Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This Office action is responsive to communications filed on 10/25/2021. Claims 1, 2, 4-7, 9 and 10 are pending.

Response to Arguments
Applicant's arguments filed 10/25/2021 have been fully considered but they are not persuasive.
Applicant argues that none of the cited references teach “the DNS data further specifying a time-to-live (TTL) during which the mapping between the domain name and the IP address is guaranteed to be valid and, on the expiration of which, the mapping between the domain name and the IP address is no longer guaranteed to be valid, the mapping including mapping the TTL value with the domain name and the IP address in the DNS entry.” Remarks pp. 8-13. Applicant’s argument is not persuasive because it is merely a conclusory statement without any supporting reasoning or evidence. Furthermore, the limitations in question were previously presented as claims 3 and 8. The previous office action dated 07/26/2021 cited Fujimoto as teaching said limitations. Applicant has failed to address the cited portions of Fujimoto.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1 and 6 is/are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Pub. No. 2012/0096261 (“Ko”), in view of U.S. Pub. No. 2012/0267023.

Regarding claim 1, Ko teaches a network-connection attestation process comprising: 
extracting, by an agent (Fig. 2, 202 and/or 204), domain-name service (DNS) data from a DNS reply to a DNS query, the DNS data mapping an IP address to a domain name (“At 302, a name resolution function is performed to resolve the domain name into an IP address,” ¶ [0024]; Fig. 3, 302); 
mapping the domain name to the IP address in a DNS entry of an agent DNS cache (“At 303, the name resolution cache may be updated with each of the name-address resolutions,” ¶ [0024]; Fig. 3, 303); 
determining the domain name mapped to the IP address in the agent DNS cache (“If an entry associated with the IP address exists, determined at 403, then at 404, the domain name associated with the IP address is identified,” ¶ [0026]; Fig. 4, 401-404); and
attesting to and allowing the connection in an event the domain name is in a domain-name whitelist, wherein said domain name is thereby used instead of said IP address to perform said network-connection attestation process (“At 405, a determination is made as to whether the domain name retrieved from the cache is whitelisted…if the domain name is on the whitelist, then at 406, the Internet transaction is allowed,” ¶ [0027]; Fig. 4, 405-406).

Ko-Fujimoto fails to teach configuring domain-name entries configured by an administrator using a cloud-based manager user interface; pushing said domain-name entries from said cloud-based manager to an agent. Bach teaches configuring domain-name entries configured by an administrator using a cloud-based (¶ [0021]) manager user interface (“the security administrator may select an icon 226 for assigning hostname or IP address 228 to blacklists 210 or select an icon 224 for assigning hostname or IP address 228 to whitelists 212,” ¶ [0062]); pushing said domain-name entries from said cloud-based manager to an agent (“User interface 250 then sends an update message 232 to threat detection manager 208 assigning hostname or IP address 228 to blacklists 210 or whitelists 212,” ¶ [0064]). It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to incorporate an administrator interface, as taught by Bach, into Ko-Fujimoto, in order to allow an enterprise security administrator to asynchronously update the blacklists and whitelists based on the threat reports received from the enterprise users, thereby improving the security of the enterprise network. 
Ko-Fujimoto-Bach fails to teach populating an Internet protocol whitelist by watching domain-name service (DNS) responses to DNS queries and by examining the domain-name whitelist. McGleenon teaches populating an Internet protocol whitelist by watching domain-name service (DNS) responses to DNS queries (“a client device issues a DNS lookup request to resolve a domain name to an IP address and the DNS lookup request is intercepted by the DNS proxy. In this embodiment, the DNS proxy 

Regarding claim 6, Ko teaches a system comprising non-transitory media encoded with code that, when executed by a processor (¶ [0045]), implements a network-connection attestation process including:
extracting, by an agent (Fig. 2, 202 and/or 204), domain-name service (DNS) data from a DNS reply to a DNS query, the DNS data mapping an IP address to a domain name (“At 302, a name resolution function is performed to resolve the domain name into an IP address,” ¶ [0024]; Fig. 3, 302); 

determining the domain name mapped to the IP address in the agent DNS cache (“If an entry associated with the IP address exists, determined at 403, then at 404, the domain name associated with the IP address is identified,” ¶ [0026]; Fig. 4, 401-404); and
attesting to and allowing the connection in an event the domain name is in a domain-name whitelist, wherein said domain name is thereby used instead of said IP address to perform said network-connection attestation process (“At 405, a determination is made as to whether the domain name retrieved from the cache is whitelisted…if the domain name is on the whitelist, then at 406, the Internet transaction is allowed,” ¶ [0027]; Fig. 4, 405-406).
Ko fails to teach capturing process data of a process instance of an application process making a network-connection request that specifies the IP address, the process data including a process identity for the application process; mapping a process-instance identifier (PIID) for the process instance with the domain name and IP address in the DNS entry, the process data including the PIID, the DNS data further specifying a time-to-live (TTL) during which the mapping between the domain name and the IP address is guaranteed to be valid and, on the expiration of which, the mapping between the domain name and the IP address is no longer guaranteed to be valid, the mapping including mapping the TTL value with the domain name and the IP address in the DNS entry; and attesting to and allowing the connection in an event the domain name is 
Ko-Fujimoto fails to teach configuring domain-name entries configured by an administrator using a cloud-based manager user interface; pushing said domain-name entries from said cloud-based manager to an agent. Bach teaches configuring domain-name entries configured by an administrator using a cloud-based (¶ [0021]) manager user interface (“the security administrator may select an icon 226 for assigning hostname or IP address 228 to blacklists 210 or select an icon 224 for assigning hostname or IP address 228 to whitelists 212,” ¶ [0062]); pushing said domain-name entries from said cloud-based manager to an agent (“User interface 250 then sends an 
Ko-Fujimoto-Bach fails to teach populating an Internet protocol whitelist by watching domain-name service (DNS) responses to DNS queries and by examining the domain-name whitelist. McGleenon teaches populating an Internet protocol whitelist by watching domain-name service (DNS) responses to DNS queries (“a client device issues a DNS lookup request to resolve a domain name to an IP address and the DNS lookup request is intercepted by the DNS proxy. In this embodiment, the DNS proxy may intercept the DNS response from the DNS server to the client device and obtain the resolved IP address or IP addresses of the domain name from the DNS response,” ¶ [0075]), and by examining the domain-name whitelist (“the DNS proxy 1530 compares the domain name with the domain whitelist and blacklist of each packet modifying entity. Based on the comparison, the DNS proxy may provide feedback to the steering component 1510 to update the IP whitelist and the IP blacklist of a corresponding packet modifying entity. In an embodiment, if a match is made between the domain name and the domain whitelist or the domain blacklist of a packet modifying entity, the resolved IP address or IP addresses of the domain name is/are added into the corresponding IP whitelist or IP blacklist of that packet modifying entity,” ¶ [0077]). It .

Claims 2 and 7 is/are rejected under 35 U.S.C. 103 as being unpatentable over Ko-Fujimoto-Bach-McGleenon as applied to claims 1 and 6 above, and further in view of U.S. Pub. No. 2019/0158497 (“Diaz”).

Regarding claims 2 and 7, Ko-Fujimoto-Bach-McGleenon teaches the invention of claims 1 and 6, but fails to teach that the agent DNS cache contains a superset of the information contained in an OS DNS cache maintained by an operating system (OS) on which the application process runs. Diaz teaches an agent DNS cache containing a superset of the information contained in an OS DNS cache maintained by an operating system (OS) on which the application process runs (“an untrusted container operating system may be allowed to use the DNS cache on the host as an underlying cache, but then adds its own unique data to a local DNS cache for the container operating system,” ¶ [0053]). It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to incorporate a read-only DNS cache, as taught by Diaz, into Ko-Fujimoto-Bach-McGleenon, in order to prevent an untrusted container operating system from making changes to the host DNS cache.

Claims 4 and 9 is/are rejected under 35 U.S.C. 103 as being unpatentable over Ko-Fujimoto-Bach-McGleenon as applied to claims 1 and 6 above, and further in view of U.S. Pub. No. 2013/0124738 (“Lynch”).

Regarding claims 4 and 9, Ko-Fujimoto-Bach-McGleenon teaches the invention of claims 3 and 8, but fails to teach deleting the PIID from the agent DNS cache in response to termination of the application process. Lynch teaches deleting a PIID from a DNS cache in response to termination of the application process (“a Process ID may be included, which is a flag that is set if the entry should be deleted from the table when the corresponding process is ended. Alternately, the process may omit this item and be preprogrammed to delete all entries when their corresponding processes are ended,” ¶ [0100]; “a binding table containing interface-binding entries that associate domain names, IP addresses, and/or URLs with interface types. It also relies on DNS (Domain Name Server) exchanges to associate flows with domain names,” ¶ [0106]; also ¶ [0099]). It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to incorporate a process-id-dependent deletion process, as taught by Lynch, into Ko-Fujimoto-Bach-McGleenon, in order to remove stale entries and keep the size of the table manageable over time.

Claims 5 and 10 is/are rejected under 35 U.S.C. 103 as being unpatentable over Ko-Fujimoto-Bach-McGleenon as applied to claims 1 and 6 above, in view of Lynch, and further in view of U.S. Pub. No. 2015/0058488 (“Backholm”).

Regarding claims 5 and 10, Ko-Fujimoto-Bach-McGleenon teaches the invention of claims 3 and 8, and further teaches deleting the DNS entry in an event in which: the TTL has expired (Fujimoto: “deletes an expired correspondence relationship from a storage area,” ¶ [0138]), but fails to teach deleting the DNS entry in an event in which a last-remaining PIID has been deleted from the DNS entry. Lynch teaches deleting the DNS entry in an event in which a last-remaining PIID has been deleted from the DNS entry (“a Process ID may be included, which is a flag that is set if the entry should be deleted from the table when the corresponding process is ended. Alternately, the process may omit this item and be preprogrammed to delete all entries when their corresponding processes are ended,” ¶ [0100]; “a binding table containing interface-binding entries that associate domain names, IP addresses, and/or URLs with interface types. It also relies on DNS (Domain Name Server) exchanges to associate flows with domain names,” ¶ [0106]; also ¶ [0099]). It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to incorporate a process-id-dependent deletion process, as taught by Lynch, into Ko-Fujimoto-Bach-McGleenon, in order to remove stale entries and keep the size of the table manageable over time.
Ko-Fujimoto-Bach-McGleenon-Lynch fails to teach keeping a DNS entry past the expiration of the TTL. Backholm teaches keeping a DNS entry past the expiration of the TTL (“enhanced caching maintains and uses the cached DNS entries (e.g., stored in a local cache or harmonization cache 526 of FIG. 5B) for a time period that is longer than the TTL typical of a DNS resolver,” ¶ [0050]). It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to incorporate longer DNS entries, as taught by Backholm, into Ko-Fujimoto-Bach-McGleenon-Lynch, .
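To make the cache mechanics discussed across claims 1, 4-5, 6 and 9-10 concrete, the following is an added, hypothetical Python model (not code from the application or from Ko, Fujimoto, Bach, McGleenon, Lynch or Backholm) of an agent DNS cache: each entry maps a domain name, IP address, TTL deadline and the PIIDs of the process instances using it; connections are attested by domain name rather than raw IP; a PIID is removed on process termination and the entry is deleted when its last PIID is gone or its TTL has expired; the optional `grace` parameter models keeping an entry past the TTL. All names and sample addresses are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class DnsEntry:
    domain: str
    expires_at: float                         # absolute deadline derived from the reply's TTL
    piids: set = field(default_factory=set)   # process instances mapped to this entry

class AgentDnsCache:
    def __init__(self, domain_whitelist, grace=0.0):
        self.entries = {}                      # ip -> DnsEntry (hypothetical agent cache)
        self.domain_whitelist = set(domain_whitelist)
        self.ip_whitelist = set()              # derived from replies + domain whitelist
        self.grace = grace                     # seconds kept past TTL (0 = strict)

    def observe_dns_reply(self, domain, ip, ttl, now):
        """Agent extracts domain->IP and TTL from a DNS reply and caches them."""
        entry = self.entries.get(ip)
        if entry is None or entry.domain != domain:
            entry = DnsEntry(domain, now + ttl)
            self.entries[ip] = entry
        entry.expires_at = now + ttl           # a fresh reply refreshes the TTL
        if domain in self.domain_whitelist:
            self.ip_whitelist.add(ip)

    def attest(self, piid, ip, now):
        """Process `piid` connects to `ip`: map the PIID into the entry, decide by domain."""
        entry = self.entries.get(ip)
        if entry is None or now > entry.expires_at + self.grace:
            return False                       # unknown or stale mapping: deny
        entry.piids.add(piid)
        return entry.domain in self.domain_whitelist

    def process_terminated(self, piid):
        """Remove the PIID; an entry whose last PIID is gone is deleted."""
        for ip, e in list(self.entries.items()):
            if piid in e.piids:
                e.piids.discard(piid)
                if not e.piids:
                    self._delete(ip)

    def expire(self, now):
        """Delete entries whose TTL (plus any grace period) has elapsed."""
        for ip, e in list(self.entries.items()):
            if now > e.expires_at + self.grace:
                self._delete(ip)

    def _delete(self, ip):
        del self.entries[ip]
        self.ip_whitelist.discard(ip)
```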

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JULIAN CHANG whose telephone number is (571)272-8631.  The examiner can normally be reached on Monday-Friday 9AM-5PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Emmanuel Moise can be reached on (571)272-3865.  The fax phone 
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


JULIAN CHANG
Examiner
Art Unit 2455



/Julian Chang/Examiner, Art Unit 2455

/EMMANUEL L MOISE/Supervisory Patent Examiner, Art Unit 2455