Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Priority
	This Application claims priority to an Indian Patent Application # IN201911054124 filed 12/27/2019.
Priority under 35 U.S.C. § 119(a)-(d)
	Acknowledgement is made of a claim for foreign priority under 35 U.S.C. § 119(a)-(d), however, applicant has not submitted Copies of the certified copies of the priority documents in this National Stage application from the International Bureau (PCT Rule 17.2(a)). Submission of certified copies of the priority documents is requested in the next response. 
Drawing
Applicant’s submitted drawings have been reviewed and accepted.
Specification
Applicant’s submitted specification on 02/03/2020 has been reviewed and accepted.
DETAILED ACTION
This Office Action is in response to a non-provisional patent application received on
02/13/2020. In the application, claims 1-20 have been received for consideration and have
been examined.



Claim Objection
Claim 19 objected to because of the following informalities:  
Claim 19 preamble recites “The non-transitory computer readable storage medium of claim 1”. 
Claim 19 is a dependent of claim 17, however, the preamble recites that it is dependent of claim 1. Examiner notes this as a typographical and drafting error and request applicant to amend it to properly make it dependent of claim 17.  Appropriate correction is required.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-2, 4-10, 12-18 and 20 rejected under 35 U.S.C. 102(a)(2) as being anticipated by Meshi et al., (US20180069883A1) w.e.f.d. of 09/04/2016 hereinafter referred as “Meshi”.
Regarding claim 1, Meshi discloses:
A computer-implemented method to manage threats to a protected network having a plurality of internal production systems, the method comprising:
monitoring (i.e. collection step 120 where data is collected [monitored] and transmitted to anomaly detection system 22 for further processing; See FIG. 2-3) network traffic from the plurality of internal production systems of a protected network for domain names ([0036] FIG. 1 is a block diagram that schematically shows a computing facility 20 comprising an anomaly detection system 22 that monitors transmissions from multiple workstations 24 (also referred to as endpoints) to multiple Internet sites 26 in order to determine if any of the Internet sites are hosting malicious Command and Control (CnC) channels; [0054] In a collection step 120, processor collects, during a training period, information on data transmitted from workstations 24 to Internet sites 26, and stores the collected information to analysis records 90. Using embodiments described supra, processor 70 can collect the information from log data 54 or from data packets transmitted over network 30 (e.g., collect from probe 78 in real-time), and store the information to analysis records 90);
determining, for each internal production system of the plurality of internal production systems over the course of a long time interval (i.e. domain name data collected over a single month (e.g., 30 days) is construed as long time interval; This information is collected in Malicious artifact profiles 114; See FIG. 2), a first collection of each unique domain name that is output by the internal production system ([0062] The one or more malicious artifact profiles can be used to identify patterns or features of the specific transmissions to the given domain … Information that can be used to define the malicious artifact profiles include: [0063] Total number of connections to a given domain 44 during a specific time period (e.g., 30 days); [0086] In order to consider periodicity, embodiments of the present invention may aggregate the data collected over (for example) a single month, and only consider the destination (i.e., a given domain 94));
determining, for each internal production system over the course of a short time interval (i.e. domain name data collected over ‘daily or hourly’ is construed as short time interval; This information is collected in Malicious artifact profiles 114; See FIG. 2), a second collection of each unique domain name that is output by the internal production system ([0062] The one or more malicious artifact profiles can be used to identify patterns or features of the specific transmissions to the given domain; [0064] Average volume of all the connections to the given domain during a specific time period (e.g., daily or hourly); [0067] Examples of how the one or more access time profiles can be used to analyze the information in records 90 include: [0069] A higher number of distinct hours during a given time period (i.e., based on time 100) that a given domain 94 is accessed by workstations 24 indicates a higher suspicion that the given domain is a (malicious or benign) CnC channel);
