DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This Office Action is in response to the Amendment filed on 12/16/2025.
In instant Amendment, claims 1, 7, 11 and 17 have been amended; and claims 1 and 11 are independent claims. Claims 1-20 have been examined and are pending. This Action is made Final.
Response to Arguments
Applicant's arguments filed 12/16/2025 with respect to the 35 U.S.C. 101 rejection have been fully considered and are persuasive. The 35 U.S.C 101 rejection of the claims has been withdrawn.
Applicant's arguments filed 12/16/2025 with respect to the 35 U.S.C. 103 rejection have been fully considered but they are not persuasive.
Applicant Argues: “First, McCloy fails to disclose a server generating a plurality of keys using a plurality of URL fragments, with each URL fragment having (1) a domain and (2) a respective permutation comprising a corresponding combination of (a) a path name and (b) one or more strings. The Office action purports that the generation of the plurality of keys is found in the description in
McCloy regarding computing a hash at [0032] and [0033]. McCloy, however, expressly lays out a computer is to "compute[] a hashing function for each [URL] component part or segment to produce a hash value [(the alleged 'second plurality of keys)] for that component part or segment" at [0032]. Nowhere does McCloy ever contemplate permutations of URL component parts or segments, much less permutations forming URL fragments. Even if the "hash values" of McCloy could somehow be equated with the recited "second respective permutation" (which is not conceded), there is no insinuation whatsoever in McCloy that the hash values comprise combination of URL strings in the recited manner. As such, the reference fails to disclose "generating, by the server, a second plurality of keys using a corresponding second plurality of URL fragments derived from the second URL, each of the second plurality of URL fragments having the second domain and a second respective permutation comprising a second corresponding combination of the second path name and the one or more second strings.”
Examiner’s Response: The examiner respectfully disagrees. The examiner respectfully notes that the claim states “...the record comprising a first plurality of keys for a corresponding first plurality of URL fragments derived from the first URL, each of the first plurality of URL fragments having the first domain name, the first path name, and a first respective permutation comprising a first corresponding combination of the one or more first strings.” (emphasis added). The examiner respectfully notes that McCloy does in fact disclose such features. The examiner respectfully notes in ¶[0044] McCloy states that the “For each URL in this set of URLs, classification module 150, at 415, classifies each component part as a primary domain 210, subdomain 215, or page 220. At 420, hashing module 155 hashes each classified component part to produce a corresponding hash value. Each computed hash value inherits the same classification as the component part from which it was computed. At 425, the resulting hash values are stored in database 135.” Further, in ¶[0037] McCloy states “In the illustrative embodiment of FIG. 2C, the component parts of a target URL 225, "www.us.products.corporation.com/widgets/2006.htm," are compared, in two separate scenarios labeled "A" and "B," with hash values stored in database 135. In Scenario A, the match is exact, and the score computed by comparison module 160 is maximized. In Scenario B, all of the individual component parts of the two URLs match, but the order of the subdomains in the network address is different.” The examiner notes the computed hash values inherit the same classification as the component part from which it was computed thus, and are stored in according to their classification and in accordance with hierarchical relationships among the segments to which they correspond, as discussed in ¶[0033]. The examiner notes that the hashes of the subdomain names are stored in a given classification/hierarchy for a given URL, therefore, reads on “a first respective permutation comprising a first corresponding combination of the one or more first strings” for that given URL. Therefore, with the reasonable construction above, McCloy does in fact disclose on “...the record comprising a first plurality of keys for a corresponding first plurality of URL fragments derived from the first URL, each of the first plurality of URL fragments having the first domain name, the first path name, and a first respective permutation comprising a first corresponding combination of the one or more first strings.” Therefore, the examiner finds this argument not persuasive..
Applicant Argues: “Second, McCloy fails to disclose a server determining a match between at least one a first plurality of keys of a record for a first URL and at least one of a second plurality of keys for a second URL. The Office action purports that the determination of the match can be found in the discussion in McCloy regarding comparison of hash values at [0032] and [0033]. To start with, however, McCloy fails to disclose generation of the second plurality of keys for at least the reasons laid out above. McCloy therefore cannot possibly disclose determination of a match between at least one of a first plurality of keys for a first URL and at least one of the second plurality of keys for a second URL that are generated using a corresponding plurality of URLs. As such, the reference fails to disclose "determining, by the server, a match between at least one of the first plurality of keys of the record for the first URL and at least one of the second plurality of keys for the second URL."
