Prosecution Insights
Last updated: July 17, 2026
Application No. 18/355,478

STEMS AND METHODS FOR SECURING A SERVICE BY DETECTING CLIENT-SIDE WEB PAGE TAMPERING

Non-Final OA §103§112
Filed
Jul 20, 2023
Examiner
OLAEGBE, MUDASIRU K
Art Unit
2495
Tech Center
2400 — Computer Networks
Assignee
Behaviosec Inc.
OA Round
3 (Non-Final)
74%
Grant Probability
Favorable
3-4
OA Rounds
2m
Est. Remaining
91%
With Interview

Examiner Intelligence

Grants 74% — above average
74%
Career Allowance Rate
63 granted / 85 resolved
+16.1% vs TC avg
Strong +17% interview lift
Without
With
+17.2%
Interview Lift
resolved cases with interview
Typical timeline
3y 2m
Avg Prosecution
27 currently pending
Career history
116
Total Applications
across all art units

Statute-Specific Performance

§101
1.2%
-38.8% vs TC avg
§103
93.6%
+53.6% vs TC avg
§102
3.5%
-36.5% vs TC avg
§112
0.9%
-39.1% vs TC avg
Black line = Tech Center average estimate • Based on career data from 85 resolved cases

Office Action

§103 §112
DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . This communication is in response to an RCE filed on 03/05/2026. Claims 1-5, and 7-20 are currently pending. It is noted that claim 6 has been canceled from the application. Continued Examination Under 37 CFR 1.114 A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114, Applicant’s submission filed on 03/05/2026 has been entered. Claim Rejections - 35 USC § 112 The following is a quotation of 35 U.S.C. 112(b): (b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention. The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph: The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention. Claims 1-5, and 7-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. Regarding claims 1, 12, and 20, applicant recites the limitation of: “and wherein pre-configuration or specific user journey events are not required for the monitoring or the capturing.” However, it is noted in paragraphs 10, 38, 57, 58, 60, and 64 of applicant’s specification wherein interfaces, devices and modules are configured to carry out some functions in the implementation of the method. What type of pre-configuration is applicant referring to? It is not clear what applicant meant by pre-configuration not required for the monitoring or the capturing. If applicant is seeking patent based in parts on “pre-configuration not required for the monitoring or the capturing”, one of ordinary skill in the art would not understand what the applicant meant by pre-configuration not required for the monitoring or the capturing. Other, claims are rejected under 35 U.S.C. 112(b) due to dependency on the independent claims 1 and 12. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows: 1. Determining the scope and contents of the prior art. 2. Ascertaining the differences between the prior art and the claims at issue. 3. Resolving the level of ordinary skill in the pertinent art. 4. Considering objective evidence present in the application indicating obviousness or nonobviousness. Claims 1-5, 7-8, 10-17, and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over US PGPub. No. 20160088015 to Sivan et al. (hereinafter Sivan) in view US PGPub. No. 20250337779 to Chechik et al. (hereinafter Chechik). Regarding claim 1, Sivan discloses a method, comprising: monitoring, with a Mutation Observer instance, a web page Document associated with a Document Object Model (DOM) of a browsing session of a user (¶0011, “… observing changes to the DOM by a MutationObserver application programming interface (API) of the web browser,”), (¶0097, “Observing changes to the DOM may be performed, for example, by a MutationObserver API of the web browser. See https://developer.mozilla.org/en/docs/Web/API/MutationObserver,”); capturing one or more event-based mutations of the web page Document (¶0017, “…wherein the anti-injection client-side code comprises instructions which, when executed: (i) in a main execution thread running the web browser, intercept an injection of a node into the DOM (Document Object Model) of the web page, (ii) in a web worker execution thread, compare the injected node with a list, and (iii) in the main execution thread, based on the comparison, permit or block execution of the injected node in the web browser…”); retrieving, from a profile repository, user behaviometric history data (¶0110, “…The set of test rules may be determined according to the following method. In a first step, data from multiple clients may be collected. The data may pertain to a source code of a web page (or web pages), as it is available at each of the multiple clients. The data may be collected via a web browser of each client. It may be typically performed by a website owner implementing JavaScript code on pages of the website. For example, the JavaScript may be used to collect certain information (e.g., about the page and/or the visitor) and transmit it to a remote server. This may be performed whenever a page is retrieved by a web browser and/or when a JavaScript event occurs, such as a mouse click by the user or any event which is not user-initiated. The collection may also use asynchronous mechanisms such as setTimeout, setInterval and/or the like. Technically, the collection and transmittal of information to the remote server may utilize transparent image requests, Ajax-based requests, and/or WebSockets, as known in the art. In the Ajax case, when the page is retrieved by the web browser, a piece of Ajax code may call back to the dedicated server and pass information about the client. Oftentimes, the JavaScript code which collects the data is loaded and executed by the web browser prior to any injection of nodes.”), (¶0117, “…For example, user clicking patterns that occur on an object generated by the injected node may be identified as suspected to be malicious. Location and size of injected nodes, for example ad units such as a skyscraper which is located on the left side while in the original website there is no ad placement in the left side, may also increase the suspicion level. Generally, any content which is not according to the website profile database, may deem the node to be suspicious.”), (¶0063, “A second action is the comparison 110 of the injected node with a list. The list may be a white list which includes information relating to non-malicious (also “legitimate”) nodes, or a black list which includes information relating to malicious nodes. Namely, the list may include information which characterizes legitimate or malicious injections, respectively, based on data gathered from a large number of web browsers over time.”, wherein information which characterizes legitimate or malicious injections, respectively, based on data gathered from a large number of web browsers over time constitutes a repository); based on a predetermined similarity mismatch of the one or more event-based mutations of the web page Document to entries in the user behaviometric history data and output one or more indications of potential fraud (¶0063, “A second action is the comparison 110 of the injected node with a list. The list may be a white list which includes information relating to non-malicious (also “legitimate”) nodes, or a black list which includes information relating to malicious nodes. Namely, the list may include information which characterizes legitimate or malicious injections, respectively, based on data gathered from a large number of web browsers over time.”, wherein information which characterizes legitimate or malicious injections, respectively, based on data gathered from a large number of web browsers over time constitutes a repository), (¶0014, “In some embodiments, the list is a black list which comprises information relating to malicious nodes; and the execution of the injected node is blocked if the injected node matches the information, and is permitted if the injected node mismatches the information.”), (¶0016, “In some embodiments, the list is a white list which comprises information relating to non-malicious nodes; and the execution of the injected node is blocked if the injected node mismatches the information, and is permitted if the injected node matches the information.”), (¶0076, “A third action is permitting 114 or blocking 112 execution of the injected node in the web browser, based on the comparison. In the white list scenario, the execution of the injected node is blocked if it mismatches the information, and is permitted if the injected node matches the information. In the black list scenario, the execution of the injected node is blocked if it matches the information, and is permitted if the injected node mismatches the information.”), (¶0116, “By marking users who generate suspicious nodes (i.e., suspected