DETAILED ACTION
This is a non-final office action in response to applicant’s communication filed on 12/8/2020.
Claims 1-26 are pending and being considered.
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Priority
Applicant’s claim for the benefit of a prior-filed application (No. 63/198,059, filled on 9/25/2020) under 35 U.S.C. 119(e) or under 35 U.S.C. 120, 121, 365(c), or 386(c) is acknowledged. 
Claim Objections
Claims 1-3, 5-6, 17-18 are objected to because of the following informalities:  
Claim 1 last line, “… to access a malicious website …” may read “… to access the malicious website …”. Similarly, for claim 17.
Claim 3 line 2, “the list of … are maintained …” may read “the list of … is maintained …”.
Dependent claims 2, 5, 6, 18 each recites “the users” which may read “the one or more users” according to their respective independent claims.
Claim 5 line 3, “the access requests” mat read “the one or more access requests”.
Claim Interpretation(s) - 35 USC § 112(f)
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.


The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  
Such claim limitation(s) is/are: 
"an inspection component configured to …” in claim 1.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1, 7, 13-14, 16-17, 23-24, 26 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
a. 	Claim 1 lines 11-12 recites “… without the corresponding domain name of the website or resource”. There is insufficient antecedent basis for limitations underlined in the claim. It is not clear “the website or resource” is one of “certain websites or resources” recited earlier in the claim.
Similarly, claim 17 lines 10-11;
b.	Claim 7 line 4 recites “the top-level domain”. There is insufficient antecedent basis for this limitation in the claim.
c.	Claims 13, 14, 23, 24 each recites “the block database” respectively. There is insufficient antecedent basis for this limitation in the claim.
d.	Claim 16, 26 each recites “the IP address-only access request”. There is insufficient antecedent basis for this limitation in the claim.
Appropriate correction is required.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-6, 11-12, 14, 17-22, 24 are rejected under 35 U.S.C. 103 as being unpatentable over Lee et al (US20200314064A1, hereinafter, "Lee"), in view of Tazuma (US20050235044A1, hereinafter, “Tazuma”).
Regarding claim 1, Lee teaches:
A system to support Internet traffic inspection (Lee, discloses device and method for determining connection request to target destination with domain name server query identifying a permissible destination instead of malicious destination, see [Abstract]), comprising: 
an inspection component configured to constantly monitor and intercept Internet traffic in form of one or more access requests from one or more users to access certain websites or resources hosted on a server on Internet (Lee, fig. 1A, verification device. And [0028] Verification device 220 includes one or more devices (e.g., one or more traffic transfer devices) capable of processing and/or transferring traffic between user device 210 and target destination server device 230); 
identify a pair of domain name and its corresponding IP address from each of the intercepted one or more access requests and save the pair to a Domain Name System (DNS) cache (Lee, [0018] As further shown in FIG. 1B, and by reference number 166, verification device 104 can store connection establishment information in DNS query cache 168. For example, verification device 104 can store information identifying a domain name, an IP address, and/or the like based on performing the security verification on the domain name and determining the IP address that corresponds to the domain name. And [0042] As further shown in FIG. 4, process 400 can include determining whether information identifying the target destination matches information identifying a permissible destination, included in a set of permissible destinations, identified in connection with a second network connection request, wherein the second network connection request included a prior DNS query and was received prior to the first network connection request being received, and wherein a prior security verification was performed in connection with the second network connection request and the prior DNS query (block 420)); 
look up a domain name of a newly intercepted access request from the DNS cache via an IP address of the newly intercepted access request if the newly intercepted access request contains only the IP address without the corresponding domain name of the website or resource (Lee, [0009] However, some user devices can provide connection requests that do not include DNS queries. For example, a gateway device can receive, from a user device, a connection request that includes an IP address of a target destination, without providing a domain name, ... In this case, if the target destination is a malicious destination, the gateway device could direct the user device to the malicious destination without performing a security verification. And [0041] As shown in FIG. 4, process 400 can include receiving a first network connection request (i.e. newly intercepted access request), that does not include a domain name server (DNS) query, for establishment of a connection to a target destination (block 410)); 
[redirect the newly intercepted access request to a proxy server for further inspection] if no domain name corresponding to the IP address of the newly intercepted access request is found in the DNS cache (Lee, [0010] Some implementations described herein provide domain name server based validation of network connections. For example, a verification device can receive a connection request identifying an IP address or IP addresses, and can determine whether the IP address or IP addresses is/are stored in a DNS query cache that stores information identifying IP addresses corresponding to domain names for which a security verification was performed in connection with fulfilling a previous connection request. Based on an IP address being included in the DNS query cache, the verification device can confirm that a security verification was performed on a domain name corresponding to the IP address and the IP address was determined to not be associated with a malicious destination); [said proxy server ] configured to determine whether the redirected access request is to access a malicious website or resource or not; handle the redirected access request accordingly based on whether the redirected access request is to access a malicious website or resource or not (Lee, See fig. 4, determine whether information identifying the target destination matches information identifying a permissible destination, i.e. malicious website or resource or not, e.g. [0013] For example, verification device 104 can determine whether the target destination is a malicious destination. Establish the connection 430 or block the connection 440 (i.e. handle)).
While Lee teaches the main concept of the invention that redirect the newly intercepted access request to be determined whether the web access request is directed to a permissible destination and handle the request accordingly by the verification device, but does not explicitly teach redirected by proxy server in the following limitation, Tazuma in the same field of endeavor teaches:
redirect the newly intercepted access request to a proxy server for further inspection (Tazuma, discloses method of redirecting a browser in a network by detecting a web request by the browser sent to the fake IP address, and redirecting the browser to a redirect address based on the detecting, see [Abstract]. And fig. 1, Gateway device (i.e. proxy server). And [0005] The present invention, … is directed to a method of redirecting a browser in a network. A fake IP address is provided to the browser in response to an attempt to resolve a non-resolvable DNS query by the browser for a destination address. The method also includes detecting a web request by the browser sent to the fake IP address, and redirecting the browser to a redirect address based on the detecting).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Tazuma in the domain name server based validation of network connections of Lee by using gateway device as proxy server to detect and redirect web request. This would have been obvious because the person having ordinary skill in the art would have been motivated to detect a web request by browser to fake IP address to resolve a non-resolvable DNS query and redirect the web request based on the detecting to reduce redirect delays and block requests that are known to be invalid (Tazuma, [Abstract], [0005], [0061]).

