/or hyphens representing the third level domain. The portion "2LD" is a combination of alphabetic characters, numbers, and/or hyphens representing the second level domain. The portion "TLD" represents the top-level domain, such as com, org, edu, gov, and the like. The portion "filepath" is a textual string that can include numeric, alphabetic, and punctuation characters such as backslashes, hyphens, question marks, periods, and the like. As used herein, and unless specified otherwise, the term "domain name" refers to the combination of the 2LD and the TLD. An example domain name has the form example.com], and
[Col. 7 lines 11-16, the outbound data connection log 102 can also include a time, such as a time stamp indicating year, month, day, hour, minute, and/or second, associated with each attempted connection], and
[Col. 8 lines 47-52, Network communications and/or data traffic information between local and external resources may be captured in such a data connection log 102. Various items of information may be captured including, for example, the URLs transmitted from the local network, the local IP addresses transmitting the URLs, the times of transmission (first request, first time), and the like], and 
 [Col. 8 lines 62-67, The local IP addresses, URLs, and times can be logically associated as connection records indicating a particular communication from a particular computerized device to a particular external resource at a particular time, such that each of the connection records is associated with a particular device identifier, a particular URL, and a particular time (second request, second time)], and
[Col. 8 lines 62-67, the local IP addresses, URLs, and times can be logically associated as connection records indicating a particular communication from a particular computerized device to a particular external resource at a particular time, such that each of the connection records is associated with a particular device identifier, a particular URL, and a particular time (equated to the time difference between the second time and first time which shows that the requests are happening at different times)], and
[Col. 9 lines 54-62, FIG. 2B represents visualization of certain calls out to a network resource. An analyst can view the visualization in order to determine whether possible malicious activity actually is malicious activity. The example graphical timeline shows all traffic to a specific domain or range of IP addresses. If there are many requests out to that domain at about the same time each day (or some pattern of days) (equated to time value), especially if those times are ones that the user is typically not at the computer, the traffic is more likely to be caused by malicious malware], and
[Col. 9 lines 10-19, the connection records can be limited to those connection records occurring within a certain period of time (e.g., a 1-minute block, a 5-minute block, a 15-minute block, an hour block etc.). Each of the identified connection records will have an associated URL. The system can parse the one or more URLs for one or more domain names, such that each of the one or more URLs is associated with a particular first domain name], and
[Col. 10 lines 66-67, Col. 11 lines 1-37, Referring to FIG. 3A, at block 312, network communications and/or data traffic information between the internal and external networks may be captured by the beaconing malware pre-filter system. Various items of information may be captured including, for example, external IP addresses contacted (312A), external domains contacted (312B), internal IP addresses contacting the external IP addresses and domains (312C), and the like…], and
[Col. 11 lines 48-56, filter 316A, which detects frequently established connections, such as the same or similar connection pairs (for example, multiple connection pairs from the same internal IP to the same external IP and/or domain) that occur with short intervals (or deltas) of time between them (for example, intervals on the order of seconds (equated to time value), or intervals that are shorter than are typically employed by beaconing malware); filter 316B, which detects connection pairs that have only been occurring for a short period of time (for example, for a week or less)], and [FIG 3 and see corresponding text for further detail].
Examiner Note: in view of the broadest interpretation, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to indicate that Dennison in his application discloses that the local IP addresses, URLs, and times can be logically associated as connection records indicating a particular communication from a particular computerized device (from a second network address) to a particular external resource (equated to the second other network/target device) at a particular time, such that each of the connection records is associated with a particular device identifier, a particular URL, and a particular time (equated to the time difference between the second time and first time which shows that the requests are happening at different times), without the communication between the two going through another device; hence, they communicate directly with each other.
Dennison does not explicitly disclose; however, Stellhorn discloses classifying the target website as potential phishing website [¶3, In addition, information related to these suspicious sites may be stored in a database, and algorithms may be used to classify, monitor, and respond to a particular suspicious phishing site. These algorithms may include statistical analysis, regular expressions, and/or other rule-based analysis], and [¶27, Database server 210 may be configured to store various types and amounts of data. In one or more arrangements, database server 210 may be configured to store Uniform Resource Identifiers (URIs), IP addresses, and/or unique identifiers corresponding to one or more websites…], and [¶37, a suspicious site may be monitored automatically by an algorithm. For example, statistical analysis, regular expressions, and/or other rule-based analysis may be applied to the source code and/or linked content of the suspicious site in order to monitor the suspicious site. In other words, in one or more configurations, user input might not be required in order to monitor a suspicious site]; and
Examiner Note: in view of the broadest interpretation, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to indicate that Stellhorn classifies the suspicious sites based on many factors such as statistical analysis, regular expressions, and/or other rule-based analysis, IP addresses, website unique identifiers, etc.
