Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed 12/22/2020 has been entered.

Response to Arguments
Applicant’s arguments filed 12/22/2020 have been fully considered. With regard to the generation step, applicant has amended the claims as follows: “generating one or more sets of metrics from among at least one metric associated with the one or more first outliers to reduce a number of metrics used to detect outliers”. The language “to reduce a number of metrics used to detect outliers” is a statement of intended use which does little to distinguish over the prior art and will not be afforded patentable weight as a result. Accordingly, applicant’s argument that “Roolvink fails to teach or suggest reducing a number of metrics used to detect outliers” is not persuasive since the features which applicant relies upon are couched within an intended use type limitation. Applicant’s further arguments are moot in view of the new grounds of rejection presented herein.
	 


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:

1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1-3, 5, 11-13, 15 are rejected under 35 U.S.C. 103 as being unpatentable over “Detecting attacks involving DNS servers” to Stephan Roolvink (“Roolvink”) in view of US 20180173110 to Hu.

Regarding claim 1,
Roolvink teaches a method for detecting a predetermined behavior during a domain name registration or a domain resolution activity, the method comprising: 
identifying one or more dimensions to be tracked; identifying one or more metrics for the one or more dimensions to be tracked; generating a first time series for the one or more metrics for the one or more dimensions to be tracked (section 5.1.1-5.1.8, time series analysis of dimensions and metrics for each dimension, e.g. number of requests by host, number of response to host etc., see also 5.2.2-5.2.3); 

detecting one or more first outliers in at least one of the first time series (section 5.1.1-5.1.8, detection of outliers in time series; see also section 5.2.1 regarding standard deviation over time period; standard deviation analysis including detection of deviation above threshold indicating outliers); 

generating one or more sets of metrics from among at least one metric associated with the one or more first outliers to reduce a number of metrics used to detect outliers, each set including two or more metrics; generating a second time series for a metric in the one or more sets of metrics; and detecting one or more second outliers in the second time series (5.1.1-5.1.8, see multiple metrics used, e.g. requests to and responses from DNS servers over a time series and detection of outliers; two or more metrics from set of metrics for which first outliers are detected are used – e.g. metrics used to detect outliers are also used in Botnet DDoS attack metric analysis and time series, reflection DDoS attacks, Recursive queries, cache poisoning time series; see also section 5.2.1 regarding standard deviation over time period; standard deviation analysis including detection of deviation above threshold indicating outliers; see also 5.2.2-5.2.3).
Roolvink fails to teach, but Hu teaches: wherein the one or more second outliers comprise fewer outliers than the one or more first outliers (¶ 16, 72, second set of outliers is reduced compared to first set of outliers via outlier reduction processes).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include the teachings of Hu. The motivation to do so is that the teachings of Hu would have been advantageous in terms of reducing outliers and via noise reduction in overlay monitoring and control and mitigating the impact of overlay measurement inaccuracies (Hu, ¶ 16).


Regarding claim 2, 12,
Roolvink teaches: 
wherein generating the first time series comprises collecting, processing, and aggregating raw data from domain name registrations to a predetermined time granularity for each of the metrics (section 5.1.1-5.1.8, time series analysis of dimensions and metrics for each dimension, e.g. number of requests by host, number of response to host etc., see also 5.2.2-5.2.3).

Regarding claim 3, 13,
Roolvink teaches: 
prior to detecting the one or more first outliers, filtering the one or more metrics according to a fixed threshold or an adaptive threshold on a most recent value of the one or more metrics (2.2.2, threshold filtering).

Regarding claim 5, 15,
Roolvink teaches: 
wherein, when generating the one or more sets of metrics, each of the metrics is from a different one of the one or more dimensions (section 5.1.1-5.1.8, 5.2.2-5.2.3).

Claim 11 is addressed by similar rationale as claim 1.  

Claims 4, 6-7, 9, 14, 16-17, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Roolvink and Hu in view of US 20160359707 to Pang.

Regarding claim 7, 9, 17, 19,
Roolvink fails to teach filtering the one or more second outliers using a fixed filter and displaying the one or more second outliers. However, Pang teaches filtering one or more second outliers using a fixed filter and displaying the one or more second outliers (¶ 14, filtering and displaying outliers).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include the teachings of Pang. The motivation to do so is that the teachings of Pang would have been advantageous in terms of analyzing and viewing atypical flows (Pang, ¶ 14, 16).

Regarding claim 4, 14,
Roolvink fails to teach but Pang teaches: 
grouping one or more first outliers by one or more dimensions, by one or more metrics, or by a combination thereof (¶ 14). Motivation to include Pang is the same as presented above.


Regarding claim 6, 16,
Roolvink fails to teach but Pang teaches: 
prior to generating the second time series, filtering the one or more metrics to a smaller subset of metrics based on a predetermined hierarchy of dimension significance (¶ 14-16, filtering typical vs atypical flows). Motivation to include Pang is the same as presented above.



Claims 8 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Roolvink and Hu in view of US 201901240099 to Matselyukh.

Regarding claim 8, 18,
Roolvink fails to teach filtering the one or more second outliers using an adaptive filter. However, Matselyukh discloses filtering using adaptive filters (¶ 98).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include the teachings of Matselyukh with the outliers of Roolvink. The motivation to do so is that the teachings of Matselyukh would have been advantageous in terms of facilitating pre-processing and cleaning of data using rules (Matselyukh, ¶ 98).


Claims 10 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Roolvink and Hu in view of US 20150058977 to Thompson.

Regarding claim 10, 20,
Roolvink fails to teach: implementing a distributed denial of service (DDoS) in response to detecting the one or more second outliers.
However, Thompson discloses a method of implementing a distributed denial of service (DDoS) in response (Thompson, abstract, ¶ 5-8) that would have been obvious to use in response to Roolvink’s outlier detection which is indicative of a DDoS attack. The motivation to remediate a DDoS attack is to keep network resources available to users (Thompson, ¶ 2-5).



CONCLUSION
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RYAN J JAKOVAC whose telephone number is (571)270-5003.  The examiner can normally be reached on 8-4 PM EST. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Oscar A. Louie can be reached on 572-270-1684.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/RYAN J JAKOVAC/Primary Examiner, Art Unit 2445