DETAILED ACTION

1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 
 
 2.	The Office action is in response to the patent application filed on October 31, 2018.  The application contains 20 claims.  Claims 1-20 are directed to a method, a system, and a computer-readable storage media for performing server behavioral  profiling. Claims 1-20 are pending.
 
Claim Rejections - 35 USC § 103

3.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

4.	Claims 1-20  are rejected under 35 U.S.C. 103 as being unpatentable over Giura et al. (U.S. 2019/0312796 A1), hereinafter “Giura”, in view of Teal (U.S. 2019/0081983 A1).
Referring to claims 1, 11, 17:
	i.	Giura teaches:
                      A computer-implemented method, comprising: 
                      selecting a list of servers in a computer network to perform behavioural profiling, wherein each server from the list of servers is associated with a domain name, wherein the list of servers comprises domain name entries, and wherein the list of servers is prioritized according to a popularity value for each server (see Giura, [0018] ‘generating and associating severity scores [i.e., prioritizing ] for each generated behavior profiling report generated for respective networked server devices.’; [0030] ‘provide details such as domain information’; [0019] ‘depicting the second device on a connected graph [i.e., a popularity value ] of anomalous contacts established by the first device.’); 
                      updating the list of servers based at least in part on a popularity threshold (see Giura, [0032] ‘update a connected graph of anomalous contacts’; [0031] ‘supplemented, augmented’; [0206] ‘This deviation measure or threshold can be a parameter that can be tuned to a certain value’);
                      partitioning the computer network into one of: groups of devices (see Giura, [0016] ‘a collection or network of devices’; [0003] ‘groups of destination devices; claim 4 ‘a grouping of database devices’);
                      establishing a hierarchy along one of: the subnetworks or the subdomains based at least in part on the domain name entries in the list of servers (see Giura, [0025] ‘the behavior profiling report and the associated severity scores…are processed to generate ranked reports’); 
                       updating the popularity value for a server associated with a resolved network address in one of: the subnetworks or the subdomains, wherein the resolved network address is mapped into the domain name for the server and is accessed by a client device in the computer network (see Giura, [0032] ‘update a connected graph of anomalous contacts’; [0031] ‘supplemented, augmented’; [0037] ‘IP address have mapped to the names of the organization’; [0030] ‘provide details such as domain information’); and 
                       updating the hierarchy along one of: the subnetworks or the subdomains based at least in part on the popularity value (see Giura, [0032] ‘update a connected graph of anomalous contacts’; [0031] ‘supplemented, augmented’).
		Giura does not explicitly disclose the subnet or subdomain. 
	ii.	Teal disclose the subnet (see Teal, [0301] ‘partition, network, subnet’)
	iii.	It would have been obvious to one of the ordinary skilled in the art, before the effective filing date of the claimed invention, to apply the teaching of Teal into the system of Giura to partition the network into subnet or subdomain.  Giura teaches “The disclosed subject matter relates to the generation of behavior profiling reports for enterprise server devices in a network or collection of enterprise server devices,“ (see 
Referring to claims 2, 12, 18:
		Giura and Teal further disclose:
		determining the popularity value for each server from the list of servers by determining a connectivity for each server in a network graph (see Giura, [0019] ‘depicting the second device on a connected graph of anomalous contacts [i.e., the connectivity ]  established by the first device.’).
Referring to claims 3, 13, 19:
		Giura and Teal further disclose:
		determining the popularity value for each server from the list of servers based at least in part on a frequency of appearance of a domain name for each server in a log of transactions in the computer network (see Giura, [0017] ‘The richness of such varied network logs collected, allows for assessment of suspicious new connections made to and by enterprise server devices and to react better in cases where real and actual security breaches occur.’.
Referring to claims 4, 14, 20:
		Giura and Teal further disclose:
                      updating the popularity value for the server associated with the resolved network address comprises normalizing a behaviour of the server with a frequency of access to the server in the computer network (see Teal, [0160] ‘a normalized IOC (an Indication of Compromise)’).
 		It would have been obvious to one of the ordinary skilled in the art, before the effective filing date of the claimed invention, to apply the teaching of Teal into the system of Giura to implement normalizing process.  Giura teaches “The disclosed subject matter relates to the generation of behavior profiling reports for enterprise server devices in a network or collection of enterprise server devices,“ (see Giura, [0002).  Therefore, Teal’s teaching could enhance the system of Giura,  because Giura teaches “techniques for improving endpoint security.” ( see Teal, [0002]). 
Referring to claims 5, 15:
		Giura and Teal further disclose:

