DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This office action is in response to communication filed on 02/12/2026.
Status of claims in the instant application:
Claims 1-18, 20-29 and 31-34 are pending.
Claims 19 and 30 have been canceled.
Claims 32-34 have been newly added.
Claims 1, 10, 20, 25 and 27-29 have been amended.
Response to Arguments
Applicant's arguments, see page [7-8] of the remarks filed on 02/12/2026, with respect to interpretation of claims under 35 USC 112(f), have been fully considered but they are not persuasive. Therefore the claim interpretations are maintained.
Applicants states that, “The term "classifier" is not a generic placeholder or nonce term but rather denotes sufficient structure, because it is described in the specification… The absence of the word "means" creates a rebuttable presumption against interpretation under 35 U.S.C. § 112(f), and Applicant has rebutted any such presumption by showing that the claim recites sufficient structure. Applicant notes that the corresponding structure is at least provided in the machine learning model as described in paragraphs [0052], [0069], [0079], and [0088] of the specification, and equivalents thereof.”
Examiner notes that there is no structure recited in the claim and that Applicant’s own arguments admits that to recognize the term “classifier” as having a definite structure one has to go into the specification to read the details regarding it. Therefore, one would not recognizes the term “classifier” as having a definite (known) structure just from the claim. Therefore the term “classifier”, as used/recited in the claim is a place holder (nonce) term.
Applicant's arguments, see the remarks filed on 02/12/2026, with respect to rejection of claims under 35 USC 103, have been fully considered but they are not persuasive. Therefore the claim rejections are maintained.
Furthermore, Applicant’s claim amendments and/or newly added claims have rendered new grounds for rejection (and objection).
Applicants states, see page [8-9] of the remarks regarding Independent claim 1, that “Oprea's risk scores focus on current malicious associations, not predictive assessment of future compromise based on pre-indicators of compromise, such as domains likely to be weaponized in the near future. Kutt's techniques address resistance to current disguises in static analysis, not domain-level prediction of future maliciousness within a predetermined period”.
In response, Examiner notes that claim does not explicitly recite that the maliciousness determination is for a “future time period.”
In response to applicant's argument that the references fail to show certain features of the invention, it is noted that the features upon which applicant relies (i.e., the maliciousness determination for a future time period) are not recited in the rejected claim(s). Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims. See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993).
Applicants states, see page [9] of the remarks regarding dependent claim 5, that “Zhang discloses transfer learning for generating risk-control rules in financial fraud
contexts using weighted decision trees on source and target domain data. However, Zhang does not disclose or render obvious handling network traffic to or from a candidate domain based on a classification that the candidate domain is a higher risk website and a security policy, particularly in the context of websites at risk for future malware injection. The combination with Oprea and Kutt, which focus on current domain risks and URL classification, lacks motivation to incorporate Zhang's financial transaction rules for network traffic handling. This rejection relies on impermissible hindsight, as Zhang's domain adaptation for fraud rules does not suggest Applicant's traffic handling tied to predictive higher-risk classifications.”
In response, Examiner disagrees with Applicant’s above characterization of Zhang prior art. The cited portion (i.e. Para [0049]) of Zhang, along with combination of Oper-Kutt prior art, clearly discloses classifying data involving source/target domains and applying risk control rules based on weight (i.e. importance) of the risk.
In response to applicant's argument that the examiner's conclusion of obviousness is based upon improper hindsight reasoning, it must be recognized that any judgment on obviousness is in a sense necessarily a reconstruction based upon hindsight reasoning. But so long as it takes into account only knowledge which was within the level of ordinary skill at the time the claimed invention was made, and does not include knowledge gleaned only from the applicant's disclosure, such a reconstruction is proper. See In re McLaughlin, 443 F.2d 1392, 170 USPQ 209 (CCPA 1971).
Applicants states, see page [9] of the remarks regarding dependent claims 6-8, that “Although Stein may disclose a priority queue for scanning domains based on name and IP features to determine risk priority scores for vulnerability assessment, Stein does not teach storing classifications for a subset of higher risk websites in a domain classification database used for detection and policy enforcement on traffic, or inferring classifications and performing actions based thereon. Stein's queue prioritizes scanning, not a database for real-time lookup and traffic handling as in Applicant's system. There is no motivation to combine Stein's vulnerability prioritization with Oprea and Kutt to achieve Applicant's offline database gating for inline content analysis and policy enforcement, rendering the combination non-obvious.”
In response, Examiner disagrees Applicant’s characterization of Stein prior not disclosing certain claimed elements.
Examiner would like to point out that claims 6-8 do not recite any real time lookup or traffic handling that the Applicant is arguing about.
Examiner also notes, in response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references. See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).
The portion of Stein (col.9,10;ln.62-67,1-17) cited in the previous office action clearly disclosing storing domains with identifier and risk priority scores; and that the combination of Opera-Kutt prior arts already discloses “classifications for a subset of higher risk websites”.
Applicants states, see page [10] of the remarks regarding dependent claims 10, 11, 23, and 26, that “Although Nabeel may disclose graph neural networks for batch blocklists and real-time predictions using PDNS crawls, with filtering of likely false positives based on rules like domain age or popularity, Nabeel does not teach a lightweight inline machine learning model for real-time risk analysis, an offline classifier asynchronous to traffic interception, or post-filtering of predicted classifications to determine false positives based on specific rules. For example, Nabeel's ensemble models and graph inference are not lightweight with fewer features for sub-100 ms responses, as in Applicant's inline classifier. The combination lacks motivation to adapt Nabeel's blocklist generation for Applicant's differentiated inline and offline classifiers with post-filtering, making the rejection reliant on hindsight”
In response, Examiner disagrees with Applicant’s characterization of Nabeel prior art.
Examiner notes for the Applicant that Nabeel prior art was NOT used in the previous office action disclosing applicant’s “lightweight inline machine learning model”. Therefore Applicant’s argument regarding Nabeel prior art is not responsive to the previous office action.
As for Applicant’s argument regarding “features for sub-100 ms responses” not taught by Nabeel is not responsive either. None of the claims 10, 11, 23, and 26 recite anything that relates to 100 ms; and that Nabeel prior was not used for the claimed feature relating 100 ms for the claims that Applicant is arguing about.
As for Applicant’s argument regarding “an offline classifier asynchronous to traffic interception” and “post-filtering of predicted classifications to determine false positives based on specific rules”, the cited portions of Nabeel prior art clearly discloses those features. The “batch-mode” feature described by Nabeel (Para [0023]:) and cited in the previous office action is the discloses Applicant’s claimed “offline classifier”. The “false positive detector 830” function described by Nabeel (Para [0074)]) and cited in the previous office action discloses Applicant’s claimed “post-filtering” feature.
Applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.
Applicants states, see page [10] of the remarks regarding dependent claim 12, that “Zhang's separation of offline and inline URL databases for efficiency does not teach training a lightweight inline model using fewer features than an offline model for detection or classification of websites. Zhang subsets database entries for memory constraints, not model training with reduced features. There is no motivation to combine this with the prior references to achieve Applicant's feature tradeoff for inline speed versus offline accuracy”.
In response, Examiner does not find Applicant’s arguments regarding Zhang prior not disclosing certain claimed feature in claim 12.
Zhang prior art discloses, as cited in previous office action, “offline URL classification mapping database containing hundreds of millions of websites and their corresponding categories and another separate inline URL classification mapping database that only contains a subset of websites”.
As disclosed by Zhang, the offline classification contains large number of websites and there corresponding categories, whereas inline (i.e. the real-time) contains only a subset. Therefore, Zhang prior art clearly discloses the feature in claim 12.
Claim Objections
Claim 29 is objected to because of the following informalities:
Claim 29 recites, “he set of training sample websites comprising a subset of benign or low risk domains, and a subset of high risk domains, wherein the set of features is generated based at least in part on one or more of crawled website content, lexical data, registration hostirical risk scores, passive domain name system (PDNS) data, and Virus Total reports”
There is a typographical error in “hostirical”. It should be “historical”
Appropriate correction is required.
Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) is invoked.
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f):
(A) the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function;
(B) the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and
(C) the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function.
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f). The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function.
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function.
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) because the claim limitations use a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitations are:
Claim 1: “a classifier is configured to predict whether a candidate domain is likely to become malicious within a predetermined period of time.”
