Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Remarks
Applicant writes:
As described in the cited sections of Neou by the Examiner, "DNS data" is received; however, there is no teaching or suggestion that "DNS logs" are received. DNS logs, and logs/log files in general, are "a computer-generated data file that contains information about usage patterns, activities, and operations within an operating system, application, server or another device." See https://www.sumologic.com/glossary/log-file/.

The claims are interpreted based on their own terms and in light of the specification. The specification provides “A determination is made if the DNS logs are missing any data related to the DNS transactions. The missing DNS data is looked up and the DNS logs are completed.” And “In certain implementations, the described system, method or computer program product can supplement an incomplete DNS log data by actively or periodically querying a DNS server to collect missing information” (emphasis added). 
The claims are interpreted based on the broadest reasonable reading in the light of the specification. Based on the language of the specification, the examiner has interpreted the term “logs” to at least reasonably refer to the underlying data itself (“any data”). The examiner therefore rejects applicant’s suggested dictionary definition and instead relies on the language of the specification itself.
The examiner therefore maintains the rejection.


Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1-20 are rejected under 35 USC 102 as described by Neou et al, US 20130014253 A1 (Jan. 10, 2013). All dependent claims incorporate the rejections of the claims on which they depend.

As to claim 1: 
A computer-implemented method to obtain domain name system (DNS) monitoring data comprising:  
collecting DNS logs from one or more sources;  (Neou: paragraph 8, “receiving DNS data related to the DNS name from a plurality of sources”)
determining if the collected DNS logs are missing DNS data; (Neou: paragraph 8, “receiving reputation data related to the plurality of sources”, “determining as to whether the DNS request includes data related to another network protocol”) 
looking up DNS transactions to determine the missing DNS data if the collected DNS logs are missing DNS data;  (Neou: paragraph 8, “aggregating the DNS data related to the DNS name”, wherein “missing DNS data” means “any data related to the DNS transactions” (specification paragraph 5) and “DNS context (information)” (specification paragraph 24), and the related data is information) 
receiving the missing DNS data to create more complete DNS logs; and  (Neou: paragraph 8, “aggregating the DNS data related to the DNS name”)
sending the more complete DNS logs for analysis. (Neou: paragraph 8, “The analysis may also use data based upon the IP address in the answer received by the DNS lookup for the DNS name, and the name, IP address, and the reputation of the authoritative servers used to lookup the answer for the DNS name.  Other aspects of the DNS answer such as the `glue` information, the additional information, or the source IP address of the answer may be used as well.”)

As to claim 2: 
The method of claim 1, wherein the one or more sources include DNS resolvers and aggregators. (Neou: figure 3, paragraph 21, “the intelligent DNS system 124 may include a malicious domain redirection (MDR) module 126 and a threat aggregation server 128”; paragraph 23, “The performance of the NPS 100 may depend on the feed or list of validated bot-related command and control domains that is provided to the real-time aggregator 122”; paragraph 37, “the intelligent DNS system 124 may relay the request to a DNS resolver. At operation 206, a DNS response may be received from the DNS resolver, which may be logged at operation 208”)

As to claim 3: 
The method of claim 1, wherein the one or more sources include DNS servers and aggregators. (Neou: figure 3, paragraph 21, “the intelligent DNS system 124 may include a malicious domain redirection (MDR) module 126 and a threat aggregation server 128”; paragraph 23, “The performance of the NPS 100 may depend on the feed or list of validated bot-related command and control domains that is provided to the real-time aggregator 122”; paragraph 37, “the intelligent DNS system 124 may relay the request to a DNS resolver. At operation 206, a DNS response may be received from the DNS resolver, which may be logged at operation 208”)

As to claim 4: 
The method of claim 3, wherein the servers include one of a local DNS server or a global DNS server (Neou: figure 3, paragraph 21, “the intelligent DNS system 124 may include a malicious domain redirection (MDR) module 126 and a threat aggregation server 128”; paragraph 23, “The performance of the NPS 100 may depend on the feed or list of validated bot-related command and control domains that is provided to the real-time aggregator 122”; paragraph 37, “the intelligent DNS system 124 may relay the request to a DNS resolver. At operation 206, a DNS response may be received from the DNS resolver, which may be logged at operation 208”)

As to claim 5: 
The method of claim 3, wherein the aggregators include one of a local aggregator or global aggregator (Neou: figure 3, paragraph 21, “the intelligent DNS system 124 may include a malicious domain redirection (MDR) module 126 and a threat aggregation server 128”; paragraph 23, “The performance of the NPS 100 may depend on the feed or list of validated bot-related command and control domains that is provided to the real-time aggregator 122”; paragraph 37, “the intelligent DNS system 124 may relay the request to a DNS resolver. At operation 206, a DNS response may be received from the DNS resolver, which may be logged at operation 208”)

 
As to claim 6: 
The method of claim 1, wherein the collecting is performed periodically.  (Neou: paragraph 10, “The method for network protection may also include periodically updating the plurality of sources of the DNS data.”) 


As to claim 7: 
The method of claim 1, further comprising converting the DNS logs and DNS data to a common format. (Neou: paragraph 41-42, wherein the security action and classification is the common format)

As to claim 8: 
The method of claim 1 wherein the DNS transactions comprise a subset of 2 DNS requests. (Neou: paragraph 41-42, wherein the security action and classification is the subset of DNS requests)


Claims 9-20 are parallel to the above noted claims, albeit in a different statutory class, and are likewise rejected for the same reasons as the claims noted above.

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

Applicant is cautioned to avoid entry of any new matter in any amendment(s) to the claim(s), drawing(s), or specification. Any amendment or correction which enters new matter may trigger a rejection under 35 USC 112 ¶ 1 and / or 35 USC 132(a). See also MPEP 706.03(o). 

For additional art discovered by the examiner and deemed to be relevant, please see form 892. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Kurt A Mueller whose telephone number is (571)270-3889.  The examiner can normally be reached during standard business hours, but prefers interviews to be conducted Tues - Thur. The examiner can also be reached by personal fax at (571) 270-4889. Please use this fax number for any written interview requests. Include a written interview agenda with the interview request (form PTOL-413A- see MPEP 713.01), and if required, authorization to act in a representative capacity (form PTO/SB/84 – see MPEP 405). The examiner strongly suggests the submission of an agenda in order to facilitate discussion. The examiner also encourages the submission of draft amendments with the interview agenda. Phone interviews will not be granted to attorneys not of record without submission of form PTO/SB/84.
Please note that any document submitted by applicant in connection with this or any other matter must be made part of the official record as required by the Federal Records Act, 44 U.S.C. 3101 et seq. Any instruction contained in any submission requesting the examiner not to enter a document into the record will be disregarded.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, James Trujillo can be reached at 571-272-3677.  The central fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications 

Tuesday, January 11, 2022
/K. A. M./
Examiner, Art Unit 2157

/James Trujillo/            Supervisory Patent Examiner, Art Unit 2157