DETAILED ACTION
Claims 1-9 are presented for examination.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-9 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-19 of U.S. Patent No. 10,728,266. Although the claims at issue are not identical, they are not patentably distinct from each other because claims in the current application are anticipated by the claims of the issued patent.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-9 are rejected under 35 U.S.C. 103 as being unpatentable over Salsamendi et al (US Patent No. 9,805,193) in view of Baradaran et al (US Pub.No.2017/0126718).

Re Claim 1. Salsamendi discloses a method, comprising: obtaining a sample of a malware; executing the sample of the malware in a controlled environment at a first time-instance that emulates execution of the malware on a host computer at a first future time-instance to generate a first generated set of domain names (i.e. the first malware sample is executed in that first virtual machine (e.g., in accordance with portion 408 of process 400). Any external contacts made by the virtual machine instance will be recorded……………) [Salsamendi, col.14, ll.42-62], (i.e. a specific time/date can be set within the virtual machine instance (i.e., the guest time can be set to a specific date and time). As one example, suppose the actual date and time that process 400 is performed is Jan. 1, 2014 (at one second after midnight). One reason to perform process 400 is to determine which domains a malicious sample will (when executed on a compromised client device) generate, at a future time, so that remedial actions (described in more detail below) can be taken before that future time arrives. So for example, while the analysis is performed on Jan. 1, 2014, one of the initializations that could be made (e.g., at 406) could be to set the guest date/time to Jan. 2, 2014 (or Jan. 3, 2014, etc.)) [Salsamendi, col.11, ll.22-34]; verifying that the first generated set of domain names includes a number of [unique] domain names that is larger than a threshold amount (i.e. The malware is allowed to continue executing for a set period of time (e.g., one day of guest time having elapsed), until a threshold number of external contact attempts have been made (e.g., ten domain names have been collected), or until another appropriate stopping point is reached) [Salsamendi, col.14];
Salsamendi does not explicitly disclose, however Baradaran does teach: that the threshold number of domain names is specifically a threshold number of unique domain names (i.e. Selecting an anomaly explanation can include selecting an anomaly explanation based on a determination that the network traffic satisfies the at least one multivariate rule. In some embodiments, the at least two network traffic features can include at least two of a maximum inter-request arrival time, an average inter-request arrival time, and a minimum inter-request arrival time, or a number of unique uniform resource locator (URL) accesses) [Baradaran, para.0053] and that executing the sample is specifically in response to the verifying (i.e. the anomaly explanation tests can include historical data tests, and the multivariate policy manager 820 can perform multivariate analysis based on historical observations. For example, the received anomalous network traffic can be crosschecked against a second set of network traffic received previously, which is known to correspond to a particular type of anomaly. If the received network traffic and the second set of network traffic have a network traffic feature in common and that network traffic feature was related to the anomaly in the second set of network traffic, the multivariate policy manager 820 can determine that that network traffic feature is the cause of the anomaly in the received network traffic) [Baradaran, para.0312, Interpretation note: the historical data test to determine anomaly in a received network traffic is performed in response to verifying that a previously received traffic is anomalous, such as having a number of unique domain names that exceeds a threshold as in 0053 of Baradaran].
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify Salsamendi with Baradaran because the client 102 may be executing a program that attempts to simulate a human user interacting with the server 106. Such programs, sometimes referred to as “bots” or “web scrapers,” can severely strain the computing resources of the server 106, …………………………because anomalous network traffic may indicate an attack or other undesirable behavior, it can be useful to identify anomalous network traffic to improve the security of the system [Baradaran, para.0270].
Salsamendi further discloses: executing the sample of the malware in the controlled environment at a second time-instance that emulates execution of the malware on the host computer at a second future time-instance subsequent to the first future time-instance to generate a second generated set of domain names (i.e. In various embodiments, process 500 is performed using the same malware sample as both the first and second malware samples) [Salsamendi, col.16, ll.6-9], (i.e. At 506, portion 504 of process 500 is repeated, using the same virtual machine initializations, but with the second sample. An example of portion 506 of process 500 is as follows. The second malware sample is executed in a second virtual machine instance that has been configured the same way the first virtual machine instance was configured) [Salsamendi, col.14, ll.42-62], (i.e. one of the initializations that could be made (e.g., at 406) could be to set the guest date/time to Jan. 2, 2014 (or Jan. 3, 2014, etc.) at one second after midnight, or another appropriate time) [Salsamendi, col.11, ll.31-35]; and comparing the first and second generated sets of domain names (i.e. at 508, a determination is made as to whether or not the first and second sample are the same based on a comparison of their respective generated external contacts) [Salsamendi, col.15] to determine whether the malware is enabled by automatically generated domain names (i.e. This can be done, for example, as a quality assurance check—to ensure that two identical samples (namely, two identical copies of a given malware sample) generate identical external contact attempts. In the event the two identical copies generate different external contact attempts, this can be a sign that the domain generation algorithm used by the malware is engaging in anti-virtual machine or other techniques) [Salsamendi, col.16].

Re Claim 2. Salsamendi in view of Baradaran discloses the method of claim 1, Salsamendi further discloses: wherein the obtaining the sample of the malware includes retrieving the sample of the malware from a malware feed (i.e. candidate malware can be received at 402 as part of a batch operation (e.g., where cloud security service 122 receives a variety of malware samples over a period of time and a batch of received samples is provided to virtual machine server 124 for processing)) [Salsamendi, col.12, ll.1-6].

Re Claim 3. Salsamendi in view of Baradaran discloses the method of claim 1, Salsamendi in view of Baradaran does not explicitly disclose: wherein the threshold amount is at least 8, however Salsamendi does disclose a threshold of at least 10 (i.e. until a threshold number of external contact attempts have been made (e.g., ten domain names have been collected), or until another appropriate stopping point is reached) [Salsamendi, col.14] and modifying Salsamendi-Baradaran to select another value such as 8 for the threshold would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention because testing different values for the threshold yields the expected result of determining an optimal value that reduces false positives and/or false negatives.

Re Claim 4. Salsamendi in view of Baradaran discloses the method of claim 1, Salsamendi in view of Baradaran does not explicitly disclose: wherein the threshold amount is at least 15, however Salsamendi does disclose a threshold of at least 10 (i.e. until a threshold number of external contact attempts have been made (e.g., ten domain names have been collected), or until another appropriate stopping point is reached) [Salsamendi, col.14] and modifying Salsamendi-Baradaran to select another value such as 15 for the threshold would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention because testing different values for the threshold yields the expected result of determining an optimal value that reduces false positives and/or false negatives.

Re Claim 5. Salsamendi in view of Baradaran discloses the method of claim 1, Salsamendi further discloses: further comprising: monitoring for domain name resolve requests at a DNS server in response to executing the sample of the malware at the first and second time-instances (i.e. DNS requests made by the virtual machine instance are recorded. The logged external contact attempts represent the domains that will be generated by malware 130 when executing on a compromised client at that future time) [Salsamendi, col.11, ll.55-58].

Re Claim 6. Salsamendi in view of Baradaran discloses the method of claim 1, Salsamendi further discloses: further comprising: storing the first and second generated sets of domain names if, in response to the comparing, the malware is determined to be enabled by automatically generated domain names (i.e. results of analysis performed by the virtual machine servers can be used to generate/maintain blacklists of domains determined (or suspected) to be algorithmically generated by malware) [Salsamendi, col.4, ll.50-55, also col.12, ll.42-47].

Re Claim 7. Salsamendi in view of Baradaran discloses the method of claim 1, Salsamendi further discloses: further comprising: in response to determining that the malware is enabled by automatically generated domain names, executing the sample of the malware in the controlled environment at a series of successive time-instances that emulate execution of the malware on the host computer at a respective series of successive future time-instances to generate a plurality of generated sets of domain names, wherein the series of successive time-instances are subsequent to the second time-instance; and storing the plurality of generated sets of domain names (i.e. the determination of 508 can also be made asynchronously with the processing performed at 504/506. For example, coordinator 304, or another component, such as a deduplicator 318 can periodically query database 316 for generated external contacts (e.g., once an hour or once a day) and determine whether multiple samples (whether a pair of samples, or more than two samples) share generated external contacts) [Salsamendi, col.15, ll.39-46].

Re Claim 8. In a manner similar to the rejection of claim 1, Salsamendi in view of Baradaran discloses a computer system, comprising: a storage medium for storing computer components; and a computerized processor for executing the computer components in a controlled environment comprising: a malware receipt module configured for: obtaining a sample of a malware, and a malware execution and identification agent linked to the malware receipt module configured for: executing the sample of the malware in the controlled environment at a first time-instance that emulates execution of the malware on a host computer at a first future time-instance to generate a first generated set of domain names, verifying that the first generated set of domain names includes a number of unique domain names that is larger than a threshold amount, in response to the verifying, executing the sample of the malware in the controlled environment at a second time-instance that emulates execution of the malware on the host computer at a second future time-instance subsequent to the first future time-instance to generate a second generated set of domain names, and comparing the first and second generated sets of domain names to determine whether the malware is enabled by automatically generated domain names.

Re Claim 9. In a manner similar to the rejection of claim 1, Salsamendi in view of Baradaran discloses a computer usable non-transitory storage medium having a computer program embodied thereon for causing a suitable programmed system deployed in a controlled environment to perform the following steps when such program is executed on the system, the steps comprising: obtaining a sample of a malware; executing the sample of the malware in the controlled environment at a first time-instance that emulates execution of the malware on a host computer at a first future time-instance to generate a first generated set of domain names; verifying that the first generated set of domain names includes a number of unique domain names that is larger than a threshold amount; in response to the verifying, executing the sample of the malware in the controlled environment at a second time-instance that emulates execution of the malware on the host computer at a second future time-instance subsequent to the first future time-instance to generate a second generated set of domain names; and comparing the first and second generated sets of domain names to determine whether the malware is enabled by automatically generated domain names.
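
The steps recited in claims 1, 8 and 9 (count unique names from a first run, run again at a later emulated date only if the count exceeds the threshold, then compare the two sets) can be sketched on the analysis side as follows. This is an added illustration, not part of the Office action or of either cited reference. The log format, the BACKGROUND allowlist, the Jaccard-overlap decision rule with its 0.5 cutoff, and every domain name are constructed assumptions; the guest dates and the threshold of ten follow the Salsamendi passages quoted above.

```python
from typing import Callable, NamedTuple, Optional

# Assumption: lookups the sandbox image itself makes; hypothetical name.
BACKGROUND = {"time.sandbox.example"}

def _log(names, extra=""):
    """Build a constructed DNS log, one '<qtype> <qname>' entry per line."""
    return "\n".join(f"A {n}." for n in names) + "\n" + extra

# Constructed sample data keyed by emulated guest date (not real indicators).
DAY1 = [f"d1-{i:02d}.example" for i in range(12)]
DAY2 = [f"d2-{i:02d}.example" for i in range(12)] + ["d1-00.example"]
NOISE = "A D1-00.EXAMPLE.\nA time.sandbox.example.\nbad line here\nTXT d1-99.example."
DGA_LIKE = {"2014-01-02": _log(DAY1, NOISE), "2014-01-03": _log(DAY2)}
STATIC = {"2014-01-02": _log(DAY1), "2014-01-03": _log(DAY1)}
FEW = {"2014-01-02": _log(DAY1[:3])}  # no second-day log: a second run would fail

def unique_domains(log_text: str) -> set:
    """Normalise and de-duplicate queried names from one sandbox run."""
    names = set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2 or parts[0] not in ("A", "AAAA"):
            continue  # malformed entry or not an address lookup
        name = parts[1].rstrip(".").lower()
        if name and name not in BACKGROUND:
            names.add(name)
    return names

class Verdict(NamedTuple):
    runs: int                 # sandbox executions actually performed
    first_count: int          # unique names seen in the first run
    overlap: Optional[float]  # Jaccard overlap of the two sets, if compared
    dga: bool

def assess(run_sample: Callable[[str], str], date1: str, date2: str,
           threshold: int = 10, max_overlap: float = 0.5) -> Verdict:
    """Gate the second run on the unique-name count, then compare the sets."""
    first = unique_domains(run_sample(date1))
    if len(first) <= threshold:
        return Verdict(1, len(first), None, False)  # gate not met: stop here
    second = unique_domains(run_sample(date2))
    overlap = len(first & second) / len(first | second)
    # Assumed decision rule: mostly different names on a later date => DGA.
    return Verdict(2, len(first), overlap, overlap <= max_overlap)

if __name__ == "__main__":
    for label, logs in (("dga-like", DGA_LIKE), ("static", STATIC), ("few", FEW)):
        print(label, assess(logs.__getitem__, "2014-01-02", "2014-01-03"))
```

Counting unique names after normalisation is what keeps repeated lookups of a few hard-coded hosts from passing the gate, and the FEW case shows that the second execution is never requested when the gate is not met.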

Pertinent prior art made of record, however not relied upon, includes:

Cao et al (US Patent No.8,516,585) describes a method for detecting malicious software agents, such as domain-flux botnets. The method applies a co-clustering algorithm on a domain-name query failure graph, to generate a hierarchical grouping of hosts based on similarities between domain names queried by those hosts, and divides that hierarchical structure into candidate clusters based on percentages of failed queries having at least first- and second-level domain names in common, thereby identifying hosts having correlated queries as possibly being infected with malicious software agents. A linking algorithm is used to correlate the co-clustering results generated at different time periods to differentiate actual domain-flux bots from other domain-name failure anomalies by identifying candidate clusters that persist for relatively long periods of time. 

Sofka et al (US Pub.No.2017/0026390) describes techniques to identify malware communication with domain generation algorithm (DGA) generated domains. Sample domain names are obtained and labeled as DGA domains, non-DGA domains or suspicious domains. A classifier is trained in a first stage based on the sample domain names. Sample proxy logs including proxy logs of DGA domains and proxy logs of non-DGA domains are obtained to train the classifier in a second stage based on the plurality of sample domain names and the plurality of sample proxy logs. Live traffic proxy logs are obtained and the classifier is tested by classifying the live traffic proxy logs as DGA proxy logs, and the classifier is forwarded to a second computing device to identify network communication of a third computing device as malware network communication with DGA domains via a network interface unit of the third computing device based on the trained and tested classifier.  

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to NOURA ZOUBAIR whose telephone number is (571)270-7285. The examiner can normally be reached Monday - Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on 571-272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/NOURA ZOUBAIR/ Primary Examiner, Art Unit 2434