Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Priority
	This Application claims priority to an Indian Patent Application # IN201911054124 filed 12/27/2019.
DETAILED ACTION
This Office Action is in response to an amendment application received on
05/31/2022. In the officially entered amendment, claim 19 is the only amended claim. Claims 21-23 have been added as new claims. Claims 1-18 and 20 remain original. 
For this Office Action, claims 1-23 have been received for consideration and have
been examined.
Claimed Foreign Priority, No Papers Certified Copy Filed
Acknowledgment is made of applicant's claim for foreign priority based on an application filed in India on 12/27/2019. It is noted, however, a certified copy of the IN201911054124 application has not been received as required by 37 CFR 1.55.






Response to Arguments
Claim Objection
	Applicant’s amendment to claim 19 have been reviewed and appear to overcome the objection. Therefore this rejection has been withdrawn.
Claim Rejection
35 USC § 102(a)(2) Rejection
Regarding 35 USC § 102(a)(2) rejection, Applicant has not submitted any substantial remarks, nominally, against the outstanding 35 USC 102 rejections. Applicant has presented remarks pertaining to claims and limitations rejected under 35 USC § 102, but included them under the 35 USC § 103 rejection title in their remarks.  These arguments have been addressed in the 103 rejection section below, since that’s how applicant presented them.
35 USC § 103 Rejection
Initially, it is noted that applicant is arguing limitations that are inconsistent with the set of claims filed with the arguments.  That is, the claims quoted to by applicant are not the same claims presented for examination.
Applicant’s remarks regarding 35 USC § 103 have been reviewed, however, they are unpersuasive. Applicant’s remarks have been summarized as follows:
With regards to claim 1, Meshi does not compare domain names in the first and second collections for determining suspicious domain names (Page # 10).
With regards to claim 2, Meshi does not disclose “wherein a suspicious domain name meets the predetermined condition when the suspicious domain name was included in a predetermined amount of second collections, but not in the first collection, for a threshold number of internal production systems” (Page # 11).
An anticipation rejection is not proper when the prior art is lacking or missing a specific feature (i.e., the aforesaid claimed features of claim 1). Applicant respectfully requests if the Examiner maintains any of the aforesaid 35 U.S.C. § 102 grounds of rejection, he specifically identify in Davis where the corresponding claimed features are specifically disclosed in the claims as amended (Page # 11).
Examiner Response
	Regarding remark # 1, that Meshi does not compare domain in the first [long time interval] and second [short time interval] collections for determining suspicious domain names, the Examiner respectfully disagree. Meshi discloses generating a ‘domain popularity profile’ that can be used to identify patterns of the specific transmissions to the given domain. The domain popularity profile consists of ‘access time profile’, ‘malicious artifact profile’ and ‘malicious domain profile’. Meshi discloses that the access time profile exclusively consists of a total number of connections to a given domain during a specific time period (see Meshi [0010]). The specific time period consists of monitoring the interaction between workstations and domain names for a long period of time (i.e., a single month (e.g., 30 days)) and a short period of time (i.e., ‘daily or hourly’) (see Meshi [0013] for explanation of ‘access time profile’). Meshi further discloses using the access time data for performing comparison between domain name data collected over a single month (e.g., 30 days) and domain name data collected over ‘daily or hourly’ to determine domain suspiciousness (Meshi [0062-0065] discloses Meshi [0077] discloses executing classification application comprising access time profile in combination of other profiles to predict/determine suspiciousness of the domain). 
	Regarding remark # 2, that Meshi does not disclose “wherein a suspicious domain name meets the predetermined condition when the suspicious domain name was included in a predetermined amount of second collections, but not in the first collection, for a threshold number of internal production systems”, examiner respectfully disagree. 
	Meshi discloses various predetermined conditions called “features in profile(s)” throughout the disclosure which are used to determine the maliciousness of the domain. Among different features, access time pattern is also a feature in the ‘access time profile’ which is used to identify patterns or features of the specific times that the given domains were accessed by the workstations, and the one or more malicious domain profiles can be used to help identify one or more domains suspected of being malicious (see [0061]). Meshi further discloses that access to a particular domain, occurring within short duration [distinct hours] of time indicates higher chance of malicious/suspicious domain versus access to a domain name which has not been accessed for given number of times in a long period of time such as in 30 days. Therefore, Meshi’s access to a domain within short duration being indicative of maliciousness is found to meet the claim limitation (see [0062-0067]). 
