DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on March 30, 2021 has been considered. The submission is in compliance with the provisions of 37 CFR 1.97. Form PTO-1449 is signed and attached hereto.

Drawings
The drawings filed on March 30, 2021 are accepted.

Specification
The specification filed March 30, 2021 is accepted.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claim 20 is rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. The claim does not fall within at least one of the four categories of patent eligible subject matter. Claim 20 recites a computer readable storage medium understood by the examiner in view of the specification, which could be implemented with electronic signals. An electronic signal does not fall under one of the four categories of eligible subject matter. Claim 20 is rejected as being directed to non-statutory subject matter (i.e., signal). 

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.
Claims 1-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Antonakakis et al. US 2013/0191915 A1 [hereinafter Antonakakis].

As per claims 1, 14 and 20, Antonakakis teaches a system, comprising: a processor configured to: 
receive a Domain Name System (DNS) stream, wherein the DNS stream includes a DNS query and a DNS response for resolution of the DNS query (i.e., monitoring DNS query/response messages, paragraphs 0008-0009);
detect DNS activity associated with a malicious dictionary associated with a new Dictionary Domain Generation Algorithms (DDGA) malware based on monitored live DNS traffic, wherein detecting DNS activity associated with a malicious dictionary associated with a new DDGA malware based on monitored live DNS traffic comprises identifying a malicious dictionary based on a graph generated based on the DNS stream [paragraphs 0008-0011]; and 
perform a mitigation action in response to detecting the DNS activity associated with the malicious dictionary associated with the new DDGA malware; and a memory coupled to the processor and configured to provide the processor with instructions [paragraphs 0010-0013].

As per claims 2 and 15, Antonakakis further teaches the system wherein the mitigation action includes blocking the DNS response (i.e., blocking botnet traffic, paragraph 0007).

As per claims 3 and 16, Antonakakis further teaches the system wherein the DNS response for resolution of the DNS query includes an IP address, and wherein the processor is further configured to: add the IP address associated with a potentially malicious network domain to a blacklist [paragraph 0013].

As per claims 4 and 17, Antonakakis further teaches the system wherein the DNS response for resolution of the DNS query includes an IP address, and wherein the processor is further configured to: send the IP address associated with a potentially malicious network domain to a firewall [paragraph 0013].

As per claims 5 and 18, Antonakakis further teaches the system wherein the processor is further configured to perform one or more mitigation actions comprising to: generate a firewall rule based on a potentially malicious network domain; configure a network device to block network communications with the potentially malicious network domain; quarantine an infected host, wherein the infected host is determined to be infected based on an association with the potentially malicious network domain; and add the potentially malicious network domain to a reputation feed [paragraph 0013].

As per claims 6 and 19, Antonakakis further teaches the system wherein the processor is further configured to: identify a source IP address, a source host, or an attempt to query a potentially malicious network domain [paragraphs 0008-0011].

As per claim 7, Antonakakis further teaches the system wherein the DNS stream includes NXDOMAIN traffic [paragraphs 0008-0011].

As per claim 8, Antonakakis further teaches the system wherein the DNS stream is automatically filtered to identify natural language related domains included in the DNS stream [paragraphs 0008-0011].

As per claim 9, Antonakakis further teaches the system wherein the DNS stream is automatically filtered to identify natural language related domains included in the DNS stream using a classifier [paragraphs 0008-0011].

As per claim 10, Antonakakis further teaches the system wherein the DNS stream is automatically filtered to remove domains associated with traditional DGA malware [paragraphs 0008-0011].

As per claim 11, Antonakakis further teaches the system wherein the processor is further configured to: filter the DNS stream, wherein the DNS stream is automatically filtered using a classifier to identify natural language related domains included in the DNS stream; and output the filtered DNS stream for generating the graph using the identified natural language related domains included in the DNS stream [paragraphs 0008-0011].

As per claim 12, Antonakakis further teaches the system wherein the processor is further configured to: filter the DNS stream, wherein the DNS stream is automatically filtered using a classifier to identify natural language related domains included in the DNS stream; and output the filtered DNS stream for clustering the identified natural language related domains included in the DNS stream prior to generating the graph based on the DNS stream [paragraphs 0008-0011].

As per claim 13, Antonakakis further teaches the system wherein the processor is further configured to: detect command and control botnet related activity based on the malicious dictionary [paragraphs 0008-0011].
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BEEMNET W DADA whose telephone number is (571)272-3847. The examiner can normally be reached Monday-Friday, 9am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on 571-272-3685. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

BEEMNET W. DADA
Primary Examiner
Art Unit 2435
/BEEMNET W DADA/               Primary Examiner, Art Unit 2435