Notice of Pre-AIA or AIA Status
1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

EXAMINER'S AMENDMENT
2.	An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.

3.	Authorization for this examiner’s amendment was given in an interview with Sterlon Mason on 10/18/2021.

The application has been amended as follows: 
1. (Currently Amended) A non-transitory machine-readable storage medium comprising instructions to defend against a Domain Name System (DNS)-based attack, the instructions upon execution causing a DNS server to:
receive, over a network, DNS queries containing domain names; 
extract a common domain name shared by the domain names; 
determine whether a measure of an amount of data relating to the DNS queries containing the common domain name exceeds a threshold; and 
in response to determining that the measure of the amount of data relating to the DNS queries containing the common domain name exceeds the threshold, 
wherein the countermeasure action includes re-imaging an electronic device or a plurality of electronic devices including deleting previous software components and re-installing new software components of the electronic device or the plurality of electronic devices from which DNS queries for the common domain names was received.

12. (Currently Amended) A method of defending against a Domain Name System (DNS)-based attack, comprising: 
receiving, by a DNS server, a DNS query from an electronic device over a network; 
determining, by the DNS server, whether a network address associated with the DNS query belongs to the network; and 
in response to determining that the network address associated with the DNS query belongs to a different network, triggering, by the DNS server, a countermeasure action to address a threat associated with the DNS query,
wherein the countermeasure action includes re-imaging an electronic device or a plurality of electronic devices including deleting previous software components and re-installing new software components of the electronic device or the plurality of electronic devices from which DNS queries for the common domain names was received.


receive, over a network, DNS queries containing domain names; 
extract a top level domain name shared by the domain names; 
determine whether a measure of an amount of data relating to the DNS queries containing the top level domain name exceeds a threshold; and 
in response to determining that the measure of the amount of data relating to the DNS queries containing the top level domain name exceeds the threshold, trigger a countermeasure action to address a threat associated with the DNS queries, 
wherein the countermeasure action includes re-imaging an electronic device or a plurality of electronic devices including deleting previous software components and re-installing new software components of the electronic device or the plurality of electronic devices from which DNS queries for the common domain names was received.
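
The detection steps recited in the amended claims above, sketched as an added Python example that is not part of the Office action or the application. It assumes the "measure of an amount of data" is the byte count carried in the labels to the left of the shared domain, that the common domain is the last two labels (one label for the top-level-domain variant), and that the local network is `10.0.0.0/24`; the function names and sample queries are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample input: (source address, queried name). Not real traffic.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.7", "a3f9c2e1b7d4f6a8c0e2b4d6f8a1c3e5.t.exfil.test"),
    ("10.0.0.7", "9b1d3f5a7c9e1b3d5f7a9c1e3b5d7f9a.t.exfil.test"),
    ("10.0.0.7", "c4e6a8b0d2f4a6c8e0b2d4f6a8c0e2b4.t.exfil.test"),
    ("192.0.2.44", "www.example.com"),
]

def common_domain(name, labels=2):
    """Assumption: the shared domain is the last `labels` labels of the name
    (2 for a common domain, 1 for the top level domain)."""
    parts = name.rstrip(".").lower().split(".")
    return ".".join(parts[-labels:])

def evaluate(queries, local_net, threshold_bytes, labels=2):
    """Return (flagged, foreign).
    flagged: shared domain -> local devices whose queries pushed the data
             carried under that domain over the threshold.
    foreign: source addresses that do not belong to local_net."""
    net = ipaddress.ip_network(local_net)
    volume = defaultdict(int)
    sources = defaultdict(set)
    foreign = set()
    for src, name in queries:
        if ipaddress.ip_address(src) not in net:
            foreign.add(src)          # network-membership check
            continue
        dom = common_domain(name, labels)
        prefix = name.rstrip(".")[: -len(dom)].rstrip(".")
        volume[dom] += len(prefix)    # bytes carried left of the shared domain
        sources[dom].add(src)
    flagged = {d: sorted(sources[d])
               for d, v in volume.items() if v > threshold_bytes}
    return flagged, sorted(foreign)

if __name__ == "__main__":
    flagged, foreign = evaluate(SAMPLE_QUERIES, "10.0.0.0/24", 64)
    # The claimed countermeasure (re-imaging) would be handed to an
    # endpoint-management system; this example only reports candidates.
    print("over threshold:", flagged)
    print("outside network:", foreign)
```
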


Reasons for Allowance
3.	Claims including all of the limitations of the base claim and any intervening claims are allowed.

Closest Prior Art:
U.S. Publication No. 20160248805 discloses on paragraph 0049 “Enforcement or remediation actions may involve automatic communication between network security computer 110 and external systems. For example, JAMF may be used 

US 20180351976 discloses on paragraph 0045 “In yet another embodiment, the detection engine 310-4 is configured to detect potential DNS recursive attacks based on distributions of common domain names. At peace time, i.e., during a learning period, the distribution of common domain names is determined based on requests previously resolved by DNS resolver 220. In an embodiment, the learnt information can be based on the DNS resolver's contents and/or information collected independently, for example, by the system 210.” Paragraph 0069 “At S570, at least one mitigation action is performed. The mitigation action may include, but is not limited to, filtering out any incoming DNS queries (requests) having domain names that are not designated in a white list.”

U.S. Publication No. 20190052675 discloses on paragraph 0027 “In a first example, an attack may be a DoS attack exploiting either a bug in an application or component thereof, or that tries to overload the network's and infrastructure's capacity. The asset trying to be compromised in this situation may be business or uptime continuity. In such an instance, the operations performed may be to copy the application under attack, either by reinstalling the application and copying the productive (e.g., business or sensitive) data and/or configurations associated with the original application, or by cloning an image or stored version of the application. Using the operations of the lifecycle operations manager, the copied application can be made available at a different endpoint than the original version of the application. For example, at least one of the hostnames, identifiers, and/or IP addresses associated with the copied application can be modified. As the lifecycle operations manager is aware of the existing landscape and the one or more dependencies upon which the attacked 

	The following is an Examiner’s Statement of Reasons for Allowance: 
 	The claims are allowable because the prior art references, taken individually or in combination, fail to particularly disclose, fairly suggest or render obvious the limitations as argued by the applicant, which the examiner considers persuasive as set forth above.
Although the prior art discloses receive, over a network, DNS queries containing domain names, extract a common domain name shared by the domain names and determine whether a measure of an amount of data relating to the DNS queries containing the common domain name exceeds a threshold, no one or two references anticipates or obviously suggests wherein the countermeasure action includes re-imaging an electronic device or a plurality of electronic devices including deleting previous software components and re-installing new software components of the electronic device or the plurality of electronic devices from which DNS queries for the common domain names was received.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GARY S GRACIA whose telephone number is (571)270-5192. The examiner can normally be reached Monday-Friday 9am-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 5712723972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/GARY S GRACIA/Primary Examiner, Art Unit 2491