DETAILED ACTION

1.	Claims 1-22 are presented for consideration.

Claim Rejections - 35 USC § 112

The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

2.	Claims 2, 10, 21, and 22 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the enablement requirement.  The claim(s) contains subject matter which was not described in the specification in such a way as to enable one skilled in the art to which it pertains, or with which it is most nearly connected, to make and/or use the invention.  The subject matter which was not described in the specification includes removal of the corresponding tentative entry, as in claims 10 and 20, and removal of the source address, as in claims 11 and 21; in fact, the specification, page 7, lines 1-8, discloses the opposite of what is claimed, namely that it not be removed during an infected host repository cleaning procedure.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

3.	Claims 1-4, 6, 11-15, 17, and 22 are rejected under 35 U.S.C. 103 as being unpatentable over Hentunen [ US Patent Application No 2014/0310811 ], in view of Rodriguez et al. [ US Patent No 10,652,260 ].

4.	As per claim 1, Hentunen discloses the invention as claimed including a computer network monitoring system for managing botnet attacks to the computer network [ i.e. identifying client devices that are infected with malware, e.g. recruited into a botnet or spyware ] [ paragraph 0017 ], the computer network monitoring system comprising a name server [ i.e. DNS server ] [ 108, Figure 1 ], the name server comprising:
	a memory configured to store instructions;
	a processor disposed in communication with the memory, wherein the processor, upon execution of the instructions is configured to:

	compare the domain name of the DNS request to a botnet domain repository [ i.e. for each received DNS query, was the DNS query message to a malware domain name, and database 107 is used to store data representation of each malware domain name ] [ Figure 3a; and paragraphs 0070, and 0175 ], the botnet domain repository including one or more entries, each entry having a confirmation indicator that indicates whether the entry corresponds to a confirmed botnet [ i.e. malware domain names ] [ paragraphs 0071-0074 ];
	if determined by the comparison that the domain name of the DNS request is included in the botnet domain repository [ i.e. if the DNS query message to a malware domain is a Yes ] [ Figure 3a; and paragraph 0175 ], then:
	store or update the source address of the DNS request in an infected host repository [ i.e. the identity of the client device is determined and stored in a database ] [ paragraph 0011 ], wherein each source address stored in the infected host repository identifies a host known to be infected [ i.e. used as an indication that certain IP addresses in the ISP network have been infected ] [ paragraphs 0006, and 0344 ]; and
	output a control signal to cause any future network traffic from the source address to be diverted to an administrator configured address [ i.e. DNS record includes a marker domain that points to a marker IP address corresponding to a controlled website or server ] [ paragraphs 0051 0056, and 0079 ].

	Rodriguez discloses identifying a source address of a source host, wherein the translation of the domain name, if translated, provides an IP address to the source host that requested the translation [ i.e. identify a requestor client IP address ] [ col 3, lines 1-4; and col 6, lines 26-29 ].
	It would have been obvious to a person skilled in the art at the time the invention was made to combine the teaching of Hentunen and Rodriguez because the teaching of Rodriguez would enable providing network security to client devices.

5.	As per claim 2, Hentunen discloses wherein if determined by the comparison that the domain name of the DNS request is included in the botnet domain repository, then the processor, upon execution of the instructions is further configured to send a DNS response to the DNS request indicating an administrator configured address which will cause the source host to send future network traffic associated with the target host to the administrator configured address by using the administrator configured address as the destination address of the future network traffic [ i.e. infected client device is redirected to walled garden system ] [ paragraphs 0167, and 0168 ].

6.	As per claim 3, Hentunen discloses wherein the processor, upon execution of the instructions is further configured to:
	if determined by the comparison that the domain name is not included in the botnet domain repository, then determine by a second comparison whether the source address of the

	if determined by the second comparison that the source address of the DNS request is included in the infected host repository then tentatively store the domain of the DNS request in the botnet domain repository having an associated confirmation indicator set to indicate that the source address is not confirmed, after which the DNS request is allowed to be handled for further processing as intended by the DNS request [ i.e. quarantined due to suspected infection ] [ paragraphs 0337, 0342, and 0343 ].

