DETAILED ACTION
This Office Action is in response to the communication filed on 12/30/2020.
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Terminal Disclaimer
The terminal disclaimer filed on 06/13/2022 disclaiming the terminal portion of any patent granted on this application which would extend beyond the expiration date of Patent number 11,025,670 has been reviewed and is accepted. The terminal disclaimer has been recorded.
Examiner's Amendment
An Examiner's amendment to the record appears below. Should the changes and/or additions be unacceptable to applicants, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this Examiner's amendment was given in a discussion with Matthew Nicholson (Reg. No. 62,889) on 06/15/2022.
The application has been amended as follows:
1. 	(Currently Amended) A method comprising:
receiving, at a first compute server of a plurality of compute servers, a first request from a first client device; and
responsive to determining that the first request is destined to a malicious domain, running a malicious node emulator in one of a plurality of isolated execution environments of a single process in the first compute server, wherein the malicious node emulator emulates an expected behavior of a server that hosts the malicious domain, wherein the one of a plurality of isolated execution environments is not a container or a virtual machine , and wherein the single process switches between the plurality of isolated execution environments in which a first code in a first isolated execution environment of the plurality of isolated execution environments does not interfere with a second code running in a second isolated execution environment of the plurality of isolated execution environments despite being in a same process; and
transmitting by the first compute server to the first client device a first response that is consistent with the expected behavior of the server that hosts the malicious domain.
2.	(Currently Amended) The method of claim 1, wherein the malicious domain is registered with a proxy service causing requests for the malicious domain to be received to compute servers from the plurality of compute servers instead of [[a]] the server that hosts the malicious domain. 
4.	(Cancelled). 
8. 	(Currently Amended) A non-transitory machine-readable storage medium of a first
receiving, at a first compute server of a plurality of compute servers, a first request from a first client device; and
responsive to determining that the first request is destined to a malicious domain, running a malicious node emulator in one of a plurality of isolated execution environments of a single process in the first compute server, wherein the malicious node emulator emulates an expected behavior of a server that hosts the malicious domain, wherein the one of a plurality of isolated execution environments is not a container or a virtual machine , and wherein the single process switches between the plurality of isolated execution environments in which a first code in a first isolated execution environment of the plurality of isolated execution environments does not interfere with a second code running in a second isolated execution environment of the plurality of isolated execution environments despite being in a same process; and
transmitting by the first compute server to the first client device a first response that is consistent with the expected behavior of the server that hosts the malicious domain.
9.	(Currently Amended) The non-transitory machine-readable storage medium of claim 8, wherein the malicious domain is registered with a proxy service causing requests for the malicious domain to be received to compute servers from the plurality of compute servers instead of [[a]] the server that hosts the malicious domain. 
11.	(Cancelled).
15. 	(Currently Amended) A first compute server comprising:
a set of one or more processors; and
a non-transitory machine-readable storage medium that provides instructions that, when executed by the set of one or more processors, cause the set of one or more processors to perform operations comprising:
receiving, at [[a]] the first compute server of a plurality of compute servers, a first request from a first client device; and
responsive to determining that the first request is destined to a malicious domain, running a malicious node emulator in one of a plurality of isolated execution environments of a single process in the first compute server, wherein the malicious node emulator emulates an expected behavior of a server that hosts the malicious domain, wherein the one of a plurality of isolated execution environments is not a container or a virtual machine , and wherein the single process switches between the plurality of isolated execution environments in which a first code in a first isolated execution environment of the plurality of isolated execution environments does not interfere with a second code running in a second isolated execution environment of the plurality of isolated execution environments despite being in a same process; and
transmitting by the first compute server to the first client device a first response that is consistent with the expected behavior of the server that hosts the malicious domain.
16.	(Currently Amended) The first compute server of claim 15, wherein the malicious domain is registered with a proxy service causing requests for the malicious domain to be received to compute servers from the plurality of compute servers instead of [[a]] the server that hosts the malicious domain. 
18.	(Cancelled).
Allowable Subject Matter
Claims 1-3, 5-10, 12-17, and 19-21 are allowed.
Prior arts found:
Prior art US 2008/0028463 discloses a system and method for detecting a first network of compromised computers in a second network of computers, comprising: collecting Domain Name System data for the second network; examining the collected data relative to DNS data from known comprised and/or uncompromised computers in the second network; and determining the existence of the first network and/or the identity of compromised computers in the second network based on the examination.
