Notice of Pre-AIA or AIA Status
The present application is being examined under the pre-AIA first to invent provisions.

DETAILED ACTION

1.	This action is responsive to an original application filed on 27 May 2020.
2.	Claims 1-20 are currently pending and claims 1, 10 and 15 are independent claims. 

Information Disclosure Statement

3.	The information disclosure statement (IDS) submitted is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Priority

4.	Priority is claimed from parent application no. 13784720, filed on 4 March 2013.

Drawings

5.	The drawings filed on 27 May 2020 are accepted by the examiner. 


Claim Rejections - 35 USC § 102

6.	The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.


Claims 1-20 are rejected under 35 U.S.C. § 102(a)(2) as being anticipated by Xie Huagang (US Publication No. 20120303808), hereinafter Xie.

Regarding claim 1: 
receiving a domain name resolution request from a requesting process operating on a device (Xie, abstract).
determining that a domain name included in the domain name resolution request is indicative of malicious activity (Xie, ¶10).
and responding to the domain name resolution request with a network address of a monitored server to cause the requesting process to communicate with the monitored server instead of an adversary server (Xie, ¶15-16).
Regarding claim 2: 
wherein the receiving comprises receiving the domain name resolution request as a redirected domain name resolution request redirected from a domain name server (Xie, ¶9).
Regarding claim 3:
wherein the determining comprises determining at least one of: that the domain name is included in a list of known malicious or suspicious domains, that the domain name is unfamiliar, that the domain name is associated with a specific geographic location, or that the domain name is associated with a specific entity (Xie, ¶10).
Regarding claim 4: 
wherein the adversary server is an adversary command-and-control system or an adversary exfiltration system, and the monitored server poses as the adversary command-and-control system or the adversary exfiltration system during communications with the requesting process (Xie, ¶18).
Regarding claim 5:
wherein the monitored server decodes communications from the requesting process (Xie, ¶4).
Regarding claim 6: 
wherein the monitored server determines that the requesting process is utilizing a specific protocol to encode communications, and performs at least one of selecting a corresponding communications protocol for decoding the communications, or attempting to learn the specific protocol (Xie, ¶12).
Regarding claim 7:
further comprising sending an alert to at least one of a security agent executing on the device or a client entity associated with the device (Xie, ¶13).
Regarding claim 8: 
further comprising transitioning an attack associated with the requesting process from the device to a monitored device, wherein the monitored device poses as the device originally impacted by the attack (Xie, ¶1).
Regarding claim 9: 

Regarding claim 10:
A system comprising: one or more processors; 
memory storing computer-executable instructions that, when executed by the one or more processors, cause the system to perform operations comprising: receiving a domain name resolution request from a requesting process operating on a device (Xie, abstract, ¶7).
determining that a domain name included in the domain name resolution request is indicative of malicious activity (Xie, ¶10).
and responding to the domain name resolution request with a network address of a monitored server to cause the requesting process to communicate with the monitored server instead of an adversary server (Xie, ¶15-16).
Regarding claim 11: 
wherein the determining comprises determining at least one of: that the domain name is included in a list of known malicious or suspicious domains, that the domain name is unfamiliar, that the domain name is associated with a specific geographic location, or that the domain name is associated with a specific entity (Xie, ¶10).
Regarding claim 12:
wherein the operations further comprise sending an alert to at least one of a security agent executing on the device or a client entity associated with the device (Xie, ¶13).
Regarding claim 13:

Regarding claim 14: 
wherein the operations further comprise, in response to the determining, configuring the monitored server with one or more protocols utilized by the requesting process to enable the monitored server to pose as the adversary server during communications with the requesting process (Xie, ¶9).
Regarding claim 15:
a monitored server configured to pose as an adversary server (Xie, ¶12).
and a security system computing device configured to: receive a domain name resolution request from a requesting process operating on a device (Xie, abstract).
determine that a domain name included in the domain name resolution request is indicative of malicious activity (Xie, ¶10).
and respond to the domain name resolution request with a network address of the monitored server to cause the requesting process to communicate with the monitored server instead of the adversary server (Xie, ¶15-16).
Regarding claim 16: 
wherein the monitored server is configured to decode communications from the requesting process (Xie, ¶4).
Regarding claim 17: 
wherein the monitored server is configured to determine that the requesting process is utilizing a specific protocol to encode communications, and to perform at least one of selecting a corresponding communications protocol for decoding the communications, or attempting to learn the specific protocol (Xie, ¶14).
Regarding claim 18:

Regarding claim 19:
wherein the security system computing device is configured to transition an attack associated with the requesting process from the device to a monitored device of the security service system, wherein the monitored device poses as the device originally impacted by the attack (Xie, ¶1).
Regarding claim 20: 
wherein the security system computing device is configured to configure the monitored server with one or more protocols utilized by the requesting process to enable the monitored server to pose as the adversary server during communications with the requesting process (Xie, ¶9).
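The flow mapped against claims 1, 10 and 15 above (receive a resolution request from a process, decide whether the name is indicative of malicious activity, answer with the monitored server's address and alert) as a runnable Python sketch. This is an added example, not code from the application or from Xie; the domain lists, the sinkhole address and the process identifiers are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample data standing in for threat intelligence and local history.
KNOWN_BAD = {"bad-c2.example", "exfil.example"}   # list of known malicious domains
FAMILIAR = {"example.com", "example.org"}          # domains previously seen on this network
MONITORED_SERVER = "192.0.2.10"                    # documentation-range address for the sinkhole


@dataclass
class Alert:
    domain: str
    reason: str
    pid: int                                       # requesting process on the device


@dataclass
class SinkholeResolver:
    upstream: Dict[str, str]                       # simulated genuine answers
    alerts: List[Alert] = field(default_factory=list)

    @staticmethod
    def _suffixes(domain: str) -> List[str]:
        # "www.example.com" -> ["www.example.com", "example.com"]; the TLD alone is skipped
        labels = domain.lower().rstrip(".").split(".")
        return [".".join(labels[i:]) for i in range(len(labels) - 1)]

    def classify(self, domain: str) -> Optional[str]:
        """Return why the domain is indicative of malicious activity, or None if it is not."""
        suffixes = self._suffixes(domain)
        if any(s in KNOWN_BAD for s in suffixes):
            return "listed"
        if not any(s in FAMILIAR for s in suffixes):
            return "unfamiliar"                    # policy choice: never-seen names are treated as suspect
        return None

    def resolve(self, domain: str, pid: int) -> str:
        """Answer the request; suspicious names receive the monitored server's address."""
        reason = self.classify(domain)
        if reason is not None:
            self.alerts.append(Alert(domain, reason, pid))
            return MONITORED_SERVER                # the process now talks to the sinkhole, not the adversary
        return self.upstream[domain]


def demo() -> SinkholeResolver:
    r = SinkholeResolver(upstream={"www.example.com": "198.51.100.7"})
    r.resolve("www.example.com", 101)              # familiar: genuine answer, no alert
    r.resolve("beacon.bad-c2.example", 102)        # listed: sinkholed and alerted
    r.resolve("fresh-registration.test", 103)      # unfamiliar: sinkholed and alerted
    return r
```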

Conclusion

7.	The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure. Any inquiry concerning this communication or earlier communications from the examiner should be directed to Monjur Rahim whose telephone number is (571)270-3890.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on 571-272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.


/Monjur Rahim/
Patent Examiner
United States Patent and Trademark Office
Art Unit: 2436; Phone: 571.270.3890
E-mail: monjur.rahim@uspto.gov
Fax: 571.270.4890