Since McCloy fails to meet the exacting standard of disclosing each and every element of claims 1 and 11, independent claims 1 and 11 as well as dependent claims 2-10 and 12-20 are patentable and in condition for allowance. Accordingly, withdrawal of the rejection under 35 U.S.C. § 102 of claims 1-20 is respectfully requested.”
Examiner’s Response: The examiner respectfully disagrees. McCloy discusses use of a “Comparison module 160 compares the hash values of the segments from a target URL with hash values stored in database 135 and computes a score indicating the extent to which they match” in ¶[0033]. McCloy further clarifies this in ¶[0041]-[0042], as McCloy states “These operations of segmentation, classification, and hashing that are performed on the target URL 225 are, of course, the same as those performed on the comparison URLs whose hashed segments are stored in database 135 so that a direct comparison can be made between the hash values derived from the target URL 225 and the hash values stored in the database 135.... . Comparison module 160, at 335, computes a score indicating the extent to which the hash values of the segments from the target URL match hash values stored in database 135.” Thus, a given target URL is segmented, classified, and hashed in the same manner to determine “...a second plurality of keys for a second URL”, which would be similar as discussed above. Thus, McCloy comparison is in fact the “server determining a match between at least one a first plurality of keys of a record for a first URL and at least one of a second plurality of keys for a second URL.” Therefore, the examiner finds this argument not persuasive.
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.
Claim(s) 1-20 is/are rejected under 35 U.S.C. 102(a)(1) as being anticipated by McCloy et al. (US 2008/0034073 A1).
Regarding Claim 1;
McCloy discloses a method of determining a match between uniform resource locators (URL) fragments ([0008]), comprising:
maintaining, by a server, a record for a first URL against which to compare ([0044]), the first URL having a first domain name (FIG., 2A – primary domain, 2B and C and [0044]), a first path name (FIG., 2A – page, 2B and C and [0044]), and one or more first strings (FIG., 2A – subdomain, 2B and C and [0044] the record comprising a first plurality of keys for a corresponding first plurality of URL fragments derived from the first URL, each of the first plurality of URL fragments having the first domain name, the first path name, and a first respective permutation of the one or more first strings comprising a first corresponding combination ([0033] - To make the job of comparison module 160 easier, the segment hash values stored in database 135 may be organized according to their classification and in accordance with hierarchical relationships among the segments to which they correspond. FIG. 2B is a diagram showing one example of hierarchical relationships among the segments of a URL in accordance with an illustrative embodiment of the invention. FIG. 2B indicates that the subdomain 215 "products" is subordinate (narrower in scope) than primary domain 210 "corporation.com," that subdomain 215 "www" is subordinate to subdomain 215 "products," and that page 220 "widgets/2006.htm" is subordinate to all of the other URL segments and [0037] and [0042] and [0044] – FIG. 4 is a flowchart of a method for constructing a database 135 for use in identifying network addresses associated with suspect network destinations in accordance with another illustrative embodiment of the invention. At 405, a set of URLs that are associated with known suspect network destinations (e.g., pestware or porn sites) is acquired. At 410, segmentation module 145 separates each URL in this set of URLs into component parts. For each URL in this set of URLs, classification module 150, at 415, classifies each component part as a primary domain 210, subdomain 215, or page 220. At 420, hashing module 155 hashes each classified component part to produce a corresponding hash value. Each computed hash value inherits the same classification as the component part from which it was computed. At 425, the resulting hash values are stored in database 135. In this illustrative embodiment, database 135 is organized according to the classifications of the respective component parts from which they were computed and in accordance with hierarchical relationships among the component parts such as those illustrated in FIG. 2B. This organization of database 135 allows rapid and efficient comparisons with the hashed component parts of a target URL 225. At 430, the process terminates.);
identifying, by the server, a second URL having a second domain name, a second path name, and one or more second strings comprising a second corresponding combination ([0032]-[0033] - Once a URL has been segmented and its component parts have been classified, hashing module 155 computes a hashing function for each component part or segment to produce a hash value for that component part or segment. Each computed hash value retains the classification (primary domain, subdomain, or page/file) of the segment from which it was computed ...Comparison module 160 compares the hash values of the segments from a target URL with hash values stored in database 135 and computes a score indicating the extent to which they match and [0037]);
