Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION
This action is in response to application filed 10/25/2021.
Claims 1-20 are pending in this application.

Response to Arguments
Applicant’s arguments with respect to the limitation “wherein the correlation between the triggering event and the at least one historical DNS request is configurable with a threshold confidence level associated with the correlation” found on claim(s) 1, 13, and 20 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Moreover, applicant's asserts that the prior art of record fails to disclose “an occurrence of a triggering event of the plurality of triggering events by detecting user action on the computing device” (see pg. 12-13 of remarks). Examiner respectfully disagrees. Arunachalam discloses the Layer 4 accelerator engine 410 can be configured to learn behavior patterns of the application once the application is launched (e.g. user action to launch/open application). The frequently triggered DNS queries may be used at the time of launching the application or the time in which the application comes out from background to foreground on the electronic device 402.  An application 1 and an application 2 may be launched (i.e. user action) on the electronic 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-3, 6, 13-15, 18, 20 are rejected under 35 U.S.C. 103 as being unpatentable over Arunachalam et al. (US 2020/0236139 A1) in view of Gupta et al. (US 2010/0191856 A1) in further view of Chan et al. (US 2016/0286001 A1).
Regarding claim 1, Arunachalam discloses a method, comprising: 
storing, in a computing device, historical domain name system (DNS) information from a plurality of sources of DNS information (fig. 10a: multiple application sources. [0064], [0101]:  the DNS caching technique, the DNS yielder unit 502 may create a system DNS cache to store the frequently triggered DNS queries and the DNS responses for the frequently triggered DNS queries), 
wherein the historical DNS information comprises a plurality of historical DNS requests and a plurality of triggering events correlated to the plurality of historical DNS requests ([0109]:  stores the DNS patterns or the domain names associated with the previously triggered DNS queries… once the application is launched, the DNS yielder unit 502 triggers the DNS queries recognized from a feeder for resolving the domain names), 
wherein a triggering event of the plurality of triggering events is correlated to at least one historical DNS request of the plurality of historical DNS requests ([0109]: once the application is launched, the DNS yielder unit 502 triggers the DNS queries (e.g. trigger event).  Recognized from a feeder for resolving the domain names DNS patterns or the domain names associated with the previously triggered DNS queries. [0110]:  monitors the DNS queries triggered by the application during the launch of the application to resolve the domain names and checks whether the DNS queries are present in the application specific DNS cache or not), and 
identifying, by one or more sensors, an occurrence of a triggering event of the plurality of triggering events by detecting user action on the computing device ([0061]:  Layer 4 accelerator engine 410 can be configured to learn behavior patterns of the application once the application is launched.  [0063]:  The frequently triggered DNS queries may be used at the time of launching the application (e.g. trigger event) or the time in which the application comes out from background to foreground on the electronic device 402.), 
wherein the one or more sensors are in the computing device, attached to the computing device, connected to the computing device by a network link, or any combination thereof ([0061]- [0063]:  the Layer 4 accelerator engine 410 for reducing socket setup time for the application installed on the electronic device 402.  The communication unit may include the communication interface unit 508 and be configured to perform communication functions of at least part of the DNS yielder unit 502, the TCP pre-connecting (TPC) unit 504 or the Secure Session Off-loader (SSO) unit 506), 
in response to identifying the occurrence of the triggering event, one or more answers to one or more DNS requests correlated with the triggering event based on the stored historical DNS information ([0063]:  The frequently triggered DNS queries may be used at the time of launching the application or the time in which the application comes out from background to foreground on the electronic device 402. Further, the DNS yielder unit 502 resolves the frequently triggered DNS queries before receiving a request from the application for DNS resolution); 
storing, in the computing device, the one or more answers, such that the one or more answers are useable by requesters making the one or more DNS requests ([0063], [0064]:  the DNS yielder unit 502 may create an application specific DNS cache for each application for storing the DNS responses); and 
([0065]:  the DNS yielder unit 502 provides the DNS responses stored in the application specific DNS cache to the triggered DNS queries. Thus, providing speedy DNS responses to the application).
However, Arunachalam does not disclose wherein the correlation between the triggering event and the at least one historical DNS request is configurable with a threshold confidence level associated with the correlation.
In an analogous art, Gupta discloses wherein the correlation between the triggering event and the at least one historical DNS request is configurable with a threshold confidence level associated with the correlation ([0038]-[0039], [0051]:  The user profile module 355 may store a history of files or websites requested by a given user. A prediction module 360 may be able to make more accurate predictions by consulting a user's browsing history and determining the likelihood that a user's inputs or other interactions (e.g. trigger event)indicate the user's intention to eventually request data…a history of all domains and sub-domains (i.e. history of DNS queries) may be tracked in the user history 400 a, weighting more heavily, visits to sites most recently accessed.  User interactions 805 are entered (e.g. trigger event) and detected during t1. As user inputs and interactions are detected, the browser can predict 810 with a first certainty threshold (e.g., 75% certainty) that a user will request data from a domain name www.example.com after time t2. Here, the browser is permitted to initiate domain name resolution when a prediction meets or exceeds 75% certainty (i.e. confidence threshold) and, as a result of the predicted certainty threshold, sends a DNS request 815 to name servers to initiate resolution of the domain name into an IP address).

