DETAILED ACTION
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant’s submission filed on 4/27/2021, for application 15/917,908 has been entered. 
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This Office Action is in response to the Amendment filed on 4/7/2021.

Examiner’s Amendment
An Examiner’s Amendment to the record appears below.  Should the changes and/or additions be unacceptable to Applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this Examiner’s Amendment was given in a telephone interview with Applicant’s representative, Mr. Christopher Ma (Reg. No. 60,767) on June 22, 2021.  During the telephone conference, Mr. Ma has agreed and authorized the Examiner to amend Claims 1, 13, and 20, and to cancel claim 22.
Claims
Replacing Claims 1, 13, and 20 and canceling claim 22 as following:
Claim 1:	 (Currently Amended) A computer-implemented method executed by one or more processors, the method comprising:	
generating a bipartite graph based on network log data, wherein nodes of the bipartite graph represent host computers of a plurality of host computers and a plurality of domains that are accessed by the plurality of host computers, and wherein edges of the bipartite graph represent connections that the network log data indicates have occurred between particular host computers and particular domains;	
setting an initial numerical reputation score for (i) each of the plurality of host computers that are identified in the bipartite graph using a classification category from two or more first classification categories, and (ii) each of the plurality of domains that are identified in the bipartite graph and that are accessed by the plurality of host computers using a classification category from two or more second classification categories, wherein the initial numerical reputation scores of host computers not associated with known malicious behavior are set to positive values and the initial numerical reputation scores of host computers associated with known malicious behavior are set to negative values;	
until a predefined condition is satisfied, iteratively, for a plurality of iterations: 
calculating, for the iteration and before calculating any new numerical reputation scores for the domains in the plurality of domains for the iteration, a new numerical reputation score for each of the host computers in the plurality of host computers by rescoring the prior numerical reputation score for the host computer based on an aggregation of the respective numerical reputation scores of the plurality of domains that are connected to the host computer in the bipartite graph, then 
,
wherein nodes that represent domains or host computers are not added to the bipartite graph during the plurality of iterations; 
after the predefined condition is satisfied, determining, based upon the new numerical reputation scores for each of the plurality of host computers and the new numerical reputation scores for each of the plurality of domains, that one or more domains amongst the plurality of domains have numerical reputation scores that are negative; and
performing one or more corrective actions, upon determining that one of more domains amongst the plurality of domains have numerical reputation scores that are negative, wherein the one or more corrective actions comprise: rescoring a blacklist of known malicious domains to include the one or more domains; ranking the one or more domains as potentially malicious domains in an order corresponding to the rescored numerical reputation scores for each of the plurality of domains respectively; and redirecting network traffic attempting to access the one or more domains. 

Claim 13:	(Currently Amended) A system comprising one or more computers and one or more storage devices storing instructions that are operable, when executed by the one or more computers, to cause the one or more computers to perform operations comprising:	

setting an initial numerical reputation score for (i) each of the plurality of host computers that are identified in the bipartite graph using a classification category from two or more first classification categories, and (ii) each of the plurality of domains that are identified in the bipartite graph and that are accessed by the plurality of host computers using a classification category from two or more second classification categories, wherein the initial numerical reputation scores of host computers not associated with known malicious behavior are set to positive values and the initial numerical reputation scores of host computers associated with known malicious behavior are set to negative values;
	until a predefined condition is satisfied, iteratively, for a plurality of iterations: 
calculating, for the iteration and before calculating any new numerical reputation scores for the domains in the plurality of domains for the iteration, a new numerical reputation score for each of the host computers in the plurality of host computers by rescoring the prior numerical reputation score for the host computer based on an aggregation of the respective numerical reputation scores of the plurality of domains that are connected to the host computer in the bipartite graph, then 
after calculating, for the iteration, all of the new numerical reputation scores for each of the host computers in the plurality of host computers, calculating the new numerical reputation score for each of the domains in the plurality of domains by rescoring the prior numerical reputation score for the domain based on an aggregation of the respective numerical reputation ,
wherein nodes that represent domains or host computers are not added to the bipartite graph during the plurality of iterations; 	
after the predefined condition is satisfied, determining, based upon the new numerical reputation scores for each of the plurality of host computers and the new numerical reputation scores for each of the plurality of domains, that one or more domains amongst the plurality of domains have numerical reputation scores that are negative; and
performing one or more corrective actions, upon determining that one of more domains amongst the plurality of domains have numerical reputation scores that are negative, wherein the one or more corrective actions comprise: rescoring a blacklist of known malicious domains to include the one or more domains; ranking the one or more domains as potentially malicious domains in an order corresponding to the rescored numerical reputation scores for each of the plurality of domains respectively; and redirecting network traffic attempting to access the one or more domains. 

