Notice of Pre-AIA  or AIA  Status
1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Election/Restrictions
2.    NO restrictions warranted at initial time of filing for patent.

Information Disclosure Statement
3.    The information disclosure statement (IDS) submitted on 06/26/2020, the submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Oath/Declaration
4.    Applicant’s Oath was filed on 12/20/2018.

Drawings
5.    Applicant’s drawings filed on 12/20/2018 has been inspected and is in compliance with MPEP 608.01.
Specification
6.    Applicant’s specification filed on 12/20/2018 has been inspected and is in compliance with MPEP 608.02.
Claim Objections
7.    NO objections warranted at initial time of filing for patent.

Remarks
8.	Examiner request Applicant review relevant prior art under the conclusion of this office action.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

9.	Claim 1, 2, 4-7, and 9-20 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Patent No. 8260914 hereinafter Ranjan in view of U.S. Publication No. 20170295196 hereinafter Arnell.

	As per claim 1, Ranjan discloses:
A non-transitory machine-readable storage medium comprising instructions to defend against a Domain Name System (DNS)-based attack (Col. 2 Lines 51-54 “In general, in one aspect, the invention relates to a non-transitory computer readable medium storing instructions for detecting automatically 
receive, over a network, DNS queries containing domain names (Col. 5 Lines 31-34 “In one or more embodiments, certain device(s) (e.g., DNS filters (115)) within the computer network (110) may be configured to sanction (e.g., passing or blocking) DNS traffic (e.g., DNS queries, not shown) based on information from the malicious domain name detecting tool (120).”); 
extract a common domain name shared by the domain names (Fig. 2, Col. 10 Lines 26-43 “As shown in FIG. 2, initially in Step 201, DNS queries sharing a common attribute in the computer network are identified. In one or more embodiments, the DNS queries sharing a common attribute are identified and/or extracted from the network trace under investigation described above for analysis to detect malicious domain names. In one or more embodiments, the DNS queries sharing a common attribute are identified and/or extracted from the reference dataset described above to fine tune the malicious domain name detection. In either scenario, the common attribute may be (1) a top level domain name corresponding to the DNS queries, (2) an IP address that each of the DNS queries is mapped to, (3) a connected component that each of the DNS queries belongs to, or (4) other suitable attributes. Typically, a DSN query includes a domain name preceded by a string "DNS query". Accordingly, the terms "DNS query" and "domain name" may be used interchangeably throughout this document based on the context.” Col. 12 Lines 15-16 “In Step 203, the set of 
determine whether a measure of an amount of data relating to the DNS queries containing the common domain name exceeds a threshold (Col. 9 Lines 55-60 “In one or more embodiments, the network trace is analyzed in a training phase, and referred to as a reference dataset, to fine tune pre-determined parameters (e.g., based distribution, pre-determined threshold, weights, regularization parameter, etc. described below) used in detecting malicious domain names. Example reference dataset includes the non-malicious ISP dataset, non-malicious DNS dataset, and malicious datasets described below.” Col. 12 Lines 19-27 “In Step 204, an alert is generated based on the distribution metric according to a pre-determined criterion. In one or more embodiment, the pre-determined criterion includes pre-determined parameters that are fine-tuned during a training phase such that the alert represents, with acceptable (based on a pre-defined level) false positive rates, detection of malicious domain names indicating malicious activities (e.g., domain fluxing from botnet or spam activities) in the computer network.”); 
trigger a countermeasure action to address a threat associated with the DNS queries (Col. 16 Lines 45-47 “Returning to FIG. 2, in STEP 205, a source node of DNS queries labeled as malicious is identified in the computer network in response to generating the alert in Step 204.” Col. 16 Line 57- Col. 17 Line 3 “In Step 206, a network security operation with respect to the source node is performed with the facilitation based on the alert identifying the grouped test 

	Ranjan does not disclose:
in response to determining that the measure of the amount of data relating to the DNS queries containing the common domain name exceeds the threshold, trigger countermeasure

