Detailed Action
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

RCE filed on 08/08/2022 has been acknowledged. Claims 1-8 are currently pending and have been considered below. Claims 1 and 7-8 are independent claims. Claims 1 and 7-8 have been amended. No claim has been cancelled or newly added.

Priority
The application is a 371 of PCT/JP2017/029941 filed on 08/22/2017. This application claims the foreign priority of Japanese application JAPAN 2017-045000 filed on 03/09/2017.

Continued Examination under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 08/08/2022 has been entered.
Response to Arguments
Applicant’s arguments filed in the amendments on 07/08/2022 have been fully considered but are moot in view of new grounds of rejection.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claims 1-8 are rejected under 35 U.S.C. 103 as being unpatentable over “DomainProfiler: Discovering Domain Names Abused in Future” by Daiki Chiba, hereinafter Chiba, in view of Desai (US Patent Application Publication No 2018/0139235 A1).

Regarding Claim 1, Chiba discloses an attack countermeasure determination apparatus comprising: 
receiving an arbitrary domain name as input (Chiba, p-493, ¶[Our System: Domain Profiler], DomainProfiler is composed of two major modules: monitoring and profiling. The profiling module detects/predicts malicious domain names from inputted target domain names by using the data collected with the monitoring module), and
acquiring setting information corresponding to the domain name, registration information corresponding to the domain name, and external information corresponding to an address corresponding to the domain name, as feature information on the domain name (Chiba, p-493, ¶[Monitoring Module], the monitoring module collects three types of information that will be used later in the profiling module. The first type of information is domain name lists. Legitimate/popular domain name list and malicious domain name list are collected to create a database. P-494, left column, the second type of information is historical DNS log which means time-series collections of the mappings between domain names and IP addresses. P-495, left column, the registration features are created from the IP addresses registration information corresponding to the rIPs of each target domain name. Registration information is obtained by referring to information of delegated IP addresses from all regional Internet registers (RIPs). P-495, right column, to acquire the features of related domain names (rDomains), a graph of rDomains for each target domain name is constructed using the historical DNS logs collected in the monitoring module. Fig-7 shows an example of rDomains for foo.example.com.); 
first specifying a pre-designated category for the domain name on the basis of the feature information (Chiba, p-496, ¶[Evaluation], three types of datasets are required for evaluation: target domain names, domain name list databases and historical DNS logs. P-496, right column, lines 1-20, the first dataset was target domain names, which were composed of training and test sets. To create the Legitimate-Alexa, fully qualified domain names (FQDNs) based on domain names listed in Alexa100k are extracted. For malicious hpHosts, FQDNs from 2LD names listed in hpHosts are extracted using a search engine. P-497, ¶[Parameter Tuning], two types of parameters are tuned: the size of the time window in temporal variation patterns (TVP), and the required parameters to run the random forest. P-498, ¶[Feature set Selection], the optimal parameters (time window size, number of trees, and number of sampled features) are selected. This section compares the detection performance with different feature sets), and
determining, in a stepwise manner, an attack countermeasure against the domain name in accordance with the specified category (Chiba, p-500, ¶[Evading DomainProfiler], if attackers do not use domain names, countermeasures may be taken by blocking them using IP addresses); and
Chiba does not explicitly teach the following limitation that Balderas teaches:
a memory (Desai, Fig-3/4, ¶[0092]); and 
a processor coupled to the memory and programmed to execute a process comprising (Desai, Fig-3/4, ¶[0091]): 
outputting attack countermeasure information corresponding to the attack countermeasure (Desai, ¶[0089], a real-time analysis of the requested domain is performed. If the domain is flagged for cybersquatting, a policy based action (e.g. block, caution, log, notify) can be taken. ¶[0090], the domain cybersquatting service can perform offline analysis of web access logs using the detection algorithm to identify squatted domains. The domains could be blacklisted, and subsequent attempts to access can trigger policy based action. Finally, additional security scanning can be performed on content from those domains).
wherein the stepwise manner includes at least three steps of specifying the domain name, specifying the pre-designated category, and determining the attack countermeasure (Desai, Fig-7 & 8, ¶[0059], the valid domains are legitimate domains specified by hostnames, e.g. www.zscaler.com, whereas the malicious domains are domains meant to look close to the valid domains to trigger social engineering, phishing, and other types of attacks, e.g. www.zscaller.com. ¶[0063], the domain cybersquatting method includes comparing the one or more unidentified domains to the known valid domains. ¶[0064], the comparison determines a statistical distance between the unidentified domain in question and the various known valid domains. Based on a threshold and the risk score, the unidentified domain can be classified as a potential cybersquatting attempt. ¶[0089], a real-time analysis of the requested domain is performed. If the domain is flagged for cybersquatting, a policy based action (e.g. block, caution, log, notify) can be taken).
Chiba in view of Desai are analogous art because they are from the “same field of endeavor” and are from the same “problem solving area”. Namely, they pertain to the field of “distributed data processing systems, domain name system and cyber-security and attack mitigation”. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to modify the invention of Chiba in view of Desai to include the idea of enhancing the security of the domain name system and the internet resources located using it.