Dennison does not explicitly disclose; however, Stellhorn discloses and taking one or more protective measures in response to the classifying, wherein the one or more protective measures comprise blocking the target website [abstract, If, however, the suspicious network site is classified as fraudulent, the fraudulent website may be monitored and further action may be taken], and [¶3, a method and system for processing fraud alerts and identifying fraudulent sites allows an organization to classify, monitor, and shut down (blocking) fraudulent site such as websites in an efficient manner… if the suspicious site is classified as fraudulent, the fraudulent site may then be monitored and further action, such as sending a cease and desist letter to the owner of the IP address corresponding to the fraudulent site or an owner of the domain, may be taken].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Dennison with the teaching of Stellhorn so that processing fraud notifications allows an organization to classify, monitor, and shut down fraudulent websites [Stellhorn, abstract].
Claims 28-29 and 34-35 are interpreted and rejected for the same rationale set forth in claim 22.
Regarding claim 30, Dennison discloses wherein the evaluation is limited to network traffic events involving the network address within a limited number of network traffic events in a sequence of network traffic events [Col. 19 lines 56-59, According to block 808 of FIG. 8A, if a threshold number of matches are detected (for instance, one match, two matches, etc.), the system software can designate the associated URL as a possibly malicious URL data item], and [Col. 24 lines 47-56, FIG. 11B illustrates an example interface for marking or tagging data from the listing of FIG. 11A. When reviewing the listing of FIG. 11A, an analyst may determine that the first three listings warrant further investigation, because they were registered by the same organization on the same date. Accordingly, as shown in FIG. 11B, the analyst can use a user interface to create a tag to identify entries with a particular DNS registration date are possibly bad (malicious). In this example, the interface allows the user to add a note indicating the reason for the tag, here, “Fake registration data”].
Regarding claim 36, Dennison discloses further comprising an address collector configured to collect addresses corresponding to requested and/or responding sites from one or more different sources [Col. 8 lines 47-59, Network communications and/or data traffic information between local and external resources may be captured in such a data connection log 102…the network traffic may be captured by, for example, other types of computerized sensors], and [Col. 8 lines 49-52, Various items of information may be captured including, for example, the URLs transmitted from the local network, the local IP addresses transmitting the URLs, the times of transmission, and the like].
Regarding claim 37, Dennison discloses further comprising a pattern matching engine configured to identify potential phishing addresses based on analysis of addresses in plaintext logs [Col. 8 lines 47-59, Network communications and/or data traffic information between local and external resources may be captured in such a data connection log 102…the network traffic may be captured by, for example, other types of computerized sensors], and [Col. 8 lines 49-52, Various items of information may be captured including, for example, the URLs transmitted from the local network, the local IP addresses transmitting the URLs, the times of transmission, and the like].
Regarding claim 38, Dennison discloses further comprising a feature extractor configured to extract and analyze features of particular websites [Col. 8 lines 49-52, Various items of information may be captured including, for example, the URLs transmitted from the local network, the local IP addresses transmitting the URLs, the times of transmission, and the like], and [Col. 25 lines 43-49, a computer-implemented system accesses a server's proxy log. The system is configured to execute the timing pre-filter and the beaconing malware pre-filter to identify potentially malicious URLs. An additional pre-filter is executed on the URLs identified by the beaconing malware pre-filter to filter out domain names that are not ranked in Alexa Internet's list of the top-1000 or top-10,000 websites], and [Col. 24 lines 57-67].
Regarding claim 39, Dennison discloses wherein the feature extractor is configured to compare extracted features for a particular website with pre-stored website features to identify the particular website [Col. 8 lines 49-52, Various items of information may be captured including, for example, the URLs transmitted from the local network, the local IP addresses transmitting the URLs, the times of transmission, and the like], and [Col. 25 lines 43-49, a computer-implemented system accesses a server's proxy log. The system is configured to execute the timing pre-filter and the beaconing malware pre-filter to identify potentially malicious URLs. An additional pre-filter is executed on the URLs identified by the beaconing malware pre-filter to filter out domain names that are not ranked in Alexa Internet's list of the top-1000 or top-10,000 websites], and [Col. 24 lines 57-67].

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Glommen (US6766370) [Internet Website Traffic Flow Analysis Using Timestamp Data].