	Arnell discloses:
in response to determining that the measure of the amount of data relating to the DNS queries containing the common domain name exceeds the threshold, trigger countermeasure (para 0017 “Characteristics that may be indicative of an anomaly include, by way of example, a change in the DNS configuration of a client device, the volume of DNS query traffic being sent from a particular client computing device, the length of DNS events toward a specific destination, pseudo-randomly generated domain names being queried, unrecognized domain Para 0031 “For example, if DNS query traffic from one or more client computing device(s) 210 is too high--which may be indicative of client computing device(s) 210 being used for a denial of service ( DoS) attack, even DNS queries having characteristics included in a whitelist may be kept for further analysis.” Para 0048 “Data specifying the DNS anomaly is provided to a user device (308). In some implementations, the user device is internal to the private network, e.g., a computing device of a private network administrator.”)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of defending against a Domain Name System (DNS)-based attack of Ranjan to including in response to determining that the measure of the amount of data relating to the DNS queries containing the common domain name exceeds the threshold, trigger countermeasure, as taught by Arnell.
The motivation would have been to determine the amount of data relating to the DNS queries to properly identify potential attacks.
	
As per claim 2, Ranjan in view of Arnell discloses:
The non-transitory machine-readable storage medium of claim 1, wherein the measure of the amount of data relating to the DNS queries comprises a count of a number of the DNS queries (Ranjan Col. 14 Lines 46-55).

As per claim 4, Ranjan in view of Arnell discloses:
The non-transitory machine-readable storage medium of claim 2, wherein the count of the number of the DNS queries exceeding the threshold (Ranjan Col. 9 Lines 55-60 and Col. 12 Lines 19-27) 
indicates a denial- of-service attack (Arnell para 0031).

As per claim 5, Ranjan in view of Arnell discloses:
The non-transitory machine-readable storage medium of claim 2, wherein the count of the number of the DNS queries exceeding the threshold (Ranjan Col. 9 Lines 55-60 and Col. 12 Lines 19-27) 
indicates a denial- of-service attack against a name server (Arnell para 0031).

As per claim 6, Ranjan in view of Arnell discloses:
The non-transitory machine-readable storage medium of claim 1, wherein the measure of the amount of data relating to the DNS queries comprises a per-device measure of the amount of data relating to the DNS queries received from an individual electronic device (Ranjan Col. 12 Lines 28-45).

As per claim 7, Ranjan in view of Arnell discloses:
The non-transitory machine-readable storage medium of claim 1, wherein the measure of the amount of data relating to the DNS queries comprises an  Figs. 1 and 2, Col. 5 Lines 4-37).

As per claim 9, Ranjan in view of Arnell discloses:
The non-transitory machine-readable storage medium of claim 1, wherein the instructions upon execution cause the DNS server to: in response to determining that the measure of the amount of data relating to the DNS queries containing the common domain name exceeds the threshold, indicate a data exfiltration threat (Ranjan Fig. 2).

As per claim 10, Ranjan in view of Arnell discloses:
The non-transitory machine-readable storage medium of claim 1, wherein the countermeasure action is selected from among rate limiting or blocking DNS queries from an electronic device or from a plurality of electronic devices; rate limiting or blocking data communication of an electronic device or a plurality of electronic devices; modifying an electronic device or a plurality of electronic devices; and rate limiting or blocking DNS queries to a domain (Ranjan Col. 16 Line 57- Col. 17 Line 3).

As per claim 11, Ranjan in view of Arnell discloses:
The non-transitory machine-readable storage medium of claim 1, wherein the instructions upon execution cause the DNS server to: detect unauthorized  Fig. 2).

As per claim 12, Ranjan discloses:
A method of defending against a Domain Name System (DNS)-based attack (Col. 2 Lines 51-54 “In general, in one aspect, the invention relates to a non-transitory computer readable medium storing instructions for detecting automatically generated malicious domain names in a network.”), comprising:
receiving, by a DNS server, a DNS query from an electronic device over a network (Col. 5 Lines 31-34 “In one or more embodiments, certain device(s) (e.g., DNS filters (115)) within the computer network (110) may be configured to sanction (e.g., passing or blocking) DNS traffic (e.g., DNS queries, not shown) based on information from the malicious domain name detecting tool (120).”);
determining, by the DNS server, whether a network address associated with the DNS query belongs to the network  (Fig. 2, Col. 10 Lines 26-43 “As shown in FIG. 2, initially in Step 201, DNS queries sharing a common attribute in the computer network are identified. In one or more embodiments, the DNS queries sharing a common attribute are identified and/or extracted from the network trace under investigation described above for analysis to detect malicious domain names. In one or more embodiments, the DNS queries sharing a common attribute are identified and/or extracted from the reference dataset described above to fine tune the malicious domain name detection. In either scenario, the common attribute may be (1) a top level domain name 
and in response to determining that the network address associated with the DNS query (Col. 11 Lines 1-15), 
triggering, by the DNS server, a countermeasure action to address a threat associated with the DNS query (Col. 16 Lines 45-47 “Returning to FIG. 2, in STEP 205, a source node of DNS queries labeled as malicious is identified in the computer network in response to generating the alert in Step 204.” Col. 16 Line 57- Col. 17 Line 3 “In Step 206, a network security operation with respect to the source node is performed with the facilitation based on the alert identifying the grouped test domain as containing domain names automatically generated for malicious activities. For example, a DNS server may be configured to block certain domain names by specifying the blocked domain names in the DNS server policy, referred to as domain blacklisting. Further, a network router may be configured to intercept and selectively block DNS traffic (e.g., DNS queries and/or replies) passing over the computer network or a portion thereof. In particular, one or more network router(s) located logically between the DNS server and the source node (e.g., a bot) sending the malicious DNS queries may be configured to block such bot-generated DNS queries.”).

