Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Specification
The specification is objected to as failing to provide proper antecedent basis for the claimed subject matter.  See 37 CFR 1.75(d)(1) and MPEP § 608.01(o).  Correction of the following is required either to the claims or to the specification. “metadata of one or more of similar but not identical trusted domains” in the specification is not identified or recited corresponding to the claimed limitation of “correlate metadata of the domain with metadata of one or more of similar but not identical trusted domains” as recited in claims 1, 9 and 17.  The specification discusses on [0028-0029]: Known systems and methods generally check for domain name impersonation by way of seeking visual similarities between a domain name in question and a known list of trusted domain names, which is particularly useful in identifying domain names that have been altered by way of deceptive character use… A homograph attack is a method of deception wherein a threat actor leverages on the similarities of character scripts to create and register phony domains of existing ones to fool users and lure them into visiting. In one more additional occurrence of the phrase for “similarities”, the specification recites in [0042] The search for such anomalies can be triggered by similarities between the suspect domain and a list of trusted, high-value domains, by unexpected content such as obscenity in mail from a bank, or by other means. However, there is no citation in the speciation for “metadata of one or more of similar but not identical trusted domains”.

Response to Arguments
The examiner has fully considered the Applicant's argument remarks filed on September 27, 2022 but they are not persuasive to overcome the prior arts in record and place the claims in a better condition for allowance.
In the response, the applicant remarks that the proposed combination of Gillum, Zink, and Wright does not include a database with a plurality of trusted domains in which, if the target domain is determined to be similar but not identical to at least one of the trusted domains, the system correlates metadata of the domain with metadata of one or more of the similar but not identical trusted domains including at least one of an identity of a registrar for the domain being analyzed or an identity of one or more name servers serving the domain being analyzed and flags the domain as being legitimate or flag the domain as being illegitimate based on the correlation. 
However, the examiner disagrees with the applicant’s argument for the following reason. Gillum discloses a database with a plurality of trusted domains in which the above recited limitations are associated in (0013-0014: trusted domain and authorized domain; 0020: the email trust service is implemented to determine whether an email message can be trusted, such as whether an email message originated from a trusted business domain; 0029: add an authorized domain to an email safe list; 0037). Furthermore, Zink discloses a record for (0028; 0032-0033: align DMAC and domain in the From: address may be trusted domain; DMARC results are usually stamped in the Authentication-Results header in a message; 0039: the domain in the From: address may be checked to align with either the domain that passes SPF or the domain that passes DKIM (defined in the d= field). If a message passes all three, then it may be considered as passing DMARC as not being spoofed and forwarded to mail storage; 0043: reconstructed domain may be aligned from the selector against the actual domain in the “From” address to pass DMARC; 0064-0066). Similarly, Wright discloses domain DNS  activity in a database record ([0088] include querying a WHOIS server (e.g., performing a WHOIS lookup) with the attack domain name and/or related key works to determine availability of an attack domain name and/or related domain names. However, any suitable databases can be queried to determine attack domain name data. Attack domain name data can additionally or alternatively include: DNS resource records). In each of the prior art’s implantation, a database is  used  directly or indirectly for plurality of trusted domains. 
The applicant further remarked that, in Wright, all of the attack domain names are essentially illegitimate, which really is the premise of Wright, e.g., to identify attack domain names and determine if those domain names are available so that the target domain name owner can purchase them if desired. It is not clear what the applicant’s remarks suggesting over the prior art Wright. However, the prior art Wright discloses in [0040: the comparison at the similarity unit 141 can be between any distinct domain names including two or more generated or provided pseudo domain names or even, two or more legitimate target domain names. Wright further discloses. [0069] Even if an at-risk “lookalike” domain name is registered by a legitimate entity, phishing attacks based on the “lookalike” domain name can still be orchestrated if the proper preventative measures are not taken to restrict activity from the “lookalike” domain name.  [0070] The method 200 functions to reduce phishing activity by identifying at-risk “lookalike” domain names and restricting illegitimate activity from the “lookalike” domain names; the method 200 may further provide powerful tracking and/or analytical tools to enable companies and organizations to not only assess, but also reduce phishing risks. Write discuses both legitimate and illegitimate domains.  
For at least the above reasons, the applicant’s arguments are not persuasive to overcome the prior arts in record and place the claims in a better condition for allowance and therefore the following prior arts rejections are miniated.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 5-6, 8-10, 13-14, 16-18, 20-21 and 23 are rejected under 35 U.S.C. 103 as being unpatentable over Gillum (US. Pub. No.: 2012/0167233) in view of Zink et al. (Hereinafter referred to as Zink, US. Pub. No.: 2017/0034100) and in further view Wright et al. (Hereinafter referred to as Wright, US 20180027013).

