Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
Claims 1-21 are pending.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

Claims 1-21 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Qi et al. (BotCensor: Detecting DGA-Based Botnet Using Two-Stage Anomaly Detection, 2018 17th IEEE International Conference on Trust, Security and Privacy in Computing and Communications/ 12th IEEE International Conference on Big Data Science and Engineering, August 1, 2018, Pages 754-762; cited on IDS dated 3/24/2021), hereafter, “Qi.”

As to claim 1, Qi discloses a system, comprising:  a processor configured to (page 754, Abstract): 
receive a DNS query (Fig. 2, and page 756, right column, 3rd paragraph, particularly, “The first-stage anomaly detection mainly analyzes domain names extracted from DNS traffic as seen from the above layer in Figure 2.”);
perform Markov Chain analysis on a domain included in the received query (page 756, left column, particularly, “For convenience we exploit the First-order Markov chain to model our first-stage anomaly detection. It is well known that a domain name d consists of a set of labels separated by dots, for example, www.domain.com...”); and
determine whether the received query implicates an algorithmically generated domain based at least in part on a result of the Markov Chain analysis (page 756, left column last paragraph, “As shown in the lower part of the Figure 2, the second-stage anomaly detection mainly focuses on differentiating DGA-bots from legitimate hosts.” and Abstract, particularly, “In this paper, we present BotCensor, a new system that can determine if a host is infected with certain DGA malware with two-stage anomaly detection.”); and 
a memory coupled to the processor and configured to provide the processor with instructions (page 754, Abstract).

As to claims 15 and 21, they are rejected by a similar rationale to that set forth in claim 1’s rejection.

As to claims 2 and 16, Qi discloses determining whether the received query implicates an algorithmically generated domain includes evaluating historical resolution information (page 756-757, section B, particularly, “Most of the DGA-generated domains that a bot queries would 

As to claims 3 and 17, Qi discloses the historical resolution information comprises a count of resolutions (page 756-757, section B, particularly, “The number of DNS queries sent by DGA-bots is different from that by legitimate users in confined time. Besides, DGA-bots regularly request AGDs e.g., Zeusbots sent a DNS request every five seconds, but in contrast the randomness of legitimate users query a DNS is more strong…Feature 1: the rate of successful DNS responses to DNS queries within limited time.”).

As to claims 4 and 18, Qi discloses the historical resolution information comprises an interval between a first resolution and a last resolution (page 756-757, section B, particularly, “The number of DNS queries sent by DGA-bots is different from that by legitimate users in confined time. Besides, DGA-bots regularly request AGDs e.g., Zeusbots sent a DNS request every five seconds, but in contrast the randomness of legitimate users query a DNS is more strong…Feature 1: the rate of successful DNS responses to DNS queries within limited time.”).

As to claims 5 and 19, Qi discloses the Markov Chain model is trained at least in part using a set of known algorithmically generated domains (page 757, section A, particularly, “Hence BotCensor requires a mass of legitimate domain data as training dataset and malicious domain data as testing dataset in the first anomaly detection process.”).

As to claim 6, Qi discloses the Markov Chain model is trained at least in part using a set of known benign domains (page 757, section A, particularly, “Hence BotCensor requires a mass of 

As to claims 7 and 20, Qi discloses the processor is further configured to determine whether the domain is associated with a family of algorithmically generated domains (page 754, right column, particularly, “Besides, it is unreasonable that they employ NXdomain [17] replies alone to infer the families of AGDs.”).

As to claim 8, Qi discloses determining whether the domain is associated with the family of algorithmically generated domains includes using a random forest trained using features extracted from algorithmically generated domain families (page 756-757, section B, particularly, “After the feature extraction, we exploit three novelty detection algorithms (i.e., One-Class SVM with non-linear kernel (RBF) [29], Isolation Forest [30], Multivariate Gaussian [31]) to identify the abnormal hosts i.e., DGA-bots.”).

As to claim 9, Qi discloses at least one feature comprises a domain suffix (page 756, section A).

 As to claim 10, Qi discloses at least one feature comprises a count of hyphens (page 756-757, section B, particularly, “Note that we only consider the first level of a chosen prefix such as domain.com referring to [28]. Literally, a domain actually consists of 26 English letters, 10 numbers, ’-’ and a period.”).

As to claim 11, Qi discloses at least one feature comprises a domain length (page 756-757, section B, particularly, “Therefore the probability of any domain can be computed according to 

As to claim 12, Qi discloses at least one feature comprises a distinct number of characters (page 756-757, section B, particularly, “Literally, a domain actually consists of 26 English letters, 10 numbers, ’-’ and a period. Hence, a shining and intuitive idea is that we can regard 38 elements (i.e., 26 English letters, 10 numbers, ’-’ and a period) as 38 states, and the transition matrix A (as shown in Equation 6) contains the transition probabilities of any two states.”).

As to claim 13, Qi discloses at least one feature comprises a ratio of digits to other characters (page 756-757, section B, particularly, “Literally, a domain actually consists of 26 English letters, 10 numbers, ’-’ and a period. Hence, a shining and intuitive idea is that we can regard 38 elements (i.e., 26 English letters, 10 numbers, ’-’ and a period) as 38 states, and the transition matrix A (as shown in Equation 6) contains the transition probabilities of any two states.”).

As to claim 14, Qi discloses at least one feature comprises whether the first character of a root domain is a digit (page 756-757, section B, particularly, “Literally, a domain actually consists of 26 English letters, 10 numbers, ’-’ and a period. Hence, a shining and intuitive idea is that we can regard 38 elements (i.e., 26 English letters, 10 numbers, ’-’ and a period) as 38 states, and the transition matrix A (as shown in Equation 6) contains the transition probabilities of any two states.”).
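To make the Markov Chain rationale applied to claim 1 and the lexical features recited in claims 9-14 concrete, the following illustration is added here; it is not part of this Office action, of the application, or of Qi's BotCensor implementation. It estimates a 38-state transition matrix from a constructed set of benign domains and scores a query domain; the smoothing constant, the sample domains and the threshold are assumptions.

```python
import math

# The 38 states named in Qi: 26 letters, 10 digits, hyphen and period.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-."
STATE = {c: i for i, c in enumerate(ALPHABET)}

# Constructed stand-in for the "mass of legitimate domain data" used as training set (assumption).
BENIGN = ["www.example.com", "mail.google.com", "news.bbc.co.uk",
          "store.apple.com", "en.wikipedia.org", "docs.python.org"]

def train_markov(domains, alpha=1.0):
    """Estimate the 38x38 transition matrix A of a first-order Markov chain.
    Each row is add-alpha smoothed so unseen transitions keep a small nonzero probability."""
    counts = [[alpha] * len(ALPHABET) for _ in ALPHABET]
    for d in domains:
        d = d.lower()
        for a, b in zip(d, d[1:]):
            counts[STATE[a]][STATE[b]] += 1
    return [[c / sum(row) for c in row] for row in counts]

def markov_score(A, domain):
    """Mean log transition probability over the domain's character pairs.
    Characters outside the 38 states are skipped; lower scores are less like the training data."""
    d = domain.lower()
    pairs = [(STATE[a], STATE[b]) for a, b in zip(d, d[1:]) if a in STATE and b in STATE]
    if not pairs:
        return float("-inf")
    return sum(math.log(A[i][j]) for i, j in pairs) / len(pairs)

def lexical_features(domain):
    """Per-domain features of the kind recited in claims 9-14: suffix, hyphen count, length,
    distinct characters, ratio of digits to other characters, root domain starting with a digit."""
    d = domain.lower().strip(".")
    labels = d.split(".")
    root = labels[-2] if len(labels) >= 2 else labels[0]
    digits = sum(c.isdigit() for c in d)
    return {
        "suffix": labels[-1],
        "hyphens": d.count("-"),
        "length": len(d),
        "distinct_chars": len(set(d)),
        "digit_ratio": digits / max(1, len(d) - digits),
        "root_starts_with_digit": root[:1].isdigit(),
    }

def implicates_agd(A, domain, threshold):
    """First-stage decision: flag the query when its Markov score falls below an assumed threshold."""
    return markov_score(A, domain) < threshold

if __name__ == "__main__":
    A = train_markov(BENIGN)
    for q in ["www.example.com", "xq7zk9vbw-3.com"]:
        print(q, round(markov_score(A, q), 3), lexical_features(q))
```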
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
US Pat. 8,260,914 (Ranjan) – The method involves identifying multiple domain name service queries in the network, where the multiple domain name service queries share a common attribute. A central processing unit is provided for analyzing a computer. The central processing unit also analyzes alphanumeric elements to determine a distribution metric of the set of domain names.
US Pub. No. 2018/0124020 (Rodriguez et al) – The method involves determining a first set of domain generation algorithm (DGA) predictions for a domain name by analyzing extracted lexical features of the domain name using a first ensemble of decision trees. A second set of DGA predictions is determined for the domain name by analyzing the features of a cluster of related domain names to which the domain name belongs using a second ensemble of decision trees. A DGA associated with the domain name is predicted based on the sets of predictions. Performance of a security action is caused based on the DGA associated with the domain name.
US Pub. No. 2016/0065611 (Fakeri-Tabrizi et al) – The method involves receiving first DNS data. A first DNS request is received and is associated with a domain name. Multiple second DNS requests are received from the multiple DNS requests. A count value for each of the DNS data fragments is calculated. An anomaly trend is determined based on the count values of the second DNS requests associated with multiple DNS data fragments.
US Pub. No. 2011/0191423 (Krasser et al) – The device has a reputation server for deriving a reputation for a set of network identifiers, where the reputation of each 
US Pat. 10,848,509 (McNab et al) – The apparatus comprises a processor and a memory connected to the processor. The memory stores instructions executed by the processor to receive domain name system (DNS) query event data. The instructions to classify Fully Qualified Domain Name (FQDN) values include instructions to resolve FQDN values (200). The instructions to identify perplexing labels include instructions to treat an FQDN label as a Markov chain and to apply a probability model to the FQDN label. The instructions to identify anomalous behavior include instructions to identify excessive traffic from a domain deemed to be associated with a domain generation algorithm.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to THOMAS J DAILEY whose telephone number is (571)270-1246.  The examiner can normally be reached on 9:30am-6:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Thu Nguyen can be reached on 571-272-6967.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Thomas J Dailey/
Primary Examiner, Art Unit 2452