Regarding claim 17, Lee/Tazuma combination teaches:
A method to support Internet traffic inspection (Lee, discloses device and method for determining connection request to target destination with domain name server query identifying a permissible destination instead of malicious destination, see [Abstract]), comprising: method steps substantially similar to the steps performed by the system of claim 1 therefore is rejected with same rational set forth as rejection of claim 1 above.

Regarding claim 2, similarly claim 18, Lee/Tazuma combination further teaches:
The system of claim 1, the method of claim 17, further comprising: said DNS cache configured to maintain locally a list of domain name/IP address pairs that the users have requested to access as monitored by the inspection component (Lee, [0010] a verification device can receive a connection request identifying an IP address or IP addresses, and can determine whether the IP address or IP addresses is/are stored in a DNS query cache that stores information identifying IP addresses corresponding to domain names for which a security verification was performed in connection with fulfilling a previous connection request. Based on an IP address being included in the DNS query cache, the verification device can confirm that a security verification was performed on a domain name corresponding to the IP address. And [0018] As further shown in FIG. 1B, and by reference number 166, verification device 104 can store connection establishment information in DNS query cache 168 (i.e. locally)).  

Regarding claim 3, similarly claim 19, Lee/Tazuma combination further teaches:
The system of claim 2, the method of claim 18, wherein: the list of domain name/IP address pairs are maintained in the form of one or more tables (Lee, fig. 1B, DNS Query Cache 168, i.e. list of Destination/IP as table).  

Regarding claim 4, similarly claim 20, Lee/Tazuma combination further teaches:
The system of claim 2, the method of claim 18, wherein: the DNS cache is configured to be searched and looked up via either the IP address or the domain name (Lee, [0020] For example, verification device 104 can search DNS query cache 168 to determine whether the IP address is included in DNS query cache 168).  