As per claim 1:
Gillum discloses a system for domain name authentication, the system comprising:
a processor coupled to a memory containing instructions executable by the processor to cause the system to (0016):
maintain a database with a plurality of trusted domains (0013-0014: trusted domain and authorized domain; 0029: add an authorized domain to an email safe list; 0037);
analyze a domain associated with an undelivered message intended to be delivered to a recipient, wherein analysis of the domain comprises comparing the domain with one or more of the plurality of trusted domains (0020-0021);
if the domain is determined to be similar to at least one of the trusted domains, correlate metadata of the domain with metadata of the at least one similar trusted domain (0021-0022: DKIM); and
flag the domain as being legitimate or flag the domain as being illegitimate based on the correlation (0025-0028; 0025: trust indicator).

Gillum does not explicitly disclose the determined domains to be similar are not identical domains. Zink, in analogous art however, discloses the determined domains to be similar are not identical domains (0028; 0032-0033: align DMAC and domain in the From: address may be trusted domain; DMARC results are usually stamped in the Authentication-Results header in a message; 0039: the domain in the From: address may be checked to align with either the domain that passes SPF or the domain that passes DKIM (defined in the d= field). If a message passes all three, then it may be considered as passing DMARC as not being spoofed and forwarded to mail storage; 0043: reconstructed domain may be aligned from the selector against the actual domain in the “From” address to pass DMARC; 0064-0066). It is further noted that a DMARC verification as described in Zink et al. relies on a strict or relaxed alignment.  See e.g. Wikipedia "DMARC" under Alignment section.  This verification feature would likely read on the "similar but not identical" limitation. Therefore, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify the method disclosed by Gillum to include the determined domains to be similar are not identical domains. This modification would have been obvious because a person having ordinary skill in the art would have been motivated by the desire to provide methods and systems to address a need that arises from very large scale of operations created by networked computing and cloud based services that cannot be managed by humans and provide increased security and efficiency communication exchange such as emails, reduced processing and network bandwidth usage (malicious or undesired emails being filtered at email service provider), and improved user interaction by allowing recipients to authenticate their emails without having to acquire knowledge or pay a third party to configure their DKIM and SPF settings as suggested by Zink (0019-0020).

