DETAILED ACTION
This action is responsive to communications filed 19 November 2021.
Claims 1-15 are subject to examination.
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 21 September 2021 was filed.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.
Response to Arguments
Applicant’s arguments have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
However, Applicant argues in substance:
the IP address corresponding to the high defense domain name”. See Remarks page 9.
In response to Applicant’s arguments (a), the Examiner respectfully disagrees. The limitations above, under broadest reasonable interpretation, denote requesting access to an IP address corresponding to a high defense domain, therefore Back at least discloses and/or teaches directing identified network communications to blackhole systems, see [0034] and [0048].
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:


Claim 1-2, 6-7 and 11-12 is/are rejected under 35 U.S.C. 103 as being unpatentable over BACK et al. (US-20150207812-A1) hereinafter Back in view of Katrekar et al. (US-20180062923-A1) hereinafter Katrekar further in view of Hu et al. (US-20180020016-A1) hereinafter Hu.
Regarding claim 6, Back discloses:
An apparatus for processing data ([0034] DNS server), the apparatus comprising: 
at least one processor ([0034] DNS server a combination of software and hardware such as implemented by a computer system of FIG. 9 [FIG. 9] comprising a processor, see further [0080]); and 
20a memory storing instructions, wherein the instructions when executed by the at least one processor, cause the at least one processor to perform operations ([0034] DNS server a combination of software and hardware such as implemented by a computer system of FIG. 9 [FIG. 9] comprising a processor, main memory, storage medium [0080-0081] processor for executing instructions and storage devices store data and/or software instructions used by processors), the operations comprising: 
receiving an access request to access a target domain 25name ([0034] receive requests for domain names from client devices); 
converting the target domain name into a preset high defense domain name ([0048] direct a network communication to a different domain name, e.g. a domain name associated with blackhole systems; DNS configured to direct a network communication (e.g. originally intended for a domain name) to a different domain name such as CNAME, e.g. redirect (i.e. converting the domain name to a different domain name)); 
([0034] DNS server may be configured to translate or convert the domain names to numerical IP addresses [0048] e.g. domain name associated with blackhole systems); and 
30sending the access request according to the IP21Attorney Docket No. ISGTP011/19A12895US address corresponding to the high defense domain name ([0034] send a message including the IP address to the client device that requested the domain name [0048] direct identified network communications to blackhole systems (i.e. client receives blackhole address instead of originally intended address, e.g. access request redirected from originally intended address to blackhole)); 
wherein, in a case that the IP address corresponding to the target domain name enables a black hole ([0044] software programs may cause DNS servers to analyze data in received network communications, e.g. to direct network communications meeting certain criteria based on the analysis to blackhole systems (i.e. enabling a black hole) [0058] e.g. when DNS server identified the domain name as being malicious [0043] e.g. IP addresses or domain names that are known to be associated with bad sources), the IP address corresponding to the high defense domain name in the domain 5name system is a preset high defense IP address ([0046] [0058] IP address associated with blackhole systems, e.g. sent client device the IP address of a blackhole system); and in a case that the IP address corresponding to the target domain name closes the black hole ([0044] software programs may cause DNS servers to analyze data in received network communications, e.g. to direct network communications meeting certain criteria based on the analysis to blackhole systems (i.e. not enabling a black hole when network communications do not meet certain criteria) [0043] e.g. IP addresses or domain names that are known to be associated with good sources), the IP address corresponding to the high defense domain name in the domain name system is the IP address of the target domain name ([0045-0046] domain names in network communications that do not meet certain criteria based on the analysis will resolve to the IP address to which it would normally resolve, e.g. when a DNS server identifies a network communication that should be directed to blackhole systems, it may resolve the domain name to an IP address associated with blackhole systems (i.e. when not identified to be directed to blackhole systems, directed to IP address which it would normally resolve)). 
Back does not explicitly disclose:
wherein in a domain name system the target domain name corresponds to an Elastic IP (EIP) address,
a preset high defense IP address used for filtering malicious attack traffic included in the access request at the preset high defense IP address and returning the filtered access request to the EIP address,
However, Katrekar discloses:
wherein in a domain name system the target domain name corresponds to an Elastic IP (EIP) address ([0225] public cloud gateway performs its own NAT using a separate NAT table that maps the various secondary IP addresses to public IP addresses (e.g., to elastic IPs that are dynamically allocable),
It would have been obvious to one of ordinary skill in the pertinent art before the effective filing date of the claimed invention to modify the invention of Back in view of Katrekar to utilize EIPs. One of ordinary skill in the art would have been motivated to do so to map various secondary IP addresses to public IP addresses that are dynamically allocable ([0225]).
Back-Katrekar do not explicitly disclose:
a preset high defense IP address used for filtering malicious attack traffic included in the access request at the preset high defense IP address and returning the filtered access request to the EIP address,
However, Hu discloses:
([0034] SDN ensures that legitimate traffic forwarded by the network filtering device and destined for the first public network address is not dropped together with malicious attack traffic sent by attackers [0030] e.g. forward “clean” traffic to protected host (i.e. filtering out bad traffic from forwarding to host)),
It would have been obvious to one of ordinary skill in the pertinent art before the effective filing date of the claimed invention to modify the invention of Back-Katrekar in view of Hu to have filtered traffic and forward clean traffic to a protected host. One of ordinary skill in the art would have been motivated to do so to redirect suspicious traffic from the original network routing path to the filtering mechanism, and for recognition and elimination of the malicious traffic without affecting the forwarding path of the legitimate traffic (Hu, [0005]).
