DETAILED ACTION
The following is non-final office action in response to applicant’s RCE filed on 06/28/2021 for response of office action mailed on 04/26/2021. Claim 1, 4, 7-9, 12-19, and 21 are amended. Claim 5 and claim 20 are cancelled previously. No new claim is added.  Claims 1-4, 6-19 and 21-22 are pending.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 06/28/2021 has been entered.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claim Objections
Claim 1 is objected because of the following informalities:
In line 20, claim recites “a first user profiling result”. In line 22, claim recites “the first profiling result”. Examiner suggests to replace “a first user profiling result” with - - a first profiling result - - to be consistent with claim 9 and 17.  

Response to Arguments
Applicant’s amendments to independent claims 1, 9 and 17 filed on 06/28/2021, with respect to claim rejection under 35 U.S.C 103 have been considered.
Applicant’s arguments on independent claim 1, filed on 06/28/2021, have been considered and they are not persuasive.
As provided in further detail below, applicant’s arguments regarding that the references fail to show certain features are unpersuasive in view of the grounds of rejection discussed in detail. Please note that during patent examination, the pending claims even when interpreted in view of the specification must be “given their broadest reasonable interpretation.” Phillips v. AWH Corp., 415 F.3d 1303, 1316, 75 USPQ2d 1321, 1329 (Fed. Cir. 2005), In re Am. Acad, of Sci. Tech. Ctr., 367 F.3d 1359, 1364, 70 USPQ2d 1827, 1830] (Fed. Cir. 2004). As such, although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims.
Regarding argument on claim 1 on page 9-10, claim 1 is amended with new limitation, receiving content categorization data; determining a first score based on (i) one or more domain names specified in the first data partition, (ii) the content categorization data, and (iii) at least one scoring criteria, wherein the first data partition corresponds to a first user name in the one or more user names. Applicant argues that “none of the cited references, alone or in combination, teaches or suggests” these new limitations. In detail, applicant states that Manadhata does not disclose that infection score generation logic generates an infection score that is based on combination of domain names and content categorization data to generate a score for the user. Examiner carefully reviewed applicant’s argument but respectfully disagree. First, applicant discloses an example for content categorization data is the domain names of social networking websites. Second, Manadhata teaches calculating infection score based on each user’s query profile (Para. 0022). Third, Manadhata teaches the query profile tracks receiving content categorization data; determining a first score based on (i) one or more domain names specified in the first data partition, (ii) the content categorization data, and (iii) at least one scoring criteria, wherein the first data partition corresponds to a first user name in the one or more user names.
Applicant presents no further arguments. 


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.

4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claim 1-3, 6, 8-11, 13-19, and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Manadhata (US20170323102) in view of Ramachandran et al. (US20160080212, hereinafter Ram). 
Regarding claim 1, 9 and 17, Manadhata teaches a computer-implemented method for profiling domain name service (DNS) traffic, the method comprising: receiving DNS transaction data that is associated with DNS logging operations performed by a DNS server (Manadhata: claim 1: based on domain name system (DNS) queries sent from the members of the set of client; Para. 0010: System 100 includes an observation logic 130. Observation logic may inspect DNS packets (e.g., DNS request packets 122). DNS packets 122 may be retrieved from a data stream 190 between a client (e.g., client 112) and a DNS server 199. Figure 1 illustrates two data streams 190, including a DNS request stream of DNS request packets sent from clients to DNS server 199 and a DNS response stream of DNS response packets sent from DNS server 99 to clients. To prevent slowdown of traffic in the network, the packet may be copied from a data stream 190 to system 100 by, for example, a network tap 195) (examiner note: copying DNS packets to the system is equivalent to logging); receiving identification data that associates a first set of identification data including multiple Internet Protocol (IP) addresses to second set of identification data including one or more user (Manadhata: Para. 0010: client 112 sent DNS request packets 122 requesting internet protocol (IP) addresses associated with 4 domain names. Additionally, each of these domains may be associated with zero, one, or several internet protocol (IP) addresses. Though DNS request packets having single domain names are shown, there may be situations where a DNS request packet contains several domain names. In this case, data may be tracked for each individual domain contained in a DNS request packet, and for groupings of IP addresses provided in DNS response packets; Para.0017: query profiles (e.g., profile 142) may track numbers of types of IP addresses received by clients (e.g., client 112) from DNS servers (e.g., DNS server 199) in DNS response packets. These types of IP address may include, for example, blacklisted IP addresses, whitelisted IP addresses, grey IP addresses); partitioning, based on the second set of identification data, the DNS transaction data into a plurality of data partitions, wherein a given data partition included in the plurality of data partitions corresponds to a distinct user included in the second set of identification