DETAILED ACTION

1.	Claims 1-19 are presented for consideration.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

2.	Claims 1-5, 8, 9, 12, 13, and 16-19 are rejected under 35 U.S.C. 103 as being unpatentable over Thakar et al. [ US Patent Application No 2018/0115582 ], in view of Olumofin [ US Patent Application No 2020/0228500 ].

3.	As per claim 1, Thakar discloses the invention as claimed including a system, comprising:
	a processor configured to:
	receive a DNS query [ i.e. receive DNS request ] [ 402, Figure 4A; Abstract and paragraph 0058 ] comprising a subdomain portion and a root domain portion from a client device [ i.e. labels and top/second level domain ] [ paragraph 0004, 0020, and 0021 ];
	determine that the root domain portion received in the DNS query is associated with a malicious DNS tunneling root domain [ i.e. identify domain as potentially engaging in DNS tunneling ] [ 428, Figure 4B; 442, Figure 4C; and paragraphs 0043, 0044, 0067, and 0070 ]; and
	take a remedial action in response to the determining [ i.e. blocks or prevent further DNS traffic with the suspicious domain ] [ paragraphs 0033, 0043, and 0055 ]; and
	a memory coupled to the processor and configured to provide the processor with instructions [ Figure 2 ].
	Thakar does not specifically disclose
	wherein the determination is based at least in part on information obtained from at least one of: (1) an anomaly detector that evaluates a feature vector associated with the root domain portion or (2) a similarity detector configured to use a set of previously determined regular expressions corresponding to at least one previously identified malicious DNS tunneling root domain.
	Olumofin discloses
	wherein the determination is based at least in part on information obtained from at least one of: (1) an anomaly detector that evaluates a feature vector associated with the root domain portion or (2) a similarity detector configured to use a set of previously determined regular expressions corresponding to at least one previously identified malicious DNS tunneling root domain [ i.e. filter (e.g. block or blacklist) a DNS query/request that was determined to be associated with a bad network domain (e.g. domain name/FQDN that was determined to be a homograph of a target domain name) ] [ Figure 2; and paragraphs 0041, 0042, 0058 and 0076 ].
	It would have been obvious to a person skilled in the art before the effective filing date of the claimed invention to combine the teaching of Thakar and Olumofin because the teaching of Olumofin would provide techniques for detecting homographs of domain names, including providing a model that is generated using deep learning techniques [ Olumofin, paragraph 0019 ].

4.	As per claim 2, Thakar discloses wherein taking the remedial action includes preventing the client device from communicating with a malicious DNS server [ i.e. blocks or prevent further DNS traffic with the suspicious domain ] [ paragraphs 0033, 0043, and 0055 ].

5.	As per claim 3, Thakar discloses wherein, in response to receiving the DNS query, the feature vector associated with the root domain portion is updated [ i.e. store fields associated with DNS request ] [ paragraphs 0043, 0044, 0051, and 0067 ].

6.	As per claim 4, Thakar discloses wherein the feature vector maintains information for a sliding time window of DNS query information [ i.e. the most recent time stamp may be considered to be the last DNS request ] [ paragraphs 0049, and 0064 ].

7.	As per claim 5, Thakar discloses wherein a feature included in the feature vector represents a number of distinct fully qualified domain names associated with the root domain portion [ i.e. count ] [ paragraphs 0048, and 0054 ].

8.	As per claim 8, Thakar discloses wherein a feature included in the feature vector represents an average length of fully qualified domain names associated with the root domain portion [ i.e. length of FQDN ] [ paragraphs 0048, and 0059 ].

9.	As per claim 9, Thakar discloses wherein a feature included in the feature vector represents a ratio of record type queries [ i.e. CNAME, MX, and TXT resource records ] [ paragraphs 0051, and 0052 ].

10.	As per claim 12, Thakar discloses wherein a feature included in the feature vector represents entropy of fully qualified domain names associated with the root domain portion [ paragraphs 0043, and 0044 ].

11.	As per claim 13, Thakar discloses wherein a feature included in the feature vector represents whether or not the root domain portion is associated with a trusted authoritative DNS server [ i.e. legitimate or suspicious ] [ paragraphs 0059, and 0060 ].

12.	As per claim 16, Olumofin discloses wherein determining that the root domain portion received in the DNS query is associated with the malicious DNS tunneling root domain includes identifying a common regular expression pattern in the received DNS query and a domain associated with the malicious DNS tunneling root domain [ paragraph 0050 ].

13.	As per claim 17, Thakar discloses wherein determining that the root domain portion received in the DNS query is associated with the malicious DNS tunneling root domain includes determining that a DNS server associated with the root domain portion and with the malicious DNS tunneling root domain share an IP address [ paragraphs 0015, and 0054 ].

