DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This action is in response to communication filed 12/28/2020. Claims 1, 12 and 20 are amended and claim 22 is newly added. Claims 1-22 are pending.

Response to Arguments
35 U.S.C. 101 Rejection:
In response to corrective amendments to claim 12, the 101 rejection of claims 12-19 is withdrawn.

35 U.S.C. 103 Rejection:
Applicant’s arguments with respect to claim(s) 1-22 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Examiner’s Note
After reviewing the new prior art(s) (both relied upon in the rejection as follows and suggested as pertinent in the conclusion paragraph), Applicant is encouraged to request an interview if they believe a proposed amendment, such as amending to include limitations from specifications, combined features from dependent claims or a combination of the two, would overcome the outstanding rejection and would further render the scope of the claims non-obvious.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-22 are rejected under 35 U.S.C. 103 as being unpatentable over Yan, US2014/0215628 A1 in view of Zoldi, US2015/0195299A1.

Per claim 1, Yan discloses a method for monitoring security of a computer network, the method comprising: 
identifying one or more attempted accesses from the computer network to respective Internet-resource identifiers in an external network by respective computing devices comprised within the computer network, each of the Internet-resource identifiers having a respective Internet-resource-identifier rating that reflects a likelihood that one of a plurality of the Internet-resource identifiers is malicious, wherein the Internet-resource-identifier rating is an integer value, and each of the computing devices having a respective device rating that reflects a likelihood that the computing device is infected by malware, wherein the device rating is an integer value (i.e., At step 202, client request log data is accessed.  The log may include a table of DNS requests in one example.  The table may include for each DNS request, the Yan: par. 0021 and Fig. 1 – Note: the rating being an integer value is not grounds for novelty unless it is shown how it is material to the way the instant invention functions. Absent such emphasis, all security ratings/rankings are read as equivalents); 
updating one or more of the device rating of a respective one of the computing devices when the respective one of the computing devices attempts to access one of the plurality of Internet resources, wherein the updated device rating is based on the Internet-resource-identifier rating associated with the Internet resource identifier (The classification of known domains may be used to generate security rankings for the plurality of clients…At step 406, the security rank engine generates updated client security rankings using the security ranking of each domain associated with the client - Yan: par. 0044 and 0050 – Fig. 3, step 406), and 
updating one or more of the Internet-resource-identifier rating of a respective one of the Internet resource identifiers when a respective one the computing devices attempts to access the respective one of the Internet resource identifiers, wherein the updated Internet resource identifier rating is based on the device rating associated with the respective one of the computing devices (Security rank engine 372 generates security rankings and domain classifications using the log of client DNS requests from subscriber database 350 in one embodiment.  The -Yan: par. 0044 and 0053 - Fig. 3, step 408), although Yan discloses a scale of -10 to 10, wherein the security rankings initialized to -10 indicates the lowest (blacklisted) security ranking, 0 indicates unknown security ranking and 10 indicates the highest (whitelisted) security ranking and therefore implies exclusion of a whitelisted security ranking, Yan is not relied on to explicitly disclose, but Yan in view of Zoldi discloses wherein the Internet-resource identifier rating of the respective one of the Internet resource identifiers is not assigned if the respective Internet-resource identifier is known to be non-malicious (When an internal computer behaves suspiciously, the monitoring system sends alerts to the network administrators within the appropriate organization.  Cases are sets of DNS messages that are grouped by profile entity (e.g., source IP, internet clique, etc.).  Administrators can interact with cases specific to their own organization via a case manager, and can label or designate which query names or resolved IP addresses are potentially part of a botnet and which query names are false positives (legitimate domains or host names that scored high because of behavior similar to botnet behavior). [0039] The labeled and unlabeled data sets collected within the cloud-based monitoring system are periodically processed by a batch processing engine, such as  – Zoldi: par. 0038-0039); and 
Yan in view of Zoldi further discloses in response to at least one of the device ratings and Internet-resource-identifier ratings, ascertaining that the security of the computer network has been compromised, and generating an output in response thereto (Steps 406 and 408 can be performed in any order and apply the recursive definitions to calculate the security rankings based on the reciprocal nature of the client domain connections.  Reciprocal connections are defined between the clients and domains so that the security rankings of the two are correlated.  A first iteration of steps 406 to 408 updates the initial security rankings of each client and domain established at step 404 using these definitions.  In this manner, a client or domain security ranking at time t+1 is based on the security rankings of each associated client or domain at time t - Yan: par. 0056).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Yan in view of Zoldi to include updating one or more of the Internet-resource-identifier rating of a respective one of the Internet resource identifiers when a respective one the computing devices attempts to access the respective one of the Internet resource identifiers, wherein the updated Internet resource identifier rating is based on the device rating associated with the respective one of the computing devices, wherein the Internet-resource identifier rating of the respective one of the Internet resource identifiers is not assigned if the respective Internet-resource identifier is known to be non-malicious.
One of ordinary skill in the art would have been motivated because it would allow improving “model scoring so that suspicious query names score higher, and false positives  – Zoldi: par. 0039.

Per claim 12, it recites an apparatus for monitoring security of a computer network, the apparatus comprising: a network interface; and a processor (Network(s) 302 and 310 can include any combination of local area networks, wide area networks (WAN), the Internet, and/or any other network.  The recursive DNS clusters can vary by implementation and include any suitable computing system such as a server, group, grid, or distributed platform of computer systems configured to respond to requests for domain name information.  While the cluster in FIG. 2 is depicted with multiple recursive DNS nameservers, other embodiments may include a single computing system within a cluster such as a single server.  The individual recursive nameservers in a cluster can be formed of hardware and/or software configured as described for domain name resolution.  By way of non-limiting example, the various nameservers can include personal computers, servers, workstations, mainframes, etc. - Yan: par. 0030 and 0083).
Therefore, claim 12 is rejected based on the same analysis and motivation to combine as set forth in the rejection of claim 1.

Per claim 20, it recites a computer software product comprising a tangible non-transitory computer-readable medium in which program instructions are stored (Processor 80 may contain a single microprocessor, or may contain a plurality of microprocessors for configuring the Yan: par. 0083).
Therefore, claim 20 is rejected based on the same analysis and motivation to combine as set forth in the rejection of claim 1.

Per claim 2, Yan in view of Zoldi discloses features according to claim 1, wherein the Internet-resource identifiers include one or more domain names, each of the domain names having a respective domain-name rating that reflects a likelihood that the domain name is malicious (If a domain's security ranking is below a threshold, it can be classified as a domain associated with malware, a so-called bad domain.  If the domain's security ranking is above a threshold, it can be classified as a clean or trusted domain.  If a domain's security ranking does not exceed any defined threshold, it can remain unclassified or unknown - Yan: 0019 and Fig. 5 showing the mapped output value for domains).

Per claims 3 and 13, Yan in view of Zoldi discloses features according to claims 1 and 12, wherein ascertaining that the security of the computer network has been compromised (Steps 406 and 408 can be performed in any order and apply the recursive definitions to calculate the security rankings based on the reciprocal nature of the client domain connections.  Reciprocal connections are defined between the clients and domains so that the security rankings of the two are correlated.  A first iteration of steps 406 to 408 updates the initial security rankings of each client and domain established at step 404 using these definitions.  In this manner, a client or domain security ranking at time t+1 is based on the security rankings of each associated client or domain at time t -Yan: par. 0056).

Per claims 4 and 14, Yan in view of Zoldi discloses features according to claims 3 and 13, wherein the output inhibits access from the computer network to the malicious Internet-resource identifier (If the domain name information contains a flag indicating that the requested domain should be proxied or blocked, the DNS nameserver issues a DNS response at step 514 with domain name information for the block page service 336 at web server 334.  If the domain is not to be blocked or proxied for the subscriber's network, the DNS nameserver issues a DNS response at step 516 with domain name information for the requested domain -Yan: par. 0078-0079 – Fig. 6).

(FIG. 6 includes using the domain classifications generated at step 216 of FIG. 1.  At step 502, a DNS nameserver 332 receives a request for domain name information from a client device 312.  In this example, it is assumed that the client device 312 is part of a subscriber network, and thus, that a unique IP address distinguishing the client device from another client device cannot be obtained.  At step 504, the DNS nameserver determines a subscriber identifier associated with the DNS request.  In one example, the DNS nameserver parses the DNS request for the source IP address which is used as the subscriber identifier.  At step 506, the DNS nameserver uses the subscriber identifier to obtain a corresponding network record from database 350.  At step 508, the DNS nameserver obtains the requested domain name information.  Step 508 may include determining the domain in the request for domain name information and checking cache 340 for a domain name record corresponding to the requested domain.  If the cache contains a domain name record for the requested domain and the record is not expired, the DNS nameserver obtains the cached domain name record…After obtaining the domain name information, the DNS nameserver determines whether there are any flags associated with the requested domain and if so, correlates the flags with the preferences in the network record 352 at step 510.  Step 510 can include determining if the domain information includes a flag indicating that a domain is associated with malware as determined by security rank engine 372 in one embodiment.  Step 510 includes determining  - Yan: par. 0076-0078 – Note: correlation at step 510 is dependent on both updated subscriber information and updated domain information).   

Per claims 6 and 16, Yan in view of Zoldi discloses features according to claims 5 and 15, wherein the output reports the malware to anti-malware software (In one example, the DNS nameserver provides the client device with domain name information associated with block page service 362 on web server 360.  In response to the client device's resource request, the block page service can provide a block or landing page to the client device, for example, informing the user that the requested domain is not accessible on their network.  The block or landing page refers generally to any resource or information provided by the block page service in response to a request for a target domain that is not an actual resource provided by the target domain - Yan: par. 0041 – per Fig. 5., block 512 “If the domain name information contains a flag indicating that the requested domain should be proxied or blocked, the DNS nameserver issues a DNS response at step 514 with domain name information for the block page service 336 at web server 334” - par. 0079, wherein block page service 336 at a web server 334 is read as anti-malware software).

(The log may include a table, database or other storage mechanism with entries listing a source IP address or other client identifier of the client issuing a request and a target domain for the client's request… Each entry in the log includes a client identifier and a domain identifier for a DNS request or resource request that was received at DNS cluster 330.  The client identifier CID identifies the source of the request, for example the source IP address.  The domain identifier DID identifies the target of the request, for example the target domain name… in one embodiment, step 404 includes setting all client security rankings to a starting value (e.g., 0 in a scale of -10 to 10).  Step 404 can also include setting all domain security rankings to a starting value.  Step 404 may also include providing an initial security ranking for one or more domains based on an existing or predetermined classification.  For example, domains on a block list associated with malware may be given a starting value equal to the lowest security ranking… At step 406, the security rank engine generates updated client security rankings using the security ranking of each domain associated with the client… At step 408, the security rank engine generates updated domain security rankings using the security ranking of each client associated with the domain - Yan: par. 0047-0050 and 0053).
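The iterative ranking described in the cited Yan paragraphs (initialization at step 404, client update at step 406, domain update at step 408, classification by threshold as in par. 0019), as an added example that is not part of this Office action or of Yan. The averaging rule, the thresholds of -5 and 5, the iteration count, and the sample log and domain names are assumptions made for illustration.

```python
from collections import defaultdict

# Scale quoted in the Office action: -10 lowest (block-listed), 0 unknown, 10 highest.
LOW, UNKNOWN, HIGH = -10.0, 0.0, 10.0

# Constructed sample log: one (client identifier, domain identifier) pair per DNS request.
SAMPLE_LOG = [
    ("10.0.0.1", "bad.example"), ("10.0.0.1", "dga-xyz.example"),
    ("10.0.0.2", "bad.example"), ("10.0.0.2", "dga-xyz.example"),
    ("10.0.0.3", "news.example"), ("10.0.0.3", "cdn.example"),
    ("10.0.0.4", "news.example"), ("10.0.0.4", "cdn.example"),
    ("10.0.0.5", "rare.example"),
]
BLOCK_LIST = {"bad.example"}    # constructed: domains known to be associated with malware
ALLOW_LIST = {"news.example"}   # constructed: domains known to be non-malicious


def _mean(values):
    values = list(values)
    return sum(values) / len(values)


def rank(log, block_list, allow_list, iterations=5):
    """Return (client_rank, domain_rank) after `iterations` rounds of updates.

    Assumption: a rank is the plain average of the ranks on the other side of
    the client/domain graph. The page does not give Yan's actual formula.
    """
    clients_of = defaultdict(set)   # domain -> clients that requested it
    domains_of = defaultdict(set)   # client -> domains it requested
    for cid, did in log:
        clients_of[did].add(cid)
        domains_of[cid].add(did)

    # Step 404: starting values. Listed domains keep a fixed (pinned) rank.
    pinned = {d: LOW for d in block_list}
    pinned.update({d: HIGH for d in allow_list})
    domain_rank = {d: pinned.get(d, UNKNOWN) for d in clients_of}
    client_rank = {c: UNKNOWN for c in domains_of}

    for _ in range(iterations):
        # Step 406: client rank at t+1 from the ranks of its domains at t.
        new_client = {c: _mean(domain_rank[d] for d in ds)
                      for c, ds in domains_of.items()}
        # Step 408: domain rank at t+1 from the ranks of its clients at t.
        new_domain = {d: pinned[d] if d in pinned
                      else _mean(client_rank[c] for c in cs)
                      for d, cs in clients_of.items()}
        client_rank, domain_rank = new_client, new_domain
    return client_rank, domain_rank


def classify(score, bad_below=-5.0, good_above=5.0):
    """Threshold classification; the threshold values are assumed."""
    if score < bad_below:
        return "malware"
    if score > good_above:
        return "trusted"
    return "unknown"


if __name__ == "__main__":
    clients, domains = rank(SAMPLE_LOG, BLOCK_LIST, ALLOW_LIST)
    for name, score in sorted(domains.items()):
        print(f"{name:18} {score:6.2f} {classify(score)}")
    for name, score in sorted(clients.items()):
        print(f"{name:18} {score:6.2f}")
```

The unlisted domain requested only by clients that also request the block-listed domain drifts toward -10, while a domain seen only from a client with no other history stays at 0 and remains unclassified.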


ascertaining that in a first one of the attempted accesses, a first one of the computing devices attempted to access a particular one of the Internet-resource identifiers, and in response thereto, updating the Internet-resource-identifier rating of the particular one of the Internet-resource identifiers, and wherein updating the one or more of the device ratings comprises: ascertaining that in a second one of the attempted accesses, a second one of the computing devices attempted to access the particular one of the Internet-resource identifiers, and in response thereto, updating the device rating of the second one of the computing devices (Steps 406 and 408 can be performed in any order and apply the recursive definitions to calculate the security rankings based on the reciprocal nature of the client domain connections.  Reciprocal connections are defined between the clients and domains so that the security rankings of the two are correlated.  A first iteration of steps 406 to 408 updates the initial security rankings of each client and domain established at step 404 using these definitions.  In this manner, a client or domain security ranking at time t+1 is based on the security rankings of each associated client or domain at time t - Yan: par. 0056 and Fig. 3 – Note: after a first one of access attempts, clients’ security ranking is labeled based on their association with one or more known bad domain(s), unless the one or more known bad domain(s) is determined as unlabeled as disclosed by Yan in view of Zoldi. Therefore, when clients with labeled security ranking attempt accessing one or more second domain(s) with an unknown security ranking, such attempt will result in updating a security ranking of one or more second domain(s) as also being associated with malware, or are so-called bad domains.  Here, the second 
Also, claims 8 and 18 are rejected based on the same analysis as set forth in the rejection of claim 11 and based on the same motivation to combine set forth in the rejection of claim 1.

Per claims 9 and 19, Yan in view of Zoldi discloses features according to claims 8 and 18, respectively, wherein updating the device rating of the second one of the computing devices is further in response to the updated Internet-resource-identifier rating of the particular one of the Internet-resource identifiers, and wherein the second one of the attempted accesses is subsequent to the first one of the attempted accesses (Steps 406 and 408 can be performed in any order and apply the recursive definitions to calculate the security rankings based on the reciprocal nature of the client domain connections.  Reciprocal connections are defined between the clients and domains so that the security rankings of the two are correlated.  A first iteration of steps 406 to 408 updates the initial security rankings of each client and domain established at step 404 using these definitions.  In this manner, a client or domain security ranking at time t+1 is based on the security rankings of each associated client or domain at time t - Yan: par. 0056 – Fig. 3, wherein the order of performing 406 and 408 is 

Per claim 10, Yan in view of Zoldi discloses features according to claim 8, wherein the second one of the attempted accesses is prior to the first one of the attempted accesses (the system correlates the security reputations of domains and clients to develop domain classifications for unknown domains.  For example, the system may examine the network request behavior of clients with respect to unknown domains and domains that are known to be associated with malware, for example due to their presence on a block list.  The system develops a security ranking for each client based on its request behavior with respect to the known and unknown domains.  Generally, a client that requests a known bad domain has its security ranking lowered.  Using the security rankings of the clients, the system can determine security rankings of the unknown domains.  For example, a list of clients associated with network requests for a particular domain can be generated.  The security ranking of each client on the list can be used to develop a security ranking for the unknown domain.  If a domain's security ranking is below a threshold, it can be classified as a domain associated with malware, a so-called bad domain - Yan: par. 0019).

Per claim 11, Yan in view of Zoldi discloses features according to claim 1, wherein updating the one or more of the device ratings comprises: 
(the system correlates the security reputations of domains and clients to develop domain classifications for unknown domains.  For example, the system may examine the network request behavior of clients with respect to unknown domains and domains that are known to be associated with malware, for example due to their presence on a block list.  The system develops a security ranking for each client based on its request behavior with respect to the known and unknown domains.  Generally, a client that requests a known bad domain has its security ranking lowered.  Using the security rankings of the clients, the system can determine security rankings of the unknown domains.  For example, a list of clients associated with network requests for a particular domain can be generated.  The security ranking of each client on the list can be used to develop a security ranking for the unknown domain.  If a domain's security ranking is below a threshold, it can be classified as a domain associated with malware, a so-called bad domain - Yan: par. 0019 – Note: after a first one of access attempts, clients’ security ranking is labeled based on their association with one or more known bad domain(s), unless the one or more known bad domain(s) is determined as unlabeled as disclosed by Yan in view of Zoldi. 
Also, claim 11 is rejected based on the same analysis as set forth in the rejection of claims 8 and 18 and based on the same motivation to combine set forth in the rejection of claim 1.

Per claim 21, Yan discloses the method according to claim 1, further comprising updates the device rating and the Internet-resource-identifier rating according to a feedback loop, whereby the device rating is updated in response to the Internet-resource-identifier rating, and whereby the Internet-resource-identifier rating is updated in response to the device rating (Yan: Fig. 3 – blocks 406-410).
Therefore, claim 21 is rejected based on the same analysis and motivation to combine as set forth in the rejection of claim 1.


Per claim 22, Yan discloses the apparatus of claim 12, wherein the hardware processor comprises a programmed digital computing device comprising a central processing unit (CPU), random access memory (RAM), non-volatile secondary storage, and a network interface (Processor 80 may contain a single microprocessor, or may contain a plurality of microprocessors for configuring the computer system as a multiprocessor system.  Memory 82 stores instructions and data for programming processor 80 to implement the technology described herein.  In one embodiment, memory 82 may include banks of dynamic random access memory, high speed cache memory, flash memory, other nonvolatile memory, and/or other storage elements.  Mass storage device 84, which may be implemented with a magnetic disc drive or optical disc drive, is a nonvolatile storage device for storing data and code.  In one embodiment, mass storage device 84 stores the system software that programs processor 80 to implement the technology described herein - Yan: par. 0083).


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.

Bernstein (US9497206B1) discloses building a model of normal behavior from tree data structure nodes assigned respective ripeness scores within a specified range of ripeness scores and excluding from said tree data structure nodes with assigned respective ripeness score outside said specified range.
Mahjoub (US2017/0041333A1) discloses techniques for classifying domains based on DNS traffic so that domains that are malicious or associated with malicious activity can be identified, wherein (activity) spikes are identified that are associated with a legitimate (e.g., benign and uncompromised) domain, i.e., the DNS traffic for this domain includes frequent spikes over time but is not typically associated with malicious domains.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AREZOO SHERKAT whose telephone number is (571)272-8533.  The examiner can normally be reached on Monday - Friday 8:30-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on 571 - 272 - 3811.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/AREZOO SHERKAT/
Examiner, Art Unit 2434

/KAMBIZ ZAND/
Supervisory Patent Examiner, Art Unit 2434