DETAILED ACTION
This Office Action is in response to the communication filed on 02/22/2019. 
Claims 1-20 are pending. 
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claim Objections
Claims 5-12, 14-15, 17, and 20 are objected to because of the following informalities: 
"the sample" as recited in claims 5-8 should read "the at least one of the one or more samples."
There is insufficient antecedent basis for the limitation "the one or more bad network domains" and "the one or more of bad network domains" as recited in claims 5-11.
"the security device" as recited in claim 7 should read "the first security device."
"a first security device" as recited in claim 12 should read "the first security device."
"if" as recited in claims 14-15 should read "in response to."

"a host" as recited in claim 17 should read "a particular host" and "the host" as recited in claim 17 should read "the particular host."
"and comprising computer instructions for:" as recited in claim 20 should read "and comprising computer instructions which when executed by a processor cause the processor to perform operations comprising:"
Appropriate correction is required.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the "right to exclude" granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal 
Claims 1-3, 17, 19, and 20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1, 3, 5, 10, and 13 of U.S. Patent No. 9,325,735 in view of Kalle (US 8,826,444) further in view of Chen et al. (US 7,958,555). 
Claims 1, 3, 5, 10, and 13 of U.S. Patent No. 9,325,735 disclose all of the limitations recited in claims 1-3, 17, 19, and 20 except for the limitations "receive one or more DNS signatures from a cloud security service, wherein the first security device is one of a plurality of security devices, and wherein each of the plurality of security devices is subscribed to receive updates from the cloud security service" and "based on a match with at least one of one or more DNS signatures."
Kalle discloses the limitation "receive one or more DNS signatures from a cloud security service, wherein the first security device is one of a plurality of security devices, and wherein each of the plurality of security devices is subscribed to receive updates from the cloud security service" (e.g. col. 13 ll. 63-col. 14 ll. 7, col. 40 ll. 44-51). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the 
Chen discloses the limitation "based on a match with at least one of one or more DNS signatures" (e.g. col. 7 ll. 39-60). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method, system, and medium of U.S. Patent No. 9,325,735 and Kalle with the teachings of Chen for the purpose of replacing a web page with a blocking page or displaying a warning message to protect computer users from online frauds (Chen col. 7 ll. 24-25, ll. 58-60).
Instant Application 16/283,545 | Patent No. 9,325,735
1-2 | 1
3 | 3
17 | 5
19 | 10
20 | 13


Claims 1, 3-5, and 12-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1, 3-5, and 11-18 of U.S. Patent No. 10,257,221 in view of Kalle (US 8,826,444) further in view of Dagon et al. (US 2008/0028463). 

Kalle discloses the limitation "receive one or more DNS signatures from a cloud security service, wherein the first security device is one of a plurality of security devices, and wherein each of the plurality of security devices is subscribed to receive updates from the cloud security service" (e.g. col. 13 ll. 63-col. 14 ll. 7, col. 40 ll. 44-51). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method, system, and medium of U.S. Patent No. 10,257,221 with the teachings of Kalle for the purpose of determining whether a particular web domain is malicious (Kalle col. 3 ll. 43-44).
Dagon discloses the limitation "a cache of the local DNS server is polluted with the designated sinkholed IP address for the bad network domain as a result 
Instant Application 16/283,545 | Patent No. 10,257,221
1 | 1, 12
3-5 | 3-5
12-15 | 11-14
16 | 1
17-20 | 15-18


Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claim 20 is rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. Claim 20 recites "A computer program product, the computer program product being embodied in a tangible computer readable storage medium" and the specification is silent regarding the meaning of 
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-4 and 9-20 are rejected under 35 U.S.C. 103 as being unpatentable over Kalle (US 8,826,444) in view of Dagon et al. (US 2008/0028463) further in view of Chen et al. (US 7,958,555).
Claim 1, Kalle teaches: 
A system, comprising:
a processor of a first security device is configured to:
receive one or more DNS signatures from a cloud security service, wherein the first security device is one of a plurality of security devices, and wherein each of the plurality of security devices is subscribed to receive updates from the cloud security service; (e.g. col. 13 ll. 63-col. 14 ll. 7, "web domain classification module 110 may generate intrusion prevention system signatures to block portable executable downloads from the web domains that are identified as malicious…web domain classification module 110 may add the intrusion prevention system signatures generated…to a signature set…web domain classification module 110 may release the signature set compiled…For example, server 206 in FIG. 2 may transmit the signature set to computing devices 202(1)-(N) connected to server 206 via network 204" col. 40 ll. 44-51, "all or a portion of these exemplary systems may represent portions of a cloud-computing or network-based environment. Cloud-computing environments may provide 
a memory coupled to the processor and configured to provide the processor with instructions. (e.g. col. 35 ll. 35-36)
Kalle teaches malware domains (e.g. col. 13 ll. 54-61), the plurality of security devices and the first security device (see above) and does not appear to explicitly teach but Dagon teaches:  
facilitate selective sinkholing via DNS poisoning. (e.g. [0011], "collecting DNS data for the network 250; examining the collected data relative to DNS data from known comprised and/or uncompromised computers 235 in the network 250; and determining the identity of compromised computers in the network 250 based on the examination" [0013], "the Command and Control (C&C) computer 25 of the botnet (network of attacking compromised computers) is identified, as explained below with respect to FIG. 3…the IP address of the C&C computer 25 is replaced with the IP address of the sinkhole computer 20…the bot computers 10 looking up the C&C computer 25 will be told to contact the sinkhole computer 20 instead…when a bot computer 10 contacts the sinkhole computer 20, the sinkhole computer 20 will record the IP address of the bot computer 10…traffic 
intercept a DNS query for a network domain from a local DNS server, wherein the network domain was determined to be a bad network domain; and (e.g. [0011]-[0012], "collecting DNS data for the network 250; examining the collected data relative to DNS data from known comprised and/or uncompromised computers 235 in the network 250; and determining the identity of compromised computers in the network 250 based on the examination")
generate a DNS query response to the DNS query to send to the local DNS server, wherein the DNS query response includes a designated sinkholed IP address for the bad network domain to facilitate identification of an infected host, wherein the DNS query response is a spoofed DNS query response, and wherein a cache of the local DNS server is polluted with the designated sinkholed IP address for the bad network domain as a result of the spoofed DNS query response. (e.g. [0006], "FIGS. 17-22 illustrates methods for detecting and disrupting botnets using DNS cache snooping" [0013]-[0014], "the Command and Control (C&C) computer 25 of the botnet (network of attacking compromised computers) is identified, as explained below with respect to FIG. 3…the IP address of the C&C computer 25 is replaced with the IP address of the sinkhole computer 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings described by Dagon into the invention of Kalle and the motivation for such an implementation would be for the purpose of identifying and attacking botnets, and detecting and disrupting the communication between botnets and their victim bot computers to protect the victim bot computers from further attacks (Dagon [0007], [0013]).
Kalle-Dagon combination teaches the network domain was determined to be a bad network domain, and the one or more DNS signatures (see above) and does not appear to explicitly teach but Chen teaches: 
determined based on a match with at least one of one or more DNS signatures. (e.g. col. 7 ll. 39-60, "The phishing detection request may be in the form of a DNS query…In response to the phishing detection request, the signature server 705 compares the signature of the web page to signatures of phishing 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings described by Chen into the invention of Kalle-Dagon combination and the motivation for such an implementation would be for the purpose of replacing a web page with a blocking page or displaying a warning message to protect computer users from online frauds (Chen col. 7 ll. 24-25, ll. 58-60).
Claim 2, Kalle-Dagon-Chen combination teaches: 
wherein the bad network domain is associated with malware. (e.g. Dagon [0011]-[0013]; same motivation as presented in claim 1 would apply)
Claim 3, Kalle-Dagon-Chen combination teaches:
wherein at least one of the plurality of security devices includes a firewall. (e.g. Dagon [0145]; same motivation as presented in claim 1 would apply)
Claim 4, Kalle-Dagon-Chen combination teaches:

