AUGMENTATION OF PHISHING WEBSITE PREDICTOR USING COOKIE METADATA

Detailed Action The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Amendment filed on 12/11/2025 has been acknowledged. Claims 1 and 3-20 are currently pending and have been considered below. Claim 1, 12 and 20 are independent claim. Claim 1, 3, 7, 9,12-13 and 20 have been amended. Claim 2 has been cancelled. No claim is added new. Priority No Priority is claimed for this application. Remarks and Response Applicant’s arguments filed in the amendments on 12/11/2025 have been fully considered but moot in view of new ground of rejection. The reasons set forth below. Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claim 1, 3-20 are rejected under 35 U.S.C. 103 as being unpatentable over Gardner (US Patent No 8,312,543 B1) in view of Cleveland (US Patent Application Publication No 2019/0014149 A1) and further in view of Buzbee (US Patent Application Publication No 2020/0252413 A1). Regarding Claim 1, Gardner discloses a method for detecting phishing activity by a webpage, comprising: receiving, by a processor, webpage data associated with the webpage (Gardner, col 2, line 55-65, the web server provides the client with web pages of the website. The web server provides the client with one or more cookies for the website); extracting, by the processor, cookie feature data from the webpage data (Gardner, col 3, line 10-20, the browser module communicates with the cookies cache for cookie data related to a website viewed by a client. Col 3, line 35-40, upon detecting the presence of a cookie associated with a website in a response from the web server, the security module communicates with the reputation server and determines the reputation of the website associated with the cookie); determining, by the processor, cookie score data based on an analysis of the cookie feature data with a cookie model (Gardner, col 3, line 50-60, the reputation score represents an assessment of whether the associated website is trustworthy, whether the website is known to use cookies to build profiles. The reputation server can determine the reputation score of a website based on a variety of criteria. Col 5, line 35-45, the cookie inspection module implements a deep packet inspection engine. If a cookie is detected in the network traffic stream, the cookie inspection module analyzes the cookie to identify its source); predicting, by the processor, fraudulent content of the webpage based on the cookie score data and a prediction model (Gardner, col 5, line 50-55, the reputation server determines a reputation score for the identified website and returns the score to the reputation determination module that can cache the reputation scores to avoid needing to query the reputation server each time a cookie associated with the website is detected. Line 60-65, reputation score determines if the website is good or bad. The score is compared with predetermined reputation threshold); and generating, by the processor, notification data including an indication of the fraudulent content (Gardner, col 6, line 5-10, the score determines if the website is good or bad. The reputation determination module sends a report to the cookie response module describing the reputation of the website). Gardner does not explicitly discuss the following limitation that Cleveland teaches: analyzing, by the processor, the webpage data to determine if at least one of a brand logo and credential entry box is present (Cleveland, ¶[0058], a detection event may comprise a user alert, which displays an image showing visually where on the webpage a logo was detected, and indicating that the user is not on an authorized login domain for that brand. Fig-5, a box overlay 502 is provided to show the relevant logo 504 and a user identification/password prompt 506, along with an indication of brand detection 508, authorized domain 510 associated with the detected brand, and the domain 512 detected as being associated with webpage URL. The authorized domain may be distinguished by the actual webpage URL domain using color); in response to a determination that the brand logo is present or the credential entry box is present (Cleveland, ¶[0058], a detection event may comprise a user alert, which displays an image showing visually where on the webpage a logo was detected, and indicating that the user is not on an authorized login domain for that brand. Fig-5, a box overlay 502 is provided to show the relevant logo 504 and a user identification/password prompt 506, along with an indication of brand detection 508, authorized domain 510 associated with the detected brand, and the domain 512 detected as being associated with webpage URL): Gardner in view of Cleveland are analogous art because they are from the “same field of endeavor” and are from the same “problem solving area”. Namely, they pertain to the field of “methods for user authentication and preventing phishing attack”. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to modify the invention of Gardner in view of Cleveland to include the idea of identifying a domain of the source and performing an object detection using neural network to detect phishing attack (Cleveland, ¶[0004]). Gardner in view of Cleveland does not explicitly discuss the following limitation that Buzbee teaches: wherein the cookie feature data includes at least one of a length of a name of a cookie, a length of a cookie value, or a cookie lifespan (Buzbee, ¶[0070], four objects are typically provided: JavaScript file, a rendering file, an HTML file and a cookie. ¶[0183], authentication cookie is invalid (either expired or the user hasn’t logged in). ¶[0188], ¶[0190], the local application may parse the cookies into multiple different cookies). Gardner in view of Cleveland and Buzbee are analogous art because they are from the “same field of endeavor” and are from the same “problem solving area”. Namely, they pertain to the field of “methods for user authentication and preventing phishing attack”. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to modify the invention of Gardner in view of Cleveland and Buzbee to include the idea of rendering cookie because the cookie typically includes connection information to facilitate persistence remote browsing sessions (Buzbee, ¶[0070]). Regarding claim 3, Gardner in view of Cleveland and Buzbee discloses the method of claim 1, wherein the cookie feature data further includes at least one of a presence of a unique identifier session cookie, a presence of first party cookie, a presence of a third party cookie, or a ratio of first party to third party cookies (Gardner, col 1, line 20-25, cookies can be used to track a user’s page browsing at a website. Cookies provided by certain types of third parties, such as online advertisers, can be used to track a user’s browsing habits across a variety of websites. Also Buzbee, ¶[0057], data repositories may store third party websites that are able to be harmonized for an application isolation session. ¶[0070], the cookie typically includes connection information to facilitate persistent remote browsing sessions. ¶[0066], an indicator (i.e. cookie) that identifies whether the user or client computing device is associated with one or more browsing session). Regarding claim 4, Gardner in view of Cleveland and Buzbee discloses the method of claim 1, wherein the cookie model includes a classification model that has been trained on a dataset associated with the cookie feature data (Gardner, Col 5, line 40-45, the cookie inspection module implements a deep packet inspection (DPI) engine to filter the network traffic stream. If a cookie is detected in the network traffic stream, the cookie inspection module analyzes the cookie to identify its source. The identified source can be for example the website that provided the cookie, the domain of the server that created the cookie. Line 45-55, the reputation determination module receives information regarding the identified source of the detected cookie and determines the reputation of the source. Cleveland, ¶[0011], using an object detection convolutional network. ¶[0050], an object detection convolutional neural network that is trained to detect the logo images. ¶[0068], MailEye may comprise an object detection convolutional neural network that is trained to detect the logos). Regarding Claim 5, Gardner in view of Cleveland and Buzbee discloses the method of claim 4, wherein the cookie model is trained to look for similarities in the cookie feature data (Gardner, col 1, line 20-25, cookies can be used to track a user’s page browsing at a website. Cookies provided by certain types of third parties, such as online advertisers, can be used to track a user’s browsing habits across a variety of websites. Such tracking can allow the third party to build a profile of the user and provide targeted advertising based on the profile. Cleveland, ¶[0011], using an object detection convolutional network. ¶[0050], an object detection convolutional neural network that is trained to detect the logo images. ¶[0068], MailEye may comprise an object detection convolutional neural network that is trained to detect the logos). Regarding Claim 6, Gardner in view of Cleveland and Buzbee discloses the method of claim 1, further comprising: extracting, by the processor, visual feature data from the webpage data (Cleveland, ¶[0004], identify a domain of the source and perform an object detection using an object detection convolutional neural network, on one or more brand logos located within visual content, to detect an instantiation of one or more targeted brands. Determine, based on the object detection, that at least a portion of the visual content resembles content of a candidate brand, to compare the domain of the source with one or more authorized domains of the candidate brand, and declare a phishing event when the comparing indicates that the domain of the source is not one of the authorized domains of the candidate brand. ¶[0008], performing a visual fingerprinting by generating a visual hash. ¶[0009]); and determining, by the processor, visual score data based on an analysis of the visual feature data with a visual model (Cleveland, ¶[0011], determining