DETAILED ACTION
This action is in response to communication(s) filed on 3/12/2020.
Claims 1-20 have been examined and are pending with this action.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-7, 9-16, and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Dymshits et al. (US 2019/0130100) in view of Baughman et al. (US 2018/0063162).

Regarding claim 1, Dymshits discloses a method comprising: 
computing, by a service, a plurality of features of a subdomain for which a Domain Name System (DNS) query was issued (see Dymshits; [0014]; the network traffic analyzer monitors outbound messages that are DNS queries. Each DNS query is parsed to identify the lowest level subdomain string within the query); 
aggregating, by the service, the plurality of computed features into a feature vector (see Dymshits; [0014]; the lowest level subdomain string is then divided into segments that include one or more characters from the lowest level subdomain string. Each of the segments from the lowest level subdomain string is compared to a probability model trained from legitimate lowest level subdomain strings to determine its likelihood of occurrence in a legitimate lowest level subdomain string and the probabilities are then combined to form a composite score for the lowest level subdomain string).
However, the prior art does not explicitly disclose the following:
using, by the service, the feature vector as input to a machine learning classifier, to determine whether the subdomain is a DNS tunneling domain name; and 
providing, by the service, an indication that the subdomain is a DNS tunneling domain name, when the machine learning classifier determines that the subdomain is a DNS tunneling domain name.
Baughman, in the same field of endeavor, discloses techniques for domain name service (DNS) tunneling prevention using a computing processor. In particular, Baughman teaches the following:
using, by the service, the feature vector as input to a machine learning classifier, to determine whether the subdomain is a DNS tunneling domain name (see Baughman; [0058]; the DNS tunneling detection operation may be performed on both sides of a DNS transaction, such as on the request side and the question side of the DNS message (e.g., DNS query and DNS answer). In one aspect, the DNS tunneling detection may include detection analytics and DNS tunneling deep learning. In one aspect, “deep learning model” may refer to classification models that may require longer training times in exchange for more accurate classifications. In some embodiments, deep learning neural network models may be considered a deep learning model. However, other machine learning and/or classification techniques may be employed to generate deep learning model); and 
providing, by the service, an indication that the subdomain is a DNS tunneling domain name, when the machine learning classifier determines that the subdomain is a DNS tunneling domain name (see Baughman; [0060]; the DNS tunneling may be detected for both outbound from infected host as well as inbound from Botnet C&C server. In one aspect, the DNS tunneling detection operation may operate on a request/question side. The DNS tunneling activity detection input feature may be extracted for each DNS session and inputted into the DNS tunneling detection heuristic and machine learning based models employed for detection and classification into one of three categories: 1) benign, 2) suspicious, and/or 3) malicious).
Therefore, it would have been obvious to a person of ordinary skill in the art at the time the invention was effectively filed to modify the prior art with the teaching of Baughman in order to incorporate techniques for domain name service (DNS) tunneling prevention. One would have been motivated because Baughman teaches that preventing DNS tunneling enhances network security.

Regarding claim 2, Dymshits-Baughman discloses the method as in claim 1, wherein the plurality of features includes at least one of: a hexadecimal character count for the subdomain, an alphabetic character count for the subdomain, a digit count for the subdomain, or a special character count for the subdomain (see Dymshits; [0040]; the DNS query is counted as being suspected of exfiltration. A running count of the number of DNS queries suspected of exfiltration is maintained by incrementing the count).

Regarding claim 3, Dymshits-Baughman discloses the method as in claim 1, wherein the plurality of features includes at least one of: a unigram entropy of the subdomain, a bigram entropy of the subdomain, or a mean ratio of the unigram entropy to the bigram entropy (see Dymshits; [0032]; the distance may be determined using a cross entropy, which indicates a similarity between the probability distribution of the segments in the respective subdomain and the distribution of segments in the legitimate subdomains).

Regarding claim 4, Dymshits-Baughman discloses the method as in claim 1, wherein the plurality of features includes at least one of: a digit run length of the subdomain or an alphabetic character run length of the subdomain (see Dymshits; [0021]; Detecting exfiltration using the lowest level subdomain of domain name strings is difficult because there is no standardized naming convention for subdomains other than to restrict their character or symbol set and number of characters/symbols).

Regarding claim 5, Dymshits-Baughman discloses the method as in claim 1, wherein aggregating the plurality of computed features into a feature vector comprises: 
bucketizing the features by comparing the computed features to ranges of values (see Dymshits; [0031]; each DNS query obtained during process 305 is parsed into segments. Due to the lack of patterns typically found in subdomain names, it is typically impractical to build a probabilistic (or other) model based on subdomains as a whole. During process 310, the subdomain string (e.g., for the lowest level subdomain) is extracted from each of the DNS queries, such as by extracting it from the label field corresponding to the subdomain. The subdomain string is then split into segments); and 
forming the feature vector as a histogram, based on the bucketized features (see Dymshits; [0031]; the probability of each segment occurring may be determined by generating a histogram using each of the segments determined during process 310 and assigning a probability to each segment by the number of times the segment occurs out of the total number of segments).

Regarding claim 6, Dymshits-Baughman discloses the method as in claim 1, wherein the plurality of features includes a character transition count for the subdomain (see Dymshits; [0031]; multiple probability distributions for segments of the same length may be determined based on the pattern by which the segment is extracted from the subdomain string. For example, a probability distribution for segments derived from adjacent pairs of symbols might be determined separately from a probability distribution for segments derived from pairs of symbols selected according to some other approach (e.g., first and last, second and next to last, etc.)).
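As an added illustration of the feature set recited in claims 2 through 6 (this is not code from the office action, nor from the Dymshits or Baughman references), the following computes, for the lowest-level label of a DNS query name, the character-class counts of claim 2, the unigram and bigram entropies and their ratio of claim 3, the digit and alphabetic run lengths of claim 4, the character transition count of claim 6, and a claim 5 style bucketized histogram vector. The sample query names, the bucket edges, and all function names are assumptions made for this example; the claims do not specify them.

```python
import math
from collections import Counter

# Constructed sample query names (illustrative only; not taken from the office action
# or from the cited references). The first two resemble ordinary host names; the third
# resembles an encoded label of the kind a DNS tunneling detector is meant to flag.
SAMPLE_QUERIES = [
    "mail.example.com",
    "cdn01.example.com",
    "9f3a0c7e1b2d4f6a8c0e2b4d6f8a1c3e5.example.com",
]

HEX_DIGITS = set("0123456789abcdefABCDEF")

# Assumed bucket edges for claim 5's "ranges of values"; the document gives none.
BUCKET_EDGES = (1, 2, 4, 8, 16, 32)


def lowest_label(qname: str) -> str:
    """Return the lowest-level (leftmost) label of a DNS query name."""
    return qname.rstrip(".").split(".")[0]


def char_class(c: str) -> str:
    """Coarse character class used for run lengths and transitions."""
    if c.isdigit():
        return "digit"
    if c.isalpha():
        return "alpha"
    return "special"


def longest_run(label: str, cls: str) -> int:
    """Length of the longest run of consecutive characters of class cls."""
    best = cur = 0
    for c in label:
        cur = cur + 1 if char_class(c) == cls else 0
        best = max(best, cur)
    return best


def entropy(counts: Counter) -> float:
    """Shannon entropy, in bits, of an empirical distribution given as counts."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((n / total) * math.log2(n / total) for n in counts.values())


def unigram_entropy(label: str) -> float:
    return entropy(Counter(label))


def bigram_entropy(label: str) -> float:
    return entropy(Counter(label[i:i + 2] for i in range(len(label) - 1)))


def transition_count(label: str) -> int:
    """Number of adjacent character pairs whose character class changes (claim 6)."""
    return sum(1 for a, b in zip(label, label[1:]) if char_class(a) != char_class(b))


def extract_features(label: str) -> dict:
    """Per-label features in the spirit of claims 2, 3, 4 and 6."""
    uni = unigram_entropy(label)
    bi = bigram_entropy(label)
    return {
        "hex_count": sum(c in HEX_DIGITS for c in label),
        "alpha_count": sum(c.isalpha() for c in label),
        "digit_count": sum(c.isdigit() for c in label),
        "special_count": sum(char_class(c) == "special" for c in label),
        "unigram_entropy": uni,
        "bigram_entropy": bi,
        # Guard the edge case of a one-character or single-repeated-character label,
        # where the bigram entropy is zero and the ratio is undefined.
        "entropy_ratio": uni / bi if bi > 0 else 0.0,
        "digit_run": longest_run(label, "digit"),
        "alpha_run": longest_run(label, "alpha"),
        "transitions": transition_count(label),
    }


def bucket(value: float) -> int:
    """Index of the range a value falls in: 0 below the first edge, +1 per edge crossed."""
    return sum(value >= edge for edge in BUCKET_EDGES)


def feature_vector(label: str) -> list:
    """Claim 5 style vector: bucketize every feature, then histogram the bucket indices."""
    hist = [0] * (len(BUCKET_EDGES) + 1)
    for value in extract_features(label).values():
        hist[bucket(value)] += 1
    return hist


if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        lab = lowest_label(q)
        print(q, extract_features(lab), feature_vector(lab))
```

Running the block prints one line per constructed query; the encoded-looking third label stands out by its hexadecimal count equalling its length, its alternating digit/alphabetic transitions, and its short runs, whereas the host-name labels show long alphabetic runs and few transitions. The histogram vector is what a classifier such as the random forest of claim 7 would consume.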

Regarding claim 7, Dymshits-Baughman discloses the method as in claim 1, wherein the machine learning classifier comprises a random forest classifier (see Baughman; [0062]; The DNS tunneling detection heuristic and machine learning based models may be performed using a wide variety of methods of combinations of methods, such as random forest).

Regarding claim 9, Dymshits-Baughman discloses the method as in claim 1, further comprising: 
using a DNS tunneling tool to generate a plurality of DNS tunneling subdomains (see Baughman; [0058]; the DNS tunneling detection operation may be performed on both sides of a DNS transaction, such as on the request side and the question side of the DNS message (e.g., DNS query and DNS answer)); and 
training the machine learning classifier based on the generated plurality of DNS tunneling subdomains (see Baughman; [0058]; the DNS tunneling detection may include detection analytics and DNS tunneling deep learning. In one aspect, “deep learning model” may refer to classification models that may require longer training times in exchange for more accurate classifications. In some embodiments, deep learning neural network models may be considered a deep learning model).

Regarding claims 10-16, 18, and 19-20, these claims do not teach or further define over the limitations of claims 1-7, 9, and 1, 5 respectively. Therefore, claims 10-16, 18, and 19-20 are rejected for the same rationale of rejection as set forth for claims 1-7, 9, and 1, 5 respectively.

Allowable Subject Matter
Claims 8 and 17 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.


Conclusion
For the reasons above, claims 1-7, 9-16, and 18-20 have been rejected and remain pending.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JIMMY H TRAN whose telephone number is (571)270-5638. The examiner can normally be reached Monday - Friday 9am-5pm PST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Christopher Parry can be reached on 571-272-8328. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

JIMMY H TRAN
Primary Examiner
Art Unit 2456



/JIMMY H TRAN/Primary Examiner, Art Unit 2451