comparing domain names (i.e. generating ‘access time profile’; See Abstract) in the first and second collections associated with the plurality of internal production systems to determine suspicious domain names that meet a predetermined condition (See FIG. 7; i.e. See [0072] for predetermined conditions [having longer domain names, having younger domain ages, having hidden registrant information] to detect malicious domain names) ([0072] Examples of how the one or more malicious domain profiles can be used to analyze the information in records 90 include, but are not limited to, assigning higher malicious domain suspiciousness to domains 90 having longer domain names, having younger domain ages, having hidden registrant information (i.e., these are only a few examples); [0073] In a first model generation step 126, processor 70 uses profiles 110, 112 and 114 to generate CnC model 82. In embodiments of the present invention, model 82 analyzes, using the features in profiles 110, 112, and 114, the data transmissions in the collected data to predict if a given domain 44 hosts a CnC channel; [0077] In a model application step 132, processor 70 (e.g., executing classification application 80) applies the CnC model (comprising profiles 110, 112 and 114) and the malicious domain model (comprising profile 116) to the information collected in step 130, and in a prediction step 134, the processor predicts (i.e., determines), suspiciousness (i.e., if any of the domains are hosting malicious CnC channels) based on respective predictions from models 82 and 84; Also See [0160-0163] for multiple comparison steps for comparing domain information for detecting suspicious); and
requesting to treat the suspicious domain names as suspicious ([0074] Finally, in a second model generation step 128, processor 70 uses profile(s) 116 to generate malicious domain model 84. In embodiments of the present invention, model 84 analyzes, using the features in profile(s) 116, the data transmissions in the collected data to predict if a given domain 44 is malicious; [0078] Finally, in an alert step 136, processor 70 generates alerts for the one or more identified domains; [0079] processor 70 can create a single malicious CnC model that can predict if a given domain 44 hosts a malicious CnC channel. In this embodiment, processor 70 can apply the malicious CnC model to the collected data (i.e., step 134) and predict, using the malicious CnC model, if a given domain 44 is suspected of hosting a malicious CnC channel (i.e., step 136)).
Regarding claim 2, Meshi discloses:
	The method of claim 1, wherein a suspicious domain name meets the predetermined condition when the suspicious domain name was included in a predetermined amount of second collections, but not in the first collection, for a threshold number of internal production systems ([0067] Examples of how the one or more access time profiles can be used to analyze the information in records 90 include: [0069] A higher number of distinct hours during a given time period (i.e., based on time 100) that a given domain 94 is accessed by workstations 24 indicates a higher suspicion that the given domain is a (malicious or benign) CnC channel.
Examiner notes that access to a particular domain occurred within short duration [distinct hours] indicates high chance of malicious/suspicious domain).
Regarding claim 4, Meshi discloses:
The method of claim 1, further comprising:
determining an attribute (i.e., Domain age according to the WHOIS record; See [0186]/ an age of the given domain; See [0049]) associated with a domain associated with a suspicious domain name of the suspicious domain names ([0049] Acquired data 88 comprises data (typically acquired from one or more external sources, as described hereinbelow) that can be used to identify information about domains 94 … As described hereinbelow, for a given data record 104 having a given domain 106, domain information 108 can include data such as … (c) an age of the given domain);
applying a condition (i.e., checking domain reputation / if domain reputation is malicious / checking domain’s age of registration) to the attribute determined (See FIG. 7; [0160] in a check step 170, processor 70 checks the reputation of the given domain (e.g., using acquired data 88, as described supra); [0161] In a third comparison step 172, if the given domain has a reputation, then in a fourth comparison step 174, processor 70 checks if the given domain's reputation is malicious. If the given domain's reputation is not malicious, then in a fifth comparison step 176, processor 70 checks if the domain is young); and
determining not to treat the suspicious domain name as suspicious when the condition is met (See FIG. 7 Flowchart steps; when determination of reputation of domain in steps 172, 174 & 176 results positive such as “Domain has a reputation? Yes” [step 172], “Reputation is Malicious? No [step 174] & “Domain is Young? No” [step 176] then process classify the given domain as “Benign/Nonthreatening”; See [0160-0163]).
Regarding claim 5, Meshi discloses:
The method of claim 4, further comprising accessing information about registration of the domain name to determine the attribute ([0057] In embodiments of the present invention, processor 70 can use information from the external sources described hereinabove to define malicious domain profiles 116. Additional examples of the information from external or internal sources that processor 70 can acquire and use for profiles 116 include: [0059] WHOIS (i.e., domain registration records). A person or organization that registered (i.e., purchased) a given domain 94 tried to hide their identity (e.g., via a 3rd party service) indicates a high suspicion that the given domain is malicious; [0060] Additionally domains 94 that are newer (i.e., age of registration) are more suspicious than domains 94 that are older).
