Prosecution Insights
Last updated: July 17, 2026
Application No. 18/219,552

MALICIOUS SITE DETECTION FOR A CYBER THREAT RESPONSE SYSTEM

Non-Final OA §103§112
Filed
Jul 07, 2023
Priority
Feb 20, 2018 — provisional 62/632,623 +3 more
Examiner
CHAO, MICHAEL W
Art Unit
2492
Tech Center
2400 — Computer Networks
Assignee
Darktrace Holdings Limited
OA Round
3 (Non-Final)
70%
Grant Probability
Favorable
3-4
OA Rounds
2m
Est. Remaining
99%
With Interview

Examiner Intelligence

Grants 70% — above average
70%
Career Allowance Rate
384 granted / 549 resolved
+11.9% vs TC avg
Strong +41% interview lift
Without
With
+40.7%
Interview Lift
resolved cases with interview
Typical timeline
3y 3m
Avg Prosecution
18 currently pending
Career history
583
Total Applications
across all art units

Statute-Specific Performance

§101
1.5%
-38.5% vs TC avg
§103
90.9%
+50.9% vs TC avg
§102
4.9%
-35.1% vs TC avg
§112
1.9%
-38.1% vs TC avg
Black line = Tech Center average estimate • Based on career data from 549 resolved cases

Office Action

§103 §112
Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . This action is in response to the claims filed 10/16/2023. Claims 21-41 are pending. Claims 21 (a machine), 33 (a method), and 41 (a non-transitory CRM) are independent. Response to Arguments Applicant’s arguments, see 12, filed 8/12/2024, with respect to the rejection(s) of claim(s) 21, 25, 30, 32, 33, 37, 40, and 41 under Kumar (US 2019/0104154) have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of Kumar et al., US 2019/0104154 (filed 2017-10), in view of Oliver, US 2008/0131006 (published 2008). Specifically, Kumar functions by first detecting a keypoint (the claimed ‘text-like feature’) and then extracts a block of pixels having a predetermined size (the claimed ‘divide’ and ‘transform’). The blocks are then used to generate a descriptor (the claimed ‘signature’), see Kumar ¶ 59.) In other words, Kumar functions by first detecting a keypoint to know where to extract (‘divide’) in image to describe the keypoint (‘text-like feature’). If it were not done in this order, the extraction of blocks would be without regard to where keypoints are located and would function to divide keypoints; either by separating the text-like features horizontally or vertically; this would make the extracted blocks useless as they would not contain any text for performing further processing on. Consider (A) and (B), for example: (A): PNG media_image1.png 21 286 media_image1.png Greyscale (B): PNG media_image2.png 27 63 media_image2.png Greyscale Examiner notes that the Applicant’s specification also describes first determining the existence of a ‘key text-like feature’ and then ‘divide’ the image around said ‘text-like feature’. “The segmentation module both detects a set of key text-like features in the multiple segments of the image and determines coordinates around each key text-like feature in that set of key text-like features.” Applicant’s specification ¶ 24. “Each key text-like feature has its own bounding box formed around the coordinates of the four corners of that text-like feature (see Figure 6).” Applicant’s specification ¶ 25. “The segmentation module applying the machine learning algorithm identifies areas of key features along with their coordinates on the image of the page, (e.g. in the visual appearance of the site) as rendered on the end user's computing device. The segmentation module forms a bounding box around each of these key features.” Applicant’s specification ¶ 30. Applicant’s system also detects ‘key text-like features’ before dividing the image is how Applicant is able to create the bounding boxes around the ‘text-like features’ in Applicant’s Figures 2, 3, and 6. In summary, Examiner agrees that Kumar does not determine the existence of keypoints after dividing the image. Double Patenting The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969). A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13. The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer. Claims 21-41 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-10 of U.S. Patent No. 11,716,347. Although the claims at issue are not identical, they are not patentably distinct from each other because: As to pending independent claims 21, 33, and 41, claim 1 of ‘347 comprises analogous limitations. Similarly, the dependent claims 22-32, 34-40 are not patentably distinct from the limitations found in claims 1-10. Claim Rejections - 35 USC § 112 The following is a quotation of the first paragraph of 35 U.S.C. 112(a): (a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention. The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112: The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention. Claims 21-41 rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. Independent claims 21, 33, and 41 have been amended to require “i) divide an image into a plurality of segments, ii) transform each segment of the plurality of segments into a fixed rendered size to generate a plurality of transformed segments, and iii) then analyze each of the plurality of transformed segments to determine whether the transformed segment includes a key text-like feature;” In other words, Applicant has amended the claims and presented arguments (see pp. 12-13 filed 08/12/2024) that assert that i, ii, and iii are performed in a particular order. No portion of the specification has been noted in support of this amendment