DETAILED ACTION

1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
 
2.	Applicant’s response filed on January 27, 2021 have been considered.  Claims 1, 4, 8, 11, 13-14, 17, and 20-21 have been amended. Claims 7, and 16 have been canceled.  New claims 24-25 have been added.  Claims 1, 4-6, 8-11, 13-15, and 17-25 are pending.
Claim Interpretation
3.	This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are: 
Referring to claim 11: 
          Claim 11 limitation “a receiving unit used to receive” has been interpreted under pre-AIA  35 U.S.C. § 112, sixth paragraph, because it uses a generic placeholder “unit” coupled with functional language “to receive” without reciting sufficient structure to achieve the function. Furthermore, the generic placeholder is not preceded by a structural modifier.  
              	Claim 11 limitation “a determination unit used to determine” has been interpreted under pre-AIA  35 U.S.C. § 112, sixth paragraph, because it uses a generic placeholder “unit” coupled with functional language “to determine” without reciting sufficient structure to achieve the function. Furthermore, the generic placeholder is not preceded by a structural modifier.
                     Claim 11 limitation “a first discarding unit used to discard” has been interpreted under pre-AIA  35 U.S.C. § 112, sixth paragraph, because it uses a generic placeholder “unit” coupled with functional language “to discard” without reciting 
                    Since the claim limitations invoke pre-AIA  35 U.S.C. § 112, sixth paragraph, Claim 11 has been interpreted to cover the corresponding structure described in the specification that achieves the claimed function, and equivalents thereof.
                   A review of the specification shows that the following appears to be the corresponding structure described in the specification for the pre-AIA  35 U.S.C. § 112, sixth paragraph limitation: 
                  Fig. 6 discloses an apparatus 600 including an input/out interface 604, a determining unit 616, and first discarding unit 618.  Therefore, the specification discloses item 603 as ‘a receiving unit configured to receive’, item 616 is ‘a determination unit configured to determine’, and item 618 as ‘a first discarding unit configured to discard’.
 Referring to claim 13: 
              	Claim 13 limitation “a storage unit configured to store” has been interpreted under pre-AIA  35 U.S.C. § 112, sixth paragraph, because it uses a generic placeholder “unit” coupled with functional language “to store” without reciting sufficient structure to achieve the function. Furthermore, the generic placeholder is not preceded by a structural modifier. 
                    Since the claim limitations invoke pre-AIA  35 U.S.C. § 112, sixth paragraph, Claim 13 has been interpreted to cover the corresponding structure described in the specification that achieves the claimed function, and equivalents thereof.
                   A review of the specification shows that the following appears to be the corresponding structure described in the specification for the pre-AIA  35 U.S.C. § 112, sixth paragraph limitation: 
                   Fig. 6 discloses an apparatus 600 including a memory 608.  Therefore, the specification discloses ‘a storage unit configured to store’ as the memory 608 in an apparatus 600.
Referring to claim 14: 