Regarding claim 5, Lee/Tazuma combination further teaches:
The system of claim 1, wherein: the inspection component runs on the same device or endpoint used by the users to initiate the access requests (Lee, as shown in fig. 2, User device and Verification device can be implemented within a single device, e.g. [0031] two or more devices shown in FIG. 2 can be implemented within a single device, …).  

Regarding claim 6, Lee/Tazuma combination further teaches:
The system of claim 1, wherein: the inspection component runs at a gateway or firewall of a local area network (LAN) of a business entity to monitor and intercept all Internet traffic originated by the users within the business entity (Lee, [0028] For example, verification device 220 can include a network device that can include a firewall, a router, a gateway, a switch. And [0030] Network 240 includes one or more wired and/or wireless networks. For example, network 240 can include … a local area network (LAN)).  

Regarding claim 11, similarly claim 21, Lee/Tazuma combination further teaches:
The system of claim 1, the method of claim 17, wherein: the inspection component is configured to add a new pair of domain name/IP address into the DNS cache and forward the newly intercepted access request to the server hosting the website or resource if the domain name of the newly intercepted access request is found in the DNS cache (Lee, [0043] if verification device 220 determines that information identifying the target destination matches information identifying the permissible destination (block 420—YES), then process 400 can include establishing the connection to the target destination as a response to the first network connection request (block 430)).  

Regarding claim 12, similarly claim 22, Lee/Tazuma combination further teaches:
The system of claim 1, the method of claim 17, wherein: the proxy server is configured to search a block database via the IP address of the redirected access request to determine if the IP address points to a malicious website or source or not, wherein the block database maintains IP addresses of a list of websites and resources that are known to be malicious and have been put on a block list (Lee, [0013] verification device 104 can determine whether the target destination is on a whitelist of permissible destinations, a blacklist of malicious destinations, and/or the like. In some implementations, verification device 104 may request and may receive a blacklist to enable verification device 104 to determine whether the target destination is on the blacklist. See further Tazuma for proxy server. It is obvious to one ordinary skilled to understand the Verification device of Lee can be replaced with Tazuma’s gateway device as proxy server).  

Regarding claim 14, similarly claim 24, Lee/Tazuma combination further teaches:
The system of claim 1, the method of claim 17, wherein: the proxy server is configured to forward the redirected access request to the server hosting the requested website or resource at the IP address if no entry is found for the IP address of the newly intercepted access request in the block database (Lee, [0013] verification device 104 can determine whether the target destination is a malicious destination based on validating the target destination against a list. For example, verification device 104 can determine whether the target destination is on a whitelist of permissible destinations, … and [0043] if verification device 220 determines that information identifying the target destination matches information identifying the permissible destination (block 420—YES), then process 400 can include establishing the connection to the target destination as a response to the first network connection request (block 430). See Tazuma for proxy server and redirection as shown for claim 1).  

Claims 7-8 are rejected under 35 U.S.C. 103 as being unpatentable over Lee/Tazuma combination as applied above, further in view of Fakeri-Tabrizi et al (US20160065611A1, hereinafter, “Fakeri-Tabrizi”).
Regarding claim 7, Lee/Tazuma combination teaches:
The system of claim 1, 
While the combination of Lee/Tazuma does not explicitly teach the following limitation, Fakeri-Tabrizi in the same field of endeavor teaches:
wherein: the domain name is a fully qualified domain name (FQDN), which is a domain name that specifies its exact location in a DNS tree hierarchy including all domain levels from the top-level domain (Fakeri-Tabrizi, discloses method for detecting anomalies in DNS requests, [Abstract]. And [0027] the term “core domain name” shall mean a parent domain, which is the combination of a second-level domain and a top-level domain, … the term “Fully Qualified Domain Name” or FQDN shall mean the complete domain name for a specific computer, server, or host. The FQDN may consist of two parts: a subdomain name and a core domain name).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Fakeri-Tabrizi in the domain name server based validation of network connections of Lee/Tazuma by using core domain name and FQDN in analyzing DNS requests. This would have been obvious because the person having ordinary skill in the art would have been motivated to retrieve and use FQDN information for anomaly detection by anomaly detection system (Fakeri-Tabrizi, [Abstract], [0038-0040]).

