SYSTEMS AND METHODS FOR UTILIZING GRAPH NEURAL NETWORKS FOR SCAM WEBSITE DETECTION

DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Response to Arguments Applicant’s argument, see Remarks, filed 12/10/2025, with respect to the rejection(s) of independent claims 1, 11 and 20 under 35 USC § 103 have been fully considered but are moot because of the new ground rejection issued herewith based on a newly found prior art, Belák, US 2024/0354406. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 1, 4, 11, 14 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over US-PGPUB No. 2014/0033307 A1 to Schmidtler, US-PGPUB No. 2024/0354406 A1 to Belák et al. (hereinafter “Belák”), and further in view of US-PGPUB No. 2010/0186088 A1 to Banerjee et al. (hereinafter “Banerjee”) Regarding claim 1: Schmidtler discloses: A computer-implemented method […] for scam website detection (¶13: “a method is provided, the method creating a feature vector for a website, and providing the feature vector to a model to determine whether or not the website is a phishing website.”), at least a portion of the method being performed by one or more computing devices (see Fig. 6, computing devices 604) comprising at least one processor (see Fig. 8, Processing 804), the method comprising: creating, by the one or more computing devices, a dataset of target websites comprising unknown websites and known scam websites (¶51: “one or more URLs may be received at a pre-filter/feature vector generator 404. The URLs may correspond to known phishing sites as well as unknown fishing sites.”) with corresponding scam categories (¶55: “a score may be provided that is indicative of whether or not the phishing site targets a category of entities,”); extracting, by the one or more computing devices, a plurality of website constructs utilized for executing scam attacks from the dataset of target websites (¶51: “feature vectors produced by the feature vector generator 404 … detecting phishing websites may be used to determine if the passed feature vectors appear to be associated with one or more phishing websites.”); However, Schmidtler does not explicitly disclose the following limitations taught by Belák: […] for utilizing graph neural networks (Belák, ¶46: “… the graph neural network methods described herein can be applied … to identify money laundering and identifying malicious websites by a graph of their linkage, …”) determining, by the one or more computing devices using a graph neural network (GNN), a similarity score representing a probability of an edge between the unknown websites and the one or more of the scam categories based on the grouping (Belák, ¶07: “The graph is provided to a graph neural network that is trained to generate … a degree of relatedness between the geometric representation of the computer instructions and … base graphs known to be malicious is determined.”); performing, by the one or more computing devices, a security action in response to the graph neural network (GNN) identifying the unknown websites as potential scam websites based on the similarity score determined from the plurality of website constructs (Belák, ¶27: “If the graph neural network module determines that the application is likely malicious, it notifies the user, stops execution of the application, uninstalls the application, or performs other such functions to restrict execution of the malicious instructions and/or notify the user in various examples, thereby protecting the user 126's smart phone 124 from malware.”). It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of Schmidtler to incorporate the functionality of the method of detecting likely malicious activity by identifying a set of behaviors of the computer instructions and representing the identified behaviors as a graph, wherein the graph is provided to a graph neural network to generate a degree of relatedness to a malicious graph, as disclosed by Belák, such modification would enable the system to identify and fix potential vulnerabilities in a website. The combination of Schmidtler and Belák does not explicitly disclose the following limitation taught by Banerjee: building, by the one or more computing devices, a graph comprising a plurality of nodes (Banerjee, ¶125: “A graph is generated by representing a web-site (or a web-page) as a node and the hyper-links between the sites as edges in the graph 802. The graph is analyzed 803 to calculate a threat score 804.”) for associating each of the target websites with one or more of the corresponding scam categories (Banerjee, ¶54: “… can identify rogue websites and pinpoint the specific vulnerabilities or threats, including … linked websites.”) using a plurality of edges (Banerjee, p125: “A graph is generated by representing a web-site (or a web-page) as a node and the hyper-links between the sites as edges in the graph 802.”); grouping, by the one or more computing devices and for each of the