14.	As per claim 18, it is rejected for similar reasons as stated above in claim 1.

15.	As per claim 19, it is rejected for similar reasons as stated above in claim 1.


16.	Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Thakar et al. [ US Patent Application No 2018/0115582 ], in view of Olumofin [ US Patent Application No 2020/0228500 ], and further in view of Fakeri-Tabrizi et al. [ US Patent Application No 2016/0065611 ].

17.	As per claim 6, Thakar in view of Olumofin does not specifically disclose wherein a feature included in the feature vector represents an average DNS query count for each fully qualified domain name associated with the root domain portion.  Fakeri-Tabrizi discloses wherein a feature included in the feature vector represents an average DNS query count for each fully qualified domain name associated with the root domain portion [ i.e. average or median count values ] [ paragraphs 0009, and 0048 ].  It would have been obvious to a person skilled in the art before the effective filing date of the claimed invention to combine the teaching of Thakar, Olumofin, and Fakeri-Tabrizi because the teaching of Fakeri-Tabrizi would provide a system and method for detecting anomaly trends in DNS request streams [ Fakeri-Tabrizi, paragraph 0002 ].


18.	Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Thakar et al. [ US Patent Application No 2018/0115582 ], in view of Olumofin [ US Patent Application No 2020/0228500 ], and further in view of Takeuchi et al. [ US Patent Application No 2002/0111769 ].

19.	As per claim 7, Thakar in view of Olumofin does not specifically disclose wherein a feature included in the feature vector represents a Jeffrey distribution of DNS query counts for all fully qualified domain names associated with the root domain portion.  Takeuchi discloses wherein a feature included in the feature vector represents a Jeffrey distribution of DNS query counts for all fully qualified domain names associated with the root domain portion [ i.e. Jeffreys distribution ] [ Abstract; and paragraphs 0013, and 0015 ].  It would have been obvious to a person skilled in the art before the effective filing date of the claimed invention to combine the teaching of Thakar, Olumofin and Takeuchi because the teaching of Takeuchi would provide a method which is capable of preventing a reduction of performance [ Takeuchi, paragraph 0010 ].


20.	Claims 10, 11 are rejected under 35 U.S.C. 103 as being unpatentable over Thakar et al. [ US Patent Application No 2018/0115582 ], in view of Olumofin [ US Patent Application No 2020/0228500 ], and further in view of Wyschogrod et al. [ US Patent Application No 2012/0054860 ].

21.	As per claim 10, Thakar in view of Olumofin does not specifically disclose wherein a feature included in the feature vector represents a ratio of meaningful words in fully qualified domain names associated with the root domain portion.  Wyschogrod discloses wherein a feature included in the feature vector represents a ratio of meaningful words in fully qualified domain names associated with the root domain portion [ i.e. words ] [ paragraphs 0017, and 0053 ].  It would have been obvious to a person skilled in the art before the effective filing date of the claimed invention to combine the teaching of Thakar, Olumofin, and Wyschogrod because the teaching of Wyschogrod would enable detection of covert DNS tunnels using n-grams [ Wyschogrod, paragraph 0004 ].

22.	As per claim 11, Wyschogrod discloses wherein a feature included in the feature vector represents an n-gram frequency of fully qualified domain names associated with the root domain portion [ Abstract; and paragraph 0017 ].


23.	Claims 14, and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Thakar et al. [ US Patent Application No 2018/0115582 ], in view of Olumofin [ US Patent Application No 2020/0228500 ], and further in view of Baughman et al. [ US Patent Application No 2018/0063162 ].

24.	As per claim 14, Thakar in view of Olumofin does not specifically disclose wherein the updated feature vector is compared against a previously built benign traffic model.  Baughman discloses wherein the updated feature vector is compared against a previously built benign traffic model [ i.e. benign classification ] [ paragraph 0060 ].  It would have been obvious to a person skilled in the art before the effective filing date of the claimed invention to combine the teaching of Thakar, Olumofin and Baughman because the teaching of Baughman would provide a DNS tunneling detection operation that prohibits independent actors from defining their own protocol and implementing a purposely written client and host program to carry out arbitrary communications [ Baughman, paragraph 0017 ].

25.	As per claim 15, Baughman discloses wherein the previously built benign traffic model comprises an isolation forest [ paragraph 0062 ].

Response to Arguments

26.	Applicant’s arguments with respect to claim(s) 1-19 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to DUSTIN NGUYEN whose telephone number is (571)272-3971. The examiner can normally be reached Monday-Friday 9-6 PST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Brian Gillis can be reached on 571-2727952. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/DUSTIN NGUYEN/Primary Examiner, Art Unit 2446