DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


A broad range or limitation together with a narrow range or limitation that falls within the broad range or limitation (in the same claim) may be considered indefinite if the resulting claim does not clearly set forth the metes and bounds of the patent protection desired. See MPEP § 2173.05(c). In the present instance, claims 9 and 20 recite the broad recitation “wherein when it is determined that there is not an entry in the honeypot library that includes an entry for the pattern of the packet, block any further communication for the paired connection instead of deploying a honeypot”, and claims 7-8 and 19 recite a requirement for either a honeypot based on a system configuration or a pattern related to the malicious pattern, which is the narrower statement of the range/limitation. The claim(s) are considered indefinite because there is a question or doubt as to whether the feature introduced by such narrower language is (a) merely exemplary of the remainder of the claim, and therefore not required, or (b) a required feature of the claims.
It is noted that the broader limitation is found in Pearson, paragraphs 14-18, “such as refusing to accept a message from the potential malicious source”.

The term “it” in claim 10 is a relative term which renders the claim indefinite. The term “it” is not defined by the claim, the specification does not provide a standard for ascertaining the requisite degree, and one of ordinary skill in the art would not be reasonably apprised of the scope of the invention. The term “it” leaves the claim unclear as to what “it” is referring to.

Claim 11 recites the limitation "the DNS server" in line 1. There is insufficient antecedent basis for this limitation in the claim.

Claim Objections
Claim 13 is objected to because of the following informalities: the phrase “is further configured to share with at least one other inspection systems of the internal network” should probably be --inspection system--. The term is plural, which does not make grammatical sense in the context of the sentence. Appropriate correction is required.



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3-6, 16 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Pearson et al., (US Publication 2008/0320095), hereinafter “Pearson”, and further in view of McCorkendale et al., (US Publication No. 2013/0091570), hereinafter “McCorkendale”.

Regarding claim 1, Pearson discloses
a computer network monitoring system for managing botnet attacks to a computer network, the network monitoring system comprising: 
an inspection system associated with monitoring network traffic to or from an internal network having a one or more internal production systems, the inspection system having a memory configured to store instructions and a processor disposed in communication with the first memory [Pearson, paragraph 19], wherein the processor, upon execution of the instructions is configured to: 
receive a packet of network traffic, the packet having an associated source and destination address pair, where this pair constitutes a connection pair [Pearson, paragraph 13, source; recipient]; 
[Pearson, paragraphs 14-18, determine if traffic associated with source is malicious or determine if message traffic content is determined to contain the selected portion(s) of a spam message or suspicious behavior is determined].

Pearson does not specifically disclose, however McCorkendale teaches 
upon determining that the packet matches a pattern of the plurality of patterns or the source or destination address of the packet matches a known malicious address of the known malicious addresses, deploy a honeypot in a container for the pattern matching the packet, if not yet deployed [McCorkendale, paragraph 44, module performs an analysis; emulator or virtual machine is used to isolate the malware, code and determine if code tries to contact an outside computer, paragraph 42, a receiving module periodically receives from the sampling module logged identifying information about files intercepted and quarantined]; and 
forward all network traffic for the connection pair to the honeypot [McCorkendale, paragraph 44, the server 116 can observe the actions of the file to see if it tries to install a Trojan horse or other malicious program. Similarly, if the file is regularly contacting an outside computer (e.g., a botnet or command control system)].  
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to use a honeypot to contain potentially malicious software in order to protect the security of the system.

Regarding claim 3, Pearson-McCorkendale further discloses
apply a security action to an internal production system of the one or more internal production systems based upon a destination address in network traffic to or from the internal production system being a known malicious address or a DNS name of an outbound DNS request from the internal production system being a suspicious DNS name [Pearson, paragraphs 14-18, determine if traffic associated with source is malicious or determine if message traffic content is determined to contain the selected portion(s) of a spam message or suspicious behavior is determined; message traffic associated with the malicious source is analyzed for suspicious behavior].  

Regarding claim 4, Pearson-McCorkendale further discloses
wherein the security action is applied only when the suspicious DNS name is confirmed [Pearson, paragraphs 14-18, information associated with the malicious sender/message is stored in a database or the like].  