7.	As per claim 4, Hentunen discloses wherein the processor, upon execution of the instructions is further configured to, if determined by the second comparison that the source address is not included in the infected host repository, then allow the DNS request to be handled for the further processing as intended by the DNS request [ i.e. free from infection, e.g. clean client device, may be granted access to use the communication network ] [ paragraphs 0016, and 0062 ].

8.	As per claim 6, Hentunen discloses a threat manager, the threat manager comprising:
	a second memory configured to store instructions;
	a second processor disposed in communication with the second memory, wherein the second processor, upon execution of the instructions is configured to:
	when some of the future network traffic is received at the administrator configured address due to the destination address of the future network traffic being the administrator configured address, cause a fingerprint of the future network traffic to be recorded in a fingerprint repository and the future network traffic to be dropped [ i.e. marking or tagging 

9.	As per claim 11, Hentunen discloses wherein the infected host repository is updated periodically to remove each source address that is stale due to nonuse of the source address or due to the source address not having been stored or updated within a selectable time interval [ paragraphs 0141, and 0159 ].

10.	As per claims 12-15, 17, and 22, they are rejected for similar reasons as stated above in claims 1-4, 6, and 11.


11.	Claims 5, 7-10, 16, and 18-21 are rejected under 35 U.S.C. 103 as being unpatentable over Hentunen [ US Patent Application No 2014/0310811 ], in view of Rodriguez et al. [ US Patent No 10,652,260 ], and further in view of Pandrangi et al. [ US Patent No 10,560,422 ].

12.	As per claim 5, Hentunen in view of Rodriguez does not specifically disclose wherein allowing the DNS request to be handled for further processing includes forwarding the first DNS request to a recursive resolver.  Pandrangi discloses wherein allowing the DNS request to be handled for further processing includes forwarding the first DNS request to a recursive resolver [ i.e. recursive name server ] [ Abstract ].  It would have been obvious to a person skilled in the art at the time the invention was made to combine the teaching of Hentunen, Rodriguez and Pandrangi because the teaching of Pandrangi would enable enhanced inter-network monitoring and

13.	As per claim 7, Hentunen in view of Rodriguez does not specifically disclose wherein when the network traffic or some of the future network traffic is received at the administrator configured address due to a diversion to the administrator configured address, the second processor is further configured to cause to be processed any tentative entry in the botnet domain repository that corresponds to the network traffic or some of the future network traffic diverted to the administrator as a function of a fingerprint of the network traffic or future network traffic.  Pandrangi discloses wherein when the network traffic or some of the future network traffic is received at the administrator configured address due to a diversion to the administrator configured address, the second processor is further configured to cause to be processed any tentative entry in the botnet domain repository that corresponds to the network traffic or some of the future network traffic diverted to the administrator as a function of a fingerprint of the network traffic or future network traffic [ i.e. questionable or suspicious domains ] [ col 5, lines 31-61 ].  It would have been obvious to a person skilled in the art at the time the invention was made to combine the teaching of Hentunen, Rodriguez and Pandrangi because the teaching of Pandrangi would enable enhanced inter-network monitoring and selective redirection of network traffic, intra-network capture of information associated with the redirected network traffic, and adaptive management of the redirected network traffic based on the captured information [ Pandrangi, col 1, lines 17-21 ].



15.	As per claim 9, Hentunen discloses wherein the second processor is further configured to cause network traffic or the future network traffic diverted to the administrator configured address to be dropped [ i.e. blocking of access to the communication network ] [ paragraphs 0336, and 0349 ].

16.	As per claim 10, Hentunen discloses wherein when the fingerprint of the network traffic or the future network traffic diverted to the administrator configured address does not match fingerprints of network traffic that are recorded in the fingerprint repository a predetermined amount of times, causing the tentative entry in the botnet domain repository to be processed includes causing removal of the corresponding tentative entry from the botnet domain repository, and causing the future network traffic diverted to the administrator configured address to be handled for further processing as intended by the respective request or future request [ paragraphs 0141, and 0159 ].

17.	As per claims 16, and 18-21, they are rejected for similar reasons as stated above in claims 5, and 7-10.

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to DUSTIN NGUYEN whose telephone number is (571)272-3971. The examiner can normally be reached Monday-Friday 9-6 PST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Brian Gillis, can be reached on 571-272-7952. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/DUSTIN NGUYEN/Primary Examiner, Art Unit 2446