generating, by the server, a second plurality of keys using a corresponding second plurality of URL fragments derived from the second URL, each of the second plurality of URL fragments having the second domain and a second respective permutation of the second path name and the one or more second strings ([0032]-[0033] - Once a URL has been segmented and its component parts have been classified, hashing module 155 computes a hashing function for each component part or segment to produce a hash value for that component part or segment. Each computed hash value retains the classification (primary domain, subdomain, or page/file) of the segment from which it was computed ... Comparison module 160 compares the hash values of the segments from a target URL with hash values stored in database 135 and computes a score indicating the extent to which they match and [0037] and [0041]-[0042] and [0044]);
determining, by the server, a match between at least one of the first plurality of keys of the record for the first URL and at least one of the second plurality of keys for the second URL ([0032]-[0033] - Once a URL has been segmented and its component parts have been classified, hashing module 155 computes a hashing function for each component part or segment to produce a hash value for that component part or segment. Each computed hash value retains the classification (primary domain, subdomain, or page/file) of the segment from which it was computed ... Comparison module 160 compares the hash values of the segments from a target URL with hash values stored in database 135 and computes a score indicating the extent to which they match and [0037] - One significant advantage of the invention is that it takes into account imperfect matches between the segments of a target URL and a comparison database. How sensitive network address analyzer 140 should be to such imperfect matches can, in some embodiments, be configured by the user. One way in which an imperfect match can occur is illustrated in FIG. 2C. In the illustrative embodiment of FIG. 2C, the component parts of a target URL 225, "www.us.products.corporation.com/widgets/2006.htm," are compared, in two separate scenarios labeled "A" and "B," with hash values stored in database 135. In Scenario A, the match is exact, and the score computed by comparison module 160 is maximized. In Scenario B, all of the individual component parts of the two URLs match, but the order of the subdomains in the network address is different. Such a match may be termed an "out-of-order match. and [0037] and [0041]-[0042] and [0044]);); and
generating, by the server, an output comprising an action to be executed to control access to an information resource identified by the second URL based at least on the match ([0036] - Once all of the individual segment-hash-value matches have been found for a given target URL, the weighted values assigned to the respective segment matches are combined (e.g., summed or multiplied) to yield an overall score indicating the degree of match and [0039] - The corrective action taken by security module 165 can also take on a variety of forms, depending on the particular embodiment. In one illustrative embodiment, security module 165 notifies a user that the target URL is believed to be associated with a suspect network destination); and
causing, by the server, execution of the action to control access to the information resource identified by the second URL according to the output (FIG. 3 – Criterion Satisfied →No/Yes (Corrective Action))
Regarding Claim 2;
McCloy discloses the method to Claim 1.
McCloy further discloses further comprising identifying, by the server, responsive to determining the match between a key of the first plurality of keys and at least one of the second plurality of keys, a rule for the key to apply to the second URL to provide the output associated with the match ([0037]-[0038] - In Scenario A, the match is exact, and the score computed by comparison module 160 is maximized. In Scenario B, all of the individual component parts of the two URLs match, but the order of the subdomains in the network address is different. Such a match may be termed an "out-of-order match." Comparison module 160 may account for an out-of-order match by weighting matches of segments that occur out of order less heavily than those that occur in the order indicated by database 135...Security module 165 is configured to take corrective action if the score computed by comparison module 160 satisfies a predetermined criterion. The predetermined criterion can take on many forms, depending on the particular embodiment. In one embodiment, the predetermined criterion is that the score exceed a threshold. The threshold is fixed in some embodiments; in other embodiments, it is adjustable by a user. In another embodiment, the predetermined criterion is that the computed score satisfy some other condition or set of conditions other than the exceeding of a threshold. For example, security module 165 could be configured to take corrective action based on a primary-domain match without further segment matches. Such a condition is, in some embodiments, specified by a user).