Prior art US 2017/0163603 discloses techniques for discovering and selecting candidates for sinkholing of network domains. A process for discovering and selecting candidates for sinkholing of network domains includes collecting passive DNS data from a plurality of security devices to discover candidates for sinkholing of domain names; selecting one or more domain names that are most commonly queried by distinct client devices based on the passive DNS data, wherein each of the one or more domain names is not yet registered; and automatically registering each of the one or more domain names with a domain registry to a sinkholed IP address in order to sinkhole each of the one or more domain names.
Prior art US 2013/0232574 discloses a system and method of DNS grey listing including receiving a domain name system request comprising a hostname; determining if the hostname is in a grey list cache or a white list cache; and if the hostname is not in the grey list cache or the white list cache, then saving the hostname to the grey list cache and sending a false reply to the DNS request.
Prior art US 9,063,748 discloses a system for allowing a plurality of application programming interface versions to interact with a single version of implementation code.
The following is an examiner's statement of reasons for allowance:
Regarding independent claim 1: None of the prior art of record discloses, individually or in a reasonable combination, the following combination of limitations as recited in claim 1: "responsive to determining that the first request is destined to a malicious domain, running a malicious node emulator in one of a plurality of isolated execution environments of a single process in the first compute server, wherein the malicious node emulator emulates an expected behavior of a server that hosts the malicious domain, wherein the one of a plurality of isolated execution environments is not a container or a virtual machine, wherein the plurality of isolated execution environments are managed in user space and not by an operating system and run at a same time within the single process, and wherein the single process switches between the plurality of isolated execution environments in which a first code in a first isolated execution environment of the plurality of isolated execution environments does not interfere with a second code running in a second isolated execution environment of the plurality of isolated execution environments despite being in a same process; and transmitting by the first compute server to the first client device a first response that is consistent with the expected behavior of the server that hosts the malicious domain" in combination with other limitations as a whole and in the context recited in claim 1.
Regarding independent claim 8: None of the prior art of record discloses, individually or in a reasonable combination, the following combination of limitations as recited in claim 8: "responsive to determining that the first request is destined to a malicious domain, running a malicious node emulator in one of a plurality of isolated execution environments of a single process in the first compute server, wherein the malicious node emulator emulates an expected behavior of a server that hosts the malicious domain, wherein the one of a plurality of isolated execution environments is not a container or a virtual machine, wherein the plurality of isolated execution environments are managed in user space and not by an operating system and run at a same time within the single process, and wherein the single process switches between the plurality of isolated execution environments in which a first code in a first isolated execution environment of the plurality of isolated execution environments does not interfere with a second code running in a second isolated execution environment of the plurality of isolated execution environments despite being in a same process; and transmitting by the first compute server to the first client device a first response that is consistent with the expected behavior of the server that hosts the malicious domain" in combination with other limitations as a whole and in the context recited in claim 8.
Regarding independent claim 15: None of the prior art of record discloses, individually or in a reasonable combination, the following combination of limitations as recited in claim 15: "responsive to determining that the first request is destined to a malicious domain, running a malicious node emulator in one of a plurality of isolated execution environments of a single process in the first compute server, wherein the malicious node emulator emulates an expected behavior of a server that hosts the malicious domain, wherein the one of a plurality of isolated execution environments is not a container or a virtual machine, wherein the plurality of isolated execution environments are managed in user space and not by an operating system and run at a same time within the single process, and wherein the single process switches between the plurality of isolated execution environments in which a first code in a first isolated execution environment of the plurality of isolated execution environments does not interfere with a second code running in a second isolated execution environment of the plurality of isolated execution environments despite being in a same process; and transmitting by the first compute server to the first client device a first response that is consistent with the expected behavior of the server that hosts the malicious domain" in combination with other limitations as a whole and in the context recited in claim 15.
Regarding dependent claims: Dependent claims are allowed as they depend from allowable independent claims.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled "Comments on Statement of Reasons for Allowance."
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AMIE C LIN whose telephone number is (571)272-7752. The examiner can normally be reached M-F 9:00AM -5:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, GELAGAY SHEWAYE can be reached on (571)272-4219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/AMIE C. LIN/Primary Examiner, Art Unit 2436