Notice of Pre-AIA  or AIA  Status
1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
2.	Applicant’s arguments filed on 03/09/2021, with respect to the 35 U.S.C 103 rejections of claims 1, 2, 4-7 and 9-20 as being obvious over U.S. Patent No. 8,260,914 to Ranjan (“Ranjan”) in view of U.S. Patent Application Publication No. 2017/0295196 to Arnell et al. (“Arnell”), claim 3 stands rejected as being obvious over Ranjan in view of Amell and further in view of U.S. Patent No. 9,325,735 to Xie et al. (“Xie”), and claim 8 stands rejected as being obvious over Ranjan in view of Arnell and further in view of U.S. Patent Application Publication No. 2018/0351972 to Yu et al. (“Yu”) have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of arguments.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

1, 2, 4-7, and 9-11 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Patent No. 8260914 hereinafter Ranjan in view of U.S. Publication No. 20120084860 hereinafter Cao.

As per claim 1, Ranjan discloses:
A non-transitory machine-readable storage medium comprising instructions to defend against a Domain Name System (DNS)-based attack (Col. 2 Lines 51-54 “In general, in one aspect, the invention relates to a non-transitory computer readable medium storing instructions for detecting automatically generated malicious domain names in a network.”), the instructions upon execution causing a DNS server to:
receive, over a network, DNS queries containing domain names (Col. 5 Lines 31-34 “In one or more embodiments, certain device(s) (e.g., DNS filters (115)) within the computer network (110) may be configured to sanction (e.g., passing or blocking) DNS traffic (e.g., DNS queries, not shown) based on information from the malicious domain name detecting tool (120).”);
extract a common domain name shared by the domain names (Fig. 2, Col. 10 Lines 26-43 “As shown in FIG. 2, initially in Step 201, DNS queries sharing a common attribute in the computer network are identified. In one or more embodiments, the DNS queries sharing a common attribute are identified and/or extracted from the network trace under investigation described above for analysis to detect malicious domain names. In one or more embodiments, the DNS queries sharing a common attribute are identified and/or extracted from Col. 12 Lines 15-16 “In Step 203, the set of alphanumeric elements is analyzed to determine a distribution metric of the set of domain names.”);
determine whether a measure of an amount of data relating to the DNS queries containing the common domain name exceeds a threshold (Col. 9 Lines 55-60 “In one or more embodiments, the network trace is analyzed in a training phase, and referred to as a reference dataset, to fine tune pre-determined parameters (e.g., based distribution, pre-determined threshold, weights, regularization parameter, etc. described below) used in detecting malicious domain names. Example reference dataset includes the non-malicious ISP dataset, non-malicious DNS dataset, and malicious datasets described below.” Col. 12 Lines 19-27 “In Step 204, an alert is generated based on the distribution metric according to a pre-determined criterion. In one or more embodiment, the pre-determined criterion includes pre-determined parameters that are fine-tuned during a training phase such that the alert represents, with acceptable (based on a pre-defined level) false positive rates, detection of 
trigger a countermeasure action to address a threat associated with the DNS queries (Col. 16 Lines 45-47 “Returning to FIG. 2, in STEP 205, a source node of DNS queries labeled as malicious is identified in the computer network in response to generating the alert in Step 204.” Col. 16 Line 57- Col. 17 Line 3 “In Step 206, a network security operation with respect to the source node is performed with the facilitation based on the alert identifying the grouped testdomain as containing domain names automatically generated for malicious activities. For example, a DNS server may be configured to block certain domain names by specifying the blocked domain names in the DNS server policy, referred to as domain blacklisting. Further, a network router may be configured to intercept and selectively block DNS traffic (e.g., DNS queries and/or replies) passing over the computer network or a portion thereof. In particular, one or more network router(s) located logically between the DNS server and the source node (e.g., a bot) sending the malicious DNS queries may be configured to block such bot-generated DNS queries.”).

