Prosecution Insights
Last updated: July 15, 2026
Application No. 18/785,068

HIGHLY EFFICIENT WEBPAGE CODE-PATTERNS MATCHING FOR MALICIOUS WEBSITES DETECTION

Non-Final OA §101§103§112
Filed
Jul 26, 2024
Examiner
ABYANEH, ALI S
Art Unit
2437
Tech Center
2400 — Computer Networks
Assignee
Palo Alto Networks Inc.
OA Round
1 (Non-Final)
78%
Grant Probability
Favorable
1-2
OA Rounds
1y 3m
Est. Remaining
99%
With Interview

Examiner Intelligence

Grants 78% — above average
78%
Career Allowance Rate
488 granted / 628 resolved
+19.7% vs TC avg
Strong +56% interview lift
Without
With
+56.0%
Interview Lift
resolved cases with interview
Typical timeline
3y 3m
Avg Prosecution
19 currently pending
Career history
654
Total Applications
across all art units

Statute-Specific Performance

§101
3.3%
-36.7% vs TC avg
§103
89.4%
+49.4% vs TC avg
§102
2.5%
-37.5% vs TC avg
§112
1.9%
-38.1% vs TC avg
Black line = Tech Center average estimate • Based on career data from 628 resolved cases

Office Action

§101 §103 §112
Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. Claims 1-8, 14-25 are pending. Claims 9-13 have been canceled. Claims 9-13 have been canceled. Election/Restriction Applicant’s election without travers of group I, claims 1-8 and 14-25 in the reply filed on 02-11-2026 is acknowledged. Information Disclosure Statement PTO-1449 The Information Disclosure Statement submitted by applicant on 07-26-2024 have been considered. Please see attached PTO-1449. Claim Rejections - 35 USC § 101 835 U.S.C. 101 reads as follows: Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title. Claims 1-25 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claims when analyzed under 2019 Revised Patent Subject Matter Eligibility Guidance, are directed to abstract idea. Claim 1 for example, recites a method and, therefore, is a process. The claim recites the limitation of “…determining whether a webpage include malicious content based on pattern matching…extracting a first code pattern from the webpage…performing a lookup in each index of a plurality of malware code pattern based on a different code pattern until a successful lookup…of the plurality of malware code pattern has been accessed…determining positional indexing of the index…selecting the code in the first code pattern according to optional indexing …looking up the selected code in the index…based on successful lookup, determining webpage include malicious content; and based on a determination…indicating the one of the plurality of malware code patterns returned …”. These limitations, under broadest reasonable interpretation are directed performance of the limitation in a human mind. That is, nothing in the claim element precludes the step from practically being performed in the mind. For example, the claim encompasses a human simply by looking at a webpage could extract a first code pattern form the webpage and compare different codes of the first code with a plurality of malware code pattern displayed or written on a piece of paper until a successful match is detected. A human by looking at an index or table displayed or written on a piece of paper that includes positional data of index could determine positional indexing, selecting a code form the first code pattern according to the positional indexing, comparing it to the index, determining malicious webpage based on comparison, and indicating the malware code patterns detected from the successful lookup. Claim is further analyzed in step 2A prong 2, to evaluate whether the claim as a whole integrates the recited judicial exception into a practical application of the exception. This evaluation is performed by identifying whether there are any additional elements recited in the claim beyond the judicial exception, and evaluating those additional elements individually and in combination to determine whether the claim as a whole integrates the exception into a practical application. However, each of the remaining limitation appears to be generic computer functions which do not constitute meaningful limitations that would amount to significantly more than the abstract idea. The combination of these additional element is no more than generic computer functions. Thus, even in combination, additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limitations on practicing the abstract idea. Claim is additionally analyzed under Step 2B to evaluates whether the claim as a whole amount to significantly more than the recited exception, whether any additional element, or combination of additional elements, adds an inventive concept to the claim. When claims evaluated under step 2B, it is no more than what is well-understood, routine, conventional activity in the field. The specification does not provide any indication anything other than a generic computer component. The mere …extracting a first code pattern from the webpage…performing a lookup in each index of a plurality of malware code pattern…determining positional indexing of the index…selecting the code in the first code pattern…looking up the selected code in the index…based on successful lookup, determining webpage include malicious content…indicating the one of the plurality of malware code patterns returned…is a well-understood, routing and conventional function when it is claimed in a merely generic manner as it is here. Independent claims 14 and 21 include limitations similar to the limitations of claim 1 and are rejected under 35 U.S.C. 101 as being directed to abstract idea for the same reasons discussed above with respect to claim 1. In claims 2, 15 and 22, recite an alignment include left, right, and middle with respect to code in a code pattern, which is considered as extra solution activity of gathering data for use in the claimed process. Insignificant extra-solution activity does not amount to an inventive concept. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose meaningful limits on practicing abstract idea. In claim 3, 16 and 23, selecting the code in the first code pattern by determining which code in the first code patten corresponds to the alignment indicated by the positional indexing of the index; and selecting the cod the code at the position indicated by positional indexing of the index relative to the determined alignment code, could be performed by a human. The claims do not recite additional element that amounts to significantly more than the judicial exception. Claims 4, 17 and 24 recite, wherein selecting the code in the first code pattern according to the positional indexing of the index comprises: determining that the alignment for the index is middle, wherein determining which code in the first code pattern corresponds to the alignment comprises determining which code in the first code pattern corresponds to the middle of the first code pattern, and wherein selecting the code at the position indicated by the positional indexing comprises selecting the code at the position relative to the determined middle code of the first code pattern. However, determining that alignment for the index is middle, determining which code in the first code pattern corresponds to the middle of the first code pattern and selecting the code at the position relative to the determined middle code of the code pattern could be performed by a human. Claims do not recite additional element that amounts to significantly more than the judicial exception. In claim 5, 18 and 25, looking up the first code pattern in the index based on the selected code comprises searching the index for the selected code and, if found, determining whether the first code pattern matches the one of the malware code patterns indexed by the index matching the selected code, could be performed by a huma. A human could simply search an index of codes written on a piece of paper and look for the first code pattern and determine if the first code pattern matches one of the malware code patterns. Claims do not recite additional element that amounts to significantly more than the judicial exception. Claim 6 adds that a code of a code pattern corresponds to one of a JavaScript section of a webpage, a form section of a webpage, a title section of a webpage, a cascading style sheet section of a webpage, an iframe section of a webpage, a header section of a hypertext transfer protocol (HTTP) request or response, and an image section of a webpage, which is considered as insignificant extra solution activity of gathering data for use in the claimed process. Insignificant extra-solution activity does not amount to an inventive concept. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose meaningful limits on practicing abstract idea. Claim 7, recites, looking up the selected code in the index comprises hashing the selected code and determining whether the hash of the selected code occurs in the index. However, hashing the selected code could be performed by a human through mathematical operation using a pen and paper. The human could look at the hash result on the paper and determine if the hash of the selected code occurs in the index shown on a display or paper. Claim does not recite additional element that amounts to significantly more than the judicial exception. Claim 8, recites, searching a second plurality of malware code patterns for a match with the first code pattern based on failure of the successive lookups, wherein the second plurality of malware code patterns is not covered by the indexes of the plurality of malware code patterns. A human could search a second plurality of malware patterns by looking at a list, for a match with a first code pattern. Additionally, the second plurality of malware code patterns is not covered by the indexes of the plurality of malware code patterns is considered as insignificant extra solution activity of gathering data for use in the claimed process. Insignificant extra-solution activity does not amount to an inventive concept. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose meaningful limits on practicing abstract idea. Claim Rejections - 35 USC § 112 The following is a quotation of 35 U.S.C. 112(b): (b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention. The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph: The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention. Claims 1, 14 and 21 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite. Claim 1, in line 18-19 recites “…determining that the webpage includes malicious content”, and in line 20-21 further recites “based on a determination that the webpage includes a malicious content, indicating…”. It is unclear if the “determination” recited in line 20-21 refers to the “determining” step set forth in line 18-19, or to a separate and distinct determination. If the later-recited “determination” is intended to refer to the previously recited “determining” step, the claim should be amended to provide proper antecedent basis, for example, by replacing “a determination” with –the determination--. Claims 14 and 21 include limitations similar to the limitations of claim 1and are rejected under 35 U.S.C. 112(b) for the same reasons discussed above. Dependent claims 2-8, 15-20 and 22-25 are rejected under 35 USC 112 (b) based on their dependencies on the independent claims. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 1, 5-7, 14 and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Liu (US Patent No. 11,418,485), hereinafter Liu, in view of Indeck et al. (US 2013/0086096), hereinafter Indeck, further in view of Wang (US Patent No. 10,210,077), hereinafter Wang. As per claims 1, 14 and 21, Liu (US Patent No. 11,418,485) discloses a method comprising: determining whether a webpage includes malicious content based on pattern matching (abstract, when matching malicious URL pattern is identified, the URL is detected as malicious), wherein determining whether the webpage includes malicious content comprises, extracting a first code pattern from the webpage, wherein the first code pattern comprises one or more codes corresponding to structural elements of the webpage (column 7, line 64-column 8, line 14, “[t]he detection system 201 identifies the URL 204…which comprises and HTTP request. [t] detection system 201 analyze header (structural element) of incoming HTTP request to identify URLs indicated in the HTTP request”); successively performing a lookup in each [index] of a plurality of malware code patterns based on a different code selected from the first code pattern until a successful lookup or all of the plurality of malware code patterns has been accessed (column 14, lines 5-66, at 604 the detection system evaluating each of the identified pattern until a partial match is identified, at block 606, determines if the match is a partial or a full match, at block 611, indicating that URL is malicious when match is a full match, or partial match satisfy a matching sub-pattern count threshold. If matching is partial match with matching sub-pattern count not satisfy threshold, continuing to block 604 when additional pattern is indicated in the result and determining if the remaining patterns is at least a partial match which triggers the determination that the URL is malicious), looking up the selected code; based on a successful lookup, determining that the webpage includes malicious content ( column 14, lines 63-66, “determine if at least a first of the remaining patterns is at least a partial match, which triggers a determination that the URL is malicious”); based on a determination that the webpage include malicious content, indicating the one of the plurality of malware code patterns returned for the successful lookup (column 17, lines 25-28, “the pattern generation system inserts the pattern into the pattern repository with an indication that the patten is a malicious URL pattern”). Liu does not explicitly disclose, index and lookup in index, wherein looking up the first code pattern in each index comprises, determining positional indexing of the index, wherein the positional indexing is different for each index and indicates an alignment and a position relative to the alignment; and selecting the code in the first code pattern according to the positional indexing of the index. However, in an analogous art, Indeck discloses, index and lookup in index (paragraph [0022], “ to stream web page content through an appliance configured to perform the metadata generation and index generation techniques... The web search engine can then apply search queries against the generated index( es)”), wherein looking up the first code pattern in each index comprises, determining positional indexing of the index, wherein the positional indexing is different for each index (paragraph [0071], “index 100 that can be built from the metadata...each table entry 102 comprises a term 104 and its associated pointer 106…[e]ach pointer 106 comprises a document [webpage] identifier Di and one or more position identifier pi”. Figure 5(a) depicts the positional identifier is different for each term. Paragraph [0012], examples of documents includes webpages); and selecting the code in the first code pattern according to the positional indexing of the index (paragraph [0071], “the pointer for the term ‘AzKaban’’…establish that ‘AzKaban can be found in Document D12 at position pi”). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Liu with Indeck. This would have been obvious because one of ordinary skill in the art would have been motivated to perform pattern matching on data at a high speed to determine whether a pattern is present in the data. Liu in view of Indeck does not explicitly disclose, positional indexing indicates an alignment and a position relative to the alignment. However, in an analogous art, Wang discloses, positional indexing indicates an alignment and a position relative to the alignment (column 12, lines 53-59, “an alignment may be as follows: for each node in those several sequences, the MSA algorithm assigns it position index I, such that for two nodes in two difference sequences, if they have the same position index i, they are aligned together”). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Liu with Wang. This would have been obvious because one of ordinary skill in the art would have been motivated to identify entries in alignment result that represent at least one code execution path that multiple traces in the set of traces include (column 2, lines 1-5). Liu furthermore discloses a processor and machine readable medium as claimed in claims 14 and 21 (column 18, lines 11-15 and figure 9). As per claims 5, 18 and 25, Liu in view of Indeck and Wang furthermore discloses, wherein looking up the first code pattern in the index based on the selected code comprises searching the index for the selected code and, if found, determining whether the first code pattern matches the one of the malware code patterns indexed by the index matching the selected code(Liu, column 14, lines 63-66, “determine if at least a first of the remaining patterns is at least a partial match, which triggers a determination that the URL is malicious”; and Indeck, paragraph [0022] apply search queries against the generated indexes ). The motivation is similar to the motivation provided in claim 1. As per claim 6, Liu in view of Indeck and Wang furthermore discloses, wherein a code of a code pattern corresponds to one of a JavaScript section of a webpage, a form section of a webpage, a title section of a webpage, a cascading style sheet section of a webpage, an iframe section of a webpage, a header section of a hypertext transfer protocol (HTTP) request or response, and an image section of a webpage (Liu, column 9, lines 45-48, “identify URL indicated in the HTTP header”, corresponding to a header section of a hypertext transfer protocol (HTTP) request). As per claim 7, Liu in view of Indeck and Wang furthermore discloses, wherein looking up the selected code in the index comprises hashing the selected code and determining whether the hash of the selected code occurs in the index (Indeck, paragraph [0072], “employ technique know in the art as cryptographic hashing to provide the term descriptor and tables to enable the values and list ..to be generated and exploited”). The motivation is similar to the motivation provided in claim 1. Claims 2-4 , 15-17 and 22-24 are rejected under 35 U.S.C. 103 as being unpatentable over Liu, in view of Indeck and Wang, further in view of Chess et al. (US Patent No. 5,485,575), hereinafter Chess. As per claims 2, 15 and 22, Liu as modified does not explicitly disclose, but in an analogous art, Chess disclose , wherein an alignment indicated by positional indexing for an index comprises one of left, right, and middle with respect to a set of codes in a code pattern (column 8, lines 11-30, “Each section of AttachInfo includes four locs[location descriptors]….The first two locs describe the section’s beginning and end locations in the original host, and last two describe the location in the infected host…marker include the file’s beginnings [left], end[right] and apparent entry point (the recognizable target of a branch instruction near the beginning of the file)…”). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the modified Liu with Chess. This would have been obvious because one of ordinary skill in the art would have been motivated to extract from viruses information that is necessary for their detection and eradication. As per claims 3, 16 and 23, Chase furthermore discloses, wherein selecting the code in the first code pattern according to the positional indexing of the index comprises: determining which code in the first code pattern corresponds to the alignment indicated by the positional indexing of the index; and selecting the code at the position indicated by the positional indexing of the index relative to the determined alignment code (column 8, lines 25-40, “location are measured with respect to judiciously chosen marker…So marker takes one of the value [“begin”, “end” “entry”, < “string”, character string>]…where in the last case, extra information consisting of the character string serving as reference point”). The motivation is similar to the motivation provided in claim 2. As per claims 4, 17 and 24, Chase furthermore discloses, wherein selecting the code in the first code pattern according to the positional indexing of the index comprises: determining that the alignment for the index is middle, wherein determining which code in the first code pattern corresponds to the alignment comprises determining which code in the first code pattern corresponds to the middle of the first code pattern, and wherein selecting the code at the position indicated by the positional indexing comprises selecting the code at the position relative to the determined middle code of the first code pattern (column 8, lines 25-45, “location are measured with respect to judiciously chosen marker…marker include the file’s beginning, end, and an apparent entry point ( the recognizable target of a branch instruction near the beginning of the file) and location of a specified character string [middle] within the file. So marker takes one of the values”). The motivation is similar to the motivation provided in claim 2 Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Liu, in view of Indeck and Wang, further in view of Mushtaq et al. (US Patent No. 9,430,646), hereinafter Mushtaq. As per claim 8, Liu as modified does not explicitly disclose, but in an analogous art, Mushtaq discloses, searching a second plurality of malware code patterns for a match with the first code pattern based on failure of the successive lookups, wherein the second plurality of malware code patterns is not covered by the indexes of the plurality of malware code patterns (column 16, line 67-column 17, line 19, “If the signature associated with the event is not in the local cache, i.e. a cache miss…in step 522, logic checks with the central analyzer. In so doing, the local analyzer makes the entry in the event/anomaly database available to the central analyzer… Proceeding with the central analysis portion 504, in step 524, logic checks whether results corresponding to the event are in the global cache. If they are, that is, if a cache hit, in step 526, logic sends an update to the local cache to reflect the cache hit in the global cache, for example, indicating or marking a header signature as malicious”). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the modified Liu with Mushtaq. This would have been obvious because one of ordinary skill in the art would have been motivated to do a second phase of anomaly detection using a global cache if signature associated with an event is not found in the local cache in order to provide protection against new malicious activities. References Cited, Not Used The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Grobman et al. (US Publication No. 2025/0117476) discloses an example apparatus includes interface circuitry; machine readable instructions; and programmable circuitry to at least one of instantiate or execute the machine readable instructions to: remove content data from a file corresponding to a first webpage, the file to include structure determiners after the removal of the content data; normalize data within the structure determiners; group the normalized structure determiners into tiles; compute a first output of a hashing algorithm using the tiles; and compare the first output to a second output of the hashing algorithm to generate a similarity value, the second output corresponding to a second webpage, the similarity value representing a structural similarity between the first webpage and the second webpage. Hu et al. (US Patent No. 9,516,051) discloses, a method of detecting exploit kits includes receiving, at an input port of a computer, indication of HTTP (Hypertext Transfer Protocol) traffic. The HTTP traffic is clustered into a web session tree according to a client IP (Internet Protocol. A client tree structure of the web session tree is generated. The client tree structure is compared with tree structures of exploit kit samples). Conclusion Any inquiry concerning this communication or earlier communications from the examiner should be directed to Ali Abyaneh whose telephone number is (571) 272-7961. The examiner can normally be reached on Monday-Friday from (8:00-5:00). If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Alexander Lagor can be reached on (571) 270-5143. The fax phone numbers for the organization where this application or proceeding is assigned as (571) 273-8300 Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). /ALI S ABYANEH/Primary Examiner, Art Unit 2437
Read full office action

