Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This Office Action is in response to the application 16/264,667 filed on 12/24/2020; Claims 1 and 10-11 have been amended; Claims 8 and 17 have been canceled; and Claims 1 and 10 are independent claims. Claims 1-7, 9-16, and 18 have been examined and are pending. This Action is made FINAL.
Response to Arguments
The Applicant held the double patenting matters in abeyance. Therefore, the Examiner maintains the double patenting rejection.
Applicants’ arguments in the instant Amendment, filed on 12/24/2020, with respect to claims 1-18 under 35 U.S.C. § 101 have been fully considered but they are not persuasive. The rejections of claims 1-18 under 35 U.S.C. § 101 are maintained for the following reasons:
Regarding claims 1-18, Claims 1-18 are rejected under U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claims recite “analyze network communication …;” “determine that a length of the domain name …;” and “identify the domain name as a command and control domain,” which are mental processes; therefore, the claims are directed to an abstract idea.

This judicial exception is not integrated into a practical application. In particular, the claim only recites one additional element – using a processor to perform both the identifying and determining steps. The processor in both steps is recited at a high level of generality (i.e., as a generic processor performing a generic computer function of identifying and determining steps) such that it amounts to no more than mere instructions to apply the exception using a generic component. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claim(s) is/are directed to an abstract idea.

The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional element of using a processor to perform both the identifying and determining steps amounts to no more than mere instructions to apply the exception using a generic computer component. Mere instruction to apply an exception using a generic computer component cannot provide an inventive concept. The claim(s) is/are not patent eligible.
Applicants’ arguments in the instant Amendment, filed on 12/24/2020, with respect to limitations listed below, have been fully considered but they are not persuasive.
a. Applicants argue: Applicant has not found that the combination of Cao, Antonakakis, and Merza teaches or suggests all the features of amended claims 1 and 10, including the feature “in response to determining that ... a lexical complexity of the domain name satisfies an average lexical complexity threshold for a list of domain names associated with a domain generation algorithm (DGA) ... identify[ing] the domain name as a command and control domain of the DGA” (Remark, pages 6-8).
The Examiner disagrees with the Applicants. The Examiner respectfully submits that Cao, Antonakakis, and Merza do disclose the aforementioned limitations as follows:

analyze network communications on a computer network to detect a communication including a domain name (Cao: pars. 0011, 0013, 0019, 0027, 0030, 0034, 0038, generate lists of domain names corresponding to each day in the dataset…The following Table I provides examples of the domain names generated by the DGA algorithms for the Conficker-A and B and Torpig botnets) associated with a domain generation algorithm (DGA) (Cao: pars. 0009, 0010-0011; 0038-0039, using the DGA algorithm, the bot master pre-computes a plurality of domain-name lists and then randomly registers one or more domain names from the lists through a domain-name registrar) and
in response to determining that a length of the domain name falls and a lexical complexity of the domain name satisfies an average lexical complexity threshold for a list of domain names (Cao: pars. 0019, 0033, 0069; The malicious software agent detector is adapted to: (i) derive, from the graph, one or more candidate clusters of hosts for each of a plurality of time intervals in the time period; (ii) link candidate clusters in adjacent time intervals based on shared IP addresses to form one or more cluster chains; and (iv) identify one or more cluster chains that are longer than a specified length threshold);
identify the domain name as a command and control domain of the DGA (Cao: pars. 0012-0015, identifying Domain Generated Algorithm malware; pars. 0033-0034, domain-flux bots and their associated domain names are identified; par. 0038, Domain Generated Algorithms (DGAs)).
Merza discloses security threat detection based on indication in big data of access to newly registered domains, wherein
(Merza: pars. 0005, 0040, a query can be sent to a registrar to determine when the domain name was registered.  Domain names with recent registration times and high access counts may suggest a potential security threat is present; See also pars. 0073-0074).
wherein identify the domain name as a command and control domain when the age is less than a second threshold (Merza: pars. 0027, 0075; age assessor 245 detects select domain names having a relatively recent registration time and a relatively high access count. The detection can be performed based on, e.g., a threshold comparison (e.g., requiring a domain to be associated with an age since registration below a first threshold and an access count above a second threshold in order to be included in the subset)).
Antonakakis discloses From Throw-Away Traffic to Bots: Detecting the Rise of DGA-Based Malware, wherein a length of the domain name falls within a specified range (Antonakakis: page 502, 2nd Col., 7.4.1 Zeus.v3, Excluding the top level domains, the length of the domain names generated by the DGA are between 33 and 45 alphanumeric characters).
It is clear that the combination of Cao, Merza, and Antonakakis as a whole does teach the aforementioned limitations. 

