Notice of Pre-AIA or AIA Status
The present application is being examined under the pre-AIA first to invent provisions.

DETAILED ACTION
1. This action is in response to the amendment and argument filed on 30 June 2022.
2. Claims 1-20 remain pending and rejected.

Response to Arguments

3. 	The applicant’s arguments filed on 30 June 2022 have been fully considered but they are not persuasive. In the Remarks, the applicant has argued in substance:
	
Argument:
“However, beyond brief citations to paragraphs [0015] and [0016] of Xie, the Office does not explain which specific elements of Xie from paragraphs [0015] and [0016] are being interpreted as the "monitored server," the "adversary server," or the "network address" of the monitored server that are recited in claim 1. Applicant respectfully submits that Xie does not describe any type of response that includes "a network address of a monitored server" that could "cause the requesting process to communicate with the monitored server instead of an adversary server," as claim 1 recites.”
Response:
Examiner respectfully disagrees, because the examiner looked at the claim limitation and interpreted it without bringing/adding any limitation from the Specification into the claim. Under the broadest reasonable interpretation (BRI), the claim recites “receiving request” in the first line and “determining that a domain name” in the second line. Is this done by a DNS provider, or just a computer/server, or a human, or what? Since it is a method claim, it is not clear how (steps) and what (function) is involved. Therefore, based on this analysis, any machine/server/device/computer/etc. can receive a DNS request for returning a corresponding result, such as an IP address. If we look at paragraphs 12 and 18, in addition to the previously cited portions of Xie, it is clearly mentioned that a DNS query/request is received from a client and, based on some condition, is forwarded/redirected to a DNS server, which determines/identifies whether the extracted domain is malicious or not; the DNS communication is monitored and analyzed to resolve the DNS request into an IP address, which is the same as the claim limitation (second line) of claim 1. For that reason, the rejection is sustained.
Argument:
“Applicant respectfully submits that Xie does not describe returning an IP address, or any other network address”.
Response:
	Please see the response above.

Claim Rejections - 35 USC § 102

4.	The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-20 are rejected under 35 U.S.C. §102(a)(2) as being anticipated by Xie Huagang (US Publication No. 20120303808), hereinafter Xie.

Regarding claim 1: 
receiving a domain name resolution request from a requesting process operating on a device (Xie, abstract, ¶18).
determining that a domain name included in the domain name resolution request is indicative of malicious activity (Xie, ¶10, 12, 18).
and responding to the domain name resolution request with a network address of a monitored server to cause the requesting process to communicate with the monitored server instead of an adversary server (Xie, ¶15-16, 18).
Regarding claim 2: 
wherein the receiving comprises receiving the domain name resolution request as a redirected domain name resolution request redirected from a domain name server (Xie, ¶9).
Regarding claim 3:
wherein the determining comprises determining at least one of: that the domain name is included in a list of known malicious or suspicious domains, that the domain name is unfamiliar, that the domain name is associated with a specific geographic location, or that the domain name is associated with a specific entity (Xie, ¶10).
Regarding claim 4: 
wherein the adversary server is an adversary command-and-control system or an adversary exfiltration system, and the monitored server poses as the adversary command-and-control system or the adversary exfiltration system during communications with the requesting process (Xie, ¶18).
Regarding claim 5:
wherein the monitored server decodes communications from the requesting process (Xie, ¶4).
Regarding claim 6: 
wherein the monitored server determines that the requesting process is utilizing a specific protocol to encode communications, and performs at least one of selecting a corresponding communications protocol for decoding the communications, or attempting to learn the specific protocol (Xie, ¶12, 18).
Regarding claim 7:
further comprising sending an alert to at least one of a security agent executing on the device or a client entity associated with the device (Xie, ¶13).
Regarding claim 8: 
further comprising transitioning an attack associated with the requesting process from the device to a monitored device, wherein the monitored device poses as the device originally impacted by the attack (Xie, ¶1).
Regarding claim 9: 
further comprising, in response to the determining, configuring the monitored server with one or more protocols utilized by the requesting process to enable the monitored server to pose as the adversary server during communications with the requesting process (Xie, ¶9).
Regarding claim 10:
A system comprising: one or more processors; 
memory storing computer-executable instructions that, when executed by the one or more processors, cause the system to perform operations comprising: receiving a domain name resolution request from a requesting process operating on a device (Xie, abstract, ¶7).
determining that a domain name included in the domain name resolution request is indicative of malicious activity (Xie, ¶10).
and responding to the domain name resolution request with a network address of a monitored server to cause the requesting process to communicate with the monitored server instead of an adversary server (Xie, ¶15-16).
Regarding claim 11: 
wherein the determining comprises determining at least one of: that the domain name is included in a list of known malicious or suspicious domains, that the domain name is unfamiliar, that the domain name is associated with a specific geographic location, or that the domain name is associated with a specific entity (Xie, ¶10).
Regarding claim 12:
wherein the operations further comprise sending an alert to at least one of a security agent executing on the device or a client entity associated with the device (Xie, ¶13).
Regarding claim 13:
wherein the operations further comprise transitioning an attack associated with the requesting process from the device to a monitored device, wherein the monitored device poses as the device originally impacted by the attack (Xie, ¶1).
Regarding claim 14: 
wherein the operations further comprise, in response to the determining, configuring the monitored server with one or more protocols utilized by the requesting process to enable the monitored server to pose as the adversary server during communications with the requesting process (Xie, ¶9).
Regarding claim 15:
a monitored server configured to pose as an adversary server (Xie, ¶12).
and a security system computing device configured to: receive a domain name resolution request from a requesting process operating on a device (Xie, abstract).
determine that a domain name included in the domain name resolution request is indicative of malicious activity (Xie, ¶10).
and respond to the domain name resolution request with a network address of the monitored server to cause the requesting process to communicate with the monitored server instead of the adversary server (Xie, ¶15-16).
Regarding claim 16: 
wherein the monitored server is configured to decode communications from the requesting process (Xie, ¶4).
Regarding claim 17: 
wherein the monitored server is configured to determine that the requesting process is utilizing a specific protocol to encode communications, and to perform at least one of selecting a corresponding communications protocol for decoding the communications, or attempting to learn the specific protocol (Xie, ¶14).
Regarding claim 18:
wherein the security system computing device is configured to send an alert to at least one of a security agent executing on the device or a client entity associated with the device (Xie, ¶13).
Regarding claim 19:
wherein the security system computing device is configured to transition an attack associated with the requesting process from the device to a monitored device of the security service system, wherein the monitored device poses as the device originally impacted by the attack (Xie, ¶1).
Regarding claim 20: 
wherein the security system computing device is configured to configure the monitored server with one or more protocols utilized by the requesting process to enable the monitored server to pose as the adversary server during communications with the requesting process (Xie, ¶9).
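The three steps of claim 1, with the four determination criteria of claim 3 and the alert of claim 7, describe a DNS sinkhole: a resolver that answers a query for a domain indicative of malicious activity with the address of a server the defender controls and monitors. The following is an added example written for this page; it is not code from the application, from Xie, or from any product. It parses a DNS query packet constructed inline, classifies the queried domain, and, when the domain is flagged, builds a wire-format response whose A record points at a monitored server. The blocklist, allowlist, flagged TLD, entity suffix, and the RFC 5737 address 192.0.2.10 are all constructed sample values, and the "unfamiliar" rule (anything not on the known-good list) stands in for the first-seen baseline a real deployment would keep.

```python
"""DNS sinkhole decision and response builder (added example, constructed inputs)."""
import ipaddress
import struct
from typing import Optional

# Constructed policy inputs; stand-ins for the lists a security system would maintain.
KNOWN_MALICIOUS = {"c2.example-bad.test"}            # "included in a list of known malicious domains"
KNOWN_GOOD = {"updates.example.test", "www.example.test"}  # baseline; anything else is "unfamiliar"
FLAGGED_TLDS = {"test-geo"}                           # "associated with a specific geographic location"
FLAGGED_ENTITY_SUFFIXES = {"adversary-org.test"}      # "associated with a specific entity"
MONITORED_SERVER_IP = "192.0.2.10"                    # monitored server (RFC 5737 documentation range)


def build_query(domain: str, tid: int = 0x1234) -> bytes:
    """Construct a standard A-record query packet (used here to fabricate test input)."""
    header = struct.pack("!HHHHHH", tid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in domain.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_query(packet: bytes):
    """Return (transaction id, qname, qtype, qclass, raw question section) from a query."""
    tid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("expected a query with exactly one question")
    labels, pos = [], 12
    while packet[pos] != 0:                # walk the length-prefixed labels
        n = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    pos += 1                               # skip the terminating zero byte
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    pos += 4
    return tid, ".".join(labels).lower(), qtype, qclass, packet[12:pos]


def classify_domain(domain: str) -> Optional[str]:
    """Return why a domain is indicative of malicious activity, or None if it is not."""
    if domain in KNOWN_MALICIOUS:
        return "listed"
    if any(domain == s or domain.endswith("." + s) for s in FLAGGED_ENTITY_SUFFIXES):
        return "entity"
    if domain.rsplit(".", 1)[-1] in FLAGGED_TLDS:
        return "geo"
    if domain not in KNOWN_GOOD:
        return "unfamiliar"
    return None


def build_sinkhole_response(query: bytes, ip: str, ttl: int = 60) -> bytes:
    """Answer the query's question with a single A record for ip (the monitored server)."""
    tid, _qname, _qtype, _qclass, question = parse_query(query)
    header = struct.pack("!HHHHHH", tid, 0x8180, 1, 1, 0, 0)  # QR|RD|RA, 1 question, 1 answer
    # Name pointer to offset 12 (the question name), TYPE A, CLASS IN, TTL, RDLENGTH 4, address.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + answer


def answer_ip(response: bytes) -> str:
    """Extract the IPv4 address from a single-answer A response built above."""
    return str(ipaddress.IPv4Address(response[-4:]))


def handle_query(packet: bytes) -> dict:
    """Decide whether to sinkhole or forward; returns the response and an alert record if any."""
    _tid, domain, qtype, _qclass, _q = parse_query(packet)
    reason = classify_domain(domain) if qtype == 1 else None  # only A queries are sinkholed here
    if reason is None:
        return {"action": "forward", "domain": domain, "reason": None, "response": None, "alert": None}
    response = build_sinkhole_response(packet, MONITORED_SERVER_IP)
    alert = {"domain": domain, "reason": reason, "sinkhole": MONITORED_SERVER_IP}  # to agent/client
    return {"action": "sinkhole", "domain": domain, "reason": reason, "response": response, "alert": alert}


if __name__ == "__main__":
    for name in ("c2.example-bad.test", "www.example.test", "beacon.adversary-org.test"):
        result = handle_query(build_query(name))
        print(name, result["action"], result["reason"])
```

The transaction ID and question section are copied from the query so the requesting process accepts the answer as a normal resolution, which is what causes it to connect to the monitored server rather than the adversary's. Queries for record types other than A are passed through unchanged, because the sinkhole only has an IPv4 address to offer.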

Conclusion

5.	THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure (see form PTO-892, “Notice of References Cited”).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MONJUR RAHIM whose telephone number is (571)270-3890.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewye Gelagay can be reached on 571-272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Monjur Rahim/
Patent Examiner
United States Patent and Trademark Office
Art Unit: 2436; Phone: 571.270.3890
E-mail: monjur.rahim@uspto.gov
Fax: 571.270.4890