Notice of Pre-AIA or AIA Status
Claims 1-20 remain for examination. The amendment filed 12/17/21 amended claims 1, 8, & 15. The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
Applicant's arguments filed 12/17/21 have been fully considered but they are not persuasive. Regarding independent claim 1, Applicant argues:
Manadhata fails to teach or suggest updating that alleged malicious domain and IP database, much less doing so on the basis of calculating a malicious score as recited in amended claim 1. To demonstrate, Manadhata at page 9 (Section 3.4 Result Computation) merely describes the use of K-fold cross validation to compute malicious domain detection performance using the techniques for computing beliefs described in Manadhata (see, e.g., Manadhata at Section 2.1 Belief Propagation for a description of the BP algorithm). Detecting or computing performance in terms of an identification of an unknown domain or host as likely being malicious or benign (relative to whether the unknown domain or host is actually malicious or benign), as fairly set forth in Manadhata, is not the same thing as incorporating that detection/computation into a malicious domain and malicious IP database, much less the same malicious domain and malicious IP database that was accessed to begin with. This distinction of detecting/computing performance versus updating a malicious domain and malicious IP database is made even clearer at Section 4.5 of Manadhata, where Manadhata describes that “Our results show that we can take advantage of the externally sourced blacklists and identify previously unknown malicious domains not present in the lists.” The fact that Manadhata refers to the blacklists as being “externally sourced” suggests that the systems/algorithms of Manadhata might not have access rights to update those blacklists. Stated differently, it is not inherent, implicit, or necessary to (the rest of the disclosure of) Manadhata that such an update is provided for in Manadhata. See, e.g., MPEP 2131 (providing that a claim is anticipated only if each and every element as set forth in the claim is found, either expressly or inherently described, in a single prior art reference) (emphasis added).

	Examiner disagrees, noting that although the original source of Manadhata’s blacklist of malicious domains may be obtained from an external site, the fact remains that Manadhata’s invention retains an internal copy of the blacklist as part of its process to construct its graph with which to identify malicious domains.  Furthermore, note that Manadhata’s technique is not intended to be one-and-done but rather the process is to be iteratively repeated, noting that their invention can identify new malicious domains as 
	Independent claims 8 & 15 are substantially similar to independent claim 1, and Applicant’s arguments are rebutted for substantially similar reasons as discussed supra. Likewise, dependent claims 2-7, 9-14, & 16-20 follow from independent claims 1, 8, & 15 and are consequently rejected as discussed supra.



Claim Rejections - 35 USC § 102
The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
Claims 1-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by “Detecting Malicious Domains via Graph Inference” (hereinafter, “Manadhata”).


Manadhata discloses a method, system, and non-transitory computer readable medium for discovering malicious domains and IP addresses (IPs) in a network having a set of domains and a set of IPs comprising: accessing a domain name system query database (page 3, “2 A Graph Inference Approach”, 1st paragraph: “We can construct the graph from multiple enterprise event log datasets, e.g. HTTP proxy logs and DNS request logs”; note that the existence of the DNS log directly implies that the system has accessed a domain name system query database which would consequently populate said DNS request log); building a domain and IP resolution graph for the set of domains based on the accessing of the domain name system query database (Ibid; see also all of page 4); accessing a malicious domain and malicious IP database (page 7, “3.2 BP Parameters”, including “We obtained blacklists of known malicious domains and IP addresses from a commercial blacklist…”); selecting a seed set of known malicious domains and known malicious IPs from the malicious domain and malicious IP database based on the accessing of the malicious domain and malicious IP database (Ibid); generating a graphical probabilistic propagation inference from the domain and IP resolution graph and the seed set of known malicious domains and known malicious IPs (pages 5-6, “2.1 Belief Propagation”); calculating a malicious score for each domain in the set of domains and each IP in the set of IPs based on the generating of the graphical probabilistic propagation inference (Ibid: note that Manadhata calculates at least two different probabilities for each node corresponding to a domain name or IP address, one for the probability that the node is malicious, and the other for the probability that it is benign; the former probability reads on the claimed score); and updating the malicious domain We also examine new malicious domains identified by our approach…”; and page 14, “4.6 Near Real Time Detection”). 
Further regarding claim 8, Manadhata further discloses the respective storage devices, processor, and memory (page 8, “3.3 Experimental Setup”, including “We implemented the BP algorithm in Java and ran our experiments on a 12-core 2.67GHz desktop with 96GB of RAM”).

Regarding claims 2, 9, and 16:	Manadhata further discloses wherein generating the graphical probabilistic propagation inference comprises generating a graphical inference from each domain in the set of domains and each IP in the set of IPs (page 9, “3.4 Result Computation”). 

Regarding claims 3, 10, and 17:	Manadhata further discloses creating a set of combined inferences by combining each graphical inference from each domain in the set of domains and each IP in the set of IPs (page 9, “3.4 Result Computation”). 

Regarding claims 4, 11, and 18:	Manadhata further discloses wherein computing the malicious score for each domain in the set of domains and each IP in the set of IPs comprises computing the malicious score from each combined inference in the set of combined inferences (Ibid). 



Regarding claims 6 and 13:	Manadhata further discloses wherein computing the malicious score for each domain in the set of domains and the malicious score for each IP in the set of IPs by layers comprises computing the malicious score for each domain in the set of domains and the malicious score for each IP in the set of IPs starting from a layer depth value d, where d is equal to zero (pages 6-7, “3.1 Data Set and Graph Generation”). 

Regarding claims 7 and 14:	Manadhata further discloses: incrementing d by one; computing the malicious score for each domain in the set of domains and each IP in the set of IPs in a layer depth where d is equal to d plus one to create a set of malicious scores; if d is less than a threshold value, repeating incrementing d by one and computing the malicious score for each domain in the set of domains and each IP in the set of IPs; and if d is equal to the threshold value, returning the set of malicious scores to the malicious domain and malicious IP database (pages 6-8, “3.1 Data Set and Graph Generation” and “3.2 BP Parameters”).


	The rejections of claims 6 & 7 apply mutatis mutandis to claim 20.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. “DNS Graph Mining for Malicious Domain Detection” (“Tran et al”)
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to THOMAS A GYORFI whose telephone number is (571)272-3849. The examiner can normally be reached 10:00am - 6:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on 571-272-3685. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

THOMAS A. GYORFI
Examiner
Art Unit 2435



/THOMAS A GYORFI/ Examiner, Art Unit 2435, 3/2/2022


/FATOUMATA TRAORE/Primary Examiner, Art Unit 2436