Regarding Claim 3;
McCloy discloses the method to Claim 1.
McCloy further discloses further comprising: determining, by the server, a score based at least on (i) the match between a key of the first plurality of keys and at least one of the second plurality of keys ([0036] - Once all of the individual segment-hash-value matches have been found for a given target URL, the weighted values assigned to the respective segment matches are combined (e.g., summed or multiplied) to yield an overall score indicating the degree of match), (ii) a source identifier for a source of the second URL ([0034]-[0036] - The comparison can begin at the primary-domain level, and a match on a primary domain 210 can be followed up with a search of subdomains 215 within that primary domain 210 and, finally, with a search of pages 220 within that primary domain 210 and subdomain 215 and [0044]), (iii) one or more factors associated with the second URL ([0034]-[0036] - The comparison can begin at the primary-domain level, and a match on a primary domain 210 can be followed up with a search of subdomains 215 within that primary domain 210 and, finally, with a search of pages 220 within that primary domain 210 and subdomain 215 and [0044]), and wherein providing the output further comprises providing the output in accordance with the score ([0036] - Once all of the individual segment-hash-value matches have been found for a given target URL, the weighted values assigned to the respective segment matches are combined (e.g., summed or multiplied) to yield an overall score indicating the degree of match).
Regarding Claim 4;
McCloy discloses the method to Claim 1.
McCloy further discloses further comprising identifying, by the server, a classification of abuse for the second URL in accordance with the match between a key of the first plurality of keys and at least one of the second plurality of keys (FIG. 3 – Criterion satisfied → YES and [0022] - In this illustrative embodiment, a set of network addresses (e.g., URLs) associated with known suspect network destinations is gathered (As construed URLs include second, third, etc. URLs) and [0043] At 340, if the score computed at 335 satisfies a predetermined criterion, security module 165 takes corrective action at 345, as explained above. At 350, the process terminates. (As construed the process terminates with corrective action is a form classification of abuse for the second URL).
Regarding Claim 5;
McCloy discloses the method to Claim 1.
McCloy further discloses determining, by the server, a lack of match between the first plurality of keys of the record for the first URL and a third plurality of keys for a third URL (FIG. 3 – Criterion satisfied → NO and [0022] - In this illustrative embodiment, a set of network addresses (e.g., URLs) associated with known suspect network destinations is gathered (As construed URLs include second, third, etc. URLs) and [0043] At 340, if the score computed at 335 satisfies a predetermined criterion, security module 165 takes corrective action at 345, as explained above. At 350, the process terminates.); and providing, by the server, a second output for the third URL based at least on the lack of match (FIG. 3 – Criterion satisfied → NO and [0022] - In this illustrative embodiment, a set of network addresses (e.g., URLs) associated with known suspect network destinations is gathered (As construed URLs include second, third, etc. URLs) and [0043] At 340, if the score computed at 335 satisfies a predetermined criterion, security module 165 takes corrective action at 345, as explained above. At 350, the process terminates. (As construed the process terminates with no corrective action is a form of a second output based on the lack of match).
Regarding Claim 6;
McCloy discloses the method to Claim 1.
McCloy further discloses further comprising identifying, the server, a classification of a third URL as safe responsive to a lack of a match between the first plurality of keys of the record for the first URL and a third plurality of keys for the third URL (FIG. 3 – Criterion satisfied → NO and [0022] - In this illustrative embodiment, a set of network addresses (e.g., URLs) associated with known suspect network destinations is gathered (As construed URLs include second, third, etc. URLs) and [0043] At 340, if the score computed at 335 satisfies a predetermined criterion, security module 165 takes corrective action at 345, as explained above. At 350, the process terminates. (As construed the process terminates with no corrective action is a form safe as no corrective action is taken).
Regarding Claim 7;
McCloy discloses the method to Claim 1.
