Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
Claims 1-21 are pending.
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 5/26/2022 has been entered.
 

Response to Arguments
Applicant's arguments with respect to the prior art rejections of the claims have been considered but are moot in view of the new ground(s) of rejection, particularly the application of Minea.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1-21 are rejected under 35 U.S.C. 103 as being unpatentable over Harlacher et al. (US Pub. No. 2015/0264070), hereafter, “Harlacher,” in view of Minea et al. (US Pub. No. 2017/0126706), hereafter, “Minea,” and Qi et al. (BotCensor: Detecting DGA-Based Botnet Using Two-Stage Anomaly Detection, 2018 17th IEEE International Conference on Trust, Security and Privacy in Computing and Communications/12th IEEE International Conference on Big Data Science and Engineering, August 1, 2018, Pages 754-762; cited on IDS dated 3/24/2021), hereafter, “Qi.”

As to claim 1, Harlacher discloses a system, comprising: a processor configured to (Abstract): 
receive a DNS query in response to a client device making a DNS resolution request (Fig. 1C and [0024], particularly, “An infected host (e.g. network client 160, FIG. 1B) can establish a C&C communication (destined for the C&C server 152) by first using a DNS query to obtain the IP address of a C&C server 152. The detection system 100 (FIG. 1B) may obtain a copy of the DNS request and the matching response through the network switch 154 (FIG. 1B), as according to some embodiments.); 
determine whether the DNS query received in response to the client device making the DNS resolution request implicates an algorithmically generated domain (AGD) based at least in part by performing analysis on a domain included in the received query (Fig. 1C and [0024], particularly, “After extracting the one or more domain names out of the DNS response, a passive classification engine 102 may determine whether the requested domain name is a potential AGD at 104 (FIG. 1C).”); 
in response to determining that the DNS query received from the client device implicates an AGD, cause a remedial action ([0020], particularly, “At 120, a Domain Name AGD Classifier (e.g. classifier module) may process a domain name extracted from a DNS response to determine whether the name is an Algorithm Generated Domain (AGD)…If the domain name is determined to be an AGD, but the domain has not been registered, the process may skip the checking (e.g. 122) and continue to further processing during scoring and reporting at 124.” and [0031], particularly, “In some embodiments, a score module 147 may be implemented to analyze the extracted item memory 199, score the detections in the type-structured data 173, and correlate the detections with host ID data…In some embodiments, the score module may generate the alert data or query responses as reporting output 143.”); 
a memory coupled to the processor and configured to provide the processor with instructions (Abstract).
However, Harlacher does not explicitly disclose in response to determining that the DNS query received from the client device implicates an AGD, cause a remedial action to be taken against the client device.
But, Minea discloses in response to determining that a client device’s activity implicates an AGD, cause a remedial action to be taken against the client device (Fig. 1, label 10, [0026]-[0027], particularly, “Some processes executing on client system 10 may be malicious. In particular, some processes may potentially execute DGAs. In some cases, the malware may be hosted by a virtual machine running on client system 10… When DGA malware is detected, the security application further identifies a set of domain names generated by the DGA, and blacklists the set of domain names. The blacklisted domain names may be transmitted as part of software updates to instances of security applications running on multiple client and/or server computers, to facilitate protecting such systems.”).
Therefore it would have been obvious to one of ordinary skill in the art prior to the effective filing date of the application to combine the teachings of Harlacher and Minea in order to provide a means to mitigate the harm that may be caused by clients that are carrying out malicious activities.
However, the combination of Harlacher and Minea does not explicitly disclose the analysis is Markov Chain analysis.
But, Qi discloses a processor configured to (page 754, Abstract): 
receive a DNS query (Fig. 2, and page 756, right column, 3rd paragraph, particularly, “The first-stage anomaly detection mainly analyzes domain names extracted from DNS traffic as seen from the above layer in Figure 2.”); 
perform Markov Chain analysis on a domain included in the received query (page 756, left column, particularly, “For convenience we exploit the First-order Markov chain to model our first-stage anomaly detection. It is well known that a domain name d consists of a set of labels separated by dots, for example, www.domain.com... ”); and 
determine whether the received query implicates an algorithmically generated domain based at least in part on a result of the Markov Chain analysis (page 756, left column last paragraph, “As shown in the lower part of the Figure 2, the second-stage anomaly detection mainly focuses on differentiating DGA-bots from legitimate hosts.” and Abstract, particularly, “In this paper, we present BotCensor, a new system that can determine if a host is infected with certain DGA malware with two-stage anomaly detection.”).
Therefore it would have been obvious to one of ordinary skill in the art prior to the effective filing date of the application to combine the teachings of Harlacher and Minea with Qi in order to provide a known and reliable means of accurately identifying algorithmically generated domain names.

As to claims 15 and 21, they are rejected by a similar rationale to that set forth in claim 1’s rejection.

As to claims 2 and 16, the teachings of Harlacher, Minea, and Qi as combined for the same reasons set forth in claim 1’s rejection further disclose determining that the received DNS query implicates the AGD includes evaluating historical resolution information (Qi, page 756-757, section B, particularly, “Most of the DGA-generated domains that a bot queries would result in NXdomains responses, hence successfully DNS replies to DNS queries ratio of DGA-bots is smaller than that of legitimate hosts” and Harlacher, [0033], particularly, “In some embodiments, the process of creating such a model depends on substantial quantities of labeled domain names 230, which are large sets of data describing normal (non-AGD) domain names popularly used on the Internet, as well as a smaller set of known bad past AGDs.”).

As to claims 3 and 17, the teachings of Harlacher, Minea, and Qi as combined for the same reasons set forth in claim 1’s rejection further disclose the historical resolution information comprises a count of resolutions (Qi, page 756-757, section B, particularly, “The number of DNS queries sent by DGA-bots is different from that by legitimate users in confined time. Besides, DGA-bots regularly request AGDs e.g., Zeusbots sent a DNS request every five seconds, but in contrast the randomness of legitimate users query a DNS is more strong…Feature 1: the rate of successful DNS responses to DNS queries within limited time.”).

As to claims 4 and 18, the teachings of Harlacher, Minea, and Qi as combined for the same reasons set forth in claim 1’s rejection further disclose the historical resolution information comprises an interval between a first resolution and a last resolution (Qi, page 756-757, section B, particularly, “The number of DNS queries sent by DGA-bots is different from that by legitimate users in confined time. Besides, DGA-bots regularly request AGDs e.g., Zeusbots sent a DNS request every five seconds, but in contrast the randomness of legitimate users query a DNS is more strong…Feature 1: the rate of successful DNS responses to DNS queries within limited time.”).

As to claims 5 and 19, the teachings of Harlacher, Minea, and Qi as combined for the same reasons set forth in claim 1’s rejection further disclose the Markov Chain model is trained at least in part using a set of known algorithmically generated domains (Qi, page 757, section A, particularly, “Hence BotCensor requires a mass of legitimate domain data as training dataset and malicious domain data as testing dataset in the first anomaly detection process.”).

As to claim 6, the teachings of Harlacher, Minea, and Qi as combined for the same reasons set forth in claim 1’s rejection further disclose the Markov Chain model is trained at least in part using a set of known benign domains (Qi, page 757, section A, particularly, “Hence BotCensor requires a mass of legitimate domain data as training dataset and malicious domain data as testing dataset in the first anomaly detection process.”).

As to claims 7 and 20, the teachings of Harlacher, Minea, and Qi as combined for the same reasons set forth in claim 1’s rejection further disclose the processor is further configured to determine whether the domain is associated with a family of algorithmically generated domains (Qi, page 754, right column, particularly, “Besides, it is unreasonable that they employ NXdomain [17] replies alone to infer the families of AGDs.”).

As to claim 8, the teachings of Harlacher, Minea, and Qi as combined for the same reasons set forth in claim 1’s rejection further disclose determining that the domain is associated with the family of algorithmically generated domains includes using a random forest trained using features extracted from algorithmically generated domain families (Qi, page 756-757, section B, particularly, “After the feature extraction, we exploit three novelty detection algorithms (i.e., One-Class SVM with non-linear kernel (RBF) [29], Isolation Forest [30], Multivariate Gaussian [31]) to identify the abnormal hosts i.e., DGA-bots.”).

As to claim 9, the teachings of Harlacher, Minea, and Qi as combined for the same reasons set forth in claim 1’s rejection further disclose at least one feature comprises a domain suffix (Qi, page 756, section A).

As to claim 10, the teachings of Harlacher, Minea, and Qi as combined for the same reasons set forth in claim 1’s rejection further disclose at least one feature comprises a count of hyphens (Qi, page 756-757, section B, particularly, “Note that we only consider the first level of a chosen prefix such as domain.com referring to [28]. Literally, a domain actually consists of 26 English letters, 10 numbers, ’-’ and a period.”).

As to claim 11, the teachings of Harlacher, Minea, and Qi as combined for the same reasons set forth in claim 1’s rejection further disclose at least one feature comprises a domain length (Qi, page 756-757, section B, particularly, “Therefore the probability of any domain can be computed according to the Equation 5. It makes sense to do so. Generally speaking, a humanly generated domain is user-friendly and easy to remember, but an AGD is not. Hence, the larger the probability of a domain name, the stronger its legitimacy.”).

As to claim 12, the teachings of Harlacher, Minea, and Qi as combined for the same reasons set forth in claim 1’s rejection further disclose at least one feature comprises a distinct number of characters (Qi, page 756-757, section B, particularly, “Literally, a domain actually consists of 26 English letters, 10 numbers, ’-’ and a period. Hence, a shining and intuitive idea is that we can regard 38 elements (i.e., 26 English letters, 10 numbers, ’-’ and a period) as 38 states, and the transition matrix A (as shown in Equation 6) contains the transition probabilities of any two states.”).

As to claim 13, the teachings of Harlacher, Minea, and Qi as combined for the same reasons set forth in claim 1’s rejection further disclose at least one feature comprises a ratio of digits to other characters (Qi, page 756-757, section B, particularly, “Literally, a domain actually consists of 26 English letters, 10 numbers, ’-’ and a period. Hence, a shining and intuitive idea is that we can regard 38 elements (i.e., 26 English letters, 10 numbers, ’-’ and a period) as 38 states, and the transition matrix A (as shown in Equation 6) contains the transition probabilities of any two states.”).

As to claim 14, the teachings of Harlacher, Minea, and Qi as combined for the same reasons set forth in claim 1’s rejection further disclose at least one feature comprises whether the first character of a root domain is a digit (Qi, page 756-757, section B, particularly, “Literally, a domain actually consists of 26 English letters, 10 numbers, ’-’ and a period. Hence, a shining and intuitive idea is that we can regard 38 elements (i.e., 26 English letters, 10 numbers, ’-’ and a period) as 38 states, and the transition matrix A (as shown in Equation 6) contains the transition probabilities of any two states.”).
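The first-stage detector attributed to Qi in the rejection of claim 1 and claims 12-14 (a first-order Markov chain whose 38 states are the 26 letters, 10 digits, ’-’ and a period, with a transition matrix A learned from legitimate domains), worked as an added example that is not code from the application, the Office action or the BotCensor paper: the benign training corpus, the Laplace smoothing, the per-character averaging and the -3.0 cut-off are assumptions chosen for illustration.

```python
import math
import string
# The 38 states named in the Qi reference: 26 letters, 10 digits, '-' and '.'
STATES = string.ascii_lowercase + string.digits + "-."
INDEX = {c: i for i, c in enumerate(STATES)}

def tokens(domain):
    # Lower-case and keep only characters in the 38-state alphabet
    return [c for c in domain.lower() if c in INDEX]

class DomainMarkovModel:
    def __init__(self, alpha=1.0):
        # alpha: Laplace smoothing (assumption) so unseen transitions are not zero
        self.alpha = alpha
        self.counts = [[0] * len(STATES) for _ in STATES]  # transition counts A

    def train(self, benign_domains):
        # Count character-to-character transitions in known benign domains
        for d in benign_domains:
            t = tokens(d)
            for a, b in zip(t, t[1:]):
                self.counts[INDEX[a]][INDEX[b]] += 1

    def transition_prob(self, a, b):
        row = self.counts[INDEX[a]]
        return (row[INDEX[b]] + self.alpha) / (sum(row) + self.alpha * len(STATES))

    def score(self, domain):
        # Mean log transition probability per character pair; higher means
        # the domain looks more like the benign training data
        t = tokens(domain)
        if len(t) < 2:
            return float("-inf")
        logp = sum(math.log(self.transition_prob(a, b)) for a, b in zip(t, t[1:]))
        return logp / (len(t) - 1)

    def is_agd(self, domain, threshold=-3.0):
        # The cut-off is an assumed value; tune it on held-out data in practice
        return self.score(domain) < threshold

# Constructed benign corpus (tiny; a real deployment trains on a large set)
BENIGN = ["google.com", "facebook.com", "wikipedia.org", "example.com",
          "microsoft.com", "amazon.com", "github.com", "stackoverflow.com",
          "mozilla.org", "apple.com", "netflix.com", "linkedin.com",
          "university.edu", "weather.gov", "reddit.com", "twitter.com"]
RANDOM_LOOKING = "xkq3v9zt7lpm4wqj.com"  # constructed string, not a real indicator

def build_model():
    model = DomainMarkovModel()
    model.train(BENIGN)
    return model
```

With this corpus a pronounceable name such as google.com scores around -2.4 per transition while the constructed random-looking name scores around -3.3, which is the separation the per-domain probability of the first-stage detection relies on.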

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to THOMAS J DAILEY whose telephone number is (571)270-1246.  The examiner can normally be reached on 9:30am-6:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Thu Nguyen can be reached on 571-272-6967.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/Thomas J Dailey/
Examiner, Art Unit 2452