Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
Claims 1-20 are pending.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1, 2, 19 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Antonakakis et al (US Pub. No. 2012/0042381), hereafter, “Antonakakis,” in view of Zhang et al (US Pat. 9,749,336), hereafter, “Zhang.”

As to claim 1, Antonakakis discloses a method for detecting a malicious domain comprising: 
providing data to a machine learning module (Fig. 1, labels 125, 130 and Fig. 5, label 515), wherein the machine learning module was previously trained on a plurality of Internet Protocol ("IP") address attributes and a plurality of domain attributes and a list of known malicious domains (Fig. 5, labels 505, 510, and [0015]-[0016], particularly, “Then, the pDNS database 125 may retrieve the related historic IP address (RHIP) information and the related historic domain name (RHDN) information. The RHIP address information may comprise the set of IP addresses ever pointed to by the domain name, the set of IP addresses ever pointed to the 3LD of the domain name, and the set of IP addresses ever pointed to the 2LD of the domain name…In 510, the pDNS query information may be utilized to measure statistical features of known malicious domain names and known legitimate domain names.”), and wherein the data comprises a plurality of domains and a plurality of IP addresses (Fig. 5 and [0033], particularly, “Referring back to FIG. 5, in 515, the information compiled using the statistical features may be utilized by the reputation engine 130 to compute a reputation score for a new domain name, where the reputation score indicates whether the new domain name is likely to be for malicious or legitimate uses.” With [0015], “For example, information about the set of IP addresses to which the domain name points may be obtained.” This discloses that IP addresses are provided and processed alongside domain names); 

associating each of the plurality of domains and the plurality of IP addresses within the data based on the corresponding classification ([0033], particularly, “Referring back to FIG. 5, in 515, the information compiled using the statistical features may be utilized by the reputation engine 130 to compute a reputation score for a new domain name, where the reputation score indicates whether the new domain name is likely to be for malicious or legitimate uses.”); 
assessing the maliciousness of a domain ([0033], particularly, “Referring back to FIG. 5, in 515, the information compiled using the statistical features may be utilized by the reputation engine 130 to compute a reputation score for a new domain name, where the reputation score indicates whether the new domain name is likely to be for malicious or legitimate uses.”).
However, Antonakakis does not disclose building a weighted domain graph based on the classification and association of each of the plurality of domains and the plurality of IP addresses within the data and 
wherein the assessing the maliciousness of a domain is based on the weighted domain graph.
But, Zhang discloses building a weighted domain graph based on the classification and association of each of the plurality of domains and the plurality of IP addresses within the data (Figs. 3, 10 and column 19, lines 1-29, particularly, “FIG. 10 is a directed graph diagram 
assessing the maliciousness of a domain based on the weighted domain graph (Figs. 3, 10 and column 19, lines 1-29, particularly, “If the domain MNO.ORG 1002 is determined to be a malware domain (e.g., reputation score for the domain exceeds a threshold using various techniques described herein), then the malware group or cluster 450 can be extended to include the domain MNO.ORG 1002.”).
Therefore, it would have been obvious to one of ordinary skill in the art prior to the effective filing date of the application to combine the teachings of Antonakakis and Zhang in order to provide a known, reliable means of classifying domain names as malicious in a more robust and efficient manner.

As to claims 19 and 20, they are rejected by a similar rationale to that set forth in claim 1’s rejection.
 
As to claim 2, the teachings of Antonakakis and Zhang, as combined for the same reasons as set forth in claim 1’s rejection, further disclose that the plurality of IP address attributes comprises a plurality of IP address attribute sets ([0016]-[0032], particularly, “Given an IP address a, BGP(a) is the set of all IPs within the BGP prefix of a, and AS(a) is the set of IPs located in the AS in which a resides. In addition, these functions may extend to take as input a set of IPs: given IP set A = {a₁, a₂, …, a_N}, BGP(A) = ∪_{k=1…N} BGP(a_k); AS(a) may be similarly extended.”).
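The following Python sketch is added here as an illustration of the elements the rejections of claims 1 and 2 map onto the claims; it is not part of this Office action, of Antonakakis, or of Zhang. It models a passive-DNS-derived RHIP set for a domain (by domain, 3LD and 2LD), the BGP() and AS() set functions extended to take IP sets, a weighted bipartite domain/IP graph, a reputation score for a new domain computed from its labeled co-hosted neighbours, and extension of a malware cluster once that score crosses a threshold. The pDNS records, labels, BGP prefixes, ASNs, edge weights, the guilt-by-association scoring rule and the 0.7 threshold are all constructed assumptions; neither reference is represented as using this particular scoring rule.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed passive-DNS observations: (domain, resolved IP, times the mapping was seen).
PDNS = [
    ("evil-c2.example", "203.0.113.10", 40),
    ("evil-c2.example", "203.0.113.11", 12),
    ("shop.example", "198.51.100.5", 300),
    ("www.shop.example", "198.51.100.5", 90),
    ("new-domain.example", "203.0.113.10", 5),
    ("new-domain.example", "203.0.113.11", 3),
    ("new-domain.example", "198.51.100.5", 2),
    ("park.example", "198.51.100.5", 10),
]
KNOWN_MALICIOUS = {"evil-c2.example"}                 # constructed label sets
KNOWN_LEGIT = {"shop.example", "www.shop.example"}
# Constructed BGP table: (announced prefix, origin ASN), using documentation ranges and private ASNs.
BGP_TABLE = [(ip_network("203.0.113.0/24"), 64500), (ip_network("198.51.100.0/24"), 64501)]


def level(domain, n):
    """Last n labels of a name: level(d, 2) is its 2LD, level(d, 3) its 3LD."""
    return ".".join(domain.split(".")[-n:])


def build_graph(pdns):
    """Weighted bipartite domain/IP graph; edge weight = resolution count."""
    dom2ip, ip2dom = defaultdict(dict), defaultdict(dict)
    for d, ip, w in pdns:
        dom2ip[d][ip] = dom2ip[d].get(ip, 0) + w
        ip2dom[ip][d] = ip2dom[ip].get(d, 0) + w
    return dom2ip, ip2dom


def rhip(domain, dom2ip):
    """Related-historic-IP sets: IPs ever pointed to by the domain, by its 3LD and by its 2LD."""
    out = {"domain": set(dom2ip.get(domain, {}))}
    for n, key in ((3, "3LD"), (2, "2LD")):
        target = level(domain, n)
        out[key] = {ip for d, ips in dom2ip.items() if level(d, n) == target for ip in ips}
    return out


def bgp_prefix(ip):
    """Longest-match lookup of an address in the constructed BGP table."""
    a = ip_address(ip)
    hits = [(net, asn) for net, asn in BGP_TABLE if a in net]
    if not hits:
        raise KeyError(ip)
    return max(hits, key=lambda h: h[0].prefixlen)


def BGP(ips):
    """BGP(A) = union over a in A of every address in a's BGP prefix."""
    return {str(h) for ip in ips for h in bgp_prefix(ip)[0]}


def AS(ips):
    """AS(A) = union of every address in every prefix originated by an AS hosting some a in A."""
    asns = {bgp_prefix(ip)[1] for ip in ips}
    return {str(h) for net, asn in BGP_TABLE if asn in asns for h in net}


def network_features(ips):
    """Network-diversity statistics over an IP set (distinct IPs, prefixes, ASes)."""
    return {
        "ips": len(ips),
        "bgp_prefixes": len({bgp_prefix(ip)[0] for ip in ips}),
        "asns": len({bgp_prefix(ip)[1] for ip in ips}),
    }


def reputation(domain, dom2ip, ip2dom, malicious, legit):
    """Guilt-by-association score in [0, 1] (constructed rule): for each IP the domain
    points to, the weighted share of labeled co-hosted domains that are malicious,
    averaged over the domain's own edge weights. IPs with no labeled neighbours add
    no evidence; a domain with no evidence at all scores None."""
    num = den = 0.0
    for ip, w in dom2ip[domain].items():
        bad = sum(v for d, v in ip2dom[ip].items() if d in malicious)
        good = sum(v for d, v in ip2dom[ip].items() if d in legit)
        if bad + good == 0:
            continue
        num += w * bad / (bad + good)
        den += w
    return num / den if den else None


def extend_cluster(cluster, domain, score, threshold=0.7):
    """Extend the malware cluster with the domain once its score meets the threshold."""
    if score is not None and score >= threshold:
        return cluster | {domain}
    return cluster


if __name__ == "__main__":
    dom2ip, ip2dom = build_graph(PDNS)
    cluster = set(KNOWN_MALICIOUS)
    for d in ("new-domain.example", "park.example"):
        s = reputation(d, dom2ip, ip2dom, KNOWN_MALICIOUS, KNOWN_LEGIT)
        cluster = extend_cluster(cluster, d, s)
        print(d, round(s, 2), network_features(rhip(d, dom2ip)["domain"]))
    print("malware cluster:", sorted(cluster))
```

On the constructed data, new-domain.example shares two of its three addresses with the known command-and-control domain and scores 0.8, so it is folded into the malware cluster, while park.example sits only on the legitimate shared-hosting address and scores 0.0. The BGP()/AS() helpers return the full address sets the quoted definitions describe; in practice one would carry prefix and ASN identifiers rather than expanding every address.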
 
Allowable Subject Matter
Claims 3-18 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
US Pat. 8,813,228 (Magee et al.) - The system has a threat intelligence information parser for parsing threat intelligence information into a common format and storing the threat intelligence information in a database. A threat intelligence information scoring engine receives the threat intelligence information from the database and calculates a threat score for the threat intelligence information. A threat intelligence information distributor distributes the threat intelligence information and the threat scores to a set of consumers of the threat intelligence information.
US Pat. 9,531,738 (Zoldi et al.) - The method involves monitoring network messages with client computers that communicate with a server having an IP address. A real-time entity profile with a variable is generated for the client computers. A variance is determined as to whether the real-time entity profile contains cyber threat features. A real-time calibration profile is generated for the client computers. Scores representing a probability of cyber-security threat risk are generated using the real-time calibration profiles, real-time entity profiles, variables and scores.
US Pat. 8,762,298 (Ranjan et al.) - The method involves analyzing historical network data to determine values of a connectivity graph. A ground truth data set having labels is obtained to identify known malicious nodes in the network. The network data and the data set are analyzed to generate a model representing the labels as a function of the values of a graph-based feature. Real-time network data is analyzed to determine a feature value for a data unit. A label is assigned to the data unit such that the data unit is categorized as associated with a botnet based on the label.
US Pat. 8,521,667 (Zhu et al.) - The method involves receiving a URL and extracting features associated with the URL. The features include at least one link popularity feature of the URL. A binary classification model is employed through one or more processors to determine that the URL is a malicious URL based at least in part on the extracted features. The malicious URL is categorized as one of a benign URL, a spam URL, a phishing URL, a malware URL, or a multi-type attack URL.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to THOMAS J DAILEY whose telephone number is (571)270-1246. The examiner can normally be reached 9:30am-6:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Thu Nguyen, can be reached at 571-272-6967. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/Thomas J Dailey/
Primary Examiner, Art Unit 2452