DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Status of Claims
Claims 1-21 are pending in this Office Action.

Priority
Receipt is acknowledged of certified copies of papers required by 37 CFR 1.55.


Information Disclosure Statement
The information disclosure statement (IDS) submitted on 05/20/2020 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Drawings
The formal drawings received on 05/20/2020 have been entered.

Claims 18 and 19 are objected to because of the following informalities:  each of these dependent claims depends on itself.  Appropriate correction is required.

Contingent Limitation
MPEP 2111.04(II) states: 
The broadest reasonable interpretation of a method (or process) claim having contingent limitations requires only those steps that must be performed and does not include steps that are not required to be performed because the condition(s) precedent are not met. For example, assume a method claim requires step A if a first condition happens and step B if a second condition happens. If the claimed invention may be practiced without either the first or second condition happening, then neither step A or B is required by the broadest reasonable interpretation of the claim. If the claimed invention requires the first condition to occur, then the broadest reasonable interpretation of the claim requires step A. If the claimed invention requires both the first and second conditions to occur, then the broadest reasonable interpretation of the claim requires both steps A and B. 
The broadest reasonable interpretation of a system (or apparatus or product) claim having structure that performs a function, which only needs to occur if a condition precedent is met, requires structure for performing the function should the condition occur. The system claim interpretation differs from a method claim interpretation because the claimed structure must be present in the system regardless of whether the condition is met and the function is actually performed.
In view of MPEP 2111.04(II):
In claims 5, 12, and 19, only the limitation “wherein determining whether there is a potential security threat comprises:” needs to be disclosed by the cited prior art, because the steps recited after the aforementioned limitation are contingent and are neither required to be executed nor required to be disclosed by the cited prior art. The step of “in response to determination that the first IP address is different from the second IP address, identifying the potential security threat in the form of DNS cache poisoning associated with the virtualized computing instance” is neither required to be executed nor required to be disclosed by the cited prior art.
In claims 6, 13, and 20, only the limitation “wherein determining whether there is a potential security threat comprises:” needs to be disclosed by the cited prior art, because the steps recited after the aforementioned limitation are contingent and are neither required to be executed nor required to be disclosed by the cited prior art. The step of “in response to identifying the potential security threat, performing one or more of the following remediation actions: generating and sending an alarm to a management entity, isolating the virtualized computing instance and blocking traffic to and from an IP address specified in the second reply” is neither required to be executed nor required to be disclosed by the cited prior art.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of 
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3-5, 7, 8, 10-12, 14, 15, 17-19, and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Alharbi et al. (Collaborative Client-Side DNS Cache Poisoning Attack, 17 June 2019, IEEE, pages 1153-1161, hereinafter, “Alharbi”) in view of Smith et al. (Pub. No.: US 2020/0021618, hereinafter, “Smith”).
Claims 1, 8, 15. Alharbi teaches:
A method for a computer system to perform security threat detection during service query handling, wherein the method comprises: – on pages 1160, 1161 (Verify Response to Interfere with cache poisoning. An additional mechanism we propose is to verify the responses received when an attack signature is detected.)
generating and sending a first service query specifying a query input according to a service protocol; – on pages 1160, 1161 (Repeat request: since the likelihood of attack success in any round is small, we can accept a response only if it stays the same in successive lookups.)
generating and sending, by the security agent,  a second service query specifying the query input in the first service query; – on pages 1160, 1161 (Repeat 
performing, by the security agent, a comparison between (a) a first reply received responsive to the first service query and (b) a second reply received responsive to the second service query; and – on pages 1160, 1161 (Verify by reverse lookup: we verify the IP address in the response DNS packet by sending a Pointer (PTR) DNS query. This query type is used to resolve an IP address to an FQDN. If the FQDN and the query name of the pending query do not match, then we can be more confident that an on-going attack is present (we notice that the PTR reply itself can also be spoofed though).)
determining, by the security agent, whether there is a potential security threat associated with the virtualized computing instance based on the comparison. – on pages 1160, 1161 (Verify by reverse lookup: we verify the IP address in the response DNS packet by sending a Pointer (PTR) DNS query. This query type is used to resolve an IP address to an FQDN. If the FQDN and the query name of the pending query do not match, then we can be more confident that an on-going attack is present (we notice that the PTR reply itself can also be spoofed though).)

	Alharbi does not explicitly teach:
generating and sending, by a process running on a virtualized computing instance supported by the computer system, a first service query; detecting, by a security agent running on the virtualized computing instance, the first service query, wherein the security agent is configured to operate in a secure enclave that is isolated from the process.
	However, Smith teaches:
generating and sending, by a process running on a virtualized computing instance supported by the computer system, a first service query – in paragraphs [0012], [0038] (Each of the source system 102a and the destination system 102b may be any type of physical or virtual computing device, such as a server computer, or virtual machine. The local security agent that is on the same system as the requesting application, which in this example is the local security agent 106a that is on the same system 102a as the requesting application 104a, detects that the requesting application 104a has made the communication request, intercepts the request.)
detecting, by a security agent running on the virtualized computing instance, the first service query, – in paragraphs [0012], [0038] (Each of the source system 102a and the destination system 102b may be any type of physical or virtual computing device, such as a server computer, or virtual machine. The local security agent that is on the same system as the requesting application, which in this example is the local security agent 106a that is on the same system 102a as the requesting application 104a, detects that the requesting application 104a has made the communication request, intercepts the request.)
wherein the security agent is configured to operate in a secure enclave that is isolated from the process; – in paragraph [0038] (The local security agent that is on the same system as the requesting application, which in this example is the local security agent 106a that is on the same system 102a as the requesting application 
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Alharbi with Smith to include generating and sending, by a process running on a virtualized computing instance supported by the computer system, a first service query; detecting, by a security agent running on the virtualized computing instance, the first service query, wherein the security agent is configured to operate in a secure enclave that is isolated from the process, as taught by Alharbi, on page 1161, to practically report, evaluate, and measure client-side OS-wide DNS cache poisoning attack.

Claims 3, 10, 17. The combination of Alharbi and Smith teaches the method of claim 1 – refer to the indicated claim for reference(s).
Alharbi teaches:
wherein generating and sending the first service query and the second service query comprises: generating and sending, by the process, the first service query in the form of a first domain name system (DNS) query to resolve the query input in the form of a domain name associated with a target server; and generating and sending, by the security agent, the second service query in the form of a second DNS query to resolve the domain name. – on pages 1160, 1161 (Verify by reverse lookup: we verify the IP address in the response DNS packet by sending a Pointer (PTR) DNS query. This query type is used to resolve an IP address to an FQDN. If the FQDN and the query name of the pending query do not match, then we  

Claims 4, 11, 18. The combination of Alharbi and Smith teaches the method of claim 3 – refer to the indicated claim for reference(s).
Alharbi teaches:
wherein performing the comparison comprises: detecting, by the security agent, the first reply in the form of a first DNS reply specifying a first Internet Protocol (IP) address mapped to the domain name; and comparing the first IP address with a second IP address specified in the second reply in the form of a second DNS reply. – on pages 1160, 1161 (Verify by reverse lookup: we verify the IP address in the response DNS packet by sending a Pointer (PTR) DNS query. This query type is used to resolve an IP address to an FQDN. If the FQDN and the query name of the pending query do not match, then we can be more confident that an on-going attack is present (we notice that the PTR reply itself can also be spoofed though).)  

Claims 5, 12, 19. The combination of Alharbi and Smith teaches the method of claim 4 – refer to the indicated claim for reference(s).
Alharbi teaches:
wherein determining whether there is a potential security threat comprises: in response to determination that the first IP address is different from the second IP address, identifying the potential security threat in the form of DNS cache poisoning associated with the virtualized computing instance. – on pages 1160, 1161 (Verify by reverse lookup: we verify the IP address in the response DNS packet by sending a Pointer (PTR) DNS query. This query type is used to resolve an IP address to an FQDN. If the FQDN and the query name of the pending query do not match, then we can be more confident that an on-going attack is present (we notice that the PTR reply itself can also be spoofed though).)  

Claims 7, 14, 21. The combination of Alharbi and Smith teaches the method of claim 1 – refer to the indicated claim for reference(s).

Smith further teaches:
wherein detecting the first service query comprises: detecting the first service query using one or more event traps that are configured by the security agent to trap service queries and query replies. – in paragraph [0038] (The local security agent that is on the same system as the requesting application, which in this example is the local security agent 106a that is on the same system 102a as the requesting application 104a, detects that the requesting application 104a has made the communication request, intercepts the request.)
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Alharbi with Smith to include wherein detecting the first service query comprises: detecting the first service query using one or more event traps that are configured by the security agent to trap service queries and .

Claims 2, 9, and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Alharbi et al. (Collaborative Client-Side DNS Cache Poisoning Attack, 17 June 2019, IEEE, pages 1153-1161, hereinafter, “Alharbi”) in view of Smith et al. (Pub. No.: US 2020/0021618, hereinafter, “Smith”), and further in view of Mathew et al. (Pub. No.: US 2018/0262387, hereinafter, “Mathew”).
Claims 2, 9, 16. The combination of Alharbi and Smith teaches the method of claim 1 – refer to the indicated claim for reference(s).

The combination of Alharbi and Smith does not explicitly teach:
wherein generating and sending the second service query comprises: identifying a reserved port number that is assigned to the security agent operating in the secure enclave and hidden from the process; and sending the second service query from the reserved port number to receive the second reply via the reserved port number.
However, Mathew teaches:
wherein generating and sending the second service query comprises: identifying a reserved port number that is assigned to the security agent operating in the secure enclave and hidden from the process; and sending the second service query from the reserved port number to receive the second reply via the reserved port number. – in paragraph [0047] (This involves proxy LCP agent 
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Alharbi and Smith with Mathew to include wherein generating and sending the second service query comprises: identifying a reserved port number that is assigned to the security agent operating in the secure enclave and hidden from the process; and sending the second service query from the reserved port number to receive the second reply via the reserved port number, as taught by Mathew, in paragraph [0002], to allow the abstraction and pooling of hardware resources to support virtual machines in a virtualized computing environment.

Claims 6, 13, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Alharbi et al. (Collaborative Client-Side DNS Cache Poisoning Attack, 17 June 2019, IEEE, pages 1153-1161, hereinafter, “Alharbi”) in view of Smith et al. (Pub. No.: US 2020/0021618, hereinafter, “Smith”), and further in view of Stolfo et al. (Pub. No.: US 2005/0257264, hereinafter, “Stolfo”).
Claims 6, 13, 20. The combination of Alharbi and Smith teaches the method of claim 1 – refer to the indicated claim for reference(s).

The combination of Alharbi and Smith does not explicitly teach:
wherein determining whether there is a potential security threat comprises: in response to identifying the potential security threat, performing one or more of the following remediation actions: generating and sending an alarm to a management entity, isolating the virtualized computing instance and blocking traffic to and from an IP address specified in the second reply.
However, Stolfo teaches: 
wherein determining whether there is a potential security threat comprises: in response to identifying the potential security threat, performing one or more of the following remediation actions: generating and sending an alarm to a management entity, isolating the virtualized computing instance and blocking traffic to and from an IP address specified in the second reply. – in paragraph [0045] (At step 760, process 700 may attempt to defend its local system (e.g., system 102) from the attack by: alerting a system administrator of an attack; shutting-down firewall 200; blocking all traffic from the corresponding IP address; generating a firewall filter rule based on a datagram of the threat, a signature of the threat, an IP address of threat, the destination port targeted, and/or the datagram length associated with the threat.)
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Alharbi and Smith with Stolfo to include wherein determining whether there is a potential security threat comprises: in response to identifying the potential security threat, performing one or more of the following remediation actions: generating and sending an alarm to a management entity, isolating the virtualized computing instance and blocking traffic to and from an IP address specified in the second reply, as taught by Stolfo, in paragraph [0002], to provide a technique for correlating and distributing intrusion alert information among collaborating computer systems.
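To make the compared limitations concrete, the following is an added Python example written for this page; it is not code from the application, from Alharbi, or from any of the cited publications. It constructs two RFC 1035 DNS replies for the same query input (sample addresses from the documentation ranges, constructed here), extracts the A records from each, reports a potential DNS cache poisoning when the first reply (the one the process received) and the second reply (the security agent's own lookup) disagree, as in claims 4 and 5, and lists the remediation actions enumerated in claims 6, 13 and 20 as a plan rather than executing them. The function names, the packet-building helper and the choice to return the plan as a dictionary are assumptions of the example.

```python
import socket
import struct

# Added example (not from the application or the cited references).
# Wire format follows RFC 1035; all addresses below are constructed sample data.


def _read_name(packet: bytes, offset: int) -> tuple:
    """Read a DNS name starting at offset, following compression pointers.

    Returns (name, offset just past the name in the original byte stream).
    """
    labels = []
    end = None          # position after the name in the original stream
    hops = 0
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:           # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = offset + 2
            offset = struct.unpack_from("!H", packet, offset)[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            if end is None:
                end = offset
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), end


def parse_reply(packet: bytes) -> dict:
    """Return the transaction id, question name and A-record addresses of a DNS reply."""
    txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!6H", packet, 0)
    offset = 12
    qname = None
    for _ in range(qdcount):
        qname, offset = _read_name(packet, offset)
        offset += 4                          # skip QTYPE and QCLASS
    addresses = []
    for _ in range(ancount):
        _name, offset = _read_name(packet, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack_from("!HHIH", packet, offset)
        offset += 10
        rdata = packet[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rclass == 1 and rdlength == 4:   # A record, class IN
            addresses.append(socket.inet_ntoa(rdata))
    return {"txid": txid, "qname": qname, "addresses": addresses}


def build_reply(txid: int, qname: str, addresses: list) -> bytes:
    """Build a minimal standard-response DNS packet (used here only to construct sample input)."""
    header = struct.pack("!6H", txid, 0x8180, 1, len(addresses), 0, 0)
    question = b"".join(bytes([len(label)]) + label.encode("ascii") for label in qname.split("."))
    question += b"\x00" + struct.pack("!HH", 1, 1)          # QTYPE=A, QCLASS=IN
    answers = b""
    for ip in addresses:
        # name pointer to the question name at offset 12, then TYPE, CLASS, TTL, RDLENGTH, RDATA
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return header + question + answers


def detect_cache_poisoning(first_reply: bytes, second_reply: bytes, query_input: str) -> dict:
    """Compare the reply the process received with the agent's reply for the same query input.

    A disagreement in the resolved addresses is reported as a potential DNS cache poisoning,
    together with the remediation actions the claims enumerate (returned as a plan, not executed).
    """
    first = parse_reply(first_reply)
    second = parse_reply(second_reply)
    expected = query_input.lower()
    if first["qname"] != expected or second["qname"] != expected:
        raise ValueError("reply does not answer the query input being compared")
    first_ips, second_ips = set(first["addresses"]), set(second["addresses"])
    result = {
        "threat": first_ips != second_ips,
        "first_addresses": sorted(first_ips),
        "second_addresses": sorted(second_ips),
        "actions": [],
    }
    if result["threat"]:
        result["actions"].append("send alarm to management entity")
        result["actions"].append("isolate virtualized computing instance")
        # the claim names the address specified in the second reply as the one to block
        result["actions"].extend("block traffic to/from " + ip for ip in result["second_addresses"])
    return result


if __name__ == "__main__":
    # Constructed sample: the process's reply and the agent's reply disagree on the address.
    name = "www.example.com"
    process_reply = build_reply(0x1234, name, ["192.0.2.10"])
    agent_reply = build_reply(0x5678, name, ["198.51.100.7"])
    print(detect_cache_poisoning(process_reply, agent_reply, name))
```

The comparison is deliberately made on the set of A-record addresses rather than on raw bytes, so that differing transaction ids, TTLs or record order do not by themselves raise a threat; only a change in where the name resolves does.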

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MUHAMMAD RAZA whose telephone number is (571)272-7734. The examiner can normally be reached Monday-Friday, 7:00 A.M.-5:00 P.M.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Vivek Srivastava can be reached on (571)272-7304. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MUHAMMAD RAZA/Primary Examiner, Art Unit 2449