DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Status of Claims
  Claims 1 and 18 have been amended by Applicant. No claims have been currently cancelled or added. Claims 1-13, 15-18, and 20-21 are pending.

Response to Arguments
The rejection of claims 1-2, 6-7, 9, 12-18, and 20, under 35 U.S.C. 103, has been maintained herein. See claim rejections under 35 U.S.C. 103 section further below.
 The rejection of claims 3-5 and 10-11, under 35 U.S.C. 103, has been maintained herein. See claim rejections under 35 U.S.C. 103 section further below.
The rejection of claim 8, under 35 U.S.C. 103, has been maintained herein. See claim rejections under 35 U.S.C. 103 section further below.
The rejection of claim 21, under 35 U.S.C. 103 has been maintained herein. See claim rejections under 35 U.S.C. 103 section further below.

Applicant's arguments filed 11/28/2021 have been fully considered but they are not persuasive. 

	Examiner respectfully disagrees with Applicant’s argument as it is directly contradicted by the combination in view of Stemm. 

As set forth in the Office Action dated 09/08/2021, Stemm, Col. 1, lines 29-46, and [claim 1] teach systems and methods for determining suspicious hostnames and determining whether they are malicious or not: receiving strings from various sources, including but not limited to DNS query feeds, and reducing the input set into a smaller subset of strings that are determined to be of interest. A string can be identified as being of interest if the string corresponds to a hostname that was first encountered by the system within a threshold time period. Stemm, Col. 4, lines 20-38, teaches receiving a set of strings and applying one or more filters to the set of strings to generate a subset of strings determined to correspond to hostnames of interest, retrieving DNS information associated with the string(s) of the subset, and determining whether to add the strings to a set of “bad” strings.


Examiner further maintains and clarifies that Stemm, Col. 2, lines 56-67, Col. 3, lines 1-3, and Col. 3, lines 24-26 further teaches that the computing device may receive data from a plurality of sources including a hostname encounter feed which provides strings corresponding to hostnames that are encountered during sending, receiving, and/or processing of Internet traffic. Furthermore, the computing device may also receive strings from a DNS query feed which provides strings corresponding to hostnames that are processed by a DNS server such as during processing of DNS queries.

As set forth herein and in the Office Action dated 09/08/2021, Stemm, Col. 5, lines 53-63, teaches that an encounter recency threshold may be applied such that strings corresponding to hostnames that were first encountered by the computing device within a threshold time period may be added to the subset; and Stemm, [claim 1], further teaches retrieving at least one domain name system (DNS) record associated with the particular string, wherein at least one DNS record identifies a network accessible entity associated with the particular hostname. As noted in the Office Action, the disclosure at [claim 1] of Stemm was understood to read on the limitation as claimed. To this effect, Examiner clarifies that “retrieving at least one domain name system (DNS) record associated with the particular string, wherein at least one DNS record identifies a network accessible entity associated with the particular hostname” has been particularly understood [in view of the rest of the disclosure of Stemm] to read on the claimed domain names which remained active after said predetermined time frame. [Note: network accessible, as disclosed in Stemm, teaching and/or reading on the domain name remaining reachable and/or otherwise active after the threshold time period].

	Applicants have amended claim 1 to recite, inter alia, “instructions for detecting domain names appearing in a network in a first appearance during a predetermined time frame and remaining active until after an end of said predetermined time frame, by identifying, at the end of said predetermined time frame, among said detected domain names appearing in the first appearance in the network during the predetermined time frame, a sub-group of said detected domain names, which remained active from the first appearance until after said predetermined time frame;”.

	For the same reasons stated above, Examiner respectfully maintains that the combination of Antonakakis in view of Stemm in further view of Bilge (and/or alternatively in further view of O’Leary) still reads on claim 1 (as amended). Hence, the rejection of claim 1 (as amended) and its dependent claims, under 35 U.S.C. 103, has been maintained.

	Claim 18 (as amended) recites the same and/or analogous limitations as claim 1 (as amended). For the at least same reasons set forth as to claim 1 (as amended), the rejection of claim 18 (as amended), under 35 U.S.C. 103, is also maintained.
 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly 


11.	Claims 1-2, 6-7, 9, 12-18, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Antonakakis et al. (US 20140157414 A1), in view of Stemm et al. (U.S. Patent No. 9560074), in further view of Bilge et al., “EXPOSURE: Finding Malicious Domains Using Passive DNS Analysis”. Alternatively, claims 1-2, 6-7, 9, and 12-20 are rejected under 35 U.S.C. 103 as being unpatentable over Antonakakis in view of Stemm and Bilge, and in further view of O’Leary et al. (US 20160065535 A1).

Regarding claim 1, a system for calculating and ascribing reputation scores to Domain Name System (DNS) domain names (Antonakakis, Paragraph [0010] teaches system), the system comprising: 

a memory storing a code (Antonakakis, Paragraph [0010] and Figs. 1 and 3 teaches system comprising servers and detection application 305 [understood as code stored in memory – Note: memory not explicitly shown in Figs. 1 and 3]); and 

at least one hardware processor coupled to the memory for executing the code (Antonakakis, Paragraph [0010] and Figs. 1 and 3 teaches system comprising , the code comprising: 

instructions for detecting domain names appearing in a network in a first appearance during a predetermined time frame (Antonakakis, Paragraph [0005] teaches detecting new malicious domain names from analyzing DNS query patterns at the upper DNS hierarchy; Paragraph [0015] further teaches monitored streams of DNS traffic; Paragraph [0056] further teaches new domain names; Paragraph [0010] teaches dividing monitored data streams into epochs, where “an epoch can be one month, one week, several days, one day, one hour, or any other time period” – reading on during a predetermined time frame as claimed. [Note: “new” domain names, as disclosed in Antonakakis, reading on domain names appearing in a network in a first appearance, as claimed].) …
…
instructions for extracting features of each of said detected domain names included in said sub-group (Antonakakis, Paragraphs [0005], [0010], [0015] and [0020] further teach computed statistical features are extracted statistical features. [Note: Domain name(s) or d’KB mapped into feature vector in Paragraph [0015] and extracted statistical features in Paragraphs [0010] and [0020] reading on extracting features… as claimed.]); and 

instructions for calculating a reputation score for each of the domain names included in said sub-group … based on the domain name features (Antonakakis, Paragraph [0016] teaches calculating confidence score(s) [reading on reputation score] for given domain observed during an epoch; Paragraph [0056] further teaches dynamic domain name reputation system, and high and low reputation scores for identified new domain names. [Note: confidence score and/or reputation scores as disclosed in Antonakakis use extracted statistical features to arrive at malicious or benign domain name scores – reading on based on the domain name features]).

	However, Antonakakis does not distinctly disclose:
… and remaining active until after an end of said predetermined time frame, 
by identifying, at the end of said predetermined time frame, among said detected domain names, appearing in the first appearance in the network during the predetermined time frame, a sub-group of said detected domain names, which remained active from the first appearance until after said predetermined time frame; 
 	…by assessing an expected life duration of each of the identified domain names…

Nevertheless, Stemm teaches … and remaining active until after an end of said predetermined time frame (Stemm, Col. 5, lines 53-63, further teaches an encounter recency threshold may be applied such that strings corresponding to hostnames that were first encountered by the computing device within a threshold time period may be added to the subset; Stemm, [claim 1], further teaches retrieving at least one domain name system (DNS) record associated with the particular string, wherein at least one DNS record identifies a network accessible entity associated with the particular hostname; Stemm, Col. 2, lines 56-67, Col. 3, lines 1-3, and Col. 3, lines 24-26 teach the computing device may receive data from a plurality of sources including a hostname encounter feed which provides strings corresponding to hostnames that are encountered during sending, receiving, and/or processing of Internet traffic. The computing device may also receive strings from a DNS query feed which provides strings corresponding to hostnames that are processed by a DNS server such as during processing of DNS queries.), 

by identifying, at the end of said predetermined time frame, among said detected domain names, appearing in the first appearance in the network during the predetermined time frame, a sub-group of said detected domain names, which remained active from the first appearance until after said predetermined time frame (Stemm, Col. 1, lines 29-46, and [claim 1] teach systems and methods for determining suspicious hostnames and determining whether they are malicious or not: receiving strings from various sources, including but not limited to DNS query feeds, and reducing the input set into a smaller subset of strings that are determined to be of interest. A string can be identified as being of interest if the string corresponds to a hostname that was registered or first encountered by the system within a threshold time period; Stemm, Col. 4, lines 20-38, teaches receiving a set of strings and applying one or more filters to the set of strings to generate a subset of strings determined to correspond to hostnames of interest, retrieving DNS information associated with the string(s) of the subset, and determining whether to add the strings to a set of “bad” strings; Stemm, Col. 5, lines 53-63, teaches an encounter recency threshold may be applied such that strings corresponding to hostnames that were registered within a threshold time period or first encountered by the computing device within a threshold time period may be added to the subset; Stemm, [claim 1], further teaches retrieving at least one domain name system (DNS) record associated with the particular string, wherein at least one DNS record identifies a network accessible entity associated with the particular hostname [Note: identifying a network accessible entity associated with the particular hostname identified in the substring, as disclosed in Stemm, understood to read on which remained active from the first appearance until after said predetermined time frame]; Stemm, Col. 2, lines 56-67, Col. 3, lines 1-3, and Col. 3, lines 24-26 teach the computing device may receive data from a plurality of sources including a hostname encounter feed which provides strings corresponding to hostnames that are encountered during sending, receiving, and/or processing of Internet traffic. The computing device may also receive strings from a DNS query feed which provides strings corresponding to hostnames that are processed by a DNS server such as during processing of DNS queries.);

Before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to combine the methods and system for reputation scoring for new domain names based on extracted statistical features taught by Antonakakis, with the filtering and identification of suspicious hostnames identified in a substring of a DNS query feed, as taught by Stemm, in order to provide a method and system capable of automatically and programmatically determining whether a website or an associated 

[EXAMINER NOTE: Stemm, Col. 3, lines 66-67 and Col. 4, lines 1-5 and lines 11-18 teach retrieving DNS information associated with strings of the subset. For example, accessing DNS records and retrieving DNS information associated with a particular hostname. Applying one or more rules to the DNS information associated with string, wherein items included in the set of “bad” strings may include hostnames, IP addresses, name servers, among others - reading on the limitation instructions for extracting features of each of said detected domain names included in said sub-group].

	However, the combination of Antonakakis in view of Stemm does not distinctly disclose …by assessing an expected life duration of each of the included domain names… 

	Nevertheless, Bilge teaches …by assessing an expected life duration of each of the included domain names… (Bilge, page 2, col. 1, ¶ 5-6, teaches system that employs a passive DNS analysis approach and a detection system and further teaches system capable of identifying malicious domains as soon as they appear based on analysis of fifteen (15) domain name features characterizing different properties of DNS names.; Bilge, Table 1, teaches Features, including but not limited to Time-Based Features such as Short-life and TTL Value-Based Features). 

	Before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to combine the methods and system for reputation scoring for new domain names based on extracted statistical features taught by Antonakakis, as modified by the filtering and identification of suspicious hostnames identified in a substring of a DNS query feed, as taught by Stemm, to include the techniques for malicious domain name detection and classification using extracted features including Time-Based and TTL-Based features, as taught by Bilge, in order to provide an improved approach for malicious domain name detection that is not dependent on large amounts of historical maliciousness data, requires less training time and is also able to detect malicious domains that are mapped to a new address space each time and never used for other malicious purposes again. (Bilge, page 2, Col. 2, ¶ 2). 
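As an added illustration only (not code from the application, this Office Action, or any of Antonakakis, Stemm, Bilge or O’Leary), the following Python sketches the pipeline shape the rejection discusses: domain names whose first appearance falls inside a predetermined epoch, the sub-group of those names still observed after the epoch ends, per-domain features of the kind Bilge's Table 1 lists (TTL values, number of distinct answers, name length), a score computed from those features, and a shifted-epoch re-scoring of names below a threshold in the shape of claims 12-13. The passive-DNS log format, the sample lines, the feature set and the score weights are constructed assumptions for the example, not anything any of the references or the claims specify.

```python
"""Added example: window-based newly-seen-domain detection, survivor
filtering, feature extraction and heuristic scoring over constructed
passive-DNS observations. Log format, features and weights are assumed."""
from datetime import datetime, timedelta

# Constructed sample log (assumed format): "<ISO timestamp> <qname> <answer> <ttl>".
SAMPLE_LOG = """\
2021-02-20T09:00:00 www.example.com 93.184.216.34 86400
2021-03-01T10:00:00 www.example.com 93.184.216.34 86400
2021-03-02T11:30:00 newdom1.com 198.51.100.7 3600
2021-03-03T08:15:00 xk3j9q.net 203.0.113.5 60
2021-03-03T08:20:00 xk3j9q.net 203.0.113.9 60
2021-03-04T14:00:00 gone.org 192.0.2.44 300
2021-03-06T16:45:00 xk3j9q.net 203.0.113.77 60
2021-03-09T09:05:00 xk3j9q.net 203.0.113.77 60
2021-03-10T12:00:00 newdom1.com 198.51.100.7 3600
2021-03-12T13:00:00 late.com 192.0.2.99 3600
"""

# Assumed epoch: one week, plus the shift used when re-scoring (claims 12-13 shape).
EPOCH_START = datetime(2021, 3, 1)
EPOCH_END = datetime(2021, 3, 8)
EPOCH_SHIFT = timedelta(days=7)


def parse_log(text):
    """Parse the constructed log into (timestamp, qname, answer, ttl) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, qname, answer, ttl = line.split()
        records.append((datetime.fromisoformat(ts), qname.lower().rstrip("."), answer, int(ttl)))
    return records


def first_last_seen(records):
    """Map each qname to its (first, last) observation time."""
    seen = {}
    for ts, q, _, _ in records:
        first, last = seen.get(q, (ts, ts))
        seen[q] = (min(first, ts), max(last, ts))
    return seen


def newly_seen(records, start, end):
    """Domain names whose first appearance falls inside [start, end)."""
    return {q for q, (first, _) in first_last_seen(records).items() if start <= first < end}


def survivors(records, start, end):
    """Sub-group of newly seen names that remained active: still observed at or after the epoch end."""
    seen = first_last_seen(records)
    return {q for q in newly_seen(records, start, end) if seen[q][1] >= end}


def extract_features(records, domain):
    """Per-domain features in the spirit of TTL-based, answer-based and name-based features."""
    rows = [r for r in records if r[1] == domain]
    ttls = [r[3] for r in rows]
    first, last = first_last_seen(rows)[domain]
    return {
        "ttl_min": min(ttls),
        "ttl_mean": sum(ttls) / len(ttls),
        "n_answers": len({r[2] for r in rows}),
        "name_len": len(domain),
        "n_labels": len(domain.split(".")),
        "active_days": (last - first).days,
    }


def reputation_score(f):
    """Heuristic score in [0, 1], higher = better reputation; weights are assumptions."""
    score = 1.0
    if f["ttl_min"] < 300:                      # very short TTLs are common on throwaway infrastructure
        score -= 0.4
    score -= min(0.3, 0.15 * (f["n_answers"] - 1))  # a new name cycling through many answers
    return round(max(score, 0.0), 2)


def score_epoch(records, start, end):
    """Score every surviving newly seen name for the epoch [start, end)."""
    return {q: reputation_score(extract_features(records, q)) for q in survivors(records, start, end)}


def rescore_shifted(records, start, end, shift, prev_scores, threshold):
    """Shift the epoch and recompute only names previously scored below threshold, using the shifted window."""
    window = [r for r in records if start + shift <= r[0] < end + shift]
    out = dict(prev_scores)
    for q, s in prev_scores.items():
        if s < threshold and any(r[1] == q for r in window):
            out[q] = reputation_score(extract_features(window, q))
    return out


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(sorted(newly_seen(recs, EPOCH_START, EPOCH_END)))
    scores = score_epoch(recs, EPOCH_START, EPOCH_END)
    print(scores)
    print(rescore_shifted(recs, EPOCH_START, EPOCH_END, EPOCH_SHIFT, scores, 0.5))
```

In the constructed sample, www.example.com is excluded because its first appearance precedes the epoch, late.com because its first appearance follows it, and gone.org because it is never observed after the epoch end; only the two survivors are scored, and the shifted-window pass re-scores only the name that fell below the threshold.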

Alternate Rejection – Claim 1 – Antonakakis in view of Stemm and Bilge, and in further view of O’Leary

	Examiner believes that the combination of Antonakakis in view of Stemm, in further view of Bilge teaches all of the limitations of claim 1 (as stated above). However, if it is determined that the combination does not distinctly disclose the limitation instructions for detecting domain names appearing in a network in a first appearance, O’Leary explicitly teaches the limitation as provided below. 

instructions for detecting domain names appearing in a network in a first appearance (O’Leary, Paragraph [0048] teaches “for analysis of ranked domain names… The ranking system 120 can produce basic descriptive statistics per domain name, including a date when a certain domain name was first seen in the DNS data…”.)

Before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to combine the methods and system for reputation scoring for new domain names based on extracted statistical features taught by Antonakakis, as modified by the filtering and identification of suspicious hostnames identified in a substring of a DNS query feed, as taught by Stemm, as further modified by the techniques for malicious domain name detection and classification using extracted features including Time-Based and TTL-Based features, taught by Bilge, to explicitly include the domain name statistic extraction features including a date when a certain domain was first seen in the monitored DNS data, as taught by O’Leary, in order to provide a system and method that overcomes drawbacks of prior known methods which may be vulnerable to network security problems and may rank domain names associated with a malicious activity, propagation of malware, and the like. (O’Leary, Paragraphs [0006] and [0057]). 


	Regarding claim 2, the combination of Antonakakis in view of Stemm and Bilge (and/or the combination in further view of O’Leary) teaches all of the limitations of claim 1, and Antonakakis further teaches wherein the code further comprises instructions to intercept network messages during the predefined time frame and to capture domain names by identifying domain names in the intercepted messages (Antonakakis, Paragraphs [0010] and [0015] teach a system for detecting malicious domain names, wherein monitored data streams [i.e., of DNS traffic] may be divided into epochs [reading on predefined time frame] and at the end of each epoch the system can summarize the DNS traffic related to a given domain name by computing a number of statistical features.).

	[EXAMINER NOTE: Stemm, Col. 1, lines 29-46, concurrently teaches receiving strings from various sources, including but not limited to DNS query feeds, and reducing the input set into a smaller subset of strings that are determined to be of interest. A string can be identified as being of interest if the string corresponds to a hostname that was registered or first encountered by the system within a threshold time period]. 

	Motivation to combine same as stated above for claim 1.

Regarding claim 6, the combination of Antonakakis in view of Stemm and Bilge (and/or the combination in further view of O’Leary) teaches all of the limitations of claim 1, and the combination further teaches wherein the domain name features include at least one of a list comprising top level domain (TLD), registrar, list of DNS record types, geographic location of hosting servers, geographic location of name servers, number of name servers, ASN details, similarity of parts of the domain name to popular brands, the length of the domain name and length of its tokens (Stemm, Col. 3, lines 66-67 and Col. 4, lines 1-5 and lines 11-18 teach retrieving DNS information associated with strings of the subset. For example, accessing DNS records and retrieving DNS information associated with a particular hostname. Applying one or more rules to the DNS information associated with the string, wherein items included in the set of “bad” strings may include hostnames, IP addresses, name servers, among others. [Note: Bilge, Table 1, also teaches Features, also reading on domain name features as claimed.]).

	Motivation to combine same as stated above for claim 1.


	Regarding claim 7, the combination of Antonakakis in view of Stemm and Bilge (and/or the combination in further view of O’Leary)  teaches all of the limitations of claim 1, and Bilge further teaches wherein the code further comprises instructions for training a classifier to assess expected life duration of a domain name based on features of the domain name (Bilge, Sections 4.2 and 4.3 teach training a classifier, the classifier using a J48 decision tree algorithm, wherein classifier evaluates features including but not limited to Time-Based Features and TTL Value-Based Features [Note: the Time-Based Features and TTL Value-Based Features used by classifier to separate the malicious and benign domains reading on classifier trained to assess expected life duration of a domain name based on features of the domain name].).

	Before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to combine the methods and system for reputation scoring for new domain names based on extracted statistical features taught by Antonakakis, as modified by the filtering and identification of suspicious hostnames identified in a substring of a DNS query feed, as taught by Stemm, to include the techniques for malicious domain name detection and classification using extracted features including Time-Based and TTL-Based features, as taught by Bilge, in order to provide an improved approach for malicious domain name detection that is not dependent on large amounts of historical maliciousness data, requires less training time and is also able to detect malicious domains that are mapped to a new address space each time and never used for other malicious purposes again. Furthermore, decision tree classifiers have shown to be efficient while producing accurate results. As the decision tree classifier builds a tree during the training phase, the features that are best in separating the malicious and the benign domains can be clearly seen. (Bilge, page 2, Col. 2, ¶ 2, and page 9, Col. 2, ¶ 2).



Regarding claim 9, the combination of Antonakakis in view of Stemm and Bilge (and/or the combination in further view of O’Leary) teaches all of the limitations of claim 7, and Bilge further teaches wherein the instructions for training a classifier to assess an expected life duration include at least one of instructions to train a classifier to assess whether an identified domain name would remain reachable after a certain time period and instructions to train a classifier to assess a probability that an identified domain name would remain reachable after a certain time period (Bilge, Sections 4.2 and 4.3 teach training a classifier, the classifier using a J48 decision tree algorithm, wherein classifier evaluates features including but not limited to Time-Based Features and TTL Value-Based Features.; Bilge, Section 3.1, Col. 2, ¶ 2-3, teaches analyzing the changes in the number of requests for a domain name during a given period of time, including, a global and local scope analysis for detecting domains that tend to have a short life span – short-lived domains - (e.g., DGA generated) [Note: Time-Based analysis described in Bilge reading on assessing ‘reachability’ of an identified domain name]. Bilge, Section 3.3, Col. 2, ¶ 3, further teaches “malicious domains tend to set their TTL values to lower values [further reading on assessing if identified domain name would remain reachable after a certain time period]  [Note: Both, the Time-Based Features and TTL Value-Based Features used by classifier to separate the malicious and benign domains reading on classifier trained to assess expected life duration of a domain name and assess whether an identified domain name would remain reachable after a certain time period.] [Note: decision trees employ and/or otherwise assess probability distributions over the classes – reading on assessing a probability as claimed.]).

	Motivation to combine same as stated above for claim 7.


Regarding claim 12, the combination of Antonakakis in view of Stemm and Bilge (and/or the combination in further view of O’Leary) teaches all of the limitations of claim 7, and Antonakakis further teaches wherein the code comprises instructions for updating the classifier and repeating calculating of a reputation score once the classifier is updated (Antonakakis, Paragraph [0016] teaches “statistical classifier module 325 can gather the statistical information from any or all of these vectors (or any others), compare it to historical information in knowledge database 310, and assign a label l.sub.d'.j and a confidence score c (l.sub.d'.j), which can express whether the query/response patterns observed for d' during epoch E.sub.j resemble either malicious or benign behavior, and with what probability.”… “an operator may alter the classification probability confidence threshold so he/she can tune the false positive and true positive designations accordingly.” [Note: altering and tuning as disclosed in Antonakakis reading on updating the classifier and repeating the calculation as claimed.]).

	Motivation to combine same as stated above for claim 7.


	Regarding claim 13, the combination of Antonakakis in view of Stemm and Bilge (and/or the combination in further view of O’Leary)  teaches all of the limitations of claim 12, and Antonakakis further teaches wherein the updating of the classifier includes shifting the time frame (Antonakakis, Paragraph [0010] teaches the system can divide the monitored data streams into epochs and at the end of each epoch the system can summarize the DNS traffic related to a given domain d by computing a number of statistical features. [Note: analysis within each ‘epoch’ of the divided data streams as described in Antonakakis, reading on shifting the time frame as claimed.]), and wherein the calculation of reputation score is repeated for domain names having a reputation score below a predetermined threshold (Antonakakis, Paragraph [0016] teaches “statistical classifier module 325 can gather the statistical information from any or all of these vectors (or any others), compare it to historical information in knowledge database 310, and assign a label l.sub.d'.j and a confidence score c (l.sub.d'.j), which can express whether the query/response patterns observed for d' during epoch E.sub.j resemble either malicious or benign behavior, and with what probability.”… “an operator may alter the classification probability confidence threshold so he/she can tune the false positive and true positive designations accordingly.”).

	Motivation to combine same as stated above for claim 7. 


	Regarding claim 15, the combination of Antonakakis in view of Stemm and Bilge (and/or the combination in further view of O’Leary)  teaches all of the limitations of claim 7, and Bilge further teaches wherein the training of a classifier comprises training the classifier to identify the effect of each domain name feature on whether a domain name would still be active after a predefined period of time (Bilge, section 4.3, teaches “as the decision tree classifier builds a tree during the training phase, the features that are best in separating the malicious from the benign domains can be clearly seen…To find the combination of features that produce the minimum error rate, we trained classifiers using different combinations of feature sets and compared the results…”).

	Motivation to combine same as stated above for claim 7. 


	Regarding claim 16, the combination of Antonakakis in view of Stemm and Bilge (and/or the combination in further view of O’Leary) teaches all of the limitations of claim 7, and Bilge further teaches wherein the training of a classifier comprises training the classifier to calculate a class value reflecting a length of a time after which the domain name would still be active by combining the effect of each of the extracted features on the length of the time duration (Bilge, section 4.3, teaches the decision tree can be split into smaller subtrees with the information from the attribute values. Section 4.3 further discloses, the fifteen (15) features [shown in Table 1] were divided into four different classes according to the type of information used - “Features that are extracted from the time-series analysis (F1, Time-Based Features), the DNS answer analysis (F2, DNS Answer-Based Features), the TTL value analysis (F3, TTL Value-Based Features), and the analysis of the domain name (F4, Domain-Based Features).”; Bilge, Section 3.1, teaches Time-Based Features are used in determination of short-lived domains [reading on class value reflecting the length of time after which a domain name would still be active...].).

	Motivation to combine same as stated above for claim 7. 



	Regarding claim 17, the combination of Antonakakis in view of Stemm and Bilge (and/or the combination in further view of O’Leary) teaches all of the limitations of claim 7, and Bilge further teaches, wherein the training of a classifier comprises training the classifier to map each domain name into a multi-dimensional space of features, wherein each feature affects the probability of a domain name to remain active after a predetermined time, and to calculate a class value based on the location of the domain name in the multi-dimensional space of features (Bilge, Section 4.3, page 8, teaches “the J48 algorithm [decision tree algorithm] leverages the fact the tree can be split into smaller subtrees with the information obtained from the attribute values. Whenever the algorithm encounters a set of items that can clearly be separated from the other class by a specific attribute, it branches out a new leaf according to the value of the attribute.”; Bilge, Section 4.3, page 9, further teaches ‘features’ include the features extracted from the time series analysis (see Time-Based Features in Section 3.1) and features extracted from the TTL value analysis (see TTL Value-Based Features in Section 3.3). [Note: decision tree reading on multi-dimensional space of features].). 


[EXAMINER NOTE: Regarding claim 17, Antonakakis concurrently teaches, at Paragraph [0013], feature computation module 320 can comprise a function that can map the DNS traffic in the epoch related to d into a feature vector. The statistical classifier module 310 can utilize the feature vector to classify…; Paragraph [0005] teaches analysis of domain name system (DNS) query patterns at the upper DNS hierarchy for the purpose of detecting new malicious domain names and further teaches DNS operators would be able to detect and remediate malicious domain names within their name space.; Paragraph [0012] further teaches “each domain name in the knowledge database 310, and in turn each feature vector in a set of training vectors V.sub.train can be associated with a malicious or benign label.”].

	Motivation to combine same as stated above for claim 7.


	Regarding claim 18, Antonakakis teaches a method for calculating and ascribing reputation scores to DNS domain names (Antonakakis, Abstract and Paragraph [0014] teaches method), the method comprising: 

detecting domain names appearing in a network in a first appearance during a predetermined time frame (Antonakakis, Paragraph [0005] teaches detecting new malicious domain names from analyzing DNS query patterns at the upper DNS hierarchy.; Paragraph [0015] further teaches monitored streams of DNS traffic.; Paragraph [0056] further teaches new domain names.; Paragraph [0010] teaches during a predetermined time frame as claimed. [Note: “new” domain names, as disclosed in Antonakakis, reading on domain names appearing in a first appearance in a network, as claimed].) …
…
extracting features of each of said detected domain names included in said sub-group (Antonakakis, Paragraphs [0005], [0010], [0015] and [0020] further teach computed statistical features are extracted statistical features) [Note: Domain name(s) or d’KB mapped into feature vector in Paragraph [0015] and extracted statistical features in Paragraphs [0010] and [0020] reading on extracting features… as claimed.]); and 

calculating a reputation score for each of the domain names included in said sub-group … based on the domain name features (Antonakakis, Paragraph [0016] teaches calculating confidence score(s) [reading on reputation score] for given domain observed during an epoch; Paragraph [0056] further teaches dynamic domain name reputation system, and high and low reputation scores for identified new domain names. [Note: confidence score and/or reputation scores as disclosed in Antonakakis use extracted statistical features to arrive to malicious or benign domain name scores – reading on based on the domain name features]).

	However, Antonakakis does not distinctly disclose:
… and remaining active until after an end of said predetermined time frame, 
by identifying, at the end of said predetermined time frame, among said detected domain names, appearing in the first appearance in the network during the predetermined time frame, a sub-group of said detected domain names, which remained active from the first appearance until after said predetermined time frame; 
 	…by assessing an expected life duration of each of the identified domain names…

Nevertheless, Stemm teaches … and remaining active until after an end of said predetermined time frame (Stemm, Col. 5, lines 53-63 further teaches an encounter recency threshold may be applied such that strings corresponding to hostnames that were first encountered by the computing device within a threshold time period may be added to the subset.; Stemm, [claim 1], further teaches retrieving at least one domain name system (DNS) record associated with the particular string, wherein at least one DNS record identifies a network accessible entity associated with the particular hostname; Stemm, Col. 2, lines 56-67, Col. 3, lines 1-3, and Col. 3, lines 24-26 teach the computing device may receive data from a plurality of sources including a hostname encounter feed which provides strings corresponding to hostnames that are encountered during sending, receiving, and/or processing of Internet traffic. The computing device may also receive strings from a DNS query feed which provides strings corresponding to hostnames that are processed by a DNS server such as during processing of DNS queries.), 

by identifying, at the end of said predetermined time frame, among said detected domain names, appearing in the first appearance in the network during the predetermined time frame, a sub-group of said detected domain names, which remained active from the first appearance until after said predetermined time frame (Stemm, Col. 1, lines 29-46, and [claim 1] teach system and methods for determining suspicious hostnames and determining if they are malicious or not. Receiving strings from various sources, including but not limited to DNS query feeds and reducing the input set into a smaller subset of strings that are determined to be of interest. A string can be identified as being of interest if the string corresponds to a hostname that was registered or first encountered by the system within a threshold time period; Stemm, Col. 4, lines 20-38, teaches receiving a set of strings and applying one or more filters to the set of strings to generate a subset of strings determined to correspond to hostnames of interest. Retrieving DNS information associated with the string(s) of the subset and determining whether to add the strings to a set of “bad” strings; Stemm, Col. 5, lines 53-63 further teaches a recency threshold or an encounter recency threshold may be applied such that strings corresponding to hostnames that were registered within a threshold time period or first encountered by the computing device within a threshold time period may be added to the subset.; Stemm, [claim 1], further teaches retrieving at least one domain name system (DNS) record associated with the particular string, wherein at least one DNS record identifies a network accessible entity associated with the particular hostname [Note: identifying a network accessible entity associated with the particular hostname reading on the limitation which remained active from the first appearance until after said predetermined time frame]; Stemm, Col. 2, lines 56-67, Col. 3, lines 1-3, and Col. 3, lines 24-26 teach the computing device may receive data from a plurality of sources including a hostname encounter feed which provides strings corresponding to hostnames that are encountered during sending, receiving, and/or processing of Internet traffic. The computing device may also receive strings from a DNS query feed which provides strings corresponding to hostnames that are processed by a DNS server such as during processing of DNS queries.);

Before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to combine the methods and system for reputation scoring for new domain names based on extracted statistical features taught by Antonakakis, with the filtering and identification of suspicious hostnames identified in a substring of a DNS query feed, as taught by Stemm, in order to provide a method and system capable of automatically and programmatically determining whether a website or an associated hostname or IP address is malicious given the difficulties presented by the large number of websites on the Internet and the ease with which new websites can be registered. (Stemm, Col. 1, lines 6-62). 

 [EXAMINER NOTE: Stemm, Col. 3, lines 66-67 and Col. 4, lines 1-5 and lines 11-18 teach retrieving DNS information associated with strings of the subset. For example, accessing DNS records and retrieving DNS information associated with a particular hostname. Applying one or more rules to the DNS information associated with instructions for extracting features of each of said detected domain names included in said sub-group].

	However, the combination of Antonakakis in view of Stemm does not distinctly disclose …by assessing an expected life duration of each of the included domain names… 

	Nevertheless, Bilge teaches …by assessing an expected life duration of each of the included domain names… (Bilge, page 2, col. 1, ¶ 5-6, teaches system that employs a passive DNS analysis approach and a detection system and further teaches system capable of identifying malicious domains as soon as they appear based on analysis of fifteen (15) domain name features characterizing different properties of DNS names.; Bilge, Table 1, teaches Features, including but not limited to Time-Based Features such as Short-life and TTL Value-Based Features). 

	Before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to combine the methods and system for reputation scoring for new domain names based on extracted statistical features taught by Antonakakis, as modified by the filtering and identification of suspicious hostnames identified in a substring of a DNS query feed, as taught by Stemm, to include the techniques for malicious domain name detection and classification using extracted features including Time-Based and TTL-Based features, as taught by Bilge, in order to provide an 

Alternate Rejection – Claim 18 – Antonakakis in view of Stemm and Bilge, and in further view of O’Leary

	Examiner believes that the combination of Antonakakis in view of Stemm, in further view of Bilge teaches all of the limitations of claim 1 (as stated above). However, if it is determined that the combination does not distinctly disclose the limitation detecting domain names appearing in a first appearance in a network, O’Leary explicitly teaches the limitation as provided below. 

	O’Leary teaches detecting domain names appearing in a first appearance in a network (O’Leary, Paragraph [0048] teaches “for analysis of ranked domain names… The ranking system 120 can produce basic descriptive statistics per domain name, including a date when a certain domain name was first seen in the DNS data…”.)

Before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to combine the methods and system for reputation scoring for new domain names based on extracted statistical features taught by Antonakakis, as modified by the filtering and identification of suspicious hostnames identified in a 



	Regarding claim 20, the combination of Antonakakis in view of Stemm and Bilge (and/or the combination in further view of O’Leary) teaches all of the limitations of claim 12, and Antonakakis teaches wherein the code further comprises code instructions to determine, after each of said repeated calculation, when said at least one identified domain name is a malicious domain (Antonakakis, Paragraph [0016] teaches “statistical classifier module 325 can gather the statistical information from any or all of these vectors (or any others), compare it to historical information in knowledge database 310, and assign a label l.sub.d'.j and a confidence score c (l.sub.d'.j), which can express whether the query/response patterns observed for d' during epoch E.sub.j resemble either malicious or benign behavior, and with what probability.”… “an operator may alter the classification probability confidence threshold so he/she can tune the false positive and true positive designations accordingly.”; dynamic domain name reputation system. [Note: altering and tuning and dynamic as disclosed in Antonakakis reading on updating the classifier and repeating the calculation as claimed.]).	

	Motivation to combine same as stated above for claim 7.

12.	Claims 3-5 and 10-11 are rejected under 35 U.S.C. 103 as being unpatentable over Antonakakis et al. (US 20140157414 A1) in view of Stemm et al. and Bilge et al., and in further view of Dixon et al. (US 20060253582 A1). Alternatively, Claims 3-5 and 10-11 are rejected under 35 U.S.C. 103 as being unpatentable over Antonakakis in view of Stemm, Bilge and O’Leary, and in further view of Dixon. 

	Regarding claim 3, the combination of Antonakakis in view of Bilge (and/or the combination in further view of O’Leary) teaches all of the limitations of claim 1, and Antonakakis further teaches wherein the code further comprises instructions to assign an initial reputation score for each of the identified domain names (Antonakakis, Paragraph [0016] teaches assigning a label and confidence score “which can express whether the query/response patterns observed for d’ during epoch E.sub.j resemble either malicious or benign behavior”; Paragraph [0016] further teaches the classification probability confidence threshold may be ‘altered’ in order to ‘tune’ false positive and true positive designations [altering and tuning after assigning a confidence score reading on assigning an initial reputation score as claimed.]), …

	However, the combination does not distinctly and/or clearly disclose … and instructions to increase the reputation score of a domain name every predetermined time interval in case the domain name is still reachable.

	Nevertheless, Dixon explicitly teaches … and instructions to increase the reputation score of a domain name every predetermined time interval in case the domain name is still reachable (Paragraph [0104] teaches assessing the reputation of a website wherein an algorithm may be adapted to measure the duration of a website’s existence [as in “reachable”] and compare it against a predetermined period; Paragraph [0104] further teaches if the site has been in existence for a longer period than a predetermined period then the site may be deemed to have acceptable reputation and, thus receives a higher reputation score.; Paragraph [0321] teaches the reputation services may be employed to evaluate a website or a domain [i.e., domain name].).

	Before the effective filing date of the invention it would have been obvious to one of ordinary skill in the art to modify the methods and system for reputation scoring for new domain names based on extracted statistical features as taught by Antonakakis, as modified by the filtering and identification of suspicious hostnames identified in a substring of a DNS query feed, as taught by Stemm, as further modified by the 



	Regarding claim 4, the combination of Antonakakis in view of Stemm and Bilge in further view of Dixon (and/or the combination in further view of O’Leary) teaches all of the limitations of claim 3, and the combination further teaches wherein the instructions for calculating a reputation score include determining based on the expected life duration a measure in which the reputation score of a domain name increases in each time interval (Dixon, Paragraph [0104] teaches assessing the reputation of a website wherein an algorithm may be adapted to measure the duration of a website’s existence [as in “reachable”] and compare it against a predetermined period; Dixon, Paragraph [0104] further teaches if the site has been in existence for a longer period than a predetermined period then the site may be deemed to have acceptable reputation and, thus receives a higher reputation score.; Dixon, Paragraph [0321] teaches the reputation services may be employed to evaluate a website or a domain [i.e., domain name].; Bilge, section 3.1, col. 2, teaches determining and/or classifying a new domain name as malicious by assessing Time-Based features, and Bilge, section 3.3 further teaches TTL Value-Based features also used in the DNS classification, wherein assessing maliciousness may also be based on domain name Time to Live (TTL) - further reading on based on the expected life duration.).

	Motivation to combine same as stated above for claim 3.


	Regarding claim 5, the combination of Antonakakis in view of Stemm and Bilge in further view of Dixon (and/or the combination in further view of O’Leary) teaches all of the limitations of claim 4, and the combination further teaches wherein the determining is based on a probability that an identified domain name would remain reachable after a certain time period (Dixon, Paragraph [0104] teaches assessing the reputation of a website wherein an algorithm may be adapted to measure the duration of a website’s existence [as in “reachable”] and compare it against a predetermined period; Paragraph [0104] further teaches if the site has been in existence for a longer period than a predetermined period then the site may be deemed to have acceptable reputation and, thus receives a higher reputation score.).

	Motivation to combine same as stated above for claim 3.


	Regarding claim 10, the combination of Antonakakis in view of Stemm and Bilge (and/or the combination in further view of O’Leary) teaches all of the limitations of claim 9; however, the combination does not distinctly disclose wherein the certain time period is one of a predefined series of time period values, and wherein the instructions to train a classifier are for assessing the longest time period of the series of time period values after which the domain name would remain reachable.

	Nevertheless, Dixon teaches wherein the certain time period is one of a predefined series of time period values, and wherein the instructions to train a classifier are for assessing the longest time period of the series of time period values after which the domain name would remain reachable (Dixon, Paragraph [0104] teaches “algorithm may be adapted to measure the duration of a Website's existence and compare it against a predetermined period. If the site has been in existence for a longer period than the predetermined period, the site may be deemed to have an acceptable reputation, or a parameter associated with the duration may be given a favorable value…”; Paragraph [0321] teaches the reputation services may be employed to evaluate a website or a domain [i.e., domain name].; Paragraphs [0155] and [0249] teach analysis employed by machine learning classifier.).

Before the effective filing date of the invention it would have been obvious to one of ordinary skill in the art to modify the methods and system for reputation scoring for new domain names based on extracted statistical features as taught by Antonakakis, as 



	Regarding claim 11, the combination of Antonakakis in view of Stemm and Bilge in further view of Dixon (and/or the combination in further view of O’Leary) teaches all of the limitations of claim 10, and the combination further teaches wherein the instructions to train a classifier are for determining a time period value of the series of time period values as the longest time period in case an assessed probability that the domain would remain reachable after the time period value is above a predetermined threshold (Dixon, Paragraph [0104] teaches “algorithm may be adapted to measure the duration of a Website's existence and compare it against a predetermined period. If the site has been in existence for a longer period than the predetermined period, the site may be deemed to have an acceptable reputation, or a parameter associated with the duration may be given a favorable value…”; Paragraph [0321] teaches the reputation services may be employed to evaluate a website or a domain [i.e., domain name].; Bilge, page 5, Col. 1, ¶ 1, teaches “Normally, if a domain is benign… our thesis is that the number of queries it receives should exceed the threshold at least several times during the monitoring period ...”; Bilge, page 6, Col. 1, section 3.1.1, further teaches CUSUM CDP algorithm - comprising a “(local_max)” and a “(cusum_max)”, to detect short-lived domains; Bilge, Section 3.3, Col. 2, ¶ 3, teaches evaluated TTL ranges [Bilge sections 3.1, 3.1.1 and Section 3.3 reading on in case … above or below a predetermined threshold as claimed.]).

	Motivation to combine same as stated above for claim 10. 
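As an added illustration of the procedure the rejections above map for claim 18 and for claims 3-5 and 10-11 (detecting domain names in their first appearance within a time frame, identifying the sub-group still active after the frame ends, extracting features, assessing an expected life duration as the longest horizon in a predefined series whose reachability probability clears a threshold, and raising a reputation score at every interval the domain remains reachable), the following Python sketch is not code from the application or from Antonakakis, Stemm, Bilge, Dixon or O’Leary. The passive-DNS sightings, the brand token list, the feature set, the logistic weights, the horizons and the thresholds are all constructed for the example; the toy weighted-feature scorer stands in for a trained classifier.

```python
"""Toy domain-reputation pipeline (added example; weights, horizons and data are constructed)."""
import math

# Constructed passive-DNS sightings: (domain, day_observed, ttl_seconds).
SIGHTINGS = [
    ("shop-example.com", 0, 3600), ("shop-example.com", 4, 3600),
    ("shop-example.com", 9, 3600), ("shop-example.com", 16, 3600),
    ("xk9q1z.top", 1, 60), ("xk9q1z.top", 2, 60),
    ("newsportal.net", 2, 86400), ("newsportal.net", 8, 86400),
    ("newsportal.net", 13, 86400), ("newsportal.net", 21, 86400),
    ("login-bankbrand.info", 3, 300), ("login-bankbrand.info", 9, 300),
    ("login-bankbrand.info", 15, 300),
    ("olddomain.org", -40, 3600), ("olddomain.org", 5, 3600),
]
FRAME = (0, 7)           # predetermined time frame (days, inclusive)
HORIZONS = (7, 14, 28)   # predefined series of time period values (days)
INTERVAL = 7             # how often the reputation score is recalculated
THRESHOLD = 0.5          # probability needed to treat a horizon as "expected"
BRANDS = ("bankbrand",)  # constructed list of popular brand tokens
# Constructed weights standing in for a trained classifier (not from any reference).
WEIGHTS = {"bias": -1.5, "queries": 0.5, "days_active": 0.05,
           "ttl_hours": 0.1, "brand_lookalike": -2.5, "horizon_days": -0.04}


def first_appearances(sightings, frame):
    """Domains whose very first sighting falls inside the time frame."""
    first = {}
    for dom, day, _ in sightings:
        first[dom] = min(day, first.get(dom, day))
    lo, hi = frame
    return {d: day for d, day in first.items() if lo <= day <= hi}


def still_active(sightings, new_domains, frame_end):
    """Sub-group of new domains that were seen again after the frame ended."""
    return {d for d, day, _ in sightings if d in new_domains and day > frame_end}


def features(domain, sightings, first_seen, as_of):
    """Feature vector for one domain using only sightings up to day `as_of`."""
    rows = [(day, ttl) for d, day, ttl in sightings if d == domain and day <= as_of]
    return {
        "queries": float(len(rows)),
        "days_active": float(as_of - first_seen),
        "ttl_hours": rows[-1][1] / 3600.0,
        "brand_lookalike": 1.0 if any(b in domain for b in BRANDS) else 0.0,
    }


def p_reachable_after(feat, horizon):
    """Weighted-feature (logistic) estimate that the domain is still reachable after `horizon` days."""
    z = WEIGHTS["bias"] + WEIGHTS["horizon_days"] * horizon
    z += sum(WEIGHTS[k] * v for k, v in feat.items())
    return 1.0 / (1.0 + math.exp(-z))


def expected_life(feat):
    """Longest horizon in the series whose reachability probability clears the threshold (0 if none)."""
    ok = [h for h in HORIZONS if p_reachable_after(feat, h) >= THRESHOLD]
    return max(ok) if ok else 0


def reputation(domain, sightings, first_seen, until, initial=10.0):
    """Start from an initial score and raise it at every interval the domain is still
    reachable; the size of the raise grows with the assessed expected life duration."""
    score, t = initial, FRAME[1]
    while t + INTERVAL <= until:
        t += INTERVAL
        seen = any(d == domain and t - INTERVAL < day <= t for d, day, _ in sightings)
        if not seen:           # no longer reachable: stop raising the score
            break
        life = expected_life(features(domain, sightings, first_seen, t))
        score += 5.0 * (1.0 + life / max(HORIZONS))
    return round(score, 2)


def run_pipeline(sightings=SIGHTINGS, until=28):
    """End-to-end: new domains -> still-active sub-group -> per-domain reputation score."""
    new = first_appearances(sightings, FRAME)
    subgroup = still_active(sightings, new, FRAME[1])
    return {d: reputation(d, sightings, new[d], until) for d in sorted(subgroup)}


if __name__ == "__main__":
    for dom, score in run_pipeline().items():
        print(f"{dom:24s} {score:6.2f}")
```

`run_pipeline()` returns one score per domain in the sub-group. In the constructed data, `olddomain.org` is dropped because its first sighting predates the frame, `xk9q1z.top` is dropped because it is never seen again after the frame, and the brand-lookalike name with a short TTL never clears the reachability threshold, so it accrues only the minimum increment at each interval while the two domains with a steadier query history and longer TTLs are assessed a longer expected life and climb faster.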

13.	Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Antonakakis et al. (US 20140157414 A1) in view of Stemm et al. and Bilge et al. Alternatively, Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Antonakakis in view of Bilge, in further view of O’Leary, in further view of Dixon et al. (US 20060253582 A1).


	Regarding claim 8, the combination of Antonakakis in view of Stemm and Bilge (and/or the combination in further view of O’Leary) teaches all of the limitations of claim 7. 

wherein the classifier constitutes of a weighted function of domain name features (Antonakakis, Paragraph [0013] teaches “In operation mode, the feature computation module 320 and/or the statistical classifier module 310 can be utilized. The feature computation module 320 can comprise a function F(d, E.sub.i)=v.sup.i.sub.d that can map the DNS traffic in the epoch E.sub.i related to d into a feature vector v.sup.i.sub.d. The statistical classifier module 310 can utilize the feature vector to classify: the diversity of the IP addresses associated with the RDNS servers that queried the domain name d, the relative volume of queries from the set of querying RDNS servers, or historic information related to the IP space pointed to by d, or any combination thereof.”; Antonakakis, Paragraphs [0039], [0040], [0048], [0049], and [0055] teach the features of the feature vector – which are used by the classifier – may be weighted features [the weighted features, as described in Antonakakis, reading on weighted function of domain name features]). However, if it is determined that the combination of Antonakakis in view of Bilge does not distinctly and/or explicitly teach the limitation, Dixon does explicitly teach the limitation in claim 8, as provided below. 

[EXAMINER NOTE: Regarding the limitation in claim 8, Examiner further notes that Bilge concurrently teaches (in page 9, Col. 1, ¶ 1), classifier built as a decision tree, wherein each time a decision needs to be taken, the attribute with the highest normalized gain is chosen [reading on classifier constituting of a weighted function of domain name features].]

Nevertheless, Dixon does teach wherein the classifier constitutes of a weighted function of domain name features (Dixon, Paragraph [0249] teaches “machine learning [as in machine learning “classifier”] may provide a means to take a large collection of input information called features… and then determine the relevancy of the features in predicting whether a site is good or bad… In certain embodiments, weights assigned to each feature may determine whether a site is a good site or a bad site…As new sites may be found, the features for that site may be computed and then weighted…”; Paragraph [0321] teaches the reputation services may be employed to evaluate a website or a domain [i.e., domain name].; Paragraph [0250] teaches domain name features, for example age of the domain, registration information, among others.).

Before the effective filing date of the invention it would have been obvious to one of ordinary skill in the art to modify the methods and system for reputation scoring for new domain names based on extracted statistical features as taught by Antonakakis, as modified by the filtering and identification of suspicious hostnames identified in a substring of a DNS query feed, as taught by Stemm, as further modified by the techniques for malicious domain name detection and classification using extracted features including Time-Based and TTL-Based features taught by Bilge, as further modified by the domain name statistic extraction features including a date when a certain domain was first seen in the monitored DNS data, as taught by O’Leary, to include the weighted function of domain name features as taught by Dixon in order to optimize the reputation algorithm (by adjusting weights) and to improve the fit between .

14.	Claim 21 is rejected under 35 U.S.C. 103 as being unpatentable over Antonakakis in view of Stemm et al. and Bilge et al. and O’Leary, and in further view of Dixon (US 20060253582 A1). 

Regarding claim 21, the combination of Antonakakis in view of Bilge (and/or the combination in further view of O’Leary) teaches all of the limitations of claim 9. However, the combination does not distinctly disclose wherein said classifier is trained to increase the assessed probability when said identified domain name includes parts similar to names of popular brands. 

	Nevertheless, Dixon teaches wherein said classifier is trained to increase the assessed probability when said identified domain name includes parts similar to names of popular brands (Dixon, Paragraph [0215] teaches assessing Website reputation based at least in part on corporate reputation of a business associated with the website, existence of a trademark, popularity rank, among other attributes and/or features.).

Before the effective filing date of the invention it would have been obvious to one of ordinary skill in the art to modify the methods and system for reputation scoring for new domain names based on extracted statistical features as taught by Antonakakis, as .

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BEATRIZ RAMIREZ BRAVO whose telephone number is 571-272-2156. The examiner can normally be reached Mon. - Fri. 7:30 a.m. - 5:00 p.m.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ALEXEY SHMATOV can be reached on 571-270-3428. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/B.R.B./Examiner, Art Unit 2123
/ALEXEY SHMATOV/Supervisory Patent Examiner, Art Unit 2123