nodes, the target websites based on sharing a common construct within the plurality of website constructs (Banerjee, ¶127: “… identifying bi-partite cliques (loosely groups of sites that point to the same websites or are pointed to by the same websites).”); It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of Schmidtler and Belák to incorporate the functionality of the method to generate a graph by representing a web-site as a node and the hyper-links between the sites as edges in the graph, as disclosed by Banerjee, such modification would enable the system to identify common features and similarities between web-sites, and determine if a web-site belongs to a blacklist or a good list. Regarding claim 4: The combination of Schmidtler, Belák and Banerjee discloses: The computer-implemented method of claim 1, wherein extracting the website constructs comprises retrieving, from the dataset of target websites, at least one of: text data; image data; hypertext markup language (HTML) structure data (Schmidtler, ¶48: “an HTML content feature vector,”); web analytics identifier data; online payment processor account data; or cryptographic key data. Regarding claim 11: Schmidtler discloses: A system for utilizing graph neural networks for scam website detection (see the system of Fig. 8), the system comprising: at least one physical processor (see Fig. 8, Processor 804); and physical memory (see Fig. 8, Memory 808) comprising computer-executable instructions and one or more modules that, when executed by the physical processor (¶66: “… memory 808 may be used in connection with the execution of programming instructions by the processor/controller 804, and for the temporary or long term storage of data and/or program instructions.”), cause the physical processor to: In addition to the above limitations claim 11 substantially recites the same limitations as claim 1 in the form of a system implementing the corresponding functionality. Therefore, it is rejected by the same rationale. Regarding claim 14: Claim 14 substantially recites the same limitations as claim 4 in the form of a system implementing the corresponding functionality. Therefore, it is rejected by the same rationale. Regarding claim 20: Schmidtler discloses: A non-transitory computer-readable medium comprising one or more computer-executable instructions that, when executed by at least one processor of a computing device (¶15: “a non-transitory computer readable medium is provide[d], the non-transitory computer readable containing instructions that when executed by a processor and memory, cause the processor to facilitate the classification of one or more websites,”), cause the computing device to: In addition to the above limitations claim 20 substantially recites the same limitations as claim 1 in the form of a non-transitory computer-readable medium comprising one or more computer-executable instructions to execute the corresponding functionality. Therefore, it is rejected by the same rationale. Claims 2-3 and 12-13 are rejected under 35 U.S.C. 103 as being unpatentable over Schmidtler, Belák, Banerjee, and further in view of US-PGPUB No. 2024/0330960 A1 to Bitaab et al. (hereinafter “Bitaab”) Regarding claim 2: The combination of Schmidtler, Belák and Banerjee discloses the computer-implemented method of claim 1, but does not explicitly teach the following limitation taught by Bitaab: wherein creating the dataset of target websites comprises: retrieving scam data identifying the known scam websites and the corresponding scam categories (Bitaab, ¶91: “After collecting a dataset, the labeled FCWs can be categorized to understand the different types of FCWs.”, FCW: Fraudulent e-Commerce Websites) from one or more data sources (Bitaab, see Fig. 5, Dataset, and External Data Sources); and detecting, from the data sources, the unknown websites (Bitaab, ¶108: “detect FCWs from in-the-wild websites. Various features are defined based on analysis of the collected dataset.”). It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of Schmidtler, Belák and Banerjee to incorporate the functionality of the method to collect a dataset of fraudulent websites and categorizing the websites based on various features, as disclosed by Bitaab, such modification would enable the system to identify fraudulent websites in various categories. Regarding claim 3: The combination of Schmidtler, Belák, Banerjee and Bitaab discloses: The computer-implemented method of claim 2, wherein retrieving the scam data comprises querying the data sources for at least two of: telemetry data; malicious universal resource locator (URL) feeds (Bitaab, ¶148: “a URL can be received at 702 by security platform 122 from a feed (e.g., … provided by a third party service such as VirusTotal).”); public website scam reports (Bitaab, ¶85: “users discussing FCWs (/r/Scams), from which a dataset of users' submissions and comments can be constructed.”); and