DETAILED ACTION

Response to Arguments

112 Section
The previous 112 rejections are withdrawn in view of applicant's amended claim language.

Art Section

Applicant's 1st argument, found middle of page 9, asserts that Pandrangi does not teach or suggest an 'attack'.
To the contrary, Pandrangi [0023] is replete with example embodiments of 'a domain name under attack', including the example cited in the Non-Final Office Action dated 4/15/2021, which maps the claimed 'a domain name under attack' to [0023] 'domain names misspelled to mimic well-known domain names'.
And moreover, just as disclosure from the specification may not be imported into the claims as limiting beyond the broadest reasonable interpretation, neither may teachings from the prior art. If applicant wishes to distinguish the claims from Pandrangi, applicant should consider using language to limit the meaning of the term 'recursive DNS attack'.
Consider first
In [0011]-[0012] of applicant specification, applicant describes one embodiment of a DNS attack wherein a blacklist is not an effective defense because the attacker may not use domain names that are known invalid such that the attacker may implement a 'malicious query to resolve a domain name not designated in the list'.  Likewise, an attacker that would purposely use a misspelled domain name might also defeat a blacklist defense in that the misspelling may not be found in the blacklist.
As such, Pandrangi's teaching of a 'domain name under attack' is compatible with applicant's embodiment describing a DNS attack found in [0011]-[0012] of applicant's specification.
Consider second
In [0053]-[0057] of applicant's specification, applicant describes a second embodiment using the phrase 'a domain name under attack'. In this embodiment, the attack is defended using a whitelist defense such that 'any random generated domain names will be blocked as such a domain name is not designated in the list'.
As such, applicant's embodiment characterized by the phrase 'a domain name under attack' is related to DNS requests wherein the spelling of a domain name in the request is checked for a match with an entry in a whitelist, again indicating that Pandrangi's teaching of a 'domain name under attack' is compatible with applicant's embodiments.




Consider third
The claimed phrase 'a domain name under attack' is found described only in [0053]-[0057] of applicant's specification. And moreover, nowhere in applicant's specification is found a limiting definition of the claimed phrase 'a domain name under attack'. Therefore applicant is afforded the broadest reasonable interpretation of the phrase, which includes Pandrangi's teaching of a 'domain name under attack' found in Pandrangi [0023], at least because of the aforementioned compatibility between Pandrangi [0023] and [0053]-[0057] of applicant's specification.


Applicant's 2nd argument, found on pages 10-11, asserts that Pandrangi's teaching of a purposely mistyped domain name does not constitute 'an attack on a domain name'.
However, these arguments are not supported by any substantive evidence. As previously mentioned, the specification does not provide any limiting definition for the various limitations associated with an attack. Therefore, applicant will be required to detail the intended meaning of these terms in the claims in order to compel the examiner to interpret them more narrowly, because the examiner is affording applicant the broadest reasonable interpretation of the claimed terms. As such:
Applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.

For example, in the 1st paragraph of page 11, applicant asserts that Pandrangi's teaching of a purposely mistyped domain name "is not considered to be an attack on the particular website, as it is well known by ordinary skill in the art, and certainly not as the word 'attack'". Here again, applicant is providing generalized arguments about what 'one of ordinary skill in the art' would understand. However, the issue at hand is addressed by the Broadest Reasonable Interpretation standard. As such:
Applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.


Applicant's 3rd argument, found middle of page 11 and relating to an inadvertent misspelling of an email address, is not persuasive because Pandrangi teaches a purposely mistyped domain name, which is the basis for considering that Pandrangi teaches an attack.

Applicant's 4th argument, found bottom of page 11, admits that a purposely misspelled version of a well-known domain name is intended to profit (i.e., maliciously), but argues that this is not an attack. However, applicant offers no compelling basis as to why the former may not be considered an attack. As such:
Applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.



Applicant's 5th argument, found bottom of page 11 to top of page 12, asserts that [0011]-[0012] of applicant's spec should not be considered by the examiner. To the contrary, in [0055] of applicant's spec, "mysite.com" is attacked when a user types "random.mysite.com". Moreover, in [0011] of applicant's spec, a recursive DNS attack targets the DNS resolver, not the website of the domain. Here again this is similar to the teaching of Pandrangi, who uses a cached modified DNS response to avoid sending intentionally misspelled or otherwise suspicious DNS queries for processing, and instead redirects such queries to data capture processing. See [0024].


As to the 6th argument, found in the 2nd paragraph of page 11, asserting that there does not appear to be any suggestion in Pandrangi of trying to overload the DNS servers or otherwise abuse them, which applicant contends is required for an attack: to the contrary, applicant should not expect the examiner to import limitations provided in the arguments into the claims. Applicant should draft narrowing limitations into the claims if there is a desire for the examiner to interpret the claims any differently.
As such: In response to applicant's argument that the references fail to show certain features of applicant's invention, it is noted that the features upon which applicant relies (i.e., overload the DNS servers or otherwise abuse them) are not recited in the rejected claim(s). Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims. See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993).

As to the 7th argument, found bottom of page 12 and top of page 13, here again applicant references elements from the specification that are not found in the claims.
As such: In response to applicant's argument that the references fail to show certain features of applicant's invention, it is noted that the features upon which applicant relies (i.e., using forged sub domain names in an actual attack on a domain name) are not recited in the rejected claim(s). Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims. See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993).

As to the 8th argument, found middle of page 13, here again applicant argues elements from the specification that are not found in the claims.
As such: In response to applicant's argument that the references fail to show certain features of applicant's invention, it is noted that the features upon which applicant relies (i.e., distributed denial of service attack) are not recited in the rejected claim(s). Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims. See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993).
Moreover, claim 17 is directed to a DDoS attack. As set forth in the rejection of claim 17, Wasiq teaches a DDoS attack.

As to the 9th argument, found bottom of page 13 to bottom of page 14, applicant asserts that Pandrangi does not teach an anomaly. To the contrary, Pandrangi teaches anomalies in [0023] ('suspicious DNS queries'). Again, applicant's arguments amount to mere allegations as well as demands to import limitations from the specification or arguments into the claims. Applicant is encouraged to narrow the claims accordingly rather than expect the examiner to interpret the claims more narrowly than they are written according to the BRI standard.



The remaining arguments are redundant.

Claim Rejections - 35 USC § 112
The rejections of claim 11 and 12 are maintained.
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 1-18 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. For example:
In claims 1-3:
'a domain name' is introduced more than once.
It is unclear how many unique 'attack'(s) are being referenced in the claims.  For example:
a recursive domain name system (DNS) attack
a potential attack upon a domain name
a recursive DNS attack upon a domain name
It is unclear if the claimed 'attack upon a domain name' is different from the claimed 'attack upon a domain'.

If the claim is intended that each occurrence of 'attack' refer to the same attack, examiner suggests introducing 'an attack' and subsequently referring to 'the attack'.

Claims 4-18 are rejected because they depend from rejected claims.  


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:

1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1-8, 14-16, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Pandrangi et al. (US 2016/0380960, hereinafter Pandrangi) in view of Chesla (US 2016/0057166, hereinafter Chesla).




Claims 1 and 2 are rejected on the basis presented in the rejection of claim 3 below.
As to claim 3,   
Pandrangi discloses a system (Fig 1 100) for detecting a recursive domain name system (DNS) attack, comprising:
Page 2 of 6   Docket: RADW P0789C1   Serial No: 16/846,968
a processing circuitry;  Fig 5 502   
and a memory, Fig 5 520  
the memory containing instructions    [0046] program instructions in source code
that, when executed by the processing circuitry, configure the system to: 

learn a plurality of baselines 
	[0036] data logs in local storage and augmented DNS data in central storage
	in view of  [0036] aggregate information associated with the client machine's history
[[of at least rates]] [0026] time-stamps indicating time of origination or transmission
[[and rate invariants]] [0026]  originator identifiers, destination and destination ports and protocol
of DNS features; [0026] attribute values for one or more attributes of redirected network traffic

monitor DNS traffic
 			[0023] 100 performs inter-network monitoring of DNS queries
directed to [0019]  transmit a DNS query to resolver 30
and from, [0019]   local resolver 30 answers with at least one DNS answer
a DNS resolver, [0019]   local resolver 30

wherein the DNS resolver [0019]   local resolver 30
is communicatively connected between Fig 2
at least one client Fig 2 20a-20n
and at least one name server; Fig 2 50

analyze  [0036] system 100 can analyze the captured information, data logs in 142 and 180
the monitored DNS traffic
 [0036] system 100 can analyze the captured information, data logs in 142 and 180
using at least one detection function 
[0034] deems the query suspicious, for example, based on evaluation of the DNS query
to detect in
[0034] deems the query suspicious, for example, based on evaluation of the DNS query
in view of [0023] to identify DNS queries which are suspicious
the monitored DNS traffic 
[0036] system 100 can analyze the captured information, data logs in 142 and 180
in view of  [0040]  server 50 can deem the DNS query as suspicious
at least one anomaly [0023] suspicious DNS queries
based in part on 
[0023] system 100 relies on various data sources (i.e. 142, 180) to identify suspicious 
DNS queries
at least one baseline of the plurality of learnt baselines; 
	[0036] data logs in local storage and augmented DNS data in central storage

each of the at least one anomaly [0023] suspicious DNS queries
indicating a potential attack 
[0023] domain names misspelled to mimic well-known domain names
upon a domain name[0023] domain names misspelled to mimic well-known domain names


determine based on [0023] system 100 flags the DNS queries identified as suspicious
the detected at least one anomaly 
[0023] suspicious DNS queries  in view of  [0034] deems the query suspicious
that a recursive DNS [0007] – [0008] recursive name servers / recursive resolvers
attack 
[0023] malware, defrauding, violating
in view of  [0008] prevent users from falling victim to malware sites
upon a domain name [0023] domain names misspelled to mimic well-known domain names
is in progress [0024] DNS data augmentation system 100 responds to the suspicious DNS queries

and upon detection 
[0040] server 50 can deem the query suspicious when the originator is flagged or 
exceeded a predetermined threshold of redirect request within a time window
that a recursive DNS [0007] – [0008] recursive name servers / recursive resolvers
attack 
[0023] malware, defrauding, violating
in view of  [0008] prevent users from falling victim to malware sites
upon a domain [0023] domain names misspelled to mimic well-known domain names
is in progress, 
[0024] DNS data augmentation system 100 responds to the suspicious DNS queries
in view of  [0040] 

perform at least one mitigation action to filter out 
[0033] thus selectively modifies the DNS answer to cause the client machine to redirect 
the information capture device
incoming DNS queries 
	[0020] DNS queries
to the particular domain name
[0023] domain names misspelled to mimic well-known domain names
in view of  [0033] domain name
under attack. 
[0023] malware, defrauding, violating
in view of  [0008] prevent users from falling victim to malware sites

wherein performing the mitigation action
[0033] thus selectively modifies the DNS answer to cause the client machine to redirect 
the information capture device
		determines which domain name 
			[0041] server 50 can monitor DNS queries originating in network 15, identify which of 
the DNS queries are suspicious, selectively modify DNS answers, and answer [subsequent] suspicious queries with the modified answer.
	is the particular domain name
[0023] domain names misspelled to mimic well-known domain names
in view of  [0033] domain name
	under recursive DNS [0007] – [0008] recursive name servers / recursive resolvers
	attack
[0023] malware, defrauding, violating
in view of  [0008] prevent users from falling victim to malware sites


Pandrangi does not particularly disclose
	rate and rate invariants of DNS features

Chesla teaches
rate and rate invariants of DNS features [0075] rate and rate-invariant parameters

Before the effective filing date, it would have been obvious to a person having ordinary skill in the art to combine the teachings of Pandrangi and Chesla as elements known in the prior art combined to yield predictable results. For example, Pandrangi discloses DNS features including identifiers and time-stamps. Moreover, Pandrangi discloses a number of redirect requests that may exceed a threshold within a time window. However, Pandrangi does not use the terms "rate and rate invariants". Chesla cures Pandrangi's deficiency by teaching the terms "rate and rate invariants".

As to claim 4,   
Pandrangi discloses wherein the method is performed 
at a DNS protection system  Fig 1 100
located between the at least one client Fig 1 20 a-n
and the DNS resolver Fig 1 30
As to claim 5,   
Pandrangi discloses wherein 
the DNS resolver Fig 1 30
is a recursive DNS resolver [0008] recursive resolvers can be configured to redirect DNS queries	
and where the at least one name server Fig 2 50
is an authoritative DNS name server 
           [0021] server 50 can resolve domain names in the .com TLD
          in view of  [0006] authoritative name server
for at least one of a domain and a subdomain. [0006] authoritative name server for each domain

As to claim 6,   
Pandrangi discloses wherein 
	a baseline [0023] list of questionable domains
	of a plurality of baselines
[0036] data logs in local storage and augmented DNS data in central storage
	in view of  [0036] aggregate information associated with the client machine's history

	includes distribution of common domain names
		[0023] suspect domains 94
 in view of  [0023] domain names misspelled to mimic well-known domain names

As to claim 7,   
Pandrangi discloses wherein 
each baseline of the plurality of baselines
[0036] data logs in local storage and augmented DNS data in central storage
	in view of  [0036] aggregate information associated with the client machine's history
is learnt over a predefined period of time [0036] defined timeframe
based on statistics gathered [0036] redirection ratio
 with respect to at least one of: 
 responses received or generated by the DNS resolver, 
	[0036] how often were client machine requests redirected relative to all requests

  As to claim 8,   
Pandrangi discloses wherein
the at least one detection function
[0033] deems the query suspicious, for example, based on evaluation of the DNS query
is a fuzzy logic function set 
	[0036] aggregate information associated with redirected traffic made during one or more 
timeframes
			in view of  [0039] adaptive response  see also 'adaptive answer' in the claims of Pandrangi
			* art applied in view of applicant spec [0051] – [0052] continually average / adaptive algorithm
based on 
[0023] system 100 relies on various data sources (i.e. 142, 180) to identify suspicious 
DNS queries
at least one baseline of the plurality of baselines.
[0036] data logs in local storage and augmented DNS data in central storage
	in view of  [0036] aggregate information associated with the client machine's history
 
  As to claim 14,   
Pandrangi discloses 
sending the incoming DNS query [0020] forward the DNS query
to the [[DNS resolver]]
[0020] forward the DNS query to a DNS name server
in view of  [0006] an authoritative name server are responsible for resolving the domain 
name
when the identified domain name does not match 
[0020] if the DNS query cannot be fully answered locally
any generated footprint.
	[0003] ".example.com"

Before the effective filing date it would have been obvious to one of ordinary skill in the art that the authoritative name server may resolve any DNS queries when the local resolver 30 is unable to resolve them. Moreover, resolver 30 works off cached results provided from recursive name servers; see [0006]-[0007] and [0020]. Moreover, Pandrangi teaches in [0022] that local resolver 30 and name server 50 may be embodied in multiple configurations (distributed, cloud based, PC based, etc.), thereby rendering obvious any particular claimed physical arrangement of the functionalities.

  As to claim 15,   
Pandrangi discloses  
adding [0023] example suspect domains 94 include domains with domain names misspelled to 
mimic well known domain names
the identified domain name [0033] domain name
to a black list, [0023] list of questionable domain names including suspect domains 94

when the identified domain name [0033] domain name
is not designated in the white list [0023] well known domain names

  As to claim 16,   
Pandrangi discloses  
the white list [0023] well known domain names
includes a list of legitimate fully qualified domain names [0023] well known domain names


  As to claim 18,   
Pandrangi discloses  
	fuzzy logic to perform anomaly detection  [0025] adaptive response in view of [0051] logic

Claims 9 and 17 are rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over Pandrangi in view of Chesla and in further view of Wasiq (US 10911483, hereinafter Wasiq).

As to claims 9 and 17, Pandrangi and Chesla teach all the subject matter pointed out in the above 103 rejection of parent claim 1. 

  As to claim 9,   
Pandrangi discloses 
determining a rate anomaly [0036] useful patterns
a learnt query-to-response ratio baseline 
[0036] aggregate information associated with redirected traffic during the defined timeframe
a current measured query-to-response ratio 
[0036] redirected traffic during one or more other timeframes

Neither Pandrangi nor Chesla discloses
determining a rate anomaly when a learnt query-to-response ratio baseline is higher than a current measured query-to-response ratio 

Wasiq teaches
determining a rate anomaly C7 36 potential issue
when a learnt query-to-response ratio baseline C7 30 baseline request frequency ratio
is higher than C7 32 exceeds a maximum threshold variance
a current measured query-to-response ratio C7 28 newly calculated ratio

 
Before the effective filing date, it would have been obvious to a person having ordinary skill in the art to combine the teachings of Pandrangi and Chesla with those of Wasiq as elements known in the prior art combined to yield predictable results. For example, Pandrangi discloses comparing values in [0036] but is silent with respect to the actual operator used to determine an anomaly. Wasiq cures Pandrangi's deficiency by teaching a greater-than comparison (i.e., exceed threshold) in C7 line 32 to arrive at the claimed invention.


  As to claim 17,   
Pandrangi does not disclose
wherein the detected and mitigated cyber-attack is at least a DNS-based distributed denial-of-service (DDoS) attack.
Wasiq teaches
wherein the detected and mitigated cyber-attack is at least a DNS-based distributed denial-of-service (DDoS) attack.  Fig 6 step 612

Before the effective filing date, it would have been obvious to a person having ordinary skill in the art to combine the teachings of Pandrangi and Chesla with those of Wasiq as elements known in the prior art combined to yield predictable results. For example, Pandrangi discloses detection of 'questionable domains' and 'suspicious behavior' in [0023] by analysis of DNS traffic/traffic logs, but does not specifically disclose detecting a DDoS attack. Wasiq cures Pandrangi's deficiency to arrive at the claimed invention and thereby improve the system of Pandrangi.



Claim 10 is rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over Pandrangi in view of Chesla and in further view of Manadhata et al. (US 2018/0176241, hereinafter Manadhata).

As to claim 10, Pandrangi and Chesla teach all the subject matter pointed out in the above 103 rejection of parent claim 1. 

As to claim 10,   
Pandrangi discloses 
analyzing the monitored DNS traffic 
[0036] system 100 can analyze the captured information, logs in 142 and 180
using at least one detection function
[0033] deems the query suspicious, for example, based on evaluation of the DNS query
Neither Pandrangi nor Chesla discloses
wherein analyzing the monitored DNS traffic using at least one detection function further comprises: determining an NXDOMAIN response anomaly when a ratio between incoming NXDOMAIN responses and other responses generated by the at least one name server deviates from a respective learnt baseline of the plurality of baselines.


	Manadhata teaches
wherein analyzing the monitored DNS traffic using at least one detection function 
	[0045] count of DNS queries
in view of [0021] – [0022] DNS logs
further comprises: 

determining an NXDOMAIN response anomaly
 [0021] security anomalies
	in view of  TABLE 2 NXDOMAIN responses
when a ratio TABLE 2 Percentage
between incoming NXDOMAIN responses TABLE 2 NXDOMAIN responses
and other responses TABLE 2  all responses  *denominator required for percentage
generated by the at least one name server 
	[0032] prediction engine 108 
	in view of  [0015] system 100 may implement 108 in various ways
	in further view of Fig 2 servers 212-214
in further view of  Claim 2 domain name service
deviates from a respective learnt baseline of the plurality of baselines.
	[0045] deviation criteria on a per-feature basis ... exceeds or falls below a predicted value

 
Before the effective filing date, it would have been obvious to a person having ordinary skill in the art to combine the teachings of Pandrangi and Chesla with those of Manadhata as elements known in the prior art combined to yield predictable results. For example, Pandrangi discloses detection of 'questionable domains' and 'suspicious behavior' in [0023] by analysis of DNS traffic/traffic logs, but does not specifically use the term NXDOMAIN anomaly. However, Pandrangi [0023] is suggestive of an NXDOMAIN anomaly in view of its recitation of 'bad domain', 'suspect domain', etc. Manadhata cures Pandrangi's deficiency by disclosing techniques to determine an NXDOMAIN anomaly by a 'Percentage of new top level domain queries that result in NXDOMAIN responses' to arrive at the claimed invention.







Claims 11 and 12 are rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over Pandrangi in view of Chesla and in further view of Arnell et al. (US 2017/0295196, hereinafter Arnell).

As to claims 11 and 12, Pandrangi and Chesla teach all the subject matter pointed out in the above 103 rejection of parent claim 1. 

As to claim 11,   
 
Neither Pandrangi nor Chesla discloses
wherein one of the plurality of baselines is a baseline of distribution of lengths of DNS queries received by the DNS resolver and wherein analyzing the monitored DNS traffic using at least one detection function further comprises: determining a DNS query length anomaly when a distribution of lengths of DNS queries received by the DNS resolver deviates from the distribution of lengths of DNS queries received by the DNS resolver baseline.
	Arnell teaches
wherein one of the plurality of baselines is a baseline of distribution of lengths of DNS queries received by the DNS resolver 
[0047] average DNS query length exceeds a threshold query length, an anomaly may be identified

and wherein analyzing the monitored DNS traffic using at least one detection function further comprises: 
determining a DNS query length anomaly when a distribution of lengths of DNS queries received by the DNS resolver deviates from the distribution of lengths of DNS queries received by the DNS resolver baseline.
		[0047] average DNS query length exceeds a threshold query length, an anomaly may be identified

Before the effective filing date, it would have been obvious to a person having ordinary skill in the art to combine the teachings of Pandrangi and Chesla with those of Arnell as elements known in the prior art combined to yield predictable results. For example, Pandrangi discloses detection of 'questionable domains' and 'suspicious behavior' in [0023] by analysis of DNS traffic/traffic logs.

Pandrangi suggests a DNS query length anomaly detection in [0040]: 'suspicious when number of redirects are within a predetermined window e.g. period.'

However, Pandrangi does not include the term DNS query length as an example of anomaly detection. Arnell cures Pandrangi's deficiency to arrive at the claimed invention, whereby the combination is able to detect additional anomalous traffic such as the DNS query length using the time stamps disclosed by Pandrangi, to arrive at an overall more functional and thereby improved system.
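The three checks treated in the rejections of claims 9, 10 and 11 above (a learnt query-to-response ratio baseline, an NXDOMAIN-to-all-responses ratio that deviates from a learnt baseline, and a query-length distribution that deviates from a learnt baseline) share one shape: learn a per-feature baseline over quiet traffic windows, then flag a window whose feature deviates. The Python below is an added worked example of that shape written for this page; it is not code from the applicant, Pandrangi, Chesla, Wasiq, Manadhata or Arnell. The record schema, the `make_window` helper, the constructed windows, a z-score with a floor on sigma as the concrete form of 'deviates', and a mean query length standing in for the full length distribution are all assumptions of the example.

```python
"""Baseline learning and deviation checks over windows of DNS resolver records.

Added example with constructed data; not the applicant's or any cited reference's code.
"""
from collections import namedtuple
from statistics import mean, pstdev

# Constructed record schema (assumption): one entry per DNS message seen at the resolver.
# kind is "query" or "response"; rcode is set only on responses.
DnsRecord = namedtuple("DnsRecord", "kind qname rcode")


def window_features(records):
    """Reduce one time window of records to the three features at issue."""
    queries = [r for r in records if r.kind == "query"]
    responses = [r for r in records if r.kind == "response"]
    nxdomain = [r for r in responses if r.rcode == "NXDOMAIN"]
    n_resp = max(len(responses), 1)  # avoid division by zero on an empty window
    return {
        # claim 9: query-to-response ratio
        "q2r_ratio": len(queries) / n_resp,
        # claim 10: NXDOMAIN responses relative to all responses from the name server
        "nx_ratio": len(nxdomain) / n_resp,
        # claim 11: length of the queried names (mean stands in for the distribution)
        "qlen_mean": mean([len(r.qname) for r in queries]) if queries else 0.0,
    }


def learn_baselines(training_windows):
    """Learn (mean, stddev) per feature over a series of quiet windows."""
    per_feature = {}
    for window in training_windows:
        for name, value in window_features(window).items():
            per_feature.setdefault(name, []).append(value)
    return {name: (mean(vals), pstdev(vals)) for name, vals in per_feature.items()}


def detect_anomalies(baselines, current_window, z_threshold=3.0, min_sigma=0.01):
    """Return {feature: z_score} for every feature that deviates from its baseline.

    'Deviates' is made concrete here as |z| >= z_threshold; min_sigma keeps a
    nearly constant training feature from turning tiny jitter into an alert.
    """
    findings = {}
    for name, value in window_features(current_window).items():
        mu, sigma = baselines[name]
        z = (value - mu) / max(sigma, min_sigma)
        if abs(z) >= z_threshold:
            findings[name] = round(z, 2)
    return findings


def make_window(n_queries, n_responses, n_nxdomain, qname_len):
    """Build a constructed window with the given counts and a fixed query-name length."""
    suffix = ".example.com"
    qname = "a" * (qname_len - len(suffix)) + suffix
    queries = [DnsRecord("query", qname, None)] * n_queries
    responses = [DnsRecord("response", qname, "NXDOMAIN" if i < n_nxdomain else "NOERROR")
                 for i in range(n_responses)]
    return queries + responses


# Constructed quiet windows: about one response per query, ~5% NXDOMAIN, ~20-char names.
TRAINING_WINDOWS = [
    make_window(100, 100, 5, 20),
    make_window(110, 108, 6, 21),
    make_window(90, 92, 4, 19),
    make_window(105, 104, 5, 20),
]


if __name__ == "__main__":
    baselines = learn_baselines(TRAINING_WINDOWS)
    for label, window in [
        ("quiet", make_window(100, 100, 5, 20)),
        ("nxdomain surge", make_window(100, 100, 40, 20)),
        ("responses outpace queries", make_window(60, 100, 5, 20)),
        ("long query names", make_window(100, 100, 5, 60)),
    ]:
        print(label, detect_anomalies(baselines, window))
```

Each of the three constructed anomalous windows trips exactly one feature, which is what makes a per-feature baseline useful in practice: the alert says which of the claimed measures moved, not merely that the traffic looks different.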


		
		
Claim 12 is rejected on the basis previously provided in the rejection of claim 11 because a DNS query includes a domain name.

Claim 13 is rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over Pandrangi in view of Chesla and in further view of THAKER et al. (US 2018/0115582, hereinafter THAKER).

As to claim 13, Pandrangi and Chesla teach all the subject matter pointed out in the above 103 rejection of parent claim 1. 

As to claim 13,   
Neither Pandrangi nor Chesla discloses
determining a fully qualified domain name (FQDN) anomaly when a distribution of resolved FQDNs deviates from a respective learnt baseline of the plurality of baselines.

THAKER teaches
determining a fully qualified domain name (FQDN) anomaly when a distribution of resolved FQDNs deviates from a respective learnt baseline of the plurality of baselines.
[0074] If the DNS request analysis engine determines that a DNS request is suspicious, based on the characteristics of the DNS request and the associated domain name, then the DNS request analysis engine stores the DNS request and related information in a suspicious domain cache. The DNS request analysis engine computes the distance between FQDNs of successive DNS requests to suspicious domains. The DNS request analysis engine counts the number of times the computed distance exceeds a distance threshold. If the count exceeds a count threshold, then the DNS request analysis engine identifies the domain as potentially engaging in DNS exfiltration and blocks further traffic with the domain.


Before the effective filing date, it would have been obvious to a person having ordinary skill in the art to combine the teachings of Pandrangi and Chesla with those of THAKER as elements known in the prior art combined to yield predictable results. For example, Pandrangi discloses detection of 'questionable domains' and 'suspicious behavior' in [0023] by analysis of DNS traffic/traffic logs.

However, Pandrangi does not include the term FQDN as an example of anomaly detection. THAKER cures Pandrangi's deficiency to arrive at the claimed invention, whereby the combination is able to detect additional anomalous traffic such as an FQDN anomaly, to arrive at an overall more functional and thereby improved system.
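THAKER [0074], as quoted in the rejection of claim 13 above, describes a concrete mechanism: cache requests already deemed suspicious, compute the distance between the FQDNs of successive requests to a suspicious domain, count how often that distance exceeds a distance threshold, and block the domain once the count exceeds a count threshold. The Python below is an added illustration of that mechanism written for this page, not THAKER's code. Levenshtein distance as the metric, comparing only the host labels to the left of the registered domain, a two-label 'registered domain' key, the `SuspiciousDomainCache` and `evaluate_requests` names, and the domain names in the constructed traces are all assumptions; the upstream step that deems each request suspicious is assumed to have already run.

```python
"""Successive-FQDN distance counting in the shape THAKER [0074] describes.

Added example with constructed traces; not THAKER's code or the applicant's.
"""
from collections import defaultdict


def edit_distance(a, b):
    """Levenshtein distance by the standard two-row dynamic program."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_fqdn(fqdn):
    """Return (host_labels, registered_domain); assumption: the last two labels are the domain."""
    labels = fqdn.rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


class SuspiciousDomainCache:
    """Per-domain state for requests an upstream analysis already marked suspicious."""

    def __init__(self, distance_threshold, count_threshold):
        self.distance_threshold = distance_threshold
        self.count_threshold = count_threshold
        self.last_host = {}                  # domain -> host labels of the previous request
        self.exceed_count = defaultdict(int)  # domain -> number of over-threshold distances
        self.blocked = set()

    def observe(self, fqdn):
        """Record one suspicious request; return True if its domain is (now) blocked."""
        host, domain = split_fqdn(fqdn)
        if domain in self.blocked:
            return True
        prev = self.last_host.get(domain)
        # Distance is taken between successive requests to the same domain only.
        if prev is not None and edit_distance(prev, host) > self.distance_threshold:
            self.exceed_count[domain] += 1
            if self.exceed_count[domain] > self.count_threshold:
                self.blocked.add(domain)
        self.last_host[domain] = fqdn and host
        return domain in self.blocked


def evaluate_requests(fqdns, distance_threshold=8, count_threshold=2):
    """Feed a trace through a fresh cache; return the per-request blocked decision."""
    cache = SuspiciousDomainCache(distance_threshold, count_threshold)
    return [cache.observe(f) for f in fqdns]


# Constructed trace: ordinary host names vary little between successive requests.
BENIGN_REQUESTS = [
    "www.example.com", "mail.example.com", "www.example.com", "mail.example.com",
]

# Constructed trace: successive host labels with nothing in common, as [0074] targets.
# The alternating letter-only / digit-only labels make the distance exactly 16 each time.
EXFIL_LIKE_REQUESTS = [
    "abcdefghijklmnop.exfil-example.net",
    "0123456789012345.exfil-example.net",
    "qrstuvwxyzabcdef.exfil-example.net",
    "6789012345678901.exfil-example.net",
]


if __name__ == "__main__":
    print("benign    ", evaluate_requests(BENIGN_REQUESTS))
    print("exfil-like", evaluate_requests(EXFIL_LIKE_REQUESTS))
```

With a distance threshold of 8 and a count threshold of 2, the benign trace never exceeds the distance threshold (www vs mail is a distance of 4), while the constructed high-entropy trace exceeds it on every successive pair and is blocked at the fourth request, once the exceedance count passes 2.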

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
	
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RICHARD A MCCOY whose telephone number is (313)446-6520.  The examiner can normally be reached on M - F 10 - 6.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Cordelia Zecher can be reached on 571 272 7771.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/RICHARD A MCCOY/Examiner, Art Unit 2431