Regarding claim 6, Meshi discloses:
The method of claim 5, wherein the attribute is age of the domain name from a time of registration as indicated by the information about registration and the condition is whether the [0049] Acquired data 88 comprises data (typically acquired from one or more external sources, as described hereinbelow) that can be used to identify information about domains 94 … As described hereinbelow, for a given data record 104 having a given domain 106, domain information 108 can include data such as … (c) an age of the given domain; See FIG. 7 Flowchart steps; when determination of reputation of domain in steps 172, 174 & 176 results positive such as “Domain has a reputation? Yes” [step 172], “Reputation is Malicious? No [step 174] & “Domain is Young? No” [step 176] then process classify the given domain as “Benign/Nonthreatening”; See [0160-0163]).
Regarding claim 7, Meshi discloses:
The method of claim 1, wherein the method further includes treating the suspicious domain names as suspicious by taking a precautionary action to warn users of internal production systems in the network about the suspicious domain names ([0035] Embodiments described herein focus on communication between a malware and a domain. There can also be channels between malware and IP addresses, and some embodiments of the present invention are likewise applicable, mutatis mutandis, to detecting malicious IP addresses. Therefore, in some embodiments generating an alert for a given domain may comprise blocking access to the given domain or to any IP addresses belonging to the given domain; [0154] The final verdict of the domain is determined by a combination of the domain suspiciousness score and the domain CnC score … Alerts may be presented to a user according to the final score. For example, a “high risk” alert may be presented for domains with a high score).
Regarding claim 8, Meshi discloses:
[0035] Embodiments described herein focus on communication between a malware and a domain. There can also be channels between malware and IP addresses, and some embodiments of the present invention are likewise applicable, mutatis mutandis, to detecting malicious IP addresses. Therefore, in some embodiments generating an alert for a given domain may comprise blocking access to the given domain or to any IP addresses belonging to the given domain).
Regarding claim 9, Meshi discloses:
A computer system for managing threats to a network, comprising:
a memory configured to store instructions;
processor disposed in communication with said memory, wherein the processor upon execution of the instructions is configured to:
monitor (i.e. collection step 120 where data is collected [monitored] and transmitted to anomaly detection system 22 for further processing; See FIG. 2) network traffic from the plurality of internal production systems of a protected network for domain names ([0036] FIG. 1 is a block diagram that schematically shows a computing facility 20 comprising an anomaly detection system 22 that monitors transmissions from multiple workstations 24 (also referred to as endpoints) to multiple Internet sites 26 in order to determine if any of the Internet sites are hosting malicious Command and Control (CnC) channels; [0054] In a collection step 120, processor collects, during a training period, information on data transmitted from workstations 24 to Internet sites 26, and stores the collected information to analysis records 90. Using embodiments described supra, processor 70 can collect the information from log data 54 or from data packets transmitted over network 30 (e.g., collect from probe 78 in real-time), and store the information to analysis records 90);
determine, for each internal production system of the plurality of internal production systems over the course of a long time interval (i.e. domain name data collected over a single month (e.g., 30 days) is construed as long time interval; This information is collected in Malicious artifact profiles 114; See FIG. 2), a first collection of each unique domain name that is output by the internal production system ([0062] The one or more malicious artifact profiles can be used to identify patterns or features of the specific transmissions to the given domain … Information that can be used to define the malicious artifact profiles include: [0063] Total number of connections to a given domain 44 during a specific time period (e.g., 30 days); [0086] In order to consider periodicity, embodiments of the present invention may aggregate the data collected over (for example) a single month, and only consider the destination (i.e., a given domain 94));
determine, for each internal production system over the course of a short time interval (i.e. domain name data collected over ‘daily or hourly’ is construed as short time interval; This information is collected in Malicious artifact profiles 114; See FIG. 2), a second collection of each unique domain name that is output by the internal production system ([0062] The one or more malicious artifact profiles can be used to identify patterns or features of the specific transmissions to the given domain; [0064] Average volume of all the connections to the given domain during a specific time period (e.g., daily or hourly); [0067] Examples of how the one or more access time profiles can be used to analyze the information in records 90 include: [0069] A higher number of distinct hours during a given time period (i.e., based on time 100) that a given domain 94 is accessed by workstations 24 indicates a higher suspicion that the given domain is a (malicious or benign) CnC channel);
