DETAILED ACTION
The following is a non-final office action in response to applicant’s RCE filed on 09/28/2022, responding to the office action mailed on 04/05/2022. Claims 1-4, 9-12, 17-18, and 21-22 are amended. Claims 5 and 20 were cancelled previously. Claims 23-26 are added. Claims 1-4, 6-19 and 21-26 are pending.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
Applicant’s amendments to independent claims 1, 9 and 17 filed on 09/28/2022, with respect to claim rejection under 35 U.S.C 103 have been considered.
Applicant’s arguments, (A) and (B) on independent claim 1, filed on 09/28/2022, have been considered and the argument (B) is not persuasive.
As provided in further detail below, applicant’s arguments that the references fail to show certain features are unpersuasive in view of the grounds of rejection discussed in detail. Please note that during patent examination, the pending claims, even when interpreted in view of the specification, must be “given their broadest reasonable interpretation.” Phillips v. AWH Corp., 415 F.3d 1303, 1316, 75 USPQ2d 1321, 1329 (Fed. Cir. 2005), In re Am. Acad. of Sci. Tech. Ctr., 367 F.3d 1359, 1364, 70 USPQ2d 1827, 1830 (Fed. Cir. 2004). As such, although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims.
Regarding argument (A) on claim 1 on page 11-12, claim 1 is amended with a new limitation, receive content categorization data from at least one data feed, wherein the content categorization data identifies a social media data. Claims 9 and 17, although different, are amended with similar limitations. The applicant’s amendments to claim 1 necessitated the new grounds of rejection presented in this office action. Hence, applicant’s arguments with respect to rejections of claims 1, 9 and 17, along with dependent claims, have been considered but are moot in view of the new grounds of rejection. New prior art is introduced.
Regarding argument (B) on claim 1 on page 13, Applicant argues that “the office action has failed to set forth a prima facie case of obviousness to reject claim 12” because claim 12 does not depend from claim 3. Examiner has carefully reviewed the arguments and respectfully disagrees. In the last office action, the rejections for claims 4 and 12 are combined because they recite some limitations. Claim 4 is a dependent claim of claim 3, which is stated in the office action.
Applicant presents no further arguments. 

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claim 26 is rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement.  The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for pre-AIA  the inventor(s), at the time the application was filed, had possession of the claimed invention.  
Regarding claim 26, claim 26 recites “at least one predetermined percentage” that relates to the content categorization. The specification discloses percentage and predetermined thresholds/time in profile multiple times, but does not disclose any details of any “predetermined percentage”. For the examination purpose, examiner interprets the predetermined percentage as percentage.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claim 1-3, 6, 8-11, 13-19, 21, 23, and 25-26 are rejected under 35 U.S.C. 103 as being unpatentable over Manadhata (US20170323102) in view of Koulinitch (US20110185436, hereinafter Kou). 
Regarding claim 1, 9 and 17, Manadhata teaches a computer-implemented method for profiling domain name service (DNS) traffic, the method comprising: receiving DNS transaction data that is associated with DNS logging operations performed by a DNS server (Manadhata: inspecting DNS transaction data, wherein the DNS transaction data are copied DNS streams between clients and DNS server through a network tap; claim 1; Para. 0010) (examiner note: copying DNS packets to the system is equivalent to logging); receiving identification data that associates a first set of identification data to a second set of identification data (Manadhata: profile tracking domain names in the request for each client; Para. 0010; Para.0017), wherein the first set of identification data comprises Internet Protocol (IP) addresses, wherein the second set of identification data comprises one or more user identifiers (Manadhata: profile tracking IP addresses in the response for each client; Para. 0010 and 00197); partitioning, based on the second set of identification data, the DNS transaction data into a plurality of data partitions, wherein a given data partition included in the plurality of data partitions corresponds to a distinct user identifier of the second set of identification data (Manadhata: observation logic inspect DNS transactions and maintain a query profile for each client based on the content of DNS transactions; profile 142 is for client 112 and profile 144 is for client 114; Para. 0015;
Fig. 1: 
; client number 112, 114 are used to identify each client; Para. 0008); for a first data partition included in the plurality of data partitions, receiving content categorization data from at least one data feed (Manadhata: domain names in the DNS request and IP addresses in the DNS responses are categorized as being whitelisted, blacklisted and grey; Para. 0011; inspecting DNS transaction data and maintain a query profile associated with each client based on contents of the DNS transaction data and update profile based on the number of types domains in DNS transaction data; Para. 0015; query profiles tracking number of types of domains and IP addresses for each client; Para. 0017); determining a first score based on (i) one or more domain names specified in the first data partition, (ii) the content categorization data, and (iii) at least one scoring criteria, wherein the first data partition corresponds to a first user identifier of the one or more user identifiers (Manadhata: generating infection scores for each client based on each client query profile periodically; Para. 0022; Para. 0030; Para. 0023); evaluating the first score based on profiling criteria to determine a first profiling result for the first user identifier (Manadhata: prioritizing the remediation for each client based on infection score and other profile criteria; Fig.1: Prioritization logic (160); Para. 0026; Para. 0027; 
Fig. 1: 
; and causing one or more operations involving the first profiling result to be performed, wherein the one or more operations relate to at least one of: managing an activity, persistent storage, or data analysis (Manadhata: remedy action is performed based on the priority determined by prioritization logic, wherein the actions includes removing malware from the client or restoring client to a prior state; Para. 0027; Claim 11; Para. 0039). 