Regarding claim 5, Pearson-McCorkendale further discloses
wherein the security action is at least one of isolation of the computing device, blockage of transmissions from the computing device, and transmission of a warning message about a potential infection to the computing device or a recipient of network traffic from the computing device [Pearson, paragraphs 14-18, a system administrator of an enterprise system can receive a message].  

Regarding claim 6, Pearson-McCorkendale further discloses
store as a malicious address in the malicious address database a source address associated with network traffic that matches the pattern [Pearson, paragraphs 14-18, store in database].  

Regarding claim 16, Pearson-McCorkendale further discloses
receiving a packet of network traffic, the packet having an associated source and destination address pair, where this pair constitutes a connection pair [Pearson, paragraph 13, source; recipient]; 
comparing the packet to a plurality of patterns and/or compare a source or destination address of the packet to known malicious addresses [Pearson, paragraphs 14-16, determine if traffic associated with source is malicious or determine if message traffic content is determined to contain the selected portion(s) of a spam message or suspicious behavior is determined]; 
upon determining that the packet matches a pattern of the plurality of patterns or the source or destination address of the packet matches a known malicious address of the known malicious addresses, deploying a honeypot in a container for the pattern matching the packet, if not yet deployed [McCorkendale, paragraph 44, module performs an analysis; emulator or virtual machine is used to isolate the malware, code and determine if code tries to contact an outside computer, paragraph 42, a receiving module periodically receives from the sampling module logged identifying information about files intercepted and quarantined]; and 
[McCorkendale, paragraph 44, the server 116 can observe the actions of the file to see if it tries to install a Trojan horse or other malicious program. Similarly, if the file is regularly contacting an outside computer (e.g., a botnet or command control system)].  

Regarding claim 18, Pearson-McCorkendale further discloses
storing as a malicious address in the malicious address database a source address associated with network traffic that matches the pattern [Pearson, paragraphs 14-18, store in database].  

Claims 2, 11-13 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Pearson-McCorkendale as applied to claims 1 and 16 above, and further in view of Canzanese, JR. et al., (US Publication No. 2015/0295945), hereinafter “Canzanese”.

Regarding claim 2, Pearson-McCorkendale does not specifically disclose, however Canzanese teaches
receive a destination address associated with a resolved domain name system (DNS) name included in a DNS request transmitted by the honeypot, the DNS name being resolved due to having been included in a DNS request transmitted by the honeypot [Canzanese, paragraph 113, DNS server was used as the primary DNS server for the testbed].  


Regarding claim 11, Pearson-McCorkendale-Canzanese further discloses
the DNS server, the DNS server having a second memory configured to store second instructions and a second processor disposed in communication with the second memory [Canzanese, paragraph 113, DNS server was used as the primary DNS server for the testbed], wherein the second processor, upon execution of the second instructions is configured to: 
receive DNS requests exclusively from the plurality of honeypots [Canzanese, paragraph 113, DNS server was used as the primary DNS server for the testbed]; 
resolve each DNS request received to determine a destination address resolved for a DNS name of the DNS request [Canzanese, paragraph 113, DNS server was used as the primary DNS server for the testbed]; 
designate the DNS name to be stored as an unconfirmed suspicious DNS name, if not yet stored [Pearson, paragraphs 14-18, appropriate action is taken]; and 
allow the DNS request to be sent to the resolved address if the DNS name is determined to not be malicious [Pearson, paragraphs 14-18, a system administrator of an enterprise system can receive a message; determine if activity is legitimate].  

Regarding claim 12, Pearson-McCorkendale-Canzanese further discloses

designate the resolved destination address to be stored in a malicious address DB if the DNS name has been confirmed to be malicious [Pearson, paragraphs 14-18, store in database]; and   
reply to the DNS request with an IP address of the first processor as the resolved address [Canzanese, paragraph 113, DNS server was used as the primary DNS server for the testbed].  

