DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


Response to Amendments
This communication is in response to the amendments filed on 8 October 2020:
	Claims 1, 10 and 18 are amended.
	Claims 1-20 are pending.


Allowable Subject Matter
Claims 1-20 are allowed. The following is an examiner’s statement of reasons for allowance:

The instant invention is directed towards techniques for detecting particular Domain Name System (DNS) misuse, wherein the method includes obtaining monitored network data. The monitored network data includes respective instances of request traffic. The request traffic is associated with DNS requests that request resolution of a name that belongs to at least one identified domain. Each DNS request is sent from a source address of one or more stub resolvers; the source address of the stub resolver may be spoofed. The method further includes detecting a combination of a first condition of the approximation of a first cardinality and a second condition of the approximation of a second cardinality, wherein the combination of the first and second conditions indicates the occurrence of a specific DNS misuse. The method further includes performing an action to at least one of output a notification of and correct a condition associated with the detected occurrence of the specific DNS misuse.
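An added illustration of the two-cardinality tracking described above, not code from the application or from the examiner: HyperLogLog stands in for the unspecified "probabilistic algorithm", one tracker instance is assumed per time window, and the thresholds, the both-exceed rule, the class names and the `.example` traffic are assumptions constructed for this example.

```python
import hashlib
import math
from collections import defaultdict

class HyperLogLog:  # approximate distinct count using 2**p one-byte registers
    def __init__(self, p=12):
        self.p, self.m, self.reg = p, 1 << p, bytearray(1 << p)

    def add(self, item):
        h = int.from_bytes(hashlib.sha256(item.encode()).digest()[:8], "big")
        idx = h >> (64 - self.p)                      # top p bits pick a register
        rest = h & ((1 << (64 - self.p)) - 1)         # remaining 64-p bits
        rank = (64 - self.p) - rest.bit_length() + 1  # leading zeros + 1
        self.reg[idx] = max(self.reg[idx], rank)

    def estimate(self):
        alpha = 0.7213 / (1 + 1.079 / self.m)
        raw = alpha * self.m ** 2 / sum(2.0 ** -r for r in self.reg)
        zeros = self.reg.count(0)
        if raw <= 2.5 * self.m and zeros:             # small-range correction
            return self.m * math.log(self.m / zeros)
        return raw

class DomainTracker:
    def __init__(self, name_limit, source_limit):
        self.name_limit, self.source_limit = name_limit, source_limit
        self.names = defaultdict(HyperLogLog)         # unique names per domain
        self.sources = defaultdict(HyperLogLog)       # unique sources per domain

    def observe(self, src, qname, domain):
        self.names[domain].add(qname.lower().rstrip("."))
        self.sources[domain].add(src)

    def flagged(self):
        # Assumed rule: both approximated cardinalities exceed their limits.
        return sorted(d for d in self.names
                      if self.names[d].estimate() > self.name_limit
                      and self.sources[d].estimate() > self.source_limit)

def run_sample():
    """Constructed traffic: three domains with different name/source mixes."""
    t = DomainTracker(name_limit=1000, source_limit=1000)
    for i in range(5000):
        j = i % 3000
        many, few = f"10.0.{j // 250}.{j % 250 + 1}", f"10.9.9.{i % 5 + 1}"
        t.observe(many, f"{i:08x}.flood.example", "flood.example")
        t.observe(many, f"www{i % 20}.popular.example", "popular.example")
        t.observe(few, f"{i:08x}.bulk.example", "bulk.example")
    return t
```

Each sketch holds 4096 bytes regardless of how many names or addresses it has seen, which is the practical reason to approximate rather than count when source addresses may be spoofed and unbounded.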

The closest prior art is as follows:

Mitchell (U.S. PGPub. 2015/0350229) discloses techniques for detecting an abuse to a network environment, comprising real-time name service transaction data to resolve a domain name to a network address being collected from the network environment. The collected transaction information and a historical name service information is analyzed against at least one rule. When the collected transaction information is determined to match at least one rule, the network address is determined to be associated with a potential abuser of the network environment. However, unlike the instant invention, Mitchell does not disclose “wherein the first cardinality is approximated and tracked using a probabilistic algorithm, rather than counting; wherein the second cardinality is approximated and tracked using the probabilistic algorithm, rather than counting.”

Gebremariam et al. (U.S. Patent 10,025,813) discloses techniques for a computing system that transforms variable values in a dataset using a transformation flow definition applied in parallel. The transformation flow definition indicates flow variables and transformation phases to apply to the flow variables. A computation is defined for each variable and for each transformation phase. However, unlike the instant invention, Gebremariam does not disclose “tracking over time an approximation of a first cardinality of names indicated for a selected domain of the at least one identified domain and included in the instances of request traffic, wherein the first cardinality includes a number of unique names of names indicated in instances of the request traffic for the selected domain, the first cardinality being approximated and tracked using a probabilistic algorithm, rather than counting; tracking over time an approximation of a second cardinality of source addresses associated with the selected domain and included in the instances of request traffic, wherein the second cardinality includes a number of unique source addresses of the source addresses indicated in instances of the request traffic for the selected domain, the second cardinality being approximated and tracked using the probabilistic algorithm, rather than counting.”

Ketkar et al. (U.S. PGPub. 2014/0067751) discloses techniques for compressed set representation for sets as measures in OLAP cubes, comprising a cardinality of an incoming data stream being maintained in real time; the cardinality is maintained in a data structure that is represented by an unsorted list at low cardinalities, a linear counter at medium cardinalities, and a PCSA at high 

Dagon et al. (U.S. PGPub. 2008/0028463) discloses techniques for detecting a first network of compromised computers in a second network of computers, comprising: collecting Domain Name System (DNS) data for the second network; examining the collected data relative to DNS data from known compromised and/or uncompromised computers in the second network; and determining the existence of the first network and/or the identity of compromised computers in the second network based on the examination. However, unlike the instant invention, Dagon does not disclose “tracking over time an approximation of a first cardinality of names indicated for a selected domain of the at least one identified domain and included in the instances of request traffic, wherein the first cardinality includes a number of unique names of names indicated in instances of the request traffic for the selected domain, the first cardinality being approximated and tracked using a probabilistic algorithm, rather than counting; tracking over time an approximation of a second cardinality of source addresses associated with the selected domain and included in the instances of request traffic, wherein the second cardinality includes a number of unique source addresses of the source addresses indicated in instances of the request traffic for the selected domain, the second cardinality being approximated and tracked using the probabilistic algorithm, rather than counting.”

Klitenik et al. (U.S. PGPub. 2018/0139171) discloses techniques for tracking the locations of mobile asset(s), comprising a module physically associated with a mobile asset and a remote server that communicates with the module via access point(s) providing access to a communication network including a domain name server. However, unlike the instant invention, Klitenik does not disclose “tracking over time an approximation of a first cardinality of names indicated for a selected domain of the at least one identified domain and included in the instances of request traffic, wherein the first cardinality includes a number of unique names of names indicated in instances of the request traffic for the selected domain, the first cardinality being approximated and tracked using a probabilistic algorithm, rather than counting; tracking over time an approximation of a second cardinality of source addresses associated with the selected domain and included in the instances of request traffic, wherein the second cardinality includes a number of unique source addresses of the source addresses indicated in instances of the request traffic for the selected domain, the second cardinality being approximated and tracked using the probabilistic algorithm, rather than counting.”

The prior art references above, individually or in combination, do not disclose the claimed limitations. For at least these reasons, claims 1-20 are allowed.


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RODMAN ALEXANDER MAHMOUDI whose telephone number is (571) 272-8747. The examiner can normally be reached on M-F 11:00am – 7:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu, can be reached on (571) 272-6798. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.


/RODMAN ALEXANDER MAHMOUDI/Examiner, Art Unit 2433

/ANTHONY D BROWN/Primary Examiner, Art Unit 2433