           Claim 14 limitation “a first deletion unit used for deleting” has been interpreted under pre-AIA  35 U.S.C. § 112, sixth paragraph, because it uses a generic placeholder “unit” coupled with functional language “for deleting” without reciting sufficient structure to achieve the function. Furthermore, the generic placeholder is not preceded by a structural modifier. 
          Claim 14 limitation “an first addition unit configured to add” has been interpreted under pre-AIA  35 U.S.C. § 112, sixth paragraph, because it uses a generic placeholder “unit” coupled with functional language “to add” without reciting sufficient structure to achieve the function. Furthermore, the generic placeholder is not preceded by a structural modifier. 
                    Since the claim limitations invoke pre-AIA  35 U.S.C. § 112, sixth paragraph, Claim 14 has been interpreted to cover the corresponding structure described in the specification that achieves the claimed function, and equivalents thereof.
                   A review of the specification shows that the following appears to be the corresponding structure described in the specification for the pre-AIA  35 U.S.C. § 112, sixth paragraph limitation: 
                   Fig. 7 discloses an apparatus 600 including a radio calculation unit 706.  Therefore, the specification discloses ‘a ratio calculation unit configured to calculate’ as the radio calculation unit 706 in an apparatus 600.
                   Fig. 7 discloses an apparatus 600 including a first deletion unit 708.  Therefore, the specification discloses ‘a first deletion unit used for deleting’ as the first deletion unit 708 in an apparatus 600.
                   Fig. 7 discloses an apparatus 600 including a first addition unit 710.  Therefore, the specification discloses ‘an first addition unit configured to add’ as the first addition unit 710 in an apparatus 600.
Referring to claim 15: 
              	Claim 15 limitation “a hit rate calculation unit configured to find” has been interpreted under pre-AIA  35 U.S.C. § 112, sixth paragraph, because it uses a generic placeholder “unit” coupled with functional language “to find” without reciting sufficient structure to achieve the function. Furthermore, the generic placeholder is not preceded by a structural modifier. 
                    Since the claim limitations invoke pre-AIA  35 U.S.C. § 112, sixth paragraph, Claim 15 has been interpreted to cover the corresponding structure described in the specification that achieves the claimed function, and equivalents thereof.
                   A review of the specification shows that the following appears to be the corresponding structure described in the specification for the pre-AIA  35 U.S.C. § 112, sixth paragraph limitation: 
                   Fig. 7 discloses an apparatus 600 including a hit rate calculation unit 712.  Therefore, the specification discloses ‘a hit rate calculation unit configured to find’ as the hit rate calculation unit 712 in an apparatus 600.
Referring to claim 17: 
              	Claim 17 limitation “a second deletion unit configured to delete” has been interpreted under pre-AIA  35 U.S.C. § 112, sixth paragraph, because it uses a generic placeholder “unit” coupled with functional language “to delete” without reciting sufficient structure to achieve the function. Furthermore, the generic placeholder is not preceded by a structural modifier. 
                     Claim 17 limitation “a second addition unit configured to add” has been interpreted under pre-AIA  35 U.S.C. § 112, sixth paragraph, because it uses a generic placeholder “unit” coupled with functional language “to add” without reciting sufficient structure to achieve the function. Furthermore, the generic placeholder is not preceded by a structural modifier.  
                    Since the claim limitations invoke pre-AIA  35 U.S.C. § 112, sixth paragraph, Claim 17 has been interpreted to cover the corresponding structure described in the specification that achieves the claimed function, and equivalents thereof.

                   Fig. 8 discloses an apparatus 600 including a second deletion unit 804, a second addition unit 806  Therefore, the specification discloses ‘a second deletion unit used for deleting’ as the second deletion unit 804 in an apparatus 600, and item 806 as ‘a second unit configured to add’.
Referring to claim 18: 
              	Claim 18 limitation “a throughput calculation unit configured to add” has been interpreted under pre-AIA  35 U.S.C. § 112, sixth paragraph, because it uses a generic placeholder “unit” coupled with functional language “to add” without reciting sufficient structure to achieve the function. Furthermore, the generic placeholder is not preceded by a structural modifier. 
                    Since the claim limitations invoke pre-AIA  35 U.S.C. § 112, sixth paragraph, Claim 18 has been interpreted to cover the corresponding structure described in the specification that achieves the claimed function, and equivalents thereof.
                   A review of the specification shows that the following appears to be the corresponding structure described in the specification for the pre-AIA  35 U.S.C. § 112, sixth paragraph limitation: 
                   Fig. 8 discloses an apparatus 600 including a throughput calculation unit 802.  Therefore, the specification discloses ‘a throughput calculation unit configured to add’ as the throughput calculation unit 802 in an apparatus 600.
Referring to claim 19: 
              	Claim 19 limitation “a second discarding unit configured to discard” has been interpreted under pre-AIA  35 U.S.C. § 112, sixth paragraph, because it uses a generic placeholder “unit” coupled with functional language “to discard” without reciting sufficient structure to achieve the function. Furthermore, the generic placeholder is not preceded by a structural modifier. 
                    Since the claim limitations invoke pre-AIA  35 U.S.C. § 112, sixth paragraph, Claim 19 has been interpreted to cover the corresponding structure 
                   A review of the specification shows that the following appears to be the corresponding structure described in the specification for the pre-AIA  35 U.S.C. § 112, sixth paragraph limitation: 
                   Fig. 8 discloses an apparatus 600 including a second discarding unit 808.  Therefore, the specification discloses ‘a second discarding unit configured to discard’ as the second discarding unit 808 in an apparatus 600. 

4.	Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
            If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. 