Gillum discloses wherein the metadata comprises an identity of one or more name servers serving the domain being analyzed (0023: the email trust service can extract the domain name from the sender address field of the email message and establish a secure connection with the domain, such as by connecting to a website associated with the domain).
Gillum and Zink do not explicitly disclose the correlated metadata of the domain with the metadata of the one or more of the similar but not identical trusted domains is including at least one of an identity of a registrar for the domain being analyzed or correlate an identity of one or more name servers serving the domain being analyzed.  Wright, in analogous art however, discloses the correlated metadata of the domain with the metadata of the one or more of the similar but not identical trusted domains is including at least one of an identity of a registrar for the domain being analyzed or correlate an identity of one or more name servers serving the domain being analyzed ([0013]: a domain name similarity determination (likeness) unit. [0021]: Domain identifying unit, searches entity-maintained or provided resources, such as entity-servers and computer networks of the target entity to identify domain names associated with the target entity. It also searches the Internet and/or domain name registration sites to identify one or more domain names associated with or being used by the target entity or otherwise, associated with the target entity name. [0040; 0044-0045] the generation unit 140 also includes the similarity determination unit (similarity unit) 141 and the pseudo domain name ranking unit (ranking unit) 142. The similarity unit 141 determines a similarity between at least two domain names and after comparing the at least two domain names, determines a fit score. The comparison at the similarity unit 141 can be between any distinct domain names including two or more generated or provided pseudo domain names or even, two or more legitimate target domain names. The fit score identified at the similarity unit 141 is provided or otherwise, accessible to the ranking unit 142 for the purposes of ranking the plurality of pseudo domain names generated at the generation unit 140.)
Wright further discloses ([0084]: Collecting Target Domain Name Data, information regarding a target domain name's associated domain registrar can be collected, and the domain registrar can be queried for additional domain names owned by the entity to which the target domain name belongs. Collecting subsidiary and/or parent company information for an organization associated with the target domain name, where domain names registered by the subsidiaries and/or parent companies can be used as additional target domain names. [0088]: Attack domain name data preferably includes determining whether an attack domain name is available to purchase and/or register. For example, S224 can include querying a WHOIS server (e.g., performing a WHOIS lookup) with the attack domain name and/or related key works to determine availability of an attack domain name and/or related domain names.  [0111]: Attack domain name activity preferably includes e-mail activity from the attack domain name. Restricting e-mail activity preferably includes creating one or more e-mail validation policies. E-mail validation policies can be setup for one or more of: Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), sender ID, Domain-based Message Authentication Reporting and Conformance (DMARC), and/or any other suitable framework. For example, an SPF record can be added to a DNS zone file for the attack domain name, where the SPF record restricts the authorized senders for the domain. In another example, a DMARC policy can be created that rejects an e-mail from the attack domain name in all situations, whether or not a SPF and/or DKIM check fails or succeeds. Alternatively, in another example, a DMARC policy can be created that instructs an e-mail provider to reject an e-mail from the attack domain name if a SPF and/or DKIM check fails, but not if a SPF and/or DKIM check succeeds. Additionally or alternatively, restricting e-mail activity can include directly notifying message transfer agents to disregard e-mails associated with the attack domain name. [0112] Attack domain name activity can additionally or alternatively include: policy modification activity (e.g., modifying an e-mail validation policy), DNS activity (e.g., DNS record modification, DNS lookups, etc.), website activity (e.g., published content, redirection, visitor access, etc.), web browser activity (e.g., browser domain name block lists, etc.), web application activity (e.g., website builders, retail management platforms, etc.), database activity, and/or any other suitable activity that can be restricted).
Therefore, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify the limitations of domain being analyzed disclosed by Gillum to include the correlated metadata of the domain with the metadata of the one or more of the similar but not identical trusted domains is including at least one of an identity of a registrar for the domain being analyzed or correlate an identity of one or more name servers serving the domain being analyzed.  This modification would have been obvious because a person having ordinary skill in the art would have been motivated by the desire for effectively preventing phishing activity and related cyber intrusions as suggested by Wright (0004-0006).

As per claim 2:
Gillum discloses wherein the domain is flagged as being legitimate based on a positive correlation and the domain is flagged as being illegitimate based on a negative correlation (0032-0033).

As per claims 5 and 6:
Gillum does not explicitly disclose wherein the metadata is stored in a domain name system and wherein the metadata comprises at least one of a Mail Exchanger (MX) record, a Sender Policy Framework (SPF) record, or a DomainKeys Identified Mail (DKIM) record. Zink, in analogous art however, discloses wherein the metadata is stored in a domain name system (DNS) (0022-0024: DNS records, DMARC records, SPF records, DKIM records; 0028; 0039), and wherein the metadata comprises at least one of a Mail Exchanger (MX) record, a Sender Policy Framework (SPF) record, and a DomainKeys Identified Mail (DKIM) record (0022-0024: DNS records, DMARC records, SPF records, DKIM records; 0028; 0039). Similarly, Wright, in a similar filed of endeavor, discloses wherein the metadata is stored in a domain name system (DNS) ([0084; 0111-0112]).
Therefore, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify the claimed limitations of the metadata disclosed by Gillum to include wherein the metadata is stored in a domain name system and wherein the metadata comprises at least one of a Mail Exchanger (MX) record, a Sender Policy Framework (SPF) record, and a DomainKeys Identified Mail (DKIM) record. This modification would have been obvious because a person having ordinary skill in the art would have been motivated by the same desire as provided above suggested by Zink (0019-0020) and Wright (0004-0006).