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 01/08/2021 and 09/14/2020 are being considered by the examiner.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.   A nonstatutory obviousness-type double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the conflicting application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. 

Claims 1-2 and 10-11 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1 and 10 of U.S. Patent 10,198,579, Date of Patent: Feb. 5, 2019, respectively, in view of Cao et al. (“Cao,” US 2012/0084860, Pub. Date: Apr. 5, 2012), further in view of Merza (“Merza,” US 2013/0318603, published Nov. 28, 2013), further in view of Mano Antonakakis et al. (“Antonakakis,” From Throw-Away Traffic to Bots: Detecting the Rise of DGA-Based Malware, August 8-10, 2012, pages 491-506).
Regarding claims 1-2 and 10-11; claims 1 and 10 of U.S. Patent 10,198,579, respectively, disclose all the limitations except “determine that a length of the domain name falls within a specified range” and “a lexical complexity of the domain name satisfies an average lexical complexity threshold for a list of domain names associated with a domain generation algorithm (DGA)”, “query a domain name registrar server to determine an age of the domain name” and “identify the domain name as command and control domain when the age is less than a second threshold”.
However, in an analogous art, Cao discloses a system and method for detection of domain-flux botnets and the like, wherein determine that a length of the domain name falls in specified length threshold and a lexical complexity of the domain name satisfies an average lexical complexity threshold for a list of domain names (Cao: pars. 0019, 0033, 0069; The malicious software agent detector is adapted to: (i) derive, from the graph, one or more candidate clusters of hosts for each of a plurality of time intervals in the time period; (ii) link candidate clusters in adjacent time intervals based on shared IP addresses to form one or more cluster chains; and (iv) identify one or more cluster chains that are longer than a specified length threshold);
lexical complexity of the domain name satisfies an average lexical complexity threshold for a list of domain names (Cao: pars. 0019, 0033, 0069; The malicious software agent detector is adapted to: (i) derive, from the graph, one or more candidate clusters of hosts for each of a plurality of time intervals in the time period; (ii) link candidate clusters in adjacent time intervals based on shared IP addresses to form one or more cluster chains; and (iv) identify one or more cluster chains that are longer than a specified length threshold) associated with a domain generation algorithm (DGA) (Cao: pars. 0009, 0010-0011; 0038-0039, using the DGA algorithm, the bot master pre-computes a plurality of domain-name lists and then randomly registers one or more domain names from the lists through a domain-name registrar);
identify the domain name as a command and control domain (Cao: pars. 0012-0015, identifying Domain Generated Algorithm malware; pars. 0033-0034, domain-flux bots and their associated domain names are identified; par. 0038, Domain Generated Algorithms (DGAs)).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Cao with the method and system of U.S. Patent 10,198,579, determine that a length of the domain name falls in specified length threshold and a lexical complexity of the domain name satisfies an average lexical complexity threshold for a list of domain (Cao: abstract).
Cao discloses identify the domain name as a command and control domain but does not explicitly disclose when the age is less than a second threshold.
However, in an analogous art, Merza discloses security threat detection based on indication in big data of access to newly registered domains, wherein query a domain name registrar server to determine an age of the domain name (Merza: pars. 0005, 0040, a query can be sent to a registrar to determine when the domain name was registered. Domain names with recent registration times and high access counts may suggest a potential security threat is present; See also pars. 0073-0074).
wherein identify the domain name as a command and control domain when the age is less than a second threshold (Merza: pars. 0027, 0075; age assessor 245 detects select domain names having a relatively recent registration time and a relatively high access count. The detection can be performed based on, e.g., a threshold comparison (e.g., requiring a domain to be associated with an age since registration below a first threshold and an access count above a second threshold in order to be included in the subset)).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Merza with the (Merza: pars. 0005-0006)
Cao discloses determine that a length of the domain name falls in specified length threshold but does not explicitly disclose a length of the domain name falls within a specified range.
However, in an analogous art, Antonakakis discloses From Throw-Away Traffic to Bots: Detecting the Rise of DGA-Based Malware, wherein a length of the domain name falls within a specified range (Antonakakis: page 502, 2nd Col., 7.4.1 Zeus.v3, Excluding the top level domains, the length of the domain names generated by the DGA are between 33 and 45 alphanumeric characters).
(Antonakakis: page 491, abstract).
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows: 
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-7, 9-16, and 18 are rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter.
Regarding claims 1-7, 9-16, and 18; claims 1-7, 9-16, and 18 are rejected under U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claims recite “analyze network communication …;” “determine that a length of the domain name …;” “query a domain name register server …;” and “identify the domain name as a command and control domain”.
The limitation of “determine that a length of the domain name ... ;” as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic components. That is, other than reciting “by a processor,” nothing in the claim element precludes the step from practically being performed in the mind. For example, but for the “by a processor” language, 
This judicial exception is not integrated into a practical application. In particular, the claim only recites one additional element – using a processor to perform both the identifying and determining steps. The processor in both steps is recited at a high level of generality (i.e., as a generic processor performing a generic computer function of identifying and determining steps) such that it amounts to no more than mere instructions to apply the exception using a generic component. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claim(s) is/are directed to an abstract idea.
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional element of using a processor to perform both the identifying and determining steps amounts to no more than mere instructions to apply the exception using a generic computer component. Mere 
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person.