Claim Rejections - 35 USC § 112
5.	Claims 1, 4-6, 8-11, 13-15, and 17-25 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.  
Referring to claims 1, 11, 20:

          		discarding the target DNS response message; and 
          		transmitting the target DNS response message to the internal network device.” 
                      Fig. 5 of the application discloses upon determining the target DNS response message satisfies the predetermined condition (S520, with ‘YES’ path), discarding the target DNS response message (S524).
                      However, fig. 5 does not disclose transmitting the target DNS response to the internal network device, after discarding the target DNS response message (S524). 
                      Therefore, Claim 1 is rejected for failing to comply with the written description requirement. 
		Claims 11, and 20 recited the similar limitations as Claim 1, and are therefore rejected based on the same rationale.
Referring to claims 4-6, 8-10, 13-15, 17-19, and 21-25:
          Claims 4-6, 8-10, 13-15, 17-19, and 21-25 are dependent from their independent claims 1, 11, and 20 respectively, and are therefore rejected based on the same rationale.   

6.	Claims 1, 4-6, 8-11, 13-15, and 17-25 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Referring to claims 1, 11, 20:
		Claim 1 recites “upon determining that the target DNS response message satisfies the predetermined conditions: 
          		discarding the target DNS response message; and 
          		transmitting the target DNS response message to the internal network device.”
		MPEP states: 
conflict or inconsistency between the claimed subject matter and the specification disclosure renders the scope of the claim uncertain as inconsistency with the specification disclosure.” (see MPEP § 2173.03) 
                      Fig. 5 of the application discloses upon determining the target DNS response message satisfies the predetermined condition (S520, with ‘YES’ path), discarding the target DNS response message (S524).
                      However, fig. 5 does not disclose transmitting the target DNS response to the internal network device, after discarding the target DNS response message (S524). 
                      Therefore, there is a conflict or inconsistency between the claimed subject matter and the specification disclosure, wherein the conflict or inconsistency renders the scope of the claim uncertain as inconsistency with the specification disclosure. 
		Claims 11, and 20 recited the similar limitations as Claim 1, and are therefore rejected based on the same rationale.
Referring to claims 4-6, 8-10, 13-15, 17-19, and 21-25:
          Claims 4-6, 8-10, 13-15, 17-19, and 21-25 are dependent from their independent claims 1, 11, and 20 respectively, and are therefore rejected based on the same rationale.  

Claim Rejections - 35 USC § 103

7.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

8.	Claims 1, 4-6, 8-11, 13-15, and 17-25 are rejected under 35 U.S.C. 103 as being unpatentable over Kim (U.S. 2013/0031626 A1), in view of Wood (U.S. 2015/0326530 A1), further in view of Lyon (U.S. 2006/0075491 A1).
Referring to claims 1, 11, 20:
	i.	Kim teaches:

 		receiving a target DNS response message that is directed to an internal network device and sent from an external network device (see Kim, fig. 4, 431 ‘DNS response ?’; [0020] ‘… an ID, a destination address, and a source address of the DNS packet including the response message...’);
         determining that a source address in the target DNS response message is included in a dynamic management table, the source address representing a device having the source address not being invasive (see Kim, fig. 4, 432 ‘same SIP address [i.e., source IP address ]’; [0020] ‘whether or not there is the previous packet may be determined by comparing an ID, a destination address, and a source address [i.e., under a circumstance that a management table includes a source address in the target DNS response message ] of the DNS packet including the response message to an ID, a source address, and a destination address of the previous packet including a query message.’; [0065] ‘a management table including SIP address [i.e., a dynamic management table including the source IP address ]’);
        determining whether the target DNS response message satisfies predetermined conditions, the predetermined conditions including:
        Kim discloses a method of detecting DNS flood attack according to characteristics of type of attack traffic, wherein Kim uses a predetermined time difference as the predetermined condition to determine whether to discard or transmit the target DNS response message (see Kim, fig. 7; [0012] ‘the present invention provide attack detection methods of selectively dropping only attack traffic of malicious users while protecting traffic of normal users [i.e., dropping only attack traffic (drop only attack packets) of malicious users, while protecting traffic (transmitting non-dropped packets) of normal users ].’; [0109] ‘If there is the entry corresponding to the response message, it is checked whether or not the response message has been generated within a cache time (threshold time) described with reference to FIG. 9 (for example, within 1 sec immediately before the query message of a current packet is received) (1022).  If the response message having the same query content has been received within the threshold time, the packet is dropped and an entry generation time related to the response message is updated to a current time (1025).  If the message has not been the entry generation time related to the response message is updated to the current time (1024).’).
          Kim discloses a dynamic management table includes a source address (see Kim, [0065] ‘a management table including SIP address [i.e., a dynamic management table including the source IP address ]’). However, Kim does not explicitly disclose a dynamic white list.
	           Kim discloses the predetermined condition includes a predetermined time difference (see Kim, [0109] ‘If there is the entry corresponding to the response message, it is checked whether or not the response message has been generated within a cache time (threshold time) described with reference to FIG. 9 (for example, within 1 sec immediately before the query message of a current packet is received) (1022).’).  However, Kim does not explicitly disclose the predetermined condition includes a predetermined throughput value.
	ii.	Wood disclose the dynamic white list (see Wood, [0022] ‘The novel traffic control method operates off a dynamically changing list of blocked and allowed domain names.’)
	iii.	It would have been obvious to one of the ordinary skilled in the art, before the effective filing date of the claimed invention, to apply the teaching of Wood into the system of Kim to use a dynamic white list.  Kim teaches "methods of detecting only a type of attack traffic of a malicious user.” (see Kim, [0003]). Therefore, Wood’s teaching could enhance the system of Kim, because Wood teaches “firewalls and systems for providing online security.” (see Wood, [0002]).
	iv.	Lyon discloses using a predetermined total throughput value as a predetermined condition to determine whether to send or not send a DNS message, wherein a total throughput value being greater than a predetermined throughput value, the total throughput value being a total of a throughput value of the target DNS message and a throughput value of historical DNS messages, the historical DNS messages being all DNS messages sent by the external network device before the target DNS message is sent (see Lyon, Claim 44, ‘counting the number of requests for a domain name from the same source to produce a hit count over a period of time [i.e., where the ‘hit count’ corresponding to ‘the total throughput value’, such as a total of a throughput value of the comparing the hit count against a threshold value [i.e. where ‘a threshold value’ corresponding to ‘the predetermined throughput value’ ].’)
v.	It would have been obvious to one of the ordinary skilled in the art, before the effective filing date of the claimed invention, to apply the teaching of Lyon into the system of Kim for using a predetermined total throughput value as a predetermined condition to determine whether to send or not send a DNS message.  Kim teaches "methods of detecting only a type of attack traffic of a malicious user.” (see Kim, [0003]). Therefore, Lyon’s teaching could enhance the system of Kim, because Lyon teaches “the invention relates to a data cleaning center having attack detection and/or mitigation modules that provide DDoS attack-free data to back-end servers.” (see Lyon, [0001]). 
Referring to claims 4, 13:
		Kim, Wood, and Lyon further disclose:
           storing the domain name and a sending time of the target DNS response message into the historical domain name record if the target domain name in the target DNS response message is not included in the historical domain name record (see Kim, [0049] ‘response content of the response message is stored in a response content field 60.’).
Referring to claims 5, 14:
	  	Kim, Wood, and Lyon further disclose:
                     calculating a ratio, and hit rate (see Lyon, [0054] ‘If the ratio exceeds a threshold value, then a network attack is detected’, [0131] ‘checks for whether the recorded hit count [i.e., the hit rate ] for the request exceeds a threshold for the number of requests over a period of time (for example, over the last ten seconds),’). 
                      deleting a source address of the external network device from the dynamic white list if the ratio is greater than a predetermined ratio (see Wood, [0022] ‘The novel traffic control method operates off a dynamically changing list of blocked and allowed domain names.’; [0118] ‘use whitelists and/or blacklists’); and
                      adding the source address of the external network device into a dynamic black list (see Wood, [0022] ‘The novel traffic control method operates off a dynamically changing list of blocked and allowed domain names.’; [0118] ‘use whitelists and/or blacklists’). 
