Notice of Pre-AIA  or AIA  Status
1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
2.	Applicant’s arguments filed on 07/23/2021, with respect to the 35 U.S.C rejection of claim claims 1, 2, 4-7 and 9-11 as being obvious over U.S. Patent No. 8,260,914 to Ranjan (“Ranjan”) in view of U.S. Patent Application Publication No.
2012/0084860 to Cao (“Cao”), claims 12-20 stand rejected obvious over Ranjan in view of U.S. Patent Application Publication No. 2017/0295196 to Arnell (“Arnell”), claim 3 stands rejected as being obvious over Ranjan in view of Cao and further in view of U.S. Patent No. 9,325,735 to Xie et al. (“Xie”), and claim 8 stands rejected as being obvious over Ranjan in view of Cao and further in view of U.S. Patent Application Publication No. 2018/0351972 to Yu et al. (“Yu”) have been fully considered. Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of amended claims.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

1, 2, 4-7, 9, 11 and 21 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Patent No. 8260914 hereinafter Ranjan in view of U.S. Publication No. 20120084860 hereinafter Cao, and further in view of U.S. Publication No. 20160099967 hereinafter Stemm.

As per claim 1, Ranjan discloses:
A non-transitory machine-readable storage medium comprising instructions to defend against a Domain Name System (DNS)-based attack (Col. 2 Lines 51-54 “In general, in one aspect, the invention relates to a non-transitory computer readable medium storing instructions for detecting automatically generated malicious domain names in a network.”), the instructions upon execution causing a DNS server to: 
receive, over a network, DNS queries containing domain names (Col. 5 Lines 31-34 “In one or more embodiments, certain device(s) (e.g., DNS filters (115)) within the computer network (110) may be configured to sanction (e.g., passing or blocking) DNS traffic (e.g., DNS queries, not shown) based on information from the malicious domain name detecting tool (120).”): 
extract a common domain name shared by the domain names (Fig. 2, Col. 10 Lines 26-43 “As shown in FIG. 2, initially in Step 201, DNS queries sharing a common attribute in the computer network are identified. In one or more embodiments, the DNS queries sharing a common attribute are identified and/or extracted from the network trace under investigation described above for analysis to detect malicious domain names. In one or more embodiments, the 
determine whether a measure of an amount of data relating to the DNS queries containing the common domain name exceeds a threshold (Col. 9 Lines 55-60 “In one or more embodiments, the network trace is analyzed in a training phase, and referred to as a reference dataset, to fine tune pre- determined parameters (e.g., based distribution, pre-determined threshold, weights, regularization parameter, etc. described below) used in detecting malicious domain names. Example reference dataset includes the non-malicious ISP dataset, non-malicious DNS dataset, and malicious datasets described below.” Col. 12 Lines 19-27 “In Step 204, an alert is generated based on the distribution metric according to a pre-determined criterion. In one or more embodiment, the pre-determined criterion includes pre-determined parameters that are fine-tuned during a training phase such that the alert represents, with acceptable (based on 
trigger a countermeasure action to address a threat associated with the DNS queries (Col. 16 Lines 45-47 “Returning to FIG. 2, in STEP 205, a source node of DNS queries labeled as malicious is identified in the computer network in response to generating the alert in Step 204.” Col. 16 Line 57- Col. 17 Line 3 “In Step 206, a network security operation with respect to the source node is performed with the facilitation based on the alert identifying the grouped testdomain as containing domain names automatically generated for malicious activities. For example, a DNS server may be configured to block certain domain names by specifying the blocked domain names in the DNS server policy, referred to as domain blacklisting. Further, a network router may be configured to intercept and selectively block DNS traffic (e.g., DNS queries and/or replies) passing over the computer network or a portion thereof. In particular, one or more network router(s) located logically between the DNS server and the source node (e.g., a bot) sending the malicious DNS queries may be configured to block such bot-generated DNS queries.”). 