	Regarding remark # 3, examiner would like to clarify that the name of the prior art reference is Meshi and not Davis. Furthermore, examiner has already described in detail in above mentioned response to arguments as to how Meshi teaches every concept of the claimed invention and therefore rejection to the claims has been maintained. 




Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-2, 4-10, 12-18 and 20-23 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Meshi et al., (US20180069883A1).
Regarding claim 1, Meshi discloses:
A computer-implemented method to manage threats to a protected network having a plurality of internal production systems, the method comprising:
monitoring (i.e. collection step 120 where data is collected [monitored] and transmitted to anomaly detection system 22 for further processing; See FIG. 2-3) network traffic from the plurality of internal production systems of a protected network for domain names ([0036] FIG. 1 is a block diagram that schematically shows a computing facility 20 comprising an anomaly detection system 22 that monitors transmissions from multiple workstations 24 (also referred to as endpoints) to multiple Internet sites 26 in order to determine if any of the Internet sites are hosting malicious Command and Control (CnC) channels; [0054] In a collection step 120, processor collects, during a training period, information on data transmitted from workstations 24 to Internet sites 26, and stores the collected information to analysis records 90. Using embodiments described supra, processor 70 can collect the information from log data 54 or from data packets transmitted over network 30 (e.g., collect from probe 78 in real-time), and store the information to analysis records 90);
determining, for each internal production system of the plurality of internal production systems over the course of a long time interval (i.e. domain name data collected over a single month (e.g., 30 days) is construed as long time interval; This information is collected in Malicious artifact profiles 114; See FIG. 2), a first collection of each unique domain name that is output by the internal production system ([0062] The one or more malicious artifact profiles can be used to identify patterns or features of the specific transmissions to the given domain … Information that can be used to define the malicious artifact profiles include: [0063] Total number of connections to a given domain 44 during a specific time period (e.g., 30 days); [0086] In order to consider periodicity, embodiments of the present invention may aggregate the data collected over (for example) a single month, and only consider the destination (i.e., a given domain 94));
determining, for each internal production system over the course of a short time interval (i.e. domain name data collected over ‘daily or hourly’ is construed as short time interval; This information is collected in Malicious artifact profiles 114; See FIG. 2), a second collection of each unique domain name that is output by the internal production system ([0062] The one or more malicious artifact profiles can be used to identify patterns or features of the specific transmissions to the given domain; [0064] Average volume of all the connections to the given domain during a specific time period (e.g., daily or hourly); [0067] Examples of how the one or more access time profiles can be used to analyze the information in records 90 include: [0069] A higher number of distinct hours during a given time period (i.e., based on time 100) that a given domain 94 is accessed by workstations 24 indicates a higher suspicion that the given domain is a (malicious or benign) CnC channel);
comparing domain names (i.e. generating ‘access time profile’; See Abstract) in the first and second collections associated with the plurality of internal production systems to determine suspicious domain names that meet a predetermined condition (See FIG. 7; i.e. See [0072] for predetermined conditions [having longer domain names, having younger domain ages, having hidden registrant information] to detect malicious domain names) ([0072] Examples of how the one or more malicious domain profiles can be used to analyze the information in records 90 include, but are not limited to, assigning higher malicious domain suspiciousness to domains 90 having longer domain names, having younger domain ages, having hidden registrant information (i.e., these are only a few examples); [0073] In a first model generation step 126, processor 70 uses profiles 110, 112 and 114 to generate CnC model 82. In embodiments of the present invention, model 82 analyzes, using the features in profiles 110, 112, and 114, the data transmissions in the collected data to predict if a given domain 44 hosts a CnC channel; [0077] In a model application step 132, processor 70 (e.g., executing classification application 80) applies the CnC model (comprising profiles 110, 112 and 114) and the malicious domain model (comprising profile 116) to the information collected in step 130, and in a prediction step 134, the processor predicts (i.e., determines), suspiciousness (i.e., if any of the domains are hosting malicious CnC channels) based on respective predictions from models 82 and 84; Also See [0160-0163] for multiple comparison steps for comparing domain information for detecting suspicious); and
requesting to treat the suspicious domain names as suspicious ([0074] Finally, in a second model generation step 128, processor 70 uses profile(s) 116 to generate malicious domain model 84. In embodiments of the present invention, model 84 analyzes, using the features in profile(s) 116, the data transmissions in the collected data to predict if a given domain 44 is malicious; [0078] Finally, in an alert step 136, processor 70 generates alerts for the one or more identified domains; [0079] processor 70 can create a single malicious CnC model that can predict if a given domain 44 hosts a malicious CnC channel. In this embodiment, processor 70 can apply the malicious CnC model to the collected data (i.e., step 134) and predict, using the malicious CnC model, if a given domain 44 is suspected of hosting a malicious CnC channel (i.e., step 136)).
