DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

This Office action is in response to the amendment filed on 03/15/2021. New claims 21 and 22 are added.

Claims 1-22 are presented for examination.

35 U.S.C. 101 rejection is withdrawn in view of the amendment.

Claims 21 and 22 are objected to under 37 CFR 1.75 as being a substantial duplicate of claim 1. When two claims in an application are duplicates or else are so close in content that they both cover the same thing, despite a slight difference in wording, it is proper after allowing one claim to object to the other as being a substantial duplicate of the allowed claim. See MPEP § 608.01(m). 
Applicant states on page 15 of the Remarks that “claims 21 and 22 depend from claim 1 and for the addition features they recite”. However, claims 21 and 22 do not recite any additional features. The only difference is that claim 1 recites the steps (A), (B), (C) and/or (D), whereas claims 21 and 22 recite the steps (A), (B), (C) and (D). The “and/or” means it could be “and” or “or” (i.e., (A), (B), (C) and (D), or (A), (B), (C) or (D)
Claims 21 and 22 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Mahjoub et al. (US 2017/0041332), in view of Rand et al. (US 2007/0118669) and Fakeri-Tabrizi et al. (US 2016/0065611).

As to claims 1 and 11, Mahjoub discloses the invention as claimed including a system, comprising:
a processor configured to (1102, Fig. 11): 
receive DNS log files, wherein the DNS log files include a DNS query and a DNS response for resolution of the DNS query (72, 74, Fig. 1; ¶0040, “The log can include a client identifier such as the source IP address of each request, a domain identifier such as the target domain or hostname of the request, and time information associated with the request”; ¶0041, “A querylog entry may include an IP address of the client issuing a query and a hostname requested by the query, among other information”; ¶0048, “this analysis involves accessing a stream of query logs (querylogs). A querylog entry may include an IP address of the client issuing a query and a hostname requested by the query”; ¶0053, “authoritative logs include DNS information such as an IP address for a hostname submitted in a query”; ¶0054); 
generate a graph based on the DNS log files (Fig. 6; Fig. 9; ¶0091, “The system builds an AS graph”; ¶0126, “In the chart 900 shown in FIG. 9A, a spike in DNS traffic is caused by a DNS amplification attack…the queries included in the spike to detect this attack and flag the associated domains as malicious. Additionally or alternatively, the techniques herein can map the IP space associated with the attack to determine the true source, eventually pivoting about hosting infrastructure to detect and map the malicious attack”); 
identify a plurality of communities using the graph based on DNS querying patterns (¶0091, “The system builds an AS graph and then investigates its topology to uncover hotspots of malicious or suspicious activities and monitor our DNS traffic for new domains hosted on these malicious IP ranges”; ¶0126, “In the chart 900 shown in FIG. 9A, a spike in DNS traffic is caused by a DNS amplification attack. In an amplification attack, the attacker spoofs DNS requests to hide the source of an attack”; ¶0127); and 
detect an anomaly in DNS activity associated with one or more of the communities based on a DNS querying (Abstract; ¶0088, “if five IP addresses found in an IP range are hosting similar pattern exploit kit domains, the IP addresses may be analyzed to determine a fingerprint”; ¶0100, “performed by the SD subsystem to detect and potentially block malicious domains or IP addresses… the SD subsystem analyzes DNS query patterns to identify domains hosting malicious activity”; ¶0103, “the data included in a detected spike (e.g., queries) must be analyzed to detect clusters, groups, and/or patterns of similar data in the spike”; ¶0112); and 
a memory coupled to the processor and configured to provide the processor with instructions (1102, 1104, 1106, Fig. 11; ¶0133, “Memory 1104 stores instructions and data for programming processor 112 to implement the technology described herein… mass storage device 1106 stores the system software that programs processor 112 to implement the technology described herein”). 

Although Mahjoub discloses detecting an anomaly in DNS activity associated with one or more of the communities based on a DNS querying (Abstract; ¶0100; ¶0103; ¶0112), and detecting malicious domains that can be performed by filtering the domains (¶0060), Mahjoub does not specifically disclose a DNS querying rule. However, Rand discloses a DNS querying rule (381, Fig. 1; Fig. 4; ¶0007, “security policies may be used by the DNS appliances to determine whether a DNS client query is originated by a client computer performing a prohibited activity”; ¶0021, “Such security policies may dictate how to detect and respond to DNS client queries that are part of a prohibited activity, such as activities of malicious sources or activities that are 
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Mahjoub to include a DNS querying rule, as taught by Rand because it would enhance DNS security network by efficiently selecting the appropriate security policy for the particular customer (Rand, ¶0007; ¶0034).

Although Mahjoub discloses detecting an anomaly in DNS activity associated with one or more of the communities (Abstract, "classifying domains based on DNS traffic so that domains that are malicious or associated with malicious activity can be identified...detecting a spike in the traffic for a particular domain, and categorizing queries in the spike based on one or more query features"; ¶0021; ¶0049; ¶0102, "the system can extract spiked domains based on two consecutive hours of query log data, ten minutes of query log data, or any other time period. Analyzing the spikes based on a moving average over a predetermined period of time may increase the likelihood that queries for popular domains, such as major search engines, are not considered as spikes"; ¶0103; ¶0112; ¶0113; ¶0126), Mahjoub does not specifically disclose performing one or more of the following: A) determine whether current traffic activity of one or more of the communities exceeds the average observed traffic activity for the one or more of the communities by a predetermined factor; and in response to a determination that the current traffic activity of one or more of the communities exceeds the average observed traffic activity for the one or more of the communities by the predetermined factor, determine that the anomaly in the DNS activity has been detected; B) determine whether one or more of the communities starts querying young domains relative to a previous querying pattern of the one or more of the communities, wherein a young domain corresponds to a domain created two days ago or younger; and in response to a determination that the one or more of the communities started querying the young domains relative to the previous querying pattern of the one or more of the communities, determine that the anomaly in the DNS activity has been detected; C) determine whether one or more of the communities starts querying a known indicator of compromise (IOC) relative to a previous monitored pattern of querying of the one or more of the communities; and in response to a determination that the one or more of the communities started querying the known IOC relative to the previous monitored pattern of querying of the one or more of the communities, determine that the anomaly in the DNS activity has been detected; and/or D) determine whether a first DNS querying rate of a current time window for one or more of the communities changes equal to or greater than a preset threshold from a second DNS querying rate of a previous time window for the one or more of the communities; and in response to a determination that the first DNS querying rate of the current time window for the one or more of the communities changes equal to or greater than the preset threshold from the second DNS querying rate of the previous time window for the one or more of the communities, determine that the anomaly in the DNS activity has been detected. However, Fakeri-Tabrizi discloses these limitations (120, Fig. 1; ¶0009, “The determination of the anomaly trend can be determined when at least one of the count values exceeds a predetermined threshold value, where the predetermined threshold value can be associated with an average or a median of the count values for the predetermined period”; ¶0020, “detecting unusual patterns in DNS traffic to identify new types of malicious activities”; ¶0022; ¶0024, “an anomaly trend can be determined by analyzing the count values. For example, an anomaly trend or a spike can be determined when at least one of the count values exceeds a predetermined threshold value. However, any other analysis of time-based patterns can be applied to identify anomalies”; ¶0048, “an anomaly trend can be detected if one the count values exceeds a predetermined threshold value. In some embodiments, the predetermined threshold value can be based on an average or a median of all count values”; ¶0050; ¶0059). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Mahjoub to include the limitation above, as taught by Fakeri-Tabrizi, because it would more effectively detect malicious anomalies by calculating the current traffic activity using the predetermined threshold value associated with an average (Fakeri-Tabrizi; ¶0020-¶0024).
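The four claimed checks A) to D) above, carried out per community, as an added example that is not code from the application or from any cited reference; it assumes hourly time windows, a constructed query log, constructed domain creation dates and a constructed IOC list, and uses a simple shared-domain grouping of source IPs in place of a real community-detection algorithm:

```python
# Added illustration (not the applicant's or Mahjoub's code) of claimed checks A-D.
from collections import defaultdict
from datetime import datetime, timedelta

T = datetime(2021, 3, 21, 10, 0)  # constructed base time of the sample log
RAW = [  # constructed log: (minutes after T, source IP, domain); 10:00 window first
    (5, "10.0.0.1", "news.example"), (10, "10.0.0.2", "news.example"),
    (7, "10.0.0.3", "shop.example"), (12, "10.0.0.4", "shop.example"),
    # 11:00 window (current): the second community changes its behaviour
    (65, "10.0.0.1", "news.example"), (70, "10.0.0.2", "news.example"),
    (61, "10.0.0.3", "shop.example"), (62, "10.0.0.4", "shop.example"),
    (63, "10.0.0.3", "cdn-fresh.example"), (64, "10.0.0.4", "cdn-fresh.example"),
    (66, "10.0.0.3", "bad.example"), (67, "10.0.0.4", "bad.example"),
    (68, "10.0.0.3", "bad.example"), (69, "10.0.0.4", "bad.example")]
LOG = [(T + timedelta(minutes=m), ip, d) for m, ip, d in RAW]
CREATED = {"news.example": T - timedelta(days=3000), "shop.example": T - timedelta(days=900),
           "cdn-fresh.example": T - timedelta(days=1), "bad.example": T - timedelta(days=30)}
IOCS, NOW = {"bad.example"}, T + timedelta(hours=2)  # constructed IOC list; analysis time


def build_communities(log):
    """Merge source IPs that query a common domain: a simple stand-in for community detection."""
    by_domain, comms = defaultdict(set), []
    for _, ip, dom in log:
        by_domain[dom].add(ip)
    for ips in by_domain.values():
        merged = set(ips)
        for c in [c for c in comms if c & ips]:  # absorb every overlapping group
            merged |= c
            comms.remove(c)
        comms.append(merged)
    return [frozenset(c) for c in comms]


def hourly_windows(log, members):
    """Domains queried by one community, bucketed by hour, oldest window first."""
    out = defaultdict(list)
    for ts, ip, dom in log:
        if ip in members:
            out[ts.replace(minute=0, second=0, microsecond=0)].append(dom)
    return dict(sorted(out.items()))


def check_community(windows, created, iocs, now, factor=3.0, threshold=0.5):
    """Return the letters of the claimed checks A-D that fire for one community."""
    *prev_w, cur = windows.values()
    prev = [d for ds in prev_w for d in ds]
    new = set(cur) - set(prev)  # domains absent from the previous querying pattern
    fired = []
    # (A) current volume exceeds the average of earlier windows by `factor`
    if prev_w and len(cur) > factor * len(prev) / len(prev_w):
        fired.append("A")
    # (B) community starts querying young domains (created two days ago or less)
    if any(d in created and now - created[d] <= timedelta(days=2) for d in new):
        fired.append("B")
    # (C) community starts querying a known indicator of compromise
    if new & iocs:
        fired.append("C")
    # (D) query rate changes by >= threshold relative to the previous window
    if prev_w and abs(len(cur) - len(prev_w[-1])) / max(len(prev_w[-1]), 1) >= threshold:
        fired.append("D")
    return fired


def detect(log, created, iocs, now):
    """Map each community to the claimed checks that fired for it."""
    return {c: check_community(hourly_windows(log, c), created, iocs, now)
            for c in build_communities(log)}
```

In the constructed log the first community keeps its pattern and triggers nothing, while the second community's jump in volume, new young domain and new IOC query trigger all four checks.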

As to claim 2, Mahjoub discloses the system recited in claim 1, wherein the graph is a weighted undirected graph (Figs. 6C-6D; ¶0093; ¶0094, “In the graph 262 

As to claim 3, Mahjoub discloses the system recited in claim 1, wherein the graph is a weighted undirected graph based on source IP addresses (¶0091, “The system builds an AS graph and then investigates its topology to uncover hotspots of malicious or suspicious activities and monitor our DNS traffic for new domains hosted on these malicious IP ranges”; ¶0126, “In the chart 900 shown in FIG. 9A, a spike in DNS traffic is caused by a DNS amplification attack. In an amplification attack, the attacker spoofs DNS requests to hide the source of an attack”; ¶0127). 

As to claim 4, Mahjoub discloses the system recited in claim 1, wherein the processor is further configured to: perform community detection based on association of the DNS querying patterns and source IP addresses in the graph (Abstract; ¶0100, “performed by the SD subsystem to detect and potentially block malicious domains or IP addresses… the SD subsystem analyzes DNS query patterns to identify domains hosting malicious activity”; ¶0103, “the data included in a detected spike (e.g., queries) must be analyzed to detect clusters, groups, and/or patterns of similar data in the spike”; ¶0112). 

As to claim 5, it is rejected for the same reasons set forth in claim 1 above. In addition, Mahjoub discloses wherein the processor is further configured to: apply the DNS querying to one or more of the plurality of communities for detecting the anomaly in the DNS activity associated with the one or more of the plurality of communities (Abstract; ¶0100, “performed by the SD subsystem to detect and potentially block malicious domains or IP addresses… the SD subsystem analyzes DNS query patterns to identify domains hosting malicious activity”; ¶0103, “the data included in a detected spike (e.g., queries) must be analyzed to detect clusters, groups, and/or patterns of similar data in the spike”; ¶0112). 

As to claim 6, Mahjoub discloses the system recited in claim 1, wherein the processor is further configured to: store the plurality of communities in a community detection table (¶0034, “The DNS nameserver may also provide alternate IP address information based on an IP address being on a block list or otherwise having a record at the cluster indicating that traffic should not be routed to the IP address”; ¶0037; ¶0051; ¶0071). 

As to claim 7, Mahjoub discloses the system recited in claim 1, wherein the processor is further configured to: receive a DNS data stream, wherein the DNS data stream includes a DNS query and a DNS response for resolution of the DNS query(72, 74, Fig. 1; ¶0040, “The log can include a client identifier such as the source IP address of each request, a domain identifier such as the target domain or hostname of the request, and time information associated with the request”; ¶0041, “A querylog entry may include an IP address of the client issuing a query and a hostname requested by the query, among other information”; ¶0048, “this analysis involves accessing a stream of query logs (querylogs).  A querylog entry may include an IP address of the client issuing a query and a hostname requested by the query”; ¶0053, “authoritative 

As to claim 8 Mahjoub discloses the system recited in claim 1, wherein the processor is further configured to: receive a DNS data stream, wherein the DNS data stream includes a DNS query and a DNS response for resolution of the DNS query; and process domains queried in the DNS data stream (72, 74, Fig. 1; ¶0040, “The log can include a client identifier such as the source IP address of each request, a domain identifier such as the target domain or hostname of the request, and time information associated with the request”; ¶0041, “A querylog entry may include an IP address of the client issuing a query and a hostname requested by the query, among other information”; ¶0048, “this analysis involves accessing a stream of query logs (querylogs).  A querylog entry may include an IP address of the client issuing a query and a hostname requested by the query”; ¶0053, “authoritative logs include DNS information such as an IP address for a hostname submitted in a query”; ¶0054). 

As to claim 9, Mahjoub discloses the system recited in claim 1, wherein the processor is further configured to: receive a DNS data stream, wherein the DNS data stream includes a DNS query and a DNS response for resolution of the DNS query; process domains queried in the DNS data stream; and update a community detection table, wherein the community detection table stores the plurality of communities (72, 74, Fig. 1; ¶0040, “The log can include a client identifier such as the source IP address of each request, a domain identifier such as the target 
 
As to claim 10, it is rejected for the same reasons set forth in claim 1 above. In addition, Mahjoub discloses the system recited in claim 1, wherein the processor is further configured to: detect a compromised community in the plurality of communities based on the DNS querying pattern (¶0040, “Subscriber database 74 includes a log reflecting client DNS request behavior”; ¶0088, “if five IP addresses found in an IP range are hosting similar pattern exploit kit domains, the IP addresses may be analyzed to determine a fingerprint”). 

As to claim 12, it is rejected for the same reasons set forth in claim 2 above.

As to claim 13, it is rejected for the same reasons set forth in claim 3 above.

As to claim 14, it is rejected for the same reasons set forth in claim 4 above.

As to claim 15, it is rejected for the same reasons set forth in claim 5 above.

As to claim 16, it is rejected for the same reasons set forth in claim 1 above. In addition, Mahjoub discloses a computer program product, the computer program product being embodied in a tangible non-transitory computer readable storage medium (1104, Fig. 11; ¶0133, “Memory 1104 stores instructions and data for programming processor 112 to implement the technology described herein… mass storage device 1106 stores the system software that programs processor 112 to implement the technology described herein”; ¶0100, “the SD subsystem analyzes DNS query patterns to identify domains hosting malicious activity such as exploit kits”). 
 
As to claim 17, it is rejected for the same reasons set forth in claim 2 above.

As to claim 18, it is rejected for the same reasons set forth in claim 3 above.

As to claim 19, it is rejected for the same reasons set forth in claim 4 above.

As to claim 20, it is rejected for the same reasons set forth in claim 5 above.

Conclusion
Applicant’s arguments with respect to claims 1-20 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JUNGWON CHANG whose telephone number is (571)272-3960.  The examiner can normally be reached from 8:00 am to 4:30 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, GLENTON BURGESS can be reached on (571)272-3949.  The fax phone 
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/JUNGWON CHANG/Primary Examiner, Art Unit 2454
March 21, 2021