Ranjan does not disclose:
in response to determining that the measure of the amount of data relating to the DNS queries containing the common domain name exceeds the threshold, trigger countermeasure


Cao discloses:
in response to determining that the measure of the amount of data relating to the DNS queries containing the common domain name exceeds the threshold, trigger countermeasure (para 0014 “In another embodiment, the invention provides a computer-implemented method for detecting malicious software agents. The method includes: (a) constructing a graph based on a plurality of failed queries for domain names sent to one or more domain-name servers by a plurality of hosts during a time period; (b) deriving, from the graph, one or more candidate clusters of hosts, wherein step (b) includes: (b1) generating multi-level hierarchical groupings of Internet Protocol (IP) addresses in the graph based on similarities between at least first and second levels of domain names in failed domain-name queries made by hosts corresponding to the IP addresses; (b2) determining, for each hierarchical grouping, a highest percentage of failed domain-name queries for which a most recently added IP address in the hierarchical grouping has at least first and second levels of domain names in common with another IP address in the hierarchical grouping; and (b3) identifying each highest-level hierarchical grouping having its determined percentage more than a specified percentage threshold as a candidate cluster of hosts; and (c) determining that one or more of the candidate clusters correspond to malicious software agents.” Para 0100 “Next, at step 1003, one or more malicious software 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of defending against a Domain Name System (DNS)-based attack of Ranjan to including in response to determining that the measure of the amount of data relating to the DNS queries containing the common domain name exceeds the threshold, trigger countermeasure, as taught by Cao.
The motivation would have been to determine the amount of data relating to the DNS queries to properly identify potential attacks. 

Ranjan in view of Cao does not disclose:
wherein a countermeasure action includes modifying software components of an electronic device or a plurality of electronic devices

Stemm discloses:
wherein a countermeasure action includes modifying software components of an electronic device or a plurality of electronic devices (para 0041 “The set 123 of "bad" strings may be used to improve computer security. For example, the computing device 110 may provide the set 123 of "bad" strings to a may disable access or modification of records (e.g., the DNS records 131) in a DNS database (e.g., the DNS database 130) based on queries/requests associated with items included in the set 123 of "bad" strings.”)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of defending against a Domain Name System (DNS)-based attack of Ranjan in view of Cao to include a countermeasure action includes modifying software components of an electronic device or a plurality of electronic devices, trigger countermeasure, as taught by Stemm.


As per claim 2, Ranjan in view of Cao and Stemm discloses:
The non-transitory machine-readable storage medium of claim 1, wherein the measure of the amount of data relating to the DNS queries comprises a count of a number of the DNS queries (Ranjan Col. 14 Lines 46-55). 

As per claim 4, Ranjan in view of Cao and Stemm discloses:
The non-transitory machine-readable storage medium of claim 2, wherein the count of the number of the DNS queries exceeding the threshold (Ranjan Col. 9 Lines 55-60 and Col. 12 Lines 19-27)
indicates a denial- of-service attack (Cao para 0005 and 0106).

As per claim 5, Ranjan in view of Cao and Stemm discloses:
The non-transitory machine-readable storage medium of claim 2, wherein the count of the number of the DNS queries exceeding the threshold (Ranjan Col. 9 Lines 55-60 and Col. 12 Lines 19-27)
indicates a denial- of-service attack against a name server (Cao para 0005, 0014 and 0106).

As per claim 6, Ranjan in view of Cao and Stemm discloses:


As per claim 7, Ranjan in view of Cao and Stemm discloses:
The non-transitory machine-readable storage medium of claim 1, wherein the measure of the amount of data relating to the DNS queries comprises an aggregate measure of the amount of data relating to the DNS queries received from a plurality of electronic devices (Ranjan Figs. 1 and 2, Col. 5 Lines 4-37). 

As per claim 9, Ranjan in view of Cao and Stemm discloses:
The non-transitory machine-readable storage medium of claim 1, wherein the instructions upon execution cause the DNS server to: in response to determining that the measure of the amount of data relating to the DNS queries containing the common domain name exceeds the threshold, indicate a data exfiltration threat (Ranjan Fig. 2). 