Regarding claim 2, Meshi discloses:
	The method of claim 1, wherein a suspicious domain name meets the predetermined condition when the suspicious domain name was included in a predetermined amount of second collections, but not in the first collection, for a threshold number of internal production systems ([0067] Examples of how the one or more access time profiles can be used to analyze the information in records 90 include: [0069] A higher number of distinct hours during a given time period (i.e., based on time 100) that a given domain 94 is accessed by workstations 24 indicates a higher suspicion that the given domain is a (malicious or benign) CnC channel.
Examiner notes that access to a particular domain occurred within short duration [distinct hours] indicates high chance of malicious/suspicious domain).
Regarding claim 4, Meshi discloses:
The method of claim 1, further comprising:
determining an attribute (i.e., Domain age according to the WHOIS record; See [0186]/ an age of the given domain; See [0049]) associated with a domain associated with a suspicious domain name of the suspicious domain names ([0049] Acquired data 88 comprises data (typically acquired from one or more external sources, as described hereinbelow) that can be used to identify information about domains 94 … As described hereinbelow, for a given data record 104 having a given domain 106, domain information 108 can include data such as … (c) an age of the given domain);
applying a condition (i.e., checking domain reputation / if domain reputation is malicious / checking domain’s age of registration) to the attribute determined (See FIG. 7; [0160] in a check step 170, processor 70 checks the reputation of the given domain (e.g., using acquired data 88, as described supra); [0161] In a third comparison step 172, if the given domain has a reputation, then in a fourth comparison step 174, processor 70 checks if the given domain's reputation is malicious. If the given domain's reputation is not malicious, then in a fifth comparison step 176, processor 70 checks if the domain is young); and
determining not to treat the suspicious domain name as suspicious when the condition is met (See FIG. 7 Flowchart steps; when determination of reputation of domain in steps 172, 174 & 176 results positive such as “Domain has a reputation? Yes” [step 172], “Reputation is Malicious? No [step 174] & “Domain is Young? No” [step 176] then process classify the given domain as “Benign/Nonthreatening”; See [0160-0163]).
Regarding claim 5, Meshi discloses:
The method of claim 4, further comprising accessing information about registration of the domain name to determine the attribute ([0057] In embodiments of the present invention, processor 70 can use information from the external sources described hereinabove to define malicious domain profiles 116. Additional examples of the information from external or internal sources that processor 70 can acquire and use for profiles 116 include: [0059] WHOIS (i.e., domain registration records). A person or organization that registered (i.e., purchased) a given domain 94 tried to hide their identity (e.g., via a 3rd party service) indicates a high suspicion that the given domain is malicious; [0060] Additionally domains 94 that are newer (i.e., age of registration) are more suspicious than domains 94 that are older).
Regarding claim 6, Meshi discloses:
The method of claim 5, wherein the attribute is age of the domain name from a time of registration as indicated by the information about registration and the condition is whether the age of the domain name is at least a threshold age ([0049] Acquired data 88 comprises data (typically acquired from one or more external sources, as described hereinbelow) that can be used to identify information about domains 94 … As described hereinbelow, for a given data record 104 having a given domain 106, domain information 108 can include data such as … (c) an age of the given domain; See FIG. 7 Flowchart steps; when determination of reputation of domain in steps 172, 174 & 176 results positive such as “Domain has a reputation? Yes” [step 172], “Reputation is Malicious? No [step 174] & “Domain is Young? No” [step 176] then process classify the given domain as “Benign/Nonthreatening”; See [0160-0163]).