Regarding claim 13, Pearson-McCorkendale-Canzanese further discloses
share with at least one other inspection systems of the internal network, each of the inspection system and the respective at least one other inspection system processing different portions of the network traffic at least one of patterns of the plurality of patterns, addresses stored in the database of malicious addresses [Pearson, paragraphs 14-18, store in database], and DNS names that were resolved [Canzanese, paragraph 113, DNS server was used as the primary DNS server for the testbed].  

Regarding claim 17, Pearson-McCorkendale-Canzanese further discloses
applying a security action to an internal production system of the one or more internal production systems based upon a source or destination address in network traffic to or from the internal production system being a known malicious address [Pearson, paragraphs 14-18, malicious addresses, store in database] or a DNS name of an Canzanese, paragraph 113].  

Claims 14, 15, 21 and 22 are rejected under 35 U.S.C. 103 as being unpatentable over Pearson, and further in view of Canzanese and Krishnamurthy, (US Publication No. 2005/0210534).

Regarding claim 14, Pearson discloses
a DNS server for processing DNS requests for managing botnet attacks to a computer network, the DNS server comprising a memory configured to store instructions and a processor disposed in communication with the memory, wherein the processor, upon execution of the instructions is configured to: 
designate the DNS name to be stored as an unconfirmed suspicious DNS name, if not yet stored [Pearson, paragraphs 14-18, malicious addresses, store in database]; and 
allow the DNS request to be sent to the resolved destination address if the DNS name is determined to not be malicious [Pearson, paragraphs 14-18, administrator can determine, by analyzing the message content…].  

Pearson does not specifically disclose, however Canzanese teaches
receive DNS requests [Canzanese, paragraph 113, DNS server was used as the primary DNS server for the testbed] exclusively from a 
[Canzanese, paragraph 113, DNS server was used as the primary DNS server for the testbed].
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to receive DNS requests from a honeypot to resolve where potential malicious attacks may be coming from in order to protect the security of the network.

Pearson-Canzanese does not specifically disclose, however Krishnamurthy teaches
plurality of honeypots [Krishnamurthy, paragraph 18, a plurality of honeypots are established].
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to use multiple honeypots in order to attract an attacker from various access points to the network for the security of the network from all access points.

Regarding claim 15, Pearson-Canzanese-Krishnamurthy further discloses
designate the resolved destination address to be stored in a malicious address DB if the DNS name has been confirmed to be malicious [Pearson, paragraphs 14-18, malicious addresses, store in database]; and 
[Canzanese, paragraph 112-113, DNS server was used as the primary DNS server for the testbed; phoning home].  

Regarding claim 21, Pearson-Canzanese-Krishnamurthy further discloses
receiving DNS requests exclusively from a plurality of honeypots [Krishnamurthy, paragraph 18, a plurality of honeypots are established] operating as decoys for network traffic detected as being malicious [Canzanese, paragraph 113, DNS server was used as the primary DNS server for the testbed]; 
resolving each DNS request received to determine a destination address resolved for a DNS name of the DNS request [Canzanese, paragraph 113, DNS server was used as the primary DNS server for the testbed]; 
designating the DNS name to be stored as an unconfirmed suspicious DNS name, if not yet stored [Pearson, paragraphs 14-18, malicious addresses, store in database]; and 
allowing the DNS request to be sent to the resolved destination address if the DNS name is determined to not be malicious [Pearson, paragraphs 14-18, administrator can determine, by analyzing the message content…].  

Regarding claim 22, Pearson-Canzanese-Krishnamurthy further discloses
designating the resolved destination address to be stored in a malicious address DB if the DNS name has been confirmed to be malicious [Pearson, paragraphs 14-18, malicious addresses, store in database]; and 

replying to the DNS request with an IP address of an inspection device that inspects traffic of the network as the resolved address [Canzanese, paragraph 112-113, DNS server was used as the primary DNS server for the testbed; phoning home].  

Allowable Subject Matter
Claims 7, 8 and 19 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to WILLIAM J GOODCHILD whose telephone number is (571)270-1589. The examiner can normally be reached M-F 8am-4:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeff Pwu, can be reached on 571-272-6798. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/William J. Goodchild/Primary Examiner, Art Unit 2433