One of ordinary skilled in the art would have been motivated because it would have enabled to decrease latency in retrieving data in response to a user's request by predicting the request and initiating domain name resolution procedures, communication handshaking, and/or other preliminary communication operations prior to receiving a submission of the request by the user (Gupta, [0005]).  
However, Arunachalam-Gupta does not disclose resolving, within a certain configurable time period after the triggering event.
In an analogous art, Chan discloses resolving, within a certain configurable time period after the triggering event ([0047]:  when no DNS response corresponding to the new DNS requests (e.g. trigger) has been received by gateway 101 within a pre-defined time period, gateway 101 transmits a new DNS response with a non-zero RCODE to the sender of the first DNS request. The value of the pre-defined time period may be determined by the manufacturer of the gateway, the administrator of the gateway, and/or by the host).
Therefore, it would have been obvious before the effective filed date of the claimed invention to a person having ordinary skill in the art to modify Arunachalam-Gupta to comprise “resolving, within a certain configurable time period after the triggering event” taught by Chan.
(Chan, [0060]).  

Regarding claim 2, Arunachalam-Gupta-Chan discloses the method of claim 1, wherein: the particular application is a web browser (Arunachalam, [0059]:  a Layer 4 accelerator engine 410 to reduce network protocol latency for an application(s) installed on the electronic device 402. Examples of the application can be, but is not limited to, a web browser), and the one or more answers are answers to the one or more DNS requests that comprise DNS requests for an initial rendering of a website (Arunachalam, [0058]:  DNS server 406 can be configured to operate as part of a DNS to provide IP addresses of webpages and resources to the application installed on the electronic device 402. [0065]:  the DNS yielder unit 502 provides the DNS responses stored in the application specific DNS cache to the triggered DNS queries. Thus, providing speedy DNS responses to the application).

Regarding claim 3, Arunachalam-Gupta-Chan discloses the method of claim 1, wherein: the particular application is a downloadable mobile application (Arunachalam, [0059]:  Further, the electronic device 402 includes a Layer 4 accelerator engine 410 to reduce network protocol latency for an application(s) installed on the electronic device 402. Examples of the application can be, but is not limited to, a web browser, a video streaming application or any application that access content from the content server(s)(i.e. downloadable), and the one or more answers are answers to the one or more DNS requests that comprise DNS requests for an initial rendering of the downloadable mobile application (Arunachalam, [0063], [0065]:  The frequently triggered DNS queries may be used at the time of launching the application or the time in which the application comes out from background to foreground on the electronic device 402. Further, the DNS yielder unit 502 resolves the frequently triggered DNS queries before receiving a request from the application for DNS resolution).