and argument. Conversely, Applicant’s specification discloses the following: “The segmentation module both detects a set of key text-like features in the multiple segments of the image and determines coordinates around each key text-like feature in that set of key text-like features.” Applicant’s specification ¶ 24. “The machine learning algorithm looks on the image under analysis for specific key features that appear be text-like by detecting for, for example, gradients in color change in one or more areas and a ratio to a background color to establish a beginning and an end of each specific key feature that appears be text-like. These key text-like features will then have a bounding box formed around the coordinates of the four corners of each key text-like feature. Each key text-like feature has its own bounding box formed around the coordinates of the four corners of that text- like feature (see Figure 6).” Applicant’s specification ¶ 25. “The segmentation module applying the machine learning algorithm identifies areas of key features along with their coordinates on the image of the page, (e.g. in the visual appearance of the site) as rendered on the end user's computing device. The segmentation module forms a bounding box around each of these key features.” Applicant’s specification ¶ 30. See also Applicant’s specification ¶ 48. Thus, to the extent that an order of timing is considered with regard to statements i, ii, and iii; statement iii must be performed first; contrary to Applicant’s arguments and amendment. The fact that iii detecting a text-like feature is performed first makes logical sense as seen in Applicant’s figures 2, 3, and 6. If the image were segmented without regard to where the text was, the segmentation would divide the text and frustrate any detection of text within the segmentations. Thus, any segmentation must be centered on the ‘text-like feature’ for such a feature to be utilized in further processing. The following is a quotation of 35 U.S.C. 112(b): (b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention. The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph: The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention. Claims 21-41 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. Claims 21, 33, and 41 have been amended to require: iii) then analyze each of the plurality of transformed segments to determine whether the transformed segment includes a key text-like feature;” In view of Applicant’s specification ¶¶ 24, 25, and 30 describing that the segmentation is performed based on detecting key text-like features, it is unclear what this ‘then analyze’ would require. Once the segmentation is performed around text-like features, what is left to be determined? Examiner notes that the signature creator and AI model further process (analyze) the key text-like features. It is not evident from the claim what processing is performed in step iii; which is performed after segmentation of the image around key-text like features that are already detected yet before the further analysis steps defined in the claims. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claim(s) 21, 25, 30, 32, 33, 37, 40, and 41 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kumar et al., US 2019/0104154 (filed 2017-10), in view of Oliver, US 2008/0131006 (published 2008). As to claims 21, 33, and 41, Kumar discloses a machine/method/non-transitory CRM comprising: one or more processors; and (See Kumar Fig. 4) a non-transitory memory storage device accessible by the one or more processors, the non-transitory memory storage device comprises (“FIG. 4 is an exemplary embodiment of a logical representation of the phishing detection and analysis system of FIG. 1. The phishing detection and analysis system (PDAS) 400, in an embodiment, may be stored on a non-transitory computer-readable storage medium of an endpoint device” Kumar ¶ 71) a phishing site detector (“Embodiments of systems and methods for detecting phishing attacks are described.” Kumar ¶ 11) configured to i) divide an image into a plurality of segments, (“the feature generation logic 106 is responsible for: (1) detecting keypoints within the screenshot, (2) generating keypoint descriptors based on the detected keypoints,” Kumar ¶ 47) ii) transform each segment of the plurality of segments into a fixed rendered size to generate a plurality of transformed segments, (“The feature generation logic 106 uses computer vision techniques to detect keypoints within the screenshot. The feature generation logic 106 extracts blocks of pixels from the screenshot having a predetermined size, e.g., a 16×16 block, that includes the keypoint.” Kumar ¶ 59. “Known keypoint detection techniques such as rule sets that detect keypoints based on pixel density. Scale-Invariant Feature Transform (SIFT)” Kumar ¶ 17) and iii) then analyze each of the plurality of transformed segments to determine whether the transformed segment includes a key text-like feature; (“the keypoints can be selected so as to capture the common branding, and design elements of a webpage family” Kumar ¶ 20. “The plurality of keypoint descriptors describing the keypoints detected within a screenshot is stored in a vector, referred to herein as a “feature vector.” … The feature vector is then provided to the classifier 112.”) a signature creator configured to create a plurality of digital signatures, each digital