 	It would have been obvious to one of the ordinary skilled in the art, before the effective filing date of the claimed invention, to apply the teaching of Lyon into the system of Kim to use ratio, hit rate.  Kim teaches "methods of detecting only a type of attack traffic of a malicious user.” (see Kim, [0003]). Therefore, Lyon’s teaching could enhance the system of Kim, because Lyon teaches “the invention relates to a data cleaning center having attack detection and/or mitigation modules that provide DDoS attack-free data to back-end servers.” (see Lyon, [0001]).
    	         It would have been obvious to one of the ordinary skilled in the art, before the effective filing date of the claimed invention, to apply the teaching of Wood into the system of Kim to use a dynamic white list.  Kim teaches "methods of detecting only a type of attack traffic of a malicious user.” (see Kim, [0003]). Therefore, Wood’s teaching could enhance the system of Kim, because Wood teaches “firewalls and systems for providing online security.” (see Wood, [0002]).
Referring to claims 6, 23:
		Kim, Wood, and Lyon further disclose:
                      calculating a hit count of each domain name in the historical domain name record comprises by finding a domain name in a DNS response message in the historical domain name record after receiving the DNS response message; and increasing a hit count of the domain name by one, wherein an initial value of the hit count of each domain name is zero. (see Kim, [0080] ‘same …DNS ID’. Also, Wood, [0095] ‘If the domain name in the DNS reply matches the domain name of a recently sent DNS request’. And,  Lyon, [0054] ‘If the ratio exceeds a threshold value, then a network attack is detected’; [0130] ‘a hit count is kept in the database to count the number of (duplicate) requests for each source address and request.’; [0131] ‘checks for whether the recorded hit count [i.e., the hit rate ] for the request exceeds a threshold for the number of requests over a period of time (for example, over the last ten seconds),’).
                    It would have been obvious to one of the ordinary skilled in the art, before the effective filing date of the claimed invention, to apply the teaching of Wood into the system of Kim to use a domain name.  Kim teaches "methods of detecting only a type of 
         It would have been obvious to one of the ordinary skilled in the art, before the effective filing date of the claimed invention, to apply the teaching of Lyon into the system of Kim to use ratio, hit rate.  Kim teaches "methods of detecting only a type of attack traffic of a malicious user.” (see Kim, [0003]). Therefore, Lyon’s teaching could enhance the system of Kim, because Lyon teaches “the invention relates to a data cleaning center having attack detection and/or mitigation modules that provide DDoS attack-free data to back-end servers.” (see Lyon, [0001]).
Referring to claims 8, 17:
		Kim, Wood, and Lyon further disclose:
                      deleting the source address from the dynamic white list in response to the total throughput value is greater than the predetermined throughput value (see Wood, [0022] ‘The novel traffic control method operates off a dynamically changing list of blocked and allowed domain names.’; [0118] ‘use whitelists and/or blacklists’); and
                     adding the source address into a dynamic black list (see Wood, [0022] ‘The novel traffic control method operates off a dynamically changing list of blocked and allowed domain names.’; [0118] ‘use whitelists and/or blacklists’).
                    It would have been obvious to one of the ordinary skilled in the art, before the effective filing date of the claimed invention, to apply the teaching of Wood into the system of Kim to use a white list, and a black list.  Kim teaches "methods of detecting only a type of attack traffic of a malicious user.” (see Kim, [0003]). Therefore, Wood’s teaching could enhance the system of Kim, because Wood teaches “firewalls and systems for providing online security.” (see Wood, [0002]).
Referring to claims 9, 18:
		Kim, Wood, and Lyon further disclose the calculating, the adding (see Lyon, Claim 44, ‘counting’).
         It would have been obvious to one of the ordinary skilled in the art, before the effective filing date of the claimed invention, to apply the teaching of Lyon into the system of Kim to use ratio, hit rate.  Kim teaches "methods of detecting only a type of 
Referring to claim 10:
		Kim, Wood, and Lyon further disclose:
                      discarding the target DNS response message when the dynamic black list includes the source address in the target DNS response message (see Wood, [0119] ‘the site is not only blocked [i.e., discarding the message], but it is on the blacklist as well’; [0094] ‘If the status of the displayed domain name is not "allowed" [i.e., blocked ] 608 then 
the packet is discarded 610’). 
                      It would have been obvious to one of the ordinary skilled in the art, before the effective filing date of the claimed invention, to apply the teaching of Wood into the system of Kim to use a dynamic white list or blacklist.  Kim teaches "methods of detecting only a type of attack traffic of a malicious user.” (see Kim, [0003]). Therefore, Wood’s teaching could enhance the system of Kim, because Wood teaches “firewalls and systems for providing online security.” (see Wood, [0002]).
Referring to claim 15:
		Kim, Wood, and Lyon further disclose:
                      wherein calculating a hit rate of each domain name in the historical domain name record comprises finding a domain name in a DNS response message in the historical domain name record after receiving the DNS response message; and increasing a hit rate of the domain name by one, wherein an initial value of the hit rate of each domain name is zero (see Kim, [0080] ‘same …DNS ID’. Also, Wood, [0095] ‘If the domain name in the DNS reply matches the domain name of a recently sent DNS request’. And,  Lyon, [0130] ‘a hit count is kept in the database to count the number of (duplicate) requests for each source address and request.’).
             It would have been obvious to one of the ordinary skilled in the art, before the effective filing date of the claimed invention, to apply the teaching of Wood into the system of Kim to use a domain name.  Kim teaches "methods of detecting only a type of attack traffic of a malicious user.” (see Kim, [0003]). Therefore, Wood’s teaching could 
         It would have been obvious to one of the ordinary skilled in the art, before the effective filing date of the claimed invention, to apply the teaching of Lyon into the system of Kim to use ratio, hit rate.  Kim teaches "methods of detecting only a type of attack traffic of a malicious user.” (see Kim, [0003]). Therefore, Lyon’s teaching could enhance the system of Kim, because Lyon teaches “the invention relates to a data cleaning center having attack detection and/or mitigation modules that provide DDoS attack-free data to back-end servers.” (see Lyon, [0001]).