Referring to claims 6, 16:
		Giura and Teal further disclose:
                      partitioning the computer network into one of: the subnetworks or the subbomains according to a social network of users of the computer network (see Teal, [0301] ‘partition, network, subnet’; [0073] ‘certain people (e.g. employees, groups of employees, types of employees, guest of the corporation, etc.)’).
 		It would have been obvious to one of the ordinary skilled in the art, before the effective filing date of the claimed invention, to apply the teaching of Teal into the system of Giura to partition the network into subnet or subdomain.  Giura teaches “The disclosed subject matter relates to the generation of behavior profiling reports for enterprise server devices in a network or collection of enterprise server devices,“ (see Giura, [0002).  Therefore, Teal’s teaching could enhance the system of Giura,  because Giura teaches “techniques for improving endpoint security.” ( see Teal, [0002]). 
Referring to claim 7:
		Giura and Teal further disclose:
		partitioning the computer network into an internal network comprising internal servers, and an external network comprising external servers, wherein the internal network and the external network are separated by a firewall defined according to an internal network administrator (see Giura, [0031] ‘(internal and/or extern) servers’ And, Teal, [0075] ‘network administrators’). 
 		It would have been obvious to one of the ordinary skilled in the art, before the effective filing date of the claimed invention, to apply the teaching of Teal into the system of Giura to have a network administrator.  Giura teaches “The disclosed subject matter relates to the generation of behavior profiling reports for enterprise server devices in a network or collection of enterprise server devices,“ (see Giura, [0002).  Therefore, Teal’s teaching could enhance the system of Giura,  because Giura teaches “techniques for improving endpoint security.” ( see Teal, [0002]). 
Referring to claim 8:

		removing a domain name from the list of servers when the domain name is flagged for a safety compromise (see Giura, [0025] ‘The global graph view provided by the graph structure can enable security analysts to quickly single out and identify problematic internal servers and assess the overall security situation.’). 
Referring to claim 9:
		Giura further discloses:
                     removing a domain name from the list of servers when a request for accessing the domain name violates a timing protocol (see Giura, [0021] ‘determined to have failed to establish a contact with the second device within a defined period of time;’).
Referring to claim 10:
		Giura further discloses:
		flagging a domain name associated with an internal server that has been accessed by an external server (see Giura, [0031] ‘information that profiling engine 102 can employ to determine anomalous contacting devices can also include server lists that can have been generated to include (internal and/or external) server devices’).  
 
Conclusion

5.	The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure.
(a)	Hwang; Jinho et al.( US 20160337317 A1) disclose Automated Migration Planning for Moving into a Setting of Multiple Firewalls;
(b)	Salgueiro; Gonzalo et al. (US 20180316555 A1) disclose cognitive profiling and sharing of sensor data across iot networks;
(c)	Holloway; Lee Hahn et al. (US 20150281168 A1) disclose domain name system cname record management;
(d)	Holmes; Alexander D. et al. (US 20100257024 A1) disclose Domain Traffic Ranking;
(e)	Uppal; Hardeep Singh et al. (US 10469513 B2) disclose Encrypted network addresses;

(g)	Huang; Yangcheng (US 20160099860 A1) disclose network entity for programmably arranging an intermediate node for serving communications between a source node and a target node.

 	 6.         Any inquiry concerning this communication or earlier communications from the examiner should be directed to Peiliang Pan whose telephone number is (571) 272-5987.  The examiner can normally be reached on Monday-Friday 8:00 am - 5:00 pm EST.
            If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571) 272-4006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
            Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/PEILIANG PAN/
Examiner, Art Unit 2492

/SALEH NAJJAR/Supervisory Patent Examiner, Art Unit 2492