Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claim Objection
Claims 1-9 are objected to because of the following informalities: (FP 7.29.01)
In claims 1 and 7, “DGA” is the first occurrence of the abbreviation and should be spelled out for clarity.
In claims 1, 2, 7 and 8, “DNS” is the first occurrence of the abbreviation and should be spelled out for clarity.
Claims 1, 2, 6, 7, 8 and 10 contain numerical references (i.e. client terminal (102)); these numerical references to the drawings are not required in the claim limitations according to U.S. practice.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION— The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 6 and 10 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Regarding claim 6, the claim recites “chaining of clusters (712) in time (711, 713, 714) according to at least one technique belonging to the group formed by unsupervised automatic learning, supervised automatic learning, community detection.” It is unclear how an unsupervised automatic learning and a supervised automatic learning can both be used in order to chain clusters. For examination purposes, only one of the defined techniques was used in order to reject this limitation.
Regarding claim 10, the claim recites “computer program according to claim 7 comprising process steps for the detection of a DGA domain generation algorithm in a computer communication network”; the preamble of this claim fails to include the system of parent claim 7; therefore, this claim is indefinite.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 4, 5, 7 and 10 are rejected under 35 U.S.C. 103 as being unpatentable over NPL “DGA Botnet detection using Collaborative Filtering and Density-based Clustering” (hereinafter 'NGUYEN') and in further view of CN 106576058 A (hereinafter 'Thakar').
Regarding Claim 1
NGUYEN discloses: 
Method for the detection of a DGA domain generation algorithm in a computer communication network (106) comprising at least one resolution server (104) for resolving DNS requests emanating from at least one client terminal (102) (Page 2, Line 6: “DGAs … use current system time as random seed to ensure that output set will be different each time bot execute algorithm. With a collections of domains, bots will send DNS queries to resolve IP address of domains (client terminal). Bots will register one or some domains (by using a server) in group of domains which will be created by DGA”), characterised in that the computer communication network (106) further comprises a detection module (108) coupled to the resolution server (104) and configured to analyse the DNS requests according to the following steps (“Detecting centralized architecture botnets by analyzing DNS traffic logs of a monitored computer network”) - for each DNS request, associate the requested domain name and the identity of the requesting client terminal to form a tuple (Page 2, Line 47: “By recording log of DNS traffic from user's computers to DNS server, we gain datasets of NXDomains created by DGA Botnet and connection requests from users to NXDomains; With our collected dataset contain domains and clients connected to, DBSCAN algorithm iterates each domain and get a list of neighbor domain (have same eps user connected to) then added it to current cluster.”);
NGUYEN does not disclose the following limitation “combine tuples into homogeneous partitions according to the community detection technique; and - deduce for each homogeneous partition all the client terminals using the same DGA”.
Thakar discloses:
	combine tuples into homogeneous partitions according to the community detection technique; and - deduce for each homogeneous partition all the client terminals using the same DGA (Page 11, Paragraph 3: “When the lexical complexity scores less than lexical complexity threshold, the domain name may be DGA generated, and thereby add it to NX domain list (frame 555) of the source IP. Operation then determines whether this is the NX domain list of the specific source IP of the first item (frame 560).”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of NGUYEN in order to include a feature where a domain name that is generated by a DGA from a source IP is added to an NX domain list as taught by Thakar. One of ordinary skill in the art would have been motivated to do so because Thakar recognizes that by implementing this feature the domain list can partition the domains that do not exist by utilizing an NX domain list (Page 11, Paragraph 3).
Regarding Claim 4
NGUYEN discloses: 
Method according to claim 1, characterized in that it further comprises a descriptive statistical filtering step (“Domains are recorded into group of NXDomains, and will produce deviation to the later analyzing of NXDomains created by DGA. Therefore, in domain filtering step, all of the benign domains have to be removed and the remaining domains are all generated by DGA botnet and will be used for further analysis.”).
Regarding Claim 5
NGUYEN discloses: 
Method according to claim 4, characterized in that the descriptive statistic is a covariance, standard deviation or Euclidean distance calculation function (“We will apply clustering-classification technique to decide whether a domain is generated by DGA or not and analyze important statistical features such as distribution of n-gram and length of domain name using training dataset of 1.000.000 top-query domains from alexa.com.”; If the domain length is not within a standard deviation, the DGA detection system will filter out the domain).
Regarding Claim 7
System for detecting a DGA domain generation algorithm in a computer communication network (106) comprising at least one DNS request resolution server (104) for resolving DNS requests from at least one client terminal (102), characterised in that the computer communication network (106) further comprises a detection module (108) coupled to the resolution server (104) and comprising data processing means configured, for each DNS request, to associate the requested domain name and the identity of the requesting client terminal to form a tuple; to combine in homogeneous partitions the tuples thus combined according to the community detection technique; and to deduce for each homogeneous partition all the client terminals using a same DGA (Refer to Claim 1 for rejection rationale).
Regarding claim 10 
A computer program according to claim 7 comprising process steps for the detection of a DGA domain generation algorithm in a computer communication network (106) comprising at least one resolution server (104) for resolving DNS requests emanating from at least one client terminal (102), characterised in that the computer communication network (106) further comprises a detection module (108) coupled to the resolution server (104) and configured to analyse the DNS requests according to the following steps: - for each DNS request, associate the requested domain name and the identity of the requesting client terminal to form a tuple; - combine tuples into homogeneous partitions according to the community detection technique; and - deduce for each homogeneous partition all the client terminals using the same DGA (Refer to Claim 1 for rejection rationale).

Claims 2 and 8 are rejected under 35 U.S.C. 103 as being unpatentable over NPL “DGA Botnet detection using Collaborative Filtering and Density-based Clustering” (hereinafter 'NGUYEN'), in view of CN 106576058 A (hereinafter 'Thakar'), in view of NPL “CODDULM: An Approach for Detecting C&C Domains of DGA on Passive DNS Traffic” (hereinafter 'Chunyu'), and in further view of US 8,260,914 B1 (hereinafter 'Ranjan').
Regarding claim 2
NGUYEN and Thakar do not disclose the following limitation “characterized in that the community detection technique is carried out from a bipartite graph comprising: a) a plurality of nodes of client terminal type (310); b) a plurality of domain type nodes (340); c) a plurality of edges (320), each representing a DNS query from a client terminal node (311) to a domain node (344); a domain node (344) being connectable to multiple client terminal nodes (311) and a client terminal node (311) being connectable to multiple domain nodes (344)”.
Chunyu discloses:
Method according to claim 1, characterized in that the community detection technique is carried out from a bipartite graph comprising: a) a plurality of nodes of client terminal type (310); b) a plurality of domain type nodes (340); c) a plurality of edges (320), each representing a DNS query from a client terminal node (311) to a domain node (344); a domain node (344) being connectable to multiple client terminal nodes (311) and a client terminal node (311) being connectable to multiple domain nodes (344) (Page 2, Right Column, line 11: “Finding Suspicious Infected Hosts through Bipartite Graph Clustering … CODDULM uses the bipartite graph clustering method to find the DGA generated NXDomains and the infected hosts; The relationship between IP (client terminal) addresses and NXDomains (domain node) can be regarded as a bipartite graph which is shown in Fig. 4.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of NGUYEN and Thakar in order to include a feature where a detection technique comprises a bipartite graph that contains a plurality of edges and domains as taught by Chunyu. One of ordinary skill in the art would have been motivated to do so because Chunyu recognizes that by implementing this feature infected hosts and domains can be identified through Bipartite Graph Clustering (Page 2, Right Column, line 11).
NGUYEN, Thakar, and Chunyu do not disclose the following limitation “and d) the community detection of tuples in said bipartite graph being capable of generating distinct partitions (410, 430), themselves distributed in bipartite graphs including tuples representing a coherent set of client terminals making DNS queries on a set of domains”
Ranjan discloses:
and d) the community detection of tuples in said bipartite graph being capable of generating distinct partitions (410, 430), themselves distributed in bipartite graphs including tuples representing a coherent set of client terminals making DNS queries on a set of domains (Column 11, Line 30: “In one or more embodiments, DNS queries in a partitioned group belong to a common connected component in an IP-domain bipartite graph of the DNS queries. In such embodiments, the connected component is identified by performing connected component analysis of the IP-domain bipartite graph of the DNS queries.”). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of NGUYEN, Thakar, and Chunyu in order to include a feature where a bipartite graph includes distinct partitions of the client terminals making DNS queries on a set of domains as taught by Ranjan. One of ordinary skill in the art would have been motivated to do so because Ranjan recognizes that by implementing this feature a bipartite graph can group the infected client hosts and the domain list together into distinct partitions (Column 11, Line 30).
Regarding claim 8 
System according to claim 7, characterised in that the community detection comprises a bipartite graph comprising: - a plurality of client terminal type nodes (310), a plurality of domain type nodes (340); - a plurality of edges (320), each representing a DNS query from a client terminal node (311) to a domain node (344); a domain node (344) being connectable to multiple client terminal nodes (311) and a client terminal node (311) being connectable to multiple domain nodes (344), and - the search for communities of tuples being capable of generating distinct partitions (410, 430), themselves distributed in bipartite graphs including tuples representing a coherent set of client terminals making DNS queries on a set of domains (Refer to Claim 2 for rejection rationale).
Claims 3 and 9 are rejected under 35 U.S.C. 103 as being unpatentable over NPL “DGA Botnet detection using Collaborative Filtering and Density-based Clustering” (hereinafter 'NGUYEN'), in view of CN 106576058 A (hereinafter 'Thakar'), in view of NPL “CODDULM: An Approach for Detecting C&C Domains of DGA on Passive DNS Traffic” (hereinafter 'Chunyu'), in view of US 8,260,914 B1 (hereinafter 'Ranjan') and in further view of US 2019/0026355 A1 (hereinafter ‘Yano’).
Regarding claim 3
NGUYEN, Thakar, Chunyu and Ranjan do not disclose the following limitation “characterized in that it further comprises a measure of the quality of the clustering according to a calculation of the modularity of the tuples communities thus detected”
Yano discloses:
Method according to claim 2, characterized in that it further comprises a measure of the quality of the clustering according to a calculation of the modularity of the tuples communities thus detected (¶127: “The clustering section 125 calculates a modularity evaluation value Q for the case where the generated cluster merger plan is used. The clustering section 125 repeats the generation of a cluster merger plan and the calculation of a modularity evaluation value Q for each of selection patterns for selecting two clusters from among the current clustering results and identifies a cluster merger plan for which the maximum modularity evaluation value Q has been calculated”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of NGUYEN, Thakar, Chunyu and Ranjan in order to include a feature that can calculate the modularity of a cluster merger as taught by Yano. One of ordinary skill in the art would have been motivated to do so because Yano recognizes that by implementing this feature a system can merge multiple clusters together based on their modularity score (¶127). 
Regarding claim 9 
System according to claim 8, characterized in that the processing means further comprise measuring means suitable for measuring the quality of clustering according to a calculation of the modularity of the tuples communities thus detected (Refer to claim 3 rejection).
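Added illustration, not part of the Office action, the application, or any cited reference: a sketch of the technique recited in claims 2-3 and 8-9, in which (client, domain) tuples form a bipartite graph, connected-component analysis (as in the Ranjan passage) yields the partitions, and a modularity value scores them. The sample tuples, the `min_clients` threshold and the use of Newman's standard modularity formula are assumptions; the page does not give Yano's formula for Q.

```python
from collections import defaultdict

# Constructed sample: (client IP, NXDOMAIN name) tuples as a resolver log would yield.
TUPLES = [
    ("10.0.0.5", "xkqjzpw.example"), ("10.0.0.5", "qvbnrtl.example"),
    ("10.0.0.7", "qvbnrtl.example"), ("10.0.0.7", "zzhqpm.example"),
    ("10.0.0.9", "xkqjzpw.example"), ("10.0.0.9", "zzhqpm.example"),
    ("10.0.1.20", "aplmwq.example"), ("10.0.1.20", "ruvtyc.example"),
    ("10.0.1.21", "aplmwq.example"),
    ("10.0.2.30", "gogle.example"),      # lone typo, no shared behaviour
    ("10.0.0.5", "xkqjzpw.example"),     # repeated query, same edge
]

def build_graph(tuples):
    """Bipartite graph: client nodes ('c', ip), domain nodes ('d', name)."""
    edges = {(("c", c), ("d", d)) for c, d in tuples}   # set removes repeats
    adj = defaultdict(set)
    for u, v in edges:
        adj[u].add(v)
        adj[v].add(u)
    return edges, adj

def partitions(adj):
    """Connected components of the client-domain graph, found by DFS."""
    seen, parts = set(), []
    for start in sorted(adj):
        if start in seen:
            continue
        seen.add(start)
        stack, comp = [start], set()
        while stack:
            node = stack.pop()
            comp.add(node)
            for nxt in adj[node] - seen:
                seen.add(nxt)
                stack.append(nxt)
        parts.append(comp)
    return parts

def modularity(edges, adj, parts):
    """Newman modularity Q = sum_c [ L_c/m - (d_c/2m)^2 ] (assumed formula)."""
    m = len(edges)
    q = 0.0
    for comp in parts:
        inside = sum(1 for u, v in edges if u in comp and v in comp)
        degree = sum(len(adj[n]) for n in comp)
        q += inside / m - (degree / (2 * m)) ** 2
    return q

def shared_dga_candidates(tuples, min_clients=2):
    """Partitions with several clients: hosts likely running the same DGA."""
    edges, adj = build_graph(tuples)
    parts = partitions(adj)
    groups = []
    for comp in parts:
        clients = sorted(n for kind, n in comp if kind == "c")
        domains = sorted(n for kind, n in comp if kind == "d")
        if len(clients) >= min_clients:
            groups.append((clients, domains))
    return groups, modularity(edges, adj, parts)

if __name__ == "__main__":
    groups, q = shared_dga_candidates(TUPLES)
    for clients, domains in groups:
        print(clients, "->", domains)
    print("modularity Q = %.2f" % q)
```

On real resolver logs a single popular domain links otherwise unrelated clients into one component, which is why the statistical filtering step of claim 4 precedes the partitioning.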
Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over NPL “DGA Botnet detection using Collaborative Filtering and Density-based Clustering” (hereinafter 'NGUYEN'), in view of CN 106576058 A (hereinafter 'Thakar'), and in further view of US 10,685,295 B1 (hereinafter ‘Ross’).
Regarding claim 6
NGUYEN and Thakar do not disclose the following limitation “characterized in that it further comprises a search for chaining of clusters (712) in time (711, 713, 714) according to at least one technique belonging to the group formed by unsupervised automatic learning, supervised automatic learning, community detection”
Ross discloses:
Method according to claim 1, characterized in that it further comprises a search for chaining of clusters (712) in time (711, 713, 714) according to at least one technique belonging to the group formed by unsupervised automatic learning, supervised automatic learning, community detection (Claim 4: “The method of claim 1, further comprising: automatically load-balancing the machine learning model based on operations and input/output required of the model at compile time.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of NGUYEN and Thakar in order to include a feature that can chain clusters together (similar functionality as a load balancer) within a certain time using machine learning as taught by Ross. One of ordinary skill in the art would have been motivated to do so because Ross recognizes that by implementing this feature a system can use artificial intelligence in order to group clusters together (claim 4).
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAAD ABDULLAH whose telephone number is 571-272-1531. The examiner can normally be reached on Monday-Friday 9am-5pm EST. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, LYNN FIELD can be reached on 571-272-2092.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SAAD AHMAD ABDULLAH/ Examiner, Art Unit 2431
/SHIN-HON (ERIC) CHEN/ Primary Examiner, Art Unit 2431