As per claim 11, Ranjan in view of Cao and Stemm discloses:
The non-transitory machine-readable storage medium of claim 1, wherein the instructions upon execution cause the DNS server to: detect unauthorized access of a resource by an electronic device in response to a DNS query from the electronic device (Ranjan Fig. 2).
As per claim 21, Ranjan in view of Cao and Stemm discloses:
The non-transitory machine-readable storage medium of claim 1, wherein modifying software components of the electronic device or the plurality of electronic devices includes deleting previous software components and re-stalling new software components (Stemm para 0041 “As yet another example, the DDoS mitigation application 143 may ignore or otherwise dispose of DNS queries associated with an item included in the set 123 of "bad" strings, which may enable mitigating a DDoS attack caused by receiving a large number of queries associated with "bad" hostnames or servers. As yet another example, the DNS security application 144 may disable access or modification of records (e.g., the DNS records 131) in a DNS database (e.g., the DNS database 130) based on queries/requests associated with items included in the set 123 of "bad" strings.”).  

4. 	Claim 12-15, 17- 20 and 22 are rejected under 35 U.S.C. 103 as being unpatentable over Ranjan in view of U.S. Publication No. 2017/0295196 hereinafter Arnell and further in view of Stemm

As per claim 12, Ranjan discloses:
A method of defending against a Domain Name System (DNS)-based attack (Col. 2 Lines 51-54 “In general, in one aspect, the invention relates to a non-transitory computer readable medium storing instructions for detecting automatically generated malicious domain names in a network.”), comprising:
Col. 5 Lines 31-34 “In one or more embodiments, certain device(s) (e.g., DNS filters (115)) within the computer network (110) may be configured to sanction (e.g., passing or blocking) DNS traffic (e.g., DNS queries, not shown) based on information from the malicious domain name detecting tool (120).");
determining, by the DNS server, whether a network address associated with the DNS query belongs to the network (Fig. 2, Col. 10 Lines 26- 43 “As shown in FIG. 2, initially in Step 201, DNS queries sharing a common attribute in the computer network are identified. In one or more embodiments, the DNS queries sharing a common attribute are identified and/or extracted from the network trace under investigation described above for analysis to detect malicious domain names. In one or more embodiments, the DNS queries sharing a common attribute are identified and/or extracted from the reference dataset described above to fine tune the malicious domain name detection. In either scenario, the common attribute may be (1) a top level domain name corresponding to the DNS queries, (2) an IP address that each of the DNS queries is mapped to, (3) a connected component that each of the DNS queries belongs to, or (4) other suitable attributes. Typically, a DSN query includes a domain name preceded by a string "DNS query". Accordingly, the terms "DNS query" and "domain name" may be used interchangeably throughout this document based on the context.”);
and in response to determining that the network address associated with the DNS query (Col. 11 Lines 1 -15), 
Col. 16 Lines 45-47 “Returning to FIG. 2, in STEP 205, a source node of DNS queries labeled as malicious is identified in the computer network in response to generating the alert in Step 204.” Col. 16 Line 57- Col. 17 Line 3 “In Step 206, a network security operation with respect to the source node is performed with the facilitation based on the alert identifying the grouped test domain as containing domain names automatically generated for malicious activities. For example, a DNS server may be configured to block certain domain names by specifying the blocked domain names in the DNS server policy, referred to as domain blacklisting. Further, a network router may be configured to intercept and selectively block DNS traffic (e.g., DNS queries and/or replies) passing over the computer network or a portion thereof. In particular, one or more network router(s) located logically between the DNS server and the source node (e.g., a bot) sending the malicious DNS queries may be configured to block such bot-generated DNS queries.”). 

Ranjan does not disclose:
in response to determining that the network address associated with the DNS query belongs to a different network 
wherein a countermeasure action includes modifying software components of an electronic device or a plurality of electronic devices

Arnell discloses:
para 0017 “Characteristics that may be indicative of an anomaly include, by way of example, a change in the DNS configuration of a client device, the volume of DNS query traffic being sent from a particular client computing device, the length of DNS events toward a specific destination, pseudo-randomly generated domain names being queried, unrecognized domain name(s) being queried, and mismatches between externally resolved IP addresses and IP addresses resolved by a trusted DNS source, to name a few.”)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of defending against a Domain Name System (DNS)-based attack of Ranjan to include in response to determining that the network address associated with the DNS query belongs to a different network, trigger countermeasure, as taught by Arnell.
The motivation would have been to determining that the network address associated with the DNS query belongs to a different network to properly identify potential attacks.