Claim 20:	(Currently Amended) A computer-readable storage device storing instructions executable by one or more computers which, upon such execution, cause the one or more computers to perform operations comprising: 	
	generating a bipartite graph based on network log data, wherein nodes of the bipartite graph represent host computers of a plurality of host computers and a plurality of domains that are accessed by the plurality of host computers, and wherein edges of the bipartite graph represent connections that the network log data indicates have occurred between particular host computers and particular domains;

	until a predefined condition is satisfied, iteratively, for a plurality of iterations: 
calculating, for the iteration and before calculating any new numerical reputation scores for the domains in the plurality of domains for the iteration, a new numerical reputation score for each of the host computers in the plurality of host computers by rescoring the prior numerical reputation score for the host computer based on an aggregation of the respective numerical reputation scores of the plurality of domains that are connected to the host computer in the bipartite graph, then 
after calculating, for the iteration, all of the new numerical reputation scores for each of the host computers in the plurality of host computers, calculating the new numerical reputation score for each of the domains in the plurality of domains by rescoring the prior numerical reputation score for the domain based on an aggregation of the respective numerical reputation scores of the plurality of host computers that are connected to the domain in the bipartite graph,
wherein nodes that represent domains or host computers are not added to the bipartite graph during the plurality of iterations; 

performing one or more corrective actions, upon determining that one of more domains amongst the plurality of domains have numerical reputation scores that are negative, wherein the one or more corrective actions comprise: rescoring a blacklist of known malicious domains to include the one or more domains; ranking the one or more domains as potentially malicious domains in an order corresponding to the rescored numerical reputation scores for each of the plurality of domains respectively; and redirecting network traffic attempting to access the one or more domains. 

Claim 22:	(Canceled) 


Examiner's Statement of reason for Allowance
Claims 1-6, 8-10, 12-18, 20, and 21 are allowed.
The following is an examiner’s statement of reasons for allowance: 
The present invention is directed to a method, an apparatus and a computer-readable storage device in which identification of malicious network domains through use of links analysis of graph representation of network activity, such as a bipartite 
The closest prior art, as previously recited, Oprea (US9635049), Horne (WO2016/118153), and Turnbull (US20130312097) are also generally directed to various aspects analyzing domains and hosts for malware.  However, none of Oprea, Horne, and Turnbull teaches or suggests, alone or in combination, the particular combination of steps or elements as recited in the independent claims, claims 1, 13, and 20.  For example, none of the cited prior art teaches or suggest the steps of generating a bipartite graph based on network log data, wherein nodes of the bipartite graph represent host computers of a plurality of host computers and a plurality of domains that are accessed by the plurality of host computers, and wherein edges of the bipartite graph represent connections that the network log data indicates have occurred between particular host computers and particular domains;	setting an initial numerical reputation score for (i) each of the plurality of host computers that are identified in the bipartite graph using a classification category from two or more first classification categories, and (ii) each of the plurality of domains that are identified in the bipartite graph and that are accessed by the plurality of host computers using a classification category from two or more second classification categories, wherein the initial numerical reputation scores of host computers not associated with known malicious behavior are set to positive values and the initial numerical reputation scores of host computers associated with known malicious behavior are set to negative values; wherein nodes that represent domains or host computers are not added to the bipartite graph during the plurality of iterations;  performing one or more corrective actions, upon determining that one of more domains amongst the plurality of domains have numerical reputation scores that are negative, wherein the one or more corrective actions comprise: rescoring a blacklist of known malicious domains to include the one or more domains; ranking the one or more domains as potentially malicious domains in an order corresponding to the rescored numerical reputation scores for each of the plurality of domains respectively; and redirecting network traffic attempting to access the one or more domains. 
Therefore the claims are allowable over the cited prior art.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”






Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WALTER J MALINOWSKI whose telephone number is (571)272-5368.  The examiner can normally be reached on 8-6:30 MTWH.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, LUU PHAM can be reached on 5712705002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/W.J.M/Examiner, Art Unit 2439 


/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439