Because these claim limitations are being interpreted under 35 U.S.C. 112(f), they are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
Examiner has investigated the disclosure (specification, drawing …) of the instant application and find the following for the place holder terms identified above:
“ Para [0052]: In some embodiments, the classifier (e.g., ML model 176) is trained using a machine learning process. For example, the classifier is a random forest model. As an example, the ML model is trained from a training set comprising a subset of benign records or domains (e.g., records for known or previously classified benign domains) and a subset of malicious records or domains. As another example, the ML model is trained from a training set of domains comprising a subset of high risk domains, a subset comprising medium risk domains, and a subset comprising low risk domains. As another example, the ML model is trained from a training set of domains comprising a subset of domains that became malicious within a predefined period of time after evaluation/classification and a subset of domains that remain benign within a predefined period of time after evaluation/classification.
Para [0069]: In some embodiments, the classifier performs an ML-based computation of the risk score. For example, the classifier may comprise a ML model that uses an ML-based that generates a predicted risk score. The ML model can use information from a set of data sources. Examples of the data from the set of data sources include historical data/classifications, crawled content data, lexical data, registration data, historical risk scores, pDNS data, and third party risk assessments (e.g., VirusTotal™ reports, community ratings, etc.). Various other types of data or data sources can be implemented. The classifier extracts features based at least in part on this information from the set of data sources and queries the ML model for a predicted risk score.
Para [0079]: In response to extracting the set of features, system 300 trains a classifier, such as a machine learning model (e.g., a random forest model) …
Para [0088]: Figure 4 is an illustration of a service for classifying domains according to various embodiments. In some embodiments, system 400 is implemented at least in part by system 100 of Figure 1. In some embodiments, system 400 implements at least part of one or more of processes 500-1500 of Figure 5-15. In some embodiments, system 400 is implemented to implement a classifier (e.g., a machine learning model) to perform an ML-based domain classification, such as to classify whether the candidate domain is a likely to become malicious within a predefined period of time (e.g., in the near future).
Examiner interprets “classifier” as a software element, based on at-least the above cited portions of specification pf the instant application. Furthermore, independent claim recites “a processor” performing the claimed functions using instructions stored in a memory coupled to the processor. Therefore, classifier is interpreted to be executed by the claimed processor to perform the claimed function(s).
If applicant does not intend to have these limitations interpreted under 35 U.S.C. 112(f), applicant may: (1) amend the claim limitations to avoid them being interpreted under 35 U.S.C. 112(f) (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitations recite sufficient structure to perform the claimed function so as to avoid them being interpreted under 35 U.S.C. 112(f).
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-4, 9, 20, 21 and 27-28 are rejected under 35 U.S.C. 103 as being unpatentable over Patent. No.: US 9838407 B1 to Oprea et al. (hereinafter “Oprea”) in view of Pub. No.: US 20220046057 A1 to Kutt et al. (hereinafter “Kutt”), and further in view of Pub. No.: US 20250126140 A1 to Mayfield et al. (hereinafter “Mayfield”).
Regarding Claim 1. Oprea discloses A system (Oprea: FIG. 1), comprising:
one or more processors (Oprea: FIG. 1), configured to:
identify a subset of higher risk websites based on using a classifier [configured to predict whether a candidate domain is expected to become malicious within a predetermined period of time], wherein the higher risk websites are at risk for potential malware (Oprea, Abstract; col.10-11,ln.65-67,1-18; col.16,ln.49-55; col.22,ln.23-39: … A processing device in one embodiment comprises a processor coupled to a memory and is configured to obtain internal log data of a computer network of an enterprise, to extract values of a plurality of designated internal features from the log data, to obtain additional data from one or more external data sources, and to extract values of a plurality of designated external features from the additional data. The extracted values are applied to a regression model based on the internal and external features to generate malicious activity risk scores for respective ones of a plurality of domains, illustratively external domains having fully-qualified domain names (FQDNs). A subset of the domains are identified based on their respective malicious activity risk scores, and one or more proactive security measures are taken against the identified subset of domains. The processing device may be implemented in the computer network or an associated network security system … the malicious activity risk scores generated for respective domains are processed in step 206 to identify a subset of the domains having malicious activity risk scores above a specified threshold … In step 210, the regression model 114 is updated. For example, the model can be updated to reflect additional or alternative features associated with particular ones of the domains determined to have high malicious activity risk scores relative to other ones of the domains … A large number of content types on a domain suggests the domain might not be used to deliver regular web content. Moreover, certain content types (e.g., .exe and .jar) have higher associations with malware and exploits. To capture this, we consider the number and fraction of URLs within each category (html, java script, application, image, video, text) …) [injection or modification]; and
in response to identifying the subset of higher risk websites, perform an active measure based at least in part on the identified subset of higher risk websites (Oprea; col.18,ln.58-67; Abstract: … The first question we address is which metrics should be used for evaluating different predictive models. We consider a predictive model M built on the training set, which applied to a domain d in the testing set predicts the probability M (d) the domain is malicious. The higher the predicted probability M (d), the more suspicious the domain is considered … A subset of the domains are identified based on their respective malicious activity risk scores, and one or more proactive security measures are taken against the identified subset of domains …); and
a memory coupled to the one or more processors and configured to provide the one or more processors with instructions (Oprea, FIG. 1, col.5,ln.48-57: memory … processor … The risk score generator 110 in this embodiment comprises a data collector 112 and a regression model 114, and is configured to interact with a malicious domain identifier 116 coupled to a proactive malware infection prevention module 118. It is to be appreciated that this particular arrangement of modules is presented by way of example only, and alternative arrangements can be used in other embodiments. For example, the functionality associated with the modules 112, 114, 116 and 118 in other embodiments can be combined into a single module, or separated across a larger number of modules … ).
However, Oprea does not explicitly teach, but Kutt from same or similar field of endeavor teaches:
“risk for potential malware injection or modification (Kutt, Abstract, Para [0100-0112]: … Techniques for providing deep learning for malicious URL classification (URLC) … In general, the amount of good (benign) traffic vastly outnumbers the amount of malicious traffic, thus minimizing the amount of good traffic called malicious (e.g., generally referred to as a false positive (FP)) is typically desired for effective and efficient security solutions. Malware authors understand this and try to disguise their malicious code to look more like benign code. The most straightforward way to accomplish this is what is generally known as an append attack (e.g., also known as an injection, bundling, etc.) in which an attacker takes an (e.g., typically large) amount of benign content and injects their malicious content into it without compromising the functionality of the malware … malicious content can be injected into large benign files to evade detection (e.g., benign library injections or also by adding more white spaces is a common form of append attacks such as using various jQuery plugins and custom bundled files with website dependencies, which can cause incorrect benign classifications by many classifiers as the classification results can be perturbed by such benign library/other content injections into such files) …)”
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Kutt into the teachings of Oprea, because it discloses that, “IUPG-trained networks can provide significant advantages in common real-world problem settings, such as certain noise-based adversarial attacks in computer/network security contexts, handling distributional shifts, and out-of-distribution classification. Because IUPG is general enough to be applied to any architecture where categorical cross-entropy (CCE) can be used, various opportunities for combinations of IUPG with existing adversarial learning/OOD detectors present themselves which render better performance than either technique used in isolation as will also be further described below (Kutt, Para [0104])”.
However the combination of Oprea-Kutt does not explicitly teach but Mayfield from same or similar field of endeavor teaches, “configured to predict whether a candidate domain is expected to become malicious within a predetermined period of time (Mayfield, Claim 17: …The computer system of claim 16, wherein the determining whether the flow data associated with the web traffic for the website indicates the likelihood of the malicious enumeration attack further comprises: calculating, by the one or more processors, a security score based on: the volume of requests by the requester over the predetermined data analysis period; whether the threshold percentage of the requests made by the requester matches a request on the word list of common web pages; and whether the requester matches at least one name on an agent name list …).”
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Mayfield into the teachings of Oprea-Kutt, because it discloses that, “advantageously, embodiments described herein rely on a review of metadata and information available to routers or other networking devices, such as IP addresses, MAC addresses, the number of bytes, host names, web pages, packet headers and the like (Mayfield, Para [0023)”.
Regarding Claim 2. The combination of Oprea-Kutt-Mayfield discloses the system of claim 1, Oprea further discloses, “wherein the classifier is a machine learning model (Oprea, col.6.ln.20-25: … embodiments implement regression models and associated machine learning functionality to detect those domains that are most likely to be associated with malicious activity …).”
