Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION

1.	This action is in response to the application filed on 13 February 2020.
Claims 1-26 are presently pending for examination.

Information Disclosure Statement
2.	The information disclosure statements (IDS) submitted on 05/14/2020, 02/07/2022, 06/19/2022 and 08/01/2022 have been considered by the examiner.

Claim Rejections - 35 USC § 103
3.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-26 are rejected under 35 U.S.C. 103 as being unpatentable over Mahjoub et al., U.S. Patent Publication No. 2017/0041333, in view of Cook et al., U.S. Patent Publication No. 2016/0099852.

Regarding claim 1, Mahjoub discloses a method for protecting a computing system, comprising: extracting, from data traffic transmitted over a data network connecting a plurality of computing devices to multiple Internet hosting services, respective sets of transmissions from the computing devices to the Internet hosting services (see Mahjoub, ¶ [0022]; DNS request data is analyzed); identifying, in a given set of the transmissions from a given computing device, multiple domain name system (DNS) requests for an identical second-level domain (2LD) and for different respective sub-domains within the 2LD (see Mahjoub, ¶ [0049]-[0052]; plurality of domain name requests at different levels are identified). 
Although Mahjoub discloses the invention substantially as claimed it does not explicitly disclose computing, by a processor, a number of the different sub-domains within the 2LD and a data size of the multiple DNS requests; and when the number of the different sub-domains and the data size of the multiple DNS requests exceed a predefined criterion, initiating a preventive action to inhibit DNS tunneling from at least the given computing device.
Cook teaches computing, by a processor, a number of the different sub-domains within the 2LD and a data size of the multiple DNS requests; and when the number of the different sub-domains and the data size of the multiple DNS requests exceed a predefined criterion, initiating a preventive action to inhibit DNS tunneling from at least the given computing device (see Cook, ¶ [0021]-[0022]). It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to incorporate the teachings of Cook with those of Mahjoub in order to efficiently and effectively detect and prevent DNS tunneling.

Regarding claim 2, Mahjoub-Cook teaches comprising analyzing the given set of transmissions to identify further transmissions to the different sub-domains within the 2LD following the DNS requests submitted with respect to the different sub-domains, wherein initiating the preventive action comprises intervening in the transmissions by the given computing device when there are no further transmissions to at least some of the different sub-domains within the 2LD following the DNS requests (see Mahjoub, ¶ [0059] and [0072]).

Regarding claim 3, Mahjoub-Cook teaches wherein the specified threshold comprises a specified time period (see Mahjoub, ¶ [0103]).

Regarding claim 4, Mahjoub-Cook teaches and comprising computing, by the processor, a number of the transmissions to the 2LD, and when the computed number of transmissions to the 2LD exceeds a predefined 2LD criterion, initiating the preventive action to inhibit DNS tunneling from at least the given computing device (see Cook, ¶ [0020] and [0022]). Same motivation utilized for claim 1 applies equally as well to claim 4.

Regarding claim 5, Mahjoub-Cook teaches and comprising identifying, in a given transmission, a DNS request for a given domain name, and determining, by the processor, an age of the domain name, and when the age of the domain name does meet a predefined age criterion, initiating the preventive action to inhibit DNS tunneling transmissions to at least the given domain name (see Mahjoub, ¶ [0037]).

Regarding claim 6, Mahjoub-Cook teaches and comprising identifying, by the processor, a first given transmission comprising a first DNS request for a given domain name transmitted by a first given computing device at a first time, and when failing to identify a second given transmission comprising a second DNS request for the given domain name transmitted by a second given computing device at a second time previous to the first given time, initiating the preventive action to inhibit DNS tunneling transmissions to at least the given domain name (see Mahjoub, ¶ [0051]-[0052]).

Regarding claim 7, Mahjoub-Cook teaches and comprising identifying, by the processor, a DNS request in a given transmission from a given computing device, and when the given computing device does not comprise a local DNS server, initiating the preventive action to inhibit DNS tunneling transmissions from at least the given computing device (see Mahjoub, ¶ [0053] and [0057]).

Regarding claim 8, Mahjoub-Cook teaches and comprising identifying, by the processor, a plurality of the transmissions comprising DNS requests for a 2LD, and determining a number of unique computing devices that transmitted the DNS requests for the 2LD, and when the determined number of unique computing devices does not meet a predefined 2LD criterion, initiating the preventive action to inhibit DNS tunneling transmissions to at least the given 2LD (see Mahjoub, ¶ [0049] and [0052]).

Regarding claim 9, Mahjoub-Cook teaches and comprising identifying, in a given transmission, a DNS request for a given domain name, and determining, by the processor, whether or not the domain name is a registered domain name, and when domain name is not a registered domain name, initiating the preventive action to inhibit DNS tunneling transmissions to at least the given domain name (see Mahjoub, ¶ [0057] and [0059]).

Regarding claim 10, Mahjoub-Cook teaches and comprising identifying, by the processor, a DNS request in a given transmission from a given computing device to a given Internet hosting service, and when the given Internet hosting service does not comprise a public DNS server, initiating the preventive action to inhibit DNS tunneling transmissions from at least the given computing device (see Mahjoub, ¶ [0034]-[0035]).

Regarding claim 11, Mahjoub-Cook teaches and comprising identifying, in a given transmission, a DNS request for a given domain name, and determining, by the processor, whether or not the domain name comprises any random characters, and when the domain name comprises any random characters, initiating the preventive action to inhibit DNS tunneling transmissions to at least the given domain name (see Mahjoub, ¶ [0039]-[0040]).

Regarding claim 12, Mahjoub discloses an apparatus for protecting a computing system, comprising: a network interface card (NIC) (see Mahjoub, ¶ [0134]; NIC card is disclosed); and at least one processor (see Mahjoub, ¶ [0133]; processor is disclosed) configured: to extract, via the NIC from data traffic transmitted over a data network connecting a plurality of computing devices to multiple Internet hosting services, respective sets of transmissions from the computing devices to the Internet hosting services (see Mahjoub, ¶ [0022]; DNS request data is analyzed), to identify, in a given set of the transmissions from a given computing device, multiple domain name system (DNS) requests for an identical second-level domain (2LD) and for different respective sub-domains within the 2LD (see Mahjoub, ¶ [0049]-[0052]; plurality of domain name requests at different levels are identified).
Although Mahjoub discloses the invention substantially as claimed, it does not explicitly disclose to compute a number of the different sub-domains within the 2LD and a data size of the multiple DNS requests, and when the number of the different sub-domains and the data size of the multiple DNS requests exceed a predefined criterion, to initiate a preventive action to inhibit DNS tunneling from at least the given computing device.
Cook teaches to compute a number of the different sub-domains within the 2LD and a data size of the multiple DNS requests, and when the number of the different sub-domains and the data size of the multiple DNS requests exceed a predefined criterion, to initiate a preventive action to inhibit DNS tunneling from at least the given computing device (see Cook, ¶ [0021]-[0022]). It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to incorporate the teachings of Cook with those of Mahjoub in order to efficiently and effectively detect and prevent DNS tunneling.

Regarding claim 13, Mahjoub-Cook teaches wherein a given processor is further configured to analyze the given set of transmissions to identify further transmissions to the different sub-domains within the 2LD following the DNS requests submitted with respect to the different sub-domains, and wherein a given processor is configured to initiate the preventive action by intervening in the transmissions by the given computing device when there are no further transmissions to at least some of the different sub-domains within the 2LD following the DNS requests (see Mahjoub, ¶ [0059] and [0072]).

Regarding claim 14, Mahjoub-Cook teaches wherein the specified threshold comprises a specified time period (see Mahjoub, ¶ [0103]).

Regarding claim 15, Mahjoub-Cook teaches wherein a given processor is further configured to compute a number of the transmissions to the 2LD, and when the computed number of transmissions to the 2LD exceeds a predefined 2LD criterion, to initiate the preventive action to inhibit DNS tunneling from at least the given computing device (see Cook, ¶ [0020] and [0022]). The same motivation utilized for claim 1 applies equally as well to claim 15.

Regarding claim 16, Mahjoub-Cook teaches wherein a given processor is further configured to identify, in a given transmission, a DNS request for a given domain name, and to determine an age of the domain name, and when the age of the domain name does meet a predefined age criterion, to initiate the preventive action to inhibit DNS tunneling transmissions to at least the given domain name (see Mahjoub, ¶ [0037]).

Regarding claim 17, Mahjoub-Cook teaches wherein a given processor is further configured to identify a first given transmission comprising a first DNS request for a given domain name transmitted by a first given computing device at a first time, and when failing to identify a second given transmission comprising a second DNS request for the given domain name transmitted by a second given computing device at a second time previous to the first given time, to initiate the preventive action to inhibit DNS tunneling transmissions to at least the given domain name (see Mahjoub, ¶ [0051]-[0052]).

Regarding claim 18, Mahjoub-Cook teaches wherein a given processor is further configured to identify a DNS request in a given transmission from a given computing device, and when the given computing device does not comprise a local DNS server, to initiate the preventive action to inhibit DNS tunneling transmissions from at least the given computing device (see Mahjoub, ¶ [0053] and [0057]).

Regarding claim 19, Mahjoub-Cook teaches wherein a given processor is further configured to identify a plurality of the transmissions comprising DNS requests for a 2LD, and to determine a number of unique computing devices that transmitted the DNS requests for the 2LD, and when the determined number of unique computing devices does not meet a predefined 2LD criterion, to initiate the preventive action to inhibit DNS tunneling transmissions to at least the given 2LD (see Mahjoub, ¶ [0049] and [0052]).

Regarding claim 20, Mahjoub-Cook teaches wherein a given processor is further configured to identify, in a given transmission, a DNS request for a given domain name, and to determine whether or not the domain name is a registered domain name, and when domain name is not a registered domain name, to initiate the preventive action to inhibit DNS tunneling transmissions to at least the given domain name (see Mahjoub, ¶ [0057] and [0059]).

Regarding claim 21, Mahjoub-Cook teaches wherein a given processor is further configured to identify a DNS request in a given transmission from a given computing device to a given Internet hosting service, and when the given Internet hosting service does not comprise a public DNS server, to initiate the preventive action to inhibit DNS tunneling transmissions from at least the given computing device (see Mahjoub, ¶ [0034]-[0035]).

Regarding claim 22, Mahjoub-Cook teaches wherein a given processor is further configured to identify, in a given transmission, a DNS request for a given domain name, and to determine whether or not the domain name comprises any random characters, and when the domain name comprises any random characters, to initiate the preventive action to inhibit DNS tunneling transmissions to at least the given domain name (see Mahjoub, ¶ [0039]-[0040]).

Regarding claim 23, Mahjoub discloses a computer software product for protecting a computing system, the product comprising a non-transitory computer-readable medium, in which program instructions are stored, which instructions, when read by a computer (see Mahjoub; computer-readable storage media are disclosed), cause the computer: to extract, from data traffic transmitted over a data network connecting a plurality of computing devices to multiple Internet hosting services, respective sets of transmissions from the computing devices to the Internet hosting services (see Mahjoub, ¶ [0022]; DNS request data is analyzed); to identify, in a given set of the transmissions from a given computing device, multiple domain name system (DNS) requests for an identical second-level domain (2LD) and for different respective sub-domains within the 2LD (see Mahjoub, ¶ [0049]-[0052]; plurality of domain name requests at different levels are identified).
Although Mahjoub discloses the invention substantially as claimed, it does not explicitly disclose to compute a number of the different sub-domains within the 2LD and a data size of the multiple DNS requests; and when the number of the different sub-domains and the data size of the multiple DNS requests exceed a predefined criterion, to initiate a preventive action to inhibit DNS tunneling from at least the given computing device.
Cook teaches to compute a number of the different sub-domains within the 2LD and a data size of the multiple DNS requests; and when the number of the different sub-domains and the data size of the multiple DNS requests exceed a predefined criterion, to initiate a preventive action to inhibit DNS tunneling from at least the given computing device (see Cook, ¶ [0021]-[0022]). It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to incorporate the teachings of Cook with those of Mahjoub in order to efficiently and effectively detect and prevent DNS tunneling.

Regarding claim 24, Mahjoub discloses a method for protecting a computing system, comprising: extracting, from data traffic transmitted over a data network connecting a plurality of computing devices to multiple Internet hosting services, respective sets of transmissions from the computing devices to the multiple Internet hosting services (see Mahjoub, ¶ [0022]; DNS request data is analyzed); identifying, in a given set of the transmissions from a given computing device, a first given transmission comprising a domain name system (DNS) request for a given domain (see Mahjoub, ¶ [0049]-[0052]; plurality of domain name requests at different levels are identified).
Although Mahjoub discloses the invention substantially as claimed, it does not explicitly disclose analyzing, by a processor, the sets of the transmissions to identify a second given transmission to the given domain that was transmitted prior to the first given transmission, analyzing the given set of the transmissions to identify a third given transmission to the given domain that was transmitted subsequent to the first given transmission; and when identifying the second and the third given transmissions, initiating a preventive action to inhibit DNS tunneling from at least the given computing device.
Cook teaches analyzing the sets of the transmissions to identify a second given transmission to the given domain that was transmitted prior to the first given transmission, analyzing the given set of the transmissions to identify a third given transmission to the given domain that was transmitted subsequent to the first given transmission, and when identifying the second and the third given transmissions, initiating a preventive action to inhibit DNS tunneling from at least the given computing device (see Cook, ¶ [0019]-[0022]). It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to incorporate the teachings of Cook with those of Mahjoub in order to efficiently and effectively detect and prevent DNS tunneling.

Regarding claim 25, Mahjoub discloses an apparatus for protecting a computing system, comprising: a network interface card (NIC); and at least one processor configured: to extract, via the NIC from data traffic transmitted over a data network connecting a plurality of computing devices to multiple Internet hosting services, respective sets of transmissions from the computing devices to the multiple Internet hosting services (see Mahjoub, ¶ [0022]; DNS request data is analyzed), to identify, in a given set of the transmissions from a given computing device, a first given transmission comprising a domain name system (DNS) request for a given domain (see Mahjoub, ¶ [0049]-[0052]; plurality of domain name requests at different levels are identified).
Although Mahjoub discloses the invention substantially as claimed, it does not explicitly disclose to analyze the sets of the transmissions to identify a second given transmission to the given domain that was transmitted prior to the first given transmission, to analyze the given set of the transmissions to identify a third given transmission to the given domain that was transmitted subsequent to the first given transmission, and when identifying the second and the third given transmissions, initiating a preventive action to inhibit DNS tunneling from at least the given computing device.
Cook teaches to analyze the sets of the transmissions to identify a second given transmission to the given domain that was transmitted prior to the first given transmission, to analyze the given set of the transmissions to identify a third given transmission to the given domain that was transmitted subsequent to the first given transmission, and when identifying the second and the third given transmissions, to initiate a preventive action to inhibit DNS tunneling from at least the given computing device (see Cook, ¶ [0019]-[0022]). It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to incorporate the teachings of Cook with those of Mahjoub in order to efficiently and effectively detect and prevent DNS tunneling.

Regarding claim 26, Mahjoub discloses a computer software product for protecting a computing system, the product comprising a non-transitory computer-readable medium, in which program instructions are stored, which instructions, when read by a computer, cause the computer: to extract, from data traffic transmitted over a data network connecting a plurality of computing devices to multiple Internet hosting services, respective sets of transmissions from the computing devices to the multiple Internet hosting services (see Mahjoub, ¶ [0022]; DNS request data is analyzed); to identify, in a given set of the transmissions from a given computing device, a first given transmission comprising a domain name system (DNS) request for a given domain (see Mahjoub, ¶ [0049]-[0052]; plurality of domain name requests at different levels are identified).
Although Mahjoub discloses the invention substantially as claimed, it does not explicitly disclose to analyze the sets of the transmissions to identify a second given transmission to the given domain that was transmitted prior to the first given transmission; to analyze the given set of the transmissions to identify a third given transmission to the given domain that was transmitted subsequent to the first given transmission; and when identifying the second and the third given transmissions, to initiate a preventive action to inhibit DNS tunneling from at least the given computing device.
Cook teaches to analyze the sets of the transmissions to identify a second given transmission to the given domain that was transmitted prior to the first given transmission; to analyze the given set of the transmissions to identify a third given transmission to the given domain that was transmitted subsequent to the first given transmission; and when identifying the second and the third given transmissions, to initiate a preventive action to inhibit DNS tunneling from at least the given computing device (see Cook, ¶ [0019]-[0022]). It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to incorporate the teachings of Cook with those of Mahjoub in order to efficiently and effectively detect and prevent DNS tunneling.
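The following is an added illustration, not part of this Office action and not code from the Mahjoub or Cook references, of the indicators recited in claims 1, 2, 8, 11 and 24-26 applied to a constructed DNS log. The log format, the thresholds, the two-label heuristic for the 2LD and the use of character entropy as a proxy for "random characters" are assumptions made for the example.

```python
"""Added illustration of the DNS-tunneling indicators in claims 1, 2, 8, 11
and 24-26 of the rejected application. Example code only: not part of the
Office action nor of the Mahjoub or Cook references. The log format,
thresholds and heuristics below are assumptions."""
import math
from collections import defaultdict

# Constructed sample traffic, in sequence order: (seq, source device, kind,
# name). "dns" rows are DNS queries; "conn" rows are later transmissions to
# the resolved name. Names are ASCII (punycode), as they are on the wire.
EVENTS = [
    (1, "host-a", "dns", "www.example.com"),
    (2, "host-a", "conn", "www.example.com"),
    (3, "host-b", "dns", "www.example.com"),
    (4, "host-b", "conn", "www.example.com"),
    # host-c: many distinct, long, high-entropy labels under one 2LD and no
    # follow-up connection to any of them, the classic tunneling pattern.
    (5, "host-c", "dns", "aGVsbG8gd29ybGQ.t.evil-tunnel.net"),
    (6, "host-c", "dns", "dGhpcyBpcyBhIHRlc3Q.t.evil-tunnel.net"),
    (7, "host-c", "dns", "ZXhmaWx0cmF0aW9u.t.evil-tunnel.net"),
    (8, "host-c", "dns", "bW9yZSBkYXRhIGhlcmU.t.evil-tunnel.net"),
    (9, "host-c", "dns", "c29tZSBtb3JlIHN0dWZm.t.evil-tunnel.net"),
]


def two_ld(name):
    """2LD as the last two labels (assumption; a real deployment consults the
    public suffix list so that names under e.g. co.uk are split correctly)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def subdomain_stats(events):
    """Claim 1: per (device, 2LD), number of distinct sub-domains queried and
    total bytes of the query names (a proxy for the DNS request data size)."""
    names, size = defaultdict(set), defaultdict(int)
    for _, src, kind, name in events:
        if kind == "dns":
            key = (src, two_ld(name))
            names[key].add(name)
            size[key] += len(name.encode("ascii"))
    return {k: (len(names[k]), size[k]) for k in names}


def flag_count_and_size(events, max_subdomains=3, max_bytes=100):
    """Claim 1 criterion: both the count and the size must exceed thresholds."""
    return sorted(k for k, (n, b) in subdomain_stats(events).items()
                  if n > max_subdomains and b > max_bytes)


def queried_without_followup(events):
    """Claim 2: names a device resolved but never afterwards connected to."""
    pending = {}
    for seq, src, kind, name in events:
        if kind == "dns":
            pending.setdefault((src, name), seq)
        elif kind == "conn" and seq > pending.get((src, name), seq):
            pending.pop((src, name))
    return sorted(pending)


def flag_few_devices(events, min_devices=2):
    """Claim 8: 2LDs resolved by fewer devices than the criterion (rarely
    visited legitimate sites also trigger this, so treat it as supporting)."""
    devices = defaultdict(set)
    for _, src, kind, name in events:
        if kind == "dns":
            devices[two_ld(name)].add(src)
    return sorted(d for d, s in devices.items() if len(s) < min_devices)


def label_entropy(label):
    """Shannon entropy in bits per character of one DNS label."""
    n = len(label)
    return -sum(label.count(c) / n * math.log2(label.count(c) / n)
                for c in set(label))


def looks_random(name, min_len=12, min_entropy=3.0):
    """Claim 11 proxy: a long label with high character entropy."""
    return any(len(l) >= min_len and label_entropy(l) >= min_entropy
               for l in name.split("."))


def bracketed_requests(events):
    """Claims 24-26: DNS requests from a device that are both preceded and
    followed by another transmission from that device to the same domain."""
    hits = []
    for seq, src, kind, name in events:
        if kind != "dns":
            continue
        others = [s for s, d, _, n in events
                  if d == src and two_ld(n) == two_ld(name) and s != seq]
        if any(s < seq for s in others) and any(s > seq for s in others):
            hits.append((src, seq))
    return hits


if __name__ == "__main__":
    print("claim 1 :", flag_count_and_size(EVENTS))
    print("claim 2 :", queried_without_followup(EVENTS))
    print("claim 8 :", flag_few_devices(EVENTS))
    print("claim 11:", sorted({n for _, _, k, n in EVENTS
                              if k == "dns" and looks_random(n)}))
    print("claim 24:", bracketed_requests(EVENTS))
```

In practice the thresholds must be tuned per network: content-delivery, anti-spam and telemetry services legitimately generate many distinct sub-domains under one 2LD, which is why claim 1 requires both the count and the data size to exceed the criterion rather than either alone, and why the device-count and follow-up-traffic checks are useful as corroborating signals before any preventive action is taken.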

Prior Art of Record
4.	The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure. Please refer to form PTO-892 (Notice of Reference Cited) for a list of relevant prior art.
a. US-20160294773-A1 is directed to techniques for a behavior-analysis-based DNS tunneling detection and classification framework for network security. In some embodiments, a platform implementing an analytics framework for DNS security is provided for facilitating DNS tunneling detection. For example, an online platform can implement an analytics framework for DNS security based on passive DNS traffic analysis.
b. US-20160366159-A1 is directed to a traffic feature information extraction method including a regular expression process, a clustering process, and a feature information extraction process. The regular expression process extracts an item set in advance from a traffic log and represents a partial character string included in the item as a regular expression based on a predetermined rule. The clustering process clusters the entries of the traffic log represented as regular expressions. The feature information extraction process extracts, as the traffic feature information of each cluster, the entry having the minimum total sum of distances to the other entries in that cluster.
c. US-20200014714-A1 is directed to a system and computer-implemented method to detect a particular Domain Name System (DNS) misuse, wherein the method includes obtaining monitored network data. The monitored network data includes respective instances of request traffic. The request traffic is associated with DNS requests that request resolution of a name that belongs to at least one identified domain. Each DNS request is sent from a source address of one or more stub resolvers; the source address of the stub resolver may be spoofed. Each instance of request traffic includes the source address, the name for which DNS resolution is requested, and the at least one identified domain associated with the corresponding DNS request. The method further includes tracking over time, using a probabilistic algorithm, an approximation of a first cardinality of names belonging to a selected domain of the at least one identified domain included in the instances of request traffic. The method further includes tracking over time, using the probabilistic algorithm, an approximation of a second cardinality of source addresses associated with the selected domain included in the instances of request traffic. The method further includes detecting a combination of a first condition on the approximation of the first cardinality and a second condition on the approximation of the second cardinality, wherein the combination of the first and second conditions indicates the occurrence of a specific DNS misuse. The method further includes performing an action to at least one of output a notification of, and correct a condition associated with, the detected occurrence of the specific DNS misuse.

Conclusion
5.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOHAMED IBRAHIM whose telephone number is (571)270-1132.  The examiner can normally be reached on Monday through Friday from 9:30AM to 6:00PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, John Follansbee can be reached on 571-272-3964.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/Mohamed Ibrahim/
Primary Examiner, Art Unit 2444