Ranjan does not disclose:
in response to determining that the measure of the amount of data relating to the DNS queries containing the common domain name exceeds the threshold, trigger countermeasure

Cao discloses:
in response to determining that the measure of the amount of data relating to the DNS queries containing the common domain name exceeds the threshold, trigger countermeasure (para 0014 “In another embodiment, the invention provides a computer-implemented method for detecting malicious software agents. The method includes: (a) constructing a graph based on a plurality of failed queries for domain names sent to one or more domain-name servers by a plurality of hosts during a time period; (b) deriving, from the graph, one or more candidate clusters of hosts, wherein step (b) includes: (b1) generating multi-level hierarchical groupings of Internet Protocol (IP) addresses in the graph based on similarities between at least first and second levels of domain names in failed domain-name queries made by hosts corresponding to the IP addresses; (b2) determining, for each hierarchical grouping, a highest percentage of failed domain-name queries for which a most recently added IP address in the hierarchical grouping has at least first and second levels of domain names in common with another IP address in the hierarchical grouping; and (b3) identifying each highest-level hierarchical grouping having its determined percentage more than a specified percentage threshold as a candidate cluster of hosts; and (c) determining that one or more of the candidate clusters correspond to malicious software agents.” Para 0100 “Next, at step 1003, one or more malicious software agents are detected based on the proportion of new domain names appearing in the failed domain-name queries of the candidate clusters of hosts. Finally, at step 1004, one or more reports are 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of defending against a Domain Name System (DNS)-based attack of Ranjan to including in response to determining that the measure of the amount of data relating to the DNS queries containing the common domain name exceeds the threshold, trigger countermeasure, as taught by Cao.
The motivation would have been to determine the amount of data relating to the DNS queries to properly identify potential attacks.

As per claim 2, Ranjan in view of Cao discloses:
The non-transitory machine-readable storage medium of claim 1, wherein the measure of the amount of data relating to the DNS queries comprises a count of a number of the DNS queries (Ranjan Col. 14 Lines 46-55).

As per claim 4, Ranjan in view of Cao discloses:
The non-transitory machine-readable storage medium of claim 2, wherein the count of the number of the DNS queries exceeding the threshold (Ranjan Col. 9 Lines 55-60 and Col. 12 Lines 19-27)
indicates a denial- of-service attack (Cao para 0005 and 0106).

As per claim 5, Ranjan in view of Cao discloses:
The non-transitory machine-readable storage medium of claim 2, wherein the count of the number of the DNS queries exceeding the threshold (Ranjan Col. 9 Lines 55-60 and Col. 12 Lines 19-27)
indicates a denial- of-service attack against a name server (Cao para 0005, 0014 and 0106).

As per claim 6, Ranjan in view of Cao discloses:
The non-transitory machine-readable storage medium of claim 1, wherein the measure of the amount of data relating to the DNS queries comprises a per-device measure of the amount of data relating to the DNS queries received from an individual electronic device (Ranjan Col. 12 Lines 28-45).

As per claim 7, Ranjan in view of Cao discloses:
The non-transitory machine-readable storage medium of claim 1, wherein the measure of the amount of data relating to the DNS queries comprises an
aggregate measure of the amount of data relating to the DNS queries received from a plurality of electronic devices (Ranjan Figs. 1 and 2, Col. 5 Lines 4-37).

As per claim 9, Ranjan in view of Cao discloses:
The non-transitory machine-readable storage medium of claim 1, wherein the instructions upon execution cause the DNS server to: in response to determining that the measure of the amount of data relating to the DNS 

As per claim 10, Ranjan in view of Cao discloses:
The non-transitory machine-readable storage medium of claim 1, wherein the countermeasure action is selected from among rate limiting or blocking DNS queries from an electronic device or from a plurality of electronic devices; rate limiting or blocking data communication of an electronic device or a plurality of electronic devices; modifying an electronic device or a plurality of electronic devices; and rate limiting or blocking DNS queries to a domain (Ranjan Col. 16 Line 57- Col. 17 Line 3).