scam forum threads. The same motivation which is applied to claim 2 with respect to Bitaab is applies to claim 3. Regarding claims 12-13: Claims 12-13 substantially recite the same limitations as claims 2-3, respectively, in the form of a system implementing the corresponding functionality. Therefore, they are rejected by the same rationale. Claims 5 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Schmidtler, Belák, Banerjee, US-PGPUB No. 2024/0362563 A1 to Schmidt et al. (hereinafter “Schmidt”), and further in view of US-PGPUB No. 2024/0346080 A1 to Palumbo et al. (hereinafter “Palumbo”) Regarding claim 5: The combination of Schmidtler, Belák and Banerjee discloses the computer-implemented method of claim 1, but does not explicitly teach the following limitation taught by Schmidt: wherein building the graph comprises: assigning a first set of nodes corresponding to the target websites comprising the unknown websites and known scam websites (Schmidt, ¶31: “other node(s) can be selected to be target nodes”); assigning a second set of nodes corresponding to each of the scam categories (Schmidt, ¶30: “The risk categories can be assigned to certain nodes …”); It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of Schmidtler, Belák and Banerjee to incorporate the functionality of the method to assign risk categories to nodes, as disclosed by Schmidt, such modification would enable the system to associate nodes to risk categories, and apply a risk propagation model that quantifies a risk value for that risk category at a target node. The combination of Schmidtler, Belák, Banerjee and Schmidt does not explicitly teach the following limitation taught by Palumbo: assigning a third set of nodes corresponding to each of the website constructs (Palumbo, ¶81: “… the graph further includes (610) a third set of nodes, each node in the third set of nodes corresponding to metadata associated with the respective content item.”); and utilizing a plurality of edges that joins the first set of nodes with the second set of nodes (Palumbo, ¶83: “the graph further includes (612) a first set of edges between two or more nodes, wherein each edge in the first set of edges connects, for a respective search query, a node from the first set of nodes corresponding to the respective search query with a node from the second set of nodes corresponding to the respective content item selected from the respective search query.”) and the first set of nodes with the third set of nodes (Palumbo, ¶81: “edges connect the metadata nodes with the respective content item and/or query nodes associated with the metadata.”). It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of Schmidtler, Belák, Banerjee and Schmidt to incorporate the functionality of the electronic device to generate a graph that includes a third set of nodes, each node in the third set of nodes corresponding to metadata associated with the respective content item, as disclosed by Palumbo, such modification offers a significant advantage to analyze both the individual features of the website and the relationships between the metadata nodes and the respective websites. Regarding claim 15: Claim 15 substantially recites the same limitations as claim 5 in the form of a system implementing the corresponding functionality. Therefore, it is rejected by the same rationale. Claims 6-7 and 16-17 are rejected under 35 U.S.C. 103 as being unpatentable over Schmidtler, Belák, Banerjee, and further in view of US-PGPUB No. 2017/0264626 A1 to Xu et al. (hereinafter “Xu”) Regarding claim 6: The combination of Schmidtler, Belák and Banerjee discloses the computer-implemented method of claim 1, but does not explicitly teach the following limitation taught by Xu: wherein grouping, for each of the nodes, the target websites based on sharing a common construct within the plurality of website constructs comprises clustering a set of the nodes sharing the common construct (Xu, ¶47: “determine if the common patterns are shared with a known malware family (e.g., by performing a cluster-based analysis …)”). It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of Schmidtler, Belák and Banerjee to incorporate the functionality of the method to perform cluster-based analysis using common strings extraction to determine least common strings using the well-known longest common subsequence (LCS) algorithm for finding the longest subsequence common to all sequences in a set of sequences, as disclosed by Xu, such modification would enable the system to reveal underlying structures or patterns in a dataset that are not immediately obvious. Regarding claim 7: The combination of Schmidtler, Belák, Banerjee and Xu discloses: The computer-implemented method of claim 6, wherein clustering the set of the nodes sharing the common construct comprises utilizing a longest common substring for each of the plurality of website constructs to identify the common