Claims 1-3, 5-7, 9-12, 14-16, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Cao et al. (“Cao,” US 2012/0084860, Pub. Date: Apr. 5, 2012) in view of Merza (“Merza,” US 2013/0318603, published Nov. 28, 2013), further in view of Mano Antonakakis et al. (“Antonakakis,” From Throw-Away Traffic to Bots: Detecting the Rise of DGA-Based Malware, August 8-10, 2012, pages 491-506). 
Regarding claim 1, Cao discloses a computer readable storage disk or storage device comprising instructions that, when executed, cause a machine to at least:
analyze network communications on a computer network to detect a communication including a domain name (Cao: pars. 0011, 0013, 0019, 0027, 0030, 0034, 0038, generate lists of domain names corresponding to each day in the dataset…The following Table I provides examples of the domain names generated by the DGA algorithms for the Conficker-A and B and Torpig botnets) associated with a domain generation algorithm (DGA) (Cao: pars. 0009, 0010-0011; 0038-0039, using the DGA algorithm, the bot master pre-computes a plurality of domain-name lists and then randomly registers one or more domain names from the lists through a domain-name registrar) and
in response to determining that a length of the domain name falls and a lexical complexity of the domain name satisfies an average lexical complexity threshold for a list of domain names (Cao: pars. 0019, 0033, 0069; The malicious software agent detector is adapted to: (i) derive, from the graph, one or more candidate clusters of hosts for each of a plurality of time intervals in the time period; (ii) link candidate clusters in adjacent time intervals based on shared IP addresses to form one or more cluster chains; and (iv) identify one or more cluster chains that are longer than a specified length threshold);
identify the domain name as a command and control domain of the DGA (Cao: pars. 0012-0015, identifying Domain Generated Algorithm malware; pars. 0033-0034, domain-flux bots and their associated domain names are identified; par. 0038, Domain Generated Algorithms (DGAs)).
Cao discloses identify the domain name as a command and control domain but does not explicitly disclose when the age is less than a second threshold.
However, in an analogous art, Merza discloses security threat detection based on indication in big data of access to newly registered domains, wherein
query a domain name registrar server to determine an age of the domain name (Merza: pars. 0005, 0040, a query can be sent to a registrar to determine when the domain name was registered.  Domain names with recent registration times and high access counts may suggest a potential security threat is present; See also pars. 0073-0074).
(Merza: pars. 0027, 0075; age assessor 245 detects select domain names having a relatively recent registration time and a relatively high access count. The detection can be performed based on, e.g., a threshold comparison (e.g., requiring a domain to be associated with an age since registration below a first threshold and an access count above a second threshold in order to be included in the subset)).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Merza with the method and system of Cao, wherein query a domain name registrar server to determine an age of the domain name; identify the domain name as a command and control domain when the age is less than a second threshold to provide users with means for the query can be sent to a registrar to determine when the domain name was registered. Domain names with recent registration times and high access counts can suggest a potential security threat is present. The client viewing the object can detect domain names departing from the normal patterns between the variables. The client can select an individual domain-name representation, which can cause more detail to be shown regarding events tied to the domain name. The client can also initiate generation of a rule that can block access to the domain name. Thus the large number of computational events and webpage-access data to identify domain names associated with unusual access patterns can be processed. The strict rules subject to malware adaptability can be avoided in favor of providing clients with the power to easily view access data and identify appropriate reactions (Merza: pars. 0005-0006).

