MAINTAINING STABLE UNIFORM RESOURCE LOCATOR VERDICTS WITH INTELLIGENT RECRAWLING

Detailed Action This office action is in response to applicant’s submission filed on February 3, 2026. Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Response to Arguments Applicant’s Arguments (Remarks) filed February 3, 2026 have been fully considered, but are moot. Applicant’s arguments with respect to claims 1, 11, and 16 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument. Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 1-7 and 11-20 are rejected under 35 U.S.C. 103 as being unpatentable over US 9058490 B1 to Barker et al. (hereinafter, “Barker”) in view of US 2022/0067146 A1 to Cai et al. (hereinafter, “Cai”). Regarding claim 1, Barker discloses: A method comprising: based on obtaining a stored verdict for a uniform resource locator (URL) indicating that the URL is malicious, initiating a recrawling policy for the URL to maintain stability of the stored verdict for the URL; recrawling the URL at each time for recrawling the URL in a first time window according to the recrawling policy to retrieve first recrawling data (“In one configuration, the monitoring module 322 may include refresh rate 326. The refresh rate 326 may be configurable and may indicate when a web site, previously classified by the classification module 324, is to be reanalyzed and (if needed) reclassified. For example, a user may submit an original URL associated with a web site. The URL shortening service module 312 may generate a shortened version of the original URL. The web site associated with the shortened URL may be initially analyzed and assigned a classification depending on the content and characteristics of the web site. The monitoring module 322 may continuously monitor the web site and when the refresh rate 326 expires, the analysis module 320 may reanalyze the web site. If the content or other characteristics of the web site have changed since the web site was assigned the initial classification, the classification module 324 may assign a different classification to the web site. The monitoring module 322 may continue to monitor the web site and when the refresh rate 326 expires again, the analysis module 320 may again analyze the web site and, if necessary, the classification module 324 may assign a different classification to the web site, depending on the analysis performed by the analysis module. As a result, real-time classification of web sites associated with shortened URLs may be performed” [Col. 5, lines 32-54] [Examiner notes that the recrawling policy is seen as a combination of the refresh rate and the monitoring cycle. The analysis module reclassifies the URL based on new content, keeping verdict stable and accurate. Examiner also notes that re-analyzing here is seen as re-crawling because the system access the website, load/retrieves the most up to date/recent content, and analyzes it to see if there needs to be a re-classification. The text shows the repeated action of the system, continuing to monitor and re-analyze (re-crawls multiple times based on the defined schedule until the refresh rate expires) which mirrors recrawling at each time in the first time window]); obtaining first verdicts for the URL based, at least in part, on the first recrawling data (“If the content or other characteristics of the web site have changed since the web site was assigned the initial classification, the classification module 324 may assign a different classification to the web site. The monitoring module 322 may continue to monitor the web site and when the refresh rate 326 expires again, the analysis module 320 may again analyze the web site and, if necessary, the classification module 324 may assign a different classification to the web site, depending on the analysis performed by the analysis module. As a result, real-time classification of web sites associated with shortened URLs may be performed” [Col. 5, lines 44-54]); and Barker does not disclose: based on the first verdicts satisfying evaluation criteria, inputting one or more feature vectors of the first recrawling data into a trained model to obtain a flipping verdict as output, wherein the flipping verdict indicates whether to flip the stored verdict from malicious to benign after the first time window. However, Cai discloses: based on the first verdicts satisfying evaluation criteria, inputting one or more feature vectors of the first recrawling data into a trained model to obtain a flipping verdict as output, wherein the flipping verdict indicates whether to flip the stored verdict from malicious to benign after the first time window (“In the present example, the network device 202 further includes a feedback and reporting module 220 configured to send the identified static features to the machine-learning training module 210 for training. The sandbox module 218 may also update the feature vector of the file based on identified static features and use the machine-learning based file processing module 216 to reclassify the file based on the updated feature vector. The feedback and reporting module 220 may also send feedback and/or an alter to other network devices or other sandbox appliances. The feedback and reporting and module 220 may use a universal security language via a standardized reporting framework to categorize malware techniques and report the identified threat (which may also be referred to herein as malware). In one embodiment, the module 220 may share threat intelligence across a fully integrated security architecture to automate breach protection in real-time as threats are discovered” [0043] [Examiner notes that this text is working on an existing file-reclassification showing that there was already a stored classification. The “updated feature vectors” are new information gathered from the file, fulfilling the recrawling/updated data part. The reclassification is explicitly done using a machine-leaning module and it is reclassifying (deciding to update the prior label if the new data warrants it, showing the flipping verdict/updating classification action)]). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Barker with the added structure of Cai to update classifications after recrawling when needed. Claim 11 recites substantially the same limitation as claim 1, in the form of a non-transitory computer readable medium comprising computer readable program code for implementing the corresponding method, therefore it is rejected under the same rationale. Examiner wants to note that “recrawl the URL n times in a first time window according to a recrawling policy, wherein the recrawling policy specifies n and time intervals between recrawls in the first time window” limitation stated in the claim are read upon in Barker (see Col. 1, lines 54-63). This is because the refresh rate directly corresponds to the “time intervals between recrawls” as it defines when to re-check the website. The determination of whether the refresh rate has expired reflects the logic of the re-crawling policy specifying timing since the system checks when it is time to re-crawl. The re-accessing and re-classifying steps correspond to re-crawling multiple times (n times) within the first window (each refresh triggers another round of crawling and classification. It essentially captures the concept of scheduled, repeated re-crawling based on a timing policy (refresh rate). Claim 16 recites substantially the same limitation as claim 1, in the form of an apparatus for implementing the corresponding method, therefore it is rejected under the same rationale. Regarding claims 2, 12, and 17, a combination of Barker-Cai discloses the system of claims 1/11/16. Barker further discloses: wherein the evaluation criteria comprise that a number of benign verdicts in the first verdicts is above a first threshold (“If the content or other characteristics of the web site have changed since the web site was assigned the initial classification, the classification module 324 may assign a different classification to the web site. The monitoring module 322 may continue to monitor the web site and when the refresh rate 326 expires again, the analysis module 320 may again analyze the web site and, if necessary, the classification module 324 may assign a different classification to the web site, depending on the analysis performed by the analysis module. As a result, real-time classification of web sites associated with shortened URLs may be performed” [Col. 5, lines 44-54] [Examiner notes that a "threshold" defines how much change or evidence is needed before re-classification and "if a content has changed" serves as that threshold condition (if the changes are significant enough/cross a threshold, a re-classification will happen)]). Regarding claims 3, 13, and 18, a combination of Barker-Cai discloses the system of claims 1/11/16. Barker further discloses: flipping the stored verdict for the URL from malicious to benign based on corresponding indications in the flipping verdict (“The reclassification of the web site associated with the shortened URL may be stored 510 in a database” [Col. 6, lines 32-34]). Regarding claim 4, a combination of Barker-Cai discloses the system of claim 3. Barker further discloses: recrawling the URL at each time for recrawling the URL in a second time window according to the recrawling policy to obtain second recrawling data (“In one configuration, the monitoring module 322 may include refresh rate 326. The refresh rate 326 may be configurable and may indicate when a web site, previously classified by the classification module 324, is to be reanalyzed and (if needed) reclassified. For example, a user may submit an original URL associated with a web site. The URL shortening service module 312 may generate a shortened version of the original URL. The web site associated with the shortened URL may be initially analyzed and assigned a classification depending on the content and characteristics of the web site. The monitoring module 322 may continuously monitor the web site and when the refresh rate 326 expires, the analysis module 320 may reanalyze the web site. If the content or other characteristics of the web site have changed since the web site was assigned the initial classification, the classification module 324 may assign a different classification to the web site. The monitoring module 322 may continue to monitor the web site and when the refresh rate 326 expires again, the analysis module 320 may again analyze the web site and, if necessary, the classification module 324 may assign a different classification to the web site, depending on the analysis performed by the analysis module. As a result, real-time classification of web sites associated with shortened URLs may be performed” [Col. 5, lines 32-54] [Examiner notes that the recrawling policy is seen as a combination of the refresh rate and the monitoring cycle. The analysis module reclassifies the URL based on new content, keeping verdict stable and accurate. Examiner also notes that re-analyzing here is seen as re-crawling because the system access the website, load/retrieves the most up to date/recent content, and analyzes it to see if there needs to be a re-classification. The text shows the repeated action of the system, continuing to monitor and re-analyze (re-crawls multiple times based on the defined schedule until the refresh rate expires) which mirrors recrawling at each time in the first time window. Examiner wants to note that monitoring and crawling a URL in a second time window does not add novelty to the limitation]); obtaining second verdicts for the URL based, at least in part, on the second recrawling data (“If the content or other characteristics of the web site have changed since the web site was assigned the initial classification, the classification module 324 may assign a different classification to the web site. The monitoring module 322 may continue to monitor the web site and when the refresh rate 326 expires again, the analysis module 320 may again analyze the web site and, if necessary, the classification module 324 may assign a different classification to the web site, depending on the analysis performed by the analysis module. As a result, real-time classification of web sites associated with shortened URLs may be performed” [Col. 5, lines 44-54]); and based on obtaining a malicious verdict in the second verdicts during the recrawling in the second time window, flipping the stored verdict from benign to malicious (“The reclassification of the web site associated with the shortened URL may be stored 510 in a database” [Col. 6, lines 32-34]). Claim 14 recites substantially the same limitation as claims 1 and 11, a non-transitory computer readable medium comprising computer readable program code for implementing the corresponding method/non-transitory computer readable medium comprising computer readable program code, therefore it is rejected under the same rationale. Claim 19 recites substantially the same limitation as claim 4, in the form of an apparatus for implementing the corresponding system, therefore it is rejected under the same rationale. Regarding claims 5, 15, and 20, a combination of Barker-Cai discloses the system of claims 4/11/19. Barker further discloses: wherein the times for recrawling in the first time window and in the second time window according to the recrawling policy are successively more infrequent in each time window (“In one embodiment, a determination may be made as to whether the web site associated with the shortened URL has been previously classified. In addition, a determination may be made whether a refresh rate associated with the classification of the web site has expired. The classified web site may be accessed upon determining that the refresh rate has expired. A determination may be made as to whether changes have occurred to the web site. The web site associated with the shortened URL may be reclassified upon detecting changes to the web site” [Col. 1, lines 54-63]; “In one configuration, when a long URL (i.e., an original URL) is submitted for shortening, the classification rating for the web site associated with the long URL may be checked and constantly updated. If the affiliated web site were at one point malicious and then later benign the URL shortening service module 112 may refresh the previous rating in a timely manner (and vice versa). If the rating of the web site were unknown, the web site may be queued up for eventual analysis and classification. This may provide a frequent detection rate for classifying web sites and providing a high efficacy” [Col. 7, lines 41-51] [Examiner notes that the first text establishes the mechanism of the refresh rate triggering recrawls as the recrawling frequency is dependent on detected changes. If the system sees that the site's content is stable over multiple recrawls, it could adaptively increase the refresh rate, meaning it waits longer before checking again. The second text explains the adaptive logic of the URLs being refreshed "in a timely manner" depending on classification changes. It shows that the system can start frequent then space out recrawls]). Regarding claim 6, a combination of Barker-Cai discloses the system of claim 4. Barker further discloses: restarting the recrawling policy after a third time window subsequent to the second time window has elapsed (“In one embodiment, a determination may be made as to whether the web site associated with the shortened URL has been previously classified. In addition, a determination may be made whether a refresh rate associated with the classification of the web site has expired. The classified web site may be accessed upon determining that the refresh rate has expired. A determination may be made as to whether changes have occurred to the web site. The web site associated with the shortened URL may be reclassified upon detecting changes to the web site” [Col. 1, lines 54-63] “In one configuration, when a long URL (i.e., an original URL) is submitted for shortening, the classification rating for the web site associated with the long URL may be checked and constantly updated. If the affiliated web site were at one point malicious and then later benign the URL shortening service module 112 may refresh the previous rating in a timely manner (and vice versa). If the rating of the web site were unknown, the web site may be queued up for eventual analysis and classification. This may provide a frequent detection rate for classifying web sites and providing a high efficacy” [Col. 7, lines 41-51] [Examiner notes that these two texts support the claim limitations because a refresh rate triggers re-analysis and re-classification when expired. This same mechanism can apply after the third time window (once the refresh rate expires, the system initiates the recrawl). Examiner also notes that the system constantly updates and refreshed ratings "in a timely manner" depending on the URL's behavior. That supports the idea that after a long period (third time window), the system can restart the monitoring cycle without needing new mechanisms]). Regarding claim 7, a combination of Barker-Cai discloses the system of claim 3. Barker further discloses: wherein flipping the stored verdict for the URL from malicious to benign comprises disabling the stored verdict for the URL in a database (“The reclassification of the web site associated with the shortened URL may be stored 510 in a database” [Col. 6, lines 32-34] [Examiner notes that the reclassification = flipping which means that inherently, you need to disable or remove the old verdict in order to label/store the next flipped verdict]). Claims 8-10 are rejected under 35 U.S.C. 103 as being unpatentable over US 9058490 B1 to Barker et al. (hereinafter, “Barker”) in view of US 2022/0067146 A1 to Cai et al. (hereinafter, “Cai”) and in further view of US 2021/0049207 A1 to Cao et al. (hereinafter, “Cao”). Regarding claim 8, a combination of Barker-Cai disclose the system of claim 1. Barker-Cai do not disclose: a machine learning model trained on recrawling data for URLs in time windows and indications of whether corresponding ground truth verdicts flipped from malicious to benign in the time windows. However, Cao discloses: a machine learning model trained on recrawling data for URLs in time windows and indications of whether corresponding ground truth verdicts flipped from malicious to benign in the time windows (“In various embodiments, different features included in a feature vector are used in conjunction with different types of machine learning approaches incorporated into a classification model, such as model 156. Examples of such machine learning approaches include Naïve Bayes, support vector machines, random forest, logistic regression, and gradient descent boosting trees. Classifier 170 uses a model, such as model 156, to classify a given site (e.g., as NEWS, ADULT, etc.) based on its associated feature vector. In various embodiments, a model such as model 156 is trained using a training set of manually labeled websites. Categorizations determined using model 156 are stored in database 166. The contents of database 166 can be used for a variety of purposes, including generating database 312 discussed in conjunction with FIG. 3, and responding to queries (e.g., with URL classification server 168 being an example of remote URL classification server 320, responding to queries by consulting database 166). As will be described in more detail below, other approaches can also be used to respond to queries (e.g., instead of or in addition to using embodiments of URL classification server 168 and database 166)” [0030] [Examiner notes that the historical classification labels (whether a site was previously malicious and then benign) server as the "ground truth" for training by training on manually labeled websites. Since these labels are from different recrawling sessions, the different time windows are implied]). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Barker-Cai with the added structure of Cao to provide a combined perspective of behavior of the URL across the first observation window by training one half successfully (machine leaning model). Regarding claim 9, a combination of Barker-Cai disclose the system of claim 1. Barker-Cai do not disclose: at least one of malicious hyperlinks in a web page of the URL, a number of Internet Protocol (IP) address sources for the web page, a length of content in the web page, a number of documents in the web page, a number of scripts in the web page, and a third-party security score for the URL. However, Cao discloses: at least one of malicious hyperlinks in a web page of the URL, a number of Internet Protocol (IP) address sources for the web page, a length of content in the web page, a number of documents in the web page, a number of scripts in the web page, and a third-party security score for the URL (“Also shown in FIG. 1 is a URL classification system 150. URL classification system 150 uses a set of crawlers 152 to crawl sites (e.g., sites 112-122), extract metadata/content, and store information associated with the crawled sites (including the time of the crawl) in database 166. Where multiple crawls of a site are performed, the historical crawl information (e.g., results of the first crawl, second crawl, etc.) are preserved in database 166, along with results of the current crawl. Examples of tools that can be used to crawl/extract content from sites include PageDump (WebKit), HtmlUnit, and j soup. Database 166 is, in various embodiments, implemented using MongoDB. Example tables that can be included in database 166 are a crawl queue (of sites to be crawled), a crawl log (a history of sites crawled), a classification result (a to-publish category, invalid site, or no category), and a crawl content report (a summary of crawled sites, language, and number of pages crawled). The information extracted for a site (e.g., title, description, body text, keywords, inlinks, outlinks, language, etc.) is used (e.g., by classifier 170) to generate a feature vector (or set of feature vectors, as applicable). One example of a feature is whether or not any of the outlinks of a site lead to sites known to be classified as ADULT sites. Other example features variously include features related to body text, features related to metadata, features related to incoming links, and features related to the URL itself” [0029] [Examiner notes that the text explicitly mentions body text which corresponds to the length of content which is one of the types of information extracted during a crawl that would be included in the first recrawling data]). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Barker-Cai with the added structure of Cao to provide a combined perspective of behavior of the URL across the first observation window by creating a feature vector based on the types of flags from the data gathered via crawl. Regarding claim 10, a combination of Barker-Cai disclose the system of claim 1. Barker-Cai do not disclose: prior to initiating the recrawling policy, determining that the URL does not satisfy high confidence criteria for a malicious verdict. However, Cao discloses: prior to initiating the recrawling policy, determining that the URL does not satisfy high confidence criteria for a malicious verdict (“In the event that URL 316 is also absent from URL classification server 320 (and any additional URL servers available to appliance 102 as applicable), a category of UNKNOWN will be returned and appropriate policies applied, based on the category, such as by blocking access to URL 316. Cache 306 can also be updated by switching the temporary category of UNRESOLVED to UNKNOWN. As with cache 310, cache 314 is updated based on results returned by URL classification server 320. In some embodiments, URLs with UNKNOWN categorization have a timeout, thus allowing for resolution of the categorization during a subsequent request” [0042] [Examiner notes that the "UNKNOWN" here is seen as not confidently malicious or benign, which is exactly what "does not satisfy high confidence criteria" means. The timeout represents a pause before the next analysis (before initiating the next re-crawl)]). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Barker-Cai with the added structure of Cao to provide a system that is able to recognize the high confidence malicious indicators that are highly correlated with maliciousness of the URL and that exclude the URL from flipping its verdict from malicious to benign. Conclusion The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure: Azad (US 2021/0344693 A1) teaches techniques for systems and methods that include, responsive to starting a plurality of listener modules, receiving a Uniform Resource Locator (URL) for a site on the Internet into a database; loading the URL; receiving artifacts based on the loading; using the plurality of listener modules to run rules based on the received artifacts; scoring the URL based on the rules and the received artifacts; and determining whether the URL is one of benign, suspicious, or malicious based on the scoring. The steps can include any of blocking the URL, allowing the URL, further analyzing the URL, adding the URL to a whitelist or blacklist, and providing a notification, based on whether the URL is benign, suspicious, or malicious. Any inquiry concerning this communication or earlier communications from the examiner should be directed to SARON MATTHEWOS WORKU whose telephone number is (703)756-1761. The examiner can normally be reached Monday - Friday, 9:30 am - 6:30pm. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Linglan Edwards can be reached on 571-270-5440. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /SARON MATTHEWOS WORKU/Examiner, Art Unit 2408 /LINGLAN EDWARDS/Supervisory Patent Examiner, Art Unit 2408