Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Examiner’s Amendment
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
IN THE CLAIMS
Please AMEND claims 2, 12, 17, and 22 without prejudice or disclaimer.
Please AMEND claims 2, 12, 17, and 22 as follows:
2.	(Currently Amended)	A system for monitoring and analysis of interactions between network endpoints, comprising:
a processor configured to:
collect Domain Name System (DNS) response data from a network device, comprising to:
identify DNS responses from the network device that match User Datagram Protocol (UDP) port 53;
determine network endpoint interactions based on an analysis of the DNS response data;
generate a graph corresponding to the network endpoint interactions; 
group, using the graph, the network endpoint interactions over a period of time to obtain a group of endpoint interactions;
determine whether anomalous network activity has occurred based on an analysis of the generated graph, comprising to: 

in response to a determination that a difference between the first number and the second number meets or exceeds a threshold, determine that the anomalous network activity has occurred; and
in response to a determination that the anomalous network activity has occurred, perform a remedial action; and
a memory coupled to the processor and configured to provide the processor with instructions. 

12.	(Currently Amended)	A method for monitoring and analysis of interactions between network endpoints, comprising:
collecting Domain Name System (DNS) response data from a network device, comprising:
identifying DNS responses from the network device that match User Datagram Protocol (UDP) port 53;
determining network endpoint interactions based on an analysis of the DNS response data; 
generating a graph corresponding to the network endpoint interactions;
grouping, using the graph, the network endpoint interactions over a period of time to obtain a group of endpoint interactions;
determining whether anomalous network activity has occurred based on an analysis of the generated graph, comprising: 
comparing a first number of a first group of endpoint interactions over a current period of time with a second number of a second group of endpoint interactions over a previous period of time; and
in response to a determination that a difference between the first number and the second number meets or exceeds a threshold, determining that the anomalous network activity has occurred; and



17.	(Currently Amended)	A computer program product for monitoring and analysis of interactions between network endpoints, the computer program product being embodied in a tangible computer readable storage medium and comprising computer instructions for:
collecting Domain Name System (DNS) response data from a network device, comprising:
identifying DNS responses from the network device that match User Datagram Protocol (UDP) port 53; 
determining network endpoint interactions based on an analysis of the DNS response data; 
generating a graph corresponding to the network endpoint interactions;
grouping, using the graph, the network endpoint interactions over a period of time to obtain a group of endpoint interactions;
determining whether anomalous network activity has occurred based on an analysis of the generated graph, comprising: 
comparing a first number of a first group of endpoint interactions over a current period of time with a second number of a second group of endpoint interactions over a previous period of time; and
in response to a determination that a difference between the first number and the second number meets or exceeds a threshold, determining that the anomalous network activity has occurred; and
in response to a determination that the anomalous network activity has occurred, performing a remedial action.

22.	(Currently Amended)	A system for monitoring and analysis of interactions between network endpoints, comprising:
a controller for collecting network data from a plurality of network devices in an enterprise network, wherein the collecting of the network data comprises identifying DNS responses from the plurality of network devices that match User Datagram Protocol (UDP) port 53;
a data store in communication with the controller for storing the network data; 
an analyzer in communication with the data store for performing an analysis of the network data to determine interactions between network endpoints; 
a graphics visualizer in communication with the analyzer for generating a graph based on the interactions between network endpoints, and grouping, using the graph, the network endpoint interactions over a period of time to obtain a group of endpoint interactions; and 
a determiner in communication with the graphics visualizer for determining whether anomalous network activity has occurred based on an analysis of the generated graph, comprising:
comparing a first number of a first group of endpoint interactions over a current period of time with a second number of a second group of endpoint interactions over a previous period of time; and
in response to a determination that a difference between the first number and the second number meets or exceeds a threshold, determining that the anomalous network activity has occurred; and 
in response to a determination that the anomalous network activity has occurred, performing a remedial action.
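
The detection flow recited in the amended claims, sketched as an added example that is not part of this Office action or of the application: keep only records matching UDP port 53, build a per-window graph of endpoint interactions, and compare the current window's count with the previous one against a threshold. The record layout, the 300-second window, the threshold of 3, grouping by client endpoint and the use of an absolute difference are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample records (not real traffic):
# (epoch_seconds, protocol, source_port, client_ip, queried_name, answer_ip)
RECORDS = [
    (100, "udp", 53, "10.0.0.5", "intranet.example", "10.0.1.10"),
    (130, "udp", 53, "10.0.0.5", "mail.example", "10.0.1.20"),
    (150, "tcp", 443, "10.0.0.5", "", "10.0.1.10"),          # not DNS, ignored
    (160, "udp", 53, "10.0.0.7", "intranet.example", "10.0.1.10"),
    (400, "udp", 53, "10.0.0.5", "intranet.example", "10.0.1.10"),
    (410, "udp", 53, "10.0.0.5", "a1.example", "192.0.2.1"),
    (415, "udp", 53, "10.0.0.5", "a2.example", "192.0.2.2"),
    (420, "udp", 5353, "10.0.0.7", "x.local", "192.0.2.9"),  # wrong port, ignored
    (430, "udp", 53, "10.0.0.5", "a3.example", "192.0.2.3"),
    (440, "udp", 53, "10.0.0.5", "a4.example", "192.0.2.4"),
    (450, "udp", 53, "10.0.0.7", "intranet.example", "10.0.1.10"),
]
WINDOW_SECONDS = 300   # assumed length of one "period of time"
THRESHOLD = 3          # assumed difference that counts as anomalous


def dns_responses(records):
    """Keep only records that match UDP port 53, i.e. DNS responses."""
    return [r for r in records if r[1] == "udp" and r[2] == 53]


def build_graphs(records, window=WINDOW_SECONDS):
    """One graph per window: {window_index: {client_ip: {answer_ip, ...}}}."""
    graphs = defaultdict(lambda: defaultdict(set))
    for ts, _proto, _port, client, _qname, answer in dns_responses(records):
        graphs[ts // window][client].add(answer)   # edge client -> resolved endpoint
    return graphs


def anomalies(records, current, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Compare each client's interaction count in `current` with the prior window."""
    graphs = build_graphs(records, window)
    cur, prev = graphs.get(current, {}), graphs.get(current - 1, {})
    flagged = {}
    for client in set(cur) | set(prev):
        first = len(cur.get(client, ()))    # first number: current period
        second = len(prev.get(client, ()))  # second number: previous period
        if abs(first - second) >= threshold:
            flagged[client] = (first, second)
    return flagged


if __name__ == "__main__":
    print(anomalies(RECORDS, current=1))
```

A remedial action (alerting, quarantining the endpoint) would be triggered for each key in the returned mapping; the claims do not specify which action, so none is implemented here.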


Allowable Subject Matter
Claims 2-26 are allowed in view of the cited prior art of record and the prosecution history of the instant application, from which the reasons for allowance are clear.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled "Comments on Statement of Reasons for Allowance." 
Reason for Allowance

The following is an examiner’s statement of reasons for allowance: the prior art of record fails to disclose or suggest systems, method, and computer program product for monitoring and analysis of interaction between network endpoints comprising collecting DNS response data from a network device to identify DNS responses from the network device that match UDP port 53 and determine network endpoint interactions based on an analysis of the DNS response data in combination with other claim limitations.
Claims 2-26 are allowed.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BARBARA BURGESS ANYAN whose telephone number is (571)272-3996.  The examiner can normally be reached on IFP M-F 8am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ario Etienne can be reached on 571-272-4001.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/BARBARA B Anyan/ Primary Examiner, Art Unit 2457
May 8, 2021