DETAILED ACTION
1.	Claims 1-20 are pending in this examination.
Notice of Pre-AIA  or AIA  Status
2.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 
3.	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Double Patenting
4.1.	The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.  A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the reference application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO internet Web site contains terminal disclaimer forms which may be used.  Please visit http://www.uspto.gov/forms/.  The filing date of the application will determine what form should be used.  A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission.  For more information about eTerminal Disclaimers, refer to http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.  

4.2.	Claims 1-8, 10-20 rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-7, 9-18 of the US Patent No. 11271966.
Although the conflicting claims are not identical, they are not patentably distinct from each other because claims 1-8, 10-20 are anticipated by claims 1-7, 9-18, of the US Patent No. 11271966.
Claims 1-18 of the US Patent No. 11271966 as shown in the table below contains every element of claims 1-8, 10-20 of the instant application and as such anticipates claims 1-8, 10-20 of the instant application.

Instant application
Claims: 1-20
US patent No. 11271966 
Claim 1-18
1. A method comprising:
receiving, at a browser extension operating in a browser application, a uniform resource locator (URL) requested within the browser application;
obtaining information indicating that the received URL is a counterfeit URL;
comparing content extracted from a website associated with the received URL with content associated with websites associated with each of a plurality of legitimate URLs based on obtaining information indicating that the received URL is counterfeit;
identifying a first legitimate URL included in the plurality of legitimate URLs whose associated website includes content that exceeds a threshold similarity to the content of the website associated with the received URL; and
redirecting the browser application to the first legitimate URL based on identifying the first legitimate URL with content exceeding the threshold similarity to the content of the website associated with the received URL.









2. The method of claim 1, further comprising:
transmitting the extracted content from the website associated with the received URL to a counterfeit URL detection system configured to analyze the extracted content, wherein said obtaining information includes receiving an assessment from the counterfeit URL detection system indicating that the received URL is counterfeit.
3. The method of claim 1, further comprising:
comparing the received URL with a listing of known counterfeit URLs, wherein said obtaining information includes matching the received URL with any counterfeit URL listed in the listing of known counterfeit URLs, indicating that the received URL is counterfeit.

4. The method of claim 1, further comprising: responsive to obtaining information indicating that the received URL is counterfeit, blocking the browser application from accessing content associated with the received URL.
5. The method of claim 1, wherein a portion of the plurality of legitimate URLs are included in a primary listing of legitimate URLs that represent legitimate entities that are subscribed to receive redirected URL requests, wherein the first legitimate URL is included in the primary listing of legitimate URLs.
6. The method of claim 1, further comprising: identifying a first set of characteristics of the content extracted from the website associated with the received URL, the first set of characteristics including at least one of detected objects, detected text, and detected source information included in the content extracted from the website associated with the received URL; and identifying a plurality of characteristics of the website associated with the first legitimate URL, wherein said comparing includes: 
comparing the first set of characteristics with the plurality of characteristics to determine a number of common characteristics between the first set of characteristics and the plurality of characteristics; and determining that the number of common characteristics between the first set of characteristics and the plurality of characteristics exceeds a threshold number of common characteristics representing that the website associated with first legitimate URL is within the threshold similarity to the website associated with the received URL.
7. The method of claim 1, further comprising: 
determining that all websites associated with legitimate URLs included in a portion of the plurality of legitimate URLs listed in a primary listing of legitimate URLs do not exceed the threshold similarity to the extracted content of the website associated with the received URL; comparing content extracted from the website associated with the received URL with content associated with websites of a portion of the plurality of legitimate URLs listed in a secondary listing of legitimate URLs, wherein the first legitimate URL is included in the secondary listing of legitimate URLs.

8. The method of claim 7, further comprising: identifying a primary characteristic of the extracted content of the website associated with the received URL; identifying each legitimate URL included in the secondary listing of legitimate URLs whose associated website includes characteristics matching the primary characteristic, 
wherein said redirecting the browser application to the first legitimate URL is based on determining that the bid associated with the first legitimate URL is greater than any bids of the other legitimate URLs included in the secondary listing of legitimate URLs whose associated websites include characteristics matching the primary characteristic.
10. The method of claim 9, wherein the analytics include at least one of: a number of URL requests received, a number of instances that the browser application was redirected from any received URL to a legitimate URL, a number of instances in which the browser application was redirected to any legitimate URL listed on a primary listing of legitimate URLs, and a number of instances in which the browser application was redirected to any legitimate URL listed on a secondary listing of legitimate URLs.
11. The method of claim 1, wherein the browser extension operating in the browser application is configured to execute on a smartphone
12. A non-transitory computer-readable storage medium storing a browser extension that comprises computer program instructions, the computer program instructions when executed by a processor causing the processor to: receive a uniform resource locator (URL); 
obtain information indicating that the received URL is a counterfeit URL; extract content from a webpage associated with the received URL and from webpages associated with each of a plurality of legitimate URLs associated with legitimate entities; compare the extracted content from the webpage associated with the received URL and the extracted content from the webpages associated with each of the plurality of legitimate URLs to identify a first legitimate URL included in the plurality of legitimate URLs whose associated webpage has a similarity to the content of the webpage associated with the received URL that exceeds a threshold similarity; and redirect a browser application to the first legitimate URL based on identifying the first legitimate URL.









13. The non-transitory computer-readable storage medium of claim 12, wherein the computer program instructions, when executed by the processor, further cause the processor to:
 compare the received URL with a listing of known counterfeit URLs; and transmit the extracted content of the webpage associated with the received URL to a counterfeit URL detection system configured to analyze the extracted content based on failing to match the received URL with any known counterfeit URL listed on the listing of known counterfeit URLs, wherein said obtaining information includes receiving an assessment from the counterfeit URL detection system indicating that the received URL is counterfeit.

14. The non-transitory computer-readable storage medium of claim 12, wherein the computer program instructions, when executed by the processor, further cause the processor to: identify no legitimate URL, included in a listing of known legitimate URLs that have subscribed to receive redirected browser extensions, that has an associated webpage having a similarity to the extracted content of the webpage associated with the received URL that exceeds the threshold similarity; and
inspect extracted content from webpages associated with legitimate URLs included in a secondary listing of legitimate URLs, wherein the first legitimate URL is included in the secondary listing of legitimate URLs.





15. The non-transitory computer-readable storage medium of claim 12, wherein the computer program instructions, when executed by the processor, further cause the processor to: record, by the browser extension, user behaviors and interactions with the received URL and the first legitimate URL; generate analytics that quantify the user behaviors and interactions with the received URL and the first legitimate URL; and display the analytics on a webpage.

16. A method comprising: receiving a request to access a webpage associated with a requested uniform resource locator (URL) at a browser extension operating in a browser application on a user device; applying a first model to content extracted from the webpage, the first model trained to output an assessment indicating that the requested URL is counterfeit; determining that content extracted from a webpage associated with a legitimate URL has a similarity to content extracted from the webpage associated with the requested URL that exceeds a threshold similarity; redirecting the browser application from the requested URL to the legitimate URL based on the exceeded threshold similarity; recording interactions between the user device and the requested URL and the legitimate URL; and generating one or more analytics based on the recorded interactions.






17. The method of claim 16, wherein the analytics include at least one of: a number of URL requests received, a number of instances that the browser application was redirected from any requested URL to a legitimate URL, a number of instances in which the browser application was redirected to any legitimate URL listed on a primary listing of legitimate URLs, and a number of instances in which the browser application was redirected to any legitimate URL listed on a secondary listing of legitimate URLs.
18. The method of claim 16, wherein the extracted content of any of the webpage associated with the requested URL and the webpage associated with the legitimate URL comprises at least one of: an object detected in an image extracted from the webpage, text extracted from the webpage, a hypertext transfer protocol (HTTP) request header or body, and an HTTP response header or body.

19. The method of claim 16, further comprising: determining, from the recorded interactions, that a number of instances in which the browser application was redirected from a requested URL to a legitimate URL exceeds a threshold number; and displaying a social engineering module on the user device, the social engineering module providing instructions to identify legitimate URLs and avoid counterfeit URLs.


20. The method of claim 16, further comprising: determining, from the recorded interactions, that a number of instances in which the browser application was redirected from a requested URL to a legitimate URL exceeds a threshold number; and implementing a training module on the user device, the training module providing a series of instructions to train a user to identify legitimate URLs and avoid counterfeit URLs, wherein the training module tracks a progression of the user through the series of instructions. 

1. A method comprising: 
receiving, at a browser extension operating in a browser application, a uniform resource locator (URL) requested within the browser application; 
obtaining information indicating that the received URL is a counterfeit URL; 
comparing content extracted from a website associated with the received URL with content associated with websites associated with each of a plurality of legitimate URLs based on obtaining information indicating that the received URL is counterfeit;
 identifying a first legitimate URL included in the plurality of legitimate URLs whose associated website includes content that exceeds a threshold similarity to the content of the website associated with the received URL; and 
redirecting the browser application to the first legitimate URL based on identifying the first legitimate URL with content exceeding the threshold similarity to the content of the website associated with the received URL;
 wherein identifying the first legitimate URL includes: determining that all websites associated with legitimate URLs included in a portion of the plurality of legitimate URLs listed in a primary listing of legitimate URLs do not exceed the threshold similarity to the extracted content of the website associated with the received URL; and comparing content extracted from the website associated with the received URL with content associated with websites of a portion of the plurality of legitimate URLs listed in a secondary listing of legitimate URLs representing legitimate entities that include a bid to have the browser application redirected to their legitimate URLs, wherein the first legitimate URL is included in the secondary listing of legitimate URLs.
2. The method of claim 1, further comprising: 
transmitting the extracted content from the website associated with the received URL to a counterfeit URL detection system configured to analyze the extracted content, wherein said obtaining information includes receiving an assessment from the counterfeit URL detection system indicating that the received URL is counterfeit.

3. The method of claim 1, further comprising: 
comparing the received URL with a listing of known counterfeit URLs, wherein said obtaining information includes matching the received URL with any counterfeit URL listed in the listing of known counterfeit URLs, indicating that the received URL is counterfeit.

4. The method of claim 1, further comprising: responsive to obtaining information indicating that the received URL is counterfeit, blocking the browser application from accessing content associated with the received URL.
5. The method of claim 1, wherein the primary listing of legitimate URLs represents legitimate entities that are subscribed to receive redirected URL requests.

6. The method of claim 1, further comprising: identifying a first set of characteristics of the content extracted from the website associated with the received URL, the first set of characteristics including at least one of detected objects, detected text, and detected source information included in the content extracted from the website associated with the received URL; and identifying a plurality of characteristics of the website associated with the first legitimate URL, wherein said comparing includes:
 comparing the first set of characteristics with the plurality of characteristics to determine a number of common characteristics between the first set of characteristics and the plurality of characteristics; and determining that the number of common characteristics between the first set of characteristics and the plurality of characteristics exceeds a threshold number of common characteristics representing that the website associated with first legitimate URL is within the threshold similarity to the website associated with the received URL.
1… wherein identifying the first legitimate URL includes: 
determining that all websites associated with legitimate URLs included in a portion of the plurality of legitimate URLs listed in a primary listing of legitimate URLs do not exceed the threshold similarity to the extracted content of the website associated with the received URL; and comparing content extracted from the website associated with the received URL with content associated with websites of a portion of the plurality of legitimate URLs listed in a secondary listing of legitimate URLs representing legitimate entities that include a bid to have the browser application redirected to their legitimate URLs, wherein the first legitimate URL is included in the secondary listing of legitimate URLs.

7. The method of claim 1, further comprising: identifying a primary characteristic of the extracted content of the website associated with the received URL; identifying each legitimate URL included in the secondary listing of legitimate URLs whose associated website includes characteristics matching the primary characteristic, 
wherein said redirecting the browser application to the first legitimate URL is based on determining that the bid associated with the first legitimate URL is greater than any bids of the other legitimate URLs included in the secondary listing of legitimate URLs whose associated websites include characteristics matching the primary characteristic.
9. The method of claim 8, wherein the analytics include at least one of: a number of URL requests received, a number of instances that the browser application was redirected from any received URL to a legitimate URL, a number of instances in which the browser application was redirected to any legitimate URL listed on the primary listing of legitimate URLs, and a number of instances in which the browser application was redirected to any legitimate URL listed on the secondary listing of legitimate URLs.
10. The method of claim 1, wherein the browser extension operating in the browser application is configured to execute on a smartphone.
11. A non-transitory computer-readable storage medium storing a browser extension that comprises computer program instructions, the computer program instructions when executed by a processor causing the processor to: receive a uniform resource locator (URL); 
obtain information indicating that the received URL is a counterfeit URL; extract content from a webpage associated with the received URL and from webpages associated with each of a plurality of legitimate URLs associated with legitimate entities; compare the extracted content from the webpage associated with the received URL and the extracted content from the webpages associated with each of the plurality of legitimate URLs to identify a first legitimate URL included in the plurality of legitimate URLs whose associated webpage has a similarity to the content of the webpage associated with the received URL that exceeds a threshold similarity, wherein identifying the first legitimate URL includes: determining that no legitimate URL, included in a listing of known legitimate URLs that have subscribed to receive browser application redirects, has an associated webpage having a similarity to the extracted content of the webpage associated with the received URL that exceeds the threshold similarity; and inspecting extracted content from webpages associated with legitimate URLs included in a secondary listing of legitimate URLs that are associated with a bid to receive redirected URL requests, wherein the first legitimate URL is included in the secondary listing of legitimate URLs and includes a greater bid value than any other legitimate URL listed on the secondary listing of legitimate URLs that are associated with webpages having a similarity to the content of the webpage associated with the received URL that exceeds the threshold similarity; and redirect a browser application to the first legitimate URL based on identifying the first legitimate URL.

12. The non-transitory computer-readable storage medium of claim 11, wherein the computer program instructions, when executed by the processor, further cause the processor to:
 compare the received URL with a listing of known counterfeit URLs; and transmit the extracted content of the webpage associated with the received URL to a counterfeit URL detection system configured to analyze the extracted content based on failing to match the received URL with any known counterfeit URL listed on the listing of known counterfeit URLs, wherein said obtaining information includes receiving an assessment from the counterfeit URL detection system indicating that the received URL is counterfeit.
14. …. determining that 

no legitimate URL, included in a listing of known legitimate URLs that have subscribed to receive browser application redirects, has an associated webpage having a similarity to the extracted content of the webpage associated with the received URL that exceeds the threshold similarity; and inspecting extracted content from webpages associated with legitimate URLs included in a secondary listing of legitimate URLs that are associated with a bid to receive redirected URL requests, wherein the first legitimate URL is included in the secondary listing of legitimate URLs and includes a greater bid value than any other legitimate URL listed on the secondary listing of legitimate URLs that are associated with webpages having a similarity to the content of the webpage associated with the received URL that exceeds the threshold similarity; and redirect a browser application to the first legitimate URL based on identifying the first legitimate URL.

13. The non-transitory computer-readable storage medium of claim 11, wherein the computer program instructions, when executed by the processor, further cause the processor to: record, by the browser extension, user behaviors and interactions with the received URL and the first legitimate URL; generate analytics that quantify the user behaviors and interactions with the received URL and the first legitimate URL; and display the analytics on a webpage.

14. A method comprising: receiving a request to access a webpage associated with a requested uniform resource locator (URL) at a browser extension operating in a browser application on a user device; applying a first model to content extracted from the webpage, the first model trained to output an assessment indicating that the requested URL is counterfeit; making a similarity determination to determine that content extracted from a webpage associated with a legitimate URL has a similarity to content extracted from the webpage associated with the requested URL that exceeds a threshold similarity; redirecting the browser application from the requested URL to the legitimate URL based on the exceeded threshold similarity; recording interactions between the user device and the requested URL and the legitimate URL; and generating one or more analytics based on the recorded interactions; wherein the similarity determination includes: determining that all webpages associated with a primary listing of legitimate URLs do not exceed the threshold similarity to the extracted content of the webpage associated with the requested URL; and comparing content extracted from the webpage associated with the requested URL with content associated with webpages listed in a secondary listing of legitimate URLs representing legitimate entities that include a bid to have the browser application redirect to their legitimate URLs, wherein the legitimate URL is included in the secondary listing of legitimate URLs.
15. The method of claim 14, wherein the analytics include at least one of: a number of URL requests received, a number of instances that the browser application was redirected from any requested URL to a legitimate URL, a number of instances in which the browser application was redirected to any legitimate URL listed on the primary listing of legitimate URLs, and a number of instances in which the browser application was redirected to any legitimate URL listed on the secondary listing of legitimate URLs.

16. The method of claim 14, wherein the extracted content of any of the webpage associated with the requested URL and the webpage associated with the legitimate URL comprises at least one of: an object detected in an image extracted from the webpage, text extracted from the webpage, a hypertext transfer protocol (HTTP) request header or body, and an HTTP response header or body.

17. The method of claim 14, further comprising: determining, from the recorded interactions, that a number of instances in which the browser extension application was redirected from a requested URL to a legitimate URL exceeds a threshold number; and displaying a social engineering module on the user device, the social engineering module providing instructions to identify legitimate URLs and avoid counterfeit URLs.

18. The method of claim 14, further comprising: determining, from the recorded interactions, that a number of instances in which the browser application was redirected from a requested URL to a legitimate URL exceeds a threshold number; and implementing a training module on the user device, the training module providing a series of instructions to train a user to identify legitimate URLs and avoid counterfeit URLs, wherein the training module tracks a progression of the user through the series of instructions.


This is a nonstatutory obviousness-type double patenting rejection.

4.3.	Claims 1, 12 and 16 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1, 8 and 15 of the US Patent No. 11301560 in view of in view of US Patent Application No. 10616274 to Chang et al (“Chang”).
 	Although the conflicting claims are not identical, they are not patentably distinct from each other because the subject matter claimed in the instant application is substantially similar in nature of US Patent No. 11301560.

Instant application  
claims 1, 12 and 16
Patent No. 11301560
claims 1, 8 and 15
1, 12 and 16: A method comprising:
receiving, at a browser extension operating in a browser application, a uniform resource locator (URL) requested within the browser application;
obtaining information indicating that the received URL is a counterfeit URL;
comparing content extracted from a website associated with the received URL with content associated with websites associated with each of a plurality of legitimate URLs based on obtaining information indicating that the received URL is counterfeit; identifying a first legitimate URL included in the plurality of legitimate URLs whose associated website includes content that exceeds a threshold similarity to the content of the website associated with the received URL; and




redirecting the browser application to the first legitimate URL based on identifying the first legitimate URL with content exceeding the threshold similarity to the content of the website associated with the received URL.
claims 1, 8 and 15: A method comprising: 
receiving at a browser extension operating in a browser application, a uniform resource locator (URL) requested within the browser application; 
extracting by the browser extension, content from a webpage associated with the received URL;
 transmitting the extracted content to a counterfeit URL detection system configured to analyze the extracted content and return an assessment indicating whether the received URL is counterfeit, wherein the analysis of the extracted content includes one of image object detection; natural language processing, analyzing a hypertext transfer protocol (HTTP) request header or body, and analyzing an HTTP response header or body; and responsive to the assessment indicating that the received URL is counterfeit, blocking by the browser extension, the browser application from accessing content associated with the received URL; wherein the counterfeit URL detection system determines a score, wherein the assessment of whether the received URL is counterfeit is based in part on a threshold relative to the score, and wherein the threshold is based at least in part on a user-input threat tolerance.



Furthermore, as per as 1, 12 and 16: US patent No. 11301560 as described above table, however, US patent No. 11301560 does not explicitly disclose but Chang discloses redirecting the browser application to the first legitimate URL based on identifying the first legitimate URL with content exceeding the threshold similarity to the content of the website associated with the received URL (11:1-29, detection model 250 is a score indicating a likelihood that the base URL or website that returned the redirect URLs performs cloaking. For example, if the score is greater than a threshold value, the website is determined to perform cloaking, and if the score is less than the threshold, the website is determined not to perform cloaking).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of US patent No. 11301560 with the teaching of Chang by including the feature of redirecting, in order for US patent No. 11301560’s to maintaining privacy of the user. The URL logs received from the mobile devices allow the online system to assess a webpage's behavior and detect cloaking by the URL or website. The use of URL redirect logs also maintains privacy of the user because it does not involve transmitting any personal data of the user to the online system. In addition to maintaining privacy, transmitting a URL log involves a relatively small amount of data transfer between a mobile device and the online system (Chang, 2:27-34).
This is a nonstatutory obviousness-type double patenting rejection. 

Claim Rejections - 35 USC § 103
5.1.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


5.2.	Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over US Patent No. 10104113 to Stein et al (“Stein”) in view of US Patent Application No. 10616274 to Chang et al (“Chang”), further in view of "A Layout-Similarity-Based Approach for Detecting Phishing” by Rosiello et al. (“Rosiello”).

 	As per claim 1, Stein discloses a method comprising: receiving, at a browser extractor operating in a browser application, a uniform resource locator (URL) requested within the browser application; obtaining information indicating that the received URL is a counterfeit URL (10:38-50, 2:46-60; URL features extracted from the selected URL in order to analyze the one or more URL features of the selected URL and determine a URL risk score based on its analysis of the one or more features. URL risk score represents a risk value associated with the selected URL that the selected URL contains malicious content); 
comparing content extracted from a website associated with the received URL with content associated with websites associated with each of a plurality of legitimate URLs based on obtaining information indicating that the received URL is counterfeit;(10:38-62, one or more URL features extracted from the selected URL in order to analyze the one or more URL features of the selected URL and … the selected URL that the selected URL contains malicious content., also see 3:1-15, 8:45-67);
identifying a first legitimate URL included in the plurality of legitimate URLs whose associated website includes content that exceeds a threshold similarity to the content of the website associated with the received URL (16:54-67, 15:28-34; FIG. 4B. If the URL risk score does not exceed the URL risk score threshold, then the URL has a reasonable likelihood of containing benign content).
Stein does not explicitly disclose however in the same field of endeavor, Chang discloses redirecting the browser application to the first legitimate URL based on identifying the first legitimate URL with content exceeding the threshold similarity to the content of the website associated with the received URL (11:1-29, detection model 250 is a score indicating a likelihood that the base URL or website that returned the redirect URLs performs cloaking. For example, if the score is greater than a threshold value, the website is determined to perform cloaking, and if the score is less than the threshold, the website is determined not to perform cloaking).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Stein with the teaching of Chang by including the feature of redirecting, in order for Stein’s system to maintaining privacy of the user. The URL logs received from the mobile devices allow the online system to assess a webpage's behavior and detect cloaking by the URL or website. The use of URL redirect logs also maintains privacy of the user because it does not involve transmitting any personal data of the user to the online system. In addition to maintaining privacy, transmitting a URL log involves a relatively small amount of data transfer between a mobile device and the online system (Chang, 2:27-34).
Stein and Stein do not explicitly disclose however in the same field of endeavor, Rosiello discloses a browser extension, additionally Rosiello discloses Similarity assessment of two websites (section 3.1, 3.2).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Stein/ Chang with the teaching of Rosiello by including the feature of a browser extension, in order for Stein’s system to preventing identity theft. In this paper, we present an extension of our system (called DOMAntiPhish) that mitigates the shortcomings of our previous system. In particular, our novel approach leverages layout similarity information to distinguish between malicious and benign web pages. This makes it possible to reduce the involvement of the user and significantly reduces the false alarm rate. Our experimental evaluation demonstrates that our solution is feasible in practice (Rosiello, abstract, section 1).

As per claim 2, the combination of Stein, Chang and Rosiello discloses the method of claim 1, further comprising: transmitting the extracted content from the website associated with the received URL to a counterfeit URL detection system configured to analyze the extracted content, wherein said obtaining information includes receiving an assessment from the counterfeit URL detection system indicating that the received URL is counterfeit (Stein, 15:12-20, 17:50-62; content classifier logic 124 is trained, content classifier logic 124 can be applied to the one or more content features extracted from the webpage content associated with the URL in order to analyze the one or more content features and determine a maliciousness risk score based on its analysis of the one or more features. Maliciousness risk score represents a risk value associated with the selected URL that the selected URL contains malicious content based on an analysis of one or more content features)

As per claim 3, the combination of Stein, Chang and Rosiello discloses the method of claim 1, further comprising: comparing the received URL with a listing of known counterfeit URLs, wherein said obtaining information includes matching the received URL with any counterfeit URL listed in the listing of known counterfeit URLs, indicating that the received URL is counterfeit (Stein, 17:35-60, also see 18:14-35).

As per claim 4, the combination of Stein, Chang and Rosiello discloses the method of claim 1, further comprising: responsive to obtaining information indicating that the received URL is counterfeit, blocking the browser application from accessing content associated with the received URL (Chang, 13:57-67 to 14:1-16). The motivation regarding the obviousness of claim 1 is also applied to claim 4.

As per claim 5, the combination of Stein, Chang and Rosiello discloses the method of claim 1, wherein a portion of the plurality of legitimate URLs are included in a primary listing of legitimate URLs that represent legitimate entities that are subscribed to receive redirected URL requests, wherein the first legitimate URL is included in the primary listing of legitimate URLs (Chang, 15:5-20, also see 11: 35-67). The motivation regarding the obviousness of claim 1 is also applied to claim 5.

As per claim 6, the combination of Stein, Chang and Rosiello discloses the method of claim 1, further comprising: identifying a first set of characteristics of the content extracted from the website associated with the received URL, the first set of characteristics including at least one of detected objects, detected text, and detected source information included in the content extracted from the website associated with the received URL (Stein, 15: 30-35, 16: 32-41, extraction logic 122 may be programmed to extract a text distance feature from the webpage content associated with the selected URL. A text distance feature is a content feature and is a value that represents how dissimilar two strings are to one another); and
identifying a plurality of characteristics of the website associated with the first legitimate URL (wherein said comparing includes maliciousness risk score threshold is a configurable threshold setting that may be pre-stored. If the maliciousness risk score exceeds the maliciousness risk score threshold, then the URL has a reasonable likelihood of containing malicious content, therefore, content classifier system 120 can classify the URL as being malicious. If the content risk score does not exceed the maliciousness risk score threshold, then the URL has a reasonable likelihood of containing benign content, therefore, the content classifier system 120 can classify the URL as benign. Stein, 11:40-55, 13:1-20, 15: 30-35)
comparing the first set of characteristics with the plurality of characteristics to determine a number of common characteristics between the first set of characteristics and the plurality of characteristics; (Stein, 13:1-20,11:40-45, extraction logic 122 may be programmed to extract a text distance feature from the webpage content associated with the selected URL. A text distance feature is a content feature and is a value that represents how dissimilar two strings are to one another. …To illustrate, the string "ABCA" could be represented by the vector [2, 1, 1] to indicate that the "A" character occurs twice, and the "B" and "C" characters occur once. Likewise, the string "ABCB" could be represented by the vector [1, 2, 1] to indicate that the "A" and "C" characters occur once, and the "B" character occurs twice. Accordingly, the cosine distance between the strings "ABCA" and "ABCB" can be determined by taking the cosine of the vectors [2, 1, 1] and [1, 2, 1].); and
determining that the number of common characteristics between the first set of characteristics and the plurality of characteristics exceeds a threshold number of common characteristics representing that the website associated with first legitimate URL is within the threshold similarity to the website associated with the received URL (Stein, 11:40-55, 13:1-20, 15: 30-35, extract one or more character count features from the webpage content associated with the selected URL. Character count features are content features of the webpage content. In one embodiment, unique character count is a content feature that represents the number of unique characters found in the webpage content. In one embodiment, unique character count is case-sensitive, so that characters of different cases (e.g., "A" and "a") are counted as separate characters. In another embodiment, unique character count is case-insensitive, so that characters of different cases (e.g., "A" and "a") are counted as a single character. Total character count is a content feature that represents the total number of characters found in the webpage content.. .;, ..maliciousness risk score threshold is a configurable threshold setting that may be pre-stored. If the maliciousness risk score exceeds the maliciousness risk score threshold, then the URL has a reasonable likelihood of containing malicious content, therefore, content classifier system 120 can classify the URL as being malicious. If the content risk score does not exceed the maliciousness risk score threshold, then the URL has a reasonable likelihood of containing benign content, therefore, the content classifier system 120 can classify the URL as benign.).

As per claim 7, the combination of Stein, Chang and Rosiello discloses the method of claim 1, further comprising: determining that all websites associated with legitimate URLs included in a portion of the plurality of legitimate URLs listed in a primary listing of legitimate URLs do not exceed the threshold similarity to the extracted content of the website associated with the received URL (Stein, 15: 30-35,  If the content risk score does not exceed the maliciousness risk score threshold, then the URL has a reasonable likelihood of containing benign content, therefore, the content classifier system 120 can classify the URL as benign, also see 11:40-55, 13:1-20).
comparing content extracted from the website associated with the received URL with content associated with websites of a portion of the plurality of legitimate URLs listed in a secondary listing of legitimate URLs, wherein the first legitimate URL is included in the secondary listing of legitimate URLs (Stein, 16:35-67, URL classifier system 110 can send the URL and/or URL risk score to content classifier system 120 for further analysis… If the URL risk score does not exceed the URL risk score threshold, then the URL has a reasonable likelihood of containing benign content)

As per claim 8, the combination of Stein, Chang and Rosiello discloses the method of claim 7, further comprising identifying a primary characteristic of the extracted content of the website associated with the received URL (Stein, 11:40-55, 13:1-20, 15: 30-35), 
identifying each legitimate URL included in the secondary listing of legitimate URLs whose associated website includes characteristics matching the primary characteristic (Stein, 16:35-67, URL classifier system 110 can send the URL and/or URL risk score to content classifier system 120 for further analysis… If the URL risk score does not exceed the URL risk score threshold, then the URL has a reasonable likelihood of containing benign content).
Stein does not explicitly disclose however in the same field of endeavor, Chang discloses wherein said redirecting the browser application to the first legitimate URL is based on determining that the bid associated with the first legitimate URL is greater than any bids of the other legitimate URLs included in the secondary listing of legitimate URLs whose associated websites include characteristics matching the primary characteristic (Chang, 7:4-26, … expected value to the online system 140 of presenting the content from the content item may be determined by multiplying the bid amount by a probability of the content of the content item being accessed by a user). The motivation regarding the obviousness of claim 1 is also applied to claim 8.
As per claim 9, the combination of Stein, Chang and Rosiello discloses the method of claim 1, further comprising: generating analytics that quantify the user interactions with one of the received URL and the first legitimate URL (Stein, 5:52-60, URL frequency distribution data may be stored for each value of n and/or for each URL component. By comparing the n-stem for a URL component against the previously -stored n-stem frequency distribution data, feature extraction logic 112 is able to determine an n-stem score URL feature that indicates the frequency with which a particular n-stem appears in one or more URL components in a set of benign reference URLs.).
Stein does not explicitly disclose however in the same field of endeavor, Chang discloses recording, by the browser extension, user interactions with one of the received URL and the first legitimate URL (Chang, 8:27-50, 7:40-50, also see 2:25-35).  The motivation regarding the obviousness of claim 1 is also applied to claim 9.

As per claim 10, the combination of Stein, Chang and Rosiello discloses the method of claim 9, wherein the analytics include at least one of: a number of URL requests received, a number of instances that the browser application was redirected from any received URL to a legitimate URL, a number of instances in which the browser application was redirected to any legitimate URL listed on a primary listing of legitimate URLs, and a number of instances in which the browser application was redirected to any legitimate URL listed on a secondary listing of legitimate URLs. (Chang, 11:35-67, also see 14:28-56). The motivation regarding the obviousness of claim 1 is also applied to claim 10.

As per claim 11, the combination of Stein, Chang and Rosiello discloses the method of claim 1, wherein the browser extension operating in the browser application is configured to execute on a smartphone (Chang, 3:24-45).  The motivation regarding the obviousness of claim 1 is also applied to claim 11.

As per claim 12, Stein discloses a non-transitory computer-readable storage medium storing a browser extractor that comprises computer program instructions, the computer program instructions when executed by a processor causing the processor to: receive a uniform resource locator (URL); obtain information indicating that the received URL is a counterfeit URL (10:38-50, 2:46-60; URL features extracted from the selected URL in order to analyze the one or more URL features of the selected URL and determine a URL risk score based on its analysis of the one or more features);
extract content from a webpage associated with the received URL and from webpages associated with each of a plurality of legitimate URLs associated with legitimate entities (16:54-67, 15:28-34; FIG. 4B. …If the URL risk score does not exceed the URL risk score threshold, then the URL has a reasonable likelihood of containing benign content);
compare the extracted content from the webpage associated with the received URL and the extracted content from the webpages associated with each of the plurality of legitimate URLs to identify a first legitimate URL included in the plurality of legitimate URLs whose associated webpage has a similarity to the content of the webpage associated with the received URL that exceeds a threshold similarity (16:54-67, 10:55-60,15:28-34; FIG. 4B. If the URL risk score does not exceed the URL risk score threshold, then the URL has a reasonable likelihood of containing benign content., also see 3:1-15, 8:45-67).
Stein does not explicitly disclose however in the same field of endeavor, Chang discloses redirect a browser application to the first legitimate URL based on identifying the first legitimate URL (11:1-29, detection model 250 is a score indicating a likelihood that the base URL or website that returned the redirect URLs performs cloaking. For example, if the score is greater than a threshold value, the website is determined to perform cloaking, and if the score is less than the threshold, the website is determined not to perform cloaking).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Stein with the teaching of Chang by including the feature of redirecting, in order for Stein’s system to maintaining privacy of the user. The URL logs received from the mobile devices allow the online system to assess a webpage's behavior and detect cloaking by the URL or website. The use of URL redirect logs also maintains privacy of the user because it does not involve transmitting any personal data of the user to the online system. In addition to maintaining privacy, transmitting a URL log involves a relatively small amount of data transfer between a mobile device and the online system (Chang, 2:27-34).
Stein and Stein do not explicitly disclose however in the same field of endeavor, Rosiello discloses a browser extension, additionally Rosiello discloses Similarity assessment of two websites (section 3.1, 3.2).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Stein/ Chang with the teaching of Rosiello by including the feature of a browser extension, in order for Stein’s system to preventing identity theft. In this paper, we present an extension of our system (called DOMAntiPhish) that mitigates the shortcomings of our previous system. In particular, our novel approach leverages layout similarity information to distinguish between malicious and benign web pages. This makes it possible to reduce the involvement of the user and significantly reduces the false alarm rate. Our experimental evaluation demonstrates that our solution is feasible in practice (Rosiello, abstract, section 1).

As per claim 13, the combination of Stein, Chang and Rosiello discloses the non-transitory computer-readable storage medium of claim 12, wherein the computer program instructions, when executed by the processor, further cause the processor to: compare the received URL with a listing of known counterfeit URLs (Stein, 5:32-50, also see 6:52-60); and 
transmit the extracted content of the webpage associated with the received URL to a counterfeit URL detection system configured to analyze the extracted content based on failing to match the received URL with any known counterfeit URL listed on the listing of known counterfeit URLs, wherein said obtaining information includes receiving an assessment from the counterfeit URL detection system indicating that the received URL is counterfeit (Stein, 17:35-60, also see 18:14-35).
As per claim 14, the combination of Stein, Chang and Rosiello discloses the computer program instructions, when executed by the processor, further cause the processor to: identify no legitimate URL, included in a listing of known legitimate URLs that have subscribed to receive redirected browser extensions, that has an associated webpage having a similarity to the extracted content of the webpage associated with the received URL that exceeds the threshold similarity (Stein, 15: 30-35,  If the content risk score does not exceed the maliciousness risk score threshold, then the URL has a reasonable likelihood of containing benign content, therefore, the content classifier system 120 can classify the URL as benign, also see 11:40-55, 13:1-20) and
inspect extracted content from webpages associated with legitimate URLs included in a secondary listing of legitimate URLs, wherein the first legitimate URL is included in the secondary listing of legitimate URLs (Stein, 16:35-67, URL classifier system 110 can send the URL and/or URL risk score to content classifier system 120 for further analysis… If the URL risk score does not exceed the URL risk score threshold, then the URL has a reasonable likelihood of containing benign content).
As per claim 15, the combination of Stein, Chang and Rosiello discloses the non-transitory computer-readable storage medium of claim 12, wherein the computer program instructions, when executed by the processor, further cause the processor to: generate analytics that quantify the user behaviors and interactions with the received URL and the first legitimate URL; and display the analytics on a webpage (Stein, 5:52-60, URL frequency distribution data may be stored for each value of n and/or for each URL component. By comparing the n-stem for a URL component against the previously -stored n-stem frequency distribution data, feature extraction logic 112 is able to determine an n-stem score URL feature that indicates the frequency with which a particular n-stem appears in one or more URL components in a set of benign reference URLs.).
Stein does not explicitly disclose however in the same field of endeavor, Chang discloses record, by the browser extension, user behaviors and interactions with the received URL and the first legitimate URL (Chang, 8:27-50, 7:40-50, also see 2:25-35).  The motivation regarding the obviousness of claim 13 is also applied to claim 15.

As per claim 16, Stein discloses a method comprising receiving a request to access a webpage associated with a requested uniform resource locator (URL) at a browser extractor operating in a browser application on a user device (Stein, 10:38-50, 2:46-60; URL features extracted from the selected URL in order to analyze the one or more URL features of the selected URL and determine a URL risk score based on its analysis of the one or more features. URL risk score represents a risk value associated with the selected URL that the selected URL contains malicious content);
determining that content extracted from a webpage associated with a legitimate URL has a similarity to content extracted from the webpage associated with the requested URL that exceeds a threshold similarity (16:54-67, 15:28-34; FIG. 4B. If the URL risk score does not exceed the URL risk score threshold, then the URL has a reasonable likelihood of containing benign content., also see 3:1-15, 8:45-67); 
generating one or more analytics based on the recorded interactions (Stein, 5:52-60, URL frequency distribution data may be stored for each value of n and/or for each URL component. By comparing the n-stem for a URL component against the previously -stored n-stem frequency distribution data, feature extraction logic 112 is able to determine an n-stem score URL feature that indicates the frequency with which a particular n-stem appears in one or more URL components in a set of benign reference URLs.).
Stein does not explicitly disclose however in the same field of endeavor, Chang discloses applying a first model to content extracted from the webpage, the first model trained to output an assessment indicating that the requested URL is counterfeit (Chang, 10:60-67, 11:1-35) 
redirecting the browser application from the requested URL to the legitimate URL based on the exceeded threshold similarity (11:1-29, detection model 250 is a score indicating a likelihood that the base URL or website that returned the redirect URLs performs cloaking. For example, if the score is greater than a threshold value, the website is determined to perform cloaking, and if the score is less than the threshold, the website is determined not to perform cloaking); 
recording interactions between the user device and the requested URL and the legitimate URL (Chang, 8:27-50, 7:40-50, also see 2:25-35).  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Stein with the teaching of Chang by including the feature of redirecting, in order for Stein’s system to maintaining privacy of the user. The URL logs received from the mobile devices allow the online system to assess a webpage's behavior and detect cloaking by the URL or website. The use of URL redirect logs also maintains privacy of the user because it does not involve transmitting any personal data of the user to the online system. In addition to maintaining privacy, transmitting a URL log involves a relatively small amount of data transfer between a mobile device and the online system (Chang, 2:27-34).
Stein and Stein do not explicitly disclose however in the same field of endeavor, Rosiello discloses a browser extension, additionally Rosiello discloses Similarity assessment of two websites (section 3.1, 3.2).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Stein/ Chang with the teaching of Rosiello by including the feature of a browser extension, in order for Stein’s system to preventing identity theft. In this paper, we present an extension of our system (called DOMAntiPhish) that mitigates the shortcomings of our previous system. In particular, our novel approach leverages layout similarity information to distinguish between malicious and benign web pages. This makes it possible to reduce the involvement of the user and significantly reduces the false alarm rate. Our experimental evaluation demonstrates that our solution is feasible in practice (Rosiello, abstract, section 1).

As per claim 17, the combination of Stein, Chang and Rosiello discloses the method of claim 16, wherein the analytics include at least one of: a number of URL requests received, a number of instances that the browser application was redirected from any requested URL to a legitimate URL, a number of instances in which the browser application was redirected to any legitimate URL listed on a primary listing of legitimate URLs, and a number of instances in which the browser application was redirected to any legitimate URL listed on a secondary listing of legitimate URLs. (Chang, 11:35-67, also see 14:28-56). The motivation regarding the obviousness of claim 16 is also applied to claim 17.

As per claim 18, the combination of Stein, Chang and Rosiello discloses the method of claim 16, wherein the extracted content of any of the webpage associated with the requested URL and the webpage associated with the legitimate URL comprises at least one of: an object detected in an image extracted from the webpage, text extracted from the webpage, a hypertext transfer protocol (HTTP) request header or body, and an HTTP response header or body (Stein, 4:45-60).

As per claim 19, the combination of Stein, Chang and Rosiello discloses the method of claim 16, further comprising: displaying a social engineering module on the user device, the social engineering module providing instructions to identify legitimate URLs and avoid counterfeit URLs (Stein, 5:52-60, URL frequency distribution data may be stored for each value of n and/or for each URL component. By comparing the n-stem for a URL component against the previously -stored n-stem frequency distribution data, feature extraction logic 112 is able to determine an n-stem score URL feature that indicates the frequency with which a particular n-stem appears in one or more URL components in a set of benign reference URLs.).
Stein does not explicitly disclose however in the same field of endeavor, Chang discloses determining, from the recorded interactions, that a number of instances in which the browser application was redirected from a requested URL to a legitimate URL exceeds a threshold number (Chang, 8:27-50, 7:40-50, also see 2:25-35).   The motivation regarding the obviousness of claim 16 is also applied to claim 19.
As per claim 20, the combination of Stein, Chang and Rosiello discloses the method of claim 16, further comprising:  implementing a training module on the user device, the training module providing a series of instructions to train a user to identify legitimate URLs and avoid counterfeit URLs, wherein the training module tracks a progression of the user through the series of instructions (Stein, 5:52-60, URL frequency distribution data may be stored for each value of n and/or for each URL component. By comparing the n-stem for a URL component against the previously -stored n-stem frequency distribution data, feature extraction logic 112 is able to determine an n-stem score URL feature that indicates the frequency with which a particular n-stem appears in one or more URL components in a set of benign reference URLs.).
Stein does not explicitly disclose however in the same field of endeavor, Chang discloses determining, from the recorded interactions, that a number of instances in which the browser application was redirected from a requested URL to a legitimate URL exceeds a threshold number (Chang, 8:27-50, 7:40-50, also see 2:25-35).   The motivation regarding the obviousness of claim 16 is also applied to claim 20.

6.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure as the prior art discloses many of the claim features (See PTO-form 892). 
	a).	US Patent Application No. 20150067853 to Amrutkar et al., disclosed technology includes techniques for identifying malicious mobile electronic documents, e.g., webpages or emails, based on static document features. The static features may include mobile-specific features, such as mobile web API calls, hosted mobile-specific binaries, noscript content, or misleading URL tokens visible on a mobile-specific interface. The static features may instead or also include various JavaScript (JS) features, HTML features, and URL features detected in numbers outside ranges expected for desktop electronic documents. These features may be used with machine learning techniques to classify benign and malicious documents in real time.

b).	US Patent Application No. 20180115584 to Alhumaisan et al., discloses generally relates to information security and, more particularly, to systems and methods implementing color image ray transform (IRT) for detecting phishing web pages. A focus is comparing the features of a questionable website to features of a legitimate website. Detection of a phishing website using color IRT includes: requesting access, on at least one computing device, to a web page having a Universal Resource Locator (URL); comparing, using the at least one computing device, the URL of the requested web page to a reference URL within a database stored in a memory; determining, using the at least one computing device, that the URL of the requested web page matches the reference URL; and generating, using the at least one computing device, a message that the web page is legitimate when there is a match between the URL of the requested web page and the reference URL.

Conclusion
7.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to HARUNUR RASHID whose telephone number is (571)270-7195.  The examiner can normally be reached on 9 AM to 5PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni A. Shiferaw can be reached on (571) 272-3867.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


HARUNUR . RASHID
Primary Examiner
Art Unit 2497


/HARUNUR RASHID/Primary Examiner, Art Unit 2497