based on the object detection that the detected brand logo resembles content of a candidate brand. The method may further comprise comparing the characteristic associated with the triggered action, with one or more authorized characteristics associated with the candidate brand, and declaring a phishing event when the comparing indicates that the characteristic associated with the triggered action is not one of the authorized characteristics of the candidate brand), wherein the predicting, by the processor, the fraudulent content of the webpage is further based on the visual score data (Cleveland, ¶[0011], comparing the characteristic associated with the triggered action, with one or more authorized characteristics associated with the candidate brand, and declaring a phishing event when the comparing indicates that the characteristic associated with the triggered action is not one of the authorized characteristics of the candidate brand. ¶[0050], ¶[0053]). Regarding Claim 7, Gardner in view of Cleveland and Buzbee discloses the method of claim 6, wherein the visual feature data includes at least one of a brand logo, a credential/login prompt box, informational text content, or an internal hyperlink (Cleveland, ¶[0011], comparing the characteristic associated with the triggered action, with one or more authorized characteristics associated with the candidate brand, and declaring a phishing event when the comparing indicates that the characteristic associated with the triggered action is not one of the authorized characteristics of the candidate brand. ¶[0050], ¶[0053]. ¶[0058], a detection event may comprise a user alert, which displays an image showing visually where on the webpage a logo was detected. Fig-5, a box overlay 502 is provided to show the relevant logo 504 and a user identification/password prompt 506, along with an indication of brand detection 508). Regarding Claim 8, Gardner in view of Cleveland and Buzbee discloses the method of claim 1, further comprising: extracting, by the processor, uniform resource locator (URL) feature data from the webpage data (Cleveland, ¶[0003], identify deceptive phishing communications such as emails and URLs across an array of communication platform. ¶[0005], the source may be a uniform resource locator (URL) and the visual content may originate from an entity associated with the URL. ¶[0007], mismatch between the domain detected as being associated with the detected brand and the domain detected as being associated with the URL. ¶[0055]- ¶[0056]); and determining, by the processor, URL score data based on an analysis of the URL feature data with a URL model (Cleveland, ¶[0058], the domain detected as being associated with webpage URL. The authorized domain may be distinguished by the actual webpage URL domain using color), wherein the predicting, by the processor, the fraudulent content of the webpage is further based on the URL score data (Cleveland, ¶[0062], detect phishing URLs sharing identical image patterns with previously identified phishing URLs. ¶[0076],selects an embedded link associated with a logo in their browser that would lead to an unauthorized web URL). Regarding Claim 9, Gardner in view of Cleveland and Buzbee discloses the method of claim 8, wherein the URL feature data includes at least one of a URL length, a URL depth or direction, binary executables, and URL token attributes (Cleveland, ¶[0062], detect phishing URLs sharing identical image patterns with previously identified phishing URLs. Buzbee, ¶[0156], the setting may include generating one or more authentication values and providing a cookie, JSON web token to include the one or more authentication values. ¶[0164], the state information may be included in or appended to a uniform resource identifier (URI) (for example, a URL string, cookie, JSON object (for example, a JSON web token), or other object. ¶[0189], when the URL meets or exceeds a predetermined length, different local application behave in different ways). Regarding Claim 10, Gardner in view of Cleveland and Buzbee discloses the method of claim 1, wherein the prediction model is a rule-based model that predicts fraudulent or legitimate based on a value of the cookie score data (Gardner, col 3, line 50-60, the reputation score represents an assessment of whether the associated website is trustworthy, whether the website is known to use cookies to build profiles. The reputation server can determine the reputation score of a website based on a variety of criteria. Col 5, line 35-45, the cookie inspection module implements a deep packet inspection engine. If a cookie is detected in the network traffic stream, the cookie inspection module analyzes the cookie to identify its source). Regarding Claim 11, Gardner in view of Cleveland and Buzbee discloses the method of claim 1, wherein the prediction model is a logistical regression model that predicts at least one of fraudulent and legitimate based on a value of the cookie score data, wherein the logistical regression model further provides a prediction confidence or probability (Gardner, Col 5, line 40-45, the