Ranjan in view of Arnell does not disclose:
wherein a countermeasure action includes modifying software components of an electronic device or a plurality of electronic devices

Stemm discloses:
wherein a countermeasure action includes modifying software components of an electronic device or a plurality of electronic devices (para 0041 “The set 123 of "bad" strings may be used to improve computer security. For example, the computing device 110 may provide the set 123 of "bad" strings to a mobile security application 141, an e-mail security application 142, a DDoS mitigation application 143, a DNS security application 144, and/or other applications/devices. The applications 141-144 may use the set 123 of "bad" strings to make security decisions regarding Internet traffic processed by the applications 141-144. As an example, the mobile security application 141 may restrict or place increased security measures on traffic that is determined to be associated with an item included in the set 123 of "bad" strings. As another example, the e-mail security application 142 may block incoming e-mails from sources included in the set 123 of "bad" strings. As yet another example, the DDoS mitigation application 143 may ignore or otherwise dispose of DNS queries associated with an item included in the set 123 of "bad" strings, which may enable mitigating a DDoS attack caused by receiving a large number of queries associated with "bad" hostnames or servers. As yet another example, the DNS security application 144 may disable access or modification of records (e.g., the DNS records 131) in a DNS database (e.g., the DNS database 130) based on queries/requests associated with items included in the set 123 of "bad" strings.”)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of 
The motivation would have been to modify software components to properly mitigate a potential DNS/DDOS attack. 

As per claim 13, Ranjan in view of Arnell and Stemm discloses:
The method of claim 12, wherein the network address is a source network address identifying a source of the DNS query (Arnell para 0013). 

As per claim 14, Ranjan in view of Arnell and Stemm discloses:
The method of claim 13, wherein the electronic device is part of the network, and the source network address identifies an entity external of the network (Arnell para 0031). 

As per claim 15, Ranjan in view of Arnell and Stemm discloses:
The method of claim 12, further comprising: in response to determining that the network address associated with the DNS query belongs to a different network, indicate occurrence of a DNS amplification attack (Arnell para 0017 and 0031). 

As per claim 17, Ranjan discloses:
Col. 6 Lines 7-16 “For example, the DNS filters (115) may include a DNS server configured to block certain domain names by specifying the blocked domain names in the DNS server policy, i.e., domain blacklisting. Further, the DNS filters (115) may include a network router that intercept and selectively block DNS traffic (e.g., DNS queries and/or replies) passing over the computer network (110) or a portion thereof.”), comprising:
a processor; and a non-transitory machine-readable storage medium storing instructions executable on the processor (Col. 2 Lines 51-65 “In general, in one aspect, the invention relates to a non-transitory computer readable medium storing instructions for detecting automatically generated malicious domain names in a network. The instructions when executed by a processor of a computer includes functionality for identifying a plurality of domain name service (DNS) queries in the network, wherein the plurality of DNS queries share a common attribute, analyzing, using a central processing unit (CPU) of a computer, the plurality of DNS queries to identify a plurality of alphanumeric elements embedded in a set of domain names associated with the plurality of DNS queries, analyzing, using the CPU, the plurality of alphanumeric elements to determine a distribution metric of the set of domain names, and generating an alert based on the distribution metric according to a pre- determined criterion.”) to: 
receive, over a network, DNS queries containing domain names (Col. 5 Lines 31-34 “In one or more embodiments, certain device(s) (e.g., DNS filters 
extract a top level domain name shared by the domain names (Col. 8 Lines 18- 31 “In one or more embodiments, the detection module (122) includes the grouping module (124) that is configured to partition the obtained DNS queries into groups based on common attributes. In one or more embodiments, DNS queries in a partitioned group share a common top level domain name corresponding to the DNS queries. In one or more embodiments, DNS queries in a partitioned group share a common IP address that the DNS queries map to. In one or more embodiments, DNS queries in a partitioned group belong to a common connected component in an IP-domain bipartite graph of the DNS queries. In such embodiments, the connected component is identified by performing connected component analysis of the IP-domain bipartite graph of the DNS queries.”)
determine whether a measure of an amount of data relating to the DNS queries containing the top level domain name exceeds a threshold (Col. 9 Lines 55-60 “In one or more embodiments, the network trace is analyzed in a training phase, and referred to as a reference dataset, to fine tune pre- determined parameters (e.g., based distribution, pre-determined threshold, weights, regularization parameter, etc. described below) used in detecting malicious domain names. Example reference dataset includes the non-malicious ISP dataset, non-malicious DNS dataset, and malicious datasets described below.” Col. 12 Lines 19-27 “In Step 204, an alert is generated based on the distribution metric according to a pre-determined criterion. In one or more embodiment, the pre-determined criterion includes pre-determined parameters that are fine-tuned during a training phase such that the alert represents, with acceptable (based on a pre-defined level) false positive rates, detection of malicious domain names indicating malicious activities (e.g., domain fluxing from botnet or spam activities) in the computer network.”);
and in response to determining that the measure of the amount of data relating to the DNS queries containing the top level domain name exceeds the threshold (Col. 11 Lines 1-15),
trigger a countermeasure (Col. 16 Lines 45-47) 