to be malicious), one may see if the suspicious nodes are consistently injected for this user in case the user is seen in different websites. Continuous behavior of users may lead to identification of a node as malicious.”); wherein the one or more event-based mutations comprise a script injection or a code-triggered field value change that modifies a value in the web page Document without changing visible content displayed to the user, and wherein pre-configuration or specific user journey events are not required for the monitoring or the detecting. (¶0017, “Another embodiment provides a system comprising: (a) a non-transitory computer-readable storage medium having stored thereon instructions for: operating a web server to receive a call to an anti-injection client-side code from a web browser, wherein the call is facilitated by a code segment in a web page loaded by the web browser; and transmitting the anti-injection client-side code from the web server to the web browser, wherein the anti-injection client-side code comprises instructions which, when executed: (i) in a main execution thread running the web browser, intercept an injection of a node into the DOM (Document Object Model) of the web page, (ii) in a web worker execution thread, compare the injected node with a list, and (iii) in the main execution thread, based on the comparison, permit or block execution of the injected node in the web browser; and (b) at least one hardware processor configured to execute the instructions.”), (¶0015, “In some embodiments, the method further comprises creating the black list by: collecting information on injected nodes from multiple web browsers, by executing a data collection client-side code in each of the multiple web browsers, to intercept injection of nodes into the DOM of the web page and transmit the injected nodes to a web server; analyzing the collected information, to identify malicious ones of the injected nodes; and entering information associated with the malicious injected nodes into the list.”), (¶0115-¶0117, “… Anomaly analysis is a statistical analysis, which may be performed for the web site traffic in order to identify injected nodes as malicious by identifying injected nodes which appear only in a minority of the website visits. Thus, nodes which are identified as seldom injected may be suspected to be malicious, given the assumption that only a minority of users is affected by malicious node injection by third parties. By marking users who generate suspicious nodes (i.e., suspected to be malicious), one may see if the suspicious nodes are consistently injected for this user in case the user is seen in different websites. Continuous behavior of users may lead to identification of a node as malicious….”), (¶0038, “The term “client-side script” or “client-side code”, as referred to herein, may refer to a programming script which is executable by a web browser, thereby affecting the graphical view of a web page and/or otherwise affecting a behavior of the web browser. The programming script may be written, for example, in any one of JavaScript, Java, Microsoft Silverlight and Adobe Flash.”, wherein there is no need for a specific user journey to use a MutationObserver because it runs entirely on the client side within the browser’s Javascript environment and operates continuously and independently of user actions once initiated.), (¶0104, “fifth action may be the simulation of clicking patterns, to prevent malicious third-parties from noticing that their injections are being edited and/or blocked. For example, client-side code may be executed in the background, without the user noticing, in order to carry out the act intended to by these parties—but in a non-harmful manner. For example, if the malicious injection was intended to lure the user into clicking on an advertisement which directs to a certain landing page, then the client-side code may simulate such clicking and accessing the landing page.”). However, Sivan does not explicitly disclose the following limitation: responsive to comparing the one or more event-based mutations of the web page Document to the user behaviometric history data, denying continuation of the browsing session Chechik discloses responsive to comparing the one or more event-based mutations of the web page Document to the user behaviometric history data (¶0040-¶0042, “… the agent may analyze the rendered page for phishing attacks, by comparing one or more features and characteristics of the rendered page to recorded representations of one or more legitimate pages from the legitimate database….”), (¶0078… an element may be represented by one or more indications of attributes, properties, DOM elements, text, images, style, or the like, and the element may be identified in a page by extracting page properties and comparing the indicated properties of the element within the page properties. In some exemplary embodiments, the representation of the element may comprise DOM representations of attributes of the page element.”), denying continuation of the browsing session based on a predetermined similarity mismatch of the one or more event-based mutations of the web page Document to entries in the user behaviometric history data and output one or more indications of potential fraud (¶0100-¶0101, “the rendered page may be classified as a phishing page based on a determined domain name mismatch, based on an unsuccessful acquisition of one or more page elements in the rendered page (e.g., for a number of elements that overpasses a threshold), a combination thereof, or the like. In some exemplary embodiments, in response to determining that the representations of the page elements are acquired in the rendered page, but the domain names do not match, the rendered page may be determined to be a phishing page…one or more responsive actions may be performed in response to detecting the phishing attack, to classifying the target page as a phishing page, or the like. In some exemplary embodiments, the responsive actions may comprise displaying a warning to a user browsing the rendered page, blocking the user from using the rendered page, preventing the user from interacting with an input field of the rendered page, redirecting from the rendered page, issuing an alert to a manager of the legitimate page, or the like. For example, the rendered page may be blocked by terminating the browsing session, terminating a browser tab, inserting transparent objects that block the functionality of the page, or the like.”), (¶0079-¶0081, “On Step 130, the representations of the selected elements may be stored, logged, or the like, in a legitimate database that stores data of legitimate pages, websites, or the like. In some exemplary embodiments, each element representations may be stored in association with a legitimate page thereof, in association with a domain name of the page, in association with an order of the page within a multi-phase sequence, or the like. For example, each entry in the database may be related to a webpage and comprises the URL or another identifier of the webpage, representations of selected elements within the webpage… the database may be periodically updated, such as by loading for each entry the associated URL, browsing the associated page, and attempting to acquire recorded page elements from the page.”). See ¶0091 and ¶0096. Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the method of Sivan to include denying of further browsing as disclosed by Chechik and be motivated in doing so in order to prevent the user from further interaction with the rendered web page with phishing attack. Regarding claim 12, Sivan discloses a system, comprising: a processor (¶0017, “…at least one hardware processor configured to execute the instructions.”) and a memory having programming instructions stored thereon, which, when executed by the processor, cause the processor to (¶0022, “Another embodiment provides a computer program product comprising a non-transitory computer-readable medium having stored thereon instructions which, when executed by at least one hardware processor, cause the processor to…”): monitor, with a MutationObserver instance, a web page Document associated with a Document Object Model (DOM) of a browsing session of a user (¶0011, “… observing changes to the DOM by a MutationObserver application programming interface (API) of the web browser,”), (¶0097, “Observing changes to the DOM may be performed, for example, by a MutationObserver API of the web browser. See https://developer.mozilla.org/en/docs/Web/API/MutationObserver,”); detect one or more event-based mutations of the web page Document (¶0017, “…wherein the anti-injection client-side code comprises