As per claim 8:
Gillum discloses wherein the metadata comprises an identity expressed in Secure Sockets Layer (SSL), Transport Layer Security (TLS), other cryptographic certificates (0048).

As per claim 9:
Gillum discloses a system for detecting a spoofed email message from a sender based on detection of the sender's fraudulent domain associated with the spoofed email message, the system comprising:
a processor coupled to a memory containing instructions executable by the processor to cause the system to (0016):
maintain a database with a plurality of trusted domains (0013-0014: trusted domain and authorized domain; 0020: the email trust service is implemented to determine whether an email message can be trusted, such as whether an email message originated from a trusted business domain; 0029: add an authorized domain to an email safe list; 0037);
receive an email message (0020-0021: verify that the email message is received from an authorized domain as specified in a sender address field of the email message);
compare a domain name given in the received email message with one or more of the plurality of trusted domains and determine a level of resemblance between the domain name and one or more of the trusted domains based on the comparison (0021: the email trust service verifies that an email message is received from a reputable source, such as a well-known company, financial institution, or other legitimate business at a known business domain; 0022: Various authentication techniques can be applied by the email trust service to an email message, the email trust service applies DomainKeys Identified Mail (DKIM) authentication techniques and/or SenderID authentication techniques to an email message. Both DKIM and SenderID can be used to verify that an email message is received from an authorized domain as specified in the sender address field of the email message; 0033-0035);
if there is a positive level of resemblance between the domain name and one or more similar trusted domains of the plurality of trusted domains, correlated published metadata of the domain name with published metadata of one or more of the similar (0029: if an email message is received from a domain that is listed in the email safe list, the email trust service may determine that the email is trusted without applying authentication techniques and/or without determining whether an Extended Validation certificate is associated with the domain. The email distribution service 106 can also maintain an email block list 132 of domain names that are not trusted by a user, or that have been determined as untrusted; 0033-0035); and
the metadata comprises an identity of a registrar for the domain being analyzed (0047: To verify that the email message is received from an authorized domain; authentication techniques include a DomainKeys Identified Mail (DKIM) authentication technique and a SenderID authentication technique; 0048: the email trust service determines whether an Extended Validation certificate is associated with the authorized domain by extracting a domain name from a sender address field of the email message and then examining a certificate provided by a website that is associated with the domain name) or wherein the metadata comprises an identity of one or more name servers serving the domain being analyzed (0023: the email trust service can extract the domain name from the sender address field of the email message and establish a secure connection with the domain, such as by connecting to a website associated with the domain).
flag the domain name as being legitimate and the email message as safe or flag the domain name as being illegitimate and the email message as potentially harmful based on the correlation (0025-0028: trust indicator; The email trust service can obtain a Favicon that is associated with an authorized business domain. A Favicon that is associated with a business domain generally includes a logo or picture that is associated with the particular domain, such as a logo of a business or organization; 0049).
Gillum does not explicitly disclose the determined domains to be similar are not identical domains. Zink, in analogous art however, discloses the determined domains to be similar are not identical domains (0028; 0032-0033: align DMAC and domain in the From: address may be trusted domain; DMARC results are usually stamped in the Authentication-Results header in a message; 0039: the domain in the From: address may be checked to align with either the domain that passes SPF or the domain that passes DKIM (defined in the d= field). If a message passes all three, then it may be considered as passing DMARC as not being spoofed and forwarded to mail storage; 0043: reconstructed domain may be aligned from the selector against the actual domain in the “From” address to pass DMARC; 0064-0066). It is further noted that a DMARC verification as described in Zink et al. relies on a strict or relaxed alignment.  See e.g. Wikipedia "DMARC" under Alignment section.  This verification feature would likely read on the "similar but not identical" limitation. Therefore, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify the method disclosed by Gillum to include the determined domains to be similar are not identical domains. This modification would have been obvious because a person having ordinary skill in the art would have been motivated by the desire to provide methods and systems to address a need that arises from very large scale of operations created by networked computing and cloud based services that cannot be managed by humans and provide increased security and efficiency communication exchange such as emails, reduced processing and network bandwidth usage (malicious or undesired emails being filtered at email service provider), and improved user interaction by allowing recipients to authenticate their emails without having to acquire knowledge or pay a third party to configure their DKIM and SPF settings as suggested by Zink (0019-0020). 