Claim 9, Kalle-Dagon-Chen combination teaches:
wherein a device of the cloud security service is associated with one or more sinkholed IP addresses for the one or more bad network domains by registering the one or more bad network domains to one or more valid IP addresses controlled by the cloud security service and associated with the device of the cloud security service. (e.g. Dagon [0011]-[0013]; same motivation as presented in claim 1 would apply)
Claim 10, Kalle-Dagon-Chen combination teaches:
wherein a device of the cloud security service is associated with one or more sinkholed IP addresses for the one or more bad network domains by registering the one or more bad network domains to one or more valid IP addresses controlled by the cloud security service and associated with the device of the cloud security service, and wherein a processor of the device of the cloud security service is configured to: log each attempted host connection to the one or more sinkholed IP addresses to facilitate identification of infected hosts. (e.g. Dagon [0011]-[0013], [0047]; same motivation as presented in claim 1 would apply)

wherein the bad network domain is associated with malware, wherein the malware includes identified malware, (e.g. Kalle col. 8 ll. 13-14, col. 13 lines 35-36) wherein a device of the cloud security service is associated with one or more sinkholed IP addresses for the one or more bad network domains by registering the one or more bad network domains to one or more valid IP addresses controlled by the cloud security service and associated with the device of the cloud security service, and wherein a processor of the device of the cloud security service is configured to: log each attempted host connection to the one or more sinkholed IP addresses to facilitate identification of hosts infected with the identified malware. (e.g. Dagon [0011]-[0013], [0047]; same motivation as presented in claim 1 would apply)
Claim 12, Kalle-Dagon-Chen combination teaches:
wherein the processor of a first security device of the plurality of security devices is configured to: receive a content update that includes the one or more DNS signatures. (e.g. Kalle col. 12 ll. 14-20, col. 14 ll. 1-6)
Claim 13, Kalle-Dagon-Chen combination teaches:

determine whether a network domain associated with a DNS query matches at least one of the one or more DNS signatures. (e.g. Chen col. 7 ll. 39-60; same motivation as presented in claim 1 would apply)
Claim 14, Kalle-Dagon-Chen combination teaches:
wherein the processor of the first security device of the plurality of security devices is configured to: receive a content update that includes the one or more DNS signatures; (e.g. Kalle col. 12 ll. 14-20, col. 14 ll. 1-6)
determine whether a network domain associated with a DNS query matches at least one of the one or more DNS signatures; and (e.g. Chen col. 7 ll. 39-46)
perform a responsive action if the network domain associated with the DNS query matches at least one of the one or more DNS signatures. (e.g. Chen col. 7 ll. 50-60; same motivation as presented in claim 1 would apply)
Claim 15, Kalle-Dagon-Chen combination teaches:
wherein the processor of the first security device of the plurality of security devices is configured to: receive a content update that includes the one or more 
perform a responsive action if the network domain associated with the DNS query matches at least one of the one or more DNS signatures, wherein the responsive action includes one or more of the following: alert, allow, sinkhole, or block. (e.g. Chen col. 7 ll. 39-60; same motivation as presented in claim 1 would apply)
Claim 16, Kalle-Dagon-Chen combination teaches:
wherein a processor of the cloud security service configured to: 
receive a sample at the cloud security service; (e.g. Kalle col. 12 ll. 23-30)
automatically analyze the sample using the cloud security service to determine whether the sample is associated with malware and to identify one or more bad network domains associated with the malware; and (e.g. Kalle col. 11 ll. 15-20, col. 13 ll. 54-61, col. 25 ll. 26-42)
generate one or more DNS signatures for the one or more bad network domains. (e.g. Kalle col. 13 ll. 63-col. 14 line 2)
Claim 17, Kalle-Dagon-Chen combination teaches:

