DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Specification
The disclosure is objected to because of the following informalities:
In paragraph 0027, lines 5-6, “the apparatus 100 analyze the target domain name” should read “the apparatus 100 analyzes the target domain name”.
In paragraph 0027, line 11, the acronym “DNS” is used without being defined.
In paragraph 0031, line 8, the meaning of “COMCOST” is not clear.
In paragraph 0031, line 9, the trademark RAPID7® is used without being cited as a registered trademark.
In paragraph 0043, line 8, “an example of receiver operating characteristic (ROC) curve” should read “an example of a receiver operating characteristic (ROC) curve”.
Appropriate correction is required.
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1 – 2, 6 – 8, 11, and 17 are rejected under 35 U.S.C. 102(a)(1) and 102(a)(2) as being anticipated by Highnam et al. (US Patent No. 10,496,924), hereinafter Highnam.
Regarding claim 1, Highnam discloses an apparatus comprising:
a processor (Column 2, lines 54-56, "The system may comprise a memory storing instructions and one or more processors.");
and a non-transitory machine-readable storage medium (Column 2, lines 54-56, "The system may comprise a memory storing instructions and one or more processors.") on which is stored instructions that when executed by the processor, cause the processor to:
access a plurality of known domain names (Column 2, lines 56-59, "The one or more processors may be configured to execute the stored instructions to receive a plurality of training domain names, each comprising a corresponding sequence of characters.");
determine a character embedding based on the plurality of known domain names, the character embedding mapping each character of a known domain name to a respective vector (Column 3, lines 35-38, "Each dense embedding vector may correspond to one of the training domain names and be based on a sequence of characters corresponding to the training domain name."; Column 7, lines 41-46, "In some embodiments, at step 404, consistent with the below discussion with respect to FIG. 5, for each character in the standardized domain name, the embedding layer transforms an unencoded character into a numeric value.  In some embodiments, the embedding layer further transforms the numeric value into a one-hot encoding vector");
input the character embedding to a deep learning layer of a neural network (Column 7, lines 20-23, "At step 404, input data are embedded by an embedding model layer. That is, at step 404, embed data are generated that encode strings of characters in a domain name as a sequence of vectors."; Column 7, lines 57-59, "Referring to FIG. 4, at step 406, embed data created at step 404 may be provided to an LSTM network. An LSTM network is a gated recurrent neural network.");
access a target domain name to be classified (Column 3, lines 23-26, " In some embodiments, the method comprises receiving a suspect domain name and providing a dictionary domain generation algorithm score based on the plurality of MLP node outputs and the suspect domain name.");
and classify the target domain name based on an output of the deep learning layer (Column 4, lines 43-55, "In particular, disclosed systems and methods comprise an unconventional deep learning model for real time malware detection by providing a dictionary DGA score suspect domain names. Deep learning models use networks to learn relationships among features to classify data points. Deep learning models are highly flexible, do not require manually selected features, and may generate predictions in real time. In the embodiments, the deep learning model may comprise the combination of a Long Short-Term Memory (LSTM) network, a Convolutional Neural Network (CNN) model, and an multilayer perceptron (basic neural network) model to score suspect domain names in real time.").
Regarding claim 2, Highnam discloses the apparatus as claimed in claim 1, wherein to determine the character embedding, the processor is further caused to: for each character of the known domain name, identify N continuous characters that neighbor the character in the known domain name, wherein N represents a number of continuous characters (Column 8, lines 37-41, "Domain names may be represented as a one-dimensional grid of characters and embedded as multi-dimensional vectors, with one vector per character. CNNs involve sliding multiple convolutional filter over vector sequences to find patterns in characters and extract features."; Column 8, lines 54-57, "In some embodiments, step 408 may comprise creating a plurality of convolution filters, each convolution filter having a sliding window of a different fixed character length.").
Regarding claim 6, Highnam discloses the apparatus as claimed in claim 1, wherein the deep learning layer comprises a Long Short-Term Memory (LSTM) layer (Column 7, lines 57-59, "Referring to FIG. 4, at step 406, embed data created at step 404 may be provided to an LSTM network. An LSTM network is a gated recurrent neural network.").
Regarding claim 7, Highnam discloses the apparatus as claimed in claim 1, wherein the processor is further caused to: provide the output of the deep learning layer to a classifier layer that classifies the target domain name (Column 8, lines 37-44, "Domain names may be represented as a one-dimensional grid of characters and embedded as multi-dimensional vectors, with one vector per character. CNNs involve sliding multiple convolutional filter over vector sequences to find patterns in characters and extract features. The results of each filter are pooled and fed into fully connected layers to give an estimate or score indicating the likelihood that a given domain name was produced using a DGA.").
Regarding claim 8, Highnam discloses the apparatus as claimed in claim 7, wherein to classify the target domain name, the processor is further caused to: determine, based on an output of the classifier layer, whether or not the target domain name is associated with a malicious class of domain names (Column 5, lines 1-5, "As shown in FIG. 1, the legitimate domains names are not malware-generated domain names, while the malicious domain names are associated with families of dictionary DGA domain names."; Column 7, line 65 - Column 8, line 3, "An LSTM network may be trained to identify DGAs by providing a training dataset comprising known legitimate and known malicious or illegitimate sites. LSTMs may provide an estimate or score indicating the likelihood that a given domain name was produced using a DGA.").
Regarding claim 11, Highnam discloses the apparatus as claimed in claim 1, wherein the deep learning layer is trained without manual feature generation (Column 4, lines 41-50, "The disclosed embodiments are directed to systems and methods for detecting dictionary domain generation algorithm (DGA) domain names. In particular, disclosed systems and methods comprise an unconventional deep learning model for real time malware detection by providing a dictionary DGA score suspect domain names. Deep learning models use networks to learn relationships among features to classify data points. Deep learning models are highly flexible, do not require manually selected features, and may generate predictions in real time.").
Regarding claim 17, Highnam discloses:
a non-transitory machine-readable storage medium on which is stored machine-readable instructions that when executed by a processor (Column 2, lines 54-56, "The system may comprise a memory storing instructions and one or more processors."), cause the processor to:
access a plurality of known domain names (Column 2, lines 56-59, "The one or more processors may be configured to execute the stored instructions to receive a plurality of training domain names, each comprising a corresponding sequence of characters.");
determine a character embedding based on the plurality of known domain names, the character embedding mapping each character of a known domain name to a respective vector (Column 3, lines 35-38, "Each dense embedding vector may correspond to one of the training domain names and be based on a sequence of characters corresponding to the training domain name."; Column 7, lines 41-46, "In some embodiments, at step 404, consistent with the below discussion with respect to FIG. 5, for each character in the standardized domain name, the embedding layer transforms an unencoded character into a numeric value.  In some embodiments, the embedding layer further transforms the numeric value into a one-hot encoding vector");
input the character embedding to a deep learning layer of a neural network (Column 7, lines 20-23, "At step 404, input data are embedded by an embedding model layer. That is, at step 404, embed data are generated that encode strings of characters in a domain name as a sequence of vectors."; Column 7, lines 57-59, "Referring to FIG. 4, at step 406, embed data created at step 404 may be provided to an LSTM network. An LSTM network is a gated recurrent neural network.");
access a target domain name to be classified (Column 3, lines 23-26, " In some embodiments, the method comprises receiving a suspect domain name and providing a dictionary domain generation algorithm score based on the plurality of MLP node outputs and the suspect domain name.");
and provide an output of the deep learning layer to a classifier layer that classifies the target domain name based on the output (Column 4, lines 43-55, "In particular, disclosed systems and methods comprise an unconventional deep learning model for real time malware detection by providing a dictionary DGA score suspect domain names. Deep learning models use networks to learn relationships among features to classify data points. Deep learning models are highly flexible, do not require manually selected features, and may generate predictions in real time. In the embodiments, the deep learning model may comprise the combination of a Long Short-Term Memory (LSTM) network, a Convolutional Neural Network (CNN) model, and an multilayer perceptron (basic neural network) model to score suspect domain names in real time.").
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 3 – 5 are rejected under 35 U.S.C. 103 as being unpatentable over Highnam in view of Agranonik et al. (US Patent No. 10,521,587), hereinafter Agranonik.
Regarding claim 3, Highnam discloses the apparatus as claimed in claim 2, but does not specifically disclose: wherein the processor is further caused to: determine similarities among the N continuous characters with other continuous characters in the plurality of known domain names that neighbor other characters in the plurality of known domain names.
Agranonik teaches:
wherein the processor is further caused to: determine similarities among the N continuous characters with other continuous characters in the plurality of known domain names that neighbor other characters in the plurality of known domain names (Column 9, lines 37-46, "In the CLDNN architecture 400, the embedding provided by embedding layer 403 may be considered similar to an n-gram analysis, with characters of the input file 401 as tokens. In the case of an LSTM, however, the “n” value (e.g., then for n-grams) is not static but changes by how much the LSTM is required to remember according to the training set and training procedure of the network. Advantageously, this allows the CLDNN architecture 400 to decide upon training the length of optimal sequences of characters to distinguish between obfuscated and non-obfuscated code."; Column 10, lines 51-61, "The bi-directional LSTM layer 413 provides for sequence identification. The use of bi-directional LSTM cells 415 in the bi-directional LSTM layer 413 is possible since the CLDNN architecture 400 operates in batch mode on a sequence of predefined characters (e.g., a portion of the code in the input file 401). The bi-directional LSTM layer 413 looks at each character, and sees preceding and successive characters to put it into context. If the character in question looks out of place, like it would in an obfuscated file, the probability distribution of the output changes towards an obfuscation classification.").
Agranonik teaches using a trained neural network to determine similarities between continuous characters preceding and following a character in the domain name being evaluated and continuous characters preceding and following a character in the domain names of the training set in order to identify malicious domain names (Column 3, lines 11-17, "Based on an output of the machine learning threat model meeting a predefined criterion, the process can include identifying an artifact (e.g., a data file or a website) associated with the URL as malicious. Further, based on identifying the artifact as a malicious artifact, the process can also include performing a remedial action on the artifact (for example, quarantine the artifact).").
Highnam and Agranonik are considered to be analogous to the claimed invention because they are in the same field of domain name evaluation systems.  Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Highnam to incorporate the teachings of Agranonik to use a trained neural network to determine similarities between continuous characters preceding and following a character in the domain name being evaluated and continuous characters preceding and following a character in the domain names of the training set.  Doing so would allow for identifying malicious domain names.
Regarding claim 4, Highnam in view of Agranonik discloses the apparatus as claimed in claim 3.
Agranonik further teaches:
wherein to determine the similarities, the processor is further caused to: for each character, determine similarities among the N continuous characters that precede the character and the other continuous characters that precede the other characters (Column 9, lines 37-46, "In the CLDNN architecture 400, the embedding provided by embedding layer 403 may be considered similar to an n-gram analysis, with characters of the input file 401 as tokens. In the case of an LSTM, however, the “n” value (e.g., then for n-grams) is not static but changes by how much the LSTM is required to remember according to the training set and training procedure of the network. Advantageously, this allows the CLDNN architecture 400 to decide upon training the length of optimal sequences of characters to distinguish between obfuscated and non-obfuscated code."; Column 10, lines 51-61, "The bi-directional LSTM layer 413 provides for sequence identification. The use of bi-directional LSTM cells 415 in the bi-directional LSTM layer 413 is possible since the CLDNN architecture 400 operates in batch mode on a sequence of predefined characters (e.g., a portion of the code in the input file 401). The bi-directional LSTM layer 413 looks at each character, and sees preceding and successive characters to put it into context. If the character in question looks out of place, like it would in an obfuscated file, the probability distribution of the output changes towards an obfuscation classification.").
Agranonik teaches using a trained neural network to determine similarities between continuous characters preceding a character in the domain name being evaluated and continuous characters preceding a character in the domain names of the training set in order to identify malicious domain names (Column 3, lines 11-17, "Based on an output of the machine learning threat model meeting a predefined criterion, the process can include identifying an artifact (e.g., a data file or a website) associated with the URL as malicious. Further, based on identifying the artifact as a malicious artifact, the process can also include performing a remedial action on the artifact (for example, quarantine the artifact).").
Highnam and Agranonik are considered to be analogous to the claimed invention because they are in the same field of domain name evaluation systems.  Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Highnam in view of Agranonik to further incorporate the teachings of Agranonik to use a trained neural network to determine similarities between continuous characters preceding a character in the domain name being evaluated and continuous characters preceding a character in the domain names of the training set.  Doing so would allow for identifying malicious domain names.
Regarding claim 5, Highnam in view of Agranonik discloses the apparatus as claimed in claim 3.
Agranonik further teaches:
wherein to determine the similarities, the processor is further caused to: for each character, determine similarities among the N continuous characters that follow the character and the other continuous characters that follow the other characters (Column 9, lines 37-46, "In the CLDNN architecture 400, the embedding provided by embedding layer 403 may be considered similar to an n-gram analysis, with characters of the input file 401 as tokens. In the case of an LSTM, however, the “n” value (e.g., then for n-grams) is not static but changes by how much the LSTM is required to remember according to the training set and training procedure of the network. Advantageously, this allows the CLDNN architecture 400 to decide upon training the length of optimal sequences of characters to distinguish between obfuscated and non-obfuscated code."; Column 10, lines 51-61, "The bi-directional LSTM layer 413 provides for sequence identification. The use of bi-directional LSTM cells 415 in the bi-directional LSTM layer 413 is possible since the CLDNN architecture 400 operates in batch mode on a sequence of predefined characters (e.g., a portion of the code in the input file 401). The bi-directional LSTM layer 413 looks at each character, and sees preceding and successive characters to put it into context. If the character in question looks out of place, like it would in an obfuscated file, the probability distribution of the output changes towards an obfuscation classification.").
Agranonik teaches using a trained neural network to determine similarities between continuous characters following a character in the domain name being evaluated and continuous characters following a character in the domain names of the training set in order to identify malicious domain names (Column 3, lines 11-17, "Based on an output of the machine learning threat model meeting a predefined criterion, the process can include identifying an artifact (e.g., a data file or a website) associated with the URL as malicious. Further, based on identifying the artifact as a malicious artifact, the process can also include performing a remedial action on the artifact (for example, quarantine the artifact).").
Highnam and Agranonik are considered to be analogous to the claimed invention because they are in the same field of domain name evaluation systems.  Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Highnam in view of Agranonik to further incorporate the teachings of Agranonik to use a trained neural network to determine similarities between continuous characters following a character in the domain name being evaluated and continuous characters following a character in the domain names of the training set.  Doing so would allow for identifying malicious domain names.
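The neighbouring-character step discussed for claims 2 through 5 (identify the N continuous characters that precede and follow each character of a known domain name, then compare those neighbourhoods across the plurality of known domain names) can be illustrated in code. The following is an added example written for this page; it is not code from the application under examination, from Highnam, or from Agranonik. It assumes a constructed list of known domain names and a fixed N, and it stands in for the similarity step with count-based context vectors and a cosine similarity. The dense character embedding learned by a neural network, as claimed, is not implemented here.

```python
"""Neighbouring-character context and similarity over known domain names.

Added example for this page, not code from the application, Highnam, or
Agranonik. For each character of a known domain name it identifies the N
continuous characters that precede and follow it (claims 2, 4 and 5), then
compares those neighbourhoods across the corpus with a cosine similarity over
count-based context vectors (a stand-in for the similarity step of claim 3).
The dense embedding learned by a neural network in the claims is not
implemented here.
"""
from collections import Counter, defaultdict
from math import sqrt

# Constructed sample corpus (an assumption, not data from the page): a few
# registered names and a few names that look algorithmically generated.
KNOWN_DOMAINS = [
    "example.com",
    "wikipedia.org",
    "github.com",
    "stackoverflow.com",
    "xkq7zp2vd.net",
    "qwjxzvbp.biz",
]

PAD = "^"  # boundary marker so edge characters still have N neighbours


def neighbours(domain, idx, n):
    """Return (preceding, following): the n characters before and after domain[idx]."""
    padded = PAD * n + domain + PAD * n
    i = idx + n
    return padded[i - n:i], padded[i + 1:i + 1 + n]


def context_features(domain, idx, n):
    """Features for one character position: (offset, neighbour) pairs, offsets -n..-1 and 1..n."""
    before, after = neighbours(domain, idx, n)
    feats = Counter()
    for off, nb in enumerate(reversed(before), start=1):
        feats[(-off, nb)] += 1
    for off, nb in enumerate(after, start=1):
        feats[(off, nb)] += 1
    return feats


def build_context_vectors(domains, n):
    """Aggregate, per character, the neighbourhoods observed across all known domains."""
    vectors = defaultdict(Counter)
    for d in domains:
        for i, ch in enumerate(d):
            vectors[ch].update(context_features(d, i, n))
    return vectors


def cosine(a, b):
    """Cosine similarity of two sparse count vectors (Counters); 0.0 if either is empty."""
    dot = sum(v * b[k] for k, v in a.items() if k in b)
    na = sqrt(sum(v * v for v in a.values()))
    nb = sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def most_similar(vectors, ch, k=3):
    """Characters whose corpus neighbourhoods most resemble those of ch."""
    ranked = sorted(
        ((cosine(vectors[ch], vec), other) for other, vec in vectors.items() if other != ch),
        reverse=True,
    )
    return [(other, round(score, 3)) for score, other in ranked[:k]]


def context_score(target, vectors, n):
    """Mean similarity between each target character's neighbourhood and the
    neighbourhoods seen for that character in the known domains. Characters never
    seen in the corpus contribute 0. A familiarity score only, not the claimed
    classifier output."""
    if not target:
        return 0.0
    total = 0.0
    for i, ch in enumerate(target):
        if ch in vectors:
            total += cosine(context_features(target, i, n), vectors[ch])
    return total / len(target)


if __name__ == "__main__":
    N = 2
    V = build_context_vectors(KNOWN_DOMAINS, N)
    print("neighbours of 'm' in example.com:", neighbours("example.com", 3, N))
    print("most similar to 'o':", most_similar(V, "o"))
    for t in ("google.com", "zxq8vkp3.net"):
        print(t, round(context_score(t, V, N), 3))
```

With N fixed, `neighbours` returns exactly the preceding and following windows the claims describe, and `context_score` shows how a target name can be compared against the neighbourhoods accumulated from the known names; on a corpus this small the scores are only illustrative.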
Claims 12 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Highnam in view of Zhou et al. ("CNN-based DGA Detection with High Coverage"), hereinafter Zhou.
Regarding claim 12, Highnam discloses a method, comprising:
learning, by a processor, a character embedding from a plurality of known domain names (Column 3, lines 35-38, "Each dense embedding vector may correspond to one of the training domain names and be based on a sequence of characters corresponding to the training domain name."; Column 7, lines 41-46, "In some embodiments, at step 404, consistent with the below discussion with respect to FIG. 5, for each character in the standardized domain name, the embedding layer transforms an unencoded character into a numeric value.  In some embodiments, the embedding layer further transforms the numeric value into a one-hot encoding vector");
providing, by the processor, the character embedding as an input to a Long Short-Term Memory (LSTM) layer (Column 7, lines 20-23, "At step 404, input data are embedded by an embedding model layer. That is, at step 404, embed data are generated that encode strings of characters in a domain name as a sequence of vectors."; Column 7, lines 57-59, "Referring to FIG. 4, at step 406, embed data created at step 404 may be provided to an LSTM network. An LSTM network is a gated recurrent neural network.");
accessing, by the processor, a target domain name to be classified (Column 3, lines 23-26, " In some embodiments, the method comprises receiving a suspect domain name and providing a dictionary domain generation algorithm score based on the plurality of MLP node outputs and the suspect domain name.").
Highnam does not specifically disclose: classifying, by the processor, the target domain name via a fully connected softmax layer.
Zhou teaches:
classifying, by the processor, the target domain name via a fully connected softmax layer (Section III, lines 16-20, "The overall network architecture is illustrated in Fig. 1. Our model consists of a embedding layer, six stacked residual blocks and a full-connected layer. In binary classification, the activation function in last layer is sigmoid, while in multi-class classification, the activation function is softmax.").
Zhou teaches classifying domain names using a full-connected softmax layer in order to detect domain names generated using different types of domain generation algorithms and classify the domain names into two or more categories (Abstract, lines 14-23, "We first convey a domain name into a sequence of word-level or character-level components, then design a deep neural network based on temporal convolutional network to extract the implicit pattern and classify the domain into two or more categories. Our experimental results demonstrate that our model outperforms state-of-the-art approaches in both binary classification and multi-class classification, and shows a good performance in detecting different kinds of DGAs. Besides, the high training efficiency of our model makes it adjust to new malicious domains quickly.").
Highnam and Zhou are considered to be analogous to the claimed invention because they are in the same field of domain name evaluation systems.  Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Highnam to incorporate the teachings of Zhou to classify domain names using a full-connected softmax layer.  Doing so would allow for detecting domain names generated using different types of domain generation algorithms and classifying the domain names into two or more categories.
Regarding claim 15, Highnam in view of Zhou discloses the method as claimed in claim 12.
Zhou further teaches:
wherein classifying the target domain name comprises: providing an output of the LSTM to a softmax layer that classifies the target domain name into one or more of a plurality of classes (Section III, lines 16-20, "The overall network architecture is illustrated in Fig. 1. Our model consists of a embedding layer, six stacked residual blocks and a full-connected layer. In binary classification, the activation function in last layer is sigmoid, while in multi-class classification, the activation function is softmax.").
Zhou teaches classifying domain names into two or more classes using a softmax layer in order to detect domain names generated using different types of domain generation algorithms (Abstract, lines 14-23, "We first convey a domain name into a sequence of word-level or character-level components, then design a deep neural network based on temporal convolutional network to extract the implicit pattern and classify the domain into two or more categories. Our experimental results demonstrate that our model outperforms state-of-the-art approaches in both binary classification and multi-class classification, and shows a good performance in detecting different kinds of DGAs. Besides, the high training efficiency of our model makes it adjust to new malicious domains quickly.").
Highnam and Zhou are considered to be analogous to the claimed invention because they are in the same field of domain name evaluation systems.  Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Highnam in view of Zhou to further incorporate the teachings of Zhou to classify domain names into two or more classes using a softmax layer.  Doing so would allow for detecting domain names generated using different types of domain generation algorithms.
Claims 9 – 10, 16 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Highnam in view of Zhou and Haddadi et al. ("Malicious Automatically Generated Domain Name Detection Using Stateful-SBB"), hereinafter Haddadi.
Regarding claim 9, Highnam discloses the apparatus as claimed in claim 7, but does not specifically disclose: wherein the classifier layer comprises a softmax layer that determines a first probability that the target domain name is a malicious domain name, a second probability that the target domain name is a non-algorithmically-generated benign domain name, and a third probability that the target domain name is an algorithmically-generated benign domain name.
Zhou teaches:
wherein the classifier layer comprises a softmax layer that determines a first probability that the target domain name is a malicious domain name, a second probability that the target domain name is a non-algorithmically-generated benign domain name (Section III C, lines 3-13, "In this paper, we focus on two task of classification: (1) binary classification, i.e., determine whether the domain is generated by DGAs or not, (2) multi-class classification, i.e., determine which DGA family the domain belongs to. For binary classification, we use sigmoid activation function and output a real value p ∈ [0, 1], which indicates the possibility that the domain is malicious. While for multi-class classification, we use softmax activation function and output a vector [p1, p2, . . . , pn], where n is the number of classes and pi(i = 0, 1, . . . , n) indicates the possibility that the domain belong to class i.").
Zhou teaches using a softmax layer to classify domain names into classes by determining probabilities that a domain name belongs to different classes, with classes for benign domain names not generated with a domain generation algorithm and malicious domain names generated with a domain generation algorithm, in order to improve performance of domain name classifications (Abstract, lines 14-23, "We first convey a domain name into a sequence of word-level or character-level components, then design a deep neural network based on temporal convolutional network to extract the implicit pattern and classify the domain into two or more categories. Our experimental results demonstrate that our model outperforms state-of-the-art approaches in both binary classification and multi-class classification, and shows a good performance in detecting different kinds of DGAs. Besides, the high training efficiency of our model makes it adjust to new malicious domains quickly.").
Highnam and Zhou are considered to be analogous to the claimed invention because they are in the same field of domain name evaluation systems.  Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Highnam to incorporate the teachings of Zhou to use a softmax layer to classify domain names into classes by determining probabilities that a domain name belongs to different classes, with classes for benign domain names not generated with a domain generation algorithm and malicious domain names generated with a domain generation algorithm.  Doing so would allow for improving performance of domain name classifications.
Highnam in view of Zhou does not specifically disclose: a third probability that the target domain name is an algorithmically-generated benign domain name.
Haddadi teaches:
a third probability that the target domain name is an algorithmically-generated benign domain name (Section 3, lines 11-16, "Indeed, one challenge is that automatically generated domain names are also used for legitimate background communications such as software updates and load balancing. Moreover, various well-known websites such as Google and Facebook also use this type of domains. Therefore, the first step to detect the botnet malicious domains is to differentiate legitimate automatically generated domain names from malicious ones.").
Haddadi teaches identifying legitimate automatically generated domain names in order to classify domain names with a high accuracy (Abstract, lines 1-6, "This work investigates the detection of Botnet Command and Control (C&C) activity by monitoring Domain Name System (DNS) traffic. Detection signatures are automatically generated using evolutionary computation technique based on Stateful-SBB. The evaluation performed shows that the proposed system can work on raw variable length domain name strings with very high accuracy.").
Highnam, Zhou, and Haddadi are considered to be analogous to the claimed invention because they are in the same field of domain name evaluation systems.  Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Highnam in view of Zhou to incorporate the teachings of Haddadi to identify legitimate automatically generated domain names.  Doing so would allow for classifying domain names with a high accuracy.
Regarding claim 10, Highnam in view of Zhou and Haddadi discloses the apparatus as claimed in claim 9.
Zhou further teaches:
wherein to access the plurality of known domain names, the processor is caused to: access a first plurality of malicious domain names (Section IV A, lines 1-5, "The data for experiments contains benign domains and malicious domains. We collect them from two source: (1) For benign domains, we download Alexa top 1 million domains. (2) For malicious domains, we download the full data until the end of 2017 from DGArchive.");
access a second plurality of non-algorithmically-generated benign domain names (Section IV A, lines 1-5, "The data for experiments contains benign domains and malicious domains. We collect them from two source: (1) For benign domains, we download Alexa top 1 million domains. (2) For malicious domains, we download the full data until the end of 2017 from DGArchive.").
Zhou teaches accessing training data containing malicious domain names generated with a domain generation algorithm and benign domain names not generated with a domain generation algorithm in order to improve performance of domain name classifications (Abstract, lines 14-23, "We first convey a domain name into a sequence of word-level or character-level components, then design a deep neural network based on temporal convolutional network to extract the implicit pattern and classify the domain into two or more categories. Our experimental results demonstrate that our model outperforms state-of-the-art approaches in both binary classification and multi-class classification, and shows a good performance in detecting different kinds of DGAs. Besides, the high training efficiency of our model makes it adjust to new malicious domains quickly.").
Highnam, Zhou, and Haddadi are considered to be analogous to the claimed invention because they are in the same field of domain name evaluation systems.  Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Highnam in view of Zhou and Haddadi to further incorporate the teachings of Zhou to access training data containing malicious domain names generated with a domain generation algorithm and benign domain names not generated with a domain generation algorithm.  Doing so would allow for improving performance of domain name classifications.
Haddadi further teaches:
and access a third plurality of algorithmically-generated benign domain names (Section III, lines 11-14, "Indeed, one challenge is that automatically generated domain names are also used for legitimate background communications such as software updates and load balancing. Moreover, various well-known websites such as Google and Facebook also use this type of domains."; Section 4, lines 1-5, "In this work, the data set employed is collected from various resources including the publicly available botnet C&C domain lists such as Amada and ZeuS. Additionally, most frequently requested domains from the Alexa list are used as the legitimate domain names. These include known C&C activity as well as social network sites such as Facebook backend and antivirus upload.").
Haddadi teaches accessing training data containing benign domain names generated with a domain generation algorithm in order to classify domain names with a high accuracy (Abstract, lines 1-6, "This work investigates the detection of Botnet Command and Control (C&C) activity by monitoring Domain Name System (DNS) traffic. Detection signatures are automatically generated using evolutionary computation technique based on Stateful-SBB. The evaluation performed shows that the proposed system can work on raw variable length domain name strings with very high accuracy.").
Highnam, Zhou, and Haddadi are considered to be analogous to the claimed invention because they are in the same field of domain name evaluation systems.  Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Highnam in view of Zhou and Haddadi to further incorporate the teachings of Haddadi to access training data containing benign domain names generated with a domain generation algorithm.  Doing so would allow for classifying domain names with a high accuracy.
Regarding claim 16, Highnam in view of Zhou discloses the method as claimed in claim 15.
Zhou further teaches:
wherein the plurality of classes comprises a malicious domain name class, a non-algorithmically-generated benign domain name class (Section III C, lines 3-13, "In this paper, we focus on two task of classification: (1) binary classification, i.e., determine whether the domain is generated by DGAs or not, (2) multi-class classification, i.e., determine which DGA family the domain belongs to. For binary classification, we use sigmoid activation function and output a real value p ∈ [0, 1], which indicates the possibility that the domain is malicious. While for multi-class classification, we use softmax activation function and output a vector [p1, p2, . . . , pn], where n is the number of classes and pi(i = 0, 1, . . . , n) indicates the possibility that the domain belong to class i.").
Zhou teaches classifying domain names into classes with classes for benign domain names not generated with a domain generation algorithm and malicious domain names generated with a domain generation algorithm in order to improve performance of domain name classifications (Abstract, lines 14-23, "We first convey a domain name into a sequence of word-level or character-level components, then design a deep neural network based on temporal convolutional network to extract the implicit pattern and classify the domain into two or more categories. Our experimental results demonstrate that our model outperforms state-of-the-art approaches in both binary classification and multi-class classification, and shows a good performance in detecting different kinds of DGAs. Besides, the high training efficiency of our model makes it adjust to new malicious domains quickly.").
Highnam and Zhou are considered to be analogous to the claimed invention because they are in the same field of domain name evaluation systems.  Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Highnam in view of Zhou to further incorporate the teachings of Zhou to classify domain names into classes with classes for benign domain names not generated with a domain generation algorithm and malicious domain names generated with a domain generation algorithm.  Doing so would allow for improving performance of domain name classifications.
Highnam in view of Zhou does not specifically disclose: an algorithmically-generated benign domain name class.
Haddadi teaches:
an algorithmically-generated benign domain name class (Section 3, lines 11-16, "Indeed, one challenge is that automatically generated domain names are also used for legitimate background communications such as software updates and load balancing. Moreover, various well-known websites such as Google and Facebook also use this type of domains. Therefore, the first step to detect the botnet malicious domains is to differentiate legitimate automatically generated domain names from malicious ones.").
Haddadi teaches identifying legitimate automatically generated domain names in order to classify domain names with a high accuracy (Abstract, lines 1-6, "This work investigates the detection of Botnet Command and Control (C&C) activity by monitoring Domain Name System (DNS) traffic. Detection signatures are automatically generated using evolutionary computation technique based on Stateful-SBB. The evaluation performed shows that the proposed system can work on raw variable length domain name strings with very high accuracy.").
Highnam, Zhou, and Haddadi are considered to be analogous to the claimed invention because they are in the same field of domain name evaluation systems.  Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Highnam in view of Zhou to incorporate the teachings of Haddadi to identify legitimate automatically generated domain names.  Doing so would allow for classifying domain names with a high accuracy.
Regarding claim 20, Highnam discloses the non-transitory machine-readable storage medium as claimed in claim 17, but does not specifically disclose: wherein the classifier layer comprises a softmax layer, and wherein the machine-readable instructions further cause the processor to: classify, based on an output of the softmax layer, the target domain name into one or more of at least: a malicious domain name class, a non-algorithmically-generated benign domain name class, or an algorithmically-generated benign domain name class.
Zhou teaches:
wherein the classifier layer comprises a softmax layer, and wherein the machine-readable instructions further cause the processor to: classify, based on an output of the softmax layer, the target domain name into one or more of at least: a malicious domain name class, a non-algorithmically-generated benign domain name class (Section III C, lines 3-13, "In this paper, we focus on two task of classification: (1) binary classification, i.e., determine whether the domain is generated by DGAs or not, (2) multi-class classification, i.e., determine which DGA family the domain belongs to. For binary classification, we use sigmoid activation function and output a real value p ∈ [0, 1], which indicates the possibility that the domain is malicious. While for multi-class classification, we use softmax activation function and output a vector [p1, p2, . . . , pn], where n is the number of classes and pi(i = 0, 1, . . . , n) indicates the possibility that the domain belong to class i.").
Zhou teaches using a softmax layer to classify domain names into classes with classes for benign domain names not generated with a domain generation algorithm and malicious domain names generated with a domain generation algorithm, in order to improve performance of domain name classifications (Abstract, lines 14-23, "We first convey a domain name into a sequence of word-level or character-level components, then design a deep neural network based on temporal convolutional network to extract the implicit pattern and classify the domain into two or more categories. Our experimental results demonstrate that our model outperforms state-of-the-art approaches in both binary classification and multi-class classification, and shows a good performance in detecting different kinds of DGAs. Besides, the high training efficiency of our model makes it adjust to new malicious domains quickly.").
Highnam and Zhou are considered to be analogous to the claimed invention because they are in the same field of domain name evaluation systems.  Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Highnam to incorporate the teachings of Zhou to use a softmax layer to classify domain names into classes with classes for benign domain names not generated with a domain generation algorithm and malicious domain names generated with a domain generation algorithm.  Doing so would allow for improving performance of domain name classifications.
Highnam in view of Zhou does not specifically disclose: an algorithmically-generated benign domain name class.
Haddadi teaches:
an algorithmically-generated benign domain name class (Section 3, lines 11-16, "Indeed, one challenge is that automatically generated domain names are also used for legitimate background communications such as software updates and load balancing. Moreover, various well-known websites such as Google and Facebook also use this type of domains. Therefore, the first step to detect the botnet malicious domains is to differentiate legitimate automatically generated domain names from malicious ones.").
Haddadi teaches identifying legitimate automatically generated domain names in order to classify domain names with a high accuracy (Abstract, lines 1-6, "This work investigates the detection of Botnet Command and Control (C&C) activity by monitoring Domain Name System (DNS) traffic. Detection signatures are automatically generated using evolutionary computation technique based on Stateful-SBB. The evaluation performed shows that the proposed system can work on raw variable length domain name strings with very high accuracy.").
Highnam, Zhou, and Haddadi are considered to be analogous to the claimed invention because they are in the same field of domain name evaluation systems.  Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Highnam in view of Zhou to incorporate the teachings of Haddadi to identify legitimate automatically generated domain names.  Doing so would allow for classifying domain names with a high accuracy.
Claims 13 – 14 are rejected under 35 U.S.C. 103 as being unpatentable over Highnam in view of Zhou as applied to claim 12 above, and further in view of Yu et al. ("Character Level based Detection of DGA Domain Names"), hereinafter Yu.
Regarding claim 13, Highnam in view of Zhou discloses the method as claimed in claim 12, but does not specifically disclose: wherein learning the character embedding comprises determining the character embedding in a reverse direction.
Yu teaches:
wherein learning the character embedding comprises determining the character embedding in a reverse direction (Section III A, lines 21-23, "The role of the embedding layer is to learn to represent each character that can occur in a domain name by a 128-dimensional numerical vector."; Section III A, lines 36-40, "Bidirectional RNNs extend regular RNNs by processing the input string in two ways. In a forward layer, the input sequence is processed from the left to the right, as in a traditional RNN, while in a backward layer, the processing happens from the right to the left.").
Yu teaches processing the character embeddings in a reverse direction in order to classify domain names with improved accuracy (Section I, lines 36-49, "To answer this open question, in this paper we compare the performance of five different deep learning architectures for character based text classification (see Table I) for the problem of detecting DGAs. They all rely on character-level embeddings, and they all use a deep learning architecture based on convolutional neural network (CNN) layers, recurrent neural network (RNN) layers, or a combination of both. Our most important finding is that for DGA detection, which can be thought of as classification of short character strings, despite of vast differences in the deep network architectures, there is remarkably little difference among the methods in terms of accuracy and false positive rates, while they all comfortably outperform a random forest trained on human engineered features.").
Highnam, Zhou, and Yu are considered to be analogous to the claimed invention because they are in the same field of domain name evaluation systems.  Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Highnam in view of Zhou to incorporate the teachings of Yu to process the character embeddings in a reverse direction.  Doing so would allow for classifying domain names with improved accuracy.
Regarding claim 14, Highnam in view of Zhou discloses the method as claimed in claim 12, but does not specifically disclose: wherein learning the character embedding comprises determining the character embedding in a forward direction.
Yu teaches:
wherein learning the character embedding comprises determining the character embedding in a forward direction (Section III A, lines 21-23, "The role of the embedding layer is to learn to represent each character that can occur in a domain name by a 128-dimensional numerical vector."; Section III A, lines 36-40, "Bidirectional RNNs extend regular RNNs by processing the input string in two ways. In a forward layer, the input sequence is processed from the left to the right, as in a traditional RNN, while in a backward layer, the processing happens from the right to the left.").
Yu teaches processing the character embeddings in a forward direction in order to classify domain names with improved accuracy (Section I, lines 36-49, "To answer this open question, in this paper we compare the performance of five different deep learning architectures for character based text classification (see Table I) for the problem of detecting DGAs. They all rely on character-level embeddings, and they all use a deep learning architecture based on convolutional neural network (CNN) layers, recurrent neural network (RNN) layers, or a combination of both. Our most important finding is that for DGA detection, which can be thought of as classification of short character strings, despite of vast differences in the deep network architectures, there is remarkably little difference among the methods in terms of accuracy and false positive rates, while they all comfortably outperform a random forest trained on human engineered features.").
Highnam, Zhou, and Yu are considered to be analogous to the claimed invention because they are in the same field of domain name evaluation systems.  Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Highnam in view of Zhou to incorporate the teachings of Yu to process the character embeddings in a forward direction.  Doing so would allow for classifying domain names with improved accuracy.
Claims 18 – 19 are rejected under 35 U.S.C. 103 as being unpatentable over Highnam in view of Yu.
Regarding claim 18, Highnam discloses the non-transitory machine-readable storage medium as claimed in claim 17, but does not specifically disclose: wherein to determine the character embedding, the machine-readable instructions further cause the processor to: determine the character embedding in a reverse direction.
Yu teaches:
wherein to determine the character embedding, the machine-readable instructions further cause the processor to: determine the character embedding in a reverse direction (Section III A, lines 21-23, "The role of the embedding layer is to learn to represent each character that can occur in a domain name by a 128-dimensional numerical vector."; Section III A, lines 36-40, "Bidirectional RNNs extend regular RNNs by processing the input string in two ways. In a forward layer, the input sequence is processed from the left to the right, as in a traditional RNN, while in a backward layer, the processing happens from the right to the left.").
Yu teaches processing the character embeddings in a reverse direction in order to classify domain names with improved accuracy (Section I, lines 36-49, "To answer this open question, in this paper we compare the performance of five different deep learning architectures for character based text classification (see Table I) for the problem of detecting DGAs. They all rely on character-level embeddings, and they all use a deep learning architecture based on convolutional neural network (CNN) layers, recurrent neural network (RNN) layers, or a combination of both. Our most important finding is that for DGA detection, which can be thought of as classification of short character strings, despite of vast differences in the deep network architectures, there is remarkably little difference among the methods in terms of accuracy and false positive rates, while they all comfortably outperform a random forest trained on human engineered features.").
Highnam and Yu are considered to be analogous to the claimed invention because they are in the same field of domain name evaluation systems.  Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Highnam to incorporate the teachings of Yu to process the character embeddings in a reverse direction.  Doing so would allow for classifying domain names with improved accuracy.
Regarding claim 19, Highnam discloses the non-transitory machine-readable storage medium as claimed in claim 17, but does not specifically disclose: wherein to determine the character embedding, the machine-readable instructions further cause the processor to: determine the character embedding in a forward direction.
Yu teaches:
wherein to determine the character embedding, the machine-readable instructions further cause the processor to: determine the character embedding in a forward direction (Section III A, lines 21-23, "The role of the embedding layer is to learn to represent each character that can occur in a domain name by a 128-dimensional numerical vector."; Section III A, lines 36-40, "Bidirectional RNNs extend regular RNNs by processing the input string in two ways. In a forward layer, the input sequence is processed from the left to the right, as in a traditional RNN, while in a backward layer, the processing happens from the right to the left.").
Yu teaches processing the character embeddings in a forward direction in order to classify domain names with improved accuracy (Section I, lines 36-49, "To answer this open question, in this paper we compare the performance of five different deep learning architectures for character based text classification (see Table I) for the problem of detecting DGAs. They all rely on character-level embeddings, and they all use a deep learning architecture based on convolutional neural network (CNN) layers, recurrent neural network (RNN) layers, or a combination of both. Our most important finding is that for DGA detection, which can be thought of as classification of short character strings, despite of vast differences in the deep network architectures, there is remarkably little difference among the methods in terms of accuracy and false positive rates, while they all comfortably outperform a random forest trained on human engineered features.").
Highnam and Yu are considered to be analogous to the claimed invention because they are in the same field of domain name evaluation systems.  Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Highnam to incorporate the teachings of Yu to process the character embeddings in a forward direction.  Doing so would allow for classifying domain names with improved accuracy.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Saxe (US Patent No. 10,318,735) teaches a system and method that uses machine learning to determine if a string of characters represents malicious activity.
Woodbridge et al. (Woodbridge, Jonathan, Hyrum S. Anderson, Anjum Ahuja, and Daniel Grant, “Predicting Domain Generation Algorithms with Long Short-Term Memory Networks”, 2016, ArXiv abs/1611.00791.) teaches using a Long Short-Term Memory neural network to determine if domain names have been generated with a domain generation algorithm (DGA).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to James Boggs whose telephone number is (571)272-2968. The examiner can normally be reached M-F 8:00 AM - 5:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Daniel Washburn can be reached on (571)272-5551. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/JAMES BOGGS/Examiner, Art Unit 2657

/DANIEL C WASHBURN/Supervisory Patent Examiner, Art Unit 2657