Yet, Manadhata does not teach wherein the content categorization data identifies a social media data.  
However, in the same field of endeavor, Kou teaches wherein the content categorization data identifies a social media data (Kou: URL reputation service provides classes/classification regarding website including social networking website, Para. 0039, 0056). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method disclosed by Manadhata to include wherein the content categorization data identifies a social media data as disclosed by Kou. One of ordinary skill in the art would have been motivated to make this modification in order to manage the website access based on categorization as suggested by Kou (Kou: Para. 0051). 
Regarding claim 2 and 10, combination of Manadhata and Ram teaches the method of claim 1. In addition, Manadhata teaches selecting one or more DNS transactions included in the DNS transaction data that share a first user identifier as a first identifying characteristic in a set of identifying characteristics; and generating the first data partition based on the one or more DNS transactions (Manadhata: Para. 0015: observation logic 130 may inspect DNS request packets (e.g., DNS request packets 122) and DNS response packets and maintain a query profile associated with the client based on contents of the DNS request packets and DNS response packets. In this example, profile 142 is associated with client 112, profile 144 is associated with client 114, and profile 146 is associated with client 116; Para. 0017: Though profiles 142, 144, and 146 are only illustrated as tracking numbers of whitelisted, blacklisted, and grey domains from DNS request packets, many other metrics may be tracked within the query profiles. In addition to tracking numbers of various types of domains requested in DNS request packets, query profiles (e.g., profile 142) may track numbers of types of IP addresses received by clients (e.g., client 112) from DNS servers (e.g., DNS server 199) in DNS response packets; Fig. 1: 
 ; client number 112, 114 are used to identify each client; Para. 0008).
Regarding claim 3, 11 and 18, combination of Manadhata and Kou teaches the method of claim 1. In addition, Manadhata teaches performing, based on the first user identifier, one or more comparison operations between one or more DNS transactions included in the DNS transaction data and the identification data to select one or more DNS transactions; and generating the first data partition based on the one or more selected DNS transactions (Manadhata: Para. 0015: observation logic 130 may inspect DNS request packets (e.g., DNS request packets 122) and DNS response packets and maintain a query profile associated with the client based on contents of the DNS request packets and DNS response packets. In this example, profile 142 is associated with client 112, profile 144 is associated with client 114, and profile 146 is associated with client 116; Para. 0017: Though profiles 142, 144, and 146 are only illustrated as tracking numbers of whitelisted, blacklisted, and grey domains from DNS request packets, many other metrics may be tracked within the query profiles. In addition to tracking numbers of various types of domains requested in DNS request packets, query profiles (e.g., profile 142) may track numbers of types of IP addresses received by clients (e.g., client 112) from DNS servers (e.g., DNS server 199) in DNS response packets; client number 112, 114 are used to identify each client; Para. 0008).
Regarding claim 6, the rejection of claim 1 is incorporated herein. In addition, Manadhata teaches wherein the DNS transaction data comprises at least one of a DNS query or a DNS response (Manadhata: Para. 0010: “System 100 includes an observation logic 130. Observation logic may inspect DNS packets (e.g., DNS request packets 122). DNS packets 122 may be retrieved from a data stream 190 between a client (e.g., client 112) and a DNS server 199. Figure 1 illustrates two data streams 190, including a DNS request stream of DNS request packets sent from clients to DNS server 199 and a DNS response stream of DNS response packets sent from DNS server 99 to clients”).