McCloy further discloses wherein identifying the second URL further comprises receiving the second URL from a data source ([0022]), and the method further comprising:
identifying, by the server, from a plurality of rules, a rule for the data source, responsive to determining the match, the rule defining the action of a plurality of actions to be executed (FIG. 5A – Segment, classify, and hash the target URL → Compare hash values form target url with hash values stored in the database ... → Criterion Satisfied →No/Yes (Corrective Action) (as noted the satisfied is a no or yes rule) and [0038]-[0039] - The corrective action taken by security module 165 can also take on a variety of forms, depending on the particular embodiment. In one illustrative embodiment, security module 165 notifies a user that the target URL is believed to be associated with a suspect network destination. In a different illustrative embodiment, security module 165 prevents a network connection between a computer and the network destination associated with the target URL. In embodiments in which computer 100 is a server, security module 165 prevents a connection between another computer on the network (e.g., the Internet) and the network destination associated with the target URL. In embodiments in which computer 100 is a client, security module 165 blocks a connection between computer 100 and the network destination associated with the target URL); and
wherein generating the output further comprises generating the output comprising an instruction defining the action in accordance with a rule for the data source (FIG. 3 – Criterion Satisfied →No/Yes (Corrective Action) and [0038]-[0039]] - In some embodiments, taking corrective action includes alerting a user that the target URL is believed to be associated with a suspect network destination. In other embodiments, taking corrective action includes blocking a network connection between a computer and the network destination associated with the target URL).
Regarding Claim 8;
McCloy discloses the method to Claim 1.
McCloy further discloses wherein the record further comprises a third plurality of keys for a corresponding third plurality of URL fragments derived from a third URL ([0022] - In this illustrative embodiment, a set of network addresses (e.g., URLs) associated with known suspect network destinations is gathered (As construed URLs include second, third, etc. URLs) and [0044] - Each computed hash value inherits the same classification as the component part from which it was computed. At 425, the resulting hash values are stored in database 135. In this illustrative embodiment, database 135 is organized according to the classifications of the respective component parts from which they were computed and in accordance with hierarchical relationships among the component parts such as those illustrated in FIG. 2B. This organization of database 135 allows rapid and efficient comparisons with the hashed component parts of a target URL 225. At 430, the process terminates.) each of the third plurality of URL fragments having the first domain name (FIG., 2A – subdomains, 2B and C and [0044]), a third path name (FIG., 2A – subdomains, 2B and C and [0044]) and a first respective permutation of one or more third strings (FIG., 2A – subdomains, 2B and C and [0044]).
Regarding Claim 9;
McCloy discloses the method to Claim 1.
McCloy further discloses wherein each of the first plurality of keys in the record for the first URL further comprises a transposition of the first domain name and a respective hash of a corresponding first URL fragment of the first URL fragments ([0032] - Once a URL has been segmented and its component parts have been classified, hashing module 155 computes a hashing function for each component part or segment to produce a hash value for that component part or segment. Each computed hash value retains the classification (primary domain, subdomain, or page/file) of the segment from which it was computed).
Regarding Claim 10;
McCloy discloses the method to Claim 1.
McCloy further discloses wherein the record further comprises a first plurality of values corresponding to a plurality of source identifiers, each of the first plurality of values identifying a classification of abuse for a corresponding source identifier of the plurality of source identifiers (FIG. 3 – Criterion satisfied → YES and [0022] - In this illustrative embodiment, a set of network addresses (e.g., URLs) associated with known suspect network destinations is gathered (As construed URLs include second, third, etc. URLs) and [0038] - For example, security module 165 could be configured to take corrective action based on a primary-domain match without further segment matches. Such a condition is, in some embodiments, specified by a user and [0043] At 340, if the score computed at 335 satisfies a predetermined criterion, security module 165 takes corrective action at 345, as explained above. At 350, the process terminates. (As construed the process terminates with corrective action is a form classification of abuse for a primary-domain match).
Regarding Claim(s) 11-20; claim(s) 11-20 is/are directed to a/an system associated with the method claimed in claim(s) 1-10. Claim(s) 11-20 is/are similar in scope to claim(s) 1-10, and is/are therefore rejected under similar rationale.
Conclusion
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KARI L SCHMIDT whose telephone number is (571)270-1385. The examiner can normally be reached Monday-Friday 10am - 6pm (MDT).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached at (571)270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/KARI L SCHMIDT/Primary Examiner, Art Unit 2439