signature, corresponding to one the plurality of transformed segments including a corresponding key text-like feature, is at least indicative of a visual appearance of the corresponding key text-like feature; and (“Each block of pixels is then used to generate a keypoint descriptor for the keypoint included within the block of pixels as discussed above. The plurality of keypoint descriptors describing the keypoints detected within a screenshot is stored in a vector, referred to herein as a “feature vector.”” Kumar ¶ 59) an Artificial-Intelligence (AI) model (“As an overview the training process involves receipt of a list of URLs for use the detection of phishing websites. The list of URLs may be based on internal analytics, a third-party source, or the like. The URLs included in the list of URLs may be either known, benign websites (e.g., those that are often used in carrying out phishing attacks) and/or known phishing websites.” Kumar ¶ 44) configured to compare i) the plurality of digital signatures associated with a plurality of key text-like features detected in the image from an unknown site under analysis to (“The classifier 112 uses the feature vector of the subject screenshot as an input to the model generated during training. Analyzing the feature vector of the subject screenshot using the model results in a plurality of confidences.” Kumar ¶ 60) ii) digital signatures associated with a second plurality of text-like features from a plurality of known bad phishing sites (“known phishing websites.” Kumar ¶ 44) to output a likelihood of maliciousness of the unknown site under analysis. (“a first confidence may correspond to the Bank of America webpage, a second confidence may correspond to the Wells Fargo webpage, etc., with each confidence indicating the likelihood that the subject webpage is attempting to mimic the webpage corresponding to the webpage family. Continuing the example, the first confidence indicates the likelihood that the subject webpage is attempting to mimic the Bank of America webpage” Kumar ¶ 60) Kumar does not disclose “divide… transform… then analyze” Oliver discloses: Divide… transform (“The OCR module may split the image into several character-blocks that each has a reasonable probability of containing a character (e.g., an ASCII character). The OCR module may form a sequence of blocks that represent a candidate match for the search term and estimate the probability of a match between the sequence of blocks and the search term.” Oliver ¶ 12) Then analyze (“For anti-phishing applications, links to phishing sites may be included in the expressions 322. In that case, the antispam engine 320 may be configured to determine if an image included in an email has text content matching a link to a phishing site” Oliver ¶ 47) A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Kumar with Oliver, by utilizing OCR splitting and searching in the system of Oliver to either, detect the keypoints for text or to extract text to match to fishing websites after the keypoints are detected. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Kumar with Oliver in order to detect malicious or phishing text that has been obfuscated or is otherwise difficult for machine vision to process, see Oliver Figures. As to claim 25, Kumar discloses the machine/method/CRM of claim 21 and further discloses: wherein the Al model is trained to compare i) digital signatures associated with one or more key text-like features (“The classifier 112 uses the feature vector of the subject screenshot as an input to the model generated during training. ” Kumar ¶ 60) pertaining to a first category of key text-like features from the plurality of key text-like features in the image under analysis to ii) digital signatures in the first category (“As an illustrative example, when the training set includes URLs for Bank of America, Wells Fargo, First Republic, and other known banking webpages for a total of twenty (20) banking webpages in the training set, the analysis of the feature vector of the subject screenshot during the detection process may result in 20 confidences.” Kumar ¶ 60) that are associated with one or more key text-like features from the second plurality of key text-like features that are associated with the plurality of known bad phishing sites stored in a library of digital signatures. (“Analyzing the feature vector of the subject screenshot using the model results in a plurality of confidences. Each confidence of the plurality of confidences corresponds to a separate webpage family of the URLs provided to the PDAS 400 during training (“the training set”).” Kumar ¶ 60) As to claim 30, Kumar discloses the machine/method/CRM of claim 21 and further discloses: wherein the trained Al model is configured to compare the plurality of digital signatures from the plurality (“The classifier 112 uses the feature vector of the subject screenshot as an input to the model generated during training. Analyzing the feature vector of the subject screenshot using the model results in a plurality of confidences.” Kumar ¶ 60) of key text-like features detected in the image (“the keypoints can be selected so as to capture the common branding, and design elements of a webpage family” Kumar ¶ 20) to the digital signatures associated with the second plurality of key text-like features (“Analyzing the feature vector of the subject screenshot using the model results in a plurality of