However, in an analogous art, Antonakakis discloses From Throw-Away Traffic to Bots: Detecting the Rise of DGA-Based Malware, wherein a length of the domain name falls within a specified range (Antonakakis: page 502, 2nd Col., 7.4.1 Zeus.v3, Excluding the top level domains, the length of the domain names generated by the DGA are between 33 and 45 alphanumeric characters).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Antonakakis with the method and system of Cao and Merza, wherein a length of the domain name falls within a specified range to provide users with means for a new technique to detect randomly generated domains without reversing (Antonakakis: page 491, abstract).
Regarding claim 2, the combination of Cao, Merza, and Antonakakis discloses the computer readable storage disk or storage device of claim 1. Cao further discloses wherein the instructions, when executed, cause the machine to determine the lexical complexity of the domain name (Cao: pars. 0019, 0033, 0069; and (iv) identify one or more cluster chains that are longer than a specified length threshold).
Regarding claim 3, the combination of Cao, Merza, and Antonakakis discloses the computer readable storage disk or storage device of claim 1. Antonakakis further discloses wherein the specified range is between a smallest domain name length and a largest domain name length of domain names listed in the list of domain names (Antonakakis: page 502, 2nd Col., 7.4.1 Zeus.v3, Excluding the top level domains, the length of the domain names generated by the DGA are between 33 and 45 alphanumeric characters).
Regarding claim 5, the combination of Cao, Merza, and Antonakakis discloses the computer readable storage disk or storage device of claim 1. Merza further discloses wherein the instructions, when executed, cause the machine to determine the age based on a domain creation date identified in a WHOIS database (Merza: par. 0079, Each row identifies registration information for the domain name, including an age since registration, name servers, registrant party, registrar name, expiration date for the registration and a date on which the registration was last updated their WHOIS database).
Regarding claim 6, the combination of Cao, Merza, and Antonakakis discloses the computer readable storage disk or storage device of claim 1. Cao further discloses wherein the instructions, when executed, cause the machine to determine if the domain name is on a source internet protocol (IP) watch list (Cao: pars. 0018, 0037, 0083-0086; The data set from the three-month traffic study mentioned above will now be used to illustrate the behavior of DNS traffic generated by domain-flux botnets. The network studied contains approximately 20,000 hosts, with IP addresses that are either static (e.g., IP addresses of computers in laboratories or servers) or dynamic (e.g., IP addresses of machines connected to dormitory networks or to wireless networks)).
Regarding claim 7, the combination of Cao, Merza, and Antonakakis discloses the computer readable storage disk or storage device of claim 6. Cao further discloses wherein the instructions, when executed, cause the machine to determine the age of the (Cao: pars. 0018, 0037, 0083-0086; The data set from the three-month traffic study mentioned above will now be used to illustrate the behavior of DNS traffic generated by domain-flux botnets. The network studied contains approximately 20,000 hosts, with IP addresses that are either static (e.g., IP addresses of computers in laboratories or servers) or dynamic (e.g., IP addresses of machines connected to dormitory networks or to wireless networks)).
