DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 9/20/2021 has been entered.
Authorization for this Examiner’s Amendment was given in a telephone interview with Applicant’s representative Benjamin Koopferstock on August 23, 2022.

Claims
Please replace claims as following: 
Claim 5 (Currently Amended) The method of claim 1, wherein discarding, in the cleaning component, the incoming signals having at least one of the particulars of the DDoS attack comprises or discarding incoming signals when a number of incoming signals carrying a same source IP address exceeds a predetermined threshold
Claim 8 (Currently Amended) The method of claim 1, further comprising:
determining whether a downloader of the malware or the C&C server is hosted in the infrastructure by verifying the address or the domain name of the downloader of the malware or of the C&C server; and
if the downloader of the malware or the C&C server is hosted in a compromised component of the infrastructure, or placing the compromised component of the infrastructure in quarantine

Claim 9 (Currently Amended) A system for defending an infrastructure against a distributed denial of service (DDoS) attack, wherein the system comprises at least one processor and memory comprising executable instructions, and wherein the system further comprises: 
a cleaning component, wherein the instructions, when executed by the at least one processor, cause the cleaning component 
a software decoy, wherein the instructions, when executed by the at least one processor, cause the software decoy 
a command and control (C&C) data collector, wherein the instructions, when executed by the at least one processor, cause the C&C data collector 
receive the malware from the software decoy, and 
extract from the malware an address or a domain name of a C&C server; and

a client, wherein the instructions, when executed by the at least one processor, cause the client 
receive the address or the domain name of the C&C server from the C&C data collector[[;]],
use the address or the domain name of the C&C server to initiate a connection of the client to the C&C server,
after the initiation of the connection of the client to the C&C server, receive, a command intended by the C&C server to cause the client to participate in the DDoS attack, and
forward particulars of the DDoS attack to the cleaning component.

Claim 10 (Currently Amended) The system of claim 9, wherein the instructions, when executed by the at least one processor, cause the C&C data collector 
directly reading the address or the domain name of the C&C server if the malware is not encrypted;
using one or more previously detected ciphering keys of known malwares to decipher the malware server if the malware is encrypted; and
if the malware is still encrypted after using the one or more previously detected ciphering keys, performing an automatic, static analysis of a binary of the malware.

Claim 11 (Currently Amended) The system of claim 10, wherein the instructions, when executed by the at least one processor, cause the C&C data collector 
locating a predetermined machine language instruction sequence in the malware;
locating a ciphering key on which the predetermined machine language instruction sequence is applied in the malware;
extracting the ciphering key from the malware;
deciphering the malware using the ciphering key; and
locating the address or the domain name of the C&C server in the deciphered malware.
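Claims 10 and 11 describe a tiered extraction: read the C&C address or domain name directly if the malware is not encrypted, otherwise try previously detected ciphering keys of known malware, and only fall back to static analysis of the binary when that fails. The following is an added illustration of that tiering and is not code from the application or its applicant. It assumes single-byte XOR as the obfuscation (the claims name no cipher), a constructed key list standing in for "previously detected ciphering keys", and a constructed configuration string as the malware sample; the third tier is only flagged for an analyst, since the instruction-sequence search of claim 11 is binary-specific.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample data (not from the application): a plaintext bot
# configuration and a list of "previously detected" single-byte XOR keys.
SAMPLE_PLAIN = b"beacon=c2.example.net;port=8080"
KNOWN_KEYS: List[bytes] = [b"\x13", b"\x5a"]  # wrong key first, then the right one

# Matches either a dotted-quad IPv4 address or a lowercase domain with a
# letters-only top-level label; applied to bytes so it works on raw blobs.
ADDRESS_RE = re.compile(
    rb"(?:\d{1,3}\.){3}\d{1,3}|[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}"
)


def find_address(blob: bytes) -> Optional[str]:
    """Tier 1 of claim 10: read the C&C address or domain name directly."""
    match = ADDRESS_RE.search(blob)
    return match.group(0).decode("ascii") if match else None


def xor_decipher(blob: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; with a one-byte key this is the assumed obfuscation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))


def extract_c2(blob: bytes, known_keys: List[bytes] = KNOWN_KEYS) -> Tuple[Optional[str], str]:
    """Return (address_or_None, tier) where tier records which step of
    claim 10 produced the result: 'plain', 'known-key', or
    'needs-static-analysis' (the third step, left to an analyst here)."""
    address = find_address(blob)          # tier 1: not encrypted
    if address:
        return address, "plain"
    for key in known_keys:                # tier 2: previously detected keys
        address = find_address(xor_decipher(blob, key))
        if address:
            return address, "known-key"
    return None, "needs-static-analysis"  # tier 3: automatic static analysis


if __name__ == "__main__":
    print(extract_c2(SAMPLE_PLAIN))
    print(extract_c2(xor_decipher(SAMPLE_PLAIN, b"\x5a")))
    print(extract_c2(b"\x00\x01\x02\x03"))
```

The key list is tried in order, so a stale key that does not reveal an address is skipped without harm; a production collector would also sanity-check candidate strings (printable ratio, resolvable TLD) before handing them to the client, because a wrong key can still produce an accidental regex match on a long blob.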
Claim 14 (Currently Amended) The system of claim 9, wherein the instructions, when executed by the at least one processor, cause the system 
determine whether a downloader of the malware or the C&C server is hosted in the infrastructure by verifying the address or the domain name of the downloader of the malware or of the C&C server; and
if the downloader of the malware or the C&C server is hosted in a compromised component of the infrastructure, cause the infrastructure to alert a customer having content hosted in the compromised component of the infrastructure[[,]] or place the compromised component of the infrastructure in quarantine
Examiner's Statement of Reason for Allowance

Claims 1-5 and 7-19 are allowed.
The following is an examiner’s statement of reasons for allowance: 
The present invention is directed to methods and systems for defending an infrastructure against a distributed denial of service (DDoS) attack using a software decoy installed in the infrastructure to deliberately attract a malware. An address or a domain name of a command and control (C&C) server is extracted from the malware. A client of the infrastructure uses the address or the domain name of the C&C server to connect to the C&C server. The client receives a command intended by the C&C server to cause the client to participate in the DDoS attack. The client forwards particulars of the DDoS attack to a cleaning component. The cleaning component discards incoming signals having one or more of the particulars of the DDoS attack. The address or domain name of the C&C server may be obfuscated in the malware, in which case reverse engineering is used to decipher the malware.
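The cleaning component's side of the scheme, as summarized above and recited in claims 1, 5 and 19, is shown here as an added example; it is not code from the application. The structure of the "particulars" the client forwards (a target address, optional source addresses, a per-source threshold) is an assumption, as are the infrastructure prefixes, the routing-table representation and the constructed packets; all addresses are documentation ranges.

```python
from collections import Counter
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Set, Tuple


@dataclass
class DdosParticulars:
    """What the client forwards to the cleaning component. Field names are
    assumptions; the claims only speak of 'particulars' and the
    'address of a target' of the DDoS attack."""
    target: str
    source_ips: List[str] = field(default_factory=list)
    per_source_threshold: int = 100  # claim 5's 'predetermined threshold'


class CleaningComponent:
    def __init__(self, infrastructure_prefixes: Iterable[str], routing_table: Dict[str, str]):
        self.prefixes = [ip_network(p) for p in infrastructure_prefixes]
        self.routing_table = routing_table            # destination -> next hop (constructed)
        self.blocked_sources: Set[str] = set()        # sources named as attack particulars
        self.threshold: Dict[str, int] = {}           # target -> per-source threshold
        self.seen: Counter = Counter()                # (target, source) -> signals seen

    def in_infrastructure(self, addr: str) -> bool:
        """Claim 19: determine that the target address is part of the infrastructure."""
        a = ip_address(addr)
        return any(a in net for net in self.prefixes)

    def receive_particulars(self, p: DdosParticulars) -> bool:
        """Accept forwarded particulars. Returns False (and changes nothing)
        when the target is not ours, so foreign targets never alter routing."""
        if not self.in_infrastructure(p.target):
            return False
        # Claim 19: route incoming messages for the target toward the cleaner.
        self.routing_table[p.target] = "cleaning-component"
        self.blocked_sources.update(p.source_ips)
        self.threshold[p.target] = p.per_source_threshold
        return True

    def accept(self, packet: Tuple[str, str]) -> bool:
        """Claims 1 and 5: discard a signal carrying a particular of the attack,
        or one whose source has exceeded the per-source count for a target
        under attack. Returns True if the packet should be forwarded."""
        src, dst = packet
        if src in self.blocked_sources:
            return False
        if dst in self.threshold:
            self.seen[(dst, src)] += 1
            if self.seen[(dst, src)] > self.threshold[dst]:
                return False
        return True


def run_sample() -> Tuple[int, int]:
    """Feed constructed traffic through the component; returns (accepted, dropped)."""
    cc = CleaningComponent(["203.0.113.0/24"], {})
    cc.receive_particulars(DdosParticulars("203.0.113.10", ["198.51.100.7"], per_source_threshold=3))
    packets = [("198.51.100.7", "203.0.113.10")] * 2          # named source: always dropped
    packets += [("198.51.100.9", "203.0.113.10")] * 5         # flood: 3 pass, 2 dropped
    packets += [("198.51.100.9", "203.0.113.11")] * 5         # other host: untouched
    verdicts = [cc.accept(p) for p in packets]
    return verdicts.count(True), verdicts.count(False)


if __name__ == "__main__":
    print(run_sample())
```

Counting per (target, source) rather than per source alone keeps a legitimate client that talks to several hosts from being throttled by the threshold for one attacked target, which is the failure mode a naive global counter would introduce.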

The closest prior art is Sullivan (US 2017/0180312 A1), Xu et al. (US 10,320,810 B1), Wang et al. (US 9,762,596 B2), Vissamsetty et al. (US 2017/0171244 A1) and Zeitlin et al. (US 2016/0164894 A1). Sullivan discloses identifying a domain of a command and control server of a botnet. Upon receipt of a request to register a domain for a service that includes a proxy server, where the proxy server is to receive and process traffic for that domain if registration is successful, a determination of whether the domain was generated by a domain generation algorithm (DGA) is performed. Responsive to determining that the domain was generated by the DGA, at least one of the following is performed: denying registration of the domain for the service, and accepting registration of the domain for the service and causing the proxy server to monitor communications received to and from the domain. Xu teaches profiling and fingerprinting of communication and control (C&C) infrastructure. An initial C&C profile is transmitted to a first network monitoring system. The initial C&C profile includes at least one of: a domain corresponding to a C&C channel, and a C&C pattern corresponding to a C&C channel. At least in part in response to information received from a second network monitoring system, the initial C&C profile is revised. An updated C&C profile is transmitted to the first network monitoring system. Wang teaches heuristic botnet detection. In some embodiments, heuristic botnet detection includes monitoring network traffic to identify suspicious network traffic; and detecting a bot based on a heuristic analysis of the suspicious network traffic behavior using a processor, in which the suspicious network traffic behavior includes command and control traffic associated with a bot master.
In some embodiments, heuristic botnet detection further includes assigning a score to the monitored network traffic, in which the score corresponds to a botnet risk characterization of the monitored network traffic (e.g., based on one or more heuristic botnet detection techniques); increasing the score based on a correlation of additional suspicious behaviors associated with the monitored network traffic (e.g., based on one or more heuristic botnet detection techniques); and determining the suspicious behavior is associated with a botnet based on the score. Vissamsetty teaches one or more "BotMagnet" modules that are exposed to infection by malicious code. The BotMagnets may include one or more virtual machines hosting operating systems in which malicious code may be installed and executed without exposing sensitive data or other parts of a network. In particular, outbound traffic may be transmitted to a Sinkhole module that implements a service requested by the outbound traffic and transmits responses to the malicious code executing within the BotMagnet. Credentials for services implemented by a BotSink may be planted in an active directory (AD) server. The BotSink periodically uses the credentials, thereby creating log entries indicating use thereof. In response to an attacker accessing the services using the credentials, the BotSink engages and monitors an attacker system and may generate an alert. Zeitlin teaches securing a computer system by detecting a malware attack on a honeypot node and, based on the detected malware attack, automatically generating investigation directives for verifying whether an endpoint of the computer system is subject to the malware attack. The investigation directives are distributed to one or more software agents that are each associated with one or more endpoints of the computer system. At least one infected endpoint in the computer system, which is subject to the malware attack, is identified by the software agents using the investigation directives.

However, none of Sullivan (US 2017/0180312 A1), Xu et al. (US 10,320,810 B1), Wang et al. (US 9,762,596 B2), Vissamsetty et al. (US 2017/0171244 A1) and Zeitlin et al. (US 2016/0164894 A1) teaches or suggests, alone or in combination, the particular combination of steps or elements as recited in independent Claim 1 and substantially similar Claim 9 and Claim 19. For example, none of the cited prior art teaches or suggests the steps of Claim 1 and similarly Claim 9: receiving, at a software decoy of the infrastructure, a malware intended to infect the software decoy; receiving the malware from the software decoy at a command and control (C&C) data collector of the infrastructure; extracting from the malware, by the C&C data collector, an address or a domain name of a C&C server; sending, from the C&C data collector to a client of the infrastructure, the address or the domain name of the C&C server; using, by the client, the address or the domain name of the C&C server to initiate a connection of the client to the C&C server; after the initiation of the connection of the client to the C&C server, receiving, at the client, a command intended by the C&C server to cause the client to participate in the DDoS attack; forwarding particulars of the DDoS attack from the client to a cleaning component of the infrastructure; and discarding, in the cleaning component, incoming signals having at least one of the particulars of the DDoS attack. Likewise, none of the cited prior art teaches or suggests the steps of Claim 19: receiving, at a software decoy of the infrastructure, a malware intended to infect the software decoy; receiving the malware from the software decoy at a command and control (C&C) data collector of the infrastructure; extracting from the malware, by the C&C data collector, an address or a domain name of a C&C server; sending, from the C&C data collector to a client of the infrastructure, the address or the domain name of the C&C server; using, by the client, the address or the domain name of the C&C server to initiate a connection of the client to the C&C server; after the initiation of the connection of the client to the C&C server, receiving, at the client, a command intended by the C&C server to cause the client to participate in the DDoS attack; forwarding an address of a target of the DDoS attack from the client to a cleaning component of the infrastructure; determining that the address of the target is part of the infrastructure; and after determining that the address of the target is part of the infrastructure, updating a routing table of the infrastructure to cause routing of incoming messages destined to the address of the target toward the cleaning component.


Therefore, the claims are allowable over the cited prior art.


Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892 attached.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KARI L SCHMIDT whose telephone number is (571)270-1385.  The examiner can normally be reached on Monday-Friday 10am - 6pm (MDT).
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571)270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/KARI L SCHMIDT/Primary Examiner, Art Unit 2439