Baddour (US2008/0010683) [System and Method for Analyzing Web Content].
GB2462456A [Phishing Website Determining Method for Computer, Involves Comparing Characteristics of Genuine Website with Corresponding Characteristics of Subject Website, And Determining Whether Subject Website Is Phishing Website Based on Comparison].
CN104580254A [A Phishing Website Identification System and Method].
Bach (US2016/0057167) [Phishing and Threat Detection and Prevention].
Brinson (US2006/0080735) [Methods and Systems for Phishing Detection and Notification].
Zhang (US2010/0251380) [Method and System for Identifying Suspected Phishing Websites].
CN102739679A [A Classification Based on URL Of the Fishing Website Detection Method].
Abe (US2018/0083990) [Abstract, the present invention passively monitors computer network traffic to determine when a potential network attack is underway. The system, method and computer program product initiate the process using a learning mode that identifies unique source and destination Internet Protocol (IP) address pairs. Then the frequency of these the IP pairs are computed for multiple periods. In the analyze mode, the frequency for each IP pair is statistically analyzed and a threshold set based on rules. In the run mode, the frequency of IP pairs is computed and compared to the thresholds. If a threshold is crossed, an alert is generated that a network administrator or other user can react to].
Adams (US8370932) [Method and Apparatus for Detecting Malware in Network Traffic].
Raugas (US2015/0128263) [Methods and Systems for Malware Detection, Abstract, Methods, system, and media for detecting malware are disclosed. A network may be monitored for a configured time interval collecting all of or some of the network traffic or samples of the network traffic…].
WO2011032789A1 [Method for Detecting Anomalies in a Control Network].
Balabine (US2015/0229661) [Method and System for Confident Anomaly Detection in Computer Network Traffic, ¶179, The following network traffic characteristics may be assessed for each monitored IP layer protocol for the duration of each collection time interval].
Hu (8087085) [Wireless Intrusion Prevention System and Method, see claim 1, detect changes in the amounts of network traffic over the time intervals to a particular destination relative to the determined normal amount of network traffic to the particular destination over the time intervals…].
Liu (2016/0021141) [Rating Network Security Posture and Comparing Network Maliciousness, ¶7, The network analyzer may include a network interface configured to monitor network traffic …aggregate sets of internet protocol (IP) addresses within the monitored network traffic over a sampling period; (2) measure a number of malicious IP addresses within each of the aggregated sets of IP addresses at a plurality of time intervals within the sampling period; (3) generate a plurality of aggregate signals having a magnitude at each of the plurality of time intervals based on the number of malicious IP addresses within each of the plurality of time intervals…].
Supple (US2015/0101053) [System and Method for Detecting Insider Threats, ¶29, In one embodiment, to detect anomalous traffic, a baseline or normal profile of network traffic observed in a certain time interval may be analyzed…].
Foulger (US2003/0018769) [Method of Backtracing Network Performance, Fig. 7, shows a network over time view of network performance; FIG. 10, shows a network latency over time view of network performance].
Baker (US9578046) [Analysis of Time Series Data, time indexed data related to network traffic].
Higbee (US2014/0230064) [Simulated phishing attack with sequential messages].
Brown (US2006/0164992) [¶54, MTAs provide a method for limiting the number of simultaneous connections or messages sent per time interval].
Chen (US2015/0128272) [System and method for finding phishing website].
Dong (US2014/0096242) [Method, system and client terminal for detection of phishing websites].
Applicants are encouraged to take advantage of the After Final Consideration Pilot 2.0 (AFCP 2.0) which authorizes non-production time for consideration of responses filed after a final rejection. The purpose of the pilot is to compact prosecution of the case. The request must include 1) A signed AFCP request form (PTO/SB/434 or equivalent) that includes a statement that applicant is requesting consideration under the AFCP; 2) An amendment to at least one independent claim that does not broaden the scope of the independent claim in any aspect; and 3) A statement that applicant is willing and available to participate in any interview initiated by the examiner concerning the present response.  In the limited amount of non-production time if the examiner’s consideration of a proper AFCP 2.0 request and response does not result in a determination that all pending claims are in condition for allowance, the examiner will request an interview with the applicant to discuss the response. For more info, please visit http://www.uspto.gov/patent/initiatives/after-final-consideration-pilot-20

THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHAHRIAR ZARRINEH whose telephone number is (571)272-1207. The examiner can normally be reached Monday-Friday, 8:30am-5:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge Ortiz-Criado can be reached on 571-272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SHAHRIAR ZARRINEH/Examiner, Art Unit 2496