DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Status of Claims
Claims 1-14 are pending.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 5/31/2023 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked.
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph:
(A) the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function;
(B) the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and
(C) the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function.
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function.
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function.
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitation(s) is/are: “unit for” in claim 1.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claim limitations “collection unit for”, “security threat inspection unit for”, “zero-day URL conversion unit for”, and “zero-day URL diagnosis unit for”, as in claim 1, as well as “collection step of”, “security threat inspection step of”, “zero-day URL conversion step of”, “zero-day URL diagnosis step of”, as in claim 8, invoke 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. The specification merely recites generic computer hardware (e.g. [0024]-[0025]) without directly linking the claimed functions to any specific hardware in the disclosure. Therefore, the claim is indefinite and is rejected under 35 U.S.C. 112(b) or pre-AIA 35 U.S.C. 112, second paragraph.
Applicant may:
(a) Amend the claim so that the claim limitation will no longer be interpreted as a limitation under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph;
(b) Amend the written description of the specification such that it expressly recites what structure, material, or acts perform the entire claimed function, without introducing any new matter (35 U.S.C. 132(a)); or
(c) Amend the written description of the specification such that it clearly links the structure, material, or acts disclosed therein to the function recited in the claim, without introducing any new matter (35 U.S.C. 132(a)).
If applicant is of the opinion that the written description of the specification already implicitly or inherently discloses the corresponding structure, material, or acts and clearly links them to the function so that one of ordinary skill in the art would recognize what structure, material, or acts perform the claimed function, applicant should clarify the record by either:
(a) Amending the written description of the specification such that it expressly recites the corresponding structure, material, or acts for performing the claimed function and clearly links or associates the structure, material, or acts to the claimed function, without introducing any new matter (35 U.S.C. 132(a)); or
(b) Stating on the record what the corresponding structure, material, or acts, which are implicitly or inherently set forth in the written description of the specification, perform the claimed function. For more information, see 37 CFR 1.75(d) and MPEP §§ 608.01(o) and 2181.
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.
Claim(s) 1-3, 7-10, 14 is/are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Maylor et al (US 2020/0358798).
Regarding Claims 1 and 8:
Maylor teaches a service providing device and a method of operating a service providing device, the service providing device comprising:
a collection unit for collecting information on mail transmitted and received between one or more user terminals ([0072] system receives as input an electronic message 401 that contains a reference 410 to a resource);
a security threat inspection unit for inspecting, when a URL is included in the email information, the URL by a mail security process according to a preset security threat architecture, and storing and managing URL inspection information according to a result of the inspection ([0079] embodiment of the system that screens a web page first for possible threats, and then connects if the web page is deemed safe; proxy server 501 receives a decoded link 110 from the Decode module; it then performs a safety Check 601 on the web page; this check may use any desired method to determine whether the web page presents known or suspected threats of any kind; [0156]-[0157] systems of the present invention are configured to map a shortened URL to one or more stored objects such as JavaScript Object Notation (JSON) objects, wherein such objects may include informational data associated with them; by associating the shortened URLs with objects such as JSON objects and the vast amount of informational data associated therewith, such shortened URLs become “smart URLs”, in that the threat detection systems can utilize the informational data tied to any given short URL for more advanced processing such as, for example, providing detailed intermediary pages (since the systems knows the message), performing remediation (again, since the system knows the message), addressing other recipients (e.g., what actions did other recipients take, and has the system taken action for other recipients such as scanning, blocking, warning, triggering a browser isolation session, etc.); the system also knows all the other URLs in the message via the Smart URL, and the system can treat these other URLs as being bad by association);
a zero-day URL conversion unit for converting, when the URL is determined as a zero-day URL having a potential zero-day attack risk, the zero-day URL into a preset secure URL on the basis of the URL inspection information ([0072] the system illustrated in FIG. 4 transforms the original message 401 to a transformed message 430 via Message Transformation Subsystem 420; Message Transformation Subsystem 420 includes a resource reference rewriting module 421 that transforms an original reference 410 to a protected reference 431; the transformed message 430 is then delivered to one or more message recipients; [0151] threat protection system can also create and provide an intermediary page to mitigate potential damage caused by a “zero day attack”; in many cases, at the time of the attack, the zero day attack is not even recognized as an attack at all; when the system does not know whether a resource that a user seeks to access is safe or not, the system creates and returns an intermediary page for the user notifying them to use caution; this may dissuade the user from accessing the resource and thwart the zero day attack; EXAMINER’S NOTE: this can be seen as an acknowledgment that an unknown URL has a potential zero-day attack risk, and is therefore a “zero-day URL”); and
a zero-day URL diagnosis unit for periodically diagnosing whether the zero-day URL is a malicious URL ([0083] system is configured to monitor the webpage and account for webpage changes, thereby allowing the system to perform an analysis on the webpage to account for any changes (i.e., new page loads) and subsequently provide security-related information to a user associated with a webpage and the displayed content every time new content is loaded).
Regarding Claims 2 and 9:
Maylor teaches the device according to claim 1 and the method according to claim 8. In addition, Maylor teaches the device and method further comprising a mail processing unit for processing a mail state according to analysis of the URL inspection information ([0072] the system receives as input an electronic message 401 that contains a reference 410 to a resource; the reference 410 conceptually provides a link or a pointer 411 to a resource 480; the system illustrated in FIG. 4 transforms the original message 401 to a transformed message 430 via Message Transformation Subsystem 420), wherein the mail processing unit includes a zero-day mail processing unit for replacing the zero-day URL with the secure URL ([0072] the system illustrated in FIG. 4 transforms the original message 401 to a transformed message 430 via Message Transformation Subsystem 420; Message Transformation Subsystem 420 includes a resource reference rewriting module 421 that transforms an original reference 410 to a protected reference 431), and processing the mail including the zero-day URL into a receiving state that allows the user terminal to access ([0072] the transformed message 430 is then delivered to one or more message recipients).
Regarding Claims 3 and 10:
Maylor teaches the device according to claim 2 and the method according to claim 9. In addition, Maylor teaches the device and method further comprising a URL classification information management unit for storing and managing information determined as one among a normal URL, a malicious URL, and a zero-day URL as URL classification information according to analysis of the URL inspection information ([0156]-[0157] systems of the present invention are configured to map a shortened URL to one or more stored objects such as JavaScript Object Notation (JSON) objects, wherein such objects may include informational data associated with them; accordingly, by associating the shortened URLs with objects such as JSON objects and the vast amount of informational data associated therewith, such shortened URLs become “smart URLs”, in that the threat detection systems can utilize the informational data tied to any given short URL for more advanced processing such as, for example, providing detailed intermediary pages (since the systems knows the message), performing remediation (again, since the system knows the message), addressing other recipients (e.g., what actions did other recipients take, and has the system taken action for other recipients such as scanning, blocking, warning, triggering a browser isolation session, etc.); the system also knows all the other URLs in the message via the Smart URL, and the system can treat these other URLs as being bad by association).
Regarding Claims 7 and 14:
Maylor teaches the device according to claim 1 and the method according to claim 8. In addition, Maylor teaches wherein the malicious URL includes one or more among induction of personal information input, download of malicious codes, execution of malicious scripts, and attack on web vulnerability ([0069] malicious link; [0117] in phishing attacks a message may include a link to a malicious website that is a close replica of a legitimate website, i.e. “induction of personal information input”).
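The flow the rejection attributes to Maylor (rewrite each reference to a protected reference at delivery per [0072], check at click time per [0079], show a caution page when the resource is unknown per [0151]) can be sketched as follows. This is an added example, not part of the Office action, the application, or Maylor; the proxy host, the HMAC-signed token format, the verdict store and the sample mail are all assumptions constructed for illustration, and the "block" outcome follows the block/warn options cited from [0080] under Claims 6 and 13.

```python
import base64
import hashlib
import hmac
import re
from typing import Optional, Tuple
from urllib.parse import urlparse

# Assumptions for illustration only: proxy endpoint, signing key, verdict store.
PROXY = "https://protect.example.invalid/r"
KEY = b"constructed-demo-key"
URL_RE = re.compile(r"https?://[^\s<>\"']+")
VERDICTS = {"intranet.example.org": "safe", "login-examp1e.test": "malicious"}

# Constructed sample mail body: one known-safe, one known-bad, one unseen URL.
SAMPLE_MAIL = (
    "Quarterly report: https://intranet.example.org/q3.pdf\n"
    "Reset here: http://login-examp1e.test/reset?u=1\n"
    "New vendor: https://files.unseen-vendor.test/invoice."
)


def split_trailing(raw: str) -> Tuple[str, str]:
    """Separate sentence punctuation that the regex swallowed from the URL."""
    core = raw.rstrip(".,;:!?)")
    return core, raw[len(core):]


def find_urls(body: str) -> list:
    return [split_trailing(m)[0] for m in URL_RE.findall(body)]


def sign(token: str) -> str:
    return hmac.new(KEY, token.encode(), hashlib.sha256).hexdigest()[:32]


def protect(url: str) -> str:
    """Original reference -> protected reference (signed so it cannot be forged)."""
    token = base64.urlsafe_b64encode(url.encode()).decode()
    return f"{PROXY}/{token}.{sign(token)}"


def rewrite_message(body: str) -> str:
    """Delivery-time transformation; already protected links are left alone."""
    def repl(match):
        core, trail = split_trailing(match.group(0))
        return match.group(0) if core.startswith(PROXY + "/") else protect(core) + trail
    return URL_RE.sub(repl, body)


def decode(protected: str) -> Optional[str]:
    if not protected.startswith(PROXY + "/"):
        return None
    token, _, sig = protected[len(PROXY) + 1:].rpartition(".")
    if not token or not hmac.compare_digest(sig, sign(token)):
        return None  # tampered or malformed protected reference
    try:
        return base64.urlsafe_b64decode(token.encode()).decode()
    except (ValueError, UnicodeDecodeError):
        return None


def on_click(protected: str) -> Tuple[str, Optional[str]]:
    """Click-time check: connect if safe, block if malicious, warn if unknown."""
    url = decode(protected)
    if url is None:
        return ("reject", None)
    verdict = VERDICTS.get((urlparse(url).hostname or "").lower(), "unknown")
    return ({"safe": "connect", "malicious": "block"}.get(verdict, "warn"), url)
```

Because the verdict is looked up when the link is clicked rather than when the mail is delivered, a URL that was unknown at delivery picks up whatever classification exists later without the message being touched again.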
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 4-6, 11-13 is/are rejected under 35 U.S.C. 103 as being unpatentable over Maylor, and further in view of Hunt et al (US 2018/0124110).
Regarding Claims 4 and 11:
Maylor teaches the device according to claim 3 and the method according to claim 10.
Maylor does not explicitly teach wherein the zero-day URL diagnosis unit includes a URL tracking module for acquiring URL chain information by tracking and managing one or more first derived URLs connected from the zero-day URL and [n-th] derived URLs successively derived through the first derived URLs at regular intervals.
However, Hunt teaches the concept of a URL diagnosis unit includes a URL tracking module for acquiring URL chain information by tracking and managing one or more first derived URLs connected from the URL and [n-th] derived URLs successively derived through the first derived URLs at regular intervals ([0004]-[0006] the accomplice model may determine that a URI is associated with malicious based upon the URI being associated with an attribute determined to be related to malicious behavior; the accomplice model may cause a web crawl to be initiated. During the web crawl, a URI corresponding to a web page may be identified; the URI may then be used to obtain a document to render the web page; the document (e.g., an HTML document) may include one or more instructions that cause a web page to be rendered; to render the web page, the document may be parsed, causing one or more additional URIs to be called during the rendering process; the web page may be determined to be malicious; in response to the web page being determined to be malicious, each URI that was called to render the web page may be added to a blacklist sequence (sometimes referred to as a list); accordingly, the blacklist sequence may include multiple URIs used to render the malicious web page); and
Maylor teaches wherein the URL is a zero-day URL ([0072], [0151]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the URL chain diagnosis teachings of Hunt with the security threat inspection teachings of Maylor, with the benefit of increasing user safety and security by evaluating the links embedded in a page which would otherwise be determined to be safe, thereby preventing access to malicious links hidden in “safe” websites, or identifying websites which attempt to obfuscate malicious activity through layers of misdirection.
Regarding Claims 5 and 12:
Maylor in view of Hunt teaches the device according to claim 4 and the method according to claim 11. In addition, Hunt teaches wherein the URL diagnosis unit further includes a URL chain diagnosis module for diagnosing whether the [n-th] derived URL is a malicious URL at regular intervals on the basis of the URL chain information, and storing and managing chain diagnosis information ([0004]-[0006] the accomplice model may determine that a URI is associated with malicious based upon the URI being associated with an attribute determined to be related to malicious behavior; the accomplice model may cause a web crawl to be initiated. During the web crawl, a URI corresponding to a web page may be identified; the URI may then be used to obtain a document to render the web page; the document (e.g., an HTML document) may include one or more instructions that cause a web page to be rendered; to render the web page, the document may be parsed, causing one or more additional URIs to be called during the rendering process; the web page may be determined to be malicious; in response to the web page being determined to be malicious, each URI that was called to render the web page may be added to a blacklist sequence (sometimes referred to as a list); accordingly, the blacklist sequence may include multiple URIs used to render the malicious web page); and
Maylor teaches wherein the URL is a zero-day URL ([0072], [0151]).
The rationale to combine Maylor and Hunt is the same as provided in claims 4 and 11, due to the overlapping subject matter between claims 4 and 5, 11 and 12.
Regarding Claims 6 and 13:
Maylor in view of Hunt teaches the device according to claim 5 and the method according to claim 12. In addition, Maylor teaches the device and method further comprising a secure URL connection unit for primarily redirecting, when the user terminal receiving a mail including the secure URL requests connection to the secure URL, the request from the user terminal, and processing connection to the zero-day URL ([0079] proxy server 501 receives a decoded link 110 from the Decode module; it then performs a safety Check 601 on the web page; this check may use any desired method to determine whether the web page presents known or suspected threats of any kind; [0080] check 601 determines that the link 110 is either safe 603 or malicious or suspicious 602; if the link is deemed safe, the system proceeds to connect 604 to the web page; if the link is deemed malicious or suspicious, one or more embodiments may either block access 605, or warn the user 606); and
Hunt teaches processing connection to the [n-th] derived URL determined not to be a malicious URL on the basis of the diagnosis information ([0007]-[0008] based upon a number of times the attribute reoccurs in at least one URI in different blacklist sequences, a score may be generated for the attribute; the score may indicate a likelihood that the attribute is associated with malicious behavior; in some examples, the score may be further based upon a number of times that a web crawl causes a URI with the attribute to be called without the web crawl resulting in the generation of a blacklist sequence (i.e., none of the URIs called during the web crawl were identified as malicious); the score may be compared to a threshold that indicates whether the attribute is malicious; when the attribute is determined to be malicious, a URI in the blacklist sequence may be determined to be malicious and output; output of the URI may be to a user to inform the user that the URI is malicious; in some examples, output of the URI may be to a system that either removes code that causes the URI to be called or, if the attribute is an element of a document used to render a web page, the attribute may be removed from the document; therefore, a URI which is not determined to be malicious continues to be processed).
The rationale to combine Maylor and Hunt is the same as provided in claims 5 and 12, due to the overlapping subject matter between claims 5 and 6, 12 and 13.
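The Hunt passages cited above ([0004]-[0008]) describe building a blacklist sequence from every URI called while rendering a malicious page, then scoring attributes by how often they recur across blacklist sequences versus crawls that produced none. The following is an added example, not part of the Office action or of Hunt; the attribute choice (host and file name), the score formula bad / (bad + clean), the threshold, the minimum-sequence count and the crawl records are assumptions constructed for illustration.

```python
from collections import Counter
from urllib.parse import urlparse

# Constructed crawl records: (page judged malicious?, URIs called while rendering).
CRAWLS = [
    (True,  ["http://promo-a.test/", "http://cdn.shared.test/jquery.js",
             "http://gate.test/x/load.js"]),
    (True,  ["http://promo-b.test/", "http://cdn.shared.test/jquery.js",
             "http://gate.test/y/load.js"]),
    (False, ["http://news.test/", "http://cdn.shared.test/jquery.js"]),
    (False, ["http://shop.test/", "http://cdn.shared.test/jquery.js"]),
    (True,  ["http://promo-c.test/", "http://gate.test/z/load.js"]),
]


def attributes(uri: str) -> set:
    """Assumed attribute set for a URI: its host and the file name in its path."""
    parts = urlparse(uri)
    attrs = {("host", (parts.hostname or "").lower())}
    name = parts.path.rsplit("/", 1)[-1]
    if name:
        attrs.add(("file", name))
    return attrs


def score_attributes(crawls) -> dict:
    """Map attribute -> (score, number of blacklist sequences containing it)."""
    bad, clean = Counter(), Counter()
    for malicious, uris in crawls:
        seen = set()
        for uri in uris:
            seen |= attributes(uri)
        # Count each attribute once per crawl, so one noisy page cannot inflate it.
        (bad if malicious else clean).update(seen)
    return {a: (bad[a] / (bad[a] + clean[a]), bad[a]) for a in bad}


def flagged_attributes(crawls, threshold=0.8, min_sequences=2) -> set:
    """Attributes whose score meets the threshold in enough distinct sequences."""
    return {a for a, (score, n) in score_attributes(crawls).items()
            if score >= threshold and n >= min_sequences}


def accomplices(crawls, threshold=0.8, min_sequences=2) -> list:
    """URIs in blacklist sequences that carry at least one flagged attribute."""
    flagged = flagged_attributes(crawls, threshold, min_sequences)
    out = set()
    for malicious, uris in crawls:
        if malicious:
            out.update(u for u in uris if attributes(u) & flagged)
    return sorted(out)
```

On the constructed data the shared CDN script appears in two blacklist sequences but also in two clean crawls, so its score stays at 0.5 and it is not flagged, while the gate.test loader recurs in three blacklist sequences and no clean crawl.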
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to FORREST L CAREY whose telephone number is (571)270-7814. The examiner can normally be reached 9:00AM-5:30PM M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, William Korzuch, can be reached at (571) 272-7589. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/FORREST L CAREY/Examiner, Art Unit 2491
/WILLIAM R KORZUCH/Supervisory Patent Examiner, Art Unit 2491