confidences.” Kumar ¶ 60) and output a result of the compare identifying a likelihood of malicious of the unknown site under analysis including the image, (“a first confidence may correspond to the Bank of America webpage, a second confidence may correspond to the Wells Fargo webpage, etc., with each confidence indicating the likelihood that the subject webpage is attempting to mimic the webpage corresponding to the webpage family. Continuing the example, the first confidence indicates the likelihood that the subject webpage is attempting to mimic the Bank of America webpage” Kumar ¶ 60) wherein each key text-like feature of the plurality of key text-like features detected in the image categorized as part of a first category is compared to a key text-like feature of the second plurality of key text-like features in the first category. (“As an illustrative example, when the training set includes URLs for Bank of America, Wells Fargo, First Republic, and other known banking webpages for a total of twenty (20) banking webpages in the training set, the analysis of the feature vector of the subject screenshot during the detection process may result in 20 confidences.” Kumar ¶ 60. Categories.) As to claim 32, Kumar discloses the machine/method/CRM of claim 21 and further discloses: wherein the access module is further configured to capture a screenshot of the page of the unknown site as the image and provide the screenshot to a segmentation module of the phishing site detector to divide the screenshot into the plurality of segments. (“the URL is provided to the content fetcher 104, which obtains a screenshot of the webpage to which the URL resolves, as discussed above with respect to the training process in accordance with FIG. 1. The content fetcher 104 then provides the screenshot of the webpage (e.g., an image file, or an identifier enabling, retrieval of the image file) to the feature generation logic 106.” Kumar ¶ 59) As to claim 37, Kumar discloses the machine/method/CRM of claim 33 and further discloses: wherein the segmentation module is further configured to detect the plurality of key text-like features in the image and determine coordinates around each key text-like feature of the plurality of key text- like features. (“A keypoint descriptor may include a set of one or more parameters that describe the keypoint such as keypoint center coordinates x and y relative to the screenshot, a scale (e.g., being a radius of a circular image region, when applicable), and/or an orientation determined by the gradient of the pixel greyscale within the keypoint.” Kumar ¶ 18). As to claim 40, Kumar discloses the machine/method/CRM of claim 21 and further discloses: wherein after the comparing of i) the plurality of digital signatures associated with the plurality of key text-like features to ii) the digital signatures associated with the second plurality of text-like features, (“The classifier 112 uses the feature vector of the subject screenshot as an input to the model generated during training. Analyzing the feature vector of the subject screenshot using the model results in a plurality of confidences.” Kumar ¶ 60) the method further comprising: outputting a result identifying a likelihood of malicious of the unknown site under analysis including the image, (“when the result of the image comparison is greater than or equal to the predefined threshold e.g., indicating a match of the two screenshots meets or exceeds the predefined threshold (yes at block 316), the method 300 determines the subject URL is a phishing URL (block 320) and subsequently generates and issues an alert (block 322). The alert may be issued to, for example, a user attempting to access the URL using an endpoint device, a network administer and/or a cybersecurity analyst.” Kumar ¶ 70) wherein each key text-like feature of the plurality of key text-like features detected in the image categorized as part of a first category is compared to a key text-like feature of the second plurality of key text-like features in the first category. (“a first confidence may correspond to the Bank of America webpage, a second confidence may correspond to the Wells Fargo webpage, etc., with each confidence indicating the likelihood that the subject webpage is attempting to mimic the webpage corresponding to the webpage family. Continuing the example, the first confidence indicates the likelihood that the subject webpage is attempting to mimic the Bank of America webpage” Kumar ¶ 60, comparison of page family categories.) Claim(s) 22, 27-29, 38, and 39 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kumar et al., US 2019/0104154 (filed 2017-10), in view of Oliver, US 2008/0131006 (published 2008), and Flament et al., US 2019/0019020 (filed 2018-07). As to claim 22, Kumar in view of Oliver discloses the machine/method/CRM of claim 21 and further discloses: wherein the phishing site detector comprises a segmentation module configured to use a … algorithm for dividing the image associated with a site under analysis into the plurality of segments. (“The feature generation logic 106 may utilize the computer vision techniques to detect edges and corners in images in the screenshot or more generally to perform density location operations, which detect groupings of pixels within the screenshot that include a high density of pixels (e.g., non-white space). The feature generation logic 106 may detect keypoints of the