instructions which, when executed: (i) in a main execution thread running the web browser, intercept an injection of a node into the DOM (Document Object Model) of the web page, (ii) in a web worker execution thread, compare the injected node with a list, and (iii) in the main execution thread, based on the comparison, permit or block execution of the injected node in the web browser…”); store the one or more event-based mutations in the memory (¶0080, “the determination of the baseline of the DOM may include a reading of the scripts and/or resources of other types that are called to from the source code of the web page, and storing copies thereof in a memory of the computerized device running the web browser and/or in a web server, such as the web server which hosts that anti-injection client-side code…”) retrieve, from a profile repository, user behaviometric history data (¶0110, “…The set of test rules may be determined according to the following method. In a first step, data from multiple clients may be collected. The data may pertain to a source code of a web page (or web pages), as it is available at each of the multiple clients. The data may be collected via a web browser of each client. It may be typically performed by a website owner implementing JavaScript code on pages of the website. For example, the JavaScript may be used to collect certain information (e.g., about the page and/or the visitor) and transmit it to a remote server. This may be performed whenever a page is retrieved by a web browser and/or when a JavaScript event occurs, such as a mouse click by the user or any event which is not user-initiated. The collection may also use asynchronous mechanisms such as setTimeout, setInterval and/or the like. Technically, the collection and transmittal of information to the remote server may utilize transparent image requests, Ajax-based requests, and/or WebSockets, as known in the art. In the Ajax case, when the page is retrieved by the web browser, a piece of Ajax code may call back to the dedicated server and pass information about the client. Oftentimes, the JavaScript code which collects the data is loaded and executed by the web browser prior to any injection of nodes.”), (¶0117, “…For example, user clicking patterns that occur on an object generated by the injected node may be identified as suspected to be malicious. Location and size of injected nodes, for example ad units such as a skyscraper which is located on the left side while in the original website there is no ad placement in the left side, may also increase the suspicion level. Generally, any content which is not according to the website profile database, may deem the node to be suspicious.”), (¶0063, “A second action is the comparison 110 of the injected node with a list. The list may be a white list which includes information relating to non-malicious (also “legitimate”) nodes, or a black list which includes information relating to malicious nodes. Namely, the list may include information which characterizes legitimate or malicious injections, respectively, based on data gathered from a large number of web browsers over time.”, wherein information which characterizes legitimate or malicious injections, respectively, based on data gathered from a large number of web browsers over time constitutes a repository); based on a predetermined similarity mismatch of the one or more event-based mutations of the web page Document to entries in the user behaviometric history data and output one or more indications of potential fraud (¶0063, “A second action is the comparison 110 of the injected node with a list. The list may be a white list which includes information relating to non-malicious (also “legitimate”) nodes, or a black list which includes information relating to malicious nodes. Namely, the list may include information which characterizes legitimate or malicious injections, respectively, based on data gathered from a large number of web browsers over time.”, wherein information which characterizes legitimate or malicious injections, respectively, based on data gathered from a large number of web browsers over time constitutes a repository), (¶0014, “In some embodiments, the list is a black list which comprises information relating to malicious nodes; and the execution of the injected node is blocked if the injected node matches the information, and is permitted if the injected node mismatches the information.”), (¶0016, “In some embodiments, the list is a white list which comprises information relating to non-malicious nodes; and the execution of the injected node is blocked if the injected node mismatches the information, and is permitted if the injected node matches the information.”), (¶0076, “A third action is permitting 114 or blocking 112 execution of the injected node in the web browser, based on the comparison. In the white list scenario, the execution of the injected node is blocked if it mismatches the information, and is permitted if the injected node matches the information. In the black list scenario, the execution of the injected node is blocked if it matches the information, and is permitted if the injected node mismatches the information.”), (¶0116, “By marking users who generate suspicious nodes (i.e., suspected to be malicious), one may see if the suspicious nodes are consistently injected for this user in case the user is seen in different websites. Continuous behavior of users may lead to identification of a node as malicious.”); wherein the one or more event-based mutations comprise a script injection or a code-triggered field value change that modifies a value in the web page Document without changing visible content displayed to the user, and wherein pre-configuration or specific user journey events are not required for the monitoring or the detecting. (¶0017, “Another embodiment provides a system comprising: (a) a non-transitory computer-readable storage medium having stored thereon instructions for: operating a web server to receive a call to an anti-injection client-side code from a web browser, wherein the call is facilitated by a code segment in a web page loaded by the web browser; and transmitting the anti-injection client-side code from the web server to the web browser, wherein the anti-injection client-side code comprises instructions which, when executed: (i) in a main execution thread running the web browser, intercept an injection of a node into the DOM (Document Object Model) of the web page, (ii) in a web worker execution thread, compare the injected node with a list, and (iii) in the main execution thread, based on the comparison, permit or block execution of the injected node in the web browser; and (b) at least one hardware processor configured to execute the instructions.”), (¶0015, “In some embodiments, the method further comprises creating the black list by: collecting information on injected nodes from multiple web browsers, by executing a data collection client-side code in each of the multiple web browsers, to intercept injection of nodes into the DOM of the web page and transmit the injected nodes to a web server; analyzing the collected information, to identify malicious ones of the injected nodes; and entering information associated with the malicious injected nodes into the list.”), (¶0115-¶0117, “… Anomaly analysis is a statistical analysis, which may be performed for the web site traffic in order to identify injected nodes as malicious by identifying injected nodes which appear only in a minority of the website visits. Thus, nodes which are identified as seldom injected may be suspected to be malicious, given the assumption that only a minority of users is affected by malicious node injection by third parties. By marking users who generate suspicious nodes (i.e., suspected to be malicious), one may see if the suspicious nodes are consistently injected for this user in case the user is seen in different websites. Continuous behavior of users may lead to identification of a node as malicious….”), (¶0038, “The term “client-side script” or “client-side code”, as referred to herein, may refer to a programming script which is executable by a web browser, thereby affecting the graphical view of a web page and/or otherwise affecting a behavior of the web browser. The programming script may be written, for example, in any one of JavaScript, Java, Microsoft Silverlight and Adobe Flash.”, wherein there is no need for a specific user journey to use a MutationObserver because it runs entirely on the client side within the browser’s Javascript environment and operates continuously and independently of user actions once initiated.), (¶0104, “fifth action may be the simulation of clicking