data (Manadhata: Para. 0015: observation logic 130 may inspect DNS request packets (e.g., DNS request packets 122) and DNS response packets and maintain a query profile associated with the client based on contents of the DNS request packets and DNS response packets. In this example, profile 142 is associated with client 112, profile 144 is associated with client 114, and profile 146 is associated with client 116; Para. 0017: Though profiles 142, 144, and 146 are only illustrated as tracking numbers of whitelisted, blacklisted, and grey domains from DNS request packets, many other metrics may be tracked within the query profiles. In addition to tracking numbers of various types of domains requested in DNS request packets, query profiles (e.g., profile 142) may track numbers of types of IP addresses received by clients (e.g., client 112) from DNS servers (e.g., DNS server 199) in DNS response packets;

    PNG
    media_image1.png
    116
    204
    media_image1.png
    Greyscale
; for a first data partition included in the plurality of data partitions, receiving content categorization data (Manadhata: Para. 0011: the domain names are categorized as being associated with whitelisted domains (e.g., [good1].com, [good2].com), blacklisted domains (e.g., [bad1].com), and grey domains (e.g., [grey1].com). IP addresses may also be similarly categorized; Para.0017: query profiles (e.g., profile 142) may track numbers of types of IP addresses received by clients (e.g., client 112) from DNS servers (e.g., DNS server 199) in DNS response packets. These types of IP address may include, for example, blacklisted IP addresses, whitelisted IP addresses, grey IP addresses; Para. 0022: periodically, the query profiles (e.g., profile 142, profile 144, and profile 146) may be run through an infection score generation logic 150. Infection score generation logic 150 may generate infection scores for each of the clients based on their respective query profiles); determining a first score based on (i) one or more domain names specified in the first data partition, (ii) the content categorization data, and (iii) at least one scoring criteria, wherein the first data partition corresponds to a first user in the one or more users (Manadhata: Para. 0022: periodically, the query profiles (e.g., profile 142, profile 144, and profile 146) may be run through an infection score generation logic 150. Infection score generation logic 150 may generate infection scores for each of the clients based on their respective query profiles. In one example, the scores may be generated based on control data 155. Control data 155 may contain data previously retrieved from a set of machines known to be infected and a set of machines known to be free of malware; Para. 0030: the query profiles may track, for their respective members of the set of clients, quantities of types of domain names requested in DNS queries sent from the members of the set of clients. The types of domain names may include, for example, blacklisted domains, whitelisted domains, grey domains; Para. 0011: the domain names are categorized as being associated with whitelisted domains (e.g., [good1].com, [good2].com), blacklisted domains (e.g., [bad1].com), and grey domains (e.g., [grey1].com); Para. 0023: Knowing what types of malware have infected a client may be used for generating infection scores for clients); evaluating the first score based on profiling criteria to categorize the first user with a first user profiling result (Manadhata: Fig.1: Prioritization logic (160); Para. 0026: Once infection scores have been generated by infection score generation logic 150, the infection scores may then be provided to a prioritization logic 160. Prioritization logic 160 may use the infection scores to rank which client should be prioritized for remediation. The ranking may also be based on how important the various machines are to a company implementing system 100. By way of illustration, a client holding sensitive financial data or belonging to the CEO of the company may be considered more important than a client belonging to a salesperson; Para. 0027: Client 112, which was given an infection score of 30% by infection score generation logic 150, has a value of 100, client 114 has an infection score of 40% and a value of 1000, and client 116 has an infection score of 80% and a value of 300. In this example, the priorities are ranked by multiplying infection scores by client value, and consequently client 114 has the highest priority for remediation, followed by client 116, and client 112. Thus, in this example, where the infection score generation logic is generating a score indicating a likelihood of infection, client 114 is prioritized for remediation over client 116 because client 114 has a higher value than client 116 despite the fact that client 116 is much more likely to be infected than client 114; 
Fig. 1: 
    PNG
    media_image2.png
    151
    277
    media_image2.png
    Greyscale
; and causing one or more operations involving the first profiling result to be performed, wherein the one or more operations relate to at least one of: the priorities are ranked by multiplying infection scores by client value, and consequently client 114 has the highest priority for remediation; Claim 11: The DNS based infection scoring system of claim 10, where the prioritization logic causes the remedial action to be performed by one or more of, initiating a logic to perform the remedial action, and providing an alert to an administrator identifying the member of the set of clients and the remedial action; Para. 0039: The remedial action may be, for example, removing malware from the vulnerable member of the set of clients …..The remedial action may include restoring the vulnerable member of the set of clients to a prior state). 