Referring to claim 19:
		Kim, Wood, and Lyon further disclose the discarding (see Kim, [0081] ‘the packet is dropped’).
Referring to claim 21:
		Kim, Wood, and Lyon further disclose:
                     storing the domain name and a sending time of the target DNS response message into the historical domain name record if the target domain name in the target DNS response message is not included in the historical domain name record (see Kim, [0018] ‘information regarding a previously generated packet and its generation time may be stored in the DB, and the information regarding the packet may include at least one of 
an ID, a source address, a destination address, and query content.’).
  Referring to claim 22:
		Kim, Wood, and Lyon further disclose:
 	           calculating a ratio between a number of domain names having a hit count greater than a predetermined number and a total number of domain names, wherein the historical domain name record includes all domain names and respective hit counts of the domain names in historical DNS response messages sent by the external network device, and the predetermined number is not less than a natural number of three (see Lyon, [0054] ‘If the ratio exceeds a threshold value, then a network attack is detected’, [0131] ‘checks for whether the recorded hit count [i.e., the hit rate ] for the request exceeds a threshold for the number of requests over a period of time (for example, over the last ten seconds),’);
a dynamically changing list of blocked and allowed domain names.’; [0118] ‘use whitelists and/or blacklists’); and
           adding the source address of the external network device into a dynamic black list (see Wood, [0022] ‘The novel traffic control method operates off a dynamically changing list of blocked and allowed domain names.’; [0118] ‘use whitelists and/or blacklists’).
                     It would have been obvious to one of the ordinary skilled in the art, before the effective filing date of the claimed invention, to apply the teaching of Wood into the system of Kim to use a white list, a black list.  Kim teaches "methods of detecting only a type of attack traffic of a malicious user.” (see Kim, [0003]). Therefore, Wood’s teaching could enhance the system of Kim, because Wood teaches “firewalls and systems for providing online security.” (see Wood, [0002]).
         It would have been obvious to one of the ordinary skilled in the art, before the effective filing date of the claimed invention, to apply the teaching of Lyon into the system of Kim to use ratio, hit rate.  Kim teaches "methods of detecting only a type of attack traffic of a malicious user.” (see Kim, [0003]). Therefore, Lyon’s teaching could enhance the system of Kim, because Lyon teaches “the invention relates to a data cleaning center having attack detection and/or mitigation modules that provide DDoS attack-free data to back-end servers.” (see Lyon, [0001]). 
Referring to claims 24-25:
		Kim, Wood, and Lyon further disclose:
		a target domain in the target DNS response message being not included in a historical domain record (see KIM, fig. 4, 432 ‘same DNS ID? [i.e., checking whether a target domain in the target DNS response message being included in a historical domain record ]’; [0108] ‘it is checked whether or not there is an entry having the same DIP address/query content if the DNS packet includes the response message (1021).’), and
                      a time difference between a first sending time and a second sending time initiated by the external network device for a target domain name being less than a predetermined time difference, wherein the first sending time is a time of sending the response message has been generated within a cache time (threshold time) described with reference to FIG. 9 (for example, within 1 sec immediately before the query message of a current packet is received) 
(1022).’).
Response to Arguments
9.	Applicant's arguments filed January 27, 2021 have been fully considered but they are not persuasive.
(a)	Applicant submits:
“In other words, Kim simply describes determining “whether or not there is the 
previous packet” and fails to describe determining a total number of the previous packets. Kim, therefore, fails to disclose, teach or suggest “the predetermined conditions including a total throughput value being greater than a predetermined throughput value, the total throughput value being a total of a throughput value of the target DNS response message and a throughput value of historical DNS response messages, the historical DNS response messages being all DNS response messages sent by the external network device before the target DNS response message is sent” as amended claim 1 recites.” (see page 15, 2nd par)
Examiner maintains:
Lyon discloses in Claim 44, ‘counting the number of requests for a domain name from the same source to produce a hit count over a period of time [i.e., where the ‘hit count’ corresponding to ‘the total throughput value’, such as a total of a throughput value of the target DNS response message and a throughput value of historical DNS messages ], and comparing the hit count against a threshold value [i.e. the predetermined throughput value ].’.
Therefore, Lyon, in combination of other references, disclose the claimed invention.
 (b)	Applicant submits:
st par)
Examiner maintains:
Lyon discloses in Claim 44, ‘counting the number of requests for a domain name from the same source to produce a hit count over a period of time [i.e., where the ‘hit count’ corresponding to ‘the total throughput value’, such as a total of a throughput value of the target DNS response message and a throughput value of historical DNS messages ], and comparing the hit count against a threshold value [i.e. the predetermined throughput value ].’.
Therefore, Lyon, in combination of other references, disclose the claimed invention.
(c)	Applicant submits;
“Consequently, the combination of Kim, Wood, and Lyon, does not disclose, teach or suggest at least “the predetermined conditions including a total throughput value being greater than a predetermined throughput value, the total throughput value being a total of a throughput value of the target DNS response message and a throughput value of historical DNS response messages, the historical DNS response messages being all DNS response messages sent by the external network device before the target DNS response message is sent” as amended claim 1 recites.” (see page 16, 3rd par)
Examiner maintains:
Lyon discloses in Claim 44, ‘counting the number of requests for a domain name from the same source to produce a hit count over a period of time [i.e., where the ‘hit count’ corresponding to ‘the total throughput value’, such as a total of a throughput value of the target DNS response message and a throughput value of historical DNS messages ], and comparing the hit count against a threshold value [i.e. the predetermined throughput value ].’.
.
Conclusion

