Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
Claims 1-20 are pending.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 3, 8, 13, and 18 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant regards as the invention.
 
Claims 3, 8, 13, and 18 recite, “received from the outside through a communication modem of the computer.” “The outside” lacks clear antecedent basis. Further, the term “outside” is a relative term that renders the limitation indefinite. That is, it is not clear from the claim what would be considered outside vs. inside.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1, 2, 5, 6, 9-12, 15-16, 19, and 20 are rejected under 35 U.S.C. 102(a)(1)/(2) as being anticipated by Thomas (US Pub. No. 2012/0047173).

As to claim 1, Thomas discloses a malware detection method performed in a computer (Abstract), the malware detection method comprising: 
monitoring, by a processor of the computer, domain name system (DNS) query requests for all processes and replies to the query requests ([0017], particularly, “These embodiments include methods, software and apparatus for tracking or logging requests to resolve unregistered, unresolvable, and/or non-existent domain (NXDomains) and classifying the NXDomains to support a mapping of the domain requestors to a taxonomical set of frequency counts.” And [0046], particularly, “maintain a log of requests to resolve unresolvable domains, where each request made by a requestor”); and 
counting, by the processor, the number of times of failure DNS query requests per unit process and determining, by the processor, malware ([0046], particularly, “maintain a log of requests to resolve unresolvable domains, where each request made by a requestor…maintain a count of the number of requests for each unresolvable domain made by each requestor within each of the taxonomical sets, and apply a set of heuristics to identify requestors exhibiting a threshold level of machine generated traffic based on statistical counts of the taxonomical sets.” And further [0042], disclosing where this is used to determine malware).   

As to claim 6, Thomas discloses a method for detecting a domain generation algorithm, performed by a computer (Abstract), the method comprising: 
monitoring, by a processor of the computer, a domain address translation request according to an Internet protocol ([0046], particularly, “According to another aspect of the invention, a method, apparatus, and computer readable medium may be implemented to maintain a log of requests to resolve unresolvable domains, where each request made by a requestor”); 
determining, by the processor, whether domain address translation is requested over the predetermined number of reference translation requests within a predetermined reference time ([0046], particularly, “identify from among the requests a unique set of unresolvable domains requested within a given time period, classify the domains within the unique set of unresolvable domains into predefined taxonomical sets, maintain a count of the number of requests for each unresolvable domain made by each requestor within each of the taxonomical sets, and apply a set of heuristics to identify requestors exhibiting a threshold level of machine generated traffic based on statistical counts of the taxonomical sets”); and 
determining, by the processor, that the domain generation algorithm is executed, when nonreplies of a reference rate or more occur from the translated domain addresses ([0046], particularly, “identify from among the requests a unique set of unresolvable domains requested within a given time period, classify the domains within the unique set of unresolvable domains into predefined taxonomical sets, maintain a count of the number of requests for each unresolvable domain made by each requestor within each of the taxonomical sets, and apply a set of heuristics to identify requestors exhibiting a threshold level of machine generated traffic based on statistical counts of the taxonomical sets”).

As to claim 11, it is rejected by a similar rationale to that set forth in claim 1’s rejection.

As to claim 16, it is rejected by a similar rationale to that set forth in claim 6’s rejection.

As to claims 2 and 12, Thomas discloses determining, by the processor, the malware, when failure DNS query requests are counted per unit process over a predetermined number of times within a predetermined reference time ([0046], particularly, “identify from among the requests a unique set of unresolvable domains requested within a given time period, classify the domains within the unique set of unresolvable domains into predefined taxonomical sets, maintain a count of the number of requests for each unresolvable domain made by each requestor within each of the taxonomical sets, and apply a set of heuristics to identify requestors exhibiting a threshold level of machine generated traffic based on statistical counts of the taxonomical sets”).
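An added sketch, not taken from the application or from Thomas, of the per-process logic that the claim 1, 2 and 6 mappings above describe: failed DNS lookups are counted per process inside a sliding reference time, and a process is flagged when the failure count exceeds a threshold (claim 2) or when enough lookups are issued and the share of non-replies meets a reference rate (claim 6). The threshold values, the rcode labels, the PIDs and the sample events are constructed assumptions.

```python
from collections import defaultdict, deque

# Assumed values for illustration; the Office action states none.
WINDOW_SECONDS = 60       # "predetermined reference time"
MAX_FAILURES = 5          # "predetermined number of times" (claim 2)
MIN_REQUESTS = 8          # "number of reference translation requests" (claim 6)
MIN_FAILURE_RATE = 0.7    # "reference rate" of non-replies (claim 6)
FAILURE_RCODES = {"NXDOMAIN", "TIMEOUT"}  # assumed labels for a failed lookup

class DnsFailureMonitor:
    def __init__(self):
        self._events = defaultdict(deque)  # pid -> deque of (timestamp, failed)

    def observe(self, ts, pid, rcode):
        """Record one query/reply pair and return the reasons pid is flagged."""
        window = self._events[pid]
        window.append((ts, rcode in FAILURE_RCODES))
        # Drop lookups that have aged out of the reference time.
        while ts - window[0][0] > WINDOW_SECONDS:
            window.popleft()
        total = len(window)
        failures = sum(1 for _, failed in window if failed)
        reasons = set()
        if failures > MAX_FAILURES:
            reasons.add("failure-count")
        if total > MIN_REQUESTS and failures / total >= MIN_FAILURE_RATE:
            reasons.add("dga-rate")
        return reasons

def build_sample():
    """Constructed events: (timestamp, pid, queried name, reply code)."""
    events = []
    for i in range(10):   # pid 4242: 10 lookups in 20 s, 9 of them fail
        rcode = "NOERROR" if i == 3 else "NXDOMAIN"
        events.append((100 + 2 * i, 4242, f"x{i}qzt.example", rcode))
    for i in range(12):   # pid 1001: 12 lookups in 55 s, 1 of them fails
        rcode = "NXDOMAIN" if i == 5 else "NOERROR"
        events.append((100 + 5 * i, 1001, f"site{i}.example", rcode))
    return sorted(events, key=lambda e: e[0])

def scan(events):
    """Replay events in time order; return {pid: reasons} for flagged processes."""
    monitor, flagged = DnsFailureMonitor(), defaultdict(set)
    for ts, pid, _qname, rcode in events:
        reasons = monitor.observe(ts, pid, rcode)
        if reasons:
            flagged[pid] |= reasons
    return dict(flagged)
```

A high query volume alone does not flag pid 1001, because both conditions key on failed lookups within the window rather than on request count.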

As to claims 5 and 15, Thomas discloses isolating or blocking, by the processor, a unit process determined as the malware ([0042] and [0065]).

As to claims 9 and 19, Thomas discloses the predetermined reference time, the number of the reference translation requests, and the reference rate are calculated on the basis of an average domain address translation request ([0079], particularly, “For example, a unique (i.e., excluding duplicates) set of unresolvable domains requested within a given time period may be extracted from the log. Each domain within the set may be classified into predefined taxonomical sets, such as machine generated or not machine generated. A count of the number of requests received for each unresolvable domain within each set may be generated for each of a set of requestors. Finally, a threshold or other heuristic measurement may be applied to determine whether each requestor exhibits a certain level of machine generated traffic. In some cases, the “most requested” NXDomains may be identified.”).

As to claims 10 and 20, Thomas discloses compulsorily ending, by the processor, a process of executing the domain generation algorithm ([0046], describes a starting and ending of the process).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 3, 4, 7, 8, 13, 14, 17, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Thomas in view of what was well known in the art prior to the effective filing date of the application.

As to claims 3, 8, 13, and 18, Thomas discloses the parent claim but does not disclose the predetermined reference time and the predetermined number of times are received from the outside through a communication modem of the computer. That is, Thomas does not disclose any specifics with regard to how these predetermined values are received. However, Official Notice is taken (see MPEP 2144.03) that it was a well-known and common practice prior to the effective filing date of the application, in addition to being within the scope of Thomas’s teaching, to receive predetermined values from the outside through a communication modem of the computer. It would have been obvious to one of ordinary skill in the art prior to the effective filing date of the application to combine this practice with the teachings of Thomas in order to provide a specific and reliable means of setting values thus allowing flexibility within the system.

As to claims 4 and 14, Thomas discloses the parent claim but does not disclose the predetermined reference time and the predetermined number of times are learned through artificial intelligence. That is, Thomas does not disclose any specifics with regard to how these predetermined values are determined. However, Official Notice is taken (see MPEP 2144.03) that it was a well-known and common practice prior to the effective filing date of the application to learn predetermined values through artificial intelligence. It would have been obvious to one of ordinary skill in the art prior to the effective filing date of the application to combine this practice with the teachings of Thomas in order to provide a specific and reliable means of setting values thus allowing flexibility within the system.
 
As to claims 7 and 17, Thomas discloses the parent claim but does not disclose the predetermined reference time, the number of the reference translation requests, and the reference rate are determined by a user input. That is, Thomas does not disclose any specifics with regard to how these predetermined values are inputted. However, Official Notice is taken (see MPEP 2144.03) that it was a well-known and common practice prior to the effective filing date of the application to determine predetermined values by user input. It would have been obvious to one of ordinary skill in the art prior to the effective filing date of the application to combine this practice with the teachings of Thomas in order to provide a specific and reliable means of setting values thus allowing flexibility within the system.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
US Pat. 10,198,579 (Thakar et al) – The computer readable medium includes instructions for identifying a domain name by monitoring network activity. A portion of the domain name is identified as a name. A lexical complexity score is calculated for the name. The determination is made to check if the domain name is Domain Generation Algorithm (DGA) generated based on the lexical complexity score.
US Pub. No. 2016/0381065 (Xie et al) – The system has a processor for registering a bad network domain with a domain registry to a valid internet protocol (IP) address to sinkhole the bad network domain, where the valid IP address is associated with a device controlled by a cloud security service provider. The processor identifies a host that is infected with identified malware based on an attempt by the host to connect to the valid IP address, where the host receives a domain name system (DNS) query response. A memory is coupled to the processor, and provides the processor with instructions.
US Pat. 10,270,806 (Akein) - The method involves resolving a received user input to a search box as a domain name system (DNS) query without using a caching server provided by internal service provider (ISP). Determination is made to check whether the DNS query causes an NXDOMAIN condition under which the DNS query does not include a DNS record in the DNS. An NXDOMAIN response is displayed on a computing device indicating that the input does not include a corresponding internet protocol (IP) address in a DNS in response to determining that the query causes the NXDOMAIN condition.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to THOMAS J DAILEY whose telephone number is (571)270-1246.  The examiner can normally be reached on 9:30am-6:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Thu Nguyen can be reached on 571-272-6967.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/Thomas J Dailey/
Primary Examiner, Art Unit 2452