identify that a host is infected with the identified malware based on a request from the host to connect to the designated sinkholed IP address. (e.g. Dagon [0013]-[0014]; same motivation as presented in claim 1 would apply)
Claim 18, Kalle-Dagon-Chen combination teaches:
wherein the processor of the first security device of the plurality of security devices is configured to: (e.g. Kalle col. 13 ll. 63-col. 14 ll. 7)
generate a log for each attempted host connection to the designated sinkholed IP address. (e.g. Dagon [0011]-[0013], [0047]; same motivation as presented in claim 1 would apply)
Claim 19, this claim is directed to a method containing similar limitations as recited in claim 1 and is rejected using the same rationale to combine the references.
Claim 20, this claim is directed to a medium containing similar limitations as recited in claim 1 and is rejected using the same rationale to combine the references.
Claims 5-8 are rejected under 35 U.S.C. 103 as being unpatentable over Kalle (US 8,826,444) in view of Dagon et al. (US 2008/0028463) in view of Chen et al. (US 7,958,555) further in view of Manni et al. (US 2011/0078794).
Claim 5, Kalle-Dagon-Chen combination teaches wherein the cloud security service receives one or more samples from one or more of the plurality of security devices, and wherein the cloud security service automatically analyzes at least one of the one or more samples by monitoring network activity to identify the one or more bad network domains that the sample attempts to connect to (e.g. Kalle col. 11 ll. 15-20, col. 12 ll. 23-30, col. 13 ll. 54-61, col. 25 ll. 26-42) and does not appear to explicitly teach but Manni teaches: 
during emulation of a sample. (e.g. [0046]-[0048])
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings described by Manni into the invention of Kalle-Dagon-Chen combination and the motivation for such an implementation would be for the purpose of detecting and protecting against malicious network content (Manni [0064]).
Claim 6, Kalle-Dagon-Chen combination teaches wherein the cloud security service receives one or more samples from one or more of the plurality of security devices, wherein the cloud security service automatically analyzes at least one of  and wherein the cloud security service sinkholes at least one of the one or more of bad network domains (e.g. Dagon [0011]-[0013]; same motivation as presented in claim 1 would apply) and does not appear to explicitly teach but Manni teaches: 
during emulation of a sample. (e.g. [0046]-[0048])
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings described by Manni into the invention of Kalle-Dagon-Chen combination and the motivation for such an implementation would be for the purpose of detecting and protecting against malicious network content (Manni [0064]).
Claim 7, Kalle-Dagon-Chen combination teaches wherein the cloud security service receives one or more samples from one or more of the plurality of security devices, wherein the cloud security service automatically analyzes at least one of the one or more samples by monitoring network activity to identify the one or more bad network domains that the sample attempts to connect to (e.g. Kalle col. 11 ll. 15-20, col. 12 ll. 23-30, col. 13 ll. 54-61, col. 25 ll. 26-42), and wherein the first security device of the plurality of security devices is configured to sinkhole at 
during emulation of a sample. (e.g. [0046]-[0048])
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings described by Manni into the invention of Kalle-Dagon-Chen combination and the motivation for such an implementation would be for the purpose of detecting and protecting against malicious network content (Manni [0064]).
Claim 8, Kalle-Dagon-Chen combination teaches wherein the cloud security service receives one or more samples from one or more of the plurality of security devices, wherein the cloud security service automatically analyzes at least one of one or more samples by monitoring network activity to identify the one or more bad network domains that the sample attempts to connect to (e.g. Kalle col. 11 ll. 15-20, col. 12 ll. 23-30, col. 13 ll. 54-61, col. 25 ll. 26-42), wherein the first security device of the plurality of security devices is configured to sinkhole at least one of the one or more of bad network domains to implement selective sinkholing of malware domains by the first security device via DNS poisoning, and wherein the 
during emulation of a sample. (e.g. [0046]-[0048])
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings described by Manni into the invention of Kalle-Dagon-Chen combination and the motivation for such an implementation would be for the purpose of detecting and protecting against malicious network content (Manni [0064]).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: US 2008/0155694 discloses a method for dealing with attacks of malicious BOTs in a network security system includes detecting and analyzing a domain name receiving excessive DNS queries to judge the infection of a malicious BOT, registering the corresponding domain name as normal or abnormal management target, and redirecting an abnormal DNS query for the abnormal management target to a redirection processing & response system. 

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, GELAGAY SHEWAYE can be reached on 5712724219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service 






/AMIE C. LIN/Examiner, Art Unit 2436