DETAILED ACTION
1.	Notice of Pre-AIA  or AIA  Status:  The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

2.	Claims 1-30 are presented for examination. 
3.	Claims 3, 4, 5, 13, 14, 15, 18, 19 and 20 have been canceled, and claims 1, 11 and 16 have been amended.

4.	This Office Action is in response to Applicant’s claim amendments and remarks filed on February 16, 2021.

5.	This Office Action is non-final due to a new 35 USC 101 rejection (software per se).  Upon Applicant overcoming the 35 USC 101 rejection (software per se type), then the prior art, either singularly or in combination fails to anticipate or render obvious the present invention

6.	Application 16/399252 was filed on April 20, 2019.

Claim Interpretations

7.	Claim 1 recites “data driven model of the DNS related.”  Instant specification [0024] states “techniques for smart whitelisting for DNS security generate a statistical model that combines a ranking of domains, threat indicators [] and a historical perspective to adjust the whitelist based on threat and customer impact,” [0027] states “techniques for smart whitelisting for DNS security to 

8.	Claim 1 recites “generate a whitelist using [] event data and [] threat data.”  Instant specification [0013] states “a blacklist (e.g., also referred to as a block list) generally refers to an access control mechanism that can be applied to, for example, URLs, domain names, IP addresses, and/or other names/addresses [] 

9.	Claim 1 recites “DNS related threat data.”  Specification [0018] states “threat indicator lists”, [0020] states “smart whitelisting for DNS security”, “data includes Doman Name System (DNS) related event data”, “the whitelist includes [] the DNS related threat data,” [0021] states “the set of network related threat data includes DNS related threat data (e.g., a DNS threat feed, such as a general DNS threat feed, a DNS threat feed that is associated with a first enterprise network, and/or a DNS threat feed that is associated with a first vertical)”, [0083] [0087] state “for example, the set of network related thread data can include DNS related threat data, such as DNS threat feed, including a general DNS threat feed, a DNS threat feed that is associated with a first enterprise network.”  Based on the specification, the recited “DNS related threat data” can be interpreted as any DNS threat and/or DNS-based threat.  And, the recited “DNS related thread data for a first enterprise network” can be interpreted as any DNS threat and/or 

10.	Claim 5 recites “a DNS threat feed that is automatically filtered to determine a popularity of network domains associated with malware.”  Specification [0022] states “the DNS related event data is automatically filtered using a classifier to exclude one or more network domains associated with malware; and outputting the smart whitelist to a network device for filtering DNS requests using the smart whitelist,” [0025] states “using active threat indicators as a probabilistic measure of how popular cyber threats may become in DNS by considering the popularity of domains and using the most popular threat domain as a high watermark at a given point in time,” and [0026] states “blocking a domain based on its popularity within the dataset” and “whitelisting a domain that is malicious, based on popularity,” [0034] states “a popularity of the threats is determined based on event data 108 and domain popularity over a time period,” [0040] states “smart whitelists are created from data based on popularity over a period of time,” and  [0042] states “the ranks for popular domains that contain threat indicators are recorded to be used in a future dynamic model for smartlisting.”  Based on the many different specification explanations regarding “determining popularity of network domains,” the explanation stated in [0028] “popular domains that contain threat indicators” best clarifies the broader version of “determining a popularity” and “associated with malware.”  This explanation/interpretation is applied to all the claims.  Typically, a “popular” concept is often applied to goodness and not to 

Claim Rejections - 35 USC § 101
11.         35 U.S.C. § 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.



12.       Claims 16, 17 and 26-30 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. See MPEP § 2106.01.

Claim 16 recites "a computer program product, the computer program product being embodied on a non-stationary tangible computer readable storage medium” and claim 17 recites “the computer program product recited in claim 16.”  Claims 16 and 17 clearly recite that claim 16 is a “program” type claim where the recited “program” is software, per se.  A computer program product, where “program” indicates software is not tangible since it does not fall into the statutory categories of "process", "machine", "manufacture" and "composition of matter".  Applicant to either 1) change claim 17 to a non-transitory tangible 

Claims 17 and 26-30 also fail to recite any language that clearly signify that the recited “computer program product" is a tangible embodiment, and not a transitory signal, per se, and are also rejected under 35 U.S.C. 101.