Regarding claim 107, Back-Katrekar-Hu disclose:
The apparatus according to claim 6, set forth above, wherein, before converting the target domain name into a preset high defense domain name, the operations further comprise: 
Back discloses:
generating a high defense domain name before converting the target domain name into a preset high defense domain 15name ([0048] direct a network communication to a different domain name, e.g. a domain name associated with blackhole systems; DNS configured to direct a network communication (e.g. originally intended for a domain name) to a different domain name such as CNAME (i.e. name generated prior to direct/redirect), e.g. redirect (i.e. converting the domain name to a different domain name));
configuring the IP address corresponding to the target domain name ([0034] configured to translate or convert the domain names (from the request for domain names from a client device) to numerical IP addresses), an area to which the IP address belongs ([0034] IP addresses associated with computing devices that are connected over one of networks (i.e. the network, e.g. area, that device connects)), and health checking a port based on a Transmission Control Protocol (TCP) service ([0076] information, e.g. for an infection, may include a port used by the connection (i.e. checking the port’s information on infection, e.g. health check)); 
creating a record that the high defense domain name resolves to the IP address ([0045-0046] domain names in network communications that do not meet certain criteria based on the analysis will resolve to the IP address to which it would normally resolve, e.g. when a DNS server identifies a network communication that should be directed to blackhole systems, it may resolve the domain name to an IP address associated with blackhole systems (i.e. when not identified to be directed to blackhole systems, directed to IP address which it would normally resolve); wherein DNS requires mapping of domain names to IP addresses (i.e. a record of what the domain name translates to)); and
creating a record that the target domain name resolves to the high defense domain name ([0048] direct a network communication to a different domain name, e.g. a domain name associated with blackhole systems; DNS configured to direct a network communication (e.g. originally intended for a domain name) to a different domain name such as CNAME, e.g. redirect (i.e. mapping/routing of communication, i.e. a record of where to map/route the communication to) [0076] list of domains that have been routed to blackhole systems).
Regarding claims 1 and 11, they do not further define nor teach over the limitations of claim 6, therefore, claims 1 and 11 are rejected for at least the same reasons set forth above as in claim 6.
Regarding claims 2 and 12, they do not further define nor teach over the limitations of claim 7, therefore, claims 2 and 12 are rejected for at least the same reasons set forth above as in claim 7.
Claim 3-4, 8-9 and 13-14 is/are rejected under 35 U.S.C. 103 as being unpatentable over Back-Katrekar-Hu in view of Mizik et al. (US-10033691-B1) hereinafter Mizik.

The apparatus according to claim 7, set forth above, wherein the operations 25further comprise: 
Back discloses:
creating a high defense IP address in response to detecting that the EIP address is attacked and the black hole is enabled ([0044] software programs may cause DNS servers to analyze data in received network communications, e.g. to direct network communications meeting certain criteria based on the analysis to blackhole systems (i.e. enabling a black hole) [0058] e.g. when DNS server identified the domain name as being malicious [0043] e.g. IP addresses or domain names that are known to be associated with bad sources) [0046] [0058] IP address associated with blackhole systems, e.g. sent client device the IP address of a blackhole system); and 
30calling the domain name system to resolve the high defense domain name to switch to the high defense IP address ([0044] software programs may cause DNS servers to analyze data in received network communications, e.g. to direct network communications meeting certain criteria based on the analysis to blackhole systems (i.e. enabling a black hole) [0046] [0058] IP address associated with blackhole systems, e.g. sent client device the IP address of a blackhole system).  
Back does not explicitly disclose:
creating a forwarding rule of returning from the high defense IP address back to the IP address;
However, Mizik discloses:
creating a forwarding rule of returning from the high defense IP address back to the IP address ([col. 12, ls. 6-52] in addition to forwarding, rules may specify that a DNS request be handled directly by DNS resolver, e.g. by returning a specific address (i.e. back to IP) or no address (e.g. blackhole; i.e. forwarding rule for blackhole or returning to a specific address));
It would have been obvious to one of ordinary skill in the pertinent art before the effective filing date of the claimed invention to modify the invention of Back-Katrekar-Hu in view of Mizik to have 
Regarding claim 9, Back-Katrekar-Hu-Mizik disclose:
The apparatus according to claim 8, set forth above, wherein the operations further comprise: 
Back discloses:
calling the domain name system to resolve the high defense domain name to switch to the EIP address, in response to 5detecting that the EIP address ends the black hole  ([0044] software programs may cause DNS servers to analyze data in received network communications, e.g. to direct network communications meeting certain criteria based on the analysis to blackhole systems (i.e. not enabling a black hole when network communications do not meet certain criteria) [0043] e.g. IP addresses or domain names that are known to be associated with good sources [0045-0046] domain names in network communications that do not meet certain criteria based on the analysis will resolve to the IP address to which it would normally resolve, e.g. when a DNS server identifies a network communication that should be directed to blackhole systems, it may resolve the domain name to an IP address associated with blackhole systems (i.e. when not identified to be directed to blackhole systems, directed to IP address which it would normally resolve)).
Regarding claims 3, 4 and 13, 14 they do not further define nor teach over the limitations of claims 8 and 9, therefore, claims 3, 4 and 13, 14 are rejected for at least the same reasons set forth above as in claims 8 and 9.
Claim 5, 10 and 15 is/are rejected under 35 U.S.C. 103 as being unpatentable over Back-Katrekar-Hu-Mizik in view of Carney et al. (US-9197666-B2) hereinafter Carney further in view of Smith (US-9609018-B2).
Regarding claim 10, Back-Katrekar-Hu-Mizik disclose: 

Back-Katrekar-Hu-Mizik do not explicitly disclose:
deleting the high defense IP address and the forwarding rule; and 
10recycling the high defense IP address to an available pool.
However, Carney discloses:
deleting the high defense IP ([col. 13, ls. 37-53] set of temporary network addresses and other sets of temporary network addresses are retired after a configurable number of finite periods, and retire all records associated with a set of temporary network addresses);
recycling the high defense IP to an available pool ([col. 13, ls. 37-53] retired addresses may be returned to the pool of unused public addresses).
It would have been obvious to one of ordinary skill in the pertinent art before the effective filing date of the claimed invention to modify the invention of Back-Katrekar-Hu-Mizik in view of Carney to have deleted the high defense IP and recycled it to a pool. One of ordinary skill in the art would have been motivated to do so to allow for reuse of addresses (Carney, [col. 8, ls. 35-54]).
Back-Katrekar-Hu-Mizik-Carney do not explicitly disclose:
deleting the forwarding rule;
However, Smith discloses:
deleting the forwarding rule ([col. 16, ls. 5-20] remove the null route for the target destination prefix);
It would have been obvious to one of ordinary skill in the pertinent art before the effective filing date of the claimed invention to modify the invention of Back-Katrekar-Hu-Mizik-Carney in view of Smith to have deleted the forwarding rule. One of ordinary skill in the art would have been motivated to do so to reset after detecting an error (Smith, [col. 16, ls. 5-20]).
.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
E. Kline, A. Afanasyev and P. Reiher, "Shield: DoS filtering using traffic deflecting," 2011 19th IEEE International Conference on Network Protocols, 2011, pp. 37-42, doi: 10.1109/ICNP.2011.6089077.;
Varner (US-20140173111-A1) DATA USAGE MANAGEMENT SYSTEMS AND METHODS;
Hunt et al. (US-9578048-B1) IDENTIFYING PHISHING WEBSITES USING DOM CHARACTERISTICS;
Radlein et al. (US-9794281-B1) IDENTIFYING SOURCES OF NETWORK ATTACKS;
Yu et al. (US-10798060-B2) NETWORK ATTACK DEFENSE POLICY SENDING METHOD AND APPARATUS, AND NETWORK ATTACK DEFENDING METHOD AND APPARATUS;
Duca et al. (US-20180020002-A1) SYSTEM AND METHOD FOR FILTERING INTERNET TRAFFIC AND OPTIMIZING SAME;
Yang et al. (WO-2017041656-A1) METHOD FOR FACILITATING USER TRAFFIC PROCESSING BY ELEMENTARY DEFENSE DEVICE IN DOMAIN NAME SYSTEM, INVOLVES CONTROLLING TRANSFER OF TRAFFIC, WHICH IS CLEANED TO SERVICE PROCESSING DEVICE FOR PROCESSING BY MANAGEMENT AND CONTROL DEVICE;
Haiyang et al. (CN-107404496-A) DDOS ATTACK DEFENDING AND TRACING METHOD BASED ON HTTP DNS;
Chen et al. (US-11057404-B2) METHOD AND APPARATUS FOR DEFENDING AGAINST DNS ATTACK, AND STORAGE MEDIUM;
DORON et al. (US-20180255095-A1) DISTRIBUTED DENIAL OF SERVICE (DDOS) DEFENSE TECHNIQUES FOR APPLICATIONS HOSTED IN CLOUD COMPUTING PLATFORMS;
ZHANG (US-20180324209-A1) NETWORK ATTACK DEFENSE METHOD, APPARATUS, AND SYSTEM;
Yu et al. (US-20180337888-A1) NETWORK ATTACK DEFENSE POLICY SENDING METHOD AND APPARATUS, AND NETWORK ATTACK DEFENDING METHOD AND APPARATUS;
Ma et al. (US-20180367566-A1) PREVENTION AND CONTROL METHOD, APPARATUS AND SYSTEM FOR NETWORK ATTACK.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Alex H. Tran whose telephone number is (571)272-8173.  The examiner can normally be reached on Monday-Friday 11AM-6PM ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/Alex H. Tran/Examiner, Art Unit 2453                                                                                                                                                                                         
/KAMAL B DIVECHA/Supervisory Patent Examiner, Art Unit 2453