As per claim 11, Ranjan in view of Cao discloses:
The non-transitory machine-readable storage medium of claim 1, wherein the instructions upon execution cause the DNS server to: detect unauthorized
access of a resource by an electronic device in response to a DNS query from the electronic device (Ranjan Fig. 2).

4.	Claim 12-20 are rejected under 35 U.S.C. 103 as being unpatentable over Ranjan in view of U.S. Publication No. 2017/0295196 hereinafter Arnell

As per claim 12, Ranjan discloses:
Col. 2 Lines 51-54 “In general, in one aspect, the invention relates to a non-transitory computer readable medium storing instructions for detecting automatically generated malicious domain names in a network.”), comprising:
receiving, by a DNS server, a DNS query from an electronic device over a network (Col. 5 Lines 31-34 “In one or more embodiments, certain device(s) (e.g., DNS filters (115)) within the computer network (110) may be configured to sanction (e.g., passing or blocking) DNS traffic (e.g., DNS queries, not shown) based on information from the malicious domain name detecting tool (120).”);
determining, by the DNS server, whether a network address associated with the DNS query belongs to the network (Fig. 2, Col. 10 Lines 26-43 “As shown in FIG. 2, initially in Step 201, DNS queries sharing a common attribute in the computer network are identified. In one or more embodiments, the DNS queries sharing a common attribute are identified and/or extracted from the network trace under investigation described above for analysis to detect malicious domain names. In one or more embodiments, the DNS queries sharing a common attribute are identified and/or extracted from the reference dataset described above to fine tune the malicious domain name detection. In either scenario, the common attribute may be (1) a top level domain name
corresponding to the DNS queries, (2) an IP address that each of the DNS queries is mapped to, (3) a connected component that each of the DNS 
and in response to determining that the network address associated with the DNS query (Col. 11 Lines 1 -15),
triggering, by the DNS server, a countermeasure action to address a threat associated with the DNS query (Col. 16 Lines 45-47 “Returning to FIG. 2, in STEP 205, a source node of DNS queries labeled as malicious is identified in the computer network in response to generating the alert in Step 204.” Col. 16 Line 57- Col. 17 Line 3 “In Step 206, a network security operation with respect to the source node is performed with the facilitation based on the alert identifying the grouped test domain as containing domain names automatically generated for malicious activities. For example, a DNS server may be configured to block certain domain names by specifying the blocked domain names in the DNS server policy, referred to as domain blacklisting. Further, a network router may be configured to intercept and selectively block DNS traffic (e.g., DNS queries and/or replies) passing over the computer network or a portion thereof. In particular, one or more network router(s) located logically between the DNS server and the source node (e.g., a bot) sending the malicious DNS queries may be configured to block such bot-generated DNS queries.”).

Ranjan does not disclose:


Arnell discloses:
in response to determining that the network address associated with the DNS query belongs to a different network (para 0017 “Characteristics that may be indicative of an anomaly include, by way of example, a change in the DNS configuration of a client device, the volume of DNS query traffic being sent from a particular client computing device, the length of DNS events toward a specific destination, pseudo-randomly generated domain names being queried, unrecognized domain name(s) being queried, and mismatches between externally resolved IP addresses and IP addresses resolved by a trusted DNS source, to name a few.”)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of defending against a Domain Name System (DNS)-based attack of Ranjan to include in response to determining that the network address associated with the DNS query belongs to a different network, trigger countermeasure, as taught by Arnell.
The motivation would have been to determining that the network address associated with the DNS query belongs to a different network to properly identify potential attacks.

As per claim 13, Ranjan in view of Arnell discloses:
The method of claim 12, wherein the network address is a source network address identifying a source of the DNS query (Arnell para 0013).

As per claim 14, Ranjan in view of Arnell discloses:
The method of claim 13, wherein the electronic device is part of the network, and the source network address identifies an entity external of the network (Arnell para 0031).