Regarding claim 8, the rejection of claim 1 is incorporated herein. In addition, Manadhata teaches wherein evaluating the first score comprises applying the profiling criteria to the first score to generate a profile of network activities (Manadhata: Fig.1: Prioritization logic (160); Para. 0027: “a prioritization logic 160 may be illustrated. Client 112, which was given an infection score of 30% by infection score generation logic 150, has a value of 100, client 114 has an infection score of 40% and a value of 1000, and client 116 has an infection score of 80% and a value of 300. In this example, the priorities are ranked by multiplying infection scores by client value, and consequently client 114 has the highest priority for remediation, followed by client 116, and client 112”).
Regarding claim 13 and 19, the rejection of claim 9 is incorporated herein. In addition, Manadhata teaches wherein determining the first score comprises performing one or more comparison operations between the first data partition and at least one additional data feed based on the at least one scoring criteria (Manadhata: Para. 0045: “Control data set 460 may be used by infection score generation logic 440 when infection score generation logic 440 generates infection scores for members of the set of clients. Specifically, infection score generation logic 440 may compare DNS query profiles 420 to control data set 460 to generate infection scores”; Para. 0046: “Learning logic 470 may modify control data set 460 over time based on the infection scores. By way of illustration, over time, learning logic 470 may detect certain patterns in infection scores based on certain trends in query profiles. Consequently, if these patterns are recognized as being associated with benign activity, control data set 460 may be updated to reduce the likelihood that benign activity is prioritized for remedial action. Conversely, if patterns in infection scores and query profiles begin to indicate that a certain type of activity is associated with a malicious event, control data set 460 may be updated to increase the likelihood that clients performing the certain type of activity are prioritized for remedial action”).
Regarding claim 14, the rejection of claim 13 is incorporated herein. In addition, Manadhata teaches wherein the at least one additional data feed comprises at least one of (i) a threat feed or (ii) a content categorization feed that includes the content categorization data (Manadhata: Fig. 1, Control data (155); Para. 0022: “Control data 155 may contain data previously retrieved from a set of machines known to be infected and a set of machines known to be free of malware”; Para. 0023: “which may be useful when the control data contains information regarding multiple types of malware”).
Regarding claim 15, the rejection of claim 9 is incorporated herein. In addition, Manadhata teaches wherein determining the first score comprises performing a comparison operation between i) a domain name specified in a DNS query included in the first data partition and ii) a domain name specified in a first scoring criterion that is included in the at least one scoring criteria (Manadhata: Para. 0011: the domain names are categorized as being associated with whitelisted domains (e.g., [good1].com, [good2].com), blacklisted domains (e.g., [bad1].com), and grey domains (e.g., [grey1].com); Para. 0015: In evaluating how likely a client is infected with a malware, observation logic 130 may inspect DNS request packets (e.g., DNS request packets 122) and DNS response packets and maintain a query profile associated with the client based on contents of the DNS request packets and DNS response packets…. As mentioned above, DNS request packets 122, which were sent from client 112, contain 2 white-listed domains, 1 blacklisted domain, and one grey domain. Consequently, Observation logic 130 may update profile 142 based on the numbers of types domains in DNS request packets 122”). 
Regarding claim 16, the rejection of claim 9 is incorporated herein. In addition, Manadhata teaches wherein performing one or more operations involving the first profiling result comprises transmitting the first profiling result to a network management tool (Manadhata: Claim 11: The DNS based infection scoring system of claim 10, where the prioritization logic causes the remedial action to be performed by one or more of, initiating a logic to perform the remedial action, and providing an alert to an administrator identifying the member of the set of clients and the remedial action). 
Regarding claim 21, the rejection of claim 1 is incorporated herein. In addition, Manadhata teaches wherein determining the first score comprises generating the first score based on a set of DNS queries associated with the DNS transaction first data partition that were initiated to resolve a first domain name of the one or more domain names (Manadhata: Para. 0015: “observation logic 130 may inspect DNS request packets (e.g., DNS request packets 122) and DNS response packets and maintain a query profile associated with the client based on contents of the DNS request packets and DNS response packets”; Para. 0042: “Infection score generation logic 340 may generate weighted infection scores for members of the set of clients 399. The infection scores may be generated for members of the set of clients 399 based on their respective DNS query profiles 320”; Para. 0001: “The domain name system (DNS) is used to translate web addresses (e.g., www.[example].com) into internet protocol (IP) addresses”; Para. 0010: “DNS request packets having single domain names are shown, there may be situations where a DNS request packet contains several domain names”).