compare domain names (i.e. generating ‘access time profile’; See Abstract) in the first and second collections associated with the plurality of internal production systems to determine suspicious domain names that meet a predetermined condition (See FIG. 7; i.e. See [0072] for predetermined conditions to detect malicious domain names) ([0072] Examples of how the one or more malicious domain profiles can be used to analyze the information in records 90 include, but are not limited to, assigning higher malicious domain suspiciousness to domains 90 having longer domain names, having younger domain ages, having hidden registrant information (i.e., these are only a few examples); [0073] In a first model generation step 126, processor 70 uses profiles 110, 112 and 114 to generate CnC model 82. In embodiments of the present invention, model 82 analyzes, using the features in profiles 110, 112, and 114, the data transmissions in the collected data to predict if a given domain 44 hosts a CnC channel; [0077] In a model application step 132, processor 70 (e.g., executing classification application 80) applies the CnC model (comprising profiles 110, 112 and 114) and the malicious domain model (comprising profile 116) to the information collected in step 130, and in a prediction step 134, the processor predicts (i.e., determines), suspiciousness (i.e., if any of the domains are hosting malicious CnC channels) based on respective predictions from models 82 and 84; Also See [0160-0163] for multiple comparison steps for comparing domain information for detecting suspicious); and
[0074] Finally, in a second model generation step 128, processor 70 uses profile(s) 116 to generate malicious domain model 84. In embodiments of the present invention, model 84 analyzes, using the features in profile(s) 116, the data transmissions in the collected data to predict if a given domain 44 is malicious; [0078] Finally, in an alert step 136, processor 70 generates alerts for the one or more identified domains; [0079] processor 70 can create a single malicious CnC model that can predict if a given domain 44 hosts a malicious CnC channel. In this embodiment, processor 70 can apply the malicious CnC model to the collected data (i.e., step 134) and predict, using the malicious CnC model, if a given domain 44 is suspected of hosting a malicious CnC channel (i.e., step 136)).
Regarding claim 10, Meshi discloses:
The computer system of claim 9, wherein a suspicious domain name meets the predetermined condition when the suspicious domain name was included in a predetermined amount of second collections, but not in the first collection, for a threshold number of internal production systems ([0067] Examples of how the one or more access time profiles can be used to analyze the information in records 90 include: [0069] A higher number of distinct hours during a given time period (i.e., based on time 100) that a given domain 94 is accessed by workstations 24 indicates a higher suspicion that the given domain is a (malicious or benign) CnC channel.
Examiner notes that access to a particular domain occurred within short duration [distinct hours] indicates high chance of malicious/suspicious domain).
Regarding claim 12, Meshi discloses:

determine an attribute (i.e., Domain age according to the WHOIS record; See [0186]/ an age of the given domain; See [0049]) associated with a domain associated with a suspicious domain name of the suspicious domain names ([0049] Acquired data 88 comprises data (typically acquired from one or more external sources, as described hereinbelow) that can be used to identify information about domains 94 … As described hereinbelow, for a given data record 104 having a given domain 106, domain information 108 can include data such as … (c) an age of the given domain);
apply a condition (i.e., checking domain reputation / if domain reputation is malicious / checking domain’s age of registration) to the attribute determined (See FIG. 7; [0160] in a check step 170, processor 70 checks the reputation of the given domain (e.g., using acquired data 88, as described supra); [0161] In a third comparison step 172, if the given domain has a reputation, then in a fourth comparison step 174, processor 70 checks if the given domain's reputation is malicious. If the given domain's reputation is not malicious, then in a fifth comparison step 176, processor 70 checks if the domain is young); and
determine not to treat the suspicious domain name as suspicious when the condition is met (See FIG. 7 Flowchart steps; when determination of reputation of domain in steps 172, 174 & 176 results positive such as “Domain has a reputation? Yes” [step 172], “Reputation is Malicious? No [step 174] & “Domain is Young? No” [step 176] then process classify the given domain as “Benign/Nonthreatening”; See [0160-0163]).