Regarding Claim 2, Chiba in view of Desai discloses the attack countermeasure determination apparatus according to claim 1, wherein the first specifying sequentially determines attack countermeasure means, an attack countermeasure granularity, and an expiration date of the attack countermeasure (Chiba, p-500, ¶[Effectiveness of Temporal Variation Patterns], TVP is designed to detect changing malicious domain names. One type of malicious domain name is expired domain names due to the termination of services or the merger and acquisition of companies. Some of these expired domain names were re-registered by third party attackers. Also Desai, ¶[0089], a real-time analysis of the requested domain is performed. If the domain is flagged for cybersquatting, a policy based action (e.g. block, caution, log, notify) can be taken).

Regarding Claim 3, Chiba in view of Desai discloses the attack countermeasure determination apparatus according to claim 1, wherein the first specifying comprises: 
second specifying whether the domain name corresponds to a malicious domain name created by abusing an authorized service or an attack-specific domain name created for an attack only, by using information of the category specified for the domain name, determine attack countermeasure means for the specified domain name in accordance with a type of the specified domain name, and determining attack countermeasure means corresponding to the malicious domain name with respect to the domain name when the domain name corresponds to both the malicious domain name and the attack-specific domain name (Chiba, p-493, ¶[Monitoring Module], the monitoring module collects three types of information that will be used later in the profiling module. The first type of information is domain name lists. Legitimate/popular domain name list and malicious domain name list are collected to create a database. P-494, left column, the second type of information is historical DNS log which means time-series collections of the mappings between domain names and IP addresses. P-495, left column, the registration features are created from the IP addresses registration information corresponding to the rIPs of each target domain name. Registration information is obtained by referring to information of delegated IP addresses from all regional Internet registers (RIPs). P-495, right column, to acquire the features of related domain names (rDomains), a graph of rDomains for each target domain name is constructed using the historical DNS logs collected in the monitoring module. Fig-7 shows an example of rDomains for foo.example.com. Desai, ¶[0089], a real-time analysis of the requested domain is performed. If the domain is flagged for cybersquatting, a policy based action (e.g. block, caution, log, notify) can be taken).

Regarding Claim 4, Chiba in view of Desai discloses the attack countermeasure determination apparatus according to claim 1, wherein the first specifying comprises: 
third specifying operational features of the domain name from a state of an upper domain name or a lower domain name of the domain name or a state of content present under the domain name by using the information of the category specified for the domain name, and determining an attack countermeasure granularity for the domain name (Chiba, p-493, ¶[Monitoring Module], the monitoring module collects three types of information that will be used later in the profiling module. The first type of information is domain name lists. Legitimate/popular domain name list and malicious domain name list are collected to create a database. P-494, left column, the second type of information is historical DNS log which means time-series collections of the mappings between domain names and IP addresses. P-495, left column, the registration features are created from the IP addresses registration information corresponding to the rIPs of each target domain name. Registration information is obtained by referring to information of delegated IP addresses from all regional Internet registers (RIPs). P-495, right column, to acquire the features of related domain names (rDomains), a graph of rDomains for each target domain name is constructed using the historical DNS logs collected in the monitoring module. Fig-7 shows an example of rDomains for foo.example.com. Desai, ¶[0089], a real-time analysis of the requested domain is performed. If the domain is flagged for cybersquatting, a policy based action (e.g. block, caution, log, notify) can be taken).

Regarding Claim 5, Chiba in view of Desai discloses the attack countermeasure determination apparatus according to claim 1, wherein the first specifying comprises:
determining an expiration date of the attack countermeasure against the domain name by using the information of the category specified for the domain name (Chiba, p-500, ¶[Effectiveness of Temporal Variation Patterns], TVP is designed to detect changing malicious domain names. One type of malicious domain name is expired domain names due to the termination of services or the merger and acquisition of companies. Some of these expired domain names were re-registered by third party attackers.).