construct for the grouping (Xu, ¶47: “… performing a cluster-based analysis using common strings extraction to determine least common strings using the well-known longest common subsequence (LCS) algorithm for finding the longest subsequence common to all sequences in a set of sequences…”). The same motivation which is applied to claim 6 with respect to Xu applies to claim 7. Regarding claims 16-17: Claims 16-17 substantially recite the same limitations as claims 6-7, respectively, in the form of a system implementing the corresponding functionality. Therefore, they are rejected by the same rationale. Claims 8 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Schmidtler, Belák, Banerjee, Xu, and further in view of US-PGPUB No. 2021/0099484 A1 to Li et al. (hereinafter “Li”) Regarding claim 8: The combination of Schmidtler, Belák, Banerjee and Xu discloses the computer-implemented method of claim 6, but does not explicitly teach the following limitation taught by Li: wherein clustering the set of the nodes sharing the common construct comprises utilizing perceptual hashing for each of the plurality of website constructs to identify the common construct for the grouping (Li, ¶16: “generate … a screenshot of a webpage. … perceptual hashing … can be used. … the use of a perceptual hashing … generates only a limited number of unique fingerprints …”). It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of Schmidtler, Belák, Banerjee and Xu to incorporate the functionality of the method to perform perceptual hashing of a screenshot of a webpage, as disclosed by Li, such modification would enable the system to facilitate fast calculation and similarity comparisons of suspicious URLs associated to a website. Regarding claim 18: Claim 18 substantially recites the same limitations as claim 8 in the form of a system implementing the corresponding functionality. Therefore, it is rejected by the same rationale. Claims 9 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Schmidtler, Belák, Banerjee, and further in view of US-PGPUB No. 20250077609 A1 to Yu et al. (hereinafter “Yu”) Regarding claim 9: The combination of Schmidtler, Belák and Banerjee discloses the computer-implemented method of claim 1, but does not explicitly teach the following limitation taught by Yu: wherein performing the security action that trains the GNN for identifying the unknown websites as potential scam websites based on the similarity score determined from the plurality of website constructs comprises: capturing structural information embedded in the graph to detect similarities between the unknown websites and the known scam websites (Yu, ¶28: “target graph data for the target webpage and the historical webpage is determined based on the structural data of the target webpage, the first association relationship and the historical graph data.”); and determining the similarity score based on the detected similarities (Yu, ¶29: “similarity between the target webpage and the historical webpage is determined based on the target graph data.”). It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of Schmidtler, Belák and Banerjee to incorporate the functionality of the method to determine a similarity between a target webpage and the historical webpage (Yu in paragraph [0034] teaches a historical webpage can be a category of plagiarism), as disclosed by Yu, such modification would enable the system to identify webpages (websites) that are similar to known (historical) malicious categories. Regarding claim 19: Claim 19 substantially recites the same limitations as claim 9 in the form of a system implementing the corresponding functionality. Therefore, it is rejected by the same rationale. Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Schmidtler, Belák, Banerjee, and further in view of US-PGPUB No. 2023/0206029 A1 to Qiao et al. (hereinafter “Qiao”) Regarding claim 10: The combination of Schmidtler, Belák and Banerjee discloses the computer-implemented method of claim 1, but does not explicitly teach the following limitation taught by Qiao: wherein the GNN comprises an inductive GNN (Qiao, ¶33: “each GNN trained at step (308) is an inductive GNN.”). It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of Schmidtler, Belák and Banerjee to incorporate the functionality of the method to implement a trained inductive GNN, as disclosed by Qiao, such modification would enable the system to process new data, or unseen nodes, which is crucial for dynamic, real-world applications. Conclusion Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to MATTHIAS HABTEGEORGIS whose telephone number is (571)272-1916. The examiner can normally be reached M-F 8am-5pm ET. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, William R. Korzuch can be reached at (571)272-7589. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /M.H./ Examiner, Art Unit 2491 /DANIEL B POTRATZ/Primary Examiner, Art Unit 2491