patterns, to prevent malicious third-parties from noticing that their injections are being edited and/or blocked. For example, client-side code may be executed in the background, without the user noticing, in order to carry out the act intended to by these parties—but in a non-harmful manner. For example, if the malicious injection was intended to lure the user into clicking on an advertisement which directs to a certain landing page, then the client-side code may simulate such clicking and accessing the landing page.”). However, Sivan does not explicitly disclose the following limitation: responsive to comparing the one or more event-based mutations of the web page Document to the user behaviometric history data, denying continuation of the browsing session Chechik discloses responsive to comparing the one or more event-based mutations of the web page Document to the user behaviometric history data (¶0040-¶0042, “… the agent may analyze the rendered page for phishing attacks, by comparing one or more features and characteristics of the rendered page to recorded representations of one or more legitimate pages from the legitimate database….”), (¶0078… an element may be represented by one or more indications of attributes, properties, DOM elements, text, images, style, or the like, and the element may be identified in a page by extracting page properties and comparing the indicated properties of the element within the page properties. In some exemplary embodiments, the representation of the element may comprise DOM representations of attributes of the page element.”), denying continuation of the browsing session based on a predetermined similarity mismatch of the one or more event-based mutations of the web page Document to entries in the user behaviometric history data and output one or more indications of potential fraud (¶0100-¶0101, “the rendered page may be classified as a phishing page based on a determined domain name mismatch, based on an unsuccessful acquisition of one or more page elements in the rendered page (e.g., for a number of elements that overpasses a threshold), a combination thereof, or the like. In some exemplary embodiments, in response to determining that the representations of the page elements are acquired in the rendered page, but the domain names do not match, the rendered page may be determined to be a phishing page…one or more responsive actions may be performed in response to detecting the phishing attack, to classifying the target page as a phishing page, or the like. In some exemplary embodiments, the responsive actions may comprise displaying a warning to a user browsing the rendered page, blocking the user from using the rendered page, preventing the user from interacting with an input field of the rendered page, redirecting from the rendered page, issuing an alert to a manager of the legitimate page, or the like. For example, the rendered page may be blocked by terminating the browsing session, terminating a browser tab, inserting transparent objects that block the functionality of the page, or the like.”), (¶0079-¶0081, “On Step 130, the representations of the selected elements may be stored, logged, or the like, in a legitimate database that stores data of legitimate pages, websites, or the like. In some exemplary embodiments, each element representations may be stored in association with a legitimate page thereof, in association with a domain name of the page, in association with an order of the page within a multi-phase sequence, or the like. For example, each entry in the database may be related to a webpage and comprises the URL or another identifier of the webpage, representations of selected elements within the webpage… the database may be periodically updated, such as by loading for each entry the associated URL, browsing the associated page, and attempting to acquire recorded page elements from the page.”). See ¶0091 and ¶0096. Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the method of Sivan to include denying of further browsing as disclosed by Chechik and be motivated in doing so in order to prevent the user from further interaction with the rendered web page with phishing attack. Regarding claim 20, Sivan discloses a non-transitory computer-readable medium having stored thereon software instructions that, when executed by a processor (¶0022, “Another embodiment provides a computer program product comprising a non-transitory computer-readable medium having stored thereon instructions which, when executed by at least one hardware processor, cause the processor to…”) monitoring, with a Mutation Observer instance, a web page Document associated with a Document Object Model (DOM) of a browsing session of a user (¶0011, “… observing changes to the DOM by a MutationObserver application programming interface (API) of the web browser,”), (¶0097, “Observing changes to the DOM may be performed, for example, by a MutationObserver API of the web browser. See https://developer.mozilla.org/en/docs/Web/API/MutationObserver,”); capturing one or more event-based mutations of the web page Document (¶0017, “…wherein the anti-injection client-side code comprises instructions which, when executed: (i) in a main execution thread running the web browser, intercept an injection of a node into the DOM (Document Object Model) of the web page, (ii) in a web worker execution thread, compare the injected node with a list, and (iii) in the main execution thread, based on the comparison, permit or block execution of the injected node in the web browser…”); retrieving, from a profile repository, user behaviometric history data (¶0110, “…The set of test rules may be determined according to the following method. In a first step, data from multiple clients may be collected. The data may pertain to a source code of a web page (or web pages), as it is available at each of the multiple clients. The data may be collected via a web browser of each client. It may be typically performed by a website owner implementing JavaScript code on pages of the website. For example, the JavaScript may be used to collect certain information (e.g., about the page and/or the visitor) and transmit it to a remote server. This may be performed whenever a page is retrieved by a web browser and/or when a JavaScript event occurs, such as a mouse click by the user or any event which is not user-initiated. The collection may also use asynchronous mechanisms such as setTimeout, setInterval and/or the like. Technically, the collection and transmittal of information to the remote server may utilize transparent image requests, Ajax-based requests, and/or WebSockets, as known in the art. In the Ajax case, when the page is retrieved by the web browser, a piece of Ajax code may call back to the dedicated server and pass information about the client. Oftentimes, the JavaScript code which collects the data is loaded and executed by the web browser prior to any injection of nodes.”), (¶0117, “…For example, user clicking patterns that occur on an object generated by the injected node may be identified as suspected to be malicious. Location and size of injected nodes, for example ad units such as a skyscraper which is located on the left side while in the original website there is no ad placement in the left side, may also increase the suspicion level. Generally, any content which is not according to the website profile database, may deem the node to be suspicious.”), (¶0063, “A second action is the comparison 110 of the injected node with a list. The list may be a white list which includes information relating to non-malicious (also “legitimate”) nodes, or a black list which includes information relating to malicious nodes. Namely, the list may include information which characterizes legitimate or malicious injections, respectively, based on data gathered from a large number of web browsers over time.”, wherein information which characterizes legitimate or malicious injections, respectively, based on data gathered from a large number of web browsers over time constitutes a repository); based on a predetermined similarity mismatch of the one or more event-based mutations of the web page Document to entries in the user behaviometric history data and output one or more indications of potential fraud (¶0063, “A second action is the comparison 110 of the injected node with a list. The list may be a white list which includes information relating to non-malicious (also “legitimate”) nodes, or a black list which includes information relating to malicious nodes. Namely, the list may include information which characterizes legitimate or malicious injections, respectively, based on data gathered from a large number of web browsers over time.”, wherein