Regarding Claim 6, Chiba in view of Desai discloses the attack countermeasure determination apparatus according to claim 1, wherein the outputting outputs the attack countermeasure information in a data format corresponding to a type of an apparatus of an output destination (Desai, ¶[0089], a real-time analysis of the requested domain is performed. If the domain is flagged for cybersquatting, a policy based action (e.g. block, caution, log, notify) can be taken).

Regarding Claim 7, Chiba discloses an attack countermeasure determination method performed by an attack countermeasure determination apparatus, the attack countermeasure determination method comprising the steps of: 
a step of receiving an arbitrary domain name as input (Chiba, p-493, ¶[Our System: Domain Profiler], DomainProfiler is composed of two major modules: monitoring and profiling. The profiling module detects/predicts malicious domain names from inputted target domain names by using the data collected with the monitoring module), and
acquiring setting information corresponding to the domain name, registration information corresponding to the domain name, and external information corresponding to an address corresponding to the domain name, as feature information on the domain name (Chiba, p-493, ¶[Monitoring Module], the monitoring module collects three types of information that will be used later in the profiling module. The first type of information is domain name lists. Legitimate/popular domain name list and malicious domain name list are collected to create a database. P-494, left column, the second type of information is historical DNS log which means time-series collections of the mappings between domain names and IP addresses. P-495, left column, the registration features are created from the IP addresses registration information corresponding to the rIPs of each target domain name. Registration information is obtained by referring to information of delegated IP addresses from all regional Internet registers (RIPs). P-495, right column, to acquire the features of related domain names (rDomains), a graph of rDomains for each target domain name is constructed using the historical DNS logs collected in the monitoring module. Fig-7 shows an example of rDomains for foo.example.com); 
a step of specifying a pre-designated category for the domain name on the basis of the feature information (Chiba, p-496, ¶[Evaluation], three types of datasets are required for evaluation: target domain names, domain name list databases and historical DNS logs. P-496, right column, lines 1-20, the first dataset was target domain names, which were composed of training and test sets. To create the Legitimate-Alexa, fully qualified domain names (FQDNs) based on domain names listed in Alexa100k are extracted. For malicious hpHosts, FQDNs from 2LD names listed in hpHosts are extracted using a search engine. P-497, ¶[Parameter Tuning], two types of parameters are tuned: the size of the time window in temporal variation patterns (TVP), and the required parameters to run the random forest. P-498, ¶[Feature set Selection], the optimal parameters (time window size, number of trees, and number of sampled features) are selected. This section compares the detection performance with different feature sets), and
determining, in a stepwise manner, an attack countermeasure against the domain name in accordance with the specified category (Chiba, p-500, ¶[Evading DomainProfiler], if attackers do not use domain names, countermeasures may be taken by blocking them using IP addresses); and
Chiba does not explicitly teach the following limitation that Desai teaches:
a step of outputting attack countermeasure information corresponding to the attack countermeasure (Desai, ¶[0089], a real-time analysis of the requested domain is performed. If the domain is flagged for cybersquatting, a policy based action (e.g. block, caution, log, notify) can be taken. ¶[0090], the domain cybersquatting service can perform offline analysis of web access logs using the detection algorithm to identify squatted domains. The domains could be blacklisted, and subsequent attempts to access can trigger policy based action. Finally, additional security scanning can be performed on content from those domains);
wherein the stepwise manner includes at least three steps of specifying the domain name, specifying the pre-designated category, and determining the attack countermeasure (Desai, Fig-7 & 8, ¶[0059], the valid domains are legitimate domains specified by hostnames, e.g. www.zscaler.com, whereas the malicious domains are domains meant to look close to the valid domains to trigger social engineering, phishing, and other types of attacks, e.g. www.zscaller.com. ¶[0063], the domain cybersquatting method includes comparing the one or more unidentified domains to the known valid domains. ¶[0064], the comparison determines a statistical distance between the unidentified domain in question and the various known valid domains. Based on a threshold and the risk score, the unidentified domain can be classified as a potential cybersquatting attempt. ¶[0089], a real-time analysis of the requested domain is performed. If the domain is flagged for cybersquatting, a policy based action (e.g. block, caution, log, notify) can be taken).
Chiba in view of Desai are analogous art because they are from the “same field of endeavor” and are from the same “problem solving area”. Namely, they pertain to the field of “distributed data processing systems, domain name system and cyber-security and attack mitigation”. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to modify the invention of Chiba in view of Desai to include the idea of enhancing the security of the domain name system and the internet resources located using it.