Regarding claim 8, Lee/Tazuma/Fakeri-Tabrizi combination further teaches:
The system of claim 7, wherein: the domain name is an abbreviation or subset of the FQDN shortened for mobile access (Fakeri-Tabrizi, [0038] the anomaly detection system 120 can retrieve for further use one or more of the following: a FQDN (including a core domain name and all subdomain names, if any), timestamp, …). Also [0040] The second DNS request is a subset of the first DNS request when both of them refer to the same FQDN, the same domain name, the same core domain name, or when they share at least some of common subdomains. And [0068] the computer system 300 can be a personal computer (PC), hand held computing device, telephone, mobile computing device (i.e. mobile access)).  

Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Lee/Tazuma combination as applied above, further in view of Pechersky (US20140325045A1, hereinafter, “Pechersky”).
Regarding claim 9, Lee/Tazuma combination teaches:
The system of claim 1, 
While the combination of Lee/Tazuma does not explicitly teach the following limitation, Pechersky in the similar field of endeavor teaches:
wherein: the domain name is an alias of the server hosting the website (Pechersky, discloses system and method for directing network traffic (such as web traffic), [Abstract]. And [0047] the name server 62 is configured to receive a query in the form of a destination identifier, such as a domain name, and return a query result such as a numerical address or an alias. For example, a numerical address can be an Internet Protocol (IP) address associated with the destination identifier... The alias can be a query result that is another destination identifier used for a subsequent query at the name server 62. For example, if the destination identifier is a domain name (e.g. "google.com"), the query result can be another domain name (e.g. "google.ca") to which the query redirects).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Pechersky in the domain name server based validation of network connections of Lee/Tazuma by using alias as subsequent query as destination identifier for domain name. This would have been obvious because the person having ordinary skill in the art would have been motivated to use alias for destination identifier for directing network traffic (Pechersky, [Abstract], [0047]).

Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Lee/Tazuma combination as applied above to claim 1, further in view of Larson et al (US8521888B2, hereinafter, “Larson”).
Regarding claim 10, Lee/Tazuma combination teaches:
The system of claim 1, 
While the combination of Lee/Tazuma does not explicitly teach the following limitation, Pechersky in the similar field of endeavor teaches:
wherein: the domain name is non-conforming to an Internet protocol (Larson, discloses system and method for secure communications using secure domain names, [Title], [Claim1]. And [Col. 7 lines 29-42] The present invention provides a domain name service that provides secure computer network addresses for secure, non-standard top-level domain names (i.e. domain name is non-conforming to an Internet protocol) ... According to the invention, the portal authenticates a query for a secure computer network address, and the domain name database stores secure computer network addresses for the computer network. Each secure computer network address is based on a non-standard top-level domain name, …).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Larson in the domain name server based validation of network connections of Lee/Tazuma by using non-standard top-level domain name for secure communications. This would have been obvious because the person having ordinary skill in the art would have been motivated for a computer network that includes a portal connected to a computer network, such as the Internet, and a domain name database connected to the computer network through the portal to have the portal authenticates a query for a secure computer network address, and the domain name database stores secure computer network addresses for the computer network for secure internet communication (Larson, [Col. 7 lines 29-42]).