cookie inspection module implements a deep packet inspection (DPI) engine to filter the network traffic stream. If a cookie is detected in the network traffic stream, the cookie inspection module analyzes the cookie to identify its source. The identified source can be for example the website that provided the cookie, the domain of the server that created the cookie. Line 45-55, the reputation determination module receives information regarding the identified source of the detected cookie and determines the reputation of the source. Cleveland, ¶[0011], using an object detection convolutional network. ¶[0050], an object detection convolutional neural network that is trained to detect the logo images. ¶[0068], MailEye may comprise an object detection convolutional neural network that is trained to detect the logos). Regarding Claim 12, Gardner discloses a system for detecting phishing activity by a webpage, comprising: one or more processors (Gardner, Fig-1); a non-transitory computer-readable storage medium storing instructions which, when executed by the one or more processors, cause the one or more processors to (Gardner, Fig-1): receive webpage data associated with the webpage (Gardner, col 2, line 55-65, the web server provides the client with web pages of the website. The web server provides the client with one or more cookies for the website); extract cookie feature data from the webpage data (Gardner, col 3, line 10-20, the browser module communicates with the cookies cache for cookie data related to a website viewed by a client. Col 3, line 35-40, upon detecting the presence of a cookie associated with a website in a response from the web server, the security module communicates with the reputation server and determines the reputation of the website associated with the cookie); determine cookie score data based on an analysis of the cookie feature data with a cookie model (Gardner, col 3, line 50-60, the reputation score represents an assessment of whether the associated website is trustworthy, whether the website is known to use cookies to build profiles. The reputation server can determine the reputation score of a website based on a variety of criteria. Col 5, line 35-45, the cookie inspection module implements a deep packet inspection engine. If a cookie is detected in the network traffic stream, the cookie inspection module analyzes the cookie to identify its source); predict fraudulent content of the webpage based on the cookie score data and a prediction model (Gardner, col 5, line 50-55, the reputation server determines a reputation score for the identified website and returns the score to the reputation determination module that can cache the reputation scores to avoid needing to query the reputation server each time a cookie associated with the website is detected. Line 60-65, reputation score determines if the website is good or bad. The score is compared with predetermined reputation threshold); and generate notification data including an indication of the fraudulent content (Gardner, col 6, line 5-10, the score determines if the website is good or bad. The reputation determination module sends a report to the cookie response module describing the reputation of the website). Gardner does not explicitly discuss the following limitation that Cleveland teaches: analyze the webpage data to determine if at least one of a brand logo or a credential entry box is present (Cleveland, ¶[0058], a detection event may comprise a user alert, which displays an image showing visually where on the webpage a logo was detected, and indicating that the user is not on an authorized login domain for that brand. Fig-5, a box overlay 502 is provided to show the relevant logo 504 and a user identification/password prompt 506, along with an indication of brand detection 508, authorized domain 510 associated with the detected brand, and the domain 512 detected as being associated with webpage URL. The authorized domain may be distinguished by the actual webpage URL domain using color); in response to a determination that the brand logo is present or the credential entry box is present (Cleveland, ¶[0058], a detection event may comprise a user alert, which displays an image showing visually where on the webpage a logo was detected, and indicating that the user is not on an authorized login domain for that brand. Fig-5, a box overlay 502 is provided to show the relevant logo 504 and a user identification/password prompt 506, along with an indication of brand detection 508, authorized domain 510 associated with the detected brand, and the domain 512 detected as being associated with webpage URL): Gardner in view of Cleveland are analogous art because they are from the “same field of endeavor” and are from the same “problem solving area”. Namely, they pertain to the field of “methods for user authentication and preventing phishing attack”. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to modify the invention of Gardner in view of Cleveland to include the idea of identifying a domain of the source and performing an object detection using neural network to detect phishing attack (Cleveland, ¶[0004]). Gardner in view of Cleveland does not explicitly discuss the following limitation that Buzbee teaches: wherein the cookie feature data includes at least one of a length of a name of a cookie, a length of a cookie value, or a cookie lifespan (Buzbee, ¶[0070], four objects are typically provided: JavaScript file, a rendering file, an HTML file and a cookie. ¶[0183], authentication cookie is invalid (either expired or the user hasn’t logged in). ¶[0188], ¶[0190], the local application may parse the cookies into multiple different cookies). Gardner in view of Cleveland and Buzbee are analogous art because they are from the “same field of endeavor” and are from the same “problem solving area”. Namely, they pertain to the field of “methods for user authentication and preventing phishing attack”. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to modify the invention of Gardner in view of Cleveland and Buzbee to include the idea of rendering cookie because the cookie typically includes connection information to facilitate persistence remote browsing sessions (Buzbee, ¶[0070]). Regarding Claim 13, Gardner in view of Cleveland and Buzbee discloses the system of claim 12, wherein the cookie feature data further includes at least one of presence of a unique identifier session cookie, a presence of first party cookie, a presence of a third party cookie, and a ratio of first party to third party cookies (Gardner, Col 4, line 1-10, a small, unknown website may be assigned a reputation score indicating a bad reputation. Col 5, line 40-45, if a cookie is detected in the network traffic stream, the cookie inspection module analyzes the cookie to identify its source. The identified source can be for example the website that provided the cookie, the domain of the server that created the cookie. Also Buzbee, ¶[0057], data repositories may store third party websites that are able to be harmonized for an application isolation session. ¶[0070], the cookie typically includes connection information to facilitate persistent remote browsing sessions. ¶[0066], an indicator (i.e. cookie) that identifies whether the user or client computing device is associated with one or more browsing session). Regarding Claim 14, Gardner in view of Cleveland and Buzbee discloses the system of claim 12, wherein the cookie model includes a classification model that has been trained on a dataset associated with the cookie feature data (Gardner, Col 5, line 40-45, the cookie inspection module implements a deep packet inspection (DPI) engine to filter the network traffic stream. If a cookie is detected in the network traffic stream, the cookie inspection module analyzes the cookie to identify its source. The identified source can be for example the website that provided the cookie, the domain of the server that created the cookie. Line 45-55, the reputation determination module receives information regarding the identified source of the detected cookie and determines the reputation of the source. Cleveland, ¶[0011], using an object detection convolutional network. ¶[0050], an object detection convolutional neural network that is trained to detect the logo images. ¶[0068], MailEye may comprise an object detection convolutional neural network that is trained to detect the logos). Regarding Claim 15, Gardner in view of Cleveland and Buzbee discloses the system of claim 14, wherein the cookie model is trained to look for similarities in the cookie feature data (Gardner, col 1, line 20-25, cookies can be used to track a user’s page browsing at a website. Cookies provided by certain types of third parties, such as online advertisers, can be used to track a user’s browsing habits across a variety of websites. Such tracking can allow the third party to build a profile of the user and provide targeted advertising based on the profile. Cleveland, ¶[0011], using an object detection convolutional network. ¶[0050], an object detection convolutional neural network that is trained to detect the logo images. ¶[0068], MailEye may comprise an object detection convolutional neural network that is trained to detect the logos). Regarding Claim 16, Gardner in view of Cleveland and Buzbee discloses the system of claim 12, wherein the computer-readable storage medium is further configured to store instructions which, when executed by the one or more processors, cause the one or more processors to: extract visual feature data from the webpage data (Cleveland, ¶[0004], identify a domain of the source and perform an object detection using an object detection convolutional neural network, on one or more brand logos located within visual content, to detect an instantiation of one or more targeted brands. Determine, based on the object detection, that at least a portion of the visual content resembles content of a candidate brand, to compare the domain of the source with one or more authorized domains of the candidate brand, and declare a phishing event when the comparing indicates that the domain of the source is not one of the authorized domains of the