Although Manadhata teaches receiving identification data for each user/client and partitioning DNS data for each user/client (client could be either IP address or user name). Yet, Manadhata does not explicitly teach user name in each related limitations. 
However, in the same field of endeavor, Ram teaches receiving identification data associates user names, mapping between IP address and user name and user identity is user name (Ram: Para. 0544: running WMI roles using WMI with AD may receive specific AD login security events indicating the IP and AD user string ID and AD user numerical ID, and send a IP-to-user mapping events 912, 914 to the multi-tenant controller 122's IP-to-Site Mapping (ISM) service 903. In an example, a WMI Role on a configurable element may receive an AD security event (login event) from AD using WMI. This event may include the IP address and AD ID and name of the user 168 who has logged into AD. The WMI Role may then form a message using this information, and this message may be called as an IP-to-user mapping, and send the message to the multi-tenant controller 122's ISM service 903….. The ISM 903 may send the enriched IP-to-user mapping event 912, 914 to the correct spoke site and also record this IP as belonging to the user in the multi-tenant controller 122 database; Para. 0894:  identity may be specified using a string-based name. Each identity can specify an individual user 168 or device; Para. 0199: IDENTITY—User name/id or Device id).

Regarding claim 2 and 10, combination of Manadhata and Ram teaches the method of claim 1. In addition, Manadhata teaches selecting one or more DNS transactions included in the DNS transaction data that share a first identifying characteristic in the a set of identifying characteristics; and generating the first data partition based on the one or more DNS transactions (Manadhata: Para. 0015: observation logic 130 may inspect DNS request packets (e.g., DNS request packets 122) and DNS response packets and maintain a query profile associated with the client based on contents of the DNS request packets and DNS response packets. In this example, profile 142 is associated with client 112, profile 144 is associated with client 114, and profile 146 is associated with client 116; Para. 0017: Though profiles 142, 144, and 146 are only illustrated as tracking numbers of whitelisted, blacklisted, and grey domains from DNS request packets, many other metrics may be tracked within the query profiles. In addition to tracking numbers of various types of domains requested in DNS request packets, query profiles (e.g., profile 142) may track numbers of types of IP addresses received by clients (e.g., client 112) from DNS servers (e.g., DNS server 199) in DNS response packets; Fig. 1: 
    PNG
    media_image3.png
    181
    319
    media_image3.png
    Greyscale
) (examiner note: Manadhata only teaches partitioning based on client, could be client’s IP or name, but did not explicitly teach based on client/user name).
running WMI roles using WMI with AD may receive specific AD login security events indicating the IP and AD user string ID and AD user numerical ID, and send a IP-to-user mapping events 912, 914 to the multi-tenant controller 122's IP-to-Site Mapping (ISM) service 903. In an example, a WMI Role on a configurable element may receive an AD security event (login event) from AD using WMI. This event may include the IP address and AD ID and name of the user 168 who has logged into AD. The WMI Role may then form a message using this information, and this message may be called as an IP-to-user mapping, and send the message to the multi-tenant controller 122's ISM service 903….. The ISM 903 may send the enriched IP-to-user mapping event 912, 914 to the correct spoke site and also record this IP as belonging to the user in the multi-tenant controller 122 database) (examiner note: combination of Manadhata and Ram teaches partitioning based on client/user name).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the method disclosed by the combination to include mapping between client’s IP and user name as disclosed by Ram. One of ordinary skill in the art would have been motivated to make this modification in order to manage the network traffic flow based on source DNS queries as suggested by Ram (Ram: Para. 0019).