Claims 13, 23 are rejected under 35 U.S.C. 103 as being unpatentable over Lee/Tazuma combination as applied above, further in view of Kasman et al (US20160173527A1, hereinafter, “Kasman”).
Regarding claim 13, similarly claim 23, Lee/Tazuma combination teaches:
The system of claim 1, the method of claim 17,
While the combination of Lee/Tazuma does not explicitly teach the following limitation, Kasman in the similar field of endeavor teaches:
wherein: the proxy server is configured to mitigate threats or cyberattacks launched via the redirected access request and report back to the inspection component (Kasman, discloses method for protecting against DDoS attack, [Abstract]. And referring to fig. 1, and [0011] The server-side machine instructions can be logically grouped into functional modules including: a reverse proxy traffic handler and a user-interactive DDoS attack mitigation scheme handler for issuing DDoS attack mitigation challenges and authenticating the users' authenticating actions... if not authenticated, responding, by the DDoS attack mitigation central processing server, a notification data (i.e. report back) to the DDoS attack mitigation SDK to block the request, which in turn displaying to the user that the authentication of the DDoS attack mitigation challenge has failed and that the request is blocked), 
Lee further teaches: that the redirected access request is attempting to access a blocked website or resource if an entry is found for the IP address of the redirected access request in the block database (Lee, [0011] based on the IP address not being included in the DNS query cache, the verification device can determine that a security verification was not performed or that the security verification resulted in determining that the IP address was associated with a malicious destination. In this case, the verification device can block establishment of a network connection between the target destination and the user device. And [0013] verification device 104 can determine whether the target destination is on a whitelist of permissible destinations, a blacklist of malicious destinations).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Kasman in the domain name server based validation of network connections of Lee/Tazuma by using DDoS attack mitigation system as proxy server to mitigate attack and provide notification to user. This would have been obvious because the person having ordinary skill in the art would have been motivated to use the user-interactive DDoS attack mitigation scheme of Kasman (Kasman, [Abstract]) to mitigate the malicious attack of associated with request that does not include DNS query of Lee.

Claims 15, 25 are rejected under 35 U.S.C. 103 as being unpatentable over Lee/Tazuma combination as applied above, further in view of Zhang et al (US20160119193A1, hereinafter, “Zhang”).
Regarding claim 15, similarly claim 25, Lee/Tazuma combination teaches:
The system of claim 1, the method of claim 17,
While the combination of Lee/Tazuma does not explicitly teach the following limitation, Zhang in the similar field of endeavor teaches:
wherein: the proxy server is configured to continuously monitor and/or audit every redirected IP address [only] access request to validate packet and/or content of the redirected IP address only access request (Zhang, discloses method for detecting redirection packet as proxy internet access. And referring to fig. 3, and [0051] Step 302: intercepting (i.e. monitor or audit) an access request from the same internet account. And [0053] Specifically, to determine whether an access request is a response to a redirection packet, the proxy detection device first checks whether the target IP address of the access request is a proxy detection device). See Lee for access request with IP address only as shown for claim 1 above. 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Zhang in the domain name server based validation of network connections of Lee/Tazuma by detecting and determining redirected access request. This would have been obvious because the person having ordinary skill in the art would have been motivated to detect an access request is a response to a redirection request (Zhang, [Abstract]).

Claims 16, 26 are rejected under 35 U.S.C. 103 as being unpatentable over Lee/Tazuma/Zhang combination as applied above, further in view of Kaidi (US20210400080A1, hereinafter, “Kaidi”).
Regarding claim 16, similarly claim 26, Lee/Tazuma/Zhang combination teaches:
The system of claim 15, the method of claim 25, 
While the combination of Lee/Tazuma/Zhang does not explicitly teach the following limitation, Kaidi in the same field of endeavor teaches:
wherein: the proxy server is configured to inspect packet and/or contents of the IP address-only access request for various malicious and/or evasive behaviors; block, delete or quarantine the IP address-only access request if any malicious and/or evasive behavior is found (Kaidi, discloses methods and systems for detecting and automatically blocking malicious traffic directed at service provider, see [Abstract]. And [0016] The system may create or update a list of IP addresses associated with malicious activity (referred to as malicious IP addresses herein), comprising the IP addresses of requests received as part of the second set of requests. The system may then block any requests originating from a malicious IP address. The system may instead (or an addition to blocking) flag each request from a malicious IP address for other action).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Kaidi in the domain name server based validation of network connections of Lee/Tazuma/Zhang by having proxy node for detecting and blocking malicious traffic to service provider associated with dissociated IP address. This would have been obvious because the person having ordinary skill in the art would have been motivated to detect and automatically block malicious traffic directed to service provider (Kaidi, [Abstract], [0001]).
Citation of References
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following references are cited but not been replied upon for this office action:
Hoewisch et al (US20200374262A1) discloses system and method for automated traffic flow control using domain name.
Georgiev (US20130036468A1) discloses method of anti-phishing and domain name protection.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL M LEE whose telephone number is (571)272-1975.  The examiner can normally be reached on M-F: 8:30AM - 5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571) 272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MICHAEL M LEE/Examiner, Art Unit 2436