	Ranjan does not disclose:
in response to determining that the network address associated with the DNS query belongs to a different network	

	Arnell discloses:
in response to determining that the network address associated with the DNS query belongs to a different network (para 0017 “Characteristics that may be indicative of an anomaly include, by way of example, a change in the DNS configuration of a client device, the volume of DNS query traffic being sent from a particular client computing device, the length of DNS events toward a specific destination, pseudo-randomly generated domain names being queried, unrecognized domain name(s) being queried, and mismatches between externally resolved IP addresses and IP addresses resolved by a trusted DNS source, to name a few.”)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of defending against a Domain Name System (DNS)-based attack of Ranjan to include in response to determining that the network address associated with the DNS query belongs to a different network, trigger countermeasure, as taught by Arnell.

	
As per claim 13, Ranjan in view of Arnell discloses:
The method of claim 12, wherein the network address is a source network address identifying a source of the DNS query (Arnell para 0013).

As per claim 14, Ranjan in view of Arnell discloses:
The method of claim 13, wherein the electronic device is part of the network, and the source network address identifies an entity external of the network (Arnell para 0031).

As per claim 15, Ranjan in view of Arnell discloses:
The method of claim 12, further comprising: in response to determining that the network address associated with the DNS query belongs to a different network, indicate occurrence of a DNS amplification attack (Arnell para 0017 and 0031).

As per claim 16, Ranjan in view of Arnell discloses:
The method of claim 12, wherein the countermeasure action is selected from dropping the DNS query or declining to provide a response to the DNS query.

As per claim 17, Ranjan discloses:
A Domain Name System (DNS) server (Col. 6 Lines 7-16 “For example, the DNS filters (115) may include a DNS server configured to block certain domain names by specifying the blocked domain names in the DNS server policy, i.e., domain blacklisting. Further, the DNS filters (115) may include a network router that intercept and selectively block DNS traffic (e.g., DNS queries and/or replies) passing over the computer network (110) or a portion thereof.”), comprising:
a processor; and a non-transitory machine-readable storage medium storing instructions executable on the processor (Col. 2 Lines 51-65 “In general, in one aspect, the invention relates to a non-transitory computer readable medium storing instructions for detecting automatically generated malicious domain names in a network. The instructions when executed by a processor of a computer includes functionality for identifying a plurality of domain name service (DNS) queries in the network, wherein the plurality of DNS queries share a common attribute, analyzing, using a central processing unit (CPU) of a computer, the plurality of DNS queries to identify a plurality of alphanumeric elements embedded in a set of domain names associated with the plurality of DNS queries, analyzing, using the CPU, the plurality of alphanumeric elements to determine a distribution metric of the set of domain names, and generating an alert based on the distribution metric according to a pre-determined criterion.”) to:
Col. 5 Lines 31-34 “In one or more embodiments, certain device(s) (e.g., DNS filters (115)) within the computer network (110) may be configured to sanction (e.g., passing or blocking) DNS traffic (e.g., DNS queries, not shown) based on information from the malicious domain name detecting tool (120).”); 
extract a top level domain name shared by the domain names (Col. 8 Lines 18-31 “In one or more embodiments, the detection module (122) includes the grouping module (124) that is configured to partition the obtained DNS queries into groups based on common attributes. In one or more embodiments, DNS queries in a partitioned group share a common top level domain name corresponding to the DNS queries. In one or more embodiments, DNS queries in a partitioned group share a common IP address that the DNS queries map to. In one or more embodiments, DNS queries in a partitioned group belong to a common connected component in an IP-domain bipartite graph of the DNS queries. In such embodiments, the connected component is identified by performing connected component analysis of the IP-domain bipartite graph of the DNS queries.”);
determine whether a measure of an amount of data relating to the DNS queries containing the top level domain name exceeds a threshold (Col. 9 Lines 55-60 “In one or more embodiments, the network trace is analyzed in a training phase, and referred to as a reference dataset, to fine tune pre-determined parameters (e.g., based distribution, pre-determined threshold, weights, regularization parameter, etc. described below) used in detecting malicious Col. 12 Lines 19-27 “In Step 204, an alert is generated based on the distribution metric according to a pre-determined criterion. In one or more embodiment, the pre-determined criterion includes pre-determined parameters that are fine-tuned during a training phase such that the alert represents, with acceptable (based on a pre-defined level) false positive rates, detection of malicious domain names indicating malicious activities (e.g., domain fluxing from botnet or spam activities) in the computer network.”); 
and in response to determining that the measure of the amount of data relating to the DNS queries containing the top level domain name exceeds the threshold (Col. 11 Lines 1-15), 
trigger a countermeasure (Col. 16 Lines 45-47)