Gillum and Zink do not explicitly disclose the correlated metadata of the domain with the metadata of the one or more of the similar but not identical trusted domains is including at least one of an identity of a registrar for the domain being analyzed or correlate an identity of one or more name servers serving the domain being analyzed.  Wright, in analogous art however, discloses the correlated metadata of the domain with the metadata of the one or more of the similar but not identical trusted domains is including at least one of an identity of a registrar for the domain being analyzed or correlate an identity of one or more name servers serving the domain being analyzed ([0013]: a domain name similarity determination (likeness) unit. [0021]: Domain identifying unit, searches entity-maintained or provided resources, such as entity-servers and computer networks of the target entity to identify domain names associated with the target entity. It also searches the Internet and/or domain name registration sites to identify one or more domain names associated with or being used by the target entity or otherwise, associated with the target entity name. [0040; 0044-0045] the generation unit 140 also includes the similarity determination unit (similarity unit) 141 and the pseudo domain name ranking unit (ranking unit) 142. The similarity unit 141 determines a similarity between at least two domain names and after comparing the at least two domain names, determines a fit score. The comparison at the similarity unit 141 can be between any distinct domain names including two or more generated or provided pseudo domain names or even, two or more legitimate target domain names. The fit score identified at the similarity unit 141 is provided or otherwise, accessible to the ranking unit 142 for the purposes of ranking the plurality of pseudo domain names generated at the generation unit 140.)
Wright further discloses ([0084]: Collecting Target Domain Name Data, information regarding a target domain name's associated domain registrar can be collected, and the domain registrar can be queried for additional domain names owned by the entity to which the target domain name belongs. Collecting subsidiary and/or parent company information for an organization associated with the target domain name, where domain names registered by the subsidiaries and/or parent companies can be used as additional target domain names. [0088]: Attack domain name data preferably includes determining whether an attack domain name is available to purchase and/or register. For example, S224 can include querying a WHOIS server (e.g., performing a WHOIS lookup) with the attack domain name and/or related key works to determine availability of an attack domain name and/or related domain names.  [0111]: Attack domain name activity preferably includes e-mail activity from the attack domain name. Restricting e-mail activity preferably includes creating one or more e-mail validation policies. E-mail validation policies can be setup for one or more of: Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), sender ID, Domain-based Message Authentication Reporting and Conformance (DMARC), and/or any other suitable framework. For example, an SPF record can be added to a DNS zone file for the attack domain name, where the SPF record restricts the authorized senders for the domain. In another example, a DMARC policy can be created that rejects an e-mail from the attack domain name in all situations, whether or not a SPF and/or DKIM check fails or succeeds. Alternatively, in another example, a DMARC policy can be created that instructs an e-mail provider to reject an e-mail from the attack domain name if a SPF and/or DKIM check fails, but not if a SPF and/or DKIM check succeeds. Additionally or alternatively, restricting e-mail activity can include directly notifying message transfer agents to disregard e-mails associated with the attack domain name. [0112] Attack domain name activity can additionally or alternatively include: policy modification activity (e.g., modifying an e-mail validation policy), DNS activity (e.g., DNS record modification, DNS lookups, etc.), website activity (e.g., published content, redirection, visitor access, etc.), web browser activity (e.g., browser domain name block lists, etc.), web application activity (e.g., website builders, retail management platforms, etc.), database activity, and/or any other suitable activity that can be restricted).
Therefore, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify the limitations of domain being analyzed disclosed by Gillum to include the correlated metadata of the domain with the metadata of the one or more of the similar but not identical trusted domains is including at least one of an identity of a registrar for the domain being analyzed or correlate an identity of one or more name servers serving the domain being analyzed.  This modification would have been obvious because a person having ordinary skill in the art would have been motivated by the desire for effectively preventing phishing activity and related cyber intrusions as suggested by Wright (0004-0006).

As per claim 10:
Gillum discloses wherein the domain name is flagged as being legitimate based on a positive correlation and the domain name is flagged as being illegitimate based on a negative correlation (0034-0036: List view includes Trust indicator; Safe list; Block list; 0049-0051: a trust indicator is a Favicon that is associated with a domain name; the email trust service requests a Favicon from a website that is associated with the authorized domain and configured to distribute the Favicon, and then receives the Favicon from the website).