Regarding claim 7, Meshi discloses:
The method of claim 1, wherein the method further includes treating the suspicious domain names as suspicious by taking a precautionary action to warn users of internal production systems in the network about the suspicious domain names ([0035] Embodiments described herein focus on communication between a malware and a domain. There can also be channels between malware and IP addresses, and some embodiments of the present invention are likewise applicable, mutatis mutandis, to detecting malicious IP addresses. Therefore, in some embodiments generating an alert for a given domain may comprise blocking access to the given domain or to any IP addresses belonging to the given domain; [0154] The final verdict of the domain is determined by a combination of the domain suspiciousness score and the domain CnC score … Alerts may be presented to a user according to the final score. For example, a “high risk” alert may be presented for domains with a high score).
Regarding claim 8, Meshi discloses:
The method of claim 1, wherein the method further includes treating the suspicious domain names as suspicious by taking a blocking action to block packets that include the suspicious domain names ([0035] Embodiments described herein focus on communication between a malware and a domain. There can also be channels between malware and IP addresses, and some embodiments of the present invention are likewise applicable, mutatis mutandis, to detecting malicious IP addresses. Therefore, in some embodiments generating an alert for a given domain may comprise blocking access to the given domain or to any IP addresses belonging to the given domain).
Regarding claim 9, Meshi discloses:
A computer system for managing threats to a network, comprising:
a memory configured to store instructions;
processor disposed in communication with said memory, wherein the processor upon execution of the instructions is configured to:
monitor (i.e. collection step 120 where data is collected [monitored] and transmitted to anomaly detection system 22 for further processing; See FIG. 2) network traffic from the plurality of internal production systems of a protected network for domain names ([0036] FIG. 1 is a block diagram that schematically shows a computing facility 20 comprising an anomaly detection system 22 that monitors transmissions from multiple workstations 24 (also referred to as endpoints) to multiple Internet sites 26 in order to determine if any of the Internet sites are hosting malicious Command and Control (CnC) channels; [0054] In a collection step 120, processor collects, during a training period, information on data transmitted from workstations 24 to Internet sites 26, and stores the collected information to analysis records 90. Using embodiments described supra, processor 70 can collect the information from log data 54 or from data packets transmitted over network 30 (e.g., collect from probe 78 in real-time), and store the information to analysis records 90);
determine, for each internal production system of the plurality of internal production systems over the course of a long time interval (i.e. domain name data collected over a single month (e.g., 30 days) is construed as long time interval; This information is collected in Malicious artifact profiles 114; See FIG. 2), a first collection of each unique domain name that is output by the internal production system ([0062] The one or more malicious artifact profiles can be used to identify patterns or features of the specific transmissions to the given domain … Information that can be used to define the malicious artifact profiles include: [0063] Total number of connections to a given domain 44 during a specific time period (e.g., 30 days); [0086] In order to consider periodicity, embodiments of the present invention may aggregate the data collected over (for example) a single month, and only consider the destination (i.e., a given domain 94));
determine, for each internal production system over the course of a short time interval (i.e. domain name data collected over ‘daily or hourly’ is construed as short time interval; This information is collected in Malicious artifact profiles 114; See FIG. 2), a second collection of each unique domain name that is output by the internal production system ([0062] The one or more malicious artifact profiles can be used to identify patterns or features of the specific transmissions to the given domain; [0064] Average volume of all the connections to the given domain during a specific time period (e.g., daily or hourly); [0067] Examples of how the one or more access time profiles can be used to analyze the information in records 90 include: [0069] A higher number of distinct hours during a given time period (i.e., based on time 100) that a given domain 94 is accessed by workstations 24 indicates a higher suspicion that the given domain is a (malicious or benign) CnC channel);
compare domain names (i.e. generating ‘access time profile’; See Abstract) in the first and second collections associated with the plurality of internal production systems to determine suspicious domain names that meet a predetermined condition (See FIG. 7; i.e. See [0072] for predetermined conditions to detect malicious domain names) ([0072] Examples of how the one or more malicious domain profiles can be used to analyze the information in records 90 include, but are not limited to, assigning higher malicious domain suspiciousness to domains 90 having longer domain names, having younger domain ages, having hidden registrant information (i.e., these are only a few examples); [0073] In a first model generation step 126, processor 70 uses profiles 110, 112 and 114 to generate CnC model 82. In embodiments of the present invention, model 82 analyzes, using the features in profiles 110, 112, and 114, the data transmissions in the collected data to predict if a given domain 44 hosts a CnC channel; [0077] In a model application step 132, processor 70 (e.g., executing classification application 80) applies the CnC model (comprising profiles 110, 112 and 114) and the malicious domain model (comprising profile 116) to the information collected in step 130, and in a prediction step 134, the processor predicts (i.e., determines), suspiciousness (i.e., if any of the domains are hosting malicious CnC channels) based on respective predictions from models 82 and 84; Also See [0160-0163] for multiple comparison steps for comparing domain information for detecting suspicious); and
request to treat the suspicious domain names as suspicious ([0074] Finally, in a second model generation step 128, processor 70 uses profile(s) 116 to generate malicious domain model 84. In embodiments of the present invention, model 84 analyzes, using the features in profile(s) 116, the data transmissions in the collected data to predict if a given domain 44 is malicious; [0078] Finally, in an alert step 136, processor 70 generates alerts for the one or more identified domains; [0079] processor 70 can create a single malicious CnC model that can predict if a given domain 44 hosts a malicious CnC channel. In this embodiment, processor 70 can apply the malicious CnC model to the collected data (i.e., step 134) and predict, using the malicious CnC model, if a given domain 44 is suspected of hosting a malicious CnC channel (i.e., step 136)).
