Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This Office Action is in response to the instant Application 16/691,475 filed on 11/21/2019. Claims 1-22 are pending. This Office Action is Non-Final.

Information Disclosure Statement
The information disclosure statement (IDS), submitted on 11/12/2019, is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Claim Objections
Claims 6 and 21 are objected to because of the following informalities:
Claims 6 and 21 use the term “if”; however, “if” may not be a positive recitation of a step, since “if” leaves open the possibility of the step never happening. A more appropriate term to replace “if” would be “when”. Appropriate correction is required.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(d):
(d) REFERENCE IN DEPENDENT FORMS.—Subject to subsection (e), a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

The following is a quotation of pre-AIA  35 U.S.C. 112, fourth paragraph:
Subject to the following paragraph [i.e., the fifth paragraph of pre-AIA  35 U.S.C. 112], a claim in dependent form shall contain a reference to a claim previously set forth and then specify a 

Claims 16 and 22 are rejected under 35 U.S.C. 112(d) or pre-AIA 35 U.S.C. 112, 4th paragraph, as being of improper dependent form for failing to further limit the subject matter of the claim upon which it depends, or for failing to include all the limitations of the claim upon which it depends. System (“service infrastructure”) claims 16 and 22 rely on method claims 1 and 21, respectively. However, claims 16 and 22 fail to specify a further limitation of the subject matter of claims 1 and 21 to which they refer, because they are completely outside the scope of claims 1 and 21. See also Ex parte Gassen (Appeal 2010-009177).
Applicant may cancel the claim(s), amend the claim(s) to place the claim(s) in proper dependent form, rewrite the claim(s) in independent form, or present a sufficient showing that the dependent claim(s) complies with the statutory requirements.

Allowable Subject Matter
Claim 21 is allowed.
The following is a statement of reasons for the indication of allowable subject matter:  Claim 21 is directed towards a method of predicting potential anomalies.  A thorough search was conducted on 6/8/2021 and the closest prior art Baughman et al (US 20180077120) in view of Meshi et al. (US 2018/0069883) and of Lim (US 2017/0228658), which are generally directed towards determining malicious strings, fails to teach the claimed limitations of claim 21.  Specifically, they fail to teach “: determining, at the service infrastructure, that an anomaly has occurred at a detection time in relation to an impacted domain; accessing an anomalies table, each entry of the .
Claims 6-15 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.



Claims 1, 3, 5 and 16-20 are rejected under 35 U.S.C. 103 as being unpatentable over Baughman et al (US 20180077120) in view of Meshi et al. (US 2018/0069883).

	As per claim 1, Baughman teaches a method of detecting potential anomalies at a service infrastructure, comprising: accessing a strings table, each respective entry of the strings table defining a respective character string and a respective anomaly probability for the character string (Baughman, Paragraph 0067 recites “The proxy service 414 may employ the evaluation service 410 to classify the FQDN or the character string related to the URL as benign, malignant, suspicious, or malicious. The proxy service 414 may redirect the URL to a target browser, such as browser 430, upon the degree of trustworthiness being classified as benign. The proxy service 414 may redirect the URL to a warning page related to the target browser 430 upon the degree of trustworthiness being classified as suspicious. The proxy service 414 may redirect the URL to a warning page related to the target browser 430 upon the degree of trustworthiness being classified as anomalous. The proxy service 414 may redirect the URL to a denied assess page related to the target browser 430 upon the degree of trustworthiness being classified as malicious. In short, the proxy service 414 completely eliminates malicious actors as a medium from sending Internet content to a client in a tiered web delivery network.”);
	generating, in a database of the service infrastructure, a log entry related to an event occurring in the service infrastructure, the log entry including a character string designating one of a name of a file and an IP address, the log entry including a domain name hosted by the service infrastructure; searching for the character string in the strings table (Baughman, Paragraph 0068 recites “The proxy may be an agent that delivers to the browser, and/or receives from the browser, web browser pages in the web delivery network. 2) The proxy may send the web request to the server. 3) The server redirects the redirect target to URL (or redirect target or URL) to the proxy. The proxy may apply one or more heuristics in the processing of redirection targets that are present in web pages. 4) The proxy validates the URL. 5) The proxy may send a target URL to the engine. 6) The engine may classify the URL according to a reputation score and may send a notification of the classification to a controller (not depicted for illustrative convenience). 7) The proxy receives the reputation score from the engine.” A log entry would be read by a request, since it will contain the pertinent information of a log entry).
	But Baughman fails to teach marking the domain name as suspect if the character string is found in the strings table and if an anomaly probability corresponding to the character string exceeds a predetermined threshold.
	However, in an analogous art, Meshi teaches marking the domain name as suspect if the character string is found in the strings table and if an anomaly probability corresponding to the character string exceeds a predetermined threshold (Meshi, Paragraph 0192 recites “Now, assume the following thresholds for marking domain as a malicious CnC channel: [0193] final score threshold >0.7 (Computed: 0.8779204763) [0194] CnC score threshold >0.5 (Computed: 0.69) [0195] final score*CnC score threshold>0.6 (ours: 0.605) Since this example meets to these 3 conditions, the domain sales[.]suppoit[.]xyz can be marked as a malicious CnC domain.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Meshi’s Detection of Known and Unknown Malicious Domains with Baughman’s verifying trustworthiness of redirection targets in a tiered web delivery network, because the use of a threshold offers the advantage of having more of a gray area in case a string cannot be definitely determined to be malicious or not.

	As per claim 2, Baughman in combination with Meshi teaches the method of claim 1, Baughman further teaches wherein the predetermined threshold is calculated according to: $\text{Threshold} = \operatorname*{argmin}_{x}\left(\frac{\sum_{string \in Strings} I\left(p(A \mid Str_i) < x\right)}{m} > 0{,}95\right) \quad (8)$ wherein: I is the indicator function; and m is a number of entries in the strings table (Baughman, Paragraph 0068 recites “The proxy may be an agent that delivers to the browser, and/or receives from the browser, web browser pages in the web delivery network. 2) The proxy may send the web request to the server. 3) The server redirects the redirect target to URL (or redirect target or URL) to the proxy. The proxy may apply one or more heuristics in the processing of redirection targets that are present in web pages. 4) The proxy validates the URL. 5) The proxy may send a target URL to the engine. 6) The engine may classify the URL according to a reputation score and may send a notification of the classification to a controller (not depicted for illustrative convenience). 7) The proxy receives the reputation score from the engine.”).
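	The lookup-and-threshold step recited in claims 1 and 2, as an added example (not code from the application or from the cited references). It assumes equation (8) is the fraction of strings-table entries with p(A|Str_i) < x exceeding 0,95 and takes the argmin as an infimum, since the strict inequality is never attained; the table, log entries, function names and field layout are constructed for illustration.

```python
from bisect import bisect_right

# Constructed strings table: character string -> anomaly probability p(A | Str_i).
# 38 low-probability file names plus two higher-probability entries (m = 40).
STRINGS_TABLE = {f"asset{i:02d}.css": round(0.01 + 0.005 * i, 3) for i in range(38)}
STRINGS_TABLE.update({"backup_old.zip": 0.62, "203.0.113.77": 0.91})

# Constructed log entries: (hosted domain name, file name or IP address).
LOG_ENTRIES = [
    ("shop.example.net", "asset03.css"),     # in table, low probability
    ("blog.example.org", "203.0.113.77"),    # in table, highest probability
    ("cdn.example.com", "backup_old.zip"),   # in table, equal to the threshold
    ("new.example.io", "unknown.bin"),       # not in the strings table
]


def compute_threshold(probabilities, coverage_pct=95):
    """Smallest x such that more than coverage_pct % of entries have p < x.

    The set of valid x is open (strict '<'), so the infimum is returned:
    the smallest table value v for which count(p <= v) / m > coverage.
    Integer arithmetic avoids rounding problems with 0.95 * m.
    """
    ps = sorted(probabilities)
    m = len(ps)
    if m == 0:
        raise ValueError("strings table is empty")
    for v in ps:
        # For any x just above v, count(p < x) equals count(p <= v).
        if 100 * bisect_right(ps, v) > coverage_pct * m:
            return v
    raise ValueError("coverage_pct must be below 100")


def mark_suspect_domains(log_entries, strings_table, threshold):
    """Domains whose logged string is in the table with p above the threshold."""
    suspects = set()
    for domain, string in log_entries:
        p = strings_table.get(string)
        if p is not None and p > threshold:
            suspects.add(domain)
    return suspects


if __name__ == "__main__":
    thr = compute_threshold(STRINGS_TABLE.values())
    print("threshold:", thr)
    print("suspect domains:", mark_suspect_domains(LOG_ENTRIES, STRINGS_TABLE, thr))
```

	A string that is absent from the table, or whose probability only equals the threshold, does not mark its domain: the claim language requires the probability to exceed the threshold.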
	
	As per claim 3, Baughman in combination with Meshi teaches the method of claim 1, Baughman further teaches populating a domains table, each given entry of the domains table containing a given domain name, a given character string associated with the given domain name in a timeframe of interest, and a given association time corresponding to a latest association time among all log entries that associate the given domain with the given character string (Baughman, Paragraph 0027 recites “c) Time Zone Entropy (TZE) anomalies that may result from IP addresses coming from different time zones (fast flux indicator),” And Paragraph 0028 recites “C) A country entropy may be a key signature for identifying a URL as a malicious site where a country registration is not in the same hemisphere or within a next time zone.”).

	As per claim 5, Baughman in combination with Meshi teaches the method of claim 3, Baughman further teaches wherein each respective entry of the strings table further defines (i) a respective number of domains that are associated with the respective character string and in which there has been an anomaly in the timeframe of (Baughman, Paragraph 0027 recites “c) Time Zone Entropy (TZE) anomalies that may result from IP addresses coming from different time zones (fast flux indicator),” And Paragraph 0028 recites “C) A country entropy may be a key signature for identifying a URL as a malicious site where a country registration is not in the same hemisphere or within a next time zone.”).

	Regarding claim 16, claim 16 is directed to a similar system associated with the method of claim 1. Claim 16 is similar in scope to claim 1 and is therefore rejected under similar rationale.


	As per claim 17, Baughman in combination with Meshi teaches the service infrastructure of claim 16, Baughman further teaches wherein the processor implements a detector configured to detect that an anomaly has occurred in relation to an impacted domain at a corresponding detection time (Baughman, Paragraph 0026 recites “ For example, a DNS response (answer, authority and additional sections) may be captured, extracted and analyzed in real-time where extracted features may be examined via heuristic analysis to classify a domain as either benign, malignant, suspicious, and/or malicious. This is reflective of real-world statistical analytical outcomes which are advantageous to prevent a classifier from confusing the battle space with outliers.” By occurring in real-time, the time of the decision would be the time of the request).

	As per claim 18, Baughman in combination with Meshi teaches the service infrastructure of claim 17, Baughman further teaches a user interface operatively connected to the detector, the detector being configured to cause the user interface to issue a warning to an operator of the service infrastructure when the domain name is marked as suspect (Baughman, Paragraph 0067 recites “The proxy service 414 may redirect the URL to a warning page related to the target browser 430 upon the degree of trustworthiness being classified as suspicious. The proxy service 414 may redirect the URL to a warning page related to the target browser 430 upon the degree of trustworthiness being classified as anomalous. The proxy service 414 may redirect the URL to a denied assess page related to the target browser 430 upon the degree of trustworthiness being classified as malicious. In short, the proxy service 414 completely eliminates malicious actors as a medium from sending Internet content to a client in a tiered web delivery network.”).

	As per claim 19, Baughman in combination with Meshi teaches the service infrastructure of claim 17, Baughman further teaches a signaling interface operatively connected to the detector, the detector being configured to cause the signaling interface to issue a message toward a client related to the domain name when the domain name is marked as suspect (Baughman, Paragraph 0067 recites “The proxy service 414 may redirect the URL to a warning page related to the target browser 430 upon the degree of trustworthiness being classified as suspicious. The proxy service 414 may redirect the URL to a warning page related to the target browser 430 upon the degree of trustworthiness being classified as anomalous. The proxy service 414 may redirect the URL to a denied assess page related to the target browser 430 upon the degree of trustworthiness being classified as malicious. In short, the proxy service 414 completely eliminates malicious actors as a medium from sending Internet content to a client in a tiered web delivery network.”).

	As per claim 20, Baughman in combination with Meshi teaches the service infrastructure of claim 17, Baughman further teaches a blocker operatively connected to the detector, the detector being configured to cause the blocker to issue a command to the server for discarding a received data packet related to the generation of the log entry when the domain name is marked as suspect (Baughman, Paragraph 0067 recites “The proxy service 414 may redirect the URL to a warning page related to the target browser 430 upon the degree of trustworthiness being classified as suspicious. The proxy service 414 may redirect the URL to a warning page related to the target browser 430 upon the degree of trustworthiness being classified as anomalous. The proxy service 414 may redirect the URL to a denied assess page related to the target browser 430 upon the degree of trustworthiness being classified as malicious. In short, the proxy service 414 completely eliminates malicious actors as a medium from sending Internet content to a client in a tiered web delivery network.”).

Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Baughman et al (US 20180077120) and Meshi et al. (US 2018/0069883) and in further view of Lim (US 2017/0228658).

	As per claim 4, Baughman in combination with Meshi teaches the method of claim 3, but fails to teach wherein populating the domains table comprises parsing a plurality of log entries in the database to extract, from each log entry, a respective domain name, a respective character string and a respective association time.
	However, in an analogous art, Lim teaches wherein populating the domains table comprises parsing a plurality of log entries in the database to extract, from each log entry, a respective domain name, a respective character string and a respective association time (Lim, Paragraph 0052 recites “a ZeuS Tracker decoder for parsing the list of ZeuS commands & controls and fake URLs provided by the ZeuS Tracker, a Malware Domain List decoder for parsing the list of malicious IPs and URLs provided by the Malware Domain List;”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Lim’s System and Method for High Speed Threat Intelligence Management Using Unsupervised Machine Learning and Prioritization Algorithms with Baughman’s verifying trustworthiness of redirection targets in a tiered web delivery network, because the use of parsing data in order to find a match gives flexibility when performing a search of characters.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RODERICK TOLENTINO whose telephone number is (571)272-2661.  The examiner can normally be reached on Mon-Fri 8am-4pm.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on 571-270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


RODERICK TOLENTINO
Examiner
Art Unit 2439



/RODERICK TOLENTINO/Primary Examiner, Art Unit 2439