Regarding Claim 3. The combination of Oprea-Kutt-Mayfield discloses the system of claim 2, Oprea further discloses, “wherein the machine learning model comprises a random forest machine learning model (Oprea, col.8.ln.59-67: … Examples of particular types of regression models that can be utilized in illustrative embodiments include a random forest model, a logistic regression model and a decision trees regression model. However, embodiments of the invention are not limited to utilizing these particular types of regression models, and accordingly the regression model 114 may be replaced in other embodiments with a linear model, a Poisson model, a Bayesian model or another type of regression model. …).”
Regarding Claim 4. The combination of Oprea-Kutt-Mayfield discloses the system of claim 1, Oprea further discloses, “wherein performing the active measure in response to determining that a candidate domain is comprised in the subset of higher risk websites comprises:
applying a security policy based on a classification of the candidate domain as being a higher risk website (Oprea, Abstract, col.11.ln.14-27: … one or more proactive security measures are taken to prevent malware infection from the identified subset of domains … Steps 206 and 208 in the present embodiment provide one example of a manner in which one or more proactive measures are taken to prevent malware infection in one or more of the host devices based at least in part on the malicious activity risk scores. Other arrangements can be used to trigger proactive measures based at least in part on malicious activity risk scores determined in the manner described herein. For example, in some embodiments, investigation of alerts generated by various security products deployed within the enterprise can be prioritized based on the malicious activity risk scores. As mentioned previously, incident response teams have limited capacity for handling security incidents, and prioritization of alerts can help in focusing on the most relevant, highest-risk incidents …).”
Regarding Claim 9. The combination of Oprea-Kutt-Mayfield discloses the system of claim 1, Oprea further discloses, “wherein the subset of higher risk websites comprises one or more subdomains and one or more registered domains (Oprea, FIG. 3 Claim 5, col.14-15,ln.62-67,1-7: … The method of claim 1 wherein the one or more domain structure related features comprise one or more of a domain name length, a number of domain levels, a number of sub-domains, and a top-level domain … Malicious domains are not uniformly distributed across the available TLDs (top-level domains). It's a known strategy for attackers to register their domains on inexpensive TLDs to reduce their cost of operation. As such, we extract the TLD from the domain name and consider it as a categorical feature. We also look into the number of levels in the domain, the number of sub-domains on the same SLD (second-level domain) and domain name length. These features should be distinguishing for CDN and cloud services, which typically include a larger number of sub-domains and levels than malicious domains …).”
Regarding Claim 20. The combination of Oprea-Kutt-Mayfield discloses the system of claim 1, Mayfield further discloses, “wherein the classifier assigns a risk score based on a likelihood that the candidate domain will become malicious within the predetermined period of time (Mayfield, Claim 17: … The computer system of claim 16, wherein the determining whether the flow data associated with the web traffic for the website indicates the likelihood of the malicious enumeration attack further comprises: calculating, by the one or more processors, a security score based on: the volume of requests by the requester over the predetermined data analysis period; whether the threshold percentage of the requests made by the requester matches a request on the word list of common web pages; and whether the requester matches at least one name on an agent name list …).”
The motivation to further combine Mayfield remains same as in claim 1.
Regarding Claim 21. The combination of Oprea-Kutt-Mayfield discloses system of claim 20, Oprea further discloses, “wherein the risk score is based at least in part on a machine learning-based computation that incorporates information from multiple data sources (Oprea, Abstract: … A processing device in one embodiment comprises a processor coupled to a memory and is configured to obtain internal log data of a computer network of an enterprise, to extract values of a plurality of designated internal features from the log data, to obtain additional data from one or more external data sources, and to extract values of a plurality of designated external features from the additional data …).”
Regarding Claim 27. This claim contains all the same or similar limitations as claim 1, hence similarly rejected as claim 1.
Regarding Claim 28. This claim contains all the same or similar limitations as claim 1, hence similarly rejected as claim 1.
*** Oprea also discloses the “computer program product embodied in a non-transitory computer readable medium” (Oprea: col.6.ln.46-56)
Claims 5 is rejected under 35 U.S.C. 103 as being unpatentable over Patent. No.: US 9838407 B1 to Oprea et al. (hereinafter “Oprea”) in view of Pub. No.: US 20220046057 A1 to Kutt et al. (hereinafter “Kutt”) and Pub. No.: US 20250126140 A1 to Mayfield et al. (hereinafter “Mayfield”) as applied to claim 4 above, and further in view of Pub. No.: US 20200372424 A1 to Zhang et al. (hereinafter “Zhang”).
Regarding Claim 5. The combination of Oprea-Kutt-Mayfield discloses the system of claim 4, however it does not explicitly teach but Zhang from same or similar field of endeavor teaches:
“wherein applying the security policy comprises:
handling network traffic to/from the candidate domain based at least in part on (i) a classification that the candidate domain is a higher risk website, and (ii) the security policy (Zhang, Para [0049]: … By applying the weighted decision tree algorithm and the classification model to the sample data set that includes both the source domain data and the target domain data, the system can quickly determine the set of characteristic parameter values. In addition, the accuracy of the characteristic parameter values can be effectively increased by including the source domain data which can improve the accuracy of the risk-control rules in the target domain, thereby effectively increasing the efficiency of the process for generating the risk-control rules. …).” – *** Note that combination of Oprea-Kutt already discloses identifying/classifying higher risk websites.
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Zhang into the teachings of Oprea-Kutt-Mayfield, because it discloses that, “the accuracy of the characteristic parameter values can be effectively increased by including the source domain data which can improve the accuracy of the risk-control rules in the target domain, thereby effectively increasing the efficiency of the process for generating the risk-control rules (Zhang, Para [0049])”.
Claims 6-8 are rejected under 35 U.S.C. 103 as being unpatentable over Patent. No.: US 9838407 B1 to Oprea et al. (hereinafter “Oprea”) in view of Pub. No.: US 20220046057 A1 to Kutt et al. (hereinafter “Kutt”) and Pub. No.: US 20250126140 A1 to Mayfield et al. (hereinafter “Mayfield”), as applied to claim 1 above, and further in view of Patent. No.: US 10440042 B1 to Stein et al. (hereinafter “Stein”).
Regarding Claim 6. The combination of Oprea-Kutt-Mayfield discloses the system of claim 1, however it does not explicitly teach, but Stein from same or similar field of endeavor teaches:
“wherein the active measure comprises storing a set of classifications for the subset of higher risk website in a domain classification database (Stein; col.9,10;ln.62-67,1-17: … Once classifier logic 114 is trained, classifier logic 114 can be applied to the one or more features extracted for a particular domain name in order to analyze the one or more features of the particular domain name and determine a risk priority score of the particular domain name based on its analysis of the one or more features. Classifier logic 114 may add a unique identifier that identifies the domain name and the risk priority score for the domain name to a scanner priority queue 120 that is coupled to classification system 110. In one embodiment the unique identifier may be the domain name itself. Scanner priority queue 120 is a priority queue data structure that is similar to a regular queue data structure, however each element of the queue additionally has a priority associated with it, and an element with a higher priority is served before an element with lower priority. If two elements of a priority queue data structure have identical priority they are served according to their order in the queue. By storing the unique identifier that identifies the domain name and the risk priority score for the domain name in scanner priority queue 120, classification system 110 can prioritize which domain names should be scanned first, thereby improving the efficiency of scanner system 130 …).” – *** Note that combination of Oprea-Kutt-Mayfield already discloses identifying/classifying higher risk websites.
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Stein into the teachings of Oprea-Kutt-Mayfield, because it discloses that, “By storing the unique identifier that identifies the domain name and the risk priority score for the domain name in scanner priority queue 120, classification system 110 can prioritize which domain names should be scanned first, thereby improving the efficiency of scanner system 130 (Stein, col.10,ln.12-17)”.
Regarding Claim 7. The combination of Oprea-Kutt-Mayfield-Stein discloses the system of claim 6, Kutt further discloses, “wherein the domain classification database is used to detect higher risk website and in response to detection of the higher risk website, enforcing a security policy for handling traffic to or from the higher risk website (Kutt, Abstract: … Techniques for providing deep learning for malicious URL classification (URLC) using the innocent until proven guilty (IUPG) learning framework are disclosed. In some embodiments, a system, process, and/or computer program product includes storing a set comprising one or more innocent until proven guilty (IUPG) models for static analysis of a sample; performing a static analysis of one or more URLs associated with the sample, wherein performing the static analysis includes using at least one stored IUPG model; and determining that the sample is malicious based at least in part on the static analysis of the one or more URLs associated with the sample, and in response to determining that the sample is malicious, performing an action based on a security policy …).”