Regarding claim 9, the combination of Cao, Merza, and Antonakakis discloses the computer readable storage disk or storage device of claim 1. Cao further discloses wherein the instructions, when executed, cause the machine to determine the second threshold based on an age of command and control domains criterion (Cao: pars. 0068, 0073; Certain embodiments of the present invention employ co-clustering and linking algorithms to detect domain-flux bots, as follows. First, IP address and domain-name co-clustering is performed on the daily DNS-failure graphs to discover richly-connected host communities and their associated domain names, which host communities are candidates for possibly being domain-flux bots. Next, these host communities, which are discovered by daily co-clustering over time, are linked, and a list of persistent clusters, i.e., clusters lasting longer than a specified number of days, is created. For each persistent cluster, changes in its domain names are then examined. If a high proportion of new domain names is observed, then that cluster is identified as being a domain-flux bot).
Regarding claim 10, claim 10 is directed to a method associated with a computer readable storage disk or storage device claimed in claim 1; claim 10 is similar in scope to claim 1, and is therefore rejected under similar rationale. 
Regarding claim 11, claim 11 is similar in scope to claim 2, and is therefore rejected under similar rationale.
Regarding claim 12, claim 12 is similar in scope to claim 3, and is therefore rejected under similar rationale.
Regarding claim 14, claim 14 is similar in scope to claim 5, and is therefore rejected under similar rationale.
Regarding claim 15, claim 15 is similar in scope to claim 6, and is therefore rejected under similar rationale.
Regarding claim 16, claim 16 is similar in scope to claim 7, and is therefore rejected under similar rationale.
Regarding claim 18, claim 18 is similar in scope to claim 9, and is therefore rejected under similar rationale.
Claims 4 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Cao et al. (“Cao,” US 2012/0084860, Pub. Date: Apr. 5, 2012), in view of Merza (“Merza,” US 2013/0318603, published Nov. 28, 2013), further in view of Mano Antonakakis et al. (“Antonakakis,” From Throw-Away Traffic to Bots: Detecting the Rise of DGA-Based Malware, August 8-10, 2012, pages 491-506), and further in view of Archbold (“Archbold,” US 2014/0068043, Pub. Date: Mar. 6, 2014).
Regarding claim 4, the combination of Cao, Merza, and Antonakakis discloses the computer readable storage disk or storage device of claim 1. Cao does not explicitly 
However, in an analogous art, Archbold discloses risk domain name service, wherein the instructions, when executed, cause the machine to determine if a Domain Name Server (DNS) response indicates the domain name failed resolution (Archbold: par. 0053, DNS resolution failure from the received DNS responses).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Archbold with the method and system of Cao, Merza, and Antonakakis, wherein the instructions, when executed, cause the machine to determine if a Domain Name Server (DNS) response indicates the domain name failed resolution, to provide users with means for the system transmits the zone file to the DNS server, thus effectuating change in TTL associated with particular domain addresses and/or domain names, updating TTL values at the DNS server without generation of zone files, and reducing volume of DNS requests (Archbold: par. 0013).
Regarding claim 13, claim 13 is similar in scope to claim 4, and is therefore rejected under similar rationale.


Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Canh Le whose telephone number is 571-270-1380. The examiner can normally be reached on Monday to Friday 6:00AM to 3:30PM other Friday off.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on 571-270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. 




Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/Canh Le/
Examiner, Art Unit 2439
January 15th, 2021


/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439