Detailed Action
Claims 1-28 are pending in this application.
Drawings
The Drawings filed on 10/30/23 are acceptable.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 1-23 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
As per claims 1 and 10, the term “some cases” is a relative term which renders the claim indefinite. The term “some cases” is not defined by the claim, the specification does not provide a standard for ascertaining the requisite degree, and one of ordinary skill in the art would not be reasonably apprised of the scope of the invention. The specification merely uses the term “some cases”, and “some” by definition means an unspecified number or amount, with “unspecified” meaning not stated clearly or exactly. Therefore it is unclear how many or what cases are considered to be “some cases”.
Claim 10 recites “the first Trojan resource request”; there is insufficient antecedent basis for this limitation in the claim. It is unclear whether “the first Trojan resource request” is referring back to “a Trojan misappropriation detection resource request” or whether the applicant intended the limitation to be “a first Trojan resource request”.
Claim 11 recites “the resource request”; there is insufficient antecedent basis for this limitation in the claim. It is unclear whether this limitation is referring back to “a Trojan misappropriation detection resource request” or “first Trojan resource request”.
Claim 12 recites “the request text string”; there is insufficient antecedent basis for this limitation in the claim. It is unclear whether this limitation is referring back to “a misappropriation detection request text string” or whether the applicant intended the limitation to be “a request text string”.
All dependent claims are rejected for the same reasons set forth above.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-3, 8-14, 22-28 are rejected under 35 U.S.C. 103 as being unpatentable over US 2009/0228780 issued to McGeehan in view of US 2021/0006591 issued to Akuka et al. (Akuka).
As per claims 1,8,9, McGeehan teaches computer-implemented method of proactively detecting misappropriation of website source code/a computer program product comprising a tangible, non-transitory computer-readable medium embodying instructions which, when executed by at least one processor of a data processing system, cause the data processing system/ a data processing system comprising at least one processor and memory containing instructions which, when executed by the at least one processor, cause the data processing system to implement the method (Abstract, para.43) comprising: maintaining a first beacon embedded within the website source code, wherein the first beacon is adapted to transmit a first signal upon execution of the website source code in at least some cases of said execution, wherein the first signal identifies a domain of a host server hosting the website source code([0023] The primary website 100 includes in the code of its home page 102 (and/or any pages that are likely to be copied by a site forger) executable code 104, which is called herein "domain identification code". This code is client-side executable code, such as client-side JavaScript (or other dialects of ECMAScript), VBScript, and the like. The domain identification code 104 can be embedded directly in the home page 102, or incorporated by include references, or other programmatic methods. The domain identification code 104 is preferably obfuscated using code obfuscation techniques to make difficult for the site forger find and extract or disable….[0027] A second function of the domain identification code 104 is to provide to the primary website 100 an identification of the unauthorized domain. This can be implemented by a callback from the domain identification code 104 to the authorized server 118 at the primary website 100, including the domain name of the forged website 110 or other identifying information (e.g., IP address). 
This information can be sent in the clear, or it can be sent in encrypted form, so as to prevent the site forger from seeing that the forged website 110 has been identified. The authorized server 118 receives the identification of the unauthorized domain and can use this information to undertake various actions as countermeasures against the forged website 120 and the site forger.; “domain identification code” interpreted as the “first beacon”);
responsive to detecting the first signal from the first beacon, initiating a first response action([0028] Once the domain identification code 104 has determined that it is being served by an unauthorized domain, the browser 122 can execute countermeasures code 109. The countermeasures code 109 can be implemented by code that is included in the home page 102 (or other pages) on the primary website 100, or alternatively by additional client-side executable code that is transmitted to the browser 122 by a server at the primary website 100. Generally, the countermeasures code 109 alters the operation of the page in which it is included, such as copied home page 102'. One way to alter the operation of the copied home page 102' is to modify the appearance of the copied home page 102'. Modifying the appearance can include blanking out the copied home page 102' in whole or in part. FIGS. 3 and 4 illustrates this type of modification. FIG. 3 illustrates a page 300 of a primary website that has been copied and hosted at a forged website at the unauthorized domain "www.faccebook.com". FIG. 4 illustrates this same page after it has been blanked out entirely. The blanked out page can appear on the client device 120 as an empty page such as in FIG. 4 (e.g., against a white, black or other background), for example, or as have various sections missing. Modifying the appearance can include displaying a warning or other notice to the user that they are accessing the forged website 120.).
McGeehan, however, does not explicitly teach a monitoring server; monitoring, by the monitoring server, for the first signal from the first beacon.