As per claim 15, Ranjan in view of Arnell discloses:
The method of claim 12, further comprising: in response to determining that the network address associated with the DNS query belongs to a different network, indicate occurrence of a DNS amplification attack (Arnell para 0017 and 0031).

As per claim 16, Ranjan in view of Arnell discloses:
The method of claim 12, wherein the countermeasure action is selected from dropping the DNS query or declining to provide a response to the DNS query (Ranjan Col. 16 Lines 45-47 and Col. 16 Line 57- Col. 17 Line 3).

As per claim 17, Ranjan discloses:
A Domain Name System (DNS) server (Col. 6 Lines 7-16 “For example, the DNS filters (115) may include a DNS server configured to block 
a processor; and a non-transitory machine-readable storage medium storing instructions executable on the processor (Col. 2 Lines 51-65 “In general, in one aspect, the invention relates to a non-transitory computer readable medium storing instructions for detecting automatically generated malicious domain names in a network. The instructions when executed by a processor of a computer includes functionality for identifying a plurality of domain name service (DNS) queries in the network, wherein the plurality of DNS queries share a common attribute, analyzing, using a central processing unit (CPU) of a computer, the plurality of DNS queries to identify a plurality of alphanumeric elements embedded in a set of domain names associated with the plurality of DNS queries, analyzing, using the CPU, the plurality of alphanumeric elements to determine a distribution metric of the set of domain names, and generating an alert based on the distribution metric according to a pre-determined criterion.”) to:
receive, over a network, DNS queries containing domain names (Col. 5 Lines 31-34 “In one or more embodiments, certain device(s) (e.g., DNS filters (115)) within the computer network (110) may be configured to 
extract a top level domain name shared by the domain names (Col. 8 Lines 18-31 “In one or more embodiments, the detection module (122) includes the grouping module (124) that is configured to partition the obtained DNS queries into groups based on common attributes. In one or more embodiments, DNS queries in a partitioned group share a common top level domain name corresponding to the DNS queries. In one or more embodiments, DNS queries in a partitioned group share a common IP address that the DNS queries map to. In one or more embodiments, DNS queries in a partitioned group belong to a common connected component in an IP-domain bipartite graph of the DNS queries. In such embodiments, the connected component is identified by performing connected component analysis of the IP-domain bipartite graph of the DNS queries.”);
determine whether a measure of an amount of data relating to the DNS queries containing the top level domain name exceeds a threshold (Col. 9 Lines 55-60 “In one or more embodiments, the network trace is analyzed in a training phase, and referred to as a reference dataset, to fine tune pre-determined parameters (e.g., based distribution, pre-determined threshold, weights, regularization parameter, etc. described below) used in detecting malicious domain names. Example reference dataset includes the non-malicious ISP dataset, non-malicious DNS dataset, and malicious datasets described below.” Col. 12 Lines 19-27 “In Step 204, an alert is generated based on the 
and in response to determining that the measure of the amount of data relating to the DNS queries containing the top level domain name exceeds the threshold (Col. 11 Lines 1-15),
trigger a countermeasure (Col. 16 Lines 45-47)

Ranjan does not disclose:
trigger a countermeasure action to address a threat associated with the DNS queries

Arnell discloses:
trigger a countermeasure action to address a threat associated with the DNS queries (para 0048 “Data specifying the DNS anomaly is provided to a user device (308). In some implementations, the user device is internal to the private network, e.g., a computing device of a private network administrator.”)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of defending against a Domain Name System (DNS)-based attack of Ranjan 
The motivation would have been to trigger a countermeasure action to properly address a threat within a network.

As per claim 18, Ranjan in view of Arnell discloses:
The DNS server of claim 17, wherein the instructions are executable on the processor to: in response to determining that the measure of the amount of data relating to the DNS queries containing the top level domain name exceeds the threshold (Ranjan Col. 8 Lines 18-31, Col. 9 Lines 55-60 and Col. 12 Lines 19-27), 
indicate occurrence of a denial-of-service attack (Arnell para 0031).