Regarding claim 10, Meshi discloses:
The computer system of claim 9, wherein a suspicious domain name meets the predetermined condition when the suspicious domain name was included in a predetermined amount of second collections, but not in the first collection, for a threshold number of internal production systems ([0067] Examples of how the one or more access time profiles can be used to analyze the information in records 90 include: [0069] A higher number of distinct hours during a given time period (i.e., based on time 100) that a given domain 94 is accessed by workstations 24 indicates a higher suspicion that the given domain is a (malicious or benign) CnC channel.
Examiner notes that access to a particular domain occurred within short duration [distinct hours] indicates high chance of malicious/suspicious domain).
Regarding claim 12, Meshi discloses:
The computer system of claim 9, wherein the processor upon execution of the instructions is further configured to:
determine an attribute (i.e., Domain age according to the WHOIS record; See [0186]/ an age of the given domain; See [0049]) associated with a domain associated with a suspicious domain name of the suspicious domain names ([0049] Acquired data 88 comprises data (typically acquired from one or more external sources, as described hereinbelow) that can be used to identify information about domains 94 … As described hereinbelow, for a given data record 104 having a given domain 106, domain information 108 can include data such as … (c) an age of the given domain);
apply a condition (i.e., checking domain reputation / if domain reputation is malicious / checking domain’s age of registration) to the attribute determined (See FIG. 7; [0160] in a check step 170, processor 70 checks the reputation of the given domain (e.g., using acquired data 88, as described supra); [0161] In a third comparison step 172, if the given domain has a reputation, then in a fourth comparison step 174, processor 70 checks if the given domain's reputation is malicious. If the given domain's reputation is not malicious, then in a fifth comparison step 176, processor 70 checks if the domain is young); and
determine not to treat the suspicious domain name as suspicious when the condition is met (See FIG. 7 Flowchart steps; when determination of reputation of domain in steps 172, 174 & 176 results positive such as “Domain has a reputation? Yes” [step 172], “Reputation is Malicious? No [step 174] & “Domain is Young? No” [step 176] then process classify the given domain as “Benign/Nonthreatening”; See [0160-0163]).
Regarding claim 13, Meshi discloses:
The computer system of claim 12, wherein the processor upon execution of the instructions is further configured to access information about registration of the domain name to determine the attribute ([0057] In embodiments of the present invention, processor 70 can use information from the external sources described hereinabove to define malicious domain profiles 116. Additional examples of the information from external or internal sources that processor 70 can acquire and use for profiles 116 include: [0059] WHOIS (i.e., domain registration records). A person or organization that registered (i.e., purchased) a given domain 94 tried to hide their identity (e.g., via a 3rd party service) indicates a high suspicion that the given domain is malicious; [0060] Additionally domains 94 that are newer (i.e., age of registration) are more suspicious than domains 94 that are older).
Regarding claim 14, Meshi discloses:
The computer system of claim 13, wherein the attribute is age of the domain name from a time of registration as indicated by the information about registration, and the condition is whether the age of the domain name is at least a threshold age ([0049] Acquired data 88 comprises data (typically acquired from one or more external sources, as described hereinbelow) that can be used to identify information about domains 94 … As described hereinbelow, for a given data record 104 having a given domain 106, domain information 108 can include data such as … (c) an age of the given domain; See FIG. 7 Flowchart steps; when determination of reputation of domain in steps 172, 174 & 176 results positive such as “Domain has a reputation? Yes” [step 172], “Reputation is Malicious? No [step 174] & “Domain is Young? No” [step 176] then process classify the given domain as “Benign/Nonthreatening”; See [0160-0163]).