information which characterizes legitimate or malicious injections, respectively, based on data gathered from a large number of web browsers over time constitutes a repository), (¶0014, “In some embodiments, the list is a black list which comprises information relating to malicious nodes; and the execution of the injected node is blocked if the injected node matches the information, and is permitted if the injected node mismatches the information.”), (¶0016, “In some embodiments, the list is a white list which comprises information relating to non-malicious nodes; and the execution of the injected node is blocked if the injected node mismatches the information, and is permitted if the injected node matches the information.”), (¶0076, “A third action is permitting 114 or blocking 112 execution of the injected node in the web browser, based on the comparison. In the white list scenario, the execution of the injected node is blocked if it mismatches the information, and is permitted if the injected node matches the information. In the black list scenario, the execution of the injected node is blocked if it matches the information, and is permitted if the injected node mismatches the information.”), (¶0116, “By marking users who generate suspicious nodes (i.e., suspected to be malicious), one may see if the suspicious nodes are consistently injected for this user in case the user is seen in different websites. Continuous behavior of users may lead to identification of a node as malicious.”); wherein the one or more event-based mutations comprise a script injection or a code-triggered field value change that modifies a value in the web page Document without changing visible content displayed to the user, and wherein pre-configuration or specific user journey events are not required for the monitoring or the detecting. (¶0017, “Another embodiment provides a system comprising: (a) a non-transitory computer-readable storage medium having stored thereon instructions for: operating a web server to receive a call to an anti-injection client-side code from a web browser, wherein the call is facilitated by a code segment in a web page loaded by the web browser; and transmitting the anti-injection client-side code from the web server to the web browser, wherein the anti-injection client-side code comprises instructions which, when executed: (i) in a main execution thread running the web browser, intercept an injection of a node into the DOM (Document Object Model) of the web page, (ii) in a web worker execution thread, compare the injected node with a list, and (iii) in the main execution thread, based on the comparison, permit or block execution of the injected node in the web browser; and (b) at least one hardware processor configured to execute the instructions.”), (¶0015, “In some embodiments, the method further comprises creating the black list by: collecting information on injected nodes from multiple web browsers, by executing a data collection client-side code in each of the multiple web browsers, to intercept injection of nodes into the DOM of the web page and transmit the injected nodes to a web server; analyzing the collected information, to identify malicious ones of the injected nodes; and entering information associated with the malicious injected nodes into the list.”), (¶0115-¶0117, “… Anomaly analysis is a statistical analysis, which may be performed for the web site traffic in order to identify injected nodes as malicious by identifying injected nodes which appear only in a minority of the website visits. Thus, nodes which are identified as seldom injected may be suspected to be malicious, given the assumption that only a minority of users is affected by malicious node injection by third parties. By marking users who generate suspicious nodes (i.e., suspected to be malicious), one may see if the suspicious nodes are consistently injected for this user in case the user is seen in different websites. Continuous behavior of users may lead to identification of a node as malicious….”), (¶0038, “The term “client-side script” or “client-side code”, as referred to herein, may refer to a programming script which is executable by a web browser, thereby affecting the graphical view of a web page and/or otherwise affecting a behavior of the web browser. The programming script may be written, for example, in any one of JavaScript, Java, Microsoft Silverlight and Adobe Flash.”, wherein there is no need for a specific user journey to use a MutationObserver because it runs entirely on the client side within the browser’s Javascript environment and operates continuously and independently of user actions once initiated.), (¶0104, “fifth action may be the simulation of clicking patterns, to prevent malicious third-parties from noticing that their injections are being edited and/or blocked. For example, client-side code may be executed in the background, without the user noticing, in order to carry out the act intended to by these parties—but in a non-harmful manner. For example, if the malicious injection was intended to lure the user into clicking on an advertisement which directs to a certain landing page, then the client-side code may simulate such clicking and accessing the landing page.”). However, Sivan does not explicitly disclose the following limitation: responsive to comparing the one or more event-based mutations of the web page Document to the user behaviometric history data, denying continuation of the browsing session Chechik discloses responsive to comparing the one or more event-based mutations of the web page Document to the user behaviometric history data (¶0040-¶0042, “… the agent may analyze the rendered page for phishing attacks, by comparing one or more features and characteristics of the rendered page to recorded representations of one or more legitimate pages from the legitimate database….”), (¶0078… an element may be represented by one or more indications of attributes, properties, DOM elements, text, images, style, or the like, and the element may be identified in a page by extracting page properties and comparing the indicated properties of the element within the page properties. In some exemplary embodiments, the representation of the element may comprise DOM representations of attributes of the page element.”), denying continuation of the browsing session based on a predetermined similarity mismatch of the one or more event-based mutations of the web page Document to entries in the user behaviometric history data and output one or more indications of potential fraud (¶0100-¶0101, “the rendered page may be classified as a phishing page based on a determined domain name mismatch, based on an unsuccessful acquisition of one or more page elements in the rendered page (e.g., for a number of elements that overpasses a threshold), a combination thereof, or the like. In some exemplary embodiments, in response to determining that the representations of the page elements are acquired in the rendered page, but the domain names do not match, the rendered page may be determined to be a phishing page…one or more responsive actions may be performed in response to detecting the phishing attack, to classifying the target page as a phishing page, or the like. In some exemplary embodiments, the responsive actions may comprise displaying a warning to a user browsing the rendered page, blocking the user from using the rendered page, preventing the user from interacting with an input field of the rendered page, redirecting from the rendered page, issuing an alert to a manager of the legitimate page, or the like. For example, the rendered page may be blocked by terminating the browsing session, terminating a browser tab, inserting transparent objects that block the functionality of the page, or the like.”), (¶0079-¶0081, “On Step 130, the representations of the selected elements may be stored, logged, or the like, in a legitimate database that stores data of legitimate pages, websites, or the like. In some exemplary embodiments, each element representations may be stored in association with a legitimate page thereof, in association with a domain name of the page, in association with an order of the page within a multi-phase sequence, or the like. For example, each entry in the database may be related to a webpage and comprises the URL or another identifier of the webpage, representations of selected elements within the webpage… the database may be periodically updated, such as by loading for each entry the associated URL, browsing the associated page, and attempting to acquire recorded page elements from the page.”). See ¶0091 and ¶0096. Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the method of Sivan to include denying of further browsing as disclosed by Chechik and be motivated in doing so in order to prevent the user from further interaction with the rendered web page with phishing attack. Regarding claim 2, Sivan in view Chechik discloses the method of claim 1. Sivan further discloses wherein the one or more event-based mutations comprise one or more of a visible mutation, a hidden mutation, a script injection, and/or a code-triggered field value change (¶0121, “Visual structure anomaly analysis may be performed, for example, by taking a screen shot of a webpage which is known to be authentic and comparing it, using image processing method, with a suspected page, to identify visual differences which may be indicative of malicious injection of nodes.”), (¶0006, “…wherein the anti-injection client-side code comprises instructions which, when executed: (a) in a main execution thread running the web browser, intercept an injection of a node into the DOM (Document Object Model) of the web page…”), (¶0044, “The term “block”, as referred to herein with respect to source code, may relate to any operation that prevents changes to the source code, or causes such changes to be hidden from the user of the pertinent web browser…”). See also ¶0045. Regarding claim 13, Sivan in view Chechik discloses the system of claim 12. Sivan further discloses wherein the one or more event-based mutations comprise one or more of a visible mutation, a hidden mutation, a script injection, and/or a code-triggered field value change (¶0121, “Visual structure anomaly analysis may be performed, for example, by taking a screen shot of a webpage which is known to be authentic and comparing it, using image processing method, with a suspected page, to identify visual differences which may be indicative of malicious injection of nodes.”), (¶0006, “…wherein the anti-injection client-side code comprises instructions which, when executed: (a) in a main execution thread running the web browser, intercept an injection of a node into the DOM (Document Object Model) of the web page…”), (¶0044, “The term “block”, as referred to herein with respect to source code, may relate to any operation that prevents changes to the source code, or causes such changes to be hidden from the user of the pertinent web browser…”). See also ¶0045. Regarding claim 3, Sivan in view Chechik discloses the method of claim 1. Sivan further discloses wherein the one or more event-based mutations of the web page Document are associated with a JavaScript thread (¶0038, “…The programming script may be written, for example, in any one of JavaScript, Java, Microsoft Silverlight and Adobe Flash.”), (0057, “…The injection is, essentially, the loading and/or execution of a client-side code (such as JavaScript) in the web browser, which loading and/or execution are capable of affecting the content, operation and/or references, including the graphical view, of the web page…”). Regarding claim 14, Sivan in view Chechik discloses the system of claim 12. Sivan further discloses wherein the one or more event-based mutations of the web page Document are associated with a JavaScript thread (¶0038, “…The programming script may be written, for example, in any one of JavaScript, Java, Microsoft Silverlight and Adobe Flash.”), (0057, “…The injection is, essentially, the loading and/or execution of a client-side code (such as JavaScript) in the web browser, which loading and/or execution are capable of affecting the content, operation and/or references, including the graphical view, of the web page…”). Regarding claim 4, Sivan in view Chechik discloses the method of claim 1. Sivan further discloses wherein the one or more event-based mutations of the web page Document modifies a value without changing visible content displayed to the user (¶0044, “The term “block”, as referred to herein with respect to source code, may relate to any operation that prevents changes to the source code, or causes such changes to be hidden from the user of the pertinent web browser…”). Regarding claim 15, Sivan in view Chechik discloses the system of claim 12. Sivan further discloses wherein the one or more event-based mutations of the web page Document modifies a value without changing visible content displayed to the user (¶0044, “The term “block”, as referred to herein with respect to source code, may relate to any operation that prevents changes to the source code, or causes such changes to be hidden from the user of the pertinent web browser…”). Regarding claim 5, Sivan in view Chechik discloses the method of claim 1. Sivan further discloses wherein responsive to the capturing the one or more event-based mutations, the MutationObserver instance updates a variable containing a list of document mutations triggered by a user interaction or code execution (¶0030-¶0031, “Methods, systems and computer program products are disclosed herein, for detecting, editing and/or blocking nodes which were maliciously-injected, at a client side, into a source code of a web page…”), (¶0045, “The term “edit” and its derivations, as referred to herein with respect to source code and including nodes, may relate to any change made to the source code, including removal, deletion, modification, insertion and/or restoration of source code.”), (¶0015, “… analyzing the collected information, to identify malicious ones of the injected nodes; and entering information associated with the malicious injected nodes into the list.”), (¶0106, “…The intercepting may use one or more of the proactive and reactive techniques discussed above. In the analysis, malicious ones of the injected nodes may be identified. Then, information associated with the malicious injected nodes may be entered into the list.”, wherein the information associated with the malicious injected nodes is interpreted as the variable containing a list of document mutations). Regarding claim 16, Sivan in view Chechik discloses the system of claim 12. Sivan further discloses wherein responsive to the capturing the one or more event-based mutations, the MutationObserver instance updates a variable containing a list of document mutations triggered by a user interaction or code execution (¶0030-¶0031, “Methods, systems and computer program products are disclosed herein, for detecting, editing and/or blocking nodes which were maliciously-injected, at a client side, into a source code of a web page…”), (¶0045, “The term “edit” and its derivations, as referred to herein with respect to source code and including nodes, may relate to any change made to the source code, including removal, deletion, modification, insertion and/or restoration of source code.”), (¶0015, “… analyzing the collected information, to identify malicious ones of the injected nodes; and entering information associated with the malicious injected nodes into the list.”), (¶0106, “…The intercepting may use one or more of the proactive and reactive techniques discussed above. In the analysis, malicious ones of the injected nodes may be identified. Then, information associated with the malicious injected nodes may be entered into the list.”, wherein the information associated with the malicious injected nodes is interpreted as the variable containing a list of document mutations). Regarding claim 7, Sivan in view of Chechik discloses the method of claim 1. Sivan further discloses wherein the one or more event-based mutations are related to user deception, (¶0032, “The user may be further exposed to attempts to steal sensitive information of personal, financial and/or business importance. Examples of such occurrences may include stealing credit card data entered into a web page form by the user, injection of advertisements from which the malicious third-parties benefit, injection of referrals to other Internet resources, such as online stores, from which the malicious third-parties benefit, clickjacking, etc. Overall, such malicious injections may circumvent the user's activity away from the interests of the web page owner or may violate the user's privacy.”), (¶0104, “...if the malicious injection was intended to lure the user into clicking on an advertisement which directs to a certain landing page, then the client-side code may simulate such clicking and accessing the landing page”); Regarding claim 8, Sivan in view Chechik discloses the method of claim 1. Sivan further discloses further comprising updating and storing in the profile repository, user behaviometric history data based on captured event-based mutations of the web page Document that are usual user-specific document modifications (¶0030-¶0031, “Methods, systems and computer program products are disclosed herein, for detecting, editing and/or blocking nodes