	Ranjan does not disclose:
trigger a countermeasure action to address a threat associated with the DNS queries

	Arnell discloses:
trigger a countermeasure action to address a threat associated with the DNS queries (para 0048 “Data specifying the DNS anomaly is provided to a user device (308). In some implementations, the user device is internal to the private network, e.g., a computing device of a private network administrator.”)

The motivation would have been to trigger a countermeasure action to properly address a threat within a network.

	As per claim 18, Ranjan in view of Arnell discloses:
The DNS server of claim 17, wherein the instructions are executable on the processor to: in response to determining that the measure of the amount of data relating to the DNS queries containing the top level domain name exceeds the threshold (Ranjan Col. 8 Lines 18-31, Col. 9 Lines 55-60 and Col. 12 Lines 19-27), indicate occurrence of a denial-of-service attack (Arnell para 0031).

As per claim 19, Ranjan in view of Arnell discloses:
The DNS server of claim 17, wherein the instructions are executable on the processor to: in response to determining that the measure of the amount of data relating to the DNS queries containing the top level domain name exceeds the threshold, indicate occurrence of data exfiltration (Ranjan Col. 9 Lines 55-60 and Col. 12 Lines 19-27) and (Arnell para 0031).

As per claim 20, Ranjan in view of Arnell discloses:
.

10.	Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Ranjan in view of Arnell and further in view of U.S. Patent No. 9325735 hereinafter Xie.

As per claim 3, Ranjan in view of Arnell discloses:
The non-transitory machine-readable storage medium of claim 1, wherein the count of the number of the DNS queries comprises a count of the number of the DNS queries (Ranjan Col. 14 Lines 46-55) 
Ranjan in view of Arnell does not disclose:
a count of the number of the DNS queries that resulted in a cache miss at the DNS server

	Xie discloses:
a count of the number of the DNS queries that resulted in a cache miss at the DNS server (Col. 6 Lines 26-48 “In one embodiment, selective sinkholing of 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of defending against a Domain Name System (DNS)-based attack of Ranjan in view of Arnell to include a count of the number of the DNS queries that resulted in a cache miss at the DNS server, as taught by Xie.
.

11.	Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Ranjan in view of Arnell and further in view of U.S. Publication No. 20180351972 hereinafter Yu.

As per claim 8, Ranjan in view of Arnell discloses:
The non-transitory machine-readable storage medium of claim 1, wherein the instructions upon execution cause the DNS server to: use a Bloom filter to
determine whether a domain name of a DNS query is in a set of domain names received previously by the DNS server (Ranjan Fig. 2, Col. 6 Lines 3-32).
	