Regarding claim 15, Meshi discloses:
The computer system of claim 9, wherein the processor upon execution of the instructions is further configured to treat the suspicious domain names as suspicious, including taking a precautionary action to warn users of internal production systems in the network about the suspicious domain names ([0035] Embodiments described herein focus on communication between a malware and a domain. There can also be channels between malware and IP addresses, and some embodiments of the present invention are likewise applicable, mutatis mutandis, to detecting malicious IP addresses. Therefore, in some embodiments generating an alert for a given domain may comprise blocking access to the given domain or to any IP addresses belonging to the given domain; [0154] The final verdict of the domain is determined by a combination of the domain suspiciousness score and the domain CnC score … Alerts may be presented to a user according to the final score. For example, a “high risk” alert may be presented for domains with a high score).
Regarding claim 16, Meshi discloses:
The computer system of claim 9, wherein the processor upon execution of the instructions is further configured to treat the suspicious domain names as suspicious, including taking a blocking action to block packets that include the suspicious domain names ([0035] Embodiments described herein focus on communication between a malware and a domain. There can also be channels between malware and IP addresses, and some embodiments of the present invention are likewise applicable, mutatis mutandis, to detecting malicious IP addresses. Therefore, in some embodiments generating an alert for a given domain may comprise blocking access to the given domain or to any IP addresses belonging to the given domain).
Regarding claim 17, Meshi discloses:
A non-transitory computer readable storage medium and one or more computer programs embedded therein, the computer programs comprising instructions, which when executed by a computer system, cause the computer system to:
monitor (i.e. collection step 120 where data is collected [monitored] and transmitted to anomaly detection system 22 for further processing; See FIG. 2) network traffic from the plurality of internal production systems of a protected network for domain names ([0036] FIG. 1 is a block diagram that schematically shows a computing facility 20 comprising an anomaly detection system 22 that monitors transmissions from multiple workstations 24 (also referred to as endpoints) to multiple Internet sites 26 in order to determine if any of the Internet sites are hosting malicious Command and Control (CnC) channels; [0054] In a collection step 120, processor collects, during a training period, information on data transmitted from workstations 24 to Internet sites 26, and stores the collected information to analysis records 90. Using embodiments described supra, processor 70 can collect the information from log data 54 or from data packets transmitted over network 30 (e.g., collect from probe 78 in real-time), and store the information to analysis records 90);
determine, for each internal production system of the plurality of internal production systems over the course of a long time interval (i.e. domain name data collected over a single month (e.g., 30 days) is construed as long time interval; This information is collected in Malicious artifact profiles 114; See FIG. 2), a first collection of each unique domain name that is output by the internal production system ([0062] The one or more malicious artifact profiles can be used to identify patterns or features of the specific transmissions to the given domain … Information that can be used to define the malicious artifact profiles include: [0063] Total number of connections to a given domain 44 during a specific time period (e.g., 30 days); [0086] In order to consider periodicity, embodiments of the present invention may aggregate the data collected over (for example) a single month, and only consider the destination (i.e., a given domain 94));
determine, for each internal production system over the course of a short time interval (i.e. domain name data collected over ‘daily or hourly’ is construed as short time interval; This information is collected in Malicious artifact profiles 114; See FIG. 2), a second collection of each unique domain name that is output by the internal production system ([0062] The one or more malicious artifact profiles can be used to identify patterns or features of the specific transmissions to the given domain; [0064] Average volume of all the connections to the given domain during a specific time period (e.g., daily or hourly); [0067] Examples of how the one or more access time profiles can be used to analyze the information in records 90 include: [0069] A higher number of distinct hours during a given time period (i.e., based on time 100) that a given domain 94 is accessed by workstations 24 indicates a higher suspicion that the given domain is a (malicious or benign) CnC channel);
