Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
Status of Claims:
Claims 1-5 are pending in this application.

Formal Drawings
The formal drawings received on 1/22/2020 have been entered.

Information Disclosure Statement
The information disclosure statements submitted 01/22/2020 and 09/16/2020 have been considered.

Internet Communications
Applicant is encouraged to file an Internet Communications form to authorize correspondence during prosecution. To facilitate processing of the internet communication authorization or withdrawal of authorization, the Office strongly encourages use of Form PTO/SB/439, available at www.uspto.gov/patent/patents-forms. The form may be filed via EFS-Web using the document description Internet Communications Authorized or Internet Communications Authorization Withdrawn to facilitate processing.

Examiner Comments
Additionally, the following limitations do not make the scope indeterminate; however, there seem to be some inconsistencies. Clarification is requested.
Claim 2 recites an address associated with the domain information. However, Claim 1 indicates “an address associated with the first domain does not exist” “based on a ratio”. This may be an antecedent issue. Clarification/correction is requested.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-5 are rejected under 35 U.S.C. 103 as being unpatentable over Monrose et al. (US 2016/0026796), hereinafter Monrose, and further in view of Shitrit-Efergan et al. (US 2018/0351976), hereinafter Shitrit-Efergan.


Regarding claims 1 and 5, 
Monrose teaches a cyberattack evaluation method executed by a computer, the method comprising: making, based on first domain information included in input cyberattack information (see paras. 23-25, 48 and 80; Applicant's specification discloses use of a blacklist for “input cyberattack information” (para. 26). Here, a system for evaluating compromised (i.e. cyberattack evaluation) host and DNS traffic, based on domain names (i.e. first domain information) included in a blacklist of compromised host and domain names);
a query about whether a first address associated with the first domain information exists to a plurality of first managing servers that manage associations between domain information and addresses (see fig. 1B, paras. 26-27, 43-44, query to determine if IP address (i.e. first address) associated with domain name (i.e. first domain information) (see further, para. 51) exists (see further, para. 27, wherein DNS NX messages indicate whether domain name exists) to a DNS zone (i.e. plurality of first managing servers) (see further, para. 75, list of DNS zones queried indicative of “plurality”), the DNS zone maintains the domain name associations (see further, paras. 12 and 37));
making a query about a response history related to the first domain information to a second managing server that monitors communication of the first managing servers and manages response histories, related to the associations between domain information and addresses, from the first managing servers (see figs. 1A-1B, paras. 44-45, making a query about monitored DNS traffic and response messages (see table 1) (i.e. response history) to a CHD module of data collector (i.e. second managing server) that receives, taps, and monitors DNS traffic and response messages of the DNS servers (see further, para. 25) and stores (i.e. manages) statistics related to the associations between IP address and domain name from the DNS zone and servers (i.e. first managing server) (see further, para. 51));
Although Monrose teaches applying a ratio test (para. 33), it fails to teach outputting a result based on a ratio of the number of responses indicating that an address associated with the first domain information does not exist with respect to the number of responses acquired from each of the first managing servers, and the response histories related to the first domain information.
However, in analogous art, Shitrit-Efergan teaches outputting a result of diagnosing a threat of a cyberattack related to the domain information based on a ratio of the number of responses indicating that an address associated with the first domain information does not exist with respect to the number of responses acquired from each of the first managing servers, and the response histories related to the first domain information (see paras. 31-37, decision engine outputs a result of diagnosing an attack (i.e. cyberattack) related to DNS query based on a ratio of frequency (i.e. number) of responses indicating an anomaly or NX domain (no response) associated with domain information (i.e. domain information does not exist) (see also, para. 37) with respect to the comparison of frequency of responses received from DNS resolver (i.e. first managing server) and the responses during a learned period (i.e. histories) related to domain name).
The claimed subject matter as a whole would have been obvious, before the effective filing date of the claimed invention, to one of ordinary skill in the art.  It would have been obvious to one of ordinary skill in the art to include and outputting a result based on a ratio of the number of responses indicating that an address associated with the first see para. 33).    

Regarding claim 2,
Monrose in view of Shitrit-Efergan as described in claim 1 above.
Monrose further teaches wherein the method further comprising executing to diagnose that an address associated with the domain information does not exist when the ratio exceeds a predetermined value (see paras. 33 and 37, wherein executing to diagnose that an IP address associated with the domain name (i.e. domain information) (see further para. 51) does not exist (e.g. DNS NX message) when the ratio exceeds a threshold value).
Appl. No. 16/232,819


Regarding claim 3,
Monrose in view of Shitrit-Efergan as described in claim 2 above.
Monrose further teaches wherein the method further comprising executing to output a diagnosis result indicating that an activity of the cyberattack related to the domain information has been terminated, when it is diagnosed that the address associated with the domain information does not exist and there is a time period for which the address based on an answer history related to the address associated with the domain information exists (see paras. 67-68, a probability can be determined for success of a previously compromised host and real-world deployment of DNS traffic to the once compromised host can occur (i.e. activity of cyberattack terminated), when it is determined using historical data of responses (i.e. an answer history) that the outcome of the DNS traffic that was once compromised (i.e. does not exist) can be a success (or not compromised (i.e. exist)) during a window of time (i.e. time period)).
Fujitsu Ref. No.: 18-02436

Regarding claim 4,
Monrose in view of Shitrit-Efergan as described in claim 2 above.
Monrose further teaches wherein the address is an Internet Protocol (IP) address (see para. 51, wherein address for domain information is an IP address).


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. All references listed on 892 are related to device profile determination.
US 20190132344 A1 – Lem, graph analysis for determining malicious activity.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to EMAD H SIDDIQI whose telephone number is (469)295-9126.  The examiner can normally be reached on M-F 9 am-5 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kevin Bates, can be reached on 571-272-3980. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.







/Emad Siddiqi/ Examiner, Art Unit 2458

/KEVIN T BATES/ Supervisory Patent Examiner, Art Unit 2458