Ranjan in view of Arnell does not disclose:
use a Bloom filter to determine whether a domain name of a DNS query
	
	Yu discloses:
use a Bloom filter to determine whether a domain name of a DNS query (para 0055 “FIG. 1A depicts how a classifier 104 can be deployed for inline DGA detection, showing a transaction with an infected client host or client host 106. Client host 106 performs a DNS query as shown at 112. If the DNS query is not resolved by a DNS server 102, then DNS server 102 sends an NXDomain response as shown at 114. Domains which resolve at DNS server 102 are checked as shown at 116 to predict if they are malicious using classifier 104. Para 0056 “FIG. 1B depicts how a classifier can be deployed for providing an inline DGA detection component as shown at 154. Client host 156 is in communication with a DNS server policy engine as shown at 152 for performing DNS queries. For example, if client 156 sends a DNS query (e.g., A/AAAA query) to DNS server policy engine 152, and if not cached, then DNS server policy engine 152 forwards the DNS query to an upper recursion 162 and also to an inline DGA detection component 154. If DNS server policy engine 152 receives a DNS response from upper recursion 162 and inline DGA detection timed out, then the DNS response is sent back to client 156. Inline DGA detection 154 checks a bloom filter 158 to determine if positive (i.e., this particular DNS query is likely in the set of DNS queries maintained by the bloom filter), then return null; otherwise, the bloom filter result is negative (i.e., this particular DNS query is definitely not in the set of DNS queries maintained by the bloom filter) and inline DGA detection is performed to determine whether the DNS query is determined to be associated with DGA malware (i.e., a positive result is a prediction that it is malicious using the inline DGA detection classifier) or not (i.e., a negative result is a prediction that it is not malicious using the inline DGA detection classifier). If the DNS query is resolved and detection is positive from inline DGA detection 154 (e.g., domains which resolve at DNS server 152 are checked against the classifier implemented 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of defending against a Domain Name System (DNS)-based attack of Ranjan in view of Arnell to include use a Bloom filter to determine whether a domain name of a DNS query, as taught by Yu.
The motivation would have been to use a properly filter to accurately identify a domain name.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
A. 	U.S. Publication No. 20180183830 discloses on paragraph 0031 “FIG. 1 is a diagram illustrating an example system 100 for detecting and mitigating a DoS attack, according to examples of the present disclosure. In one example, the system 100 is part of an authoritative DNS server 115 and is used for detecting spoofed DNS query packets or the like that appear to the receiving entity to originate from a first transmitting entity but actually originate from a second transmitting entity that has falsified data (e.g., used a falsified IP address). The authoritative DNS server 115 receives a plurality of DNS query packets 110 from a plurality of transmitting entities (not shown) at packet processing logic 120. Packet processing logic 120 copies each DNS query packet and provides each packet to a filter logic 125 and a detection logic 130. The detection logic 130 can perform one or more analytic techniques to determine if a DoS attack is occurring. By way of one example, the detection logic 130 can determine and maintain a count of a number of queries over time. On an ongoing basis, periodically (every several of seconds or minutes), or once traffic reaches a predetermined threshold (number of queries exceeds 10 million, 100 million, 500 million, etc.), the detection logic 130 can inspect queries from a sampling of IP addresses to determine if the queries share any common feature that can be used to filter incoming packets.”

B.	U.S. Publication No. 20170163754 discloses on paragraph 0055 “At block 615, the service server 125 queries, or causes a query to be issued to the DNS system 140 for each of a number of common subdomains (e.g., www.example.com, blog.example.com, web.example.com, mail.example.com, ftp.example.com, etc.). For example, in one embodiment, the service server 125 stores a list of subdomains that are ranked into the likelihood that they will appear in a zone for a domain. The subdomains may be tested sequentially or in parallel.” Paragraph 0066 “For example, in an embodiment, the service server 125 compares the DNS configurations of unprotected assets (e.g., domains that will not point to a proxy server of the service) and protected assets (e.g., domains that point to a proxy server of the service). A record that is not protected by the service and is also referring to a record that is protected by the service is considered to be leaking the origin IP address. For instance, FIG. 12 illustrates an exemplary configuration screen 1200 that notifies a customer if their configuration is potentially leaking their origin IP address. For instance, the A record "ejj.io" is pointing to an IP address of a proxy server of the service and is therefore a protected asset. That is, a DNS request for "ejj.io" will return an IP address of the proxy server of the service and therefore traffic directed to the domain "ejj.io" will be received at a proxy server of the service. The MX record "testme", which is not protected by the service, has a value where the mail is handled by the domain "ejj.io" (a protected asset). Thus, the MX record "testme" is itself unprotected but refers to a protected asset. Accordingly, the MX record "testme" is considered to be leaking the IP address of the origin server since a 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to GARY S GRACIA whose telephone number is (571)270-5192.  The examiner can normally be reached on Monday-Friday 9am-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 5712723972.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-






/GARY S GRACIA/Primary Examiner, Art Unit 2491