Regarding claim 23, the rejection of claim 1 is incorporated herein. In addition, Manadhata teaches receiving a threat feed from at least one data feed, wherein the threat feed identifies a potentially malicious web site, wherein determining the first score is further based on the threat feed (Manadhata: query profiles tracking the type of malicious domain and generating infection score based on the query profiles; Claim 2, Para. 0012 and 0022). 
Regarding claim 25, the rejection of claim 1 is incorporated herein. In addition, Kou further teaches wherein the social media data comprises a domain name associated with a social networking website (Kou: Para. 0039, 0056 and 0015). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method disclosed by the combination to include wherein the social media data comprises a domain name associated with a social networking website as disclosed by Kou. One of ordinary skill in the art would have been motivated to make this modification in order to manage the website access based on categorization as suggested by Kou (Kou: Para. 0051).
Regarding claim 26, the rejection of claim 1 is incorporated herein. In addition, Manadhata teaches wherein determining the first score comprises: computing a percentage of the one or more domain names specified in the first data partition that relate to the content categorization, wherein the profiling criteria comprises at least one predetermined percentage that relates to the content categorization (Manadhata: query profiles includes derived metrics which includes percentage of malicious domains and IP addresses, Para. 0021; calculating scores based on the profiles; Para. 0022). 
Claim 4 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Manadhata in view of Kou, and further in view of Rolia et al. (US 20170318037, hereinafter Rolia). 
Regarding claim 4 and 12, combination of Manadhata and Kou teach the method of claim 3. In addition, Manadhata further teaches wherein, the one or more user identifiers are included in a set of identifying characteristics (Manadhata: Para. 0037). 
Yet, combination does not teach wherein the set of identifying characteristic further comprises a media access control (MAC) address, or a certificate.
However, in the same field of endeavor, Rolia teaches wherein the set of identifying characteristic further comprises a media access control (MAC) address, or a certificate (Rolia: Para. 0048: identifying characteristics, such as an IP or MAC address, are some examples of data). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system disclosed by the combination to include wherein the set of identifying characteristic further comprises a media access control (MAC) address, or a certificate as disclosed by Rolia. One of ordinary skill in the art would have been motivated to make this modification in order to manage anomalies as suggested by Rolia (Rolia: Para. 0028). 
Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Manadhata in view of Kou, and further in view of Raghavan (US20150309918).
Regarding claim 7, combination of Manadhata and Kou teach the computer-implemented method of claim 1. 
Yet, the combination does not teach wherein evaluating the first score comprises performing one or more comparison operations between the first score and a predetermined threshold specified in a first profiling criterion that is included in the profiling criteria to determine whether the first score fits a predetermined profile specified in the first profiling criterion.
However, in the same field of endeavor, Raghavan teaches wherein evaluating the first score comprises performing one or more comparison operations between the first score and a predetermined threshold specified in a first profiling criterion that is included in the profiling criteria to determine whether the first score fits a predetermined profile specified in the first profiling criterion (Raghavan: Para. 0044: “The RA 304 determines the risk profile by comparing the risk profile score …..with one or more risk profile predefined threshold values based on one or more conditions or rules”; Para. 0069-0070: “At block 608, the risk profile score (C) is compared with the High risk profile threshold (HRPT). In one embodiment, a determination is made as to whether the risk profile score exceeds or equals the HRPT. If the determination is TRUE, then the method proceeds to block 610 via "YES"…….At block 610, assign high risk profile”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system disclosed by the combination to include wherein evaluating the first score comprises performing one or more comparison operations between the first score and a predetermined threshold specified in a first profiling criterion that is included in the profiling criteria to determine whether the first score fits a predetermined profile specified in the first profiling criterion as disclosed by Raghavan. One of ordinary skill in the art would have been motivated to make this modification in order to profile the risk level dynamically as suggested by Raghavan (Raghavan: Para. 0006).
Claim 22 is rejected under 35 U.S.C. 103 as being unpatentable over Manadhata , in view of Kou and Rolia, and further in view of Ranjan (US8260914). 
Regarding claim 22, combination of Manadhata, Ram, and Rolia teaches the method of claim 4. 
Yet, the combination does not teach wherein each data partition further corresponds to a different identifying characteristic included in the set of identifying characteristics.
However, in the same field of endeavor, Ranjan teaches wherein each data partition further corresponds to a different identifying characteristic included in the set of identifying characteristics (Ranjan: Col. 8, line 18-31: the detection module (122) includes the grouping module (124) that is configured to partition the obtained DNS queries into groups based on common attributes. In one or more embodiments, DNS queries in a partitioned group share a common top level domain name corresponding to the DNS queries. In one or more embