Prosecution Insights
Last updated: April 19, 2026
Application No. 17/368,196

Phishing Detection Method And System

Final Rejection §103 §112
Filed: Jul 06, 2021
Examiner: ZOUBAIR, NOURA
Art Unit: 2434
Tech Center: 2400 — Computer Networks
Assignee: Pixm
OA Round: 4 (Final)
Grant Probability: 72% (Favorable)
OA Rounds: 5-6
To Grant: 2y 11m
With Interview: 99%

Examiner Intelligence

Grants 72% — above average
Career Allow Rate: 72% (256 granted / 353 resolved), +14.5% vs TC avg
Strong +62% interview lift
Interview Lift: +61.8% (resolved cases with interview)
Typical timeline: 2y 11m Avg Prosecution, 17 currently pending
Career history: 370 Total Applications across all art units

Statute-Specific Performance

§101: 7.5% (-32.5% vs TC avg)
§103: 50.2% (+10.2% vs TC avg)
§102: 9.3% (-30.7% vs TC avg)
§112: 16.0% (-24.0% vs TC avg)
Based on career data from 353 resolved cases

Office Action

§103 §112
Detailed Action

-Claims 1, 17 and 21 are amended.
-Objection to Figures 3A-3D is withdrawn based on the corrected figures.
-Rejection under 112(b) of claims 17-20 is withdrawn based on the amendments.
-Claims 1-22 are pending.

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Drawings

Figures 3E and 3F are objected to because the newly filed figures are still blurry and unclear. Please submit legible replacement figures.

Response to Arguments

Applicant’s Remarks filed on 11/26/2025 have been considered.

-With respect to the argument regarding claims 1 and 21 that Everton does not teach “without segmentation”, this argument is not persuasive. Note that these claims are now rejected under 112(a) for lack of written description support for that feature, however even if support for the amended feature is provided, Everton paragraph 0014 only provides examples of machine vision techniques that may be used but are not necessarily required: such as stitching/registration, filtering, thresholding, pixel counting, segmentation, edge detection, color analysis, blob detection and extraction, neural net/deep learning pattern recognition, optical character recognition. Therefore, these techniques are provided as options but not as requirements.

-With respect to the argument regarding claims 10-11 and 13-14, it is not persuasive because matching does teach resemblance or similarity. Also note that matching may be full or partial.

-With respect to the argument regarding claims 15-16, the argument is not persuasive. It is clear from the cited paragraph [0050] configured to warn the user that he or she may be about to submit a password intended for another website to this website, which may not be the intended website (facebook.com in this example) that Goutal is comparing the domain associated with the webpage to the domains approved for the password.

-With respect to the argument regarding claims 17-19, the argument is not persuasive. Vandervort para.0074, cited in the rejection of claim 17, teaches that the trusted third party 130 could then take responsibility for generating a key and a digital signature associated with the email, and forwarding all three data items to recipient 120. Therefore, the trusted third party, depicted in Fig.3 as being a remote facility, does generate and store the sender hash at a remote storage facility as recited in claim 17.

Claim Rejections - 35 USC § 112

The following is a quotation of the first paragraph of 35 U.S.C. 112(a):

(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

Claims 1-9 and 21 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. Claims 1 and 21 were amended to recite “without segmentation” however the specification does not provide support for excluding segmentation. Claims 8-9 depend on claim 1 and therefore they inherit this rejection.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C.
103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 4-6, 8 and 21-22 are rejected under 35 U.S.C. 103 as being unpatentable over Everton (US Pub.2018/0234368) based on its priority from Provisional Application No.62/459863 filed on 2/16/2017 in view of Koch et al, “Siamese Neural Networks for One-shot Image Recognition”, Proceedings of the 32nd International Conference on Machine Learning, Lille-France, 2015 JMLR:W&CP, vol.37.

Re Claim 1. Everton discloses a method of detecting a phishing event, comprising: by a processor and a memory with computer code instructions stored thereon, the memory operatively coupled to the processor such that, when executed by the processor, the computer code instructions cause the system to implement: acquiring an image of visual content rendered in association with a source, and identifying a domain of the source (i.e. FIG. 2 is an example email message 202 where the content of the MAIL FROM field in the SMTP envelope 220 is sender@txdomain.com, the content of the "from" message header is alias@aliasdomain.com, the content of the RCPT TO field in the SMTP envelope 220 is user@rxdomain.com, and the content of the "to" message header is alias@aliasdomain.com. The message body 222 of the email message 202 comprises image 214, text 216, and image 218. Each of the images may be a CID embedded image (via an <img src=cid . . . 
> tag), a BASE64 inline embedded image, or a remote linked image (via an <img src=http:// . . . > tag)) [Everton, para.0016, provisional para.0014]; performing an object detection operation, using an object detection [CNN convolutional neural network], on one or more brand logos located within the visual content, to detect an instantiation of one or more targeted brands without segmentation regardless of arrangement of the visual content; determining, based on the object detection operation, that at least a portion of the visual content resembles content of a candidate brand (i.e. The brand recognizer 204 is operable to analyze email content (e.g., the visible body text, the raw HTML, embedded images, linked-to images, and/or attachments) in combination with brand content database 205 to detect whether an email purports to be associated with a particular brand. The brand content database 205 may comprise known-good (e.g., known to be malware free and from a trustworthy sender) and/or known-bad (e.g., known to be associated with a phishing scam) content associated with various brands (e.g., banks, shippers, retailers, and/or any other brand which may be used as part of a phishing scam). In an example implementation, the database 205 stores logos and/or other images or design marks associated with particular brands, and the brand recognizer 204 is operable to analyze images in emails to detect images that are associated with particular brands. Images stored may, for example, be stored in the database 205 in the form of an image file (e.g., of any suitable image format such as bitmap, jpeg, svg, etc.), or in the form of a hash of an image file) [Everton, para.0014, provisional para.0012], (i.e. 
The brand recognizer 204 may use “machine vision” techniques such as stitching/registration, filtering, thresholding, pixel counting, segmentation, edge detection, color analysis, blob detection and extraction, neural net/deep learning pattern recognition, optical character recognition); comparing the domain of the source with one or more authorized domains of the candidate brand (i.e. the additional processing may comprise comparing all URLs in the email 202 to URLs on a whitelist and/or blacklist in the database) [Everton, para.0026, provisional para.0026]; and declaring a phishing event when the comparing indicates that the domain of the source is not one of the authorized domains of the candidate brand (i.e. Where a brand has multiple domains, the database 207 may have this information for the multiple domains. If the lookup reveals that sender@txdomain.com is authorized to send emails on behalf of BRAND and/or the email message 202 was sent from an IP address authorized to send on behalf of BRAND, then the message 202 may be routed to the mailbox 210 of user@rxdomain.com. On the other hand, if the lookup reveals that sender@txdomain.com is not authorized to send emails on behalf of BRAND and/or the email message 202 was sent from an IP address not authorized to send on behalf of BRAND, then the message 202 may be routed to the quarantine 212……………………………….when the email message 202 is delivered to the quarantine 212, a network administrator may be alerted so that the network administrator can inspect the email to confirm that it was a phishing email) [Everton, para.0017-0018, provisional para.0015-0016]. Everton does not explicitly disclose whereas Koch does that object detection is specifically: a convolutional neural network (CNN) (i.e. 
we employ large siamese convolutional neural networks which are capable of learning generic image features useful for making predictions about unknown class distributions even when very few examples from these new distributions are available ……………. develop a model for one-shot image classification, we aim to first learn a neural network that can discriminate between the class-identity of image pairs, which is the standard verification task for image recognition) [Koch, p.2, col.1, section 1]. It would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify Everton with Koch because it can outperform all available baselines by a significant margin and come close to the best numbers achieved by the previous authors. We have argued that the strong performance of these networks on this task indicate not only that human-level accuracy is possible with our metric learning approach, but that this approach should extend to one-shot learning tasks in other domains, especially for image classification [Koch, p.7, Conclusion].

Re Claim 2. Everton in view of Koch discloses the method of claim 1, Everton further discloses: wherein the source is a uniform resource locator (URL), and the visual content originates from an entity associated with the URL (i.e. FIG. 2 is an example email message 202 where the content of the MAIL FROM field in the SMTP envelope 220 is sender@txdomain.com, the content of the "from" message header is alias@aliasdomain.com, the content of the RCPT TO field in the SMTP envelope 220 is user@rxdomain.com, and the content of the "to" message header is alias@aliasdomain.com. The message body 222 of the email message 202 comprises image 214, text 216, and image 218. Each of the images may be a CID embedded image (via an <img src=cid . . . > tag), a BASE64 inline embedded image, or a remote linked image (via an <img src=http:// . . . > tag)) [Everton, para.0016, provisional para.0014], (i.e. 
the determination of whether the email message 202 contains content associated with any brand in the brand database 205 may be based on whether the email 202 contains any URL that is sufficiently similar to a URL in the brand content database 205 ) [Everton, para.0022].

Re Claim 4. Everton in view of Koch discloses the method of claim 1, Everton further discloses: wherein the object detection is performed as a first agent, and the remaining steps are performed as a second agent [Everton, Fig.2, where brand recognizer 204 is mapped to a first agent, and remaining components are mapped to a second agent].

Re Claim 5. Everton in view of Koch discloses the method of claim 4, Everton further discloses: wherein the first agent is configured to operate on a first hardware platform, and the second agent is configured to operate on a second hardware platform (i.e. As used herein, for example, a particular processor and memory may comprise a first "circuit" when executing a first one or more lines of code and may comprise a second "circuit" when executing a second one or more lines of code) [Everton, para.0035].

Re Claim 6. Everton in view of Koch discloses the method of claim 2, Everton further discloses: further comprising, upon declaring a phishing event, displaying an indication of one or more of (i) relevant logo, (ii) brand detection, (iii) authorized domain associated with the detected brand, (iv) domain detected as being associated with the detected brand, (v) domain detected as being associated with the URL, and (vi) notification as to a mismatch between the domain detected as being associated with the detected brand and the domain detected as being associated with the URL (i.e. 
Where the matching image in the brand content database is associated with a particular brand, the additional analysis may comprise checking all URLS in the email message against a whitelist and/or blacklist of domains and/or URLs associated with the particular brand in a brand content database and/or brand senders database………………………………….The processing circuitry is operable to determine, based on one or more records of the database (e.g., 402 and/or 404), that the detected image is associated with a particular brand, and process the email message based on whether one or more characteristics of the email message are associated with the particular brand in the database (e.g., in record 404). The one or more characteristics of the email message may comprise one or more of: sender domain, sender subdomain, and sender IP address. …………………..The processing of the email message may comprise an insertion of warning text and/or image in the email message if the one or more characteristics of the email message are not associated with the particular brand in the database) [Everton, para.0033-0034].

Re Claim 8. Everton in view of Koch discloses the method of claim 1, Everton further discloses: wherein the source is an email agent configured to compile and communicate email content (i.e. 
The system comprises an email processing backend 116 and a mail user agent (MUA) 112 communicatively coupled via one or more network(s) 150 (e.g., a local area network (LAN) and/or a wide area network (WAN) such as the Internet…… For purposes of illustration, it is assumed the MTA 116 handles email for the domain rxdomain.com, and the MUA is for User@txdomain.com (i.e., a user on a different domain)……The email processing circuitry 118 is operable to process emails (e.g., parse/analyze and/or modify text and/or images in email body and/or attachments) received from the MTA 126, route the processed emails to appropriate locations in the database 124 (e.g., user mailboxes and/or quarantine), generate emails to be sent via the MTA 126) [Everton, para.0008-0012], and the visual content is at least a part of the email content (i.e. brand recognizer 204 is operable to analyze email content (e.g., the visible body text, the raw HTML, embedded images, linked-to images, and/or attachments) in combination with brand content database 205 to detect whether an email purports to be associated with a particular brand) [Everton, para.0014].

Re Claim 9. Everton in view of Koch discloses the method of claim 8, Everton further discloses: comprising, upon declaring a phishing event, displaying an indication of one or more of (i) a notification that an address of the email content does not match a sender domain and (ii) an indication of an identified target brand (i.e. 
Where the matching image in the brand content database is associated with a particular brand, the additional analysis may comprise checking all URLS in the email message against a whitelist and/or blacklist of domains and/or URLs associated with the particular brand in a brand content database and/or brand senders database………………………………….The processing circuitry is operable to determine, based on one or more records of the database (e.g., 402 and/or 404), that the detected image is associated with a particular brand, and process the email message based on whether one or more characteristics of the email message are associated with the particular brand in the database (e.g., in record 404). The one or more characteristics of the email message may comprise one or more of: sender domain, sender subdomain, and sender IP address. …………………..The processing of the email message may comprise an insertion of warning text and/or image in the email message if the one or more characteristics of the email message are not associated with the particular brand in the database) [Everton, para.0033-0034].

Re Claim 21. 
In a manner similar to the rejection of claim 1, Everton in view of Koch discloses a non-transitory computer-readable medium with computer code instruction stored thereon, the computer code instructions, when executed by a processor, cause an apparatus to: acquire an image of visual content rendered in association with a source, and identifying a domain of the source; perform an object detection operation, using an object detection convolutional neural network (CNN), on one or more brand logos located within the visual content, to detect an instantiation of one or more targeted brands without segmentation and regardless of arrangement of the visual content; determine, based on the object detection operation and the spatial analysis, that at least a portion of the visual content resembles content of a candidate brand; compare the domain of the source with one or more authorized domains of the candidate brand; and declare a phishing event when the comparing indicates that the domain of the source is not one of the authorized domains of the candidate brand. Everton further discloses: perform a spatial analysis of the visual content (i.e. Criteria for an image match may be the image having a threshold number of features (e.g., corners, blobs, edges, ridges, color histograms, histograms of oriented gradients, text, and/or the like.) in common with an image associated with the brand in the brand database 205) [Everton, para.0022, provisional 0020] to identify one or more solicitations of personally identifiable information (PII) (i.e. The brand content database 205 may comprise known-good (e.g., known to be malware free and from a trustworthy sender) and/or known-bad (e.g., known to be associated with a phishing scam)) [Everton, para.0014, note: by definition, phishing is solicitation for PII, see definition provided in background of the instant application para.0002]; The same motivations to modify Everton with Koch, as in claim 1, applies.

Re Claim 22. 
In a manner similar to the rejection of claim 10, Everton discloses a non-transitory computer-readable medium with computer code instruction stored thereon, the computer code instructions, when executed by a processor, cause an apparatus to: acquire an image of rendered visual content; generate image coordinates associated with an action triggered by a user click on the image, cropping a region of the image according to the coordinates to form a cropped region, Everton further discloses: and identifying a domain corresponding to a final terminus associated with the triggered action (i.e. the determination of whether the email message 202 contains content associated with any brand in the brand database 205 may be based on whether the email 202 contains any URL that is sufficiently similar to a URL in the brand content database 205) [Everton, para.0022]; In a manner similar to the rejection of claim 10, Everton in view of Koch further discloses: perform an object detection operation, using an object detection convolutional neural network (CNN), on the cropped region of the image to detect a brand logo located within the region; determine, based on the object detection operation, that the detected brand logo resembles content of a candidate brand; compare a characteristic associated with the triggered action, with one or more authorized characteristics associated with the candidate brand; and declare a phishing event when the comparing indicates that the domain of the embedded link is not one of the authorized domains of the candidate brand. The same motivation to modify Everton with Koch, as in claim 10, applies.

Claims 3 and 7 are rejected under 35 U.S.C. 103 as being unpatentable over Everton in view of Koch, as applied to claims 1-2, further in view of Prakash (US Pub. No. 2016/0014151).

Re Claim 3. 
Everton in view of Koch discloses the method of claim 2, Everton in view of Koch does not explicitly disclose whereas Prakash does: further comprising determining that the visual content includes personally identifiable information (i.e. comparing the recipient background information to the message characteristic at 440 and using the results of the comparison to influence the likelihood of the received message being a phishing message at 450) [Prakash, para.0100], (i.e. "recipient background information" comprises information associated with a recipient such as but not limited to third party authentication credentials for online social networks, access rights or authentication tokens to access online social networks on behalf of a recipient for the recipient or others associated with the recipient such as other people who may work or study at the same establishment as the recipient, information taken from an online social network, patterns, profiles, messages posted on the social network to the recipient or to others, message characteristics, message content or any information obtained or derived from such information) [Prakash, para.0061]. It would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify Everton-Koch with Prakash because if one email contained a URL to a phishing site listed in threat intelligence data it would be determined to be bad and the organization would be notified that the email they had received was a phishing message [Prakash, para.0222].

Re Claim 7. Everton in view of Koch discloses the method of claim 1, Everton further discloses: further comprising performing a visual fingerprinting of the image of visual content by generating a visual hash of the visual content (i.e. 
The record 402 indicates that the image URL www.brand.com/image1 is associated with BRANDX, and that an image with the signature "fa21hk w%&w2e" (e.g., generated with a hashing algorithm) is associated with BRANDX) [Everton, para.0023, provisional .0012], Everton in view of Koch does not explicitly disclose whereas Prakash does: and comparing the generated visual hash to one or more hashes of known phishing examples (i.e. the step of comparing the metadata for the new received message to a threat intelligence data to determine if the new received message is a potentially dangerous message comprises at least one of…………….comparing a digital hash code representation associated with the new received message with a digital hash code representation in the updated threat intelligence data; comparing any of a message characteristic associated with the new received message with a message characteristic reported in the updated threat intelligence data; comparing a filename, a file size or a digital hash code associated with attachments included with the new received message with a digital hash code in the updated threat intelligence data) [Prakash, para.0210], and declaring a phishing event when the generated visual hash matches at least one of the hashes of known phishing examples (i.e. flagging new received message messages as new phishing messages if the received message has a set of message characteristics matching the set indicative of phishing messages) [Prakash, para.0086]. It would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify Everton-Koch with Prakash because if one email contained a URL to a phishing site listed in threat intelligence data it would be determined to be bad and the organization would be notified that the email they had received was a phishing message [Prakash, para.0222].

Claims 10-11 and 13-14 are rejected under 35 U.S.C. 
103 as being unpatentable over Everton in view of Wang et al (CN 106446617), and further in view of Koch.

Re Claim 10. Everton discloses a method of detecting a phishing event, comprising: by a processor and a memory with computer code instructions stored thereon, the memory operatively coupled to the processor such that, when executed by the processor, the computer code instructions cause the system to implement: acquiring an image of rendered visual content (i.e. FIG. 2 is an example email message 202 where the content of the MAIL FROM field in the SMTP envelope 220 is sender@txdomain.com, the content of the "from" message header is alias@aliasdomain.com, the content of the RCPT TO field in the SMTP envelope 220 is user@rxdomain.com, and the content of the "to" message header is alias@aliasdomain.com. The message body 222 of the email message 202 comprises image 214, text 216, and image 218. Each of the images may be a CID embedded image (via an <img src=cid . . . > tag), a BASE64 inline embedded image, or a remote linked image (via an <img src=http:// . . . > tag)) [Everton, para.0016, provisional para.0014]; Everton does not explicitly disclose whereas Wang does: generating image coordinates associated with an action triggered by a user click on the image (i.e. when the client requests to access the initial static picture PIC INIT at the mouse click position of the linking, the reference chart shown in FIG. 2, the specific method is as follows) [Wang, page 3], cropping a region of the image according to the coordinates to form a cropped region (i.e. the server according to the mouse click position coordinate to obtain the coordinate area, then the coordinate area corresponding link address that points to the page analysis generates a new picture to be access to the static PIC-EXE, extracting the page coordinate region set ListArea) [Wang, page 3]. 
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify Everton with Wang can effectively prevent unauthorized page, ….. preventing virus, preventing the phishing website [Wang, Abstract]. Everton further discloses: and identifying a characteristic corresponding to a final terminus associated with the triggered action (i.e. The brand recognizer 204 is operable to analyze email content (e.g., the visible body text, the raw HTML, embedded images, linked-to images, and/or attachments)in combination with brand content database 205 to detect whether an email purports to be associated with a particular brand.………………..the database 205 stores logos and/or other images or design marks associated with particular brands, and the brand recognizer 204 is operable to analyze images in emails to detect images that are associated with particular brands. Images stored may, for example, be stored in the database 205 in the form of an image file (e.g., of any suitable image format such as bitmap, jpeg, svg, etc.), or in the form of a hash of an image file. Images stored in the database 205 may be authorized or known-good (i.e., images that are known to be legitimate images from the brand), and/or may be unauthorized or known-bad (e.g., images that are known to be forgeries or unauthorized copies)) [Everton, para.0014]; performing an object detection operation, using an object detection [CNN convolutional neural network], on the cropped region of the image to detect a brand logo located within the region; determining, based on the object detection operation, that the detected brand logo resembles content of a candidate brand (i.e. the database 205 stores logos and/or other images or design marks associated with particular brands, and the brand recognizer 204 is operable to analyze images in emails to detect images that are associated with particular brands) [Everton, para.0014], (i.e. 
perform feature extraction on the detected image(s) and determine whether the image matches any images in a brand content database) [Everton, para.0032]; comparing the characteristic associated with the triggered action, with one or more authorized characteristics associated with the candidate brand (i.e. the additional processing may comprise comparing all URLs in the email 202 to URLs on a whitelist and/or blacklist in the database) [Everton, para.0026, provisional para.0026]; and declaring a phishing event when the comparing indicates that the characteristic associated with the triggered action is not one of the authorized characteristics of the candidate brand (i.e. Where a brand has multiple domains, the database 207 may have this information for the multiple domains. If the lookup reveals that sender@txdomain.com is authorized to send emails on behalf of BRAND and/or the email message 202 was sent from an IP address authorized to send on behalf of BRAND, then the message 202 may be routed to the mailbox 210 of user@rxdomain.com. On the other hand, if the lookup reveals that sender@txdomain.com is not authorized to send emails on behalf of BRAND and/or the email message 202 was sent from an IP address not authorized to send on behalf of BRAND, then the message 202 may be routed to the quarantine 212 ……………………………….when the email message 202 is delivered to the quarantine 212, a network administrator may be alerted so that the network administrator can inspect the email to confirm that it was a phishing email) [Everton, para.0017-0018, provisional para.0015-0016]. Everton in view of Wang does not explicitly disclose whereas Koch teaches that the object detection is specifically: a convolutional neural network (CNN) (i.e. 
we employ large siamese convolutional neural networks which are capable of learning generic image features useful for making predictions about unknown class distributions even when very few examples from these new distributions are available ……………. develop a model for one-shot image classification, we aim to first learn a neural network that can discriminate between the class-identity of image pairs, which is the standard verification task for image recognition) [Koch, p.2, col.1, section 1]. It would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify Everton-Wang with Koch because it can outperform all available baselines by a significant margin and come close to the best numbers achieved by the previous authors. We have argued that the strong performance of these networks on this task indicate not only that human-level accuracy is possible with our metric learning approach, but that this approach should extend to one-shot learning tasks in other domains, especially for image classification [Koch, p.7, Conclusion].

Re Claim 11. Everton in view of Wang and Koch discloses the method of claim 10, Everton further discloses: wherein the triggered action is an activation of an embedded link (i.e. The brand recognizer 204 is operable to analyze email content (e.g., the visible body text, the raw HTML, embedded images, linked-to images, and/or attachments) in combination with brand content database) [Everton, para.0014, implicitly discloses activation of linked-to images], and the characteristics associated with the triggered action and the candidate brand are authorized domain destinations (i.e. Where a brand has multiple domains, the database 207 may have this information for the multiple domains. 
If the lookup reveals that sender@txdomain.com is authorized to send emails on behalf of BRAND and/or the email message 202 was sent from an IP address authorized to send on behalf of BRAND, then the message 202 may be routed to the mailbox 210 of user@rxdomain.com. On the other hand, if the lookup reveals that sender@txdomain.com is not authorized to send emails on behalf of BRAND and/or the email message 202 was sent from an IP address not authorized to send on behalf of BRAND, then the message 202 may be routed to the quarantine 212……………………………….when the email message 202 is delivered to the quarantine 212, a network administrator may be alerted so that the network administrator can inspect the email to confirm that it was a phishing email) [Everton, para.0017-0018, provisional para.0015-0016]. Re Claim 13. Everton in view of Wang and Koch discloses the method of claim 10, Everton further discloses: wherein the object detection is performed by a first agent, and the remaining steps are performed by a second agent [Everton, Fig.2, where brand recognizer 204 is mapped to a first agent, and remaining components are mapped to a second agent]. Re Claim 14. Everton in view of Wang and Koch discloses the method of claim 13, Everton further discloses: wherein the first agent is configured to operate on a first hardware platform, and the second agent is configured to operate on a second hardware platform (i.e. As used herein, for example, a particular processor and memory may comprise a first "circuit" when executing a first one or more lines of code and may comprise a second "circuit" when executing a second one or more lines of code) [Everton, para.0035]. Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Everton in view of Wang and Koch as applied to claim 10, further in view of Prakash (US Pub. No. 2016/0014151). Re Claim 12. 
Everton in view of Wang and Koch discloses the method of claim 10, Everton in view of Koch and Wang does not explicitly disclose whereas Prakash does: wherein the triggered action is an activation of a download event (i.e. Some fake emails contain links that when followed takes the user to a website, which may install malware on the recipient's compute) [Prakash, para.0007], and the characteristics associated with the triggered action and the candidate brand are authorized file formats (i.e. the step of comparing the metadata for the new received message to a threat intelligence data to determine if the new received message is a potentially dangerous message comprises at least one of: ………………………………….comparing a filename, a file size or a digital hash code associated with attachments included with the new received message with a digital hash code in the updated threat intelligence data) [Prakash, para.0210].

It would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify Everton-Wang-Koch with Prakash because Prakash allows changing an original URL of the new received message to a changed URL whereby any clicks to the original URL are redirected through a well-known proxy server; and the step of regularly comparing the metadata for the new received message to an updated threat intelligence data to determine if the new received message is a potentially dangerous message comprises regularly comparing the original URL for the new received message to the updated threat intelligence data [Prakash, para.0212].

Claims 15-16 are rejected under 35 U.S.C. 103 as being unpatentable over Goutal et al (US Pub.2018/00343283).

Re Claim 15. Goutal discloses a method of detecting an unauthorized password event, comprising: by a processor and a memory with computer code instructions stored thereon, the memory operatively coupled to the processor such that, when executed by the processor, the computer code instructions cause the system to implement: receiving a password entered by a user into a webpage password prompt; determining a domain associated with the webpage (i.e. the present password leakage preventing component may capture a password received via an input modality (e.g., keyboard, voice, etc.), as the user attempts to log onto a website. As shown at B202, the domain name of the website may then be checked against the list of trusted websites in the TRUSTED_WEBSITES list. This list may be stored and/or managed by the computing device running the password leakage preventing component according to one embodiment. At block B202, it is determined whether the domain of the website or webpage to which the user is logging onto is present in the TRUSTED_WEBSITES data structure) [Goutal, para.0048];

Goutal does not explicitly disclose: upon receiving the password, halting a submission of the password to a source of the webpage. However, Goutal teaches that upon receiving the password, analysis is performed before deciding whether to send the password to a source of the webpage (i.e. capture every password submitted by the end user; analyze the password and, based on the results of the analysis, either generate and show a warning page or allow the login credentials to be sent to the website) [Goutal, 0031-0032]; Therefore it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify Goutal to include “halting a submission of the password” in order to prevent password leakage as taught by Goutal.

Goutal further discloses: querying a password-domain record for a list of domains approved for the password; comparing the domain associated with the webpage to the domains approved for the password (i.e. If, however, the hash of the password submitted to the website upon logon is present in the TRUSTED_WEBSITES_PASSWORDS data structure ([Yes] branch of B205), a warning may be generated, to alert the user of a potential security risk in submitting the password captured in B201 to the website to which the user is logging on. One example of such a warning is shown in FIG. 3 at 300. The warning may be configured to warn the user that he or she may be about to submit a password intended for another website to this website, which may not be the intended website (facebook.com in this example)) [Goutal, para.0050]; and preventing the password from being sent to the webpage when the domain associated with the webpage does not match one or more of the associated domains (i.e. In the case in which the user clicked the button 302 indicating that the website is unknown, the password captured at B201 is not submitted to the likely fraudulent website, thereby avoiding compromising the user's facebook.com credential) [Goutal, para.0050].

Re Claim 16. Goutal discloses the method of claim 15, Goutal further discloses: wherein the password-domain record comprises at least one of (i) a hash of the password associated with the approved domain (i.e. the List of Passwords May be Stored in TRUSTED_WEBSITES_PASSWORDS data structure, stored on a non-volatile physical memory store such as, for example, a solid-state memory and/or one or more hard disk drives. Each of the passwords stored in the TRUSTED_WEBSITES_PASSWORDS data structure is associated with a trusted website……………the password may be stored as a hash) [Goutal, para.0039-0040]; and (ii) the hash of the password associated with the approved domain, and one or both of: (a) a hash associated with the approved domain, the hash being a hash of the password and the device ID; and (b) a hash associated with the approved domain, the hash being a hash of the password, the device ID, and a domain ID.

Claims 17-19 are rejected under 35 U.S.C. 103 as being unpatentable over Vandervort (US Pub. No. 2013/0166914) in view of Golan (US Pub.No.2017/0359288).

Re Claim 17. Vandervort discloses a method of detecting a phishing event, comprising: by a processor and a memory with computer code instructions stored thereon, the memory operatively coupled to the processor such that, when executed by the processor, the computer code instructions cause the system to implement: sending, by a first user, an email associated with a sender domain; generating a sender hash based on one or more components of the email, and storing the sender hash in a [remote] data storage facility (i.e. sender 110 may generate original content. Original content can refer to any kind of content, information, or data that sender 110 may wish to impart to recipient 120. For example, the original content may be understandable by humans, such as an email message, a document, or an image………. sender 110 may generate a digital signature of the original content (hereinafter, "original digital signature") using the key generated in step 320. For example, sender 110 may generate a digest of the original content using a hashing or other digest algorithm that is capable of mapping an arbitrarily-sized data set to a fixed-size data set in a deterministic manner.
A digital signature may be generated by encrypting the digest using the generated key……sender 110 may store a record in a database (or one or more associated records) that relate the original digital signature to the key used to generate the digital signature and the address of a recipient for whom or for which the original content is intended to be sent) [Vandervort, para.0025-0028] remote data storage facility accessible by at least the first user and a second user (i.e. one or more operations described above could be performed by a trusted third party 130. For example, sender 110 could send a normal email (i.e., without digital signature and key) to trusted third party 130 that is addressed to recipient 120. Trusted third party 130 could then take responsibility for generating a key and a digital signature associated with the email, and forwarding all three data items to recipient 120) [Vandervort, para.0074, Fig. 1, Note: i.e. the third party may be a remote data storage facility accessible by both the sender and the recipient]; receiving, by the second user, the email (i.e. recipient 120 may receive the original message transmitted by sender 110 in step 360) [Vandervort, para.0032]; Although the above embodiment of Vandervort para.0074 indicates that the message sent to the third party by the sender does not include the digital signature, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify Vandervort such that the digital signature/hash generated by the sender is sent with the email to the third party, since Vandervort already discloses in cited embodiments that the sender may generate the digital signature/hash and further suggests that different steps/embodiments may be combined: various steps may be omitted, repeated, combined, or divided, as necessary to achieve the same or similar objectives or enhancements [Vandervort, para.0083]. 
Vandervort does not explicitly disclose whereas Golan does: determining that the sender domain is an accepted organization domain; when the determining establishes that the sender domain is the accepted organization domain, generating (i.e. As used herein, the term “component,” when used with reference to a message, refers to a part of a message that can serve a proof that a message was sent and/or that a message was sent or received. Examples of components can include information regarding one or more of the following: information that identifies at least one participant (e.g., a sender or a recipient of the message); time information associated with the message such as day, date or time that the message was sent or received; information regarding language the message is written in; information regarding protocol used to communicate the message; information regarding subject of the message; information regarding payload of the message; information from the body of the message; information from attachments to the message or information describing attachments to the message; information regarding originating network address of the message) [Golan, para.0024], (i.e. the recipient process 114 of the second message server 112 uses the extracted information to access a corresponding block that is stored at the distributed database system 110, and at 310, selects one or more component(s) from the received message that correspond to the component(s) stored in the corresponding block of the distributed database system 110. At 312, the verification module 116 of the recipient process 114 can determine whether selected component(s) of the received message match the component(s) stored in a corresponding block at the distributed database system 110. 
In one embodiment, the selected component(s) of the received message will be determined to match the component(s) stored in a corresponding block when every component of the received message identically matches the corresponding component(s) stored in the corresponding block. When the verification module 116 determines (at 312) that the selected component(s) of the received message match the component(s) stored in a corresponding block at the distributed database system 110, the verification module 116 can mark the message as “wanted.”……………………………. When the verification module 116 determines (at 316) that one or more of the selected component(s) of the received message partially match the component(s) stored in the corresponding block at the distributed database system 110 (i.e., determines that one or more of the component(s) of the received message do partially match one or more of component(s) that are stored in the corresponding block), then the verification module 116 can perform further processing) [Golan, para.0044-0049]. It would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify Vandervort with Golan because by recording meta information pertaining to the message into a Blockchain during a server-side sending process, including, but not limited to the hash of a legitimate message, and allowing the server-side recipient to verify the recorded information, both senders and recipients can be provided with a secure, and anonymous, method to ensure the integrity of all message communications [Golan, para.0030]. Vandervort in view of Golan further discloses: generating a receiver hash based on the one or more components of the email; retrieving the sender hash from the remote data storage facility (i.e. recipient 120 may receive the original message transmitted by sender 110 in step 360. 
In step 420, recipient 120 may extract the information necessary to confirm the authenticity and integrity of the message. Thus, recipient 120 may extract from the original message the original content, the original digital signature, the key, and the originating address…………….. recipient 120 may verify message integrity by determining whether the original digital signature matches the original content. For example, recipient 120 may attempt to duplicate the steps performed by sender 110 in generating the original digital signature by generating a digest of the original content and encrypting the digest with the received key…………. Recipient 120 may determine whether the received digital signature matches the original content by determining whether the digital signature that recipient 120 generated using the original content and the received key match the received digital signature) [Vandervort, para.0032-0034], (i.e. Trusted third party 130 could then take responsibility for …… forwarding all three data items to recipient 120) [Vandervort, para.0074]; and declaring a [phishing] event when the sender hash does not match the receiver hash (i.e. If the original digital signature does not match the original content (step 430, No), then various reasons may exist for the mismatch………………….a malicious third party may have intercepted the message transmitted by sender 110 and modified the content of the message before transmitting the modified message to recipient) [Vandervort, para.0033-0034]. 
Vandervort and Golan do not explicitly indicate that the malicious event is a phishing event, however Vandervort indicates a malicious event and Golan indicates a spam message [Golan, para.0067], therefore it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify Vandervort in view of Golan to include declaring a phishing event, because phishing is one of a limited number of choices of spam email and therefore it is rendered obvious over Vandervort in view of Golan. Re Claim 18. Vandervort in view of Golan discloses the method of claim 17, Golan further discloses: further comprising upon receiving the email, comparing the sender domain to a receiver domain associated with the receiver, and skipping one or more steps that follow receiving the email when the sender domain is different from the receiver domain (i.e. When the verification module 116 determines (at 516) that none of the selected component(s) of the received email message partially match the component(s) stored in the corresponding block at the distributed database system 110 (i.e., determines that the component(s) of the received email message do not partially match component(s) that are stored in the corresponding block), then the verification module 116 can mark the email message as “spam” at 518, and in some implementations can perform other actions at 520 such as discarding the email message) [Golan, para.0067]. The same motivation to modify with Golan, as in claim 17, applies. Re Claim 19. Vandervort in view of Golan discloses the method of claim 17, Vandervort in view of Golan further discloses: wherein the data storage facility is one of (i) a remote database memory [Vandervort, as in claim 17] and (ii) a distributed data storage ledger, the distributed data storage ledger consisting of a set of nodes that maintain independent records, each of which is validated according to a private consensus procedure (i.e. 
a “transaction” can refer to a message being sent from one computer to another computer. One or more components of a message can be recorded in a block of the blockchain to represent that message being sent. In other words, the one or more components of the message that are recorded into the blockchain serve as information that represents that the message was sent. This information can then be used to verify or prove or represent the fact that message was sent and/or received. After the transaction is recorded, it must then be validated before being added into the blockchain……… a transaction is not added to the blockchain until it is recognized as valid. For a transaction to be added to the block chain, other participants in the given system must approve/validate the transaction. This helps ensure that only valid transactions are added to the blockchain. To validate the transaction, the transaction can be sent (e.g., broadcast) to nodes of other participants who are part of (or belongs to) a given system. Each node can validate a transaction, add it to their copy of the blockchain and then broadcast the addition to other nodes. After a number of those other participants approve or validate the transaction, the transaction can be added to the chain, which provides a record of the transactions existence. This record cannot be tampered with because each of the other participants has a copy) [Golan, para.0028-0029]. The same motivation to modify with Golan, as in claim 17, applies. Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Vandervort (US Pub. No. 2013/0166914) in view of Golan (US Pub. No.2017/0359288) and further in view of Roennow et al (US Pub. No. 2020/0021446). Re Claim 20. 
Vandervort in view of Golan discloses the method of claim 19, Golan further discloses: wherein the data storage facility is a distributed data storage ledger, and further comprising: digitally signing, by the first user [based on a private key of a key pair], the hash header, timestamping the signed hash header, and conveying the signed and timestamped hash header to a leader node in a peer-to-peer network (i.e. the header can include things like the source of the message (or information that identifies who the message is from), the destination (or information that identifies who the message is to), information regarding a protocol used to transport the message, time stamps, etc. The body of the message includes that data that makes up the message itself…………. The blockchain includes a chain of linked blocks that represent a complete transaction history. Each block can store a reference that links that block to a previous block in the chain, a summary of the transaction (e.g., one or more components of a message), a time stamp, and Proof of Work that went into creating the secure block. The reference that links that block to the previous block and to each additional block reinforces those before it. For example, each block can include a hash of the prior block thereby linking the blocks together) [Golan, para.0024-0027]; broadcasting, by the leader node, the signed and timestamped hash header to one or more peer nodes in the peer-to-peer network; verifying, by the one or more peer nodes, the signed and timestamped hash header [by validating the signature and determining that the associated public key belongs to a user in a corresponding organization], and returning a verification result to the leader node; declaring a consensus, by the leader node, based on the received verification result, according to a private consensus procedure; broadcasting, by the leader node, a command to insert the timestamped hash header into a storage ledger of each peer node (i.e. 
To validate the transaction, the transaction can be sent (e.g., broadcast) to nodes of other participants who are part of (or belongs to) a given system. Each node can validate a transaction, add it to their copy of the blockchain and then broadcast the addition to other nodes. After a number of those other participants approve or validate the transaction, the transaction can be added to the chain, which provides a record of the transactions existence) [Golan, para.0028-0029]. The same motivation to modify with Golan, as in claim 17, applies. Vandervort in view of Golan does not explicitly disclose whereas Roennow does: digitally signing ……based on a private key of a key pair (i.e. The public key has a corresponding private key pair that allows signing transactions on the blockchain) [Roennow, para.0149] and verifying….. by validating the signature and determining that the associated public key belongs to a user in a corresponding organization (i.e. the client node transmits a public key of the client node to the server node. In step 332, the server node encrypts the domain public key and the domain certificate information using the public key of the client node to provide encrypted response, and transmits the encrypted response to the client node. In step 333, the client node decrypts the encrypted response using a private key of the client node to generate the domain public key and the domain certificate information, and compares the generated domain certificate information to the domain certificate information received from the domain name node to verify the server node) [Roennow, para.0256].
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify Vandervort in view of Golan with Roennow because any kind of previous trusting problems that could be caused by using a single CA is not a problem anymore since any changes made to the existing domain names and their associated certificates will be verified by the multiple blockchain nodes on the ledger [Roennow, para.0263].

Conclusion

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to NOURA ZOUBAIR whose telephone number is (571)270-7285. The examiner can normally be reached Monday - Friday. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on 571-272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/NOURA ZOUBAIR/ Primary Examiner, Art Unit 2434
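The password check mapped to claims 15-16 above (hold the submission, look up the domains approved for the entered password, compare them with the page's domain, block on mismatch) can be sketched as follows. This is an added example, not code from Goutal, the application or the Office action; the PBKDF2 parameters, the subdomain matching rule, the allow decision for unenrolled passwords, and all names and sample values are assumptions.

```python
import hashlib
from urllib.parse import urlsplit

# Constructed sample value; a real agent would read a stable per-device identifier.
DEVICE_ID = b"constructed-device-id-0001"
PBKDF2_ROUNDS = 100_000  # assumption: the cited references name no algorithm


def password_key(password: str, device_id: bytes = DEVICE_ID) -> str:
    """Hash of the password and the device ID, used as the record lookup key.

    The device ID is the salt, so a copied record cannot be matched against
    password hashes computed on a different device.
    """
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), device_id, PBKDF2_ROUNDS
    )
    return digest.hex()


def page_domain(url: str) -> str:
    """Domain associated with the webpage: lower-cased host, no trailing dot."""
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:  # malformed authority, e.g. an unbalanced IPv6 bracket
        return ""
    return host.rstrip(".")


def domain_matches(domain: str, approved: str) -> bool:
    """Exact match, or a subdomain on a label boundary (assumed rule)."""
    return domain == approved or domain.endswith("." + approved)


class PasswordDomainRecord:
    """Maps a password hash to the set of domains approved for that password."""

    def __init__(self) -> None:
        self._approved: dict[str, set[str]] = {}

    def enroll(self, password: str, domain: str) -> None:
        key = password_key(password)
        self._approved.setdefault(key, set()).add(domain.lower().rstrip("."))

    def approved_domains(self, password: str):
        """Return the approved domains, or None if the password is not enrolled."""
        return self._approved.get(password_key(password))

    def stored_keys(self) -> set[str]:
        return set(self._approved)


def check_submission(record: PasswordDomainRecord, password: str, url: str) -> str:
    """Run while the form submission is held; returns 'allow' or 'block'."""
    approved = record.approved_domains(password)
    if approved is None:
        # Assumption: a password with no record is not a protected credential.
        return "allow"
    domain = page_domain(url)
    if domain and any(domain_matches(domain, a) for a in approved):
        return "allow"
    # Enrolled password typed into a page outside its approved domains.
    return "block"


if __name__ == "__main__":
    record = PasswordDomainRecord()
    record.enroll("constructed-sample-passphrase", "facebook.com")
    for url in (
        "https://www.facebook.com/login",        # approved domain
        "https://facebook.com.login.example/",   # lookalike host
    ):
        print(url, "->", check_submission(record, "constructed-sample-passphrase", url))
```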

Prosecution Timeline

Jul 06, 2021: Application Filed
Jan 26, 2024: Non-Final Rejection — §103, §112
Aug 01, 2024: Response Filed
Sep 02, 2024: Final Rejection — §103, §112
Feb 28, 2025: Request for Continued Examination
Mar 03, 2025: Response after Non-Final Action
May 22, 2025: Non-Final Rejection — §103, §112
Nov 26, 2025: Response Filed
Feb 04, 2026: Final Rejection — §103, §112 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12596790
Secure Environment Public Register (SEPR)
2y 5m to grant Granted Apr 07, 2026
Patent 12591664
System and method for remote users activities administration
2y 5m to grant Granted Mar 31, 2026
Patent 12574420
DYNAMIC POLICY AND NETWORK SECURITY ZONE GENERATION
2y 5m to grant Granted Mar 10, 2026
Patent 12563098
System and method for performing a secured operation
2y 5m to grant Granted Feb 24, 2026
Patent 12549608
CENTRALIZED SECURITY POLICY ADMINISTRATION USING NVMe-oF ZONING
2y 5m to grant Granted Feb 10, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.


Prosecution Projections

Expected OA Rounds: 5-6
Grant Probability: 72%
With Interview (+61.8%): 99%
Median Time to Grant: 2y 11m
PTA Risk: High
Based on 353 resolved cases by this examiner. Grant probability derived from career allow rate.