compare domain names (i.e. generating ‘access time profile’; See Abstract) in the first and second collections associated with the plurality of internal production systems to determine suspicious domain names that meet a predetermined condition (See; FIG. 7; i.e. See [0072] for predetermined conditions to detect malicious domain names) ([0072] Examples of how the one or more malicious domain profiles can be used to analyze the information in records 90 include, but are not limited to, assigning higher malicious domain suspiciousness to domains 90 having longer domain names, having younger domain ages, having hidden registrant information (i.e., these are only a few examples); [0073] In a first model generation step 126, processor 70 uses profiles 110, 112 and 114 to generate CnC model 82. In embodiments of the present invention, model 82 analyzes, using the features in profiles 110, 112, and 114, the data transmissions in the collected data to predict if a given domain 44 hosts a CnC channel; [0077] In a model application step 132, processor 70 (e.g., executing classification application 80) applies the CnC model (comprising profiles 110, 112 and 114) and the malicious domain model (comprising profile 116) to the information collected in step 130, and in a prediction step 134, the processor predicts (i.e., determines), suspiciousness (i.e., if any of the domains are hosting malicious CnC channels) based on respective predictions from models 82 and 84; Also See [0160-0163] for multiple comparison steps for comparing domain information for detecting suspicious); and
request to treat the suspicious domain names as suspicious ([0074] Finally, in a second model generation step 128, processor 70 uses profile(s) 116 to generate malicious domain model 84. In embodiments of the present invention, model 84 analyzes, using the features in profile(s) 116, the data transmissions in the collected data to predict if a given domain 44 is malicious; [0078] Finally, in an alert step 136, processor 70 generates alerts for the one or more identified domains; [0079] processor 70 can create a single malicious CnC model that can predict if a given domain 44 hosts a malicious CnC channel. In this embodiment, processor 70 can apply the malicious CnC model to the collected data (i.e., step 134) and predict, using the malicious CnC model, if a given domain 44 is suspected of hosting a malicious CnC channel (i.e., step 136)).
Regarding claim 18, Meshi discloses:
The non-transitory computer readable storage medium of claim 17, wherein a suspicious domain name meets the predetermined condition when the suspicious domain name was included in a predetermined amount of second collections, but not in the first collection, for a threshold number of internal production systems ([0067] Examples of how the one or more access time profiles can be used to analyze the information in records 90 include: [0069] A higher number of distinct hours during a given time period (i.e., based on time 100) that a given domain 94 is accessed by workstations 24 indicates a higher suspicion that the given domain is a (malicious or benign) CnC channel.
Examiner notes that access to a particular domain occurred within short duration [distinct hours] indicates high chance of malicious/suspicious domain). 
Regarding claim 20, Meshi discloses:
The non-transitory computer readable storage medium of claim 17, wherein the computer system is further caused to:
determine an attribute (i.e., Domain age according to the WHOIS record; See [0186]/ an age of the given domain; See [0049]) associated with a domain associated with a suspicious domain name of the suspicious domain names ([0049] Acquired data 88 comprises data (typically acquired from one or more external sources, as described hereinbelow) that can be used to identify information about domains 94 … As described hereinbelow, for a given data record 104 having a given domain 106, domain information 108 can include data such as … (c) an age of the given domain);
apply a condition (i.e., checking domain reputation / if domain reputation is malicious / checking domain’s age of registration) to the attribute determined (See FIG. 7; [0160] in a check step 170, processor 70 checks the reputation of the given domain (e.g., using acquired data 88, as described supra); [0161] In a third comparison step 172, if the given domain has a reputation, then in a fourth comparison step 174, processor 70 checks if the given domain's reputation is malicious. If the given domain's reputation is not malicious, then in a fifth comparison step 176, processor 70 checks if the domain is young); and
determine not to treat the suspicious domain name as suspicious when the condition is met (See FIG. 7 Flowchart steps; when determination of reputation of domain in steps 172, 174 & 176 results positive such as “Domain has a reputation? Yes” [step 172], “Reputation is Malicious? No [step 174] & “Domain is Young? No” [step 176] then process classify the given domain as “Benign/Nonthreatening”; See [0160-0163]).
Regarding claim 21, Meshi discloses:
The method of claim 1, wherein monitoring the network traffic, determining the first collection, determining the second collection, and comparing the domain names are performed in real time, and/or the long term interval is the most recent long time interval completed ([0043] & [0045] discloses ‘a probe’ which collects data in real-time from the network communication between workstations to internet sites and passes that information to processor of anomaly detection system).