Regarding claim 6, Arunachalam-Gupta-Chan discloses the method of claim 1, wherein: the historical DNS information further comprises a plurality of DNS answers, a group of the plurality of triggering events are further correlated to the plurality of historical DNS answers, a triggering event of the group is correlated to at least one historical DNS answer of the plurality of historical DNS answers (Arunachalam, [0063]-[0064]:  Further, the DNS yielder unit 502 receives DNS responses for the frequently triggered DNS queries from the DNS server 406. The frequently triggered DNS queries may be used at the time of launching the application or the time in which the application comes out from background to foreground on the electronic device 402 …the DNS yielder unit 502 may create a system DNS cache to store the frequently triggered DNS queries and the DNS responses for the frequently triggered DNS queries. The DNS responses can provide the IP addresses for the domain names. In an embodiment, the DNS yielder unit 502 may create an application specific DNS cache for each application for storing the DNS responses and the frequently triggered DNS queries related to each application separately), and the resolving of the one or more answers to the one or more DNS requests is based on one or more historical DNS answers of the plurality of historical DNS answers corresponding to the one or more DNS requests when the one or more historical DNS answers have an unexpired time to live (TTL) (Arunachalam, [0066]:  The DNS yielder unit 502 analyzes the shorter TTL (i.e. unexpired)  valued DNS responses and provides cached DNS responses to the application.

Regarding claim 13, Arunachalam discloses a system, comprising: 
first computing device, comprising a processor and a non-transitory computer-readable storage medium for tangibly storing thereon program logic for execution by the processor of the first computing device, the program logic of the first computing device comprising: executable logic for storing historical domain name system (DNS) information from a plurality of sources of DNS information (fig. 10a: multiple application sources. [0064], [0101]:  the DNS caching technique, the DNS yielder unit 502 may create a system DNS cache  to store the frequently triggered DNS queries and the DNS responses for the frequently triggered DNS queries), wherein the historical DNS information comprises a plurality of historical DNS requests and a plurality of triggering events correlated to the plurality of historical DNS requests ([0109]:  stores the DNS patterns or the domain names associated with the previously triggered DNS queries… once the application is launched, the DNS yielder unit 502 triggers the DNS queries recognized from a feeder for resolving the domain names), wherein a triggering event of the plurality of triggering events is correlated to at least one historical DNS request of the plurality of historical DNS requests([0066]-[0067]: the DNS yielder unit 502 may identify a change in the domain names by monitoring hit count of the application specific DNS cache. The change in the domain names can be monitored to remove unused domain names created in a list of domain names that need to be pre-resolved. Further, the DNS yielder may receive shorter Time to Live (TTL) valued DNS responses which triggers unnecessary DNS queries); and 
([0061]- [0063]:  the Layer 4 accelerator engine 410 for reducing socket setup time for the application installed on the electronic device 402.  The communication unit may include the communication interface unit 508 and be configured to perform communication functions of at least part of the DNS yielder unit 502, the TCP pre-connecting (TPC) unit 504 or the Secure Session Off-loader (SSO) unit 506), executable logic for, in response to identifying the occurrence of the triggering event, one or more answers to one or more DNS requests correlated with the triggering event based on the stored historical DNS information ([0063]:  The frequently triggered DNS queries may be used at the time of launching the application or the time in which the application comes out from background to foreground on the electronic device 402. Further, the DNS yielder unit 502 resolves the frequently triggered DNS queries before receiving a request from the application for DNS resolution); executable logic for storing the one or more answers, such that the one or more answers are useable by requesters making the one or more DNS requests; and executable logic for hosting a particular application, running on the second computing device, that requests the one or more answers ([0065]:  the DNS yielder unit 502 provides the DNS responses stored in the application specific DNS cache to the triggered DNS queries. Thus, providing speedy DNS responses to the application).