which were maliciously-injected, at a client side, into a source code of a web page…”), (¶0045, “The term “edit” and its derivations, as referred to herein with respect to source code and including nodes, may relate to any change made to the source code, including removal, deletion, modification, insertion and/or restoration of source code.”), (¶0015, “… analyzing the collected information, to identify malicious ones of the injected nodes; and entering information associated with the malicious injected nodes into the list.”), (¶0106, “…The intercepting may use one or more of the proactive and reactive techniques discussed above. In the analysis, malicious ones of the injected nodes may be identified. Then, information associated with the malicious injected nodes may be entered into the list.”), (¶0080, “The determination of the baseline of the DOM may include a reading of the scripts and/or resources of other types that are called to from the source code of the web page, and storing copies thereof in a memory of the computerized device running the web browser and/or in a web server, such as the web server which hosts that anti-injection client-side code…”), (¶0111, “The collected data may include, for example, anything ranging from the complete source code at the client-side, to specific pieces of interest from the source code, such as subdomains and/or other domains that are called for by the source code, in particular ad networks and ad delivery systems as well as placement positions and sizes that are used by the website, user mouse activities, stack traces, JavaScript code and/or other events detectable using JavaScript. Furthermore, the collected data may include metadata such as a location of the user, its “user-agent” information, system and web browser information, etc.”), and Chechik further discloses the limitation of authorizing continuation of the browsing session based on a predetermined similarity match of the one or more event-based mutations to entries in the user behaviometric history data (¶0117-¶0118, “… a DOM representation of Page 340 may be extracted, and textboxes therein may be compared to indicated textboxes that are represented in Page 300. Page 340 may be determined to match or correspond to Page 300 in case it resembles the representations of Page 300 in a sufficient manner, e.g., above a similarity threshold. In case defined elements and their properties, as defined with respect to Page 300, are fully or partially identified in the extracted data of Page 340, the pages may be determined to match.”), (¶0123, “… For example, Alert 360 may comprise a Report and Leave 362 button, a Continue 364 button, or the like. The Report and Leave 362 button may enable the user to report Page 340 as being a phishing page, such as to relevant authorities, and to leave Page 340, while Continue 364 may enable to user to continue to browse Page 340”). Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the method of Sivan and Chechik to include authorizing continuation of the browsing session based on a predetermined similarity match of the one or more event-based mutations to entries in the user behaviometric history data as disclosed by Chechik and be motivated in doing so in order to encourage user to browse legitimate web page safely. Regarding claim 17, Sivan in view Chechik discloses the system of claim 12. Sivan further discloses wherein the programming instructions further cause the processor to update and store in the profile repository, user behaviometric history data based on captured event-based mutations of the web page Document that are usual user-specific document modifications (¶0030-¶0031, “Methods, systems and computer program products are disclosed herein, for detecting, editing and/or blocking nodes which were maliciously-injected, at a client side, into a source code of a web page…”), (¶0045, “The term “edit” and its derivations, as referred to herein with respect to source code and including nodes, may relate to any change made to the source code, including removal, deletion, modification, insertion and/or restoration of source code.”), (¶0015, “… analyzing the collected information, to identify malicious ones of the injected nodes; and entering information associated with the malicious injected nodes into the list.”), (¶0106, “…The intercepting may use one or more of the proactive and reactive techniques discussed above. In the analysis, malicious ones of the injected nodes may be identified. Then, information associated with the malicious injected nodes may be entered into the list.”), (¶0080, “The determination of the baseline of the DOM may include a reading of the scripts and/or resources of other types that are called to from the source code of the web page, and storing copies thereof in a memory of the computerized device running the web browser and/or in a web server, such as the web server which hosts that anti-injection client-side code…”), (¶0111, “The collected data may include, for example, anything ranging from the complete source code at the client-side, to specific pieces of interest from the source code, such as subdomains and/or other domains that are called for by the source code, in particular ad networks and ad delivery systems as well as placement positions and sizes that are used by the website, user mouse activities, stack traces, JavaScript code and/or other events detectable using JavaScript. Furthermore, the collected data may include metadata such as a location of the user, its “user-agent” information, system and web browser information, etc.”), and Chechik further discloses the limitation of authorizing continuation of the browsing session based on a predetermined similarity match of the one or more event-based mutations to entries in the user behaviometric history data (¶0117-¶0118, “… a DOM representation of Page 340 may be extracted, and textboxes therein may be compared to indicated textboxes that are represented in Page 300. Page 340 may be determined to match or correspond to Page 300 in case it resembles the representations of Page 300 in a sufficient manner, e.g., above a similarity threshold. In case defined elements and their properties, as defined with respect to Page 300, are fully or partially identified in the extracted data of Page 340, the pages may be determined to match.”), (¶0123, “… For example, Alert 360 may comprise a Report and Leave 362 button, a Continue 364 button, or the like. The Report and Leave 362 button may enable the user to report Page 340 as being a phishing page, such as to relevant authorities, and to leave Page 340, while Continue 364 may enable to user to continue to browse Page 340”). Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the method of Sivan and Chechik to include authorizing continuation of the browsing session based on a predetermined similarity match of the one or more event-based mutations to entries in the user behaviometric history data as disclosed by Chechik and be motivated in doing so in order to encourage user to browse legitimate web page safely. Regarding claim 10, Sivan in view Chechik discloses the method of claim 1. Sivan further discloses wherein the capturing of the one or more event-based mutations of the web page Document comprises recording mutations made to the web page Document with a timeline to detect user-specific behavior (¶0111-¶0112, “The collected data may include, for example, anything ranging from the complete source code at the client-side, to specific pieces of interest from the source code, such as subdomains and/or other domains that are called for by the source code, in particular ad networks and ad delivery systems as well as placement positions and sizes that are used by the website, user mouse activities, stack traces, JavaScript code and/or other events detectable using JavaScript. Furthermore, the collected data may include metadata such as a location of the user, its “user-agent” information, system and web browser information, etc… Additionally or alternatively, the collected data may include performance metrics obtained from a performance API of the web browsers. These metrics are indicative of the time it takes to execute various DOM elements and the exact time their execution started. For example, the function performance.getEntries( ) may be used to get a list of PerformanceResourceTiming objects. Elements which take longer to execute than others may be suspected as malicious, since web site owners usually refrain from structuring their web sites in way which causes them to load slowly in web browsers.”), and Chechik further discloses wherein the capturing of the one or more event-based mutations of the web page Document comprises recording