As per claims 13-14 and 16:
Claims 13-14 and 16 are directed to limitations having substantially similar features corresponding to limitations of claims 5-6 and 8 respectively and therefore claims 13-14 and 16 are rejected with the same rationale given above to reject corresponding claims 5-6 and 8.

As per claim 17:
Gillum discloses a system for detecting one or more dangerous websites including one or more fraudulent domains, the system comprises
a processor coupled to a memory containing instructions executable by the processor to cause the system to (0016): 
maintain a database with a plurality of trusted domains (0013-0014: trusted domain and authorized domain; 0020: the email trust service is implemented to determine whether an email message can be trusted, such as whether an email message originated from a trusted business domain; 0029: add an authorized domain to an email safe list; 0037);
compare an unrecognized domain associated with a website with one or more of the plurality of trusted domains and determine a level of resemblance between the unrecognized domain and one or more of the trusted domains based on the comparison (0021: the email trust service verifies that an email message is received from a reputable source, such as a well-known company, financial institution, or other legitimate business at a known business domain; 0022: Various authentication techniques can be applied by the email trust service to an email message, the email trust service applies DomainKeys Identified Mail (DKIM) authentication techniques and/or SenderID authentication techniques to an email message. Both DKIM and SenderID can be used to verify that an email message is received from an authorized domain as specified in the sender address field of the email message; 0023: the email trust service can extract the domain “starbank.com" from the sender address "john@starbank.com", and then establish a secure connection with the website "www.starbank.com", which may be a business domain; 0048-0049);
if there is a positive level of resemblance between the unrecognized domain and one or more similar trusted domains of the plurality of trusted domains, analyze the unrecognized domain associated with the website, wherein analysis of the unrecognized domain comprises correlating published metadata of the unrecognized domain with published metadata of one or more of the similar trusted domains (0029: if an email message is received from a domain that is listed in the email safe list, the email trust service may determine that the email is trusted without applying authentication techniques and/or without determining whether an Extended Validation certificate is associated with the domain. The email distribution service 106 can also maintain an email block list 132 of domain names that are not trusted by a user, or that have been determined as untrusted; 0035-0037);
at least one of an identity of a registrar for the domain being analyzed or an identity of one (0047: To verify that the email message is received from an authorized domain; authentication techniques include a DomainKeys Identified Mail (DKIM) authentication technique and a SenderID authentication technique; 0048: the email trust service determines whether an Extended Validation certificate is associated with the authorized domain by extracting a domain name from a sender address field of the email message and then examining a certificate provided by a website that is associated with the domain name) or more name servers serving the domain being analyzed (0023: the email trust service can extract the domain name from the sender address field of the email message and establish a secure connection with the domain, such as by connecting to a website associated with the domain); and
flag the domain as being legitimate and the website as safe or flag the domain as being illegitimate and the website as potentially dangerous based on the correlation (0025-0028: trust indicator; The email trust service can obtain a Favicon that is associated with an authorized business domain. A Favicon that is associated with a business domain generally includes a logo or picture that is associated with the particular domain, such as a logo of a business or organization; 0049).
Gillum does not explicitly disclose the determined domains to be similar are not identical domains. Zink, in analogous art however, discloses the determined domains to be similar are not identical domains (0028; 0032-0033: align DMAC and domain in the From: address may be trusted domain; DMARC results are usually stamped in the Authentication-Results header in a message; 0039: the domain in the From: address may be checked to align with either the domain that passes SPF or the domain that passes DKIM (defined in the d= field). If a message passes all three, then it may be considered as passing DMARC as not being spoofed and forwarded to mail storage; 0043: reconstructed domain may be aligned from the selector against the actual domain in the “From” address to pass DMARC; 0064-0066). It is further noted that a DMARC verification as described in Zink et al. relies on a strict or relaxed alignment.  See e.g. Wikipedia "DMARC" under Alignment section.  This verification feature would likely read on the "similar but not identical" limitation. Therefore, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify the method disclosed by Gillum to include the determined domains to be similar are not identical domains. This modification would have been obvious because a person having ordinary skill in the art would have been motivated by the desire to provide methods and systems to address a need that arises from very large scale of operations created by networked computing and cloud based services that cannot be managed by humans and provide increased security and efficiency communication exchange such as emails, reduced processing and network bandwidth usage (malicious or undesired emails being filtered at email service provider), and improved user interaction by allowing recipients to authenticate their emails without having to acquire knowledge or pay a third party to configure their DKIM and SPF settings as suggested by Zink (0019-0020). 