Regarding Claim 8, Chiba discloses a non-transitory computer-readable recording medium having stored therein an attack countermeasure determination program for causing a computer to execute a process comprising: 
a step of receiving an arbitrary domain name as input (Chiba, p-493, ¶[Our System: Domain Profiler], DomainProfiler is composed of two major modules: monitoring and profiling. The profiling module detects/predicts malicious domain names from inputted target domain names by using the data collected with the monitoring module), and
acquiring setting information corresponding to the domain name, registration information corresponding to the domain name, and external information corresponding to an address corresponding to the domain name, as feature information on the domain name (Chiba, p-493, ¶[Monitoring Module], the monitoring module collects three types of information that will be used later in the profiling module. The first type of information is domain name lists. Legitimate/popular domain name list and malicious domain name list are collected to create a database. P-494, left column, the second type of information is historical DNS log which means time-series collections of the mappings between domain names and IP addresses. P-495, left column, the registration features are created from the IP addresses registration information corresponding to the rIPs of each target domain name. Registration information is obtained by referring to information of delegated IP addresses from all regional Internet registers (RIPs). P-495, right column, to acquire the features of related domain names (rDomains), a graph of rDomains for each target domain name is constructed using the historical DNS logs collected in the monitoring module. Fig-7 shows an example of rDomains for foo.example.com); 
a step of specifying a pre-designated category for the domain name on the basis of the feature information (Chiba, p-496, ¶[Evaluation], three types of datasets are required for evaluation: target domain names, domain name list databases and historical DNS logs. P-496, right column, lines 1-20, the first dataset was target domain names, which were composed of training and test sets. To create the Legitimate-Alexa, fully qualified domain names (FQDNs) based on domain names listed in Alexa100k are extracted. For malicious hpHosts, FQDNs from 2LD names listed in hpHosts are extracted using a search engine. P-497, ¶[Parameter Tuning], two types of parameters are tuned: the size of the time window in temporal variation patterns (TVP), and the required parameters to run the random forest. P-498, ¶[Feature set Selection], the optimal parameters (time window size, number of trees, and number of sampled features) are selected. This section compares the detection performance with different feature sets), and
determining, in a stepwise manner, an attack countermeasure against the domain name in accordance with the specified category (Chiba, p-500, ¶[Evading DomainProfiler], if attackers do not use domain names, countermeasures may be taken by blocking them using IP addresses); and
Chiba does not explicitly teach the following limitation that Desai teaches:
a step of outputting attack countermeasure information corresponding to the attack countermeasure (Desai, ¶[0089], a real-time analysis of the requested domain is performed. If the domain is flagged for cybersquatting, a policy based action (e.g. block, caution, log, notify) can be taken. ¶[0090], the domain cybersquatting service can perform offline analysis of web access logs using the detection algorithm to identify squatted domains. The domains could be blacklisted, and subsequent attempts to access can trigger policy based action. Finally, additional security scanning can be performed on content from those domains);
wherein the stepwise manner includes at least three steps of specifying the domain name, specifying the pre-designated category, and determining the attack countermeasure (Desai, Fig-7 & 8, ¶[0059], the valid domains are legitimate domains specified by hostnames, e.g. www.zscaler.com, whereas the malicious domains are domains meant to look close to the valid domains to trigger social engineering, phishing, and other types of attacks, e.g. www.zscaller.com. ¶[0063], the domain cybersquatting method includes comparing the one or more unidentified domains to the known valid domains. ¶[0064], the comparison determines a statistical distance between the unidentified domain in question and the various known valid domains. Based on a threshold and the risk score, the unidentified domain can be classified as a potential cybersquatting attempt. ¶[0089], a real-time analysis of the requested domain is performed. If the domain is flagged for cybersquatting, a policy based action (e.g. block, caution, log, notify) can be taken).
Chiba in view of Desai are analogous art because they are from the “same field of endeavor” and are from the same “problem solving area”. Namely, they pertain to the field of “distributed data processing systems, domain name system and cyber-security and attack mitigation”. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to modify the invention of Chiba in view of Desai to include the idea of enhancing the security of the domain name system and the internet resources located using it.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure (see PTO-Form 892).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WASIKA NIPA whose telephone number is (571)272-8923.  The examiner can normally be reached on M-F, 8 am to 5 pm. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on 571-272-6798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/WASIKA NIPA/           Primary Examiner, Art Unit 2433