Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This Office action is responsive to communications filed on 01/19/2022. Claims 1, 2, 4, 6, 7 and 9 are pending.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 01/19/2022 has been entered.

Response to Arguments
Applicant’s arguments, see remarks pp. 7-12, filed 01/19/2022, with respect to the rejection(s) of claim(s) 1, 6, and claims dependent therefrom, under section(s) 102 and/or 103 have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of Hernacki and/or Shelest.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1 and 6 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Pat. No. 7,792,994 (“Hernacki”), in view of U.S. Pub. No. 2010/0269174 (“Shelest”), in view of U.S. Pub. No. 2012/0267023 (“Fujimoto”), in view of U.S. Pub. .

Regarding claim 1, Hernacki teaches a network-connection attestation process comprising: 
extracting, by an agent (Fig. 1B, 108 and/or 114), domain-name service (DNS) data from a DNS reply to a DNS query, the DNS data mapping an IP address to a domain name (“At 608, the IP address and, in some embodiments, a TTL value associated with the DNS response received at 606 is captured and stored with the corresponding URI captured at 604,” Col. 7, lines 17-37); 
mapping the domain name to the IP address in a DNS entry of an agent DNS cache (“At 608, the IP address and, in some embodiments, a TTL value associated with the DNS response received at 606 is captured and stored with the corresponding URI captured at 604,” Col. 7, lines 17-37); 
determining the domain name mapped to the IP address in the agent DNS cache (“At 704, the IP address associated with the HTTP GET request of 702 is resolved to a URI (or domain name or other identifier) using an associated DNS cache (e.g., DNS cache 312 of FIG. 3),” Col. 7, lines 38-65); and
attesting to and allowing the connection (Fig. 7, 710), wherein said domain name is thereby used instead of said IP address to perform said network-connection attestation process (“At 706, it is determined whether the URI of the resolved IP address is included in the content filter block list,” Col. 7, lines 38-65).

Hernacki fails to teach said TTL applicable to said mapping of said domain name in an IP address in an operating system (OS) DNS cache, upon expiration of said TTL, a DNS library of a guest OS deletes the corresponding entry in said OS DNS cache. Shelest teaches a TTL applicable to said mapping of said domain name in an IP 
Hernacki-Shelest fails to teach capturing process data of a process instance of an application process making a network-connection request that specifies the IP address, the process data including a process identity for the application process; mapping a process-instance identifier (PIID) for the process instance with the domain name and IP address in the DNS entry, the process data including the PIID; and attesting to and allowing the connection in an event the domain name is mapped to the process identity in a domain-name whitelist. Fujimoto teaches capturing process data of a process instance of an application process making a network-connection request that specifies the IP address (“The switch unit 12 receives the SYN packet. This SYN packet is a new packet. That is, control information that matches header information of the SYN 

Hernacki-Shelest-Fujimoto-Bach fails to teach populating an Internet protocol whitelist by watching domain-name service (DNS) responses to DNS queries and by examining the domain-name whitelist. McGleenon teaches populating an Internet protocol whitelist by watching domain-name service (DNS) responses to DNS queries (“a client device issues a DNS lookup request to resolve a domain name to an IP address and the DNS lookup request is intercepted by the DNS proxy. In this embodiment, the DNS proxy may intercept the DNS response from the DNS server to the client device and obtain the resolved IP address or IP addresses of the domain 

Regarding claim 6, Hernacki teaches a system comprising non-transitory media encoded with code that, when executed by a processor (Col. 2, lines 33-46), implements a network-connection attestation process including:
extracting, by an agent (Fig. 1B, 108 and/or 114), domain-name service (DNS) data from a DNS reply to a DNS query, the DNS data mapping an IP address to a domain name (“At 608, the IP address and, in some embodiments, a TTL value associated with the DNS response received at 606 is captured and stored with the corresponding URI captured at 604,” Col. 7, lines 17-37); 
mapping the domain name to the IP address in a DNS entry of an agent DNS cache ((“At 608, the IP address and, in some embodiments, a TTL value associated 
determining the domain name mapped to the IP address in the agent DNS cache (“At 704, the IP address associated with the HTTP GET request of 702 is resolved to a URI (or domain name or other identifier) using an associated DNS cache (e.g., DNS cache 312 of FIG. 3),” Col. 7, lines 38-65); and
attesting to and allowing the connection (Fig. 7, 710), wherein said domain name is thereby used instead of said IP address to perform said network-connection attestation process (“At 706, it is determined whether the URI of the resolved IP address is included in the content filter block list,” Col. 7, lines 38-65)
the DNS data further specifying a time-to-live (TTL) during which the mapping between the domain name and the IP address is guaranteed to be valid and, on expiration of which, the mapping between the domain name and the IP address is no longer guaranteed to be valid (“The corresponding response back to the host is also from a well-known port, unencrypted, etc., and contains the IP address registered for that domain name and, in some embodiments, includes a "time to live" (TTL) value for which the response (i.e. the IP address) is valid,” Col. 3, line 52 – Col. 4, line 9), the mapping including mapping the TTL value with the domain name and the IP address in the DNS entry (“the corresponding IP address associated with each domain name, as learned by intercepting a DNS response to the DNS request associated with the domain name, is stored in a second column, and an associated TTL is recorded in a third column,” Col. 4, lines 10-41; also Fig. 2), said TTL applicable to a mapping of said IP address to said domain name in said agent DNS cache (“In some embodiments, DNS 
Hernacki fails to teach said TTL applicable to said mapping of said domain name in an IP address in an operating system (OS) DNS cache, upon expiration of said TTL, a DNS library of a guest OS deletes the corresponding entry in said OS DNS cache. Shelest teaches a TTL applicable to said mapping of said domain name in an IP address in an operating system (OS) DNS cache (“a time-to-live period,” ¶ [0064]; “if the DNS response message 210 is fully responsive to the DNS resolution request 208, the DNS response generator 207 may record the response in the cache 202,” ¶ [0066]), upon expiration of said TTL, a DNS library of a guest OS (“The DNS resolver 200 may comprise a library…the DNS resolver 200 may operate within a virtual machine and may include or communicate with virtual hardware,” ¶ [0058]) deletes the corresponding entry in said OS DNS cache (“the cache 202 may include logic or functionality for invalidating or removing cached DNS resource records based on the expiration of a time period or upon receipt of an invalidation command from the DNS resolver 200,” ¶ [0061]). It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to incorporate a DNS resolver in a virtual machine (i.e., guest OS), as taught by Shelest, into Hernacki, to allow each virtual machine to handle DNS resolution differently, thereby increasing customizability.

Hernacki-Shelest-Fujimoto fails to teach configuring domain-name entries configured by an administrator using a cloud-based manager user interface; pushing said domain-name entries from said cloud-based manager to an agent. Bach teaches configuring domain-name entries configured by an administrator using a cloud-based (¶ [0021]) manager user interface (“the security administrator may select an icon 226 for assigning hostname or IP address 228 to blacklists 210 or select an icon 224 for assigning hostname or IP address 228 to whitelists 212,” ¶ [0062]); pushing said domain-name entries from said cloud-based manager to an agent (“User interface 250 then sends an update message 232 to threat detection manager 208 assigning hostname or IP address 228 to blacklists 210 or whitelists 212,” ¶ [0064]). It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to incorporate an administrator interface, as taught by Bach, into Hernacki-Shelest-Fujimoto, to allow an enterprise security administrator to asynchronously 
Hernacki-Shelest-Fujimoto-Bach fails to teach populating an Internet protocol whitelist by watching domain-name service (DNS) responses to DNS queries and by examining the domain-name whitelist. McGleenon teaches populating an Internet protocol whitelist by watching domain-name service (DNS) responses to DNS queries (“a client device issues a DNS lookup request to resolve a domain name to an IP address and the DNS lookup request is intercepted by the DNS proxy. In this embodiment, the DNS proxy may intercept the DNS response from the DNS server to the client device and obtain the resolved IP address or IP addresses of the domain name from the DNS response,” ¶ [0075]), and by examining the domain-name whitelist (“the DNS proxy 1530 compares the domain name with the domain whitelist and blacklist of each packet modifying entity. Based on the comparison, the DNS proxy may provide feedback to the steering component 1510 to update the IP whitelist and the IP blacklist of a corresponding packet modifying entity. In an embodiment, if a match is made between the domain name and the domain whitelist or the domain blacklist of a packet modifying entity, the resolved IP address or IP addresses of the domain name is/are added into the corresponding IP whitelist or IP blacklist of that packet modifying entity,” ¶ [0077]). It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to incorporate an IP address whitelist, as taught by McGleenon, into Hernacki-Shelest-Fujimoto-Bach, to steer more traffic for optimization.

Claims 2 and 7 are rejected under 35 U.S.C. 103 as being unpatentable over Hernacki-Shelest-Fujimoto-Bach-McGleenon as applied to claims 1 and 6 above, and further in view of U.S. Pub. No. 2019/0158497 (“Diaz”).

Regarding claims 2 and 7, Hernacki-Shelest-Fujimoto-Bach-McGleenon teaches the invention of claims 1 and 6, but fails to teach that the agent DNS cache contains a superset of the information contained in an OS DNS cache maintained by an operating system (OS) on which the application process runs. Diaz teaches an agent DNS cache containing a superset of the information contained in an OS DNS cache maintained by an operating system (OS) on which the application process runs (“an untrusted container operating system may be allowed to use the DNS cache on the host as an underlying cache, but then adds its own unique data to a local DNS cache for the container operating system,” ¶ [0053]). It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to incorporate a read-only DNS cache, as taught by Diaz, into Hernacki-Shelest-Fujimoto-Bach-McGleenon, to prevent an untrusted container operating system from making changes to the host DNS cache.

Claims 4 and 9 are rejected under 35 U.S.C. 103 as being unpatentable over Hernacki-Shelest-Fujimoto-Bach-McGleenon as applied to claims 1 and 6 above, and further in view of U.S. Pub. No. 2013/0124738 (“Lynch”).

Regarding claims 4 and 9, Hernacki-Shelest-Fujimoto-Bach-McGleenon teaches the invention of claims 1 and 6, but fails to teach deleting the PIID from the agent DNS cache in response to termination of the application process. Lynch teaches deleting a PIID from a DNS cache in response to termination of the application process (“a Process ID may be included, which is a flag that is set if the entry should be deleted from the table when the corresponding process is ended. Alternately, the process may omit this item and be preprogrammed to delete all entries when their corresponding processes are ended,” ¶ [0100]; “a binding table containing interface-binding entries that associate domain names, IP addresses, and/or URLs with interface types. It also relies on DNS (Domain Name Server) exchanges to associate flows with domain names,” ¶ [0106]; also ¶ [0099]). It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to incorporate a process-id-dependent deletion process, as taught by Lynch, into Hernacki-Shelest-Fujimoto-Bach-McGleenon, to remove stale entries and keep the size of the table manageable over time.
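For the reader following the claim elements analyzed above (extracting DNS data from a reply, caching the domain-to-IP mapping with its TTL in an agent cache, mapping a process-instance identifier into that entry, attesting against a domain-name whitelist, populating an IP whitelist from observed DNS responses, and deleting the PIID on process termination), the following is an added illustrative example written for this page. It is not code from the application under examination or from any of the cited references (Hernacki, Shelest, Fujimoto, Bach, McGleenon, Diaz, Lynch). The wire-format DNS reply, the domain whitelist keyed by executable path, the numeric PIID, and the injectable clock are all assumptions made here for the sake of a self-contained demonstration.

```python
"""Agent-side, DNS-backed network-connection attestation (illustrative example)."""
import struct
import time
from dataclasses import dataclass, field


# --- DNS wire format: build a constructed reply and parse A records out of it ---

def _encode_name(name):
    # Standard label encoding: <len><label>...<0>
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_dns_reply(domain, ip, ttl, txid=0x1234):
    """Constructed sample reply (assumption, not captured traffic): one question,
    one A answer whose owner name is a compression pointer to the question (0xc00c)."""
    header = struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD/RA set, 1 Q, 1 AN
    question = _encode_name(domain) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
    answer += bytes(int(o) for o in ip.split("."))
    return header + question + answer


def _read_name(msg, off):
    """Decode a possibly-compressed name; return (name, offset after the name)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_dns_reply(msg):
    """Extract (domain, ip, ttl) for every A/IN record in the answer section."""
    _, flags, qd, an, _, _ = struct.unpack_from("!6H", msg, 0)
    if not flags & 0x8000:
        raise ValueError("not a DNS response")
    off = 12
    for _ in range(qd):               # skip the question section
        _, off = _read_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            records.append((name.lower(), ".".join(str(b) for b in rdata), ttl))
    return records


# --- Agent DNS cache and attestation ---

@dataclass
class CacheEntry:
    domain: str
    ip: str
    expires_at: float               # TTL mapped into the entry as an absolute deadline
    piids: set = field(default_factory=set)   # process instances mapped to this entry


class AttestationAgent:
    def __init__(self, domain_whitelist, now=time.monotonic):
        # domain_whitelist: {domain: {process identity, ...}}, e.g. as pushed by a manager.
        # Process identity is modelled here as an executable path (assumption).
        self.domain_whitelist = {d.lower(): set(p) for d, p in domain_whitelist.items()}
        self.ip_whitelist = set()   # populated by watching DNS replies against the domain whitelist
        self.cache = {}             # ip -> CacheEntry
        self.now = now

    def observe_dns_reply(self, msg):
        for domain, ip, ttl in parse_dns_reply(msg):
            self.cache[ip] = CacheEntry(domain, ip, self.now() + ttl)
            if domain in self.domain_whitelist:
                self.ip_whitelist.add(ip)

    def _lookup(self, ip):
        entry = self.cache.get(ip)
        if entry is not None and self.now() >= entry.expires_at:
            del self.cache[ip]                  # TTL expired: mapping no longer guaranteed valid
            self.ip_whitelist.discard(ip)
            entry = None
        return entry

    def attest_connection(self, piid, process_identity, ip):
        """Return (allowed, reason). The domain, not the IP, is what gets attested."""
        entry = self._lookup(ip)
        if entry is None:
            return False, "no unexpired DNS mapping for IP"
        entry.piids.add(piid)                   # map the PIID into the DNS entry
        allowed = process_identity in self.domain_whitelist.get(entry.domain, ())
        return allowed, entry.domain

    def on_process_exit(self, piid):
        for entry in self.cache.values():       # drop the PIID when the process terminates
            entry.piids.discard(piid)
```

The connection is attested by domain name, so an IP reached without a preceding (and still-live) DNS resolution is refused even if it happens to be one a whitelisted domain resolved to earlier; conversely, an attacker who controls a whitelisted domain's DNS answer can steer the IP whitelist, which is why the domain whitelist itself should come from a trusted, administrator-managed source rather than from observed traffic.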

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JULIAN CHANG whose telephone number is (571)272-8631.  The examiner can normally be reached on Monday-Friday 9AM-5PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


JULIAN CHANG
Examiner
Art Unit 2455



/Julian Chang/Examiner, Art Unit 2455

/EMMANUEL L MOISE/Supervisory Patent Examiner, Art Unit 2455