DETAILED ACTION
1.	Notice of Pre-AIA  or AIA  Status:  The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

2.	Claims 1, 2, 6-12, 16, 17 and 21-30 are presented for allowance. 

3.	Claims 3-5, 13-15, and 18-20 have been canceled, and claims 1, 11, and 16 have been amended as filed on June 10, 2021.

4.	This allowance of application 16/399252 is in response to Applicant’s claim amendments and remarks filed on June 10, 2021.

5.	Application 16/399252 was filed on April 30, 2019.

Claim Interpretation

6.	Claim 1 recites “DNS related threat data.” 

Instant specification [0018] states “threat indicator lists”, [0020] states “smart whitelisting for DNS security”, “the whitelist includes [] the DNS related threat data,” [0021] states “the set of network related threat data includes DNS related threat data (e.g., a DNS threat feed, such as a general DNS threat feed, a DNS threat feed that is associated with a first enterprise network, and/or a DNS threat 

Based on the specification, the recited “DNS related threat data” can be interpreted as any DNS threat and/or DNS-based threat. And, the recited “DNS related thread data for a first enterprise network” can be interpreted as any DNS threat and/or DNS-based threat sent to an enterprise network. These interpretations are applied to all the claims.

7.	Claim 1 recites “data driven model of the DNS related.” 

Instant specification [0024] states “techniques for smart whitelisting for DNS security generate a statistical model that combines a ranking of domains, threat indicators [] and a historical perspective to adjust the whitelist based on threat and customer impact,” [0027] states “techniques for smart whitelisting for DNS security to dynamically model the likelihood that a domain on a whitelist will be malicious,” [0030] states “one or more sources of threat indicator data can be used to model the full likelihood distribution using, for example, TIDE or using a different source of threat indicators,” [0042] states “the ranks for popular domains that contain threat indicators are recorded to be used in a future dynamic model for smartlisting,” [0037] states “in the case of a dynamic threshold is utilized, the 

Since the specification does not explain data driven model, brief Internet search revealed Usu.instructure.com webpage that explains “data-driven model.” 

According to Usu.instructure.com, “a data-driven model is based on the analysis of the data about a specific system. The main concept of data-driven model is to find relationships between the system state variables (input and output).” 

Based on the definition and based on the specification explanations (particularly [0073]), alternative models can be used to determine a threshold. This interpretation is applied to all the claims.

8.	Claim 1 recites “DNS threat feed that is automatically filtered to determine a popularity of network domains associated with malware” and “thread data for a first enterprise network.”  Instant specification [0025] [0026] [0034] [0059] [0068] [0069] [0071] [0078] specifically explain “popularity,” where [0034] connects the popularity to the recited “enterprise network.”  Hence, [0034] explains the popularity feature more to overcome/differentiate from the prior arts for allowance.  This interpretation is applied to all the claims.

9.	Claim 1 recites “generate a whitelist using [] event data and [] threat data.” 

Instant specification [0013] states “a blacklist (e.g., also referred to as a block list) generally refers to an access control mechanism that can be applied to, for example, URLs, domain names, IP addresses, and/or other names/addresses [] to deny access to any such objects included on the blacklist. A whitelist (e.g., also referred to as an allow list) refers to an access control mechanism that can be applied, for example, to URLs, domain names, IP addresses, and/or other names/addresses [] to allow access to any objects included in the whitelist,” [0020] states “new and improved techniques for smart whitelisting for Domain Name System (DNS) security are provided” and “smart whitelisting for DNS security in accordance with some embodiments includes [] and generating a whitelist using the set of network related event data and the set of network related threat data based on a data driven model,” [0021] states “techniques for smart whitelisting for DNS security can be applied to generate context-specific, data-driven whitelists (e.g., also referred to herein as smartlists) that automatically and dynamically adjust to changes in the production data environment” and “techniques for smart whitelisting for DNS security can facilitate identifying issues with a blacklist for DNS security for the production data environment *e.g., by identifying one or more items that should or should not be on the blacklist),“ and “product for smart whitelisting for DNS security in accordance with some embodiments further includes [] periodically updating the 

Based on these specification explanations, “whitelist” is stated in the specification to also describe those features related to “smart whitelist” making the differentiation between a “whitelist” and “smart whitelist” unclear.  A further search revealed Dusane to help differentiate them.