Regarding claim 13, Meshi discloses:
[0057] In embodiments of the present invention, processor 70 can use information from the external sources described hereinabove to define malicious domain profiles 116. Additional examples of the information from external or internal sources that processor 70 can acquire and use for profiles 116 include: [0059] WHOIS (i.e., domain registration records). A person or organization that registered (i.e., purchased) a given domain 94 tried to hide their identity (e.g., via a 3rd party service) indicates a high suspicion that the given domain is malicious; [0060] Additionally domains 94 that are newer (i.e., age of registration) are more suspicious than domains 94 that are older).
Regarding claim 14, Meshi discloses:
The computer system of claim 13, wherein the attribute is age of the domain name from a time of registration as indicated by the information about registration, and the condition is whether the age of the domain name is at least a threshold age ([0049] Acquired data 88 comprises data (typically acquired from one or more external sources, as described hereinbelow) that can be used to identify information about domains 94 … As described hereinbelow, for a given data record 104 having a given domain 106, domain information 108 can include data such as … (c) an age of the given domain; See FIG. 7 Flowchart steps; when determination of reputation of domain in steps 172, 174 & 176 results positive such as “Domain has a reputation? Yes” [step 172], “Reputation is Malicious? No [step 174] & “Domain is Young? No” [step 176] then process classify the given domain as “Benign/Nonthreatening”; See [0160-0163]).
Regarding claim 15, Meshi discloses:
[0035] Embodiments described herein focus on communication between a malware and a domain. There can also be channels between malware and IP addresses, and some embodiments of the present invention are likewise applicable, mutatis mutandis, to detecting malicious IP addresses. Therefore, in some embodiments generating an alert for a given domain may comprise blocking access to the given domain or to any IP addresses belonging to the given domain; [0154] The final verdict of the domain is determined by a combination of the domain suspiciousness score and the domain CnC score … Alerts may be presented to a user according to the final score. For example, a “high risk” alert may be presented for domains with a high score).
Regarding claim 16, Meshi discloses:
The computer system of claim 9, wherein the processor upon execution of the instructions is further configured to treat the suspicious domain names as suspicious, including taking a blocking action to block packets that include the suspicious domain names ([0035] Embodiments described herein focus on communication between a malware and a domain. There can also be channels between malware and IP addresses, and some embodiments of the present invention are likewise applicable, mutatis mutandis, to detecting malicious IP addresses. Therefore, in some embodiments generating an alert for a given domain may comprise blocking access to the given domain or to any IP addresses belonging to the given domain).
Regarding claim 17, Meshi discloses:

monitor (i.e. collection step 120 where data is collected [monitored] and transmitted to anomaly detection system 22 for further processing; See FIG. 2) network traffic from the plurality of internal production systems of a protected network for domain names ([0036] FIG. 1 is a block diagram that schematically shows a computing facility 20 comprising an anomaly detection system 22 that monitors transmissions from multiple workstations 24 (also referred to as endpoints) to multiple Internet sites 26 in order to determine if any of the Internet sites are hosting malicious Command and Control (CnC) channels; [0054] In a collection step 120, processor collects, during a training period, information on data transmitted from workstations 24 to Internet sites 26, and stores the collected information to analysis records 90. Using embodiments described supra, processor 70 can collect the information from log data 54 or from data packets transmitted over network 30 (e.g., collect from probe 78 in real-time), and store the information to analysis records 90);
determine, for each internal production system of the plurality of internal production systems over the course of a long time interval (i.e. domain name data collected over a single month (e.g., 30 days) is construed as long time interval; This information is collected in Malicious artifact profiles 114; See FIG. 2), a first collection of each unique domain name that is output by the internal production system ([0062] The one or more malicious artifact profiles can be used to identify patterns or features of the specific transmissions to the given domain … Information that can be used to define the malicious artifact profiles include: [0063] Total number of connections to a given domain 44 during a specific time period (e.g., 30 days); [0086] In order to consider periodicity, embodiments of the present invention may aggregate the data collected over (for example) a single month, and only consider the destination (i.e., a given domain 94));