Regarding claim 22, Meshi discloses:
The computer system of claim 9, wherein the processor is configured to monitor the network traffic, determine the first collection, determine the second collection, and compare the domain names in real time, and/or the long term interval is the most recent long time interval completed ([0043] & [0045] discloses ‘a probe’ which collects data in real-time from the network communication between workstations to internet sites and passes that information to processor of anomaly detection system).
Regarding claim 23, Meshi discloses:
The non-transitory computer readable storage medium of claim 17, wherein the computer system is caused to monitor the network traffic, determine the first collection, determine the second collection, and compare the domain names in real time, and/or the long term interval is the most recent long time interval completed ([0043] & [0045] discloses ‘a probe’ which collects data in real-time from the network communication between workstations to internet sites and passes that information to processor of anomaly detection system).


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 3, 11 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Meshi et al., (US20180069883A1) in view of Cooley., (US7496634B1).
Regarding claim 3, Meshi does not explicitly discloses:
The method of claim 1, further comprising comparing the suspicious domain names to a white list, wherein only the suspicious domain names that are not on the white list are treated as suspicious.
However, Cooley discloses:
	comparing the suspicious domain names to a white list, wherein only the suspicious domain names that are not on the white list are treated as suspicious (Col. 4, Line # 25-33; Subsequently, the message manager 100 accesses a white list of authorized domains and the comparison module 130 compares the domain pointed to by each link found in the text of the message to the white list of authorized domains. In that embodiment, when each domain associated with each link found in the text of the message matches 240 a domain found in the white list, the message manager determines 255 that the message is not a phishing message, and typically allows the user to access the message).
	It would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to modify the Meshi reference and have a system which compares the domain names against the databases or source of white list domain names, as disclosed by Cooley.
	The motivation to have a system which compares the domain names against the databases or source of white list domain names is to detect suspicious domain names and protect the endpoint computers from potential malicious attacks (See Cooley: Col. 4, Line # 14-47).
Regarding claim 11, Meshi does not explicitly discloses:
The computer system of claim 9, wherein the processor upon execution of the instructions is further configured to compare the suspicious domain names to a white list, wherein only the suspicious domain names that are not on the white list are treated as suspicious.
However, Cooley discloses:
	comparing the suspicious domain names to a white list, wherein only the suspicious domain names that are not on the white list are treated as suspicious (Col. 4, Line # 25-33; Subsequently, the message manager 100 accesses a white list of authorized domains and the comparison module 130 compares the domain pointed to by each link found in the text of the message to the white list of authorized domains. In that embodiment, when each domain associated with each link found in the text of the message matches 240 a domain found in the white list, the message manager determines 255 that the message is not a phishing message, and typically allows the user to access the message).
	It would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to modify the Meshi reference and have a system which compares the domain names against the databases or source of white list domain names, as disclosed by Cooley.
	The motivation to have a system which compares the domain names against the databases or source of white list domain names is to detect suspicious domain names and protect the endpoint computers from potential malicious attacks (See Cooley: Col. 4, Line # 14-47).
Regarding claim 19, Meshi does not explicitly discloses:
The non-transitory computer readable storage medium of claim 17, wherein the computer system is further caused to compare the suspicious domain names to a white list, wherein only the suspicious domain names that are not on the white list are treated as suspicious.
However, Cooley discloses:
	comparing the suspicious domain names to a white list, wherein only the suspicious domain names that are not on the white list are treated as suspicious (Col. 4, Line # 25-33; Subsequently, the message manager 100 accesses a white list of authorized domains and the comparison module 130 compares the domain pointed to by each link found in the text of the message to the white list of authorized domains. In that embodiment, when each domain associated with each link found in the text of the message matches 240 a domain found in the white list, the message manager determines 255 that the message is not a phishing message, and typically allows the user to access the message).
	It would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to modify the Meshi reference and have a system which compares the domain names against the databases or source of white list domain names, as disclosed by Cooley.
	The motivation to have a system which compares the domain names against the databases or source of white list domain names is to detect suspicious domain names and protect the endpoint computers from potential malicious attacks (See Cooley: Col. 4, Line # 14-47).


Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SYED M AHSAN whose telephone number is (571)272-5018. The examiner can normally be reached 8:30 AM - 6:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffery L. Nickerson can be reached on 469-295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Jeffrey Nickerson/Supervisory Patent Examiner, Art Unit 2432                                                                                                                                                                                                        

/S.M.A./Patent Examiner, Art Unit 2432