Allowable Subject Matter
13.	The present invention is directed towards a Set of Network Related Event Data (SoNRED) is received.  The SoNRED includes Domain Name System (DNS) Related Event Data (ED).  A Set of Network Related Threat Data (SoNRTD) is received.  The SONRTD includes DNS Related Threat Data (RTD).  The DNS RTD includes a DNS thread feed that is automatically filtered to determine a popularity of network domains associated with malware.  The DNS RTD includes DNS RTD for a 1st enterprise network.  A whitelist is generated using the SoNRED and the SoNRTD.  The whitelist includes a subset of network domains included in the DNS RED based on a data driven model of the DNS RED data and the DNS RTD.  Independent claims 1, 11 and 16 each identify the uniquely distinct combination of features:
receiving a set of network related event data
wherein the set of network related event data includes Domain Name System (DNS) related event data
receiving a set of network related threat data
wherein the set of network related threat data includes DNS related threat data 
generating a whitelist using the set of network related event data and the set of network related threat data
wherein the whitelist includes a subset of network domains included in the DNS related event data based on a data driven model of the DNS related event data and the DNS related threat data.

14.	While the summary is on page 25, and regarding allowable claims 1, 11 and 16 presented above, the closest prior art (Manadhata, US 10474820 (filed on June 17, 2014, as per Justia); Wu, US 10362057; Drihem et al., US Pub 20180343277; Chasin, US Pub 20050015626; Sanghavi et al., US Pub 2020007548; Tewari et al., US Pub 20160315856 [0047]; Kulkarni et al., US Pub 20180039486 [0186]; Dua, US Pub 20060165060 [0184] [0092] [0091]; Wright et al., US Pub 20180063190 [0039] [0040] [0041]; Newman et al., US Pub 20020073157 [0004]; Milov, US Pub 2004004940 [0066]; Helming et al., EP3151511 A1 [0010] [0011] [0012] [0019] [0031] [0032] [0040]; Neystadt et al., US Pub 20200128038 [0054]; Mitchell, US Pub 20150350229 [0074]; Weinberger et al., US Pub 20170142144 [0025]; Atkins et al., “Threat Analysis of the Domain Name System (DNS)”, RFC 3822, 2004; and Lin, US Pub 20040267893 [0007])  disclose Domain Name System (DNS) based Infection Scores (ISs).  In an embodiment, a method includes maintaining Query Profiles (QPs) for members of a Set of Clients (SoC) in a network.  The QPs may be 

15.	Another prior art teach Domain Name System (DNS) Threat Detection Engine (TDE) for analyzing DNS traffic for potential threats.  In various implementations, the DNS TDE can include Threat Profiles (TPs) that include characteristics of network threats associated with DNS.  When a DNS message includes a characteristic associated with a particular TP, a remediation rule associated with the TP can be used to modify the DNS message, including modifying the destination for the DNS message.  When the DNS message is received at the 

16.	And, another prior art teach actively and passively monitoring current network security threats and impacts, to evaluate and maintain Cyber Security (CS) 

17.	In summary, nowhere do the prior art Manadhata, Wu, Drihem, Chasin, Sanghavi, Tewari, Kulkarni, Dua, Wright, Newman, Milov, Helming, Neystadt, Mitchell, Weinberger, Atkins, and Lin disclose the unique combination of elements listed above.  Upon Applicant overcoming the 35 USC 101 rejection (software per se type), then the prior art, either singularly or in combination fails to anticipate or render obvious the present invention.

Conclusion
18.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.  Applicant is reminded that in amending in response to a rejection of claims, the patentable novelty must be clearly shown in view of the state of the art disclosed by the references cited and the objection made.  Applicant must show how the amendments avoid such references and objections.  See 37 CFR 1.111(c).

19.	 Any inquiry concerning this communication or earlier communications from the examiner should be directed to O. Charlie Vostal whose telephone number is 571-270-3992 (via email:  Ondrej.Vostal@uspto.gov  “without a written authorization by applicant in place, the USPTO will not respond via internet e-mail to an Internet correspondence” MPEP 502.02 II and https://www.uspto.gov/sites/default/files/documents/sb0439.pdf ).  The examiner can normally be reached on 8:30am to 5:00pm EST Monday thru Friday.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Thu Nguyen can be reached on 571-272-6967.  The fax phone number for the organization where this application or proceeding is assigned is 571-270-4992.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the Public PAIR system, see http://portal.uspto.gov/pair/PublicPair.  Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


	/ONDREJ C VOSTAL/Primary Examiner, Art Unit 2452                                                                                                                                                                                                        
	March 5, 2021