visible and hidden mutations made to the web page Document with a timeline to detect user-specific behavior (¶0039, “in order to identify that a rendered sequence of one or more target pages imitates a sequence of one or more legitimate source pages, one or more portions of each legitimate page may be recorded. In some exemplary embodiments, a user such as an operator of a website, an operator of an anti-phishing organization, or any other human user, automation program, or the like, may select for each legitimate page that is desired to be protected, a plurality of elements that are estimated to visually represent the page…”), (¶0041, “… each recorded element may be recorded in association with its housing page and the order of the source page within the sequence…”), (¶0106, “the recording logic may automatically scrape and extract attributes of the one or more selected elements from Page 300, and generate one or more representations for each selected element. In some exemplary embodiments, representations for each selected element may be generated based on properties of the selected element, DOM representations thereof, a domain name of Page 300, invisible or visible attributes of the element, or the like. In some exemplary embodiments, representations for an element may be generated to acquire a selected element using DOM-based representations, contextual representations, representations of visual attributes, representations of invisible attributes, or the like.”), (¶0081, “…In some exemplary embodiments, the database may be periodically updated, such as by loading for each entry the associated URL, browsing the associated page, and attempting to acquire recorded page elements from the page.”). Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the method of Sivian and Chechik to include recording visible and hidden mutations made to the web page Document with a timeline as disclosed by Chechik and be motivated in doing so in order to provide a complete diagnostic audit trail of the web page’s state and precise session replay. Regarding claim 11, Sivan in view Chechik discloses the method of claim 1. Sivan further discloses wherein the user behaviometric history data comprises one or more of keystroke dynamics, key press time, key flight time, mouse movement, swipe pressure, swipe position, operating system, browser type, device information, screen refresh rate, and usual user-specific document modifications (¶0060, “… Exemplary events include mouse clicks, mouse moves, opening of windows, focusing on elements, and more.”) Regarding claim 19, Sivan in view Chechik discloses the system of claim 12. Sivan further discloses wherein the user behaviometric history data comprises one or more of keystroke dynamics, key press time, key flight time, mouse movement, swipe pressure, swipe position, operating system, browser type, device information, screen refresh rate, and usual user-specific document modifications (¶0060, “… Exemplary events include mouse clicks, mouse moves, opening of windows, focusing on elements, and more.”) Claims 9 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over US PGPub. No. 20160088015 to Sivan et al. (hereinafter Sivan in view US PGPub. No. 20250337779 to Chechik et al. (hereinafter Chechik) and further in view of US PGPub. No. 20200257756 to Sheng et al. (hereinafter Sheng). Regarding claim 9, Sivan in view Chechik discloses the method of claim 8. However, Sivan in view Chechik does not explicitly disclose the limitation of: wherein the usual user-specific document modifications comprise one or more of popup hiding, content translation, and/or forcing dark mode on a web page using one or more web browser extensions. Sheng discloses forcing dark mode on a web page using one or more web browser extensions (¶0049, “a variety of different options may be provided to allow the user to change the style, layout, or format of the web page. In some cases, a browser menu option may allow the user to change the color scheme of the current web page (e.g., dark mode, light mode, or select different color patterns), change the background pattern of the web page, change the sizes of web elements on the page, change the text sizes or fonts, change the character spacing or spacing between elements, change the text style, change the size or display characteristics of images on the page, change the layout of the web elements on the page, etc. It should be understood that there need not be a fixed or enumerated set of style/format/layout change options provided by the browser 122 or browser extension 124…”). Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the method of Sivan and Chechik to include forcing dark mode on a web page using one or more web browser extensions as disclosed by Sheng and be motivated in doing so in order to have an unlimited number of possible style/format/layout changes and configurations may be supported on the client-side using dynamically generated cascading style sheets (CSS) (and/or other web content)-Sheng ¶0049 in parts. Regarding claim 18, Sivan in view Chechik discloses the system of claim 17. However, Sivan in view of Chechik does not explicitly disclose the limitation of: wherein the usual user-specific document modifications comprise one or more of popup hiding, content translation, and/or forcing dark mode on a web page using one or more web browser extensions. Sheng discloses forcing dark mode on a web page using one or more web browser extensions (¶0049, “a variety of different options may be provided to allow the user to change the style, layout, or format of the web page. In some cases, a browser menu option may allow the user to change the color scheme of the current web page (e.g., dark mode, light mode, or select different color patterns), change the background pattern of the web page, change the sizes of web elements on the page, change the text sizes or fonts, change the character spacing or spacing between elements, change the text style, change the size or display characteristics of images on the page, change the layout of the web elements on the page, etc. It should be understood that there need not be a fixed or enumerated set of style/format/layout change options provided by the browser 122 or browser extension 124…”). Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the system of Sivan and Chechik to include forcing dark mode on a web page using one or more web browser extensions as disclosed by Sheng and be motivated in doing so in order to have an unlimited number of possible style/format/layout changes and configurations may be supported on the client-side using dynamically generated cascading style sheets (CSS) (and/or other web content)-Sheng ¶0049 in parts. Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. US. 20230385528, US. 20130042298. Any inquiry concerning this communication or earlier communications from the examiner should be directed to MUDASIRU K OLAEGBE whose telephone number is (571)272-2082. The examiner can normally be reached MON-FRI. 7.30AM-5.30PM. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached at 5712723739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /MUDASIRU K OLAEGBE/Examiner, Art Unit 2495 /FARID HOMAYOUNMEHR/Supervisory Patent Examiner, Art Unit 2495
Read full office action

Prosecution Timeline

Show 6 earlier events
Dec 10, 2025
Final Rejection mailed — §103, §112
Jan 15, 2026
Interview Requested
Jan 28, 2026
Applicant Interview (Telephonic)
Feb 04, 2026
Examiner Interview Summary
Feb 10, 2026
Response after Non-Final Action
Mar 05, 2026
Request for Continued Examination
Mar 17, 2026
Response after Non-Final Action
Jun 18, 2026
Non-Final Rejection mailed — §103, §112 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12683932
DYNAMIC ROUTING OF APPLICATION TRAFFIC TO ZTNA CONNECTORS
3y 6m to grant Granted Jul 14, 2026
Patent 12676887
METHOD AND SYSTEM FOR GENERATING DECOY FILES USING A DEEP LEARNING ENGINE FOR PROTECTION AGAINST RANSOMWARE ATTACKS
3y 4m to grant Granted Jul 07, 2026
Patent 12621320
SYSTEMS, METHODS, AND APPARATUSES FOR DETERMINING RESOURCE MISAPPROPRIATION BASED ON DISTRIBUTION FREQUENCY IN AN ELECTRONIC NETWORK
3y 5m to grant Granted May 05, 2026
Patent 12574406
SYSTEM AND METHOD FOR DATA FILTERING IN MACHINE LEARNING MODEL TO DETECT IMPERSONATION ATTACKS
5y 3m to grant Granted Mar 10, 2026
Patent 12489623
SYSTEMS AND COMPUTER-IMPLEMENTED METHODS FOR GENERATING PSEUDO RANDOM NUMBERS
3y 4m to grant Granted Dec 02, 2025
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

3-4
Expected OA Rounds
74%
Grant Probability
91%
With Interview (+17.2%)
3y 2m (~2m remaining)
Median Time to Grant
High
PTA Risk
Based on 85 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month