Based on various specification paragraphs, a description of the three different lists are as follows: 
1) Whitelist which lists, e.g., domain names that allow access to any objects listed, 
2) Blacklist which lists, e.g., domain names that deny access to such objects listed, and 
3) Smart Whitelist (e.g., a new whitelist, smart whitelist, smartlist, etc.) which lists threat data (i.e., malicious domain names) and event data (i.e., legitimate names).   Instant Specification [0021] states “data-driven whitelists (e.g., also referred to herein as smartlists),” [0024] states “smart whitelisting for 

This interpretation is applied to all the claims.


Examiner’s Amendment
10.	An examiner’s Amendment to the record appears below.  Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR § 1.312.  To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the Issue Fee.

11.	Authorization for this examiner’s amendment was given by Michael J. Schallop via a telephone interview on August 4, 2021.

12.	Claims 9, 24 and 29 have been amended as follows:

9.	(Currently Amended) The system recited in claim 1, wherein the processor is further configured to:
filter the DNS related event data to generate a smart whitelist, 

periodically update the smart whitelist based on another set of network related event data and another set of network related threat data, 
wherein the smart whitelist is automatically and dynamically adjusted to changes in a production data environment associated with  the first enterprise network.


24.	(Currently Amended) The method of claim 11, further comprising:
filtering the DNS related event data to generate a smart whitelist, 
wherein the DNS related event data is automatically filtered using a classifier to exclude one or more network domains associated with malware; and
periodically updating the smart whitelist based on another set of network related event data and another set of network related threat data, 
wherein the smart whitelist is automatically and dynamically adjusted to changes in a production data environment associated with  the first enterprise network.

29.	(Currently Amended) The non-transitory computer readable storage medium recited in claim 16, further storing instructions that when executed by the computer processor performs the following: 
filtering the DNS related event data to generate a smart whitelist, 

periodically updating the smart whitelist based on another set of network related event data and another set of network related threat data, 
wherein the smart whitelist is automatically and dynamically adjusted to changes in a production data environment associated with  the first enterprise network.

Reason for Allowance
13.	Claims 1, 11 and 16 of the present invention are directed towards Network Related Event Data (NRED).  A set of NRED is received.  The set of NRED includes Domain Name System (DNS) Related Event Data (DNSRED).  A set of Network Related Threat Data (NRTD) is received.  The set of NRTD includes DNS Related Threat Data (DNSRTD).  The DNSRTD includes a DNS threat feed that is automatically filtered to determine a popularity of Network Domains (NDs) associated with malware.  The DNSRTD includes DNSRTD for a 1st enterprise network.  A whitelist is generated using the set of NRED and the set of NRTD.  The whitelist includes a subset of NDs included in the DNSRED based on a data driven model of the DNSRED and the DNSRTD.  Independent claims 1, 11 and 16 each identify the uniquely distinct combination of features:
receiving a set of network related event data
wherein the set of network related event data includes Domain Name System (DNS) related event data
receiving a set of network related threat data
wherein the set of network related threat data includes DNS related threat data
wherein the DNS related threat data includes a DNS threat feed that is automatically filtered to determine a popularity of network domains associated with malware
wherein the DNS related threat data includes DNS related threat data for a first enterprise network
generating a whitelist using the set of network related event data and the set of network related threat data 
wherein the whitelist includes a subset of network domains included in the DNS related event data based on a data driven model of the DNS related event data and the DNS related threat data
(specification [0013]) whitelist (e.g., also referred to as an allow list) refers to an access control mechanism
(specification [0034]) a popularity of the threats is determined based on event data and domain popularity over a time period received
(specification [0034]) distributed over a network (e.g., Internet or an enterprise network) to various products.




Manadhata (US 10474820, filed on June 17, 2014, as per Justia) col 1 lines 26-62, col 2 lines 1-50 and 64-67, col 4 lines 8-20 and 32-53, col 9 lines 10-18  teach “receive”, “receive” and part of “generate” limitations.

