DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows: 
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claim 20 is rejected under 35 U.S.C. 101 because claim 20 represents a claim that does not fall within one of the four statutory categories of invention. Since the claimed computer readable storage medium may be software carried on a wave, the claim as a whole can be considered to be only a carrier wave which is not a "process", "machine" or "article of manufacture". 
The claim may be amended by changing “computer readable storage medium” to -- non-transitory computer readable storage medium --, thus excluding that portion of the scope covering transitory signals.  


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-13 are rejected under 35 U.S.C. 103 as being unpatentable over Wood, publication number: US 2014/0310394 in view of Xu, patent number: US 9 917 852.

As per claim 1, Wood teaches a system, comprising:
a processor configured to:
receive a set of DNS query records that represent DNS queries made by a plurality of client devices (network traffic data, [0020]);
generate a first DNS query signature that represents a pattern of DNS queries for a first domain, previously determined to be malicious, using at least a portion of the received set of DNS query records (generating signature based on known patterns, [0022], DNS querying, [0018]);
generate a second DNS query signature for a second domain using at least a portion of the received set of DNS query records (Second signature, [0023]); and
compare the first DNS query signature and the second DNS query signature, and identify the second DNS query signature as malicious based on a detected match between the first DNS query signature and the second DNS query signature (comparing new signatures with known ones, [0023], identifying dangerous applications, [0002]); 
and 
a memory coupled to the processor and configured to provide the processor with instructions (memory, [0017][0019]).

Wood does not teach prefiltering the received DNS query records to remove at least a portion of the DNS queries based on a set of criteria, and classifying a second domain as a malicious domain.
In an analogous art, Xu teaches prefiltering the received DNS query records to remove at least a portion of the DNS queries based on a set of criteria (removing known or whitelisted records, col. 19, line 28 – col. 20, line 6) and classifying a second domain as a malicious domain (reporting after determining maliciousness, col. 16, lines 27-42).
Therefore, it would have been obvious to one of ordinary skill in the art prior to the effective filing date of the invention to modify Wood’s detection system to exclude well-known sites as described in Xu’s detection system for the advantage of reducing the processing load placed on the system.


As per claim 2, the combination teaches wherein the first DNS query signature is generated at least in part by counting a number of requests for the first domain in a time interval (Wood: Patterns, [0023][0035]).

As per claim 3, the combination teaches wherein the first DNS query signature is generated at least in part by aggregating a plurality of counts for a plurality of time intervals into a time series (Wood: Bins, [0022][0030]).

As per claim 4, the combination teaches wherein generating the first DNS query signature includes validating the first DNS query signature (Wood: Fourier transforms, [0022]).

As per claim 5, the combination teaches wherein validating the first DNS query signature includes performing a fast Fourier transform (Wood: Fourier transforms, [0022]).

As per claim 6, the combination teaches wherein the prefiltering includes removing DNS query records associated with one or more benign domains (Xu: excluding whitelisted sites from the analysis, col. 19, line 28 – col. 20, line 6).

As per claim 7, the combination teaches wherein the prefiltering includes removing DNS query records associated with NX domains (Wood: excluding NX domains from the analysis, col. 19, line 28 – col. 20, line 6).

As per claim 8, the combination teaches wherein comparing the first DNS query signature and the second DNS query signature includes determining a product-moment correlation coefficient using the respective first and second DNS query signatures (Wood: Threshold, [0030]).

As per claim 9, the combination teaches wherein comparing the first DNS query signature and the second DNS query signature includes performing a shift on the second DNS query signature (Wood: deviations, [0030][0032]).

As per claim 10, the combination teaches wherein the processor is further configured to associate malware family information pertinent to the first domain with the second domain (Wood: associating with known patterns, [0023]).

As per claim 11, the combination teaches wherein the processor is further configured to associate malicious behavioral information pertinent to the first domain with the second domain (Wood: associating with known patterns, [0023]).

As per claim 12, the combination teaches wherein the processor is further configured to provide an indicator of the second domain’s maliciousness to a security appliance (Wood: associating with known patterns, [0023]).

As per claim 13, the combination teaches wherein the processor is further configured to provide the first DNS query signature to a security appliance (Wood: Adding to library, [0022]).
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.


Claims 14-16 and 18-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Wood, publication number: US 2014/0310394.

As per claims 14 and 20, Wood teaches a method, comprising:
receive a set of DNS query records (network traffic data, [0020]);
generate a first DNS query signature for a first domain, previously determined to be malicious, using at least a portion of the received set of DNS query records (generating signature based on known patterns, [0022], DNS querying, [0018]);
generate a second DNS query signature for a second domain using at least a portion of the received set of DNS query records (Second signature, [0023]); and
compare the first DNS query signature and the second DNS query signature, and identify the second DNS query signature as malicious based on a detected match between the first DNS query signature and the second DNS query signature (comparing new signatures with known ones, [0023], identifying dangerous applications, [0002]).

As per claim 15, Wood teaches wherein the first DNS query signature is generated at least in part by counting a number of requests for the first domain in a time interval (Patterns, [0023][0035]).

As per claim 16, Wood teaches wherein generating the first DNS query signature includes performing a fast Fourier transform (Fourier transforms, [0022]).

As per claim 18, Wood teaches wherein comparing the first DNS query signature and the second DNS query signature includes determining a product-moment correlation coefficient using the respective first and second DNS query signatures (Threshold, [0030]).

As per claim 19, Wood teaches wherein comparing the first DNS query signature and the second DNS query signature includes performing a shift on the second DNS query signature (deviations, [0030][0032]).


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over Wood, publication number: US 2014/0310394 in view of Xu, patent number: US 9 917 852.

As per claim 17, Wood teaches recognizing problematic DNS trends. 
Wood does not teach wherein generating the second DNS query signature includes filtering out DNS query records associated with one or more benign domains.
In an analogous art, Xu teaches wherein generating the second DNS query signature includes filtering out DNS query records associated with one or more benign domains (excluding whitelisted sites from the analysis, col. 19, line 28 – col. 20, line 6).

Therefore, it would have been obvious to one of ordinary skill in the art prior to the effective filing date of the invention to modify Wood’s detection system to exclude well-known sites as described in Xu’s detection system for the advantage of reducing the processing load placed on the system.



Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to OLUGBENGA O IDOWU whose telephone number is (571)270-1450. The examiner can normally be reached Monday-Friday 8am - 5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung Kim, can be reached on 571-272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/OLUGBENGA O IDOWU/Primary Examiner, Art Unit 2494