Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claims 1-20 are pending. Claims 1 and 12-17 have been amended. 
	In view of the applicant’s amendments, the interpretation of claims 12-16 under 35 U.S.C. 112(f) has been removed, and the rejections of the claims under 35 U.S.C. 112(a) and 112(b) have been withdrawn.
Response to Amendments
	Applicant’s amendments filed on 10-03-2022 have been considered and entered.
Response to Arguments
	Applicant's amendments/arguments filed on 10-03-2022 have been fully considered and are persuasive. However, upon further consideration, a new ground of rejection is made, as shown in the office action below.
Claim Rejections - 35 USC § 103
		The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

	Claims 1-3 and 6 are rejected under 35 U.S.C. 103 as being unpatentable over Compton et al. (US Publication No. 2020/0067970), hereinafter Compton, in view of Hou et al. (US Patent No. 10,176,325), hereinafter Hou, further in view of Akiyama et al. (US Publication No. 2016/0134658), hereinafter Akiyama.
	As per claim 1, Compton discloses, a malware detection system, comprising: a microprocessor configured to: operate an endpoint security sensor to detect a malicious data packet associated with a command and control (C2) website (paragraph [0017], “malware infected computing devices in the malicious botnet typically communicate with a command and control (C2) server ((C2) web site) of the malicious attacker directing the malware infected computing devices to perform various malicious task”; [0021], a botnet mitigation controller server inspects Internet traffic to determine if the Internet traffic is malicious), wherein the detection is based, at least in part, on evaluating the malicious data packet for one or more [intended actions] attributes such as type, format, and values of the data in the packet (paragraphs [0022]-[0023]), retrieve [a fully qualified domain name (FQDN)] a domain name associated with the malicious data packet, and cause the [FQDN] domain name to be added to a website blacklist (paragraph [0019], “Threat locations may be identified by botnet detection tools of the network and/or a third-party threat intelligence service providing listing of known (or suspected) malicious C2 server such as…listing of known (or suspected) malicious C2 server domains, etc. [l]isting of known (or suspected) threat location may be updated as information about malicious C2 server associated with botnet is obtained from botnet detection tools of the network…[t]he listing of known (or suspected) threat location may operate as a blacklist for the network”); an output configured to output an instruction to prevent a user equipment (UE) from establishing a communication channel with the C2 website (paragraphs [0056]-[0057], the computing device generates and sends a botnet warning indicating that malware has infected the computing device. The computing device may drop one or more packets of malicious Internet traffic. Dropping malicious packets causes the packets to never reach their intended destination).
	While Compton discloses that detection is based, at least in part, on evaluating the malicious data packet for one or more attributes, as shown above, Compton does not explicitly disclose that detection is based on one or more intended actions, the evaluating being performed without executing the one or more intended actions. Further, while Compton discloses retrieving a domain name and causing the domain name to be added to a blacklist, as shown above, Compton does not explicitly disclose retrieving a fully qualified domain name (FQDN) and adding the FQDN.
	However, Hou, in an analogous art, discloses detection based on one or more intended actions (column 8, lines 51-64, the detection of C&C malware is based on “detecting the API in an action 412…[t]he types of APIs hooked may include APIs which collect private information like phone number, device id, IMEI, SMS message and the like”; it is noted that collecting private information is an intended action of the C&C malware), the evaluating being performed without executing the one or more intended actions (column 6, lines 51-61 and column 8, line 65-column 9, line 2, “the method for providing static analysis of Fig. 4A in accordance with some embodiments may include disassembling the code and action 422 and detecting C&C malware from the disassembled code an action 424”; it is noted that static analysis does not execute the intended action, as the analysis is based on disassembling the code and detecting C&C malware from the disassembled code).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Compton to include detection based on one or more intended actions, the evaluating being performed without executing the one or more intended actions, as disclosed by Hou. This would have been obvious because one of ordinary skill in the art would have been motivated to do so in order to achieve the predictable result of preventing collection of private information by malicious servers.
	Compton in view of Hou does not explicitly disclose retrieving a fully qualified domain name (FQDN) and adding the FQDN. However, in an analogous art, Akiyama discloses that an FQDN is retrieved and added to a malicious blacklist (paragraphs [0156]-[0157], the examination unit 242a examines the file confirmed to be falsified, and obtains and stores the FQDN and URL of the malicious website in the malicious site information storage unit).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Compton and Hou to include retrieving a fully qualified domain name (FQDN) and adding the FQDN to the blacklist, as disclosed by Akiyama. This would have been obvious because one of ordinary skill in the art would have been motivated to prevent general users from accessing malicious Web sites by utilizing the collected FQDNs in a filtering or invasion detection system.
	As per claim 2, Compton furthermore discloses, wherein the microprocessor is further configured to detect the malicious data packet using signature-based malware detection (paragraph [0023], comparing attributes of Internet traffics to attributes of known malicious botnet traffic).
	As per claim 3, Compton furthermore discloses, the UE, and wherein the instruction prevents the UE from establishing the communication channel with the C2 website via a wireless network (paragraph [0056], [0057], computing device may drop one or more packets of malicious Internet traffic, and paragraph [0064], wireless communication functions).
	As per claim 6, Compton furthermore discloses, wherein the instruction prevents the UE from connecting to the C2 website by blocking UE connection to the C2 website, ignoring a UE request to connect to the C2 website, redirecting the UE to an approved website, or combinations thereof (paragraphs [0045], [0056] and [0057], customer edge routers route (redirecting) all outbound Internet traffic from customer computing devices addressed to the threat location to a computing device (e.g., traffic inspection server, etc.)).
	
	Claims 4 and 5 are rejected under 35 U.S.C. 103 as being unpatentable over Compton, in view of Hou, in view of Akiyama, further in view of Schryver (US Publication No. 2017/0054761) hereinafter Schryver.
	As per claim 4, Compton in view of Hou and Akiyama discloses all limitations of the claim as applied to claim 1 above. Compton in view of Hou and Akiyama does not explicitly disclose, but in an analogous art Schryver discloses, wherein the website blacklist is stored or located within a Domain Name Server Response Policy Zone (DNS RPZ) (paragraph [0049]- [0049], storing RPZ blacklist data in an RPZ database, the RPZ blacklist data including a list of suspected domain names supporting malicious activity).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Compton, Hou and Akiyama to store the blacklist within a DNS RPZ, as disclosed by Schryver. This would have been obvious because one of ordinary skill in the art would have been motivated to store the blacklist within the well-known DNS RPZ in order to achieve the predictable result of blocking malicious access requests and activities.
	As per claim 5, Schryver further discloses, wherein the DNS RPZ prevents DNS resolution of the FQDN associated with the C2 website (paragraph [0048], the blacklist data includes policy information associated with each domain. The policy information specifies an action for the DNS resolver to take to resolve the associated domain; the action may be, for example, to block or prevent the request). The motivation to combine is similar to the motivation provided for claim 4.

	Claims 7-10 are rejected under 35 U.S.C. 103 as being unpatentable over Compton, in view of Hou, in view of Akiyama, further in view of Cothrell et al. (US Publication No. 2006/0161983), hereinafter Cothrell.
	As per claim 7, Compton in view of Hou and Akiyama discloses all limitations of the claim as applied to claim 1 above. Compton in view of Hou and Akiyama does not explicitly disclose, but in an analogous art Cothrell discloses, a network test access point (TAP) configured to mirror or copy data passing between telecommunication network nodes (paragraphs [0010]-[0011], gateway 105 provides a copy of packets passing between networks 104 and 106 to IDS 102); wherein the endpoint security sensor is configured to: inspect the data mirrored or copied by the network TAP, and identify the malicious data packet based on a characteristic or feature of the data mirrored or copied by the network TAP (paragraph [0019], IDS 102 communicates a copy of the packet to processor 112, which analyzes the traffic to determine whether it includes an attack signature).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Compton, Hou and Akiyama to include a network test access point (TAP) configured to mirror or copy data passing between telecommunication network nodes; and an endpoint security sensor configured to: inspect the data mirrored or copied by the network TAP, and identify the malicious data packet based on a characteristic or feature of the data mirrored or copied by the network TAP, as disclosed by Cothrell. This would have been obvious because one of ordinary skill in the art would have been motivated to do so in order to achieve the predictable result of analyzing and detecting hostile actions and communication in the network.
	As per claim 8, Cothrell furthermore discloses, wherein the telecommunication network nodes are a serving gateway (SGW) and a packet data network gateway (PGW) (paragraph [0012], network 104 includes a collection of networked communication devices exchanging information, including, for example, switches and gateways). The motivation to combine is similar to the motivation provided for claim 7.
	As per claim 9, Cothrell furthermore discloses, wherein the characteristic or feature is a signature (paragraph [0019], attack signature). The motivation to combine is similar to the motivation provided for claim 7.
	As per claim 10, Cothrell furthermore discloses, wherein the endpoint security sensor is further configured to compare the signature of the malicious data packet against a database of known malware signatures (paragraph [0016], comparing information to attack signature). The motivation to combine is similar to the motivation provided for claim 7.

	Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Compton, in view of Hou, in view of Akiyama, in view of Cothrell, further in view of Dargis et al. (US Publication No. 2009/0094691), hereinafter Dargis.
	As per claim 11, Compton in view of Hou, Akiyama and Cothrell discloses all limitations of the claim as applied to claim 9 above. Compton in view of Hou, Akiyama and Cothrell does not explicitly disclose, but in an analogous art Dargis discloses, wherein the endpoint security sensor is further configured to identify the data packet as malicious based on the digital signature on a bit or byte level (paragraph [0021], “compare a data packet to a digital signature representative of a malicious packet”).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Compton, Hou, Akiyama and Cothrell to include identifying the data packet as malicious based on the digital signature on a bit or byte level, as disclosed by Dargis. This would have been obvious because one of ordinary skill in the art would have been motivated to optimize the accuracy and speed of analyzing and detecting malicious packets by using a digital representative of data.

	Claims 12-15 are rejected under 35 U.S.C. 103 as being unpatentable over Compton, in view of Hou, in view of Akiyama, in view of Shah et al. (US Publication No. 2020/0252803), hereinafter Shah, further in view of Jones (US Publication No. 2010/0161787), hereinafter Jones.
	As per claim 12, Compton in view of Hou and Akiyama teaches all limitations of the claim as applied to claim 1 above. Compton in view of Hou and Akiyama does not explicitly teach the microprocessor is further configured to: extract a log file generated by the detection of the malicious data packet, and retrieve a packet capture via a uniform resource locator (URL) of the log file. However, in an analogous art, Shah discloses a microprocessor configured to: extract a log file generated by detection of the malicious data packet (paragraphs [0024], [0092], browsing engine 430 accessing a malicious URL database 430 that stores a list of identified malicious URLs).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Compton, Hou and Akiyama to extract a log file generated by detection of the malicious data packet, as disclosed by Shah. This would have been obvious because one of ordinary skill in the art would have been motivated to prevent compromise of the system by determining whether a URL is a malicious URL and preventing access to malicious websites.
	Compton in view of Hou, Akiyama and Shah does not explicitly disclose retrieving a packet capture via a uniform resource locator (URL) of the log file. However, retrieving a packet capture via a uniform resource locator (URL) of the log file is well known in the art, as illustrated by Jones (abstract, paragraphs [0076]-[0077], receiving a list of URLs, selecting a webpage URL from the list, and receiving, via packet capture, a webpage associated with the selected URL).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Compton, Hou, Akiyama and Shah to include the well-known feature of retrieving a packet capture via a uniform resource locator (URL) of the log file, as disclosed by Jones. This would have been obvious because one of ordinary skill in the art would have been motivated to do so in order to receive and collect packet data associated with the webpage.
	As per claim 13, Jones furthermore discloses, wherein the microprocessor is further configured to store the packet capture on a storage device (paragraph [0081], “storing the packet capture”). The motivation is similar to the motivation provided in claim 12.
	As per claim 14, Akiyama furthermore discloses the microprocessor is further configured to extract the FQDN (paragraph [0156], the examination unit stores the FQDN). The motivation is to utilize the FQDN in a firewall or Web proxy and prevent users from accessing malicious web sites and becoming infected with malware.
	As per claim 15, Jones furthermore discloses, wherein the microprocessor is further configured to process a packet capture queue on a storage device (figure 13, paragraphs [0081]-[0082], processing stored packet captures). The motivation is to collect statistics associated with the page level or connection level.

	Claim 16 is rejected under 35 U.S.C. 103 as being unpatentable over Compton, in view of Hou, in view of Akiyama, in view of Shah, in view of Jones, further in view of Ou et al. (US Publication No. 2014/0137254), hereinafter Ou.
	As per claim 16, Compton as modified teaches all limitations of the claim as applied to claim 12 above. Compton as modified does not explicitly teach, wherein the microprocessor is further configured to deduplicate FQDNs by checking malicious FQDNs against a current malicious FQDN list and removing any duplicate malicious FQDNs from a currently detected FQDN list while retaining the malicious FQDNs on the current malicious FQDN list.
	However, in an analogous art, Ou discloses deduplicating websites by checking prohibited (malicious) websites against a current prohibited (malicious) list and removing any duplicate website from a currently detected list while retaining the prohibited website on the current prohibited list (paragraph [0037], “When updating the connection-prohibited website on the local website sub-list, detecting whether a connection permitted website on the local website cache sub-list and connection-prohibited website on the local website sub-list are duplicates, if yes, deleting the website from the local website cache sub-list”).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the modified Compton with Ou. This would have been obvious because one of ordinary skill in the art would have been motivated to update the list of connection-prohibited websites and protect the network by blocking connections to the listed prohibited malicious websites.
	It is noted that Ou does not explicitly disclose an FQDN list, but instead discloses a prohibited website list. Although an FQDN list and a website list are not completely identical, they are obvious variations of one another. Further, substitution of one known element (i.e., an FQDN list) for another known element (a website list) does not require an inventive step. Such variation or substitution would have been predictable and obvious to one of ordinary skill in the art before the effective filing date of the claimed invention.
	Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over Compton, in view of Hou, in view of Akiyama, further in view of Pularikkal et al. (US Publication No. 2019/0036888), hereinafter Pularikkal.
	As per claim 17, Compton in view of Hou and Akiyama discloses all limitations of the claim as applied to claim 1 above. Compton in view of Hou and Akiyama does not explicitly disclose the microprocessor further configured to cause a trusted FQDN to be added to a whitelist to prevent the trusted FQDN from being processed as malicious. However, updating a whitelist with trusted FQDNs is old and well known, as illustrated by Pularikkal (paragraph [0026], “updates the list of whitelisted FQDNs based on an enterprise policy”).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Compton, Hou and Akiyama to include causing a trusted FQDN to be added to a whitelist, as disclosed by Pularikkal. This would have been obvious because one of ordinary skill in the art would have been motivated to do so in order to permit communication to safe destinations based on an updated whitelist of destinations.
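The list-maintenance steps recited in claims 4-5, 16 and 17 (a blacklist of FQDNs held in a DNS RPZ, de-duplication of newly detected FQDNs against the current malicious list, and a whitelist of trusted FQDNs that are never processed as malicious) can be illustrated together. The following is an added example written for this page; it is not code from the application under examination or from any of the cited references, and the class, function names, zone name and sample FQDNs are all assumed for illustration.

```python
"""Blocklist maintenance in the style of claims 4-5, 16 and 17.

Added example, not from the office action or any cited reference.
All names and sample data below are constructed for illustration.
"""
from dataclasses import dataclass, field

# RPZ conventions: "CNAME ." rewrites the answer to NXDOMAIN (resolution is
# prevented); "CNAME rpz-passthru." exempts a name from the policy zone.
RPZ_BLOCK = "CNAME ."
RPZ_PASSTHRU = "CNAME rpz-passthru."


def normalise_fqdn(name: str) -> str:
    """Lower-case and strip whitespace and any trailing dot so that the same
    FQDN written two ways (e.g. 'C2.Example.' vs 'c2.example') compares equal."""
    return name.strip().lower().rstrip(".")


@dataclass
class FqdnBlacklist:
    current: set = field(default_factory=set)    # current malicious FQDN list
    whitelist: set = field(default_factory=set)  # trusted FQDNs (claim 17)

    def deduplicate(self, detected):
        """Claim 16: remove from the currently detected list every FQDN that is
        already on the current malicious list (and repeats within the detected
        list itself). The current list is retained unchanged. Returns the FQDNs
        that are genuinely new, in first-seen order."""
        seen, fresh = set(), []
        for name in map(normalise_fqdn, detected):
            if name in self.current or name in seen:
                continue
            seen.add(name)
            fresh.append(name)
        return fresh

    def add_detected(self, detected):
        """Merge newly detected FQDNs into the current list. Trusted FQDNs on the
        whitelist are never processed as malicious (claim 17). Returns what was
        actually added."""
        added = [n for n in self.deduplicate(detected) if n not in self.whitelist]
        self.current.update(added)
        return added

    def to_rpz(self, zone: str = "rpz.example") -> str:
        """Render the lists as an RPZ zone fragment (claims 4-5): each blocked
        FQDN and its subdomains resolve to NXDOMAIN, whitelisted FQDNs pass
        through. The zone name is an assumed placeholder."""
        lines = []
        for name in sorted(self.whitelist):
            lines.append(f"{name}.{zone}.\tIN\t{RPZ_PASSTHRU}")
        for name in sorted(self.current):
            lines.append(f"{name}.{zone}.\tIN\t{RPZ_BLOCK}")
            lines.append(f"*.{name}.{zone}.\tIN\t{RPZ_BLOCK}")
        return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: one FQDN already listed, one repeated, one trusted.
    bl = FqdnBlacklist(current={"c2.bad.example"},
                       whitelist={"cdn.trusted.example"})
    detected = ["C2.bad.example.", "new-c2.bad.example",
                "new-c2.bad.example", "cdn.trusted.example"]
    print("added:", bl.add_detected(detected))
    print(bl.to_rpz())
```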
	Claims 18 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Compton, in view of Hou, in view of Akiyama, further in view of Gupta et al. (US Publication No. 2020/0106806), hereinafter Gupta.
	As per claim 18, Compton in view of Hou and Akiyama discloses all limitations of the claim as applied to claim 1 above. Compton in view of Hou and Akiyama does not explicitly disclose, wherein the FQDN is retrieved by extracting the FQDN from a header of the malicious data packet. However, in an analogous art, Gupta discloses, the FQDN is retrieved by extracting the FQDN from a header of the malicious data packet (paragraph [0071], “an attack model may indicate that a FQDN is a good indicator of whether a packet is based, so the service engine pipeline can look at the FQDN layer header before other layer headers”).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Compton, Hou and Akiyama to include retrieving the FQDN by extracting the FQDN from a header of the malicious data packet, as disclosed by Gupta. This would have been obvious because one of ordinary skill in the art would have been motivated to determine malicious entities from the header of the communication packets.
	As per claim 19, Compton in view of Hou and Akiyama discloses all limitations of the claim as applied to claim 1 above. Compton in view of Hou and Akiyama does not explicitly disclose, wherein the FQDN is retrieved by extracting the FQDN from the malicious data packet. However, in an analogous art, Gupta discloses, the FQDN is retrieved by extracting the FQDN from the malicious data packet (paragraph [0071], “an attack model may indicate that a FQDN is a good indicator of whether a packet is based, so the service engine pipeline can look at the FQDN layer header before other layer headers”. It is noted that the header is a part of the data packet; thus, in Gupta it could be said the FQDN is retrieved from the malicious data packet).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Compton, Hou and Akiyama to include retrieving the FQDN by extracting the FQDN from the malicious data packet, as disclosed by Gupta. This would have been obvious because one of ordinary skill in the art would have been motivated to do so in order to determine malicious entities based on the communication packets.

	Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Compton, in view of Hou, in view of Akiyama, further in view of Du Ming et al. (WO2019136953), hereinafter Du Ming.
	As per claim 20, Compton in view of Hou and Akiyama discloses all limitations of the claim as applied to claim 1 above. Compton in view of Hou and Akiyama does not explicitly disclose, wherein the FQDN is retrieved by extracting the FQDN from a log generated when the malicious data packet is detected. However, in an analogous art, Du discloses the FQDN is retrieved by extracting the FQDN from a log generated when the malicious data packet is detected (abstract, a C&C domain name analysis-based botnet detection device extracts C&C domain names used for attack activity by analyzing a domain name system log record).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Compton and Akiyama to include retrieving the FQDN by extracting the FQDN from a log generated when the malicious data packet is detected, as disclosed by Du. This would have been obvious because one of ordinary skill in the art would have been motivated to do so in order to timely capture attack behavior and locate the botnet.

References Cited, Not Used

	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
	Schottland et al. (US Patent No. 11,316,900) discloses a static analysis engine configured to perform a light-weight examination of an object to determine whether that object is suspicious and/or malicious. The static analysis engine employs analysis techniques, such as heuristics or pattern matching, for example, in order to detect unrecognizable or known malicious characteristics without execution of the object.
	Aziz (US Patent No. 9,027,135) discloses systems and methods for prospective client identification using malware attack detection. A malware device is identified. The entity with the responsibility for the malware device, or a potentially compromised device in communication with the malware device, is determined. A message is communicated to the entity based on the determination.

Conclusion
	Any inquiry concerning this communication or earlier communications from the examiner should be directed to Ali Abyaneh, whose telephone number is (571) 272-7961. The examiner can normally be reached on Monday-Friday from 8:00-5:00. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Kincaid, can be reached on (571) 272-4063. The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
/ALI S ABYANEH/Primary Examiner, Art Unit 2437