Ranjan does not disclose:
trigger a countermeasure action to address a threat associated with the DNS queries 
wherein a countermeasure action includes modifying software components of an electronic device or a plurality of electronic devices

Arnell discloses:
trigger a countermeasure action to address a threat associated with the DNS queries (para 0048 “Data specifying the DNS anomaly is provided to a user device (308). In some implementations, the user device is internal to the private network, e.g., a computing device of a private network administrator.”)

The motivation would have been to trigger a countermeasure action to properly address a threat within a network. 

Ranjan in view of Arnell does not disclose:
wherein a countermeasure action includes modifying software components of an electronic device or a plurality of electronic devices

Stemm discloses:
wherein a countermeasure action includes modifying software components of an electronic device or a plurality of electronic devices (para 0041 “The set 123 of "bad" strings may be used to improve computer security. For example, the computing device 110 may provide the set 123 of "bad" strings to a mobile security application 141, an e-mail security application 142, a DDoS mitigation application 143, a DNS security application 144, and/or other applications/devices. The applications 141-144 may use the set 123 of "bad" strings to make security decisions regarding Internet traffic processed by the applications 141-144. As an example, the mobile security application 141 may restrict or place increased security measures on traffic that is determined to be may disable access or modification of records (e.g., the DNS records 131) in a DNS database (e.g., the DNS database 130) based on queries/requests associated with items included in the set 123 of "bad" strings.”)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of defending against a Domain Name System (DNS)-based attack of Ranjan in view of Arnell to include a countermeasure action includes modifying software components of an electronic device or a plurality of electronic devices, trigger countermeasure, as taught by Stemm.
The motivation would have been to modify software components to properly mitigate a potential DNS/DDOS attack. 

As per claim 18, Ranjan in view of Arnell and Stemm discloses:
The DNS server of claim 17, wherein the instructions are executable on the processor to: in response to determining that the measure of the amount of data relating to the DNS queries containing the top level domain name exceeds 
indicate occurrence of a denial-of-service attack (Arnell para 0031).

As per claim 19, Ranjan in view of Arnell and Stemm discloses:
The DNS server of claim 17, wherein the instructions are executable on the processor to: in response to determining that the measure of the amount of data relating to the DNS queries containing the top level domain name exceeds the threshold, indicate occurrence of data exfiltration (Ranjan Col. 9 Lines 55-60 and Col. 12 Lines 19-27) and (Arnell para 0031).

As per claim 20, Ranjan in view of Arnell and Stemm discloses:
The DNS server of claim 17, wherein the instructions are executable on
the processor to: receive a DNS query from an electronic device over the network; determine whether a network address associated with the DNS query belongs to the network; and in response to determining that the network address associated with the DNS query belongs to a different network, trigger a countermeasure action to address a threat associated with the DNS query (Ranjan Fig. 2, Col. 16 Lines 45-47 and Col. 16 Line 57- Col. 17 Line 3) and (Arnell para 0017).

As per claim 22, Ranjan in view of Arnell and Stemm discloses:
Stemm para 0041 “As yet another example, the DDoS mitigation application 143 may ignore or otherwise dispose of DNS queries associated with an item included in the set 123 of "bad" strings, which may enable mitigating a DDoS attack caused by receiving a large number of queries associated with "bad" hostnames or servers. As yet another example, the DNS security application 144 may disable access or modification of records (e.g., the DNS records 131) in a DNS database (e.g., the DNS database 130) based on queries/requests associated with items included in the set 123 of "bad" strings.”).  

5. 	Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Ranjan in view of Cao, and further in view of Stemm, and further in view of U.S. Patent No. 9325735 hereinafter Xie. 

As per claim 3, Ranjan in view of Cao and Stemm discloses: 
The non-transitory machine-readable storage medium of claim 1, wherein the count of the number of the DNS queries comprises a count of the number of the DNS queries (Ranjan Col. 14 Lines 46-55) 

Ranjan in view of Cao and Stemm does not disclose: 


Xie discloses: 
a count of the number of the DNS queries that resulted in a cache miss at the DNS server (Col. 6 Lines 26-48 “In one embodiment, selective sinkholing of malware domains by a security device via DNS poisoning further includes generating a spoofed DNS query response, in which a local DNS server cache is polluted with the designated sinkholed IP address for the bad network domain. In particular, sinkholing DNS queries can include forging responses to select DNS queries so that clients on the network connect to a specified host rather than the actual host pointed to by DNS. For example, the security device can be configured to generate a spoofed DNS query response (e.g., using a predetermined IP address for a bad network domain, such as www. botnet- malware-domain.com) to the DNS query as a mechanism to pollute a cache of a local DNS server. In some implementations, the time to live (TTL) for the DNS query response (e.g., a spoofed DNS query response) can be set to a predetermined period of time, such as 1 second (TTL=1) in order to require subsequent queries from local hosts to the local DNS server for that bad network domain to have to result in a local DNS server cache miss so that another DNS query is communicated to a public DNS server in order to allow the security device to intercept any such subsequent DNS queries for that bad network domain from that host or other local hosts.”)

The motivation would have been to properly identify a cache miss based on DNS count.

6. 	Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Ranjan in view of Cao, and further in view of Stemm, and further in view of U.S. Publication No. 20180351972 hereinafter Yu. 

As per claim 8, Ranjan in view of Cao and Stemm discloses: 
The non-transitory machine-readable storage medium of claim 1, wherein the instructions upon execution cause the DNS server to: use a Bloom filter to determine whether a domain name of a DNS query is in a set of domain names received previously by the DNS server (Ranjan Fig. 2, Col. 6 Lines 3-32). 

Ranjan in view of Cao and Stemm does not disclose: 
use a Bloom filter to determine whether a domain name of a DNS query 

Yu discloses: 
para 0055 “FIG. 1A depicts how a classifier 104 can be deployed for inline DGA detection, showing a transaction with an infected client host or client host 106. Client host 106 performs a DNS query as shown at 112. If the DNS query is not resolved by a DNS server 102, then DNS server 102 sends an NXDomain response as shown at 114. Domains which resolve at DNS server 102 are checked as shown at 116 to predict if they are malicious using classifier 104. Benign and NXDomain responses can be returned to client host 106 as shown at 118 while potentially malicious responses are blocked as shown at 120 to impede communication with a C&C server (e.g., as a result of the host IP address being predicted to be malicious by classifier 104).” Para 0056 “FIG. 1B depicts how a classifier can be deployed for providing an inline DGA detection component as shown at 154. Client host 156 is in communication with a DNS server policy engine as shown at 152 for performing DNS queries. For example, if client 156 sends a DNS query (e.g., A/AAAA query) to DNS server policy engine 152, and if not cached, then DNS server policy engine 152 forwards the DNS query to an upper recursion 162 and also to an inline DGA detection component 154. If DNS server policy engine 152 receives a DNS response from upper recursion 162 and inline DGA detection timed out, then the DNS response is sent back to client 156. Inline DGA detection 154 checks a bloom filter 158 to determine if positive (i.e., this particular DNS query is likely in the set of DNS queries maintained by the bloom filter), then return null; otherwise, the bloom filter result is negative (i.e., this particular DNS query is definitely not in the set of 

The motivation would have been to use a properly filter to accurately identify a domain name.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 5712723972.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.