10.	The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure.
(a)	KIM; Heemin et al. (US 20150067764 A1) disclose whitelist-based network switch;
(b)	Wackerly; Shaun et al. (US 20140082693 A1) disclose updating security bindings in a network device;
(c)	Zou; Fei et al. (US 8392357 B1) disclose Trust network to reduce e-mail spam;
(d)	Liao; En-Yi et al. (US 8601064 B1) disclose Techniques for defending an email system against malicious sources;
(e)	Kumar; Srinivas et al. (US 20130298192 A1) disclose systems and methods for using reputation scores in network services and transactions to calculate security risks to computer systems and platforms;
(f)	Evans; G. Edward et al. (US 20130208729 A1) disclose systems and methods for facilitation of communications sessions amongst a plurality of networks;
(g)	Roundy; Kevin et al. (US 9275226 B1) disclose Systems and methods for detecting selective malware attacks.

 11.	 Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
           A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and .  
                       Any inquiry concerning this communication or earlier communications from the examiner should be directed to Peiliang Pan whose telephone number is (571)272-5987.  The examiner can normally be reached on Monday-Friday 8:00 am - 5:00 pm EST.
            If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571)272-4006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
            Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/PEILIANG PAN/
Examiner, Art Unit 2492



/TAE K KIM/Primary Examiner, Art Unit 2492