determine, for each internal production system over the course of a short time interval (i.e. domain name data collected over ‘daily or hourly’ is construed as short time interval; This information is collected in Malicious artifact profiles 114; See FIG. 2), a second collection of each unique domain name that is output by the internal production system ([0062] The one or more malicious artifact profiles can be used to identify patterns or features of the specific transmissions to the given domain; [0064] Average volume of all the connections to the given domain during a specific time period (e.g., daily or hourly); [0067] Examples of how the one or more access time profiles can be used to analyze the information in records 90 include: [0069] A higher number of distinct hours during a given time period (i.e., based on time 100) that a given domain 94 is accessed by workstations 24 indicates a higher suspicion that the given domain is a (malicious or benign) CnC channel);
compare domain names (i.e. generating ‘access time profile’; See Abstract) in the first and second collections associated with the plurality of internal production systems to determine suspicious domain names that meet a predetermined condition (See; FIG. 7; i.e. See [0072] for predetermined conditions to detect malicious domain names) ([0072] Examples of how the one or more malicious domain profiles can be used to analyze the information in records 90 include, but are not limited to, assigning higher malicious domain suspiciousness to domains 90 having longer domain names, having younger domain ages, having hidden registrant information (i.e., these are only a few examples); [0073] In a first model generation step 126, processor 70 uses profiles 110, 112 and 114 to generate CnC model 82. In embodiments of the present invention, model 82 analyzes, using the features in profiles 110, 112, and 114, the data transmissions in the collected data to predict if a given domain 44 hosts a CnC channel; [0077] In a model application step 132, processor 70 (e.g., executing classification application 80) applies the CnC model (comprising profiles 110, 112 and 114) and the malicious domain model (comprising profile 116) to the information collected in step 130, and in a prediction step 134, the processor predicts (i.e., determines), suspiciousness (i.e., if any of the domains are hosting malicious CnC channels) based on respective predictions from models 82 and 84; Also See [0160-0163] for multiple comparison steps for comparing domain information for detecting suspicious); and
request to treat the suspicious domain names as suspicious ([0074] Finally, in a second model generation step 128, processor 70 uses profile(s) 116 to generate malicious domain model 84. In embodiments of the present invention, model 84 analyzes, using the features in profile(s) 116, the data transmissions in the collected data to predict if a given domain 44 is malicious; [0078] Finally, in an alert step 136, processor 70 generates alerts for the one or more identified domains; [0079] processor 70 can create a single malicious CnC model that can predict if a given domain 44 hosts a malicious CnC channel. In this embodiment, processor 70 can apply the malicious CnC model to the collected data (i.e., step 134) and predict, using the malicious CnC model, if a given domain 44 is suspected of hosting a malicious CnC channel (i.e., step 136)).
Regarding claim 18, Meshi discloses:
[0067] Examples of how the one or more access time profiles can be used to analyze the information in records 90 include: [0069] A higher number of distinct hours during a given time period (i.e., based on time 100) that a given domain 94 is accessed by workstations 24 indicates a higher suspicion that the given domain is a (malicious or benign) CnC channel.
Examiner notes that access to a particular domain occurred within short duration [distinct hours] indicates high chance of malicious/suspicious domain). 
Regarding claim 20, Meshi discloses:
The non-transitory computer readable storage medium of claim 17, wherein the computer system is further caused to:
determine an attribute (i.e., Domain age according to the WHOIS record; See [0186]/ an age of the given domain; See [0049]) associated with a domain associated with a suspicious domain name of the suspicious domain names ([0049] Acquired data 88 comprises data (typically acquired from one or more external sources, as described hereinbelow) that can be used to identify information about domains 94 … As described hereinbelow, for a given data record 104 having a given domain 106, domain information 108 can include data such as … (c) an age of the given domain);
apply a condition (i.e., checking domain reputation / if domain reputation is malicious / checking domain’s age of registration) to the attribute determined (See FIG. 7; [0160] in a check step 170, processor 70 checks the reputation of the given domain (e.g., using acquired data 88, as described supra); [0161] In a third comparison step 172, if the given domain has a reputation, then in a fourth comparison step 174, processor 70 checks if the given domain's reputation is malicious. If the given domain's reputation is not malicious, then in a fifth comparison step 176, processor 70 checks if the domain is young); and
determine not to treat the suspicious domain name as suspicious when the condition is met (See FIG. 7 Flowchart steps; when determination of reputation of domain in steps 172, 174 & 176 results positive such as “Domain has a reputation? Yes” [step 172], “Reputation is Malicious? No [step 174] & “Domain is Young? No” [step 176] then process classify the given domain as “Benign/Nonthreatening”; See [0160-0163]).