Gillum and Zink do not explicitly disclose the correlated metadata of the domain with the metadata of the one or more of the similar but not identical trusted domains is including at least one of an identity of a registrar for the domain being analyzed or correlate an identity of one or more name servers serving the domain being analyzed.  Wright, in analogous art however, discloses the correlated metadata of the domain with the metadata of the one or more of the similar but not identical trusted domains is including at least one of an identity of a registrar for the domain being analyzed or correlate an identity of one or more name servers serving the domain being analyzed ([0013]: a domain name similarity determination (likeness) unit. [0021]: Domain identifying unit, searches entity-maintained or provided resources, such as entity-servers and computer networks of the target entity to identify domain names associated with the target entity. It also searches the Internet and/or domain name registration sites to identify one or more domain names associated with or being used by the target entity or otherwise, associated with the target entity name. [0040; 0044-0045] the generation unit 140 also includes the similarity determination unit (similarity unit) 141 and the pseudo domain name ranking unit (ranking unit) 142. The similarity unit 141 determines a similarity between at least two domain names and after comparing the at least two domain names, determines a fit score. The comparison at the similarity unit 141 can be between any distinct domain names including two or more generated or provided pseudo domain names or even, two or more legitimate target domain names. The fit score identified at the similarity unit 141 is provided or otherwise, accessible to the ranking unit 142 for the purposes of ranking the plurality of pseudo domain names generated at the generation unit 140.)
Wright further discloses ([0084]: Collecting Target Domain Name Data, information regarding a target domain name's associated domain registrar can be collected, and the domain registrar can be queried for additional domain names owned by the entity to which the target domain name belongs. Collecting subsidiary and/or parent company information for an organization associated with the target domain name, where domain names registered by the subsidiaries and/or parent companies can be used as additional target domain names. [0088]: Attack domain name data preferably includes determining whether an attack domain name is available to purchase and/or register. For example, S224 can include querying a WHOIS server (e.g., performing a WHOIS lookup) with the attack domain name and/or related key works to determine availability of an attack domain name and/or related domain names.  [0111]: Attack domain name activity preferably includes e-mail activity from the attack domain name. Restricting e-mail activity preferably includes creating one or more e-mail validation policies. E-mail validation policies can be setup for one or more of: Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), sender ID, Domain-based Message Authentication Reporting and Conformance (DMARC), and/or any other suitable framework. For example, an SPF record can be added to a DNS zone file for the attack domain name, where the SPF record restricts the authorized senders for the domain. In another example, a DMARC policy can be created that rejects an e-mail from the attack domain name in all situations, whether or not a SPF and/or DKIM check fails or succeeds. Alternatively, in another example, a DMARC policy can be created that instructs an e-mail provider to reject an e-mail from the attack domain name if a SPF and/or DKIM check fails, but not if a SPF and/or DKIM check succeeds. Additionally or alternatively, restricting e-mail activity can include directly notifying message transfer agents to disregard e-mails associated with the attack domain name. [0112] Attack domain name activity can additionally or alternatively include: policy modification activity (e.g., modifying an e-mail validation policy), DNS activity (e.g., DNS record modification, DNS lookups, etc.), website activity (e.g., published content, redirection, visitor access, etc.), web browser activity (e.g., browser domain name block lists, etc.), web application activity (e.g., website builders, retail management platforms, etc.), database activity, and/or any other suitable activity that can be restricted).
Therefore, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify the limitations of domain being analyzed disclosed by Gillum to include the correlated metadata of the domain with the metadata of the one or more of the similar but not identical trusted domains is including at least one of an identity of a registrar for the domain being analyzed or correlate an identity of one or more name servers serving the domain being analyzed.  This modification would have been obvious because a person having ordinary skill in the art would have been motivated by the desire for effectively preventing phishing activity and related cyber intrusions as suggested by Wright (0004-0006).