Akuka explicitly teaches monitoring server(Fig.5, security server); monitoring, by the monitoring server, for the first signal from the first beacon([0095] Finally, in step 214, in response to detecting the malicious use of the web code, web agent 22 transmits, over Internet 36, notification beacon 178 to security server 176, and the method ends. In some embodiments, notification beacon 178 can include information about phishing web page 152 and information about the unsuspecting victim (whose personal information may have been compromised in the attack), thereby enabling security server 176 to start taking take appropriate action to halt the phishing attack and, when possible, apprehend the attacker responsible for the attack. ).
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify McGeehan’s teaching of domain identification code that identifies the domain of a forged website to apply the teaching of Akuka of a security server for receiving information about a phishing webpage, in order to provide the predictable result of a security server that receives information about a forged/phishing website from domain identification code.
One of ordinary skill in the art would have been motivated to combine the teachings in order to identify, report, and mitigate unauthorized use of software code (Akuka, para.2).
As per claim 2, McGeehan in view of Akuka teaches the method of claim 1, wherein the first beacon is adapted to: determine whether the domain of the host server is unfamiliar; and transmit the first signal only if the domain of the host server is unfamiliar(McGeehan, [0025] A first function of the domain identification code 104 is to determine whether it was served to the client device 120 from an authorized domain. In one embodiment, this is done by identifying the domain from which the page 102 is served, and then matching that domain against a list of one or more authorized domains. The domain can be identified from the URL for the page. If the serving domain is found in the list of authorized domains, then the serving domain is authorized; otherwise the serving domain is an unauthorized domain. The list of authorized domains can be included as part of the domain identification code 104, or obtained by request from the primary website 100. Alternatively, the domain identification code 104 can pass the domain name itself to the authorized server 118 for determining whether it is authorized).
As per claim 3, McGeehan in view of Akuka teaches the method of claim 2, wherein the first response action is a remedial action(McGeehan, [0028] Once the domain identification code 104 has determined that it is being served by an unauthorized domain, the browser 122 can execute countermeasures code 109. The countermeasures code 109 can be implemented by code that is included in the home page 102 (or other pages) on the primary website 100, or alternatively by additional client-side executable code that is transmitted to the browser 122 by a server at the primary website 100. Generally, the countermeasures code 109 alters the operation of the page in which it is included, such as copied home page 102'. One way to alter the operation of the copied home page 102' is to modify the appearance of the copied home page 102'. Modifying the appearance can include blanking out the copied home page 102' in whole or in part. FIGS. 3 and 4 illustrates this type of modification. FIG. 3 illustrates a page 300 of a primary website that has been copied and hosted at a forged website at the unauthorized domain "www.faccebook.com". FIG. 4 illustrates this same page after it has been blanked out entirely. The blanked out page can appear on the client device 120 as an empty page such as in FIG. 4 (e.g., against a white, black or other background), for example, or as have various sections missing. Modifying the appearance can include displaying a warning or other notice to the user that they are accessing the forged website 120).
As per claims 10, 22, 23, McGeehan teaches a method of proactively detecting misappropriation of website source code/a computer program product comprising a tangible, non-transitory computer-readable medium embodying instructions which, when executed by at least one processor of a data processing system, cause the data processing system to implement/a data processing system comprising at least one processor and memory containing instructions which, when executed by the at least one processor, cause the data processing system to implement, the method comprising:
maintaining Trojan misappropriation detection code embedded in the website source code, wherein the Trojan misappropriation detection code is adapted to incorporate domain identification data for a host server hosting the website source code upon execution of the website source code in at least some cases of said execution(([0023] The primary website 100 includes in the code of its home page 102 (and/or any pages that are likely to be copied by a site forger) executable code 104, which is called herein "domain identification code". This code is client-side executable code, such as client-side JavaScript (or other dialects of ECMAScript), VBScript, and the like. The domain identification code 104 can be embedded directly in the home page 102, or incorporated by include references, or other programmatic methods. The domain identification code 104 is preferably obfuscated using code obfuscation techniques to make difficult for the site forger find and extract or disable; domain identification code is interpreted as the “Trojan misappropriation detection code” as described in applicant’s spec. para.33);