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

s 3, 11 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Meshi et al., (US20180069883A1) w.e.f.d. of 09/04/2016 hereinafter referred as “Meshi” in view of Cooley., (US7496634B1) w.e.f.d. of 01/07/2005.
Regarding claim 3, Meshi does not explicitly discloses:
The method of claim 1, further comprising comparing the suspicious domain names to a white list, wherein only the suspicious domain names that are not on the white list are treated as suspicious.
However, Cooley discloses:
	comparing the suspicious domain names to a white list, wherein only the suspicious domain names that are not on the white list are treated as suspicious (Col. 4, Line # 25-33; Subsequently, the message manager 100 accesses a white list of authorized domains and the comparison module 130 compares the domain pointed to by each link found in the text of the message to the white list of authorized domains. In that embodiment, when each domain associated with each link found in the text of the message matches 240 a domain found in the white list, the message manager determines 255 that the message is not a phishing message, and typically allows the user to access the message).
	It would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to modify the Meshi reference and have a system which compares the domain names against the databases or source of white list domain names, as disclosed by Cooley.
	The motivation to have a system which compares the domain names against the databases or source of white list domain names is to detect suspicious domain names and See Cooley: Col. 4, Line # 14-47).
Regarding claim 11, Meshi does not explicitly discloses:
The computer system of claim 9, wherein the processor upon execution of the instructions is further configured to compare the suspicious domain names to a white list, wherein only the suspicious domain names that are not on the white list are treated as suspicious.
However, Cooley discloses:
	comparing the suspicious domain names to a white list, wherein only the suspicious domain names that are not on the white list are treated as suspicious (Col. 4, Line # 25-33; Subsequently, the message manager 100 accesses a white list of authorized domains and the comparison module 130 compares the domain pointed to by each link found in the text of the message to the white list of authorized domains. In that embodiment, when each domain associated with each link found in the text of the message matches 240 a domain found in the white list, the message manager determines 255 that the message is not a phishing message, and typically allows the user to access the message).
	It would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to modify the Meshi reference and have a system which compares the domain names against the databases or source of white list domain names, as disclosed by Cooley.
	The motivation to have a system which compares the domain names against the databases or source of white list domain names is to detect suspicious domain names and See Cooley: Col. 4, Line # 14-47).
Regarding claim 19, Meshi does not explicitly discloses:
The non-transitory computer readable storage medium of claim 1[7], wherein the computer system is further caused to compare the suspicious domain names to a white list, wherein only the suspicious domain names that are not on the white list are treated as suspicious.
However, Cooley discloses:
	comparing the suspicious domain names to a white list, wherein only the suspicious domain names that are not on the white list are treated as suspicious (Col. 4, Line # 25-33; Subsequently, the message manager 100 accesses a white list of authorized domains and the comparison module 130 compares the domain pointed to by each link found in the text of the message to the white list of authorized domains. In that embodiment, when each domain associated with each link found in the text of the message matches 240 a domain found in the white list, the message manager determines 255 that the message is not a phishing message, and typically allows the user to access the message).
	It would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to modify the Meshi reference and have a system which compares the domain names against the databases or source of white list domain names, as disclosed by Cooley.
	The motivation to have a system which compares the domain names against the databases or source of white list domain names is to detect suspicious domain names and See Cooley: Col. 4, Line # 14-47).
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SYED M AHSAN whose telephone number is (571)272-5018. The examiner can normally be reached 8:30 AM - 6:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffery L. Nickerson can be reached on 469-295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/SYED A ZAIDI/       Primary Examiner, Art Unit 2432