As per claim 19, Ranjan in view of Arnell discloses:
The DNS server of claim 17, wherein the instructions are executable on the processor to: in response to determining that the measure of the amount of data relating to the DNS queries containing the top level domain name exceeds the threshold, indicate occurrence of data exfiltration (Ranjan Col. 9 Lines 55-60 and Col. 12 Lines 19-27) and (Arnell para 0031).

As per claim 20, Ranjan in view of Arnell discloses:
The DNS server of claim 17, wherein the instructions are executable on the processor to: receive a DNS query from an electronic device over 
and (Arnell para 0017).

5. 	Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Ranjan in view of Cao, and further in view of U.S. Patent No. 9325735 hereinafter Xie.

As per claim 3, Ranjan in view of Cao discloses:
The non-transitory machine-readable storage medium of claim 1, wherein the count of the number of the DNS queries comprises a count of the number of the DNS queries (Ranjan Col. 14 Lines 46-55)

Ranjan in view of Cao does not disclose:
a count of the number of the DNS queries that resulted in a cache miss at the DNS server

Xie discloses:
a count of the number of the DNS queries that resulted in a cache miss at the DNS server (Col. 6 Lines 26-48 “In one embodiment, selective sinkholing of

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of defending against a Domain Name System (DNS)-based attack of Ranjan in view of Cao to include a count of the number of the DNS queries that resulted in a cache miss at the DNS server, as taught by Xie.
.

6. 	Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Ranjan in view of Cao, and further in view of U.S. Publication No. 20180351972 hereinafter Yu.

As per claim 8, Ranjan in view of Cao discloses:
The non-transitory machine-readable storage medium of claim 1, wherein the instructions upon execution cause the DNS server to: use a Bloom filter to determine whether a domain name of a DNS query is in a set of domain names received previously by the DNS server (Ranjan Fig. 2, Col. 6 Lines 3-32).

Ranjan in view of Cao does not disclose:
use a Bloom filter to determine whether a domain name of a DNS query

Yu discloses:
use a Bloom filter to determine whether a domain name of a DNS query (para 0055 “FIG. 1A depicts how a classifier 104 can be deployed for inline DGA detection, showing a transaction with an infected client host or client host 106. Client host 106 performs a DNS query as shown at 112. If the DNS query is not resolved by a DNS server 102, then DNS server 102 sends an NXDomain response as shown at 114. Domains which resolve at DNS server Para 0056 “FIG. 1B depicts how a classifier can be deployed for providing an inline DGA detection component as shown at 154. Client host 156 is in communication with a DNS server policy engine as shown at 152 for performing DNS queries. For example, if client 156 sends a DNS query (e.g., A/AAAA query) to DNS server policy engine 152, and if not cached, then DNS server policy engine 152 forwards the DNS query to an upper recursion 162 and also to an inline DGA detection component 154. If DNS server policy engine 152 receives a DNS response from upper recursion 162 and inline DGA detection timed out, then the DNS response is sent back to client 156. Inline DGA detection 154 checks a bloom filter 158 to determine if positive (i.e., this particular DNS query is likely in the set of DNS queries maintained by the bloom filter), then return null; otherwise, the bloom filter result is negative (i.e., this particular DNS query is definitely not in the set of DNS queries maintained by the bloom filter) and inline DGA detection is performed to determine whether the DNS query is determined to be associated with DGA malware (i.e., a positive result is a prediction that it is malicious using the inline DGA detection classifier) or not (i.e., a negative result is a prediction that it is not malicious using the inline DGA detection classifier). If the DNS query is resolved and detection is positive from inline DGA detection 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of defending against a Domain Name System (DNS)-based attack of Ranjan in view of Cao to include use a Bloom filter to determine whether a domain name of a DNS query, as taught by Yu.
The motivation would have been to use a properly filter to accurately identify a domain name.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GARY S GRACIA whose telephone number is (571)270-5192.  The examiner can normally be reached on Monday-Friday 9am-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 5712723972.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/GARY S GRACIA/Primary Examiner, Art Unit 2491