Prosecution Timeline

Jul 26, 2024
Application Filed
Apr 09, 2026
Non-Final Rejection mailed — §101, §103, §112
Jun 17, 2026
Interview Requested
Jul 07, 2026
Applicant Interview (Telephonic)
Jul 08, 2026
Response Filed
Jul 11, 2026
Examiner Interview Summary

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12651063
OBTAINING IMMUTABLE SNAPSHOTS IN STORAGE SYSTEMS FOR RECOVERY AFTER CORRUPTED DATA DETECTION
2y 4m to grant Granted Jun 09, 2026
Patent 12645794
METHOD, ELECTRONIC DEVICE, AND COMPUTER PROGRAM PRODUCT FOR SNAPSHOT CLASSIFICATION
3y 2m to grant Granted Jun 02, 2026
Patent 12647462
Systems and methods for intelligent application definition and protection
2y 6m to grant Granted Jun 02, 2026
Patent 12627697
CYBER THREAT INFORMATION PROCESSING APPARATUS, CYBER THREAT INFORMATION PROCESSING METHOD, AND STORAGE MEDIUM STORING CYBER THREAT INFORMATION PROCESSING PROGRAM
3y 1m to grant Granted May 12, 2026
Patent 12615283
Systems and Methods for Network Security
2y 3m to grant Granted Apr 28, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

1-2
Expected OA Rounds
78%
Grant Probability
99%
With Interview (+56.0%)
3y 3m (~1y 3m remaining)
Median Time to Grant
Low
PTA Risk
Based on 628 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month