Regarding claim 3, 11 and 18, combination of Manadhata and Ram teaches the method of claim 1. In addition, Manadhata teaches performing one or more comparison operations between one or more DNS transactions included in the DNS transaction data and the identification  data to select one or more DNS transactions; and generating the first data partition based on the one or more selected DNS transactions (Manadhata: Para. 0015: observation logic 130 may inspect DNS request packets (e.g., DNS request packets 122) and DNS response packets and maintain a query profile associated with the client based on contents of the DNS request packets and DNS response packets. In this example, profile 142 is associated with client 112, profile 144 is associated with client 114, and profile 146 is associated with client 116; Para. 0017: Though profiles 142, 144, and 146 are only illustrated as tracking numbers of whitelisted, blacklisted, and grey domains from DNS request packets, many other metrics may be tracked within the query profiles. In addition to tracking numbers of various types of domains requested in DNS request packets, query profiles (e.g., profile 142) may track numbers of types of IP addresses received by clients (e.g., client 112) from DNS servers (e.g., DNS server 199) in DNS response packets) (examiner note: Manadhata only teaches partitioning based on client, did not explicitly teach based on client/user name).
In addition, Ram teaches the mapping between client’s IP and user name (Ram: Para. 0544: running WMI roles using WMI with AD may receive specific AD login security events indicating the IP and AD user string ID and AD user numerical ID, and send a IP-to-user mapping events 912, 914 to the multi-tenant controller 122's IP-to-Site Mapping (ISM) service 903. In an example, a WMI Role on a configurable element may receive an AD security event (login event) from AD using WMI. This event may include the IP address and AD ID and name of the user 168 who has logged into AD. The WMI Role may then form a message using this information, and this message may be called as an IP-to-user mapping, and send the message to the multi-tenant controller 122's ISM service 903….. The ISM 903 may send the enriched IP-to-user mapping event 912, 914 to the correct spoke site and also record this IP as belonging to the user in the multi-tenant controller 122 database) (examiner note: combination of Manadhata and Ram teaches partitioning based on client/user name).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the method disclosed by the combination to include mapping between client’s IP and user name as disclosed by Ram. One of ordinary skill in the art would have been motivated to make this modification in order to manage the network traffic flow based on source DNS queries as suggested by Ram (Ram: Para. 0019).
Regarding claim 6, the rejection of claim 1 is incorporated herein. In addition, Manadhata teaches wherein the DNS transaction data comprises at least one of a DNS query or a DNS response (Manadhata: Para. 0010: “System 100 includes an observation logic 130. Observation logic may inspect DNS packets (e.g., DNS request packets 122). DNS packets 122 may be retrieved from a data stream 190 between a client (e.g., client 112) and a DNS server 199. Figure 1 illustrates two data streams 190, including a DNS request stream of DNS request packets sent from clients to DNS server 199 and a DNS response stream of DNS response packets sent from DNS server 99 to clients”).
Regarding claim 8, the rejection of claim 1 is incorporated herein. In addition, Manadhata teaches wherein evaluating the first score comprises applying the profiling criteria to the first score to generate a profile of network activities (Manadhata: Fig.1: Prioritization logic (160); Para. 0027: “a prioritization logic 160 may be illustrated. Client 112, which was given an infection score of 30% by infection score generation logic 150, has a value of 100, client 114 has an infection score of 40% and a value of 1000, and client 116 has an infection score of 80% and a value of 300. In this example, the priorities are ranked by multiplying infection scores by client value, and consequently client 114 has the highest priority for remediation, followed by client 116, and client 112”).
Regarding claim 13 and 19, the rejection of claim 9 is incorporated herein. In addition, Manadhata teaches wherein determining the first score comprises performing one or more comparison operations between the first data partition and at least one additional data feed based on the at least one scoring criteria (Manadhata: Para. 0045: “Control data set 460 may be used by infection score generation logic 440 when infection score generation logic 440 generates infection scores for members of the set of clients. Specifically, infection score generation logic 440 may compare DNS query profiles 420 to control data set 460 to generate infection scores”; Para. 0046: “Learning logic 470 may modify control data set 460 over time based on the infection scores. By way of illustration, over time, learning logic 470 may detect certain patterns in infection scores based on certain trends in query profiles. Consequently, if these patterns are recognized as being associated with benign activity, control data set 460 may be updated to reduce the likelihood that benign activity is prioritized for remedial action. Conversely, if patterns in infection scores and query profiles begin to indicate that a certain type of activity is associated with a malicious event, control data set 460 may be updated to increase the Likelihood that clients performing the certain type of activity are prioritized for remedial action”).
Regarding claim 14, the rejection of claim 13 is incorporated herein. In addition, Manadhata teaches wherein the at least one additional data feed comprises at least one of (i) a threat feed or (ii) a content categorization feed that includes the content categorization data (Manadhata: Fig. 1, Control data (155); Para. 0022: “Control data 155 may contain data previously retrieved from a set of machines known to be infected and a set of machines known to be free of malware”; Para. 0023: “which may be useful when the control data contains information regarding multiple types of malware”).
Regarding claim 15, the rejection of claim 9 is incorporated herein. In addition, Manadhata teaches wherein determining the first score comprises performing a comparison operation between i) a domain name specified in a DNS query included in the first data partition and ii) a domain name specified in a first scoring criterion that is included in the at least one scoring criteria (Manadhata: Para. 0011: the domain names are categorized as being associated with whitelisted domains (e.g., [good1].com, [good2].com), blacklisted domains (e.g., [bad1].com), and grey domains (e.g., [grey1].com); Para. 0015: In evaluating how likely a client is infected with a malware, observation logic 130 may inspect DNS request packets (e.g., DNS request packets 122) and DNS response packets and maintain a query profile associated with the client based on contents of the DNS request packets and DNS response packets…. As mentioned above, DNS request packets 122, which were sent from client 1 12, contain 2 white-listed domains, 1 blacklisted domain, and one grey domain. Consequently, Observation logic 130 may update profile 142 based on the numbers of types domains in DNS request packets 122”). 
Regarding claim 16, the rejection of claim 9 is incorporated herein. In addition, Manadhata teaches wherein performing one or more operations involving the first profiling result comprises transmitting the first profiling result to a network management tool (Manadhata: Claim 11: The DNS based infection scoring system of claim 10, where the prioritization logic causes the remedial action to be performed by one or more of, initiating a logic to perform the remedial action, and providing an alert to an administrator identifying the member of the set of clients and the remedial action). 
Regarding claim 21, the rejection of claim 1 is incorporated herein. In addition, Manadhata teaches wherein determining the first score comprises generating the first score based on a set of DNS queries associated with the DNS transaction first data partition that were initiated to resolve a first domain name of the one or more domain names (Manadhata: Para. 0015: “observation logic 130 may inspect DNS request packets (e.g., DNS request packets 122) and DNS response packets and maintain a query profile associated with the client based on contents of the DNS request packets and DNS response packets”; Para. 0042: “Infection score generation logic 340 may generate weighted infection scores for members of the set of clients 399. The infection scores may be generated for members of the set of clients 399 based on their respective DNS query profiles 320”; Para. 0001:“The domain name system (DNS) is used to translate web addresses (e.g., www.lexamplej.eom) into internet protocol (IP) addresses”; Para. 0010: “DNS request packets having single domain names are shown, there may be situations where a DNS request packet contains several domain names”).
Claim 4 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Manadhata in view of Ram, and further in view of Rolia et al. (US 20170318037, hereinafter Rolia). 
Regarding claim 4 and 12, combination of Manadhata and Ram teach the method of claim 3. In addition, Ram teaches the one or more user names are included in a set of identifying characteristics identity may be specified using a string-based name. Each identity can specify an individual user 168 or device; Para. 0199: IDENTITY—User name/id or Device id). 
Yet, combination does not teach wherein the set of identifying characteristic further comprises a media access control (MAC) address, or a certificate.
However, in the same field of endeavor, Rolia teaches wherein the set of identifying characteristic further comprises a media access control (MAC) address, or a certificate (Rolia: Para. 0048: identifying characteristics, such as an IP or MAC address, are some examples of data). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the system disclosed by the combination to include wherein the set of identifying characteristic further comprises a media access control (MAC) address, or a certificate as disclosed by Rolia. One of ordinary skill in the art would have been motivated to make this modification in order to manage anomalies as suggested by Rolia (Rolia: Para. 0028). 
Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Manadhata in view of Ram, and further in view of Raghavan (US20150309918).
Regarding claim 7, combination of Manadhata and Ram teach the computer-implemented method of claim 1. 
Yet, the combination does not teach wherein evaluating the first score comprises performing one or more comparison operations between the first score and a predetermined threshold specified in a first profiling criterion that is included in the profiling criteria to determine whether the first score fits a predetermined profile specified in the first profiling criterion.
However, in the same field of endeavor, Raghavan teaches wherein evaluating the first score comprises performing one or more comparison operations between the first score and a predetermined threshold specified in a first profiling criterion that is included in the profiling criteria to determine whether the first score fits a predetermined profile specified in the first profiling criterion (Raghavan: Para. 0044: “The RA 304 determines the risk profile by comparing the risk profile score …..with one or more risk profile predefined threshold values based on one or more conditions or rules”; Para. 0069-0070: “At block 608, the risk profile score (C) is compared with the High risk profile threshold (HRPT). In one embodiment, a determination is made as to whether the risk profile score exceeds or equals the HRPT. If the determination is TRUE, then the method proceeds to block 610 via "YES"…….At block 610, assign high risk profile”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the system disclosed by the combination to include wherein evaluating the first score comprises performing one or more comparison operations between the first score and a predetermined threshold specified in a first profiling criterion that is included in the profiling criteria to determine whether the first score fits a predetermined profile specified in the first profiling criterion as disclosed by Raghavan. One of ordinary skill in the art would have been motivated to make this modification in order to profile the risk level dynamically as suggested by Raghavan (Raghavan: Para. 0006).
Claim 22 is rejected under 35 U.S.C. 103 as being unpatentable over Manadhata , in view of Ram and Rolia, and further in view of Ranjan (US8260914). 
Regarding claim 22, combination of Manadhata, Ram, and Rolia teaches the method of claim 4. 
Yet, the combination does not teach wherein each data partition further corresponds to a different identifying characteristic included in the set of identifying characteristics.
However, in the same field of endeavor, Ranjan teaches wherein each data partition further corresponds to a different identifying characteristic included in the set of identifying characteristics (Ranjan: Col. 8, line 18-31: the detection module (122) includes the grouping module (124) that is configured to partition the obtained DNS queries into groups based on common attributes. In one or more embodiments, DNS queries in a partitioned group share a common top level domain name corresponding to the DNS queries. In one or more embodiments, DNS queries in a partitioned group share a common IP address that the DNS queries map to. In one or more embodiments, DNS queries in a partitioned group belong to a common connected component in an IP-domain bipartite graph of the DNS queries. In such embodiments, the connected component is identified by performing connected component analysis of the IP-domain bipartite graph of the DNS queries). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the method disclosed by the combination to include wherein each data partition further corresponds to a different identifying characteristic as disclosed by Ranjan. One of ordinary skill in the art would have been motivated to make this modification in order to detect malicious domain name in a network as suggested by Ranjan (Ranjan: abstract).


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Weill et al. US20160028607: DNS traffic caching 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to LIN CHANG whose telephone number is (571)272-9998.  The examiner can normally be reached on Monday-Thursday 9AM-6PM EST Friday: Variable.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/L.C./Examiner, Art Unit 2438                                                                                                                                                                                             /TAGHI T ARANI/Supervisory Patent Examiner, Art Unit 2438