As per claim 18:
Claim 18 is directed to limitations having substantially similar features corresponding to limitations of claim 10 and therefore claim 18 is rejected with the same rationale given above to reject claim 10.

As per claims 20-21 and 23:
Claims 20-21 and 23 are directed to limitations having substantially similar features corresponding to limitations of claims 5-6 and 8 respectively and therefore claims 20-21 and 23 are rejected with the same rationale given above to reject corresponding claims 5-6 and 8.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 7, 15 and 22 are rejected under 35 U.S.C. 103 as being unpatentable over Gillum and Zink in view of Wright et al. (Hereinafter referred to as Wright, US 20180027013) and in further view of Shull et al. (hereinafter referred to as Shull, US. Pub. No.: 20080034211).

As per claims 7, 15 and 22:
Gillum, Zink and Wright do not explicitly disclose wherein the metadata comprises information stored in a WHOIS database. Shull, in analogous art however, discloses wherein the metadata comprises information stored in a WHOIS database (0064; 0083; 0092). Therefore, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify the method disclosed by Gillum, Zink and Wright to include wherein the metadata comprises information stored in a WHOIS database. This modification would have been obvious because a person having ordinary skill in the art would have been motivated by the desire to provide methods and systems for validating ownership of domain names as suggested by Shull (0011).

BRI (Broadest Reasonable Interpretation)
The above claims under examination have been given their BRI consistent with the applicant’s disclosure as it would be interpreted by one of ordinary skill in the art and the following claim words or terms or phrases or languages have been given to them the following reasonable BRI considerations in view of the applicant’s disclosure in order to construe boundary and scope of the claimed limitations. For example, for the following claim words or terms or phrases or languages, the examiner recites BRI considerations from the applicant’s disclosure as follows:
DNS metadata: [0014; 0032; 0039: The system 10 is configured to analyze most, if not all, DNS metadata provided by a DNS system, for example, for a given domain under inspection, including, but not limited to, the registrar of the domain, the IP addresses of Mail Exchanger (MX) records, DomainKeys Identified Mail (DKIM) records, and other service addresses beyond Simple Mail Transfer Protocol (SMTP), Internet Message Access Protocol (IMAP), and Post Office Protocol (POP). The system 10 is further configured to utilize other data associated with the domain name under inspection, such as behavioral attributes of the trusted entity or party, including, but not limited to, server software in use and policies the entity or party enforces].
Correlate Registrar: [0035: A security module for analyzing the email message, specifically determining a correlation between the domain of the email message under inspection and a well-known target domain (e.g., trusted domain) in order to further determine the legitimacy of the email message under inspection. FIG. 3 generally illustrates a decision module based on inspection of domain registrar information with a security module 201 comparing the domain of the message being examined (referred to as the “suspect domain”) with a well-known target domain. It should be noted that, as an initial step, the system is configured to compare the suspect domain with a plurality of known and trusted domains (i.e., “target domains”)].
[0038: For example, FIG. 4 is a flow diagram illustrating a decision module of the security system for determining whether an email message is authentic upon inspection of the domain based, at least in part, on metadata stored in a Domain Name System (DNS). For example, most companies register all of their domains with a single registrar, or serve as their own registrar. In either case, there are only a small number of registrars, and this can be used to identify questionable domains. For example, if “Mimecast.x.com” uses a different registrar than the Mimecast domains do, it is likely an attempt to fool someone. Similarly, the contents of a DNS record may hold similar clues. If a company has a DKIM or SPF record, it is likely to be consistent throughout the company, so a different DKIM or SPF record would be another red flag]. 

Conclusion
The prior arts made of record and not relied upon are considered pertinent to applicant's disclosure. See the notice of reference cited in form PTO-892 for additional prior arts.

THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TECHANE GERGISO whose telephone number is (571)272-3784.  The examiner can normally be reached on 9:30am to 6:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JUNG W KIM can be reached on 5712723804.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/TECHANE GERGISO/Primary Examiner, Art Unit 2494