The motivation to further modify Kutt remains same as in claim 1.
Regarding Claim 8. The combination of Oprea-Kutt-Mayfield-Stein discloses the system of claim 6, Oprea further teaches:
“wherein the one or more processors are further configured to:
obtain a candidate sample to be classified (Oprea, Abstract: … a processor coupled to a memory and is configured to obtain internal log data of a computer network of an enterprise, to extract values of a plurality of designated internal features from the log data, to obtain additional data from one or more external data sources, and to extract values of a plurality of designated external features from the additional data …);
infer a classification for the candidate sample based at least in part on querying the domain classification database (Oprea, co.10,ln.48-64: … The regression model 114 in some embodiments is generated by identifying potential internal and external features indicative of malicious activity, obtaining data indicative of actual malicious activity for respective domains, determining correlations of the data indicative of actual malicious activity with respective ones of the potential malicious activity related internal and external features, selecting a subset of the potential malicious activity related features based on the correlations, and configuring the regression model to incorporate the selected subset of the potential malicious activity related features. The data indicative of actual malicious activity for respective domains can be obtained, for example, from the database 106 or other stored information of the network security system 105 …); and
perform an action based at least in part on the classification for the candidate sample (Oprea, co.11,ln.11-13: … In step 208, one or more proactive security measures are taken to prevent malware infection from the identified subset of domains …).”
Claims 10, 11, 23 and 26 are rejected under 35 U.S.C. 103 as being unpatentable over Patent. No.: US 9838407 B1 to Oprea et al. (hereinafter “Oprea”) in view of Pub. No.: US 20220046057 A1 to Kutt et al. (hereinafter “Kutt”) and Pub. No.: US 20250126140 A1 to Mayfield et al. (hereinafter “Mayfield”), as applied to claim 1 above, and further in view of Pub. No.: US 20240333749 A1 to Nabeel et al. (hereinafter “Nabeel”).
Regarding Claim 10. The combination of Oprea-Kutt-Mayfield discloses the system of claim 1, however it does not explicitly teach but Nabeel from same or similar field of endeavor teaches, “wherein the classifier is used to provide real-time analysis of a risk level for a candidate domain associated with a uniform resource locator (URL) (Nabeel, Para [0017, 0023]: … The present disclosure provides systems and methods that offer real-time predictions and batched blocklist updates/generation that can be used in various cybersecurity fields and networking concern for improving system reliability, reducing the severity of external threats, and reducing the odds of breach by an external party among other benefits including reduced computational resource usage for greater benefits compared to traditional approaches … The security system 160 is designed to support two key use cases: batch-mode blocklist generation/updates (e.g., daily/weekly blocklist generation) and real-time prediction. On a batch-mode basis, security system 160 first compiles a seed malicious domain list first seen on a given day and identifies other recent domains hosted on the same infrastructure where the seed malicious domains are hosted. Based on these resolutions, security system 160 builds a graph consisting of domains and IP addresses. Then, security system 160 collects lexical and hosting features and ground truth domains to train a machine learning model, such as a Graph Neural Networks (GNN) model. Based on the trained model, security system 160 detects a number of unseen malicious domains per batch periods. An ensemble of batch-period trained models is sued to predict in real-time the malicious domains not present in the training graph to further reduce the false positives …).”
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Nabeel into the teachings of Oprea-Kutt-Mayfield, because it discloses that, “The present disclosure provides systems and methods that offer real-time predictions and batched blocklist updates/generation that can be used in various cybersecurity fields and networking concern for improving system reliability, reducing the severity of external threats, and reducing the odds of breach by an external party among other benefits including reduced computational resource usage for greater benefits compared to traditional approaches (Nabeel, Para [0017])”.
Regarding Claim 11. The combination of Oprea-Kutt-Mayfield-Nabeel discloses the system of claim 10, Kutt further disclose, “wherein the classifier used to provide real-time analysis is a lightweight inline machine learning model (Kutt, Para [0071]: … In various embodiments, data appliance 102 is configured to work in cooperation with security platform 122. As one example, security platform 122 can provide to data appliance 102 a set of signatures of known-malicious files (e.g., as part of a subscription). If a signature for malware 130 is included in the set (e.g., an MD5 hash of malware 130), data appliance 102 can prevent the transmission of malware 130 to client device 104 accordingly (e.g., by detecting that an MD5 hash of the email attachment sent to client device 104 matches the MD5 hash of malware 130) … As will be described in more detail below, security platform 122 can also provide other types of information to data appliance 102 (e.g., as part of a subscription) such as a set of machine learning models usable by data appliance 102 to perform inline analysis of files …).”
The motivation to further recombine Kutt remains same as in claim 1.
Regarding Claim 23. The combination of Oprea-Kutt-Mayfield discloses the system of claim 1, however it does not explicitly teach but Nabeel from same or similar field of endeavor teaches, “wherein the classifier is an offline classifier that performs classifications offline that is asynchronous to an interception of network traffic (Nabeel, Para [0023]: … The security system 160 is designed to support two key use cases: batch-mode blocklist generation/updates (e.g., daily/weekly blocklist generation) and real-time prediction. On a batch-mode basis, security system 160 first compiles a seed malicious domain list first seen on a given day and identifies other recent domains hosted on the same infrastructure where the seed malicious domains are hosted …).”
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Nabeel into the teachings of Oprea-Kutt-Mayfield, because it discloses that, “The present disclosure provides systems and methods that offer real-time predictions and batched blocklist updates/generation that can be used in various cybersecurity fields and networking concern for improving system reliability, reducing the severity of external threats, and reducing the odds of breach by an external party among other benefits including reduced computational resource usage for greater benefits compared to traditional approaches (Nabeel, Para [0017])”.
Regarding Claim 26. The combination of Oprea-Kutt-Mayfield discloses the system of claim 1, however it does not explicitly teach but Nabeel from same or similar field of endeavor teaches, “wherein the one or more processors are further configured to:
obtain a predicted classification for a candidate website from the classifier (Nabeel, Para [0016, 0023, 0073]: … The present disclosure generally relates to systems, methods, and devices for detecting malicious domains. The present disclosure provides a content-agnostic approach of detecting malicious domains early in their life-cycle We observe that attackers often reuse hosting infrastructures to launch multiple malicious domains due to increased utilization of automation and economies of scale. Thus, it gives defenders the opportunities to monitor such infrastructure to identify newly hosted malicious domains …The security system 160 generates a batch-period (e.g., daily) blocklist based on the newly observed seed malicious domains gathered from a consensus feed every batch period and other data sources 820 via the graph classifier 810, which may operate according to methods 200, 300, 400, 500, and 600 as discussed herein …);
perform a post-filtering to be performed with respect to the predicted classification to determine whether the predicted classification is a false positive classification (Nabeel, Para [0074]: … Before storing batch period predictions in the blocklist database 840, the security system 160 further filters out the likely false positive domains. The false positive detector 830 executes various filtering rules, which include: domains that appear in a popular domain list/feed (e.g., the ALEXA Top 1 million 7-day list), domains registered for more that R time (e.g., more than 2 years), etc. …); and
determining a classification for the candidate website based at least in part on a result of post-filtering the predicted classification (Nabeel, Para [0074]: … Before storing batch period predictions in the blocklist database 840, the security system 160 further filters out the likely false positive domains. The false positive detector 830 executes various filtering rules, which include: domains that appear in a popular domain list/feed (e.g., the ALEXA Top 1 million 7-day list), domains registered for more that R time (e.g., more than 2 years), etc. …).”
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Nabeel into the teachings of Oprea-Kutt-Mayfield, because it discloses that, “The present disclosure provides systems and methods that offer real-time predictions and batched blocklist updates/generation that can be used in various cybersecurity fields and networking concern for improving system reliability, reducing the severity of external threats, and reducing the odds of breach by an external party among other benefits including reduced computational resource usage for greater benefits compared to traditional approaches (Nabeel, Para [0017])”.
Claims 12 is rejected under 35 U.S.C. 103 as being unpatentable over Patent. No.: US 9838407 B1 to Oprea et al. (hereinafter “Oprea”) in view of Pub. No.: US 20220046057 A1 to Kutt et al. (hereinafter “Kutt”), Pub. No.: US 20250126140 A1 to Mayfield et al. (hereinafter “Mayfield”) and further in view of Pub. No.: US 20240333749 A1 to Nabeel et al. (hereinafter “Nabeel”), as applied to claim 11 above, and further in view of Pub. No.: US 20200372424 A1 to Zhang et al. (hereinafter “Zhang”).
Regarding Claim 12. The combination of Oprea-Kutt-Mayfield-Nabeel discloses the system of claim 11, however it does not explicitly teach but Zhang from same or similar field of endeavor teaches, “wherein the lightweight inline machine learning model is trained using a fewer number of features than an offline machine learning model that provides offline detection or classification of websites (Zhang, Para [0041]: … The technology disclosed provides a solution to the training of a URL categorization classifier and the implementation of a trained URL categorization classifier within a production environment. One aspect of the technology disclosed relates to a novel approach for training the classifier with a multi-step process to eliminate noise in the training data, thereby reducing mislabeled data and improving model accuracy. Another aspect of the technology disclosed relates to a set of post-processing rules designed to fine-tune classification results prior to generating a “final verdict” of categories for the website, further reducing the likelihood of a website being incorrectly flagged, or not receiving a flag when one is warranted, within the production environment. Yet another aspect of the technology disclosed relates to the implementation of a offline URL classification mapping database containing hundreds of millions of websites and their corresponding categories and another separate inline URL classification mapping database that only contains a subset of websites that have been selected with the goal of maximizing the match rate, or hit rate, of the inline URL classification mapping database in dependence upon the specific needs of a customer based on their users' online activity and the customer's security policy …).”
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Zhang into the teachings of Oprea-Kutt-Mayfield-Nabeel, because it discloses that, “In some implementations of the technology disclosed, there may only be one single URLC database rather than two; in many implementations, it is advantageous to maintain an inline URLC database 174 that is separate from offline URLC database 172. Hundreds of millions of categorized URLs may be entered within the offline URLC database 172 in many implementations. Within some production environments, it is not feasible to load that magnitude of entries to be available for website category lookup in real time (i.e., responsive to a user's network activity) by the in-line proxy 144 due to limited storage space and/or memory resources. Accordingly, inline URLC database 174 is distinct from offline URLC database 172 to allow for the selection of a subset of entries from offline URLC database 172 to be accessible by the in-line proxy 144. This enables an enterprise to control the number of entries accessible by the in-line proxy 144 to be suitable for their storage space and memory resources (Zhang, Para [0046])”.
Claims 13-14 are rejected under 35 U.S.C. 103 as being unpatentable over Patent. No.: US 9838407 B1 to Oprea et al. (hereinafter “Oprea”) in view of Pub. No.: US 20220046057 A1 to Kutt et al. (hereinafter “Kutt”) and Pub. No.: US 20250126140 A1 to Mayfield et al. (hereinafter “Mayfield”), as applied to claim 1 above, and further in view of Pub. No.: US 20210120034 A1 to Starov et al. (hereinafter “Starov”).
Regarding Claim 13. The combination of Oprea-Kutt-Mayfield discloses the system of claim 1, however it does not explicitly teach but Starov from same or similar field of endeavor teaches, “wherein the subset of higher risk websites are periodically crawled at a more frequent rate than websites classified as benign or low or medium risk (Starov, Para [0012, 0019]: … Typical web crawler systems operate by crawling uniform resource locators (URLs) in a URL frontier (i.e., data structure identifying URLs to crawl). Selection of URLs for insertion into the URL frontier is according to selection policy. A selection policy guides selection of URLs to visit based on resource allocation, website query frequency, etc. A selection policy can additionally be defined to cause a web crawler system to select a subset (e.g. 10%) of URLs to recrawl … The current disclosure proposes to recrawl by intelligently selecting URLs for recrawl that have a high likelihood to correspond to malicious cloaking. This intelligent crawler system operates in communication with a web crawler that interacts with the world wide web to download content from URLs via multiple browser profiles and render it similarly to web browsers, detect suspected cloaking, and to update its' URL frontier with recrawl URLs based on suspected cloaking … first, URLs are filtered based on common cloaking behavior and a script is extracted from a known post-factum cloaked website that corresponds to a redirect based on the common cloaking behavior. Second, a signature is extracted from the script that can be matched with a signature corresponding to known cloaking behavior in the known malicious signature database. Scripts and the corresponding URLs that have signatures corresponding to known cloaking behavior are added by the web crawler system to a recrawl URL queue to later be recrawled by the web crawler … The web crawler 125 reads seed URLs 108 from the URL frontier 127 and recrawl URLs 110 from the recrawl URL queue 129. The web crawler 125 can read/dequeue URLs from the URL frontier 127 and the recrawl URL queue 129 based on a schedule indicating a frequency at which the web crawler 125 should fetch web pages in a same domain …).”
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Starov into the teachings of Oprea-Kutt-Mayfield, because it discloses that, “A selection policy can additionally be defined to cause a web crawler system to select a subset (e.g. 10%) of URLs to recrawl. Recrawls can be selected randomly, but random recrawl selection selects a high frequency of benign and non-cloaking URLs which wastes recrawling resources. The current disclosure proposes to recrawl by intelligently selecting URLs for recrawl that have a high likelihood to correspond to malicious cloaking (Starov, Para [0012])”.
Regarding Claim 14. The combination of Oprea-Kutt-Mayfield discloses the system of claim 1, however it does not explicitly teach but Starov from same or similar field of endeavor teaches, “wherein the one or more processors are further configured to:
in response to classifying a candidate website as a higher risk website (Starov, Para [0012]: … Prior to normal operations for detecting malicious cloaking (and in parallel with normal operations), the web crawler creates and maintains a database of known malicious signatures …),
causing the candidate website to be crawled (Starov, Para [0012]: … A selection policy can additionally be defined to cause a web crawler system to select a subset (e.g. 10%) of URLs to recrawl. Recrawls can be selected randomly, but random recrawl selection selects a high frequency of benign and non-cloaking URLs which wastes recrawling resources. The current disclosure proposes to recrawl by intelligently selecting URLs for recrawl that have a high likelihood to correspond to malicious cloaking …); and
causing the candidate website to be analyzed for malware based at least in part on results of crawling the candidate website (Starov, Para [0012]: … The web crawler selects a subset of recrawl URLs (e.g., uniformly at random) and verifies malicious cloaking on the recrawl URLs. Signatures are extracted from recrawl URLs with verified malicious cloaking that correspond to the observed cloaking redirect scripts and these signatures populate the database of known malicious signatures …)”.
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Starov into the teachings of Oprea-Kutt-Mayfield, because it discloses that, “A selection policy can additionally be defined to cause a web crawler system to select a subset (e.g. 10%) of URLs to recrawl. Recrawls can be selected randomly, but random recrawl selection selects a high frequency of benign and non-cloaking URLs which wastes recrawling resources. The current disclosure proposes to recrawl by intelligently selecting URLs for recrawl that have a high likelihood to correspond to malicious cloaking (Starov, Para [0012])”.
Claims 15-18, 22 are rejected under 35 U.S.C. 103 as being unpatentable over Patent. No.: US 9838407 B1 to Oprea et al. (hereinafter “Oprea”) in view of Pub. No.: US 20220046057 A1 to Kutt et al. (hereinafter “Kutt”) and Pub. No.: US 20250126140 A1 to Mayfield et al. (hereinafter “Mayfield”), as applied to claim 4 above, and further in view of Pub. No.: US 20190036930 A1 to Bartik et al. (hereinafter “Bartik”).
Regarding Claim 15. The combination of Oprea-Kutt-Mayfield discloses the system of claim 1, however it does not explicitly teach but Bartik from same or similar field of endeavor teaches, “wherein the classifier comprises a rentable domain classifier and a non-rentable domain classifier (Bartik, Para [0051-0052]: … In step 240, whitelist update program 200 classifies candidates. In an embodiment, whitelist update program 200, through classifier 184, determines whether a candidate domain or URL is owned by the same owner of one of the domains and URLs that are in the initial whitelist based upon the information and features derived from step 230. Classifier 184 activates and performs the classification process using static rules. In an example, classifier 184 analyzes email addresses in the WHOIS records for a match … classifier 184 utilizes a machine learning classification algorithm to predict if two URLs, related to an original URL, have the same ownership based on a match probability that is determined by a machine learning algorithm …).”
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Bartik into the teachings of Oprea-Kutt-Mayfield, because it discloses that, “Embodiments of the present invention provide a method for automatically creating and maintaining a whitelist. The current invention provides the ability to find new domains and URLs that have the potential to be part of the whitelist, analyze the content in the new domains and URLs, evaluate a correlation with existing domains and URLs, which are in the basic whitelist, and update the whitelist with new domains and URL (Bartik, Para [0015)”.
Regarding Claim 16. The combination of Oprea-Kutt-Mayfield-Bartik discloses the system of claim 15, Bartik further discloses, “wherein the rentable domain classifier is used to classify a candidate website in response to determining that a corresponding domain is a rentable domain (Bartik, Para [0051-0052]: … In step 240, whitelist update program 200 classifies candidates. In an embodiment, whitelist update program 200, through classifier 184, determines whether a candidate domain or URL is owned by the same owner of one of the domains and URLs that are in the initial whitelist based upon the information and features derived from step 230. Classifier 184 activates and performs the classification process using static rules. In an example, classifier 184 analyzes email addresses in the WHOIS records for a match … classifier 184 utilizes a machine learning classification algorithm to predict if two URLs, related to an original URL, have the same ownership based on a match probability that is determined by a machine learning algorithm …).”
The motivation to further combine Bartik remains same as in claim 15.
Regarding Claim 17. The combination of Oprea-Kutt-Mayfield-Bartik discloses the system of claim 15, Bartik further discloses, “wherein the non-rentable domain classifier is used to classify a candidate website in response to determining that a corresponding domain is a non-rentable domain (Bartik, Para [0029-31, 0051]: … Classifier 184 (a subprogram of whitelist update program 200) directs the classification process. In an embodiment, classifier 184 directs the process of defining whether a candidate domain or URL is owned by the same owner of one of the domains and URLs that are in the initial whitelist. Classifier 184 activates and performs the classification process using static rules. In an example, classifier 184 analyzes email addresses in the WHOIS records for a match. In another embodiment, classifier 184 utilizes a machine learning classification algorithm to predict if two sites have the same ownership based on a match probability …).”
The motivation to further combine Bartik remains same as in claim 15.
Regarding Claim 18. The combination of Oprea-Kutt-Mayfield-Bartik discloses system of claim 15, Bartik further discloses, “wherein the rentable domain classifier and the non-rentable domain classifiers comprise machine learning models that are trained using different sets of features (Bartik, Para [0029-31]: … Classifier 184 (a subprogram of whitelist update program 200) directs the classification process. In an embodiment, classifier 184 directs the process of defining whether a candidate domain or URL is owned by the same owner of one of the domains and URLs that are in the initial whitelist. Classifier 184 activates and performs the classification process using static rules. In an example, classifier 184 analyzes email addresses in the WHOIS records for a match. In another embodiment, classifier 184 utilizes a machine learning classification algorithm to predict if two sites have the same ownership based on a match probability …).”.
The motivation to further combine Bartik remains same as in claim 15.
Regarding Claim 22. The combination of Oprea-Kutt-Mayfield discloses the system of claim 1, however it does not explicitly teach but Bartik from same or similar field of endeavor teaches, “wherein the classifier comprises one or more of (i) an inline rentable domain classifier, (ii) an offline rentable domain classifier, (iii) an inline non-rentable domain classifier, and (iv) an offline non-rentable domain classifier (Bartik, Para [0029-31]: … Classifier 184 (a subprogram of whitelist update program 200) directs the classification process. In an embodiment, classifier 184 directs the process of defining whether a candidate domain or URL is owned by the same owner of one of the domains and URLs that are in the initial whitelist. Classifier 184 activates and performs the classification process using static rules. In an example, classifier 184 analyzes email addresses in the WHOIS records for a match. In another embodiment, classifier 184 utilizes a machine learning classification algorithm to predict if two sites have the same ownership based on a match probability …).”
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Bartik into the teachings of Oprea-Kutt-Mayfield, because it discloses that, “Embodiments of the present invention provide a method for automatically creating and maintaining a whitelist. The current invention provides the ability to find new domains and URLs that have the potential to be part of the whitelist, analyze the content in the new domains and URLs, evaluate a correlation with existing domains and URLs, which are in the basic whitelist, and update the whitelist with new domains and URL (Bartik, Para [0015)”.
Claims 24-25 are rejected under 35 U.S.C. 103 as being unpatentable over Patent. No.: US 9838407 B1 to Oprea et al. (hereinafter “Oprea”) in view of Pub. No.: US 20220046057 A1 to Kutt et al. (hereinafter “Kutt”) and Pub. No.: US 20250126140 A1 to Mayfield et al. (hereinafter “Mayfield”), as applied to claim 4 above, and further in view of Pub. No.: US 20220116411 A1 to Melicher et al. (hereinafter “Melicher”).
Regarding Claim 24. The combination of Oprea-Kutt-Mayfield discloses the system of claim 1, however it does not explicitly teach but Melicher from same or similar field of endeavor teaches, “wherein the classifier is an inline classifier that generates classifications contemporaneous with an interception and handling of network traffic (Melicher, Para [0197]: … We showed our analysis based on abstract interpretation can deobfuscate 86%-98% of obfuscated JavaScript and further showed how this engine can be used to detect malicious JavaScript. We find that it can deobfuscate more JavaScript than an existing static analysis tool [29]. Furthermore, our deobfuscation engine can respond fast enough for inline defenses, within an average of 33 ms, for 58% to 81% of malware. As future work, our analysis can compose well with existing signature-based and machine-learning techniques allowing us, for example, to: run signatures over deobfuscated JavaScript, train and evaluate machine learning models on deobfuscated content, and adding custom behavioral signatures on interpreted code over all code paths …).”
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Melicher into the teachings of Oprea-Kutt-Mayfield, because it discloses that, “In order to improve our implementation's performance, we optimized for the common case when strings are not meaningful; we first filter out irrelevant strings with approximate, but over accepting, regular expressions that operate on a short prefix of the target (Melicher, Para [0133)”.
Regarding Claim 25. The combination of Oprea-Kutt-Mayfield-Melicher discloses the system of claim 24, Melicher further discloses, “wherein the inline classifier generates the classifications in less than 100 milliseconds (ms) (Melicher, Para [0197]: … Furthermore, our deobfuscation engine can respond fast enough for inline defenses, within an average of 33 ms, for 58% to 81% of malware. As future work, our analysis can compose well with existing signature-based and machine-learning techniques allowing us, for example, to: run signatures over deobfuscated JavaScript, train and evaluate machine learning models on deobfuscated content, and adding custom behavioral signatures on interpreted code over all code paths …).”
The motivation to further combine Melicher remains same as in claim 24.
Claims 29 and 31 are rejected under 35 U.S.C. 103 as being unpatentable over Patent. No.: US 10440042 B1 to Stein et al. (hereinafter “Stein”) in view of Pub. No.: US 20240333749 A1 to Nabeel et al. (hereinafter “Nabeel”).
Regarding Claim 29. Stein discloses A system (Stein: FIG. 1, FIG. 8), comprising:
one or more processors (Stein, FIG. 8: … processor(s) 804 …) configured to:
collect a set of features for a set of training sample websites, the set of training sample websites comprising [a subset of] benign or low risk domains, and [a subset of] high risk domains (Stein; FIG. 6; Abstract; col.15.ln.13-23; col.8,9;ln.62-67,1-15: … In an embodiment, a data processing method providing an improvement in computer security, comprises selecting, from a domain name queue comprising a plurality of domain names, a particular domain name to analyze; extracting one or more features of the particular domain name; determining a particular risk priority score of the particular domain name based on analyzing the one or more features of the particular domain name by applying a classifier to the one or more features of the particular domain name … At block 604, classification system 110 obtains training data. For example, classification system 110 may obtain training data from a database, such as training data database 104. The training data retrieved from training data database 104 is a sufficient number of domains on which to perform training. In one embodiment, the training data 104 includes domains that are benign and domains that are malicious. In one embodiment, the training data 104 includes domains that are vulnerable to malicious attacks and domains that are not vulnerable to malicious attacks. The process 600 then passes control to block 606 … Once feature extraction logic 112 has extracted one or more features from a domain name, classifier logic 114 may determine a risk priority score for the domain name. Classifier logic 114 may be implemented as programs that execute one of various known types of classifiers, including a logistic regression classifier, a linear support vector machine classifier, a random forest classifier, a nearest neighbor classifier, a Bayesian classifier, a perceptron, or a neural network … Classifier logic 114 must be initially trained on a set of training data before it can be applied to the extracted features. Classification system 110 may retrieve training data from training data database 104. Training data includes a set of domain names that have previously been assessed to have a risk priority score or risk priority score range. Training data must be sufficiently large and includes domain names that are malicious, domain names that are benign, domain names that have been determined to contain vulnerabilities, and/or domain names that have been determined to not contain vulnerabilities. Classification system 110 may use training data to train the classifier logic 114 …); [wherein the set of features is generated based at least in part on one or more of crawled website content, lexical data, registration hostorical risk scores, passive domain name system (PDNS) data, and Virus Total reports]; and
perform a machine learning process to generate a domain classifier based at least in part on the set of features for the set of training sample websites (Stein; FIG. 6; Abstract; col.15.ln.13-30: … At block 606, classification system 110 uses the training data 104 to train classifier logic 114. Classifier logic 114 may comprise any known classifier type, such as a logistic regression classifier, linear support vector machine classifier, or a random forests classifier. Once classifier logic 114 is sufficiently trained, the process 600 passes control to block 608. …);
deploy the domain classifier in a system to perform detection of malicious domains (Stein; FIG. 6; col.9;ln.63-67: … Once classifier logic 114 is trained, classifier logic 114 can be applied to the one or more features extracted for a particular domain name in order to analyze the one or more features of the particular domain name and determine a risk priority score of the particular domain name based on its analysis of the one or more features .. Fig. 6: steps 608 [Wingdings font/0xE0] 610 [Wingdings font/0xE0] 612 and the related clarifications …); and
a memory coupled to the one or more processors and configured to provide the one or more processors with instructions (Stein, FIG. 8, col.17,ln.35-41: … processor(s) 804 … main memory 806 … Main memory 806, such as a random access memory (RAM) or other dynamic storage device, also may be coupled to bus 802 for storing information and software instructions to be executed by processor(s) 804. Main memory 806 also may be used for storing temporary variables or other intermediate information during execution of software instructions to be executed by processor(s) 804 …).
However, Stein does not explicitly teach, but Nabeel from same or similar field of endeavor teaches:
“a subset of benign or low risk domains, and a subset of high risk domains (Nabeel, Abstract, Para [0048-0050]: Proactively detecting malicious domains using graph representation learning may be provided by extracting seed domains from a uniform resource locator (URL) feed of observed requests for access to domains; expanding the seed domains to a via a passive domain name service (PDNS) crawl to include additional domains with the seed domains; collecting a ground truth, including labeling a first set of the seed domains as benign and a second set of the seed domains as malicious; constructing a graph neural network (GNN) of the additional domains and the seed domains, wherein each domain of the additional domains and the seed domains are represented as a node in the GNN that includes feature values associated that domain; training the GNN to classify unseen domains not associated with a node as either benign or malicious; and classifying, via the GNN, a queried domain as either benign or malicious … FIG. 5 is a flowchart of a method 500 for malicious ground truth generation, according to embodiments of the present disclosure. In addition to the output of the seed selection pipeline (e.g., per method 400 discussed in relation to FIG. 4), the security system 160 at block also actively queries a sample set of newly observed domains (e.g., a randomly or otherwise selected subset thereof) to enrich and diversify the batch-period list of malicious domains …);
wherein the set of features is generated based at least in part on one or more of crawled website content, lexical data, registration hostorical risk scores, passive domain name system (PDNS) data (Nabeel, Abstract, Para [0029]: … The security system 160 then executes a PDNS crawl, using the second set of daily malicious domains. The PDNS crawl is executed to further identify domains with the same IP address as the malicious domains of the second set. Because multiple malicious domains are usually hosted on the same set of IPs, there is an intrinsic association among such domains. Thus, after the PDNS crawl is executed, the security system 160 expands a graph in the neighborhood of seed malicious domains to likely discover additional, malicious domains that were not identified in step one …), and Virus Total reports”
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Nabeel into the teachings of Stein, because it discloses that, “The present disclosure provides systems and methods that offer real-time predictions and batched blocklist updates/generation that can be used in various cybersecurity fields and networking concern for improving system reliability, reducing the severity of external threats, and reducing the odds of breach by an external party among other benefits including reduced computational resource usage for greater benefits compared to traditional approaches (Nabeel, Para [0017])”.
Regarding Claim 31. The combination of Stein-Nabeel discloses the system of claim 29, Nabeel further discloses, “wherein the machine learning process comprises one or more of a random forest technique (Nabeel, Para [0078]: … In model training for the real-time classifier, it has been identified that semi-supervised graph learning followed by supervised classification yields more favorable results compared to the models used for blocklist generation. Further, instead of using the training data for a longer period (e.g. one month vs. one week) to train a single model, having multiple models for different time slices and ensembling those models yields superior results (see FIG. 3). In various embodiments, four GNN encoders are ensembled in the model stack, although other numbers of GNN encoders are contemplated. In various embodiments, a Random Forest algorithm is ued by the meta-learner classifier, although other algorithms are contemplated …) or an XGBoost technique.”
The motivation to further modify Stein remains same as in claim 29.
Claim 32 is rejected under 35 U.S.C. 103 as being unpatentable over Patent. No.: US 10440042 B1 to Stein et al. (hereinafter “Stein”) in view of Pub. No.: US 20240333749 A1 to Nabeel et al. (hereinafter “Nabeel”), as applied to claim 29 above, and further in view of Pub. No.: US 20210120034 A1 to Starov et al. (hereinafter “Starov”).
Regarding Claim 32. (New) The combination of Stein-Nabeel discloses the system of claim 29, however it does not explicitly teach but Starov from same or similar field of endeavor teaches, “wherein the one or more processors are further configured to:
in response to classifying a candidate website as a higher risk website, cause the candidate website to be crawled at a more frequent rate than websites classified as benign or low or medium risk (Starov, Para [0012, 0019], FIG. 3-4: … Typical web crawler systems operate by crawling uniform resource locators (URLs) in a URL frontier (i.e., data structure identifying URLs to crawl). Selection of URLs for insertion into the URL frontier is according to selection policy. A selection policy guides selection of URLs to visit based on resource allocation, website query frequency, etc. A selection policy can additionally be defined to cause a web crawler system to select a subset (e.g. 10%) of URLs to recrawl … The current disclosure proposes to recrawl by intelligently selecting URLs for recrawl that have a high likelihood to correspond to malicious cloaking. This intelligent crawler system operates in communication with a web crawler that interacts with the world wide web to download content from URLs via multiple browser profiles and render it similarly to web browsers, detect suspected cloaking, and to update its' URL frontier with recrawl URLs based on suspected cloaking … first, URLs are filtered based on common cloaking behavior and a script is extracted from a known post-factum cloaked website that corresponds to a redirect based on the common cloaking behavior. Second, a signature is extracted from the script that can be matched with a signature corresponding to known cloaking behavior in the known malicious signature database. Scripts and the corresponding URLs that have signatures corresponding to known cloaking behavior are added by the web crawler system to a recrawl URL queue to later be recrawled by the web crawler … The web crawler 125 reads seed URLs 108 from the URL frontier 127 and recrawl URLs 110 from the recrawl URL queue 129. The web crawler 125 can read/dequeue URLs from the URL frontier 127 and the recrawl URL queue 129 based on a schedule indicating a frequency at which the web crawler 125 should fetch web pages in a same domain …); and
cause the candidate website to be analyzed for malware based at least in part on results of crawling the candidate website (Starov, Para [0012, 0019], FIG. 3-4: … This intelligent crawler system operates in communication with a web crawler that interacts with the world wide web to download content from URLs via multiple browser profiles and render it similarly to web browsers, detect suspected cloaking, and to update its' URL frontier with recrawl URLs based on suspected cloaking. Prior to normal operations for detecting malicious cloaking (and in parallel with normal operations), the web crawler creates and maintains a database of known malicious signatures. The web crawler selects a subset of recrawl URLs (e.g., uniformly at random) and verifies malicious cloaking on the recrawl URLs …).”
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Starov into the teachings of Stein-Nabeel, because it discloses that, “A selection policy can additionally be defined to cause a web crawler system to select a subset (e.g. 10%) of URLs to recrawl. Recrawls can be selected randomly, but random recrawl selection selects a high frequency of benign and non-cloaking URLs which wastes recrawling resources. The current disclosure proposes to recrawl by intelligently selecting URLs for recrawl that have a high likelihood to correspond to malicious cloaking (Starov, Para [0012])”.
Claims 33 and 34 are rejected under 35 U.S.C. 103 as being unpatentable over Patent. No.: US 9838407 B1 to Oprea et al. (hereinafter “Oprea”) in view of Pub. No.: US 20220046057 A1 to Kutt et al. (hereinafter “Kutt”) Pub. No.: US 20250126140 A1 to Mayfield et al. (hereinafter “Mayfield”), as applied to claim 1 above, and further in view of Pub. No.: US 20230300151 A1 to Xu et al. et al. (hereinafter “Xu”)
Regarding Claim 33. (New) The combination of Oprea-Kutt-Mayfield discloses the system of claim 1, however it does not explicitly teach but Xu from same or similar field of endeavor teaches, “wherein the candidate domain is deemed expected to become malicious within the predetermined period of time if a predicted likelihood that the candidate domain will become malicious within the predetermined period of time exceeds a predefined threshold (Xu, Abstract, Para [0036], FIG. 3: … In an approach, a processor receives a set of normal domains, a set of suspicious domains, and a set of malicious domains; labels each domain of the set of normal domains as normal producing a labelled set of normal domains and each domain of the set of suspicious domains and the set of malicious domains as malicious producing a labelled set of malicious domains … In an embodiment, after completing the hit size filter and IAT filter, volumetric clustering program 112 filters the domains remaining after the first two filters (the set of semi-filtered domains) using a univariate volumetric filter (UVF) that determines the abnormality of a domain's hit time-series pattern and filters out domains deemed as normal domains (i.e., not abnormal as defined by a confidence interval). In other words, the UVF determines an abnormality of a hit time-series pattern for each domain and filters out domains that fall within a confidence interval for the hit time-series pattern. In an embodiment, the UVF updates a time-series model, e.g., an exponential smoothing state space model with Box-Cox transformation, ARMA errors, and Trend and Seasonal components (BATS), with hit time-series data of each domain remaining after the first two filters to predict the hits along with a confidence interval (i.e., upper and lower bounds of a hit pattern) for a future time step. At any timestamp in a future prediction period, a domain is considered suspicious (i.e., could be a malicious domain) when its actual hits are outside of the confidence interval and considered normal otherwise …).”
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Xu into the teachings of Oprea-Kutt-Mayfield, because it discloses that, “Time series analysis is a specific way of analyzing a sequence of data points collected over an interval of time. In time series analysis, analysts record data points at consistent intervals over a set period of time rather than just recording the data points intermittently or randomly. This type of analysis can show how variables change over time, i.e., the time variable shows how the data adjusts over the course of the data points as well as the final results. It provides an additional source of information and a set order of dependencies between the data. Time series analysis typically requires a large number of data points to ensure consistency and reliability. An extensive data set ensures you have a representative sample size and that analysis can cut through noisy data. It also ensures that any trends or patterns discovered are not outliers and can account for seasonal variance. Additionally, time series data can be used for forecasting—predicting future data based on historical data (Xu, Para [0002])”.
Regarding Claim 34. (New) The combination of Oprea-Kutt-Mayfield discloses the system of claim 1, however it does not explicitly teach but Xu from same or similar field of endeavor teaches, “wherein the candidate domain is deemed expected to become malicious within the predetermined period of time if a prediction score output by the classifier exceeds a predefined threshold (Xu, Abstract, Para [0028, 0036], FIG. 3: … volumetric clustering program 112 filters the set of aggregated domain data. In an embodiment in which the normal domains have not yet been removed, volumetric clustering program 112 filters out the domains labeled as normal from the set of aggregated domain data with only the domains labeled as malicious remaining. In an embodiment, volumetric clustering program 112 filters the remaining domains labeled as malicious using, in parallel or sequentially (with either filter being first), a hit size filter and an inter-arrival-time filter. In an embodiment, volumetric clustering program 112 filters the remaining domains labeled as malicious using a hit size filter that filters out the domains with low hit activities (i.e., a low number of hits) based on a preset threshold (e.g., median hits for a given period of time) since low activity domains may not present a clear hit pattern … In an approach, a processor receives a set of normal domains, a set of suspicious domains, and a set of malicious domains; labels each domain of the set of normal domains as normal producing a labelled set of normal domains and each domain of the set of suspicious domains and the set of malicious domains as malicious producing a labelled set of malicious domains … In an embodiment, after completing the hit size filter and IAT filter, volumetric clustering program 112 filters the domains remaining after the first two filters (the set of semi-filtered domains) using a univariate volumetric filter (UVF) that determines the abnormality of a domain's hit time-series pattern and filters out domains deemed as normal domains (i.e., not abnormal as defined by a confidence interval). In other words, the UVF determines an abnormality of a hit time-series pattern for each domain and filters out domains that fall within a confidence interval for the hit time-series pattern. In an embodiment, the UVF updates a time-series model, e.g., an exponential smoothing state space model with Box-Cox transformation, ARMA errors, and Trend and Seasonal components (BATS), with hit time-series data of each domain remaining after the first two filters to predict the hits along with a confidence interval (i.e., upper and lower bounds of a hit pattern) for a future time step. At any timestamp in a future prediction period, a domain is considered suspicious (i.e., could be a malicious domain) when its actual hits are outside of the confidence interval and considered normal otherwise …).”
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Xu into the teachings of Oprea-Kutt-Mayfield, because it discloses that, “Time series analysis is a specific way of analyzing a sequence of data points collected over an interval of time. In time series analysis, analysts record data points at consistent intervals over a set period of time rather than just recording the data points intermittently or randomly. This type of analysis can show how variables change over time, i.e., the time variable shows how the data adjusts over the course of the data points as well as the final results. It provides an additional source of information and a set order of dependencies between the data. Time series analysis typically requires a large number of data points to ensure consistency and reliability. An extensive data set ensures you have a representative sample size and that analysis can cut through noisy data. It also ensures that any trends or patterns discovered are not outliers and can account for seasonal variance. Additionally, time series data can be used for forecasting—predicting future data based on historical data (Xu, Para [0002])”.
Pertinent Prior Arts
The following prior arts made of record and not relied upon are considered pertinent to applicant's disclosure.
US 20170353434 A1; Al-Saber et al.: Al-Saber discloses An anti-cross-site scripting (anti-XSS) feature is provided at an operating system without reliance on higher-level third-party software (e.g., browsers, anti-virus software, etc.). A Uniform Resource Locator (URL) link is intercepted at a kernel level of an operating system of a device. It is then ascertained whether the URL link includes a cross-site script. If so, a determination is also made as to whether the cross-site script is an untrusted script (e.g., potentially harmful, malicious, or non-benign script). Execution of the URL link is terminated if it is determined that the cross-site script is an untrusted script.
The novel aspects disclosed herein generally relate to internet security, and more specifically, though not exclusively, to methods for detecting and inhibiting cross-site scripting attacks at the operating system and/or kernel level.
US 9043894 B1; Dennison et al.: Dennison discloses A computer system identifies malicious Uniform Resource Locator (URL) data items from a plurality of unscreened data items that have not been previously identified as associated with malicious URLs. The system can execute a number of pre-filters to identify a subset of URLs in the plurality of data items that are likely to be malicious. A scoring processor can score the subset of URLs based on a plurality of input vectors using a suitable machine learning model. Optionally, the system can execute one or more post-filters on the score data to identify data items of interest. Such data items can be fed back into the system to improve machine learning or can be used to provide a notification that a particular resource within a local network is infected with malicious software.
US 10547633 B1; Dell'Amico et al.: Dell'Amico discloses computer-implemented method for mapping services utilized by network domains may include (i) receiving a request to perform a risk assessment on a domain, (ii) querying a database for records associated with the domain, where each record links to a network resource that enables functionality of the domain, (iii) generating a service map that matches each network resource to a corresponding service type and service provider, (v) performing the risk assessment of the domain, and (vi) facilitating a security measure for the domain based on a result of the risk assessment. Various other methods, systems, and computer-readable media are also disclosed.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MAHABUB S AHMED whose telephone number is (571)272-0364. The examiner can normally be reached on 9AM-5PM EST M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ali Shayanfar can be reached on (571)270-1050. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MAHABUB S AHMED/Examiner, Art Unit 2434
/TESHOME HAILU/Primary Examiner, Art Unit 2434