screenshots” Kumar ¶ 47) Kumar in view of Oliver does not disclose that the algorithm for segmentation is a machine learning algorithm. Flament discloses: a machine learning algorithm (“the heat maps produced by the convolutional neural network are depicted in the figure.” Flament ¶ 38. “heat maps or bounding boxes corresponding to feature types such as text, face, signature, document background, and image background.” Flament ¶ 11) (“the heat maps may indicate areas that are bounded by distinct lines (bounding boxes), where the portion of the image within a bounding box has an above-threshold likelihood of having the particular feature type and the portion of the image outside the bounding box has a below-threshold likelihood of having the particular feature type.” Flament ¶ 39) A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Kumar in view of Oliver with Flament by utilizing Flament’s convolutional neural network to determine bounding boxes for the keypoints of Kumar. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Kumar in view of Oliver with Flament in order to automatically determine particular types of features points, thereby allowing selection of (“common branding, and design elements of a webpage family” Kumar ¶ 20. See also Flament ¶ 11). As to claim 27, Kumar discloses the machine/method/CRM of claim 22 and further discloses: wherein the segmentation module is further configured to detect the plurality of key text-like features in the image and determine coordinates around each key text-like feature of the plurality of key text- like features. (“A keypoint descriptor may include a set of one or more parameters that describe the keypoint such as keypoint center coordinates x and y relative to the screenshot, a scale (e.g., being a radius of a circular image region, when applicable), and/or an orientation determined by the gradient of the pixel greyscale within the keypoint.” Kumar ¶ 18). As to claims 28, 38 Kumar discloses the machine/method/CRM of claims 21 and 33 and further discloses: wherein the phishing site detector is configured to determine whether the transformed segment includes one or more key-like features, including the key text-like feature that correspond to actual text and logos on the image of the page under analysis, (“keypoints can be selected so as to capture the common branding, and design elements of a webpage family ” Kumar ¶ 20. “keypoint descriptors that indicate a point of interest within the screenshot (e.g., a logo or a portion thereof).” Kumar ¶ 19) by at least detecting gradients in color change (“and/or an orientation determined by the gradient of the pixel greyscale within the keypoint.” Kumar ¶ 18) in one or more areas and a ratio to a background color to establish a beginning and an end of each specific key feature that appears text-like. Kumar in view of Oliver does not disclose: in one or more areas and a ratio to a background color to establish a beginning and an end of each specific key feature that appears text-like. Flament discloses: in one or more areas and a ratio to a background color to establish a beginning and an end of each specific key feature that appears text-like. (“one of the maps shows where in the original image text has been detected, while another may show where a face, a signature, document background, image background, or another type of feature has been detected.” Flament ¶ 37 “The heat maps may use colors, shades of gray, or other means to indicate a range of likelihoods of finding a particular feature type at specific locations within the image (e.g., blues and greens may represent lower likelihoods, while oranges and reds represent higher likelihoods). Alternatively, the heat maps may indicate areas that are bounded by distinct lines (bounding boxes), where the portion of the image within a bounding box has an above-threshold likelihood of having the particular feature type and the portion of the image outside the bounding box has a below-threshold likelihood of having the particular feature type. The threshold may be set by default to a predetermined value (e.g., 0.5 on a scale from 0 to 1)” (ratios) Flament ¶ 39. “Referring again to FIG. 4, the heat map for text in the image is used in this embodiment to determine the boundaries (e.g., bounding boxes) of the text in the image, and optical character recognition (OCR) is used to detect and/or identify the text within these boundaries (408).” Flament ¶ 40). A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Kumar in view of Oliver with Flament by utilizing Flament’s convolutional neural network to determine bounding boxes for the keypoints of Kumar. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Kumar in view of Oliver with Flament in order to automatically determine particular types of features points, thereby allowing selection of (“common branding, and design elements of a webpage family” Kumar ¶ 20. See also Flament ¶ 11). As to claims 29, 39 Kumar in view of Oliver and Flament discloses the machine/method/CRM of claims 28 and 38 and further discloses: wherein the one or more text- like features having a bounding box formed around the coordinates of each key text-like feature of the one or more key text-like features. (“A keypoint descriptor may include a set of one or more parameters that describe the keypoint such as keypoint center coordinates x and y relative to the screenshot, a scale (e.g., being a radius of a circular image region, when applicable), and/or an orientation determined by the gradient of the pixel greyscale within the keypoint.” Kumar ¶ 18. “The heat maps may use colors, shades of gray, or other means to indicate a range of likelihoods of finding a particular feature type at specific locations within the image (e.g., blues and greens may represent lower likelihoods, while oranges and reds represent higher likelihoods). Alternatively, the heat maps may indicate areas that are bounded by distinct lines (bounding boxes), where the portion of the image within a bounding box has an above-threshold likelihood of having the particular feature type and the portion of the image outside the bounding box has a below-threshold likelihood of having the particular feature type. The threshold may be set by default to a predetermined value (e.g., 0.5 on a scale from 0 to 1)” (ratios) Flament ¶ 39.) Claim(s) 23, 24, 26, and 34-36 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kumar et al., US 2019/0104154 (filed 2017-10), in view of Oliver, US 2008/0131006 (published 2008), and Waterson et al., US 2012/0023566 (filed 2009). As to claims 23 and 34, Kumar discloses the machine/method/CRM of claims 21 and 33 and further discloses: The cyber security appliance of claim 21, wherein the phishing site detector further comprises a categorizing module to analyze at least a first transformed segment of the plurality of transformed segments of the image determined to have a first key text-like feature by at least … ii) determining a category belonging to the first key text-like feature using both the resulting text and a visual appearance of the key text-like feature, wherein the image is from a page of an unknown site under analysis. (“when the training set includes URLs for Bank of America, Wells Fargo, First Republic, and other known banking webpages for a total of twenty (20) banking webpages in the training set, the analysis of the feature vector of the subject screenshot during the detection process may result in 20 confidences. Specifically, a first confidence may correspond to the Bank of America webpage, a second confidence may correspond to the Wells Fargo webpage, etc., with each confidence indicating the likelihood that the subject webpage is attempting to mimic the webpage corresponding to the webpage family.” Kumar ¶ 60. The category are the respective different banks.) Kumar does not disclose: i) conducting optical character recognition (OCR) on the first transformed segment to produce resulting text including the first key text-like feature and Waterson discloses: i) conducting optical character recognition (OCR) on the first transformed segment to produce resulting text including the first key text-like feature and (“As well as extracting tokens from text, the plug in tool extracts tokens in another manner. It first takes an image of the retrieved page and then performs optical character recognition on it along with the title of the page, step 1002. This turns the page image into a set of characters, from which tokens can be extracted. Again a token probability is obtained for each extracted token, step 1003, and from those the page probability is found, step 1004. Using this method may extract tokens that would not otherwise be found from text alone. The plug in tool then determines which page probability is the largest, the one determined from OCR extracted tokens, or the one taken from text extracted tokens, step 1008. If the selected page probability is larger than a threshold, the plug in determines the page as being a fraudulent page, step 1009.” Waterson ¶ 95) A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Kumar with Waterson by incorporating an OCR functionality to characterize the keypoints. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Kumar with Waterson in order to obtain token characteristics from images for comparison in phishing website detection that detects commonality despite changing fonts and colors or other image alterations that may avoid the machine vision of Kumar. As to claims 24, 35, Kumar in view of Waterson discloses the machine/method/CRM of claims 23 and 34 and further discloses: wherein the page is a log-in page that harvests log-in credentials for the unknown site. (“In some embodiments, two webpage families may correspond to the same overall webpage “owner.” For example, as Bank of America may have multiple login webpages for which the “look and feel” differs, a first Bank of America login webpage may include two text boxes corresponding to an entry of a customer's username and password, while a second Bank of America login webpage may include three text boxes corresponding to an entry of a customer's email address, social security number and birthday.” Kumar ¶ 64). As to claims 26, 36, Kumar discloses the machine/method/CRM of claims 21 and 33 and further discloses: wherein the phishing site detector includes an autonomous response module configured to, upon determining a prescribed correlation between the digital signatures associated with one or more key text-like features from the plurality of key text-like features and the digital signatures associated with one or more key text-like features from the second plurality of key text- like features, … and generate a notice to the user that the unknown site is likely a malicious phishing site. (“When the subject URL and the subject webpage are determined to be part of a phishing attack, the reporting engine 122 generates an alert to a cybersecurity analyst, an administrator, and/or users of one or more endpoints indicating that the subject URL and subject webpage are part of a phishing attack.” Kumar ¶ 62) Kumar does not explicitly disclose: preclude user access to the unknown site under analysis Waterson discloses: preclude user access to the unknown site under analysis (“If the plug in tool determines that the retrieved page is a fraudulent page, step 407, then it will reject the web page, or disable the entry fields, and/or provide a warning to the user, step 409.” Waterson ¶ 76). A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Kumar with Waterson rejecting the webpage or disabling entry fields of a suspect phishing site. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Kumar with Waterson in order to prevent user information from being phished in a suspected phishing site so that a user that disregards or speedily clicks through the notification of Kumar will not compromise their data. Claim(s) 31 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kumar et al., US 2019/0104154 (filed 2017-10), in view of Oliver, US 2008/0131006 (published 2008), and Govardhan et al., US 2019/0334947 (filed 2018-06). As to claim 31, Kumar discloses the machine/method/CRM of claim 21 and further discloses: wherein the trained Al model is configured to compare the plurality of digital signatures from the plurality (“The classifier 112 uses the feature vector of the subject screenshot as an input to the model generated during training. Analyzing the feature vector of the subject screenshot using the model results in a plurality of confidences.” Kumar ¶ 60) of key text-like features detected in the image (“the keypoints can be selected so as to capture the common branding, and design elements of a webpage family” Kumar ¶ 20) to the digital signatures associated with the second plurality of key text-like features, (“Analyzing the feature vector of the subject screenshot using the model results in a plurality of confidences.” Kumar ¶ 60) Kumar does not disclose: wherein the phishing site detector includes an access module that is configured to access, when an email under analysis is checked, a link in the email to capture the image of at least a login page associated with the unknown site accessed through the link. Govardhan discloses: wherein the phishing site detector includes an access module that is configured to access, when an email under analysis is checked, (“may receive the URL via email traffic 210 (i.e., Simple Mail Transfer Protocol (SMTP))” Govardhan ¶ 22. Also ¶ 35) a link in the email to capture the image of (“First, webpage crawler 214 crawls one or more webpages of a website associated with the URL. Once webpage crawler 214 has browsed each of the one or more webpages, webpage crawler 214 captures one or more images associated with each of the one or more webpages.” Govardhan ¶ 25) at least a login page associated with the unknown site accessed through the link. (“The webpage category may include login page (for example, for email or storage)” Govardhan ¶ 28). A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Kumar with Govardhan by using the system of Kumar to scan emails with potentially malicious URLs. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Kumar with Govardhan in order to extract and classify URLs of websites which users of a system are prompted with to thereby secure the user’s in the system from malicious phishing attacks via fraudulent URLs, Govardhan ¶ 4. Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892, particularly: Kumar et al., US 10,489,682, discloses OCR using deep learning training data by segmenting an image. Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL W CHAO whose telephone number is (571)272-5165. The examiner can normally be reached M, W-F 8-5. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571) 272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /MICHAEL W CHAO/ Primary Examiner, Art Unit 2492
Read full office action

Prosecution Timeline

Show 5 earlier events
Mar 17, 2025
Notice of Allowance
Mar 17, 2025
Response after Non-Final Action
Aug 14, 2025
Response after Non-Final Action
Aug 23, 2025
Response after Non-Final Action
Oct 17, 2025
Response after Non-Final Action
Dec 22, 2025
Request for Continued Examination
Jan 08, 2026
Response after Non-Final Action
Jul 14, 2026
Non-Final Rejection mailed — §103, §112 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12683970
PERFORMING SERVICES ON A HOST
2y 9m to grant Granted Jul 14, 2026
Patent 12675565
DETECTION OF A CLASS OF PROCESSES
4y 6m to grant Granted Jul 07, 2026
Patent 12652284
SYSTEMS, METHODS, AND COMPUTER PROGRAM PRODUCTS FOR AUTHENTICATING DEVICES WITH DEVICE AUTHENTICATION IDENTIFIERS
2y 1m to grant Granted Jun 09, 2026
Patent 12641081
FAST JOINS AND LOW MEMORY USAGE FOR END-TO-END (E2E)-SECURE APPLICATIONS USING LIGHT MLS CLIENTS
2y 1m to grant Granted May 26, 2026
Patent 12634132
ELECTRONIC DEVICE FOR CONTROLLING POWER CONSUMPTION OF ACCESSORY DEVICE AND OPERATING METHOD THEREFOR
3y 0m to grant Granted May 19, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

3-4
Expected OA Rounds
70%
Grant Probability
99%
With Interview (+40.7%)
3y 3m (~2m remaining)
Median Time to Grant
High
PTA Risk
Based on 549 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month