Magee et al. (US Pub 20140007238) [0002] [0018] [0020] [0021] [0032] [0036]-to-[0038] [0041]-to-[0044] [0046] [0047] [0049] [0053] [0057] [0058] [0074] [0075] [0088] [0094] [0106] teach the DNS information analysis related to feed of popularity of network domains associate with malware and whitelisted.  Further, a threat impact is matched against a threat category master (template that models a given threat to network security).  In short, Magee teach part of “receive a set of network related threat data” limitation and “generate” limitation.

Wu (US 10362057) col 1 lines 15-23 and 52-53, and col 65 lines 22-25 teach the recited “DNA related thread data includes DNS related threat data for a first enterprise network.”

Osterwell et al. (US Pub 20180139229) [0006] [0038] [0047] [0064] teach DNS related threat data and threat feeds.

Antonakakis et al. (“Building A Dynamic Reputation System for DNS”, 2010) section 3, section 3.3.1, section 3.3.2, section 3.3.5, section 4.1, and section 4.2 teach features that relate to popular domains.  In particular, section 4.2 states “our limited whitelisting was derived from the top 500-alexa.com domain names, as of the 1st August 2009.  We reasoned that, although some malicious domains become popular, they do not stay popular (because of remediation), and never break into the top tier of domain rankings.”  “Finally a list of 464 dynamic DNS second level domains allowed us to identity and label domain name and IPs coming from zones under dynamic DNS providers. We label our evaluation (or testing) data-set by aggregating updated blacklist information for new malicious domain names and IPs from the same lists.”  “To compute the honeypot features [] we need a malware analysis infrastructure that can process as many ‘new’ malware samples as possible.”  “We chose to execute malware and collect DNS evidence through the same period of time in which we aggregate the passive DNS database.”  “After executing all domains names that belong to the top 500 most popular alexz.com zones, we assemble the main corpus of our ‘honeypot data.’  We automated the crawling and collection of black list information and honeypot execution.”

	Drihem et al. (US Pub 20180343277).

Chasin (US Pub 20050015626) [0013] [0038] [0058] teach whitelist and statistical classifier.
	
Tewari et al. (US Pub 20160315856) [0047].

	Kulkarni et al. (US Pub 20180039486) [0186].

Atkins et al., “Threat Analysis of the Domain Name System (DNS)”, RFC 3822, 2004.

	Lin (US Pub 20040267893) [0007].

	Yu et al. (US 9363282)  (79) (100) (108) (114).

According to Wikipedia, “in computer security, a threat is a potential negative action or event facilitated by a vulnerability that results in an unwanted impact to a computer system or application.  A threat can be either a negative ‘intentional’ event (i.e., hacking:  an individual cracker or a criminal organization) or an ‘accidental’ negative event (e.g., the possibility of a computer malfunctioning or the possibility of a natural disaster event such as an earthquake, a fire, or a tornado) or otherwise a circumstance, capability, action, or event.”  “This is differentiated from a threat actor who 

According to Wikipedia, “whitelisting” is “a whitelist (or, less commonly, a passlist or allowlist) is a mechanism which explicitly allows some identified entities to access a particular privilege, service, mobility, or recognition.”

According to Usu.instructure.com, “a data-driven model is based on the analysis of the data about a specific system. The main concept of data-driven model is to find relationships between the system state variables (input and output).”

15.	In summary, nowhere do the prior art disclose the unique combination of steps/elements listed above.  The unique combination of steps/elements listed above are a novel combination.  The definitions provided above and the specification (features highlighted in bold above) provide explanation/clarification to some critical features (e.g., DNS threat feed filtered for popularity of network domains, enterprise network, whitelist, data driven model) overcome/differentiate from the prior arts.  The prior art, either singularly or in combination fails to anticipate or render obvious the present invention.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should 

16.	 Any inquiry concerning this communication or earlier communications from the examiner should be directed to O. Charlie Vostal whose telephone number is 571-270-3992.  The examiner can normally be reached on 8:30am to 5:00pm EST Monday thru Friday.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Thu Nguyen can be reached on 571-272-6967.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the Public PAIR system, see http://portal.uspto.gov/pair/PublicPair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


	/ONDREJ C VOSTAL/           Primary Examiner, Art Unit 2452                                                                                                                                                                                             
	August 6, 2021