Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
1.	This action is in response to the amendment filed on 18 January 2021 and the Examiner Initiated Interview held on 10 February 2021.
2.	An examiner's amendment to the record is attached. Please enter the entire claim set. PLEASE SCROLL DOWN TO THE END OF THE DOCUMENT. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee. The examiner's amendment was authorized by attorney of record Obert H. Chu in a phone interview on 10 February 2021 and a confirming email.
Conclusion
3.	Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. 
4.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to ELLEN C TRAN whose telephone number is (571) 272-3842. The examiner can normally be reached from M-F 9 AM to 6 PM.
Examiner interviews are available via telephone and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/ELLEN TRAN/Primary Examiner, Art Unit 2433                                                                                                                                                                                                        11 February 2021

Examiner’s Amendment 
This listing of the claims will replace all prior versions and listings of the claims in the application.

Listing of Claims:
1.	(Currently Amended)	A system for Domain Generation Algorithm (DGA) behavior detection, comprising:
a processor of a security device configured to: 
receive passive Domain Name System (DNS) data that comprises a plurality of DNS responses; and 
apply a signature to the passive DNS data to detect DGA behavior, wherein apply the signature to the passive DNS data to detect DGA behavior further comprises:
parse each of the plurality of DNS responses to determine whether one or more of the plurality of DNS responses correspond to a non-existent domain (NXDOMAIN) response; and 
determine whether a threshold number of NXDOMAIN responses is received at the security device within a predetermined period of time, comprising to:
perform one or more of the following:
A)	in response to a determination that a DNS response corresponds to a NXDOMAIN response:
determine whether a domain name that was queried relating to the DNS response is on a list of known or approved dynamic DNS; and
in response to a determination that the domain name that was queried relating to the DNS response is on the list of known or approved dynamic DNS, omit adding the DNS response to the NXDOMAIN responses;
B)	in response to a determination that a DNS response corresponds to a NXDOMAIN response:
determine whether a host name portion of a domain name that was queried relating to the DNS response can be broken into a plurality of known dictionary words; and 
in response to a determination that the host name portion of the domain name that was queried relating to the DNS response can be broken into the plurality of known dictionary words, adding the DNS response to the NXDOMAIN responses; and/or
C)	in response to a determination that a DNS response corresponds to a NXDOMAIN response:
determine whether a domain name associated with the DNS response only includes two segments, the two segments including a hostname and a top level domain; and
in response to a determination that the domain name associated with the DNS response does not only include two segments, omit adding the DNS response to the NXDOMAIN responses; and 
a memory coupled to the processor and configured to provide the processor with instructions.  
2.	(Original)	The system recited in claim 1, wherein the signature comprises an Intrusion Prevention System (IPS) signature.  
3.	(Original)	The system recited in claim 1, wherein the NXDOMAIN response is in response to a DNS query from a host device for an NXDOMAIN, and wherein the NXDOMAIN response includes a destination IP address that corresponds to the host device.  
4.	(Original)	The system recited in claim 1, wherein a plurality of NXDOMAIN responses are received at the security device, and wherein one or more distinct host devices are determined based on distinct IP addresses associated with one or more of the plurality of NXDOMAIN responses received at the security device.  
5.	(Original)	The system recited in claim 1, wherein the processor is further configured to:

6.	(Original)	The system recited in claim 1, wherein the processor is further configured to:
determine that a first domain name is a DGA generated domain name based on detected DGA behavior using the signature, wherein the first domain name is associated with at least one of the one or more of the plurality of NXDOMAIN responses; and 
sinkhole the first domain name using a sinkholed IP address.  
7.	(Original)	The system recited in claim 1, wherein the processor is further configured to:
determine that a first domain name is a DGA generated domain name based on detected DGA behavior using the signature, wherein the first domain name is associated with at least one of the one or more of the plurality of NXDOMAIN responses; and 
sinkhole the first domain name using the security device to redirect any host device that attempts to connect to the first domain name to a sinkholed IP address.  
8.	(Original)	The system recited in claim 1, wherein the processor is further configured to:
determine that a first domain name is a DGA generated domain name based on detected DGA behavior using the signature, wherein the first domain name is associated with at least one of the one or more of the plurality of NXDOMAIN responses; and 
sinkhole the first domain name using the security device to redirect any host device that attempts to connect to the first domain name to a sinkholed IP address, wherein the sinkholed IP address is associated with the security device.  
9.	(Original)	The system recited in claim 1, wherein the processor is further configured to:
determine that a first domain name is a DGA generated domain name based on detected DGA behavior using the signature, wherein the first domain name is associated with at least one of the one or more of the plurality of NXDOMAIN responses; and 

10.	(Original)	The system recited in claim 1, wherein the processor is further configured to:
determine that a first domain name is a DGA generated domain name based on detected DGA behavior using the signature, wherein the first domain name is associated with at least one of the one or more of the plurality of NXDOMAIN responses; and 
sinkhole the first domain name using the security device to redirect any host device that attempts to connect to the first domain name to a sinkholed IP address, wherein the sinkholed IP address is associated with a server of a cloud security service.  
11.	(Original)	The system recited in claim 1, wherein the processor is further configured to:
determine that a first domain name is a DGA generated domain name based on detected DGA behavior using the signature, wherein the first domain name is associated with at least one of the one or more of the plurality of NXDOMAIN responses; 
sinkhole the first domain name using a sinkholed IP address; and 
monitor network activity redirected to the sinkholed IP address.  
12.	(Original)	The system recited in claim 1, wherein the processor is further configured to:
determine that a first domain name is a DGA generated domain name based on detected DGA behavior using the signature, wherein the first domain name is associated with at least one of the one or more of the plurality of NXDOMAIN responses; 
sinkhole the first domain name using a sinkholed IP address; and 
identify a first host device that is infected with malware based on an attempt by the first host device to connect to the first domain name, wherein the first host device is redirected to the sinkholed IP address in response to the attempt by the first host device to connect to the first domain name.    
13.	(Original)	The system recited in claim 1, wherein the processor is further configured to:
determine that a first domain name is a DGA generated domain name based on detected DGA behavior using the signature, wherein the first domain name is associated with at least one of the one or more of the plurality of NXDOMAIN responses; 
sinkhole the first domain name using a sinkholed IP address; and 
generate a log for each attempted host device connection that is redirected to the sinkholed IP address.  
14.	(Original)	The system recited in claim 1, wherein the processor is further configured to:
determine that a first domain name is a DGA generated domain name based on detected DGA behavior using the signature, wherein the first domain name is associated with at least one of the one or more of the plurality of NXDOMAIN responses; 
sinkhole the first domain name using a sinkholed IP address; and 
report one or more host devices that attempt to connect to the sinkholed IP address.  
15.	(Original)	The system recited in claim 1, wherein the processor is further configured to:
determine that a first domain name is a DGA generated domain name based on detected DGA behavior using the signature, wherein the first domain name is associated with at least one of the one or more of the plurality of NXDOMAIN responses; 
determine one or more host devices that attempted to connect to the first domain name; and
perform an action in response to determining the one or more host devices that attempted to connect to the first domain name.  
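The sinkholing steps recited in claims 6 through 15 (determine that a domain is DGA-generated, answer lookups for it with a sinkhole address held by the security device, then monitor, log, identify and report the hosts that connect to that address), worked through as an added example for this page. This is illustrative code and not the applicant's implementation. The sinkhole address 192.0.2.53, the 30-second window used to attribute a connection to the lookup that preceded it, the two flagged domains, and the lookup and flow records are all constructed for the illustration.

```python
"""Sinkholing DGA-generated domains at the security device and identifying
the hosts that then connect to the sinkhole.  Added illustration, not the
applicant's code."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SINKHOLE_IP = "192.0.2.53"   # assumed address held by the security device (RFC 5737 range)


@dataclass
class SinkholeEvent:
    ts: float
    client_ip: str
    qname: str


class Sinkhole:
    """Rewrites the answer for every domain judged DGA-generated to the sinkhole
    address and records each redirect together with the host that asked."""

    def __init__(self, dga_domains, sinkhole_ip: str = SINKHOLE_IP):
        self.dga_domains = {d.lower().rstrip(".") for d in dga_domains}
        self.sinkhole_ip = sinkhole_ip
        self.redirects: List[SinkholeEvent] = []

    def answer(self, ts: float, client_ip: str, qname: str,
               upstream_ip: Optional[str]) -> Optional[str]:
        """A record the client receives: the sinkhole for DGA names, whether upstream
        answered or returned NXDOMAIN; otherwise the upstream answer (None = NXDOMAIN)."""
        name = qname.lower().rstrip(".")
        if name in self.dga_domains:
            self.redirects.append(SinkholeEvent(ts, client_ip, name))
            return self.sinkhole_ip
        return upstream_ip


@dataclass
class Flow:
    ts: float
    src_ip: str
    dst_ip: str
    dst_port: int


def attribute_connections(sink: Sinkhole, flows, max_gap: float = 30.0
                          ) -> List[Tuple[float, str, int, Optional[str]]]:
    """Log every connection to the sinkhole and attribute it to the latest redirected
    lookup from the same host within max_gap seconds (None when there was none)."""
    by_host: Dict[str, List[SinkholeEvent]] = defaultdict(list)
    for ev in sorted(sink.redirects, key=lambda e: e.ts):
        by_host[ev.client_ip].append(ev)
    log = []
    for f in sorted(flows, key=lambda f: f.ts):
        if f.dst_ip != sink.sinkhole_ip:
            continue
        domain = None
        for ev in reversed(by_host.get(f.src_ip, [])):
            if ev.ts <= f.ts <= ev.ts + max_gap:
                domain = ev.qname
                break
        log.append((f.ts, f.src_ip, f.dst_port, domain))
    return log


def infected_hosts_report(log) -> Dict[str, dict]:
    """Per-host summary for reporting: attempts, first seen, ports and DGA domains."""
    report: Dict[str, dict] = {}
    for ts, src, port, domain in log:
        r = report.setdefault(src, {"attempts": 0, "first_seen": ts,
                                    "ports": set(), "domains": set()})
        r["attempts"] += 1
        r["first_seen"] = min(r["first_seen"], ts)
        r["ports"].add(port)
        if domain:
            r["domains"].add(domain)
    return report


# Constructed data: domains the signature flagged, lookups seen at the device
# (ts, client, name, upstream answer or None for NXDOMAIN), and connection flows.
DGA_DOMAINS = ["xkqjwvr.com", "pzmtqla.com"]
sink = Sinkhole(DGA_DOMAINS)
LOOKUPS = [(200.0, "10.0.0.5", "xkqjwvr.com", "198.51.100.9"),   # now registered upstream
           (203.0, "10.0.0.5", "pzmtqla.com", None),             # still NXDOMAIN upstream
           (202.0, "10.0.0.7", "example.com", "198.51.100.20")]
ANSWERS = [sink.answer(*lookup) for lookup in LOOKUPS]
FLOWS = [Flow(201.0, "10.0.0.5", SINKHOLE_IP, 443),
         Flow(204.0, "10.0.0.5", SINKHOLE_IP, 443),
         Flow(205.0, "10.0.0.7", "198.51.100.20", 443),
         Flow(260.0, "10.0.0.9", SINKHOLE_IP, 22)]   # no preceding lookup: unattributed

if __name__ == "__main__":
    for host, r in infected_hosts_report(attribute_connections(sink, FLOWS)).items():
        print(host, r)
```

The sinkhole answers even when the upstream resolver still returns NXDOMAIN for the generated name: that is what turns a host's next connection attempt into evidence, since the infected host now reaches an address the security device controls. Connections to the sinkhole with no preceding redirected lookup from that host (the 10.0.0.9 flow here) are still logged but left unattributed rather than guessed.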
16.	(Previously Presented)	A method of Domain Generation Algorithm (DGA) behavior detection, comprising:
receiving passive Domain Name System (DNS) data that comprises a plurality of DNS responses at a security device; and 
applying a signature to the passive DNS data to detect DGA behavior using a processor of the security device, wherein applying the signature to the passive DNS data to detect DGA behavior further comprises:
parsing each of the plurality of DNS responses to determine whether one or more of the plurality of DNS responses correspond to a non-existent domain (NXDOMAIN) response; and 
determining whether a threshold number of NXDOMAIN responses is received at the security device within a predetermined period of time, comprising:
performing one or more of the following:
A)	in response to a determination that a DNS response corresponds to a NXDOMAIN response:
determining whether a domain name that was queried relating to the DNS response is on a list of known or approved dynamic DNS; and
in response to a determination that the domain name that was queried relating to the DNS response is on the list of known or approved dynamic DNS, omitting to add the DNS response to the NXDOMAIN responses;
B)	in response to a determination that a DNS response corresponds to a NXDOMAIN response:
determining whether a host name portion of a domain name that was queried relating to the DNS response can be broken into a plurality of known dictionary words; and 
in response to a determination that the host name portion of the domain name that was queried relating to the DNS response can be broken into the plurality of known dictionary words, adding the DNS response to the NXDOMAIN responses; and/or
C)	in response to a determination that a DNS response corresponds to a NXDOMAIN response:
determining whether a domain name associated with the DNS response only includes two segments, the two segments including a hostname and a top level domain; and
in response to a determination that the domain name associated with the DNS response does not only include two segments, omitting to add the DNS response to the NXDOMAIN responses.
17.	(Original)	The method of claim 16, wherein the signature comprises an Intrusion Prevention System (IPS) signature.  
18.	(Original)	The method of claim 16, wherein the NXDOMAIN response is in response to a DNS query from a host device for an NXDOMAIN, and wherein the NXDOMAIN response includes a destination IP address that corresponds to the host device.  
19.	(Original)	The method of claim 16, wherein a plurality of NXDOMAIN responses are received at the security device, and wherein one or more distinct host devices are determined based on distinct IP addresses associated with one or more of the plurality of NXDOMAIN responses received at the security device.  
20.	(Currently Amended)	A computer program product for Domain Generation Algorithm (DGA) behavior detection, the computer program product being embodied in a tangible non-transitory computer readable storage medium and comprising computer instructions for:
receiving passive Domain Name System (DNS) data that comprises a plurality of DNS responses at a security device; and 
applying a signature to the passive DNS data to detect DGA behavior, wherein applying the signature to the passive DNS data to detect DGA behavior further comprises:
parsing each of the plurality of DNS responses to determine whether one or more of the plurality of DNS responses correspond to a non-existent domain (NXDOMAIN) response; and
determining whether a threshold number of NXDOMAIN responses is received at the security device within a predetermined period of time, comprising:
performing one or more of the following:
A)	in response to a determination that a DNS response corresponds to a NXDOMAIN response:
determining whether a domain name that was queried relating to the DNS response is on a list of known or approved dynamic DNS; and
in response to a determination that the domain name that was queried relating to the DNS response is on the list of known or approved dynamic DNS, omitting to add the DNS response to the NXDOMAIN responses;
B)	in response to a determination that a DNS response corresponds to a NXDOMAIN response:
determining whether a host name portion of a domain name that was queried relating to the DNS response can be broken into a plurality of known dictionary words; and 
in response to a determination that the host name portion of the domain name that was queried relating to the DNS response can be broken into the plurality of known dictionary words, adding the DNS response to the NXDOMAIN responses; and/or
C)	in response to a determination that a DNS response corresponds to a NXDOMAIN response:
determining whether a domain name associated with the DNS response only includes two segments, the two segments including a hostname and a top level domain; and
in response to a determination that the domain name associated with the DNS response does not only include two segments, omitting to add the DNS response to the NXDOMAIN responses.
21.	(Previously Presented)	The system recited in claim 1, wherein the determining of whether the threshold number of NXDOMAIN responses is received at the security device within the predetermined period of time comprises to:
perform two or more of the following:
A)	in response to a determination that a DNS response corresponds to a NXDOMAIN response:
determine whether a domain name that was queried relating to the DNS response is on a list of known or approved dynamic DNS; and
in response to a determination that the domain name that was queried relating to the DNS response is on the list of known or approved dynamic DNS, omit adding the DNS response to the NXDOMAIN responses;
B)	in response to a determination that a DNS response corresponds to a NXDOMAIN response:
determine whether a host name portion of a domain name that was queried relating to the DNS response can be broken into a plurality of known dictionary words; and 
in response to a determination that the host name portion of the domain name that was queried relating to the DNS response can be broken into the plurality of known dictionary words, adding the DNS response to the NXDOMAIN responses; and/or
C)	in response to a determination that a DNS response corresponds to a NXDOMAIN response:
determine whether a domain name associated with the DNS response only includes two segments, the two segments including a hostname and a top level domain; and
in response to a determination that the domain name associated with the DNS response does not only include two segments, omit adding the DNS response to the NXDOMAIN responses.
22.	(Previously Presented)	The system recited in claim 1, wherein the determining of whether the threshold number of NXDOMAIN responses is received at the security device within the predetermined period of time comprises to:
perform the following:
A)	in response to a determination that a DNS response corresponds to a NXDOMAIN response:
determine whether a domain name that was queried relating to the DNS response is on a list of known or approved dynamic DNS; and
in response to a determination that the domain name that was queried relating to the DNS response is on the list of known or approved dynamic DNS, omit adding the DNS response to the NXDOMAIN responses;
B)	in response to a determination that a DNS response corresponds to a NXDOMAIN response:
determine whether a host name portion of a domain name that was queried relating to the DNS response can be broken into a plurality of known dictionary words; and 
in response to a determination that the host name portion of the domain name that was queried relating to the DNS response can be broken into the plurality of known dictionary words, adding the DNS response to the NXDOMAIN responses; and
C)	in response to a determination that a DNS response corresponds to a NXDOMAIN response:
determine whether a domain name associated with the DNS response only includes two segments, the two segments including a hostname and a top level domain; and
in response to a determination that the domain name associated with the DNS response does not only include two segments, omit adding the DNS response to the NXDOMAIN responses.
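The NXDOMAIN-counting signature recited in claims 1, 16 and 20 through 22, with filters A (approved dynamic DNS omitted), B (hostname made of dictionary words counted) and C (only hostname.tld names counted), worked through over constructed passive DNS responses as an added example for this page. This is illustrative code, not the applicant's implementation. The dynamic-DNS list, the dictionary, the threshold of 5 counted responses in a 60-second window, the per-host sliding window keyed by the response's destination IP (as in claims 3 and 4), and the sample responses are all assumptions. Two points the claims leave open are settled here by assumption, and marked as such in the code: filter C counts labels, so a name under a two-part public suffix such as co.uk would be treated as three segments, and an NXDOMAIN whose hostname is not dictionary words is counted by default, since filter B as claimed only states the case where it is.

```python
"""NXDOMAIN-burst DGA detection over passive DNS responses.
Added illustration for this page; not the applicant's code."""
from collections import defaultdict, deque
from dataclasses import dataclass
from functools import lru_cache
from typing import Deque, Dict, List, Optional, Tuple


@dataclass
class DnsResponse:
    ts: float        # arrival time at the security device, seconds
    client_ip: str   # destination IP of the response, i.e. the querying host
    qname: str       # queried domain name
    rcode: str       # "NOERROR", "NXDOMAIN", ...


# Assumed lists; a deployment would load a dynamic-DNS feed and a real wordlist.
APPROVED_DYNDNS = {"no-ip.org", "dyndns.org", "duckdns.org"}
DICTIONARY = {"secure", "update", "cloud", "mail", "service", "login", "bank", "news"}


def labels(qname: str) -> List[str]:
    return [l for l in qname.rstrip(".").lower().split(".") if l]


def on_approved_dyndns(qname: str) -> bool:
    """Filter A: the queried name is under a known/approved dynamic-DNS domain."""
    ls = labels(qname)
    return any(".".join(ls[i:]) in APPROVED_DYNDNS for i in range(len(ls)))


def dictionary_words(hostname: str) -> Optional[List[str]]:
    """Filter B: segment the host label into dictionary words (word-break search
    with memoisation); None when no complete segmentation exists."""
    @lru_cache(maxsize=None)
    def solve(i: int) -> Optional[Tuple[str, ...]]:
        if i == len(hostname):
            return ()
        for j in range(i + 1, len(hostname) + 1):
            if hostname[i:j] in DICTIONARY:
                rest = solve(j)
                if rest is not None:
                    return (hostname[i:j],) + rest
        return None
    seg = solve(0)
    return None if seg is None else list(seg)


def two_segments_only(qname: str) -> bool:
    """Filter C: exactly hostname.tld.  Assumption: single-label TLDs, so a name
    under a two-part public suffix such as co.uk is treated as three segments."""
    return len(labels(qname)) == 2


def classify(resp: DnsResponse) -> Tuple[bool, str]:
    """Decide whether a response is added to the NXDOMAIN tally, and why."""
    if resp.rcode != "NXDOMAIN":
        return False, "not NXDOMAIN"
    if on_approved_dyndns(resp.qname):
        return False, "A: approved dynamic DNS"
    if not two_segments_only(resp.qname):
        return False, "C: not hostname.tld"
    words = dictionary_words(labels(resp.qname)[0])
    if words:
        return True, "B: dictionary words " + "+".join(words)
    return True, "random-looking hostname"   # assumption: counted by default


class NxdomainSignature:
    """Fires when one host draws >= threshold counted NXDOMAIN responses within
    `window` seconds; sliding window per client IP, reset after each alert."""

    def __init__(self, threshold: int = 5, window: float = 60.0):
        self.threshold, self.window = threshold, window
        self.recent: Dict[str, Deque[Tuple[float, str]]] = defaultdict(deque)

    def feed(self, resp: DnsResponse) -> Optional[List[str]]:
        counted, _why = classify(resp)
        if not counted:
            return None
        q = self.recent[resp.client_ip]
        q.append((resp.ts, resp.qname))
        while q and resp.ts - q[0][0] > self.window:
            q.popleft()
        if len(q) >= self.threshold:
            names = [n for _, n in q]
            q.clear()
            return names
        return None


def run(responses) -> Dict[str, List[str]]:
    """Replay responses in time order; return {client_ip: domains that fired}."""
    sig, alerts = NxdomainSignature(), defaultdict(list)
    for r in sorted(responses, key=lambda r: r.ts):
        hit = sig.feed(r)
        if hit:
            alerts[r.client_ip].extend(hit)
    return dict(alerts)


# Constructed sample traffic, not a real capture.
SAMPLE = (
    [DnsResponse(100 + 3 * i, "10.0.0.5", h + ".com", "NXDOMAIN") for i, h in
     enumerate(["xkqjwvr", "pzmtqla", "bwoqzzi", "securemail", "hqlvnay", "tjrkpoe"])]
    + [DnsResponse(105, "10.0.0.7", "camera.no-ip.org", "NXDOMAIN"),          # A: omitted
       DnsResponse(106, "10.0.0.7", "old.intranet.example.com", "NXDOMAIN"),  # C: omitted
       DnsResponse(107, "10.0.0.7", "typo-site.net", "NXDOMAIN"),             # counted, but alone
       DnsResponse(108, "10.0.0.7", "example.com", "NOERROR")]
)

if __name__ == "__main__":
    for ip, names in run(SAMPLE).items():
        print("DGA behaviour from %s: %s" % (ip, names))
```

Filters A and C are applied before B so that an approved dynamic-DNS name or a multi-label internal name never reaches the dictionary check. The window is per host rather than global, because a single infected machine issuing a burst of lookups is the behaviour the signature is after, and a handful of unrelated typos across many hosts should not add up to an alert.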
/ELLEN TRAN/Primary Examiner, Art Unit 2433