wherein the domain identification data identifies a domain of the host server hosting the website source code(….[0027] A second function of the domain identification code 104 is to provide to the primary website 100 an identification of the unauthorized domain. This can be implemented by a callback from the domain identification code 104 to the authorized server 118 at the primary website 100, including the domain name of the forged website 110 or other identifying information (e.g., IP address). This information can be sent in the clear, or it can be sent in encrypted form, so as to prevent the site forger from seeing that the forged website 110 has been identified. The authorized server 118 receives the identification of the unauthorized domain and can use this information to undertake various actions as countermeasures against the forged website 120 and the site forger);
initiating a first response action([0028] Once the domain identification code 104 has determined that it is being served by an unauthorized domain, the browser 122 can execute countermeasures code 109. The countermeasures code 109 can be implemented by code that is included in the home page 102 (or other pages) on the primary website 100, or alternatively by additional client-side executable code that is transmitted to the browser 122 by a server at the primary website 100. Generally, the countermeasures code 109 alters the operation of the page in which it is included, such as copied home page 102'. One way to alter the operation of the copied home page 102' is to modify the appearance of the copied home page 102'. Modifying the appearance can include blanking out the copied home page 102' in whole or in part. FIGS. 3 and 4 illustrates this type of modification. FIG. 3 illustrates a page 300 of a primary website that has been copied and hosted at a forged website at the unauthorized domain "www.faccebook.com". FIG. 4 illustrates this same page after it has been blanked out entirely. The blanked out page can appear on the client device 120 as an empty page such as in FIG. 4 (e.g., against a white, black or other background), for example, or as have various sections missing. Modifying the appearance can include displaying a warning or other notice to the user that they are accessing the forged website 120).
McGeehan does not explicitly teach Trojan misappropriation detection request text string for a misappropriation detection resource request; monitoring, by a monitoring server, for the first Trojan resource request; and responsive to detecting the Trojan resource request, initiating a first response action.
Akuka explicitly teaches Trojan misappropriation detection request text string for a misappropriation detection resource request([0108] In this embodiment, web agent 22 can generate a transmission 240 that is disguised as a call requesting to load data, such as image 238, from proxy server 230 that is disguised as a content delivery server. For example, although the most commonly used way to send information to an external server would be using an ‘HTTP POST’ request, web agent 22 may embed the information (such as URL 166 of web page 132 on which modified code 130 is running) in transmission 240 using an ‘HTTP GET’ content request 242, which is disguised to appear as a normal picture loading request. [0109] For example, a URL 244 for proxy server 230 may be encrypted and included as a tag in the URL path of the HTT.GET, as depicted in the following JavaScript code: [0110] https://an-innocent-domain/images/<domain-id>/<location.href-as-hash>/<image>.png); monitoring, by a monitoring server, for the first Trojan resource request(([0111] In some embodiments of the invention, upon proxy server 230 receiving HTTP.GET request 242, the proxy server may actually return, in transmission 246, image 238 for web agent 22 to store in memory 156 and to load by web code 139 executing on browser 168…proxy server interpreted as the “monitoring server”) and responsive to detecting the Trojan resource request, initiating a first response action([0111] In some embodiments of the invention, upon proxy server 230 receiving HTTP.GET request 242, the proxy server may actually return, in transmission 246, image 238 for web agent 22 to store in memory 156 and to load by web code 139 executing on browser 168, and hence not alert the attackers about the real purpose of the external communication. Proxy server 230 can also decode the tag to recover the encoded URL (or forward the tag to a separate cyber-security server for this purpose). 
In this embodiment, upon processor 234 receiving HTTP.GET request 242 and recovering the encoded URL, processor 234 can convey, via a transmission 248 to security server 176, the encoded URL (and other information as described supra) in notification beacon 178.).
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify McGeehan’s teaching of domain identification code that identifies the domain of a forged website to apply the teaching of Akuka of sending information through a call request to load data such as an image, in order to provide the predictable result of sending the domain of a forged/phishing website through the use of a call request.
One of ordinary skill in the art would have been motivated to combine the teachings in order to identify, report, and mitigate unauthorized use of software code (Akuka, para.2) and conceal the operations of the web agent, which detects phishing attacks (Akuka, para.51,107).
As per claim 11, McGeehan in view of Akuka teaches the method of claim 10, wherein the resource request is an image request(Akuka, ([0108] In this embodiment, web agent 22 can generate a transmission 240 that is disguised as a call requesting to load data, such as image 238, from proxy server 230 that is disguised as a content delivery server. For example, although the most commonly used way to send information to an external server would be using an ‘HTTP POST’ request, web agent 22 may embed the information (such as URL 166 of web page 132 on which modified code 130 is running) in transmission 240 using an ‘HTTP GET’ content request 242, which is disguised to appear as a normal picture loading request. [0109] For example, a URL 244 for proxy server 230 may be encrypted and included as a tag in the URL path of the HTT.GET, as depicted in the following JavaScript code: [0110] https://an-innocent-domain/images/<domain-id>/<location.href-as-hash>/<image>.png). Motivation to combine set forth in claim 10.