In an analogous art, Gupta discloses wherein the correlation between the triggering event and the at least one historical DNS request is configurable with a threshold confidence level associated with the correlation ([0038]-[0039], [0051]:  The user profile module 355 may store a history of files or websites requested by a given user. A prediction module 360 may be able to make more accurate predictions by consulting a user's browsing history and determining the likelihood that a user's inputs or other interactions (e.g. trigger event)indicate the user's intention to eventually request data…a history of all domains and sub-domains (i.e. history of DNS queries) may be tracked in the user history 400 a, weighting more heavily, visits to sites most recently accessed.  User interactions 805 are entered (e.g. trigger event) and detected during t1. As user inputs and interactions are detected, the browser can predict 810 with a first certainty threshold (e.g., 75% certainty) that a user will request data from a domain name www.example.com after time t2. Here, the browser is permitted to initiate domain name resolution when a prediction meets or exceeds 75% certainty (i.e. confidence threshold) and, as a result of the predicted certainty threshold, sends a DNS request 815 to name servers to initiate resolution of the domain name into an IP address).
Therefore, it would have been obvious before the effective filed date of the claimed invention to a person having ordinary skill in the art to modify Arunachalam to comprise “wherein the correlation between the triggering event and the at least one historical DNS request is configurable with a threshold confidence level associated with the correlation” taught by Gupta.
(Gupta, [0005]).  
However, Arunachalam-Gupta does not disclose a second computing device communicatively coupled to the first computing device, comprising a processor and a non-transitory computer-readable storage medium for tangibly storing thereon program logic for execution by the processor of the second computing device, the program logic of the second computing device comprising: executable logic for resolving, within a certain configurable time period after the triggering event.
 In an analogous art, Chan discloses second computing device communicatively coupled to the first computing device, comprising a processor and a non-transitory computer-readable storage medium for tangibly storing thereon program logic for execution by the processor of the second computing device, the program logic of the second computing device comprising: executable logic for resolving, within a certain configurable time period after the triggering event ([0022]:  When gateway 101 receives a first DNS request (e.g. trigger) from a sender via LAN network interface 102, it selects at least one DNS server, such as DNS Server 131 or 132, and at least one access network for transmitting a plurality of new DNS requests [0047]:  when no DNS response corresponding to the new DNS requests  has been received by gateway 101 within a pre-defined time period, gateway 101 transmits a new DNS response with a non-zero RCODE to the sender of the first DNS request. The value of the pre-defined time period may be determined by the manufacturer of the gateway, the administrator of the gateway, and/or by the host).

One of ordinary skilled in the art would have been motivated because it would have enabled to store DNS responses corresponding to a new DNS request until a pre-defined time expires (Chan, [0060]).  

  Regarding claim 14; the claim is interpreted and rejected for the same reason as set forth in claim 2.

  Regarding claim 15; the claim is interpreted and rejected for the same reason as set forth in claim 3.

  Regarding claim 18; the claim is interpreted and rejected for the same reason as set forth in claim 6.

Regarding claim 20; the claim is interpreted and rejected for the same reason as set forth in claim 1.

Claims 4-5, 16-17 are rejected under 35 U.S.C. 103 as being unpatentable over Arunachalam in view of Gupta in view of Chan, as applied to claim 1, in view of Fleischman et al. (US 2013/0198269 A1).
Regarding claim 4, Arunachalam-Gupta-Chan discloses the method of claim 1, further comprising: retrieving, by [engine] connected to or running on the computing device, DNS information used in an initial rendering of a website; and storing with the stored historical DNS information, the retrieved DNS information used in the initial rendering of the website (Arunachalam, [0058]-[0059], [0064]:  the DNS yielder unit 502 may create a system DNS cache to store the frequently triggered DNS queries and the DNS responses for the frequently triggered DNS queries. The DNS responses can provide the IP addresses for the domain names. In an embodiment, the DNS yielder unit 502 may create an application specific DNS cache for each application for storing the DNS responses and the frequently triggered DNS queries. [0101]:  an application 1 and an application 2 may be launched on the electronic device 402. During launching of the application 1 and the application 2, the DNS yielder unit 502 may create an application 1 specific DNS cache for the application 1 and an application 2 specific DNS cache for the application 2. The DNS yielder unit 502 may store the DNS responses and the frequently triggered DNS queries associated with the application 1 in the application 1 specific DNS cache. Similarly, the DNS yielder unit 502 may store the DNS responses and the frequently triggered DNS queries associated with the application 2 in the application 2 specific DNS cache).
However, Arunachalam-Gupta-Chan does not discloses retrieving, by a transparent proxy connected to or running on the computing device, DNS information; and storing with the stored historical DNS information, the retrieved DNS information.
by a transparent proxy connected to or running on the computing device, DNS information; and storing with the stored historical DNS information, the retrieved DNS information ([0035]:  In some cases the DNS proxy server system 120 can include a local cache 116 for storing answers to the most common DNS queries from clients. In such a case the proxy DNS server system 120 is able to answer high volume and frequent DNS queries, thus removing load from the DNS server system 104).
Therefore, it would have been obvious before the effective filed date of the claimed invention to a person having ordinary skill in the art to modify Arunachalam-Gupta-Chan to comprise “retrieving, by a transparent proxy connected to or running on the computing device, DNS information; and storing with the stored historical DNS information, the retrieved DNS information” taught by Fleischman.
One of ordinary skilled in the art would have been motivated because it would have enabled to remove load from the DNS server system (Fleischman, [0035]).  