candidate brand. ¶[0008], performing a visual fingerprinting by generating a visual hash. ¶[0009]); determine visual score data based on an analysis of the visual feature data with a visual model (Cleveland, ¶[0011], determining based on the object detection that the detected brand logo resembles content of a candidate brand. The method may further comprise comparing the characteristic associated with the triggered action, with one or more authorized characteristics associated with the candidate brand, and declaring a phishing event when the comparing indicates that the characteristic associated with the triggered action is not one of the authorized characteristics of the candidate brand), and predict the fraudulent content of the webpage further based on the visual score data (Cleveland, ¶[0011], comparing the characteristic associated with the triggered action, with one or more authorized characteristics associated with the candidate brand, and declaring a phishing event when the comparing indicates that the characteristic associated with the triggered action is not one of the authorized characteristics of the candidate brand. ¶[0050], ¶[0053]). Regarding Claim 17, Gardner in view of Cleveland and Buzbee discloses the system of claim 12, wherein the computer-readable storage medium is further configured to store instructions which, when executed by the one or more processors, cause the one or more processors to: extract uniform resource locator (URL) feature data from the webpage data (Cleveland, ¶[0003], identify deceptive phishing communications such as emails and URLs across an array of communication platform. ¶[0005], the source may be a uniform resource locator (URL) and the visual content may originate from an entity associated with the URL. ¶[0007], mismatch between the domain detected as being associated with the detected brand and the domain detected as being associated with the URL. ¶[0055]- ¶[0056]); determine, by the processor, URL score data based on an analysis of the URL feature data with a URL model (Cleveland, ¶[0058], the domain detected as being associated with webpage URL. The authorized domain may be distinguished by the actual webpage URL domain using color); and predict the fraudulent content of the webpage further based on the URL score data (Cleveland, ¶[0062], detect phishing URLs sharing identical image patterns with previously identified phishing URLs. ¶[0076],selects an embedded link associated with a logo in their browser that would lead to an unauthorized web URL). Regarding Claim 18, Gardner in view of Cleveland and Buzbee discloses the system of claim 12, wherein the prediction model is a rule-based model that predicts fraudulent or legitimate based on a value of the cookie score data (Gardner, col 3, line 50-60, the reputation score represents an assessment of whether the associated website is trustworthy, whether the website is known to use cookies to build profiles. The reputation server can determine the reputation score of a website based on a variety of criteria. Col 5, line 35-45, the cookie inspection module implements a deep packet inspection engine. If a cookie is detected in the network traffic stream, the cookie inspection module analyzes the cookie to identify its source). Regarding Claim 19, Gardner in view of Cleveland and Buzbee discloses the system of claim 12, wherein the prediction model is a logistical regression model that predicts at least one of fraudulent and legitimate based on a value of the cookie score data, wherein the logistical regression model further provides a prediction confidence or probability (Gardner, Col 5, line 40-45, the cookie inspection module implements a deep packet inspection (DPI) engine to filter the network traffic stream. If a cookie is detected in the network traffic stream, the cookie inspection module analyzes the cookie to identify its source. The identified source can be for example the website that provided the cookie, the domain of the server that created the cookie. Line 45-55, the reputation determination module receives information regarding the identified source of the detected cookie and determines the reputation of the source. Cleveland, ¶[0011], using an object detection convolutional network. ¶[0050], an object detection convolutional neural network that is trained to detect the logo images. ¶[0068], MailEye may comprise an object detection convolutional neural network that is trained to detect the logos). Regarding Claim 20, Gardner discloses a non-transitory computer-readable storage device storing instructions which, when executed by one or more processors, cause the one or more processors to: receive webpage data associated with a webpage (Gardner, col 2, line 55-65, the web server provides the client with web pages of the website. The web server provides the client with one or more cookies for the website); extract cookie feature data from the webpage data (Gardner, col 3, line 10-20, the browser module communicates with the cookies cache for cookie data related to a website viewed by a client. Col 3, line 35-40, upon detecting the presence of a cookie associated with a website in a response from the web server, the security module communicates with the reputation server and determines the reputation of the website associated with the cookie); determine cookie score data based on an analysis of the cookie feature data with a cookie model (Gardner, col 3, line 50-60, the reputation score represents an assessment of whether the associated website is trustworthy, whether the website is known to use cookies to build profiles. The reputation server can determine the reputation score of a website based on a variety of criteria. Col 5, line 35-45, the cookie inspection module implements a deep packet inspection engine. If a cookie is detected in the network traffic stream, the cookie inspection module analyzes the cookie to identify its source); predict fraudulent content of the webpage based on the cookie score data and a prediction model (Gardner, col 5, line 50-55, the reputation server determines a reputation score for the identified website and returns the score to the reputation determination module that can cache the reputation scores to avoid needing to query the reputation server each time a cookie associated with the website is detected. Line 60-65, reputation score determines if the website is good or bad. The score is compared with predetermined reputation threshold); and generate notification data including an indication of the fraudulent content (Gardner, col 6, line 5-10, the score determines if the website is good or bad. The reputation determination module sends a report to the cookie response module describing the reputation of the website). Gardner does not explicitly discuss the following limitation that Cleveland teaches: analyze the webpage data to determine if at least one of a brand logo or a credential entry box is present (Cleveland, ¶[0058], a detection event may comprise a user alert, which displays an image showing visually where on the webpage a logo was detected, and indicating that the user is not on an authorized login domain for that brand. Fig-5, a box overlay 502 is provided to show the relevant logo 504 and a user identification/password prompt 506, along with an indication of brand detection 508, authorized domain 510 associated with the detected brand, and the domain 512 detected as being associated with webpage URL. The authorized domain may be distinguished by the actual webpage URL domain using color); in response to a determination that the brand logo is present or the credential entry box is present (Cleveland, ¶[0058], a detection event may comprise a user alert, which displays an image showing visually where on the webpage a logo was detected, and indicating that the user is not on an authorized login domain for that brand. Fig-5, a box overlay 502 is provided to show the relevant logo 504 and a user identification/password prompt 506, along with an indication of brand detection 508, authorized domain 510 associated with the detected brand, and the domain 512 detected as being associated with webpage URL): Gardner in view of Cleveland are analogous art because they are from the “same field of endeavor” and are from the same “problem solving area”. Namely, they pertain to the field of “methods for user authentication and preventing phishing attack”. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to modify the invention of Gardner in view of Cleveland to include the idea of identifying a domain of the source and performing an object detection using neural network to detect phishing attack (Cleveland, ¶[0004]). Gardner in view of Cleveland does not explicitly discuss the following limitation that Buzbee teaches: wherein the cookie feature data includes at least one of a length of a name of a cookie, a length of a cookie value, or a cookie lifespan (Buzbee, ¶[0070], four objects are typically provided: JavaScript file, a rendering file, an HTML file and a cookie. ¶[0183], authentication cookie is invalid (either expired or the user hasn’t logged in). ¶[0188], ¶[0190], the local application may parse the cookies into multiple different cookies). Gardner in view of Cleveland and Buzbee are analogous art because they are from the “same field of endeavor” and are from the same “problem solving area”. Namely, they pertain to the field of “methods for user authentication and preventing phishing attack”. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to modify the invention of Gardner in view of Cleveland and Buzbee to include the idea of rendering cookie because the cookie typically includes connection information to facilitate persistence remote browsing sessions (Buzbee, ¶[0070]). Conclusion Applicant’s amendment necessitated the new ground(s) of rejection presented in this office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to WASIKA NIPA whose telephone number is (571)272-8923. The examiner can normally be reached on M-F (7:30 - 5:00). If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JEFFRY PWU can be reached on 571-272-6798. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /WASIKA NIPA/ Primary Examiner, Art Unit 2433