As per claim 12, McGeehan in view of Akuka teaches the method of claim 10, wherein the request text string further incorporates user data for a user whose browser transmitted the Trojan misappropriation detection resource request(Akuka, [0096] Examples of information about malicious phishing web page 152 that web agent 22 can collect and include in notification beacon 178 includes public IP address 162, public domain name 164, public URL 166 and any web proxies used by the malicious phishing page. Examples of information on the unsuspecting victim that web agent 22 can collect and include in notification beacon 178 include public IP address 180 and a username (not shown) of the victim. In some embodiments, security server 176 can use the information collected and conveyed by web agent 22 to identify the victims who have been compromised, as well as a geographical area targeted by the attack). Motivation to combine set forth in claim 10.
As per claim 13, McGeehan in view of Akuka teaches the method of claim 10, wherein the Trojan misappropriation detection code is adapted to: determine whether the domain of the host server is unfamiliar; and transmit the Trojan misappropriation detection resource request only if the domain of the host server is unfamiliar(McGeehan, [0025] A first function of the domain identification code 104 is to determine whether it was served to the client device 120 from an authorized domain. In one embodiment, this is done by identifying the domain from which the page 102 is served, and then matching that domain against a list of one or more authorized domains. The domain can be identified from the URL for the page. If the serving domain is found in the list of authorized domains, then the serving domain is authorized; otherwise the serving domain is an unauthorized domain. The list of authorized domains can be included as part of the domain identification code 104, or obtained by request from the primary website 100. Alternatively, the domain identification code 104 can pass the domain name itself to the authorized server 118 for determining whether it is authorized).
As per claim 14, McGeehan in view of Akuka teaches the method of claim 13, wherein the first response action is a remedial action(McGeehan, [0028] Once the domain identification code 104 has determined that it is being served by an unauthorized domain, the browser 122 can execute countermeasures code 109. The countermeasures code 109 can be implemented by code that is included in the home page 102 (or other pages) on the primary website 100, or alternatively by additional client-side executable code that is transmitted to the browser 122 by a server at the primary website 100. Generally, the countermeasures code 109 alters the operation of the page in which it is included, such as copied home page 102'. One way to alter the operation of the copied home page 102' is to modify the appearance of the copied home page 102'. Modifying the appearance can include blanking out the copied home page 102' in whole or in part. FIGS. 3 and 4 illustrates this type of modification. FIG. 3 illustrates a page 300 of a primary website that has been copied and hosted at a forged website at the unauthorized domain "www.faccebook.com". FIG. 4 illustrates this same page after it has been blanked out entirely. The blanked out page can appear on the client device 120 as an empty page such as in FIG. 4 (e.g., against a white, black or other background), for example, or as have various sections missing. Modifying the appearance can include displaying a warning or other notice to the user that they are accessing the forged website 120).
As per claims 24, 27, 28, McGeehan teaches a method for concealing threat detection and notification code in a website code base/ A computer program product comprising a tangible, non-transitory computer-readable medium embodying instructions which, when executed by at least one processor of a data processing system, cause the data processing system to implement/ A data processing system comprising at least one processor and memory containing instructions which, when executed by the at least one processor, cause the data processing system to implement(Abstract, para.43), the method comprising: maintaining at least one beacon within the website code base, wherein the at least one beacon is adapted to transmit at least one signal identifying misappropriation of the website code base([0023] The primary website 100 includes in the code of its home page 102 (and/or any pages that are likely to be copied by a site forger) executable code 104, which is called herein "domain identification code". This code is client-side executable code, such as client-side JavaScript (or other dialects of ECMAScript), VBScript, and the like. The domain identification code 104 can be embedded directly in the home page 102, or incorporated by include references, or other programmatic methods. The domain identification code 104 is preferably obfuscated using code obfuscation techniques to make difficult for the site forger find and extract or disable….[0027] A second function of the domain identification code 104 is to provide to the primary website 100 an identification of the unauthorized domain. This can be implemented by a callback from the domain identification code 104 to the authorized server 118 at the primary website 100, including the domain name of the forged website 110 or other identifying information (e.g., IP address). 
This information can be sent in the clear, or it can be sent in encrypted form, so as to prevent the site forger from seeing that the forged website 110 has been identified. The authorized server 118 receives the identification of the unauthorized domain and can use this information to undertake various actions as countermeasures against the forged website 120 and the site forger.);
wherein the at least one beacon is disguised as code([0023] ….The domain identification code 104 is preferably obfuscated using code obfuscation techniques to make difficult for the site forger find and extract or disable….).
McGeehan teaches that the beacon is disguised as code in para.23; however, McGeehan does not explicitly teach disguising as a resource request.
Akuka explicitly teaches disguising as a resource request([0108] In this embodiment, web agent 22 can generate a transmission 240 that is disguised as a call requesting to load data, such as image 238, from proxy server 230 that is disguised as a content delivery server. For example, although the most commonly used way to send information to an external server would be using an ‘HTTP POST’ request, web agent 22 may embed the information (such as URL 166 of web page 132 on which modified code 130 is running) in transmission 240 using an ‘HTTP GET’ content request 242, which is disguised to appear as a normal picture loading request.)
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify McGeehan’s teaching of domain identification code that is obfuscated to apply the teaching of Akuka of disguising as a call request and/or picture loading request, in order to provide the predictable result that the domain identification code is disguised as a call request and/or picture loading request.
One of ordinary skill in the art would have been motivated to combine the teachings in order to identify, report, and mitigate unauthorized use of software code (Akuka, para.2).
As per claim 25, McGeehan in view of Akuka teaches the method of claim 24, wherein the at least one signal contains host data identifying a threat actor who has misappropriated the website code base(McGeehan, [0027] A second function of the domain identification code 104 is to provide to the primary website 100 an identification of the unauthorized domain. This can be implemented by a callback from the domain identification code 104 to the authorized server 118 at the primary website 100, including the domain name of the forged website 110 or other identifying information (e.g., IP address)….; [0033]…. The browser 122 then sends a message to the authorized server 118 at the primary website 100, providing 208 an identification of the forged website 110, such as its domain name and/or IP address.).
As per claim 26, McGeehan in view of Akuka teaches the method of claim 24, wherein the at least one signal identifies compromised credentials(Akuka, [0096] …. Examples of information on the unsuspecting victim that web agent 22 can collect and include in notification beacon 178 include public IP address 180 and a username (not shown) of the victim..). Motivation to combine set forth in claim 24.
Allowable Subject Matter
Claims 4-7, 15-21 would be allowable if rewritten to overcome the rejection(s) under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), 2nd paragraph, set forth in this Office action and to include all of the limitations of the base claim and any intervening claims.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892.
US 10,645,117 issued to Vargas Gonzalez, teaches detecting the identities of victims of phishing activities, in which an element having a reference to a server is embedded in an item (e.g., a webpage or a mobile application) that may be copied by attackers. When used on a user computer, the element generates a request to the server. Based on the request, the server identifies a user of the element embedded in the item or a copy of the item. Based on uses of the element, the server tracks a history of the user using the item or the copy of the item. In response to a determination that the element is currently being used by the user in the item and the history indicates that the user has used the copy of the item, the server identifies the user as a victim of the copy of the item.
US 10,498,761 issued to Wright et al., teaches hindering cyber-attacks, including: modifying a target website of a remote service provider, wherein modifying the target website includes: reconfiguring a structure of the target website to include a tattler, wherein when the tattler is executed at a non-authorized copy of the target website, the tattler is configured to transmit to a cyber-attack mitigation platform tattler data associated with the non-authorized copy of the target website; receiving the tattler data, wherein the tattler data includes website monitoring data, wherein the website monitoring data comprises a URL of the non-authorized copy of the target website; using the website monitoring data to evaluate the non-authorized copy of the target website, wherein the evaluating includes identifying whether the non-authorized copy of the target website comprises an attack website; and implementing one or more attack mitigation protocols when the non-authorized copy of the target website comprises the attack website.
US 2017/0063923 issued to Yang et al., teaches identifying and interfering with the operation of computer malware, as a mechanism for improving system security. Some implementations include a computer-implemented method by which a computer security server system performs actions including receiving a request for content directed to a particular content server system; forwarding the request to the particular content server system; receiving executable code from the particular content server system; inserting executable injection code into at least one file of the executable code; applying a security countermeasure to the combined executable code and executable injection code to create transformed code; and providing the transformed code to a client computing device.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BACKHEAN TIV whose telephone number is (571)272-5654. The examiner can normally be reached on Mon.-Thurs. 5:30-3:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, TONIA DOLLINGER can be reached on (571) 272-4170. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/BACKHEAN TIV/
Primary Examiner
Art Unit 2459