Regarding claim 5, Arunachalam-Gupta-Chan discloses the method of claim 1, further comprising: retrieving, by [engine] connected to or running on the computing device, DNS information used in a startup process of a downloaded mobile application; and storing with the stored historical DNS information, the retrieved DNS information used in the startup process of the downloaded mobile application (Arunachalam, [0101]:  an application 1 and an application 2 may be launched on the electronic device 402. During launching of the application 1 and the application 2, the DNS yielder unit 502 may create an application 1 specific DNS cache for the application 1 and an application 2 specific DNS cache for the application 2. The DNS yielder unit 502 may store the DNS responses and the frequently triggered DNS queries associated with the application 1 in the application 1 specific DNS cache. Similarly, the DNS yielder unit 502 may store the DNS responses and the frequently triggered DNS queries associated with the application 2 in the application 2 specific DNS cache).
In an analogous art, Fleischman discloses retrieving, by a transparent proxy connected to or running on the computing device, DNS information; and storing with the stored historical DNS information, the retrieved DNS information ([0035]:  In some cases the DNS proxy server system 120 can include a local cache 116 for storing answers to the most common DNS queries from clients. In such a case the proxy DNS server system 120 is able to answer high volume and frequent DNS queries, thus removing load from the DNS server system 104).
Therefore, it would have been obvious before the effective filed date of the claimed invention to a person having ordinary skill in the art to modify Arunachalam-Gupta-Chan to comprise “retrieving, by a transparent proxy connected to or running on the computing device, DNS information; and storing with the stored historical DNS information, the retrieved DNS information” taught by Fleischman.
One of ordinary skilled in the art would have been motivated because it would have enabled to remove load from the DNS server system (Fleischman, [0035]).  

  Regarding claim 16; the claim is interpreted and rejected for the same reason as set forth in claim 4.

  Regarding claim 17; the claim is interpreted and rejected for the same reason as set forth in claim 5.

Claims 7-10, 19 are rejected under 35 U.S.C. 103 as being unpatentable over Arunachalam in view of Gupta in view of Chan, as applied to claim 1, in view of Bagnall et al. (US 2020/0106790 A1).
Regarding claim 7, Arunachalam-Gupta-Chan discloses a method of claim 1, further comprising: storing, with the historical DNS information, assessments for each of the plurality of historical DNS requests ([0076]:  The memory 510 can be configured to store DNS patterns (DNS queries), secure certificate patterns and TCP patterns (TCP connections) for each application); in response to identifying the occurrence of the triggering event, determining a legitimacy level of the one or more answers to the one or more DNS requests correlated with the triggering event based on the assessments ([0132]-[0133]:  after launching the application, the SSO unit 506 monitors a secure connection request triggered by the application. The SSO unit 506 then checks whether the secure certificates required for securing the TCP connections exist in the certificate pool or not.  The L4 accelerator engine 410 performs the DNS lookup before receiving the DNS queries from the applications for the DNS resolution. Further, the L4 accelerator engine 410 pre-connects the TCP applications with the TCP server(s) 404 before receiving the TCP connection requests from the applications. Further, the L4 accelerator engine 410 exchanges the SSL/TLS certificates with the TCP server).  
However, Arunachalam-Gupta-Chan does not disclose wherein the legitimacy level comprises a probability that the one or more answers include a phishing attack; and acting on the one or more answers according to the determined legitimacy level of the one or more answers.
In an analogous art, Bagnall discloses wherein the legitimacy level comprises a probability that the one or more answers include a phishing attack; and acting on the one or more answers according to the determined legitimacy level of the one or more answers ([0003]:  cyber-attack such as malware and phishing.  [0021]:  DNS monitoring systems for cyber-attack detection, prevention, and mitigation in a computer network. [0070]:  risk assessment rules can compare the monitored DNS traffic information (such as DNS responses received from name servers in response to DNS queries or DNS queries) with historical DNS traffic information stored in the DNS information database and determine a score (e.g. legitimacy level) based upon discrepancies between the two. The score can then be compared to a threshold value to determine whether to trigger a risk mitigation action).
Therefore, it would have been obvious before the effective filed date of the claimed invention to a person having ordinary skill in the art to modify Arunachalam-Gupta-Chan to comprise “wherein the legitimacy level comprises a probability that the one or more answers include a phishing attack; and acting on the one or more answers according to the determined legitimacy level of the one or more answers” taught by Bagnall.
One of ordinary skilled in the art would have been motivated because it would have enabled for DNS monitoring for cyber-attack detection and mitigation (Bagnall, [0021]).  

Regarding claim 8, Arunachalam-Gupta-Chan-Bagnall discloses the method of claim 7, wherein acting on the one or more answers comprises the storing of the one or more answers when the determined legitimacy level of the one or more answers exceeds a predetermined threshold (Bagnall, [0057]:  the cyberattack detector 104 transmits a record update to the database controller 105 that is then passed from the database controller 105 to the DNS information database 106. As discussed previously, the record update includes information that is based on the monitored DNS traffic and is configured to update a DNS metadata record corresponding to the generated record identifier within the DNS information database. [0072]:  If at least one risk score exceeds a corresponding cybersecurity risk threshold, then at step 405 a risk mitigation action is activated on the network communication. Otherwise, at step 406, no risk mitigation action (i.e. risk less than threshold (legit) is implemented on the network communication.  Note:  In other words, the DNS information is stored as long as there is not mitigation action). The same rationale applies as in claim 7.

Regarding claim 9, Arunachalam-Gupta-Chan-Bagnall discloses the method of claim 8, wherein acting on the one or more answers comprises modifying the one or more answers and storing the one or more modified answers, such that the one or more modified answers are useable by requesters making the one or more DNS requests, when the determined legitimacy level of the one or more answers does not exceed the predetermined threshold (Bagnall, [0048], [0050]:  The mitigation actions 107B that are selected for activation can optionally be linked to specific risk assessment rules, such that a risk score greater than a predefined threshold resulting from the application of a specific risk assessment rule results in performance of a corresponding risk mitigation action.  Mitigation actions 107B can include, for example, rejecting the network communication, quarantining the network communication, removing a URL within the network communication, and/or modifying a URL within the network communication. For example, a malicious URL within an email can be replaced with an email that directs the end-user to a soft-landing page that alerts the user of the cybersecurity attack and provides guidance on how to avoid such attacks in the future). The same rationale applies as in claim 7.

(Bagnall, [0050]:  Mitigation actions 107B can include, for example, rejecting the network communication, quarantining the network communication, removing a URL within the network communication, and/or modifying a URL within the network communication. For example, a malicious URL within an email can be replaced with an email that directs the end-user to a soft-landing page that alerts the user of the cybersecurity attack and provides guidance on how to avoid such attacks in the future). The same rationale applies as in claim 7.

  Regarding claim 19; the claim is interpreted and rejected for the same reason as set forth in claim 7.

Claims 11-12 are rejected under 35 U.S.C. 103 as being unpatentable over Arunachalam in view of Gupta in view of Chan in view of Bagnall, as applied to claim 7, in further view of Bagnall et al. (herein after Bagnall II, US 2020/0106791 A1)
Regarding claim 11, Arunachalam-Gupta-Chan-Bagnall discloses the method of claim 7.  Arunachalam discloses  further comprising: storing, with the historical DNS information, assessments for each of the plurality of triggering events correlated to the plurality of historical DNS requests; in response to identifying the occurrence of the triggering event, determining a legitimacy level of the triggering event based on the assessments ([0132]-[0133]:  after launching the application, the SSO unit 506 monitors a secure connection request triggered by the application. The SSO unit 506 then checks whether the secure certificates required for securing the TCP connections exist in the certificate pool or not.  The L4 accelerator engine 410 performs the DNS lookup before receiving the DNS queries from the applications for the DNS resolution. Further, the L4 accelerator engine 410 pre-connects the TCP applications with the TCP server(s) 404 before receiving the TCP connection requests from the applications. Further, the L4 accelerator engine 410 exchanges the SSL/TLS certificates with the TCP server).   
However, Arunachalam-Gupta-Chan-Bagnall does not disclose wherein the legitimacy level of the triggering event comprises a probability that the triggering event includes a phishing attack; and acting on the one or more answers according to the determined legitimacy level of the triggering event.
In an analogous art, Bagnall II discloses wherein the legitimacy level of the triggering event comprises a probability that the triggering event includes a phishing attack; and acting on the one or more answers according to the determined legitimacy level of the triggering event ([0057]:  determining phishing attacks  [0060], [0063]:  The maximum rate threshold is useful in identifying cybersecurity risks posed by domains that have not previously been flagged as suspicious (i.e., blacklisted) or that may previously have communicated with the protected system for legitimate purposes but have since been compromised. For example, a spike in the rate of DNS queries associated with a particular domain identifier can indicate suspicious activity, even if the domain identifier would by itself be considered benign (i.e., multiple attempts to propagate malware from an infected domain that would normally not be considered a threat).
Therefore, it would have been obvious before the effective filed date of the claimed invention to a person having ordinary skill in the art to modify Arunachalam-Gupta-Chan-
One of ordinary skilled in the art would have been motivated because it would have enabled to make real-time assessments of cybersecurity risks posed by the network communication (Bagnall II, [0010]).  

Regarding claim 12, Arunachalam-Gupta-Chan-Bagnall-Bagnall II discloses the method of claim 11, wherein acting on the one or more answers comprises the storing of the one or more answers, when the respective determined legitimacy levels of the one or more answers and the triggering event each exceed a predetermined threshold (Bagnall, [0057]:  the cyberattack detector 104 transmits a record update to the database controller 105 that is then passed from the database controller 105 to the DNS information database 106. As discussed previously, the record update includes information that is based on the monitored DNS traffic and is configured to update a DNS metadata record corresponding to the generated record identifier within the DNS information database. [0072]:  If at least one risk score exceeds a corresponding cybersecurity risk threshold, then at step 405 a risk mitigation action is activated on the network communication. Otherwise, at step 406, no risk mitigation action (i.e. risk less than threshold (legit) is implemented on the network communication.  Note:  In other words, the DNS information is stored as long as there is not mitigation action).


Additional References
	The prior art made of record and not relied upon is considered pertinent to applicants disclosure.
Baldwin et al., US 2021/0105251 A1: IP address Access Based on Security Level and Access History. 
Archbold, US 2014/0068043 A1: Risk Aware Domain Name Service.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JUAN C TURRIATE GASTULO whose telephone number is (571)272-6707.  The examiner can normally be reached on Monday - Friday 8 am-4 pm.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Brian J Gillis can be reached on 571-272-7952.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/J.C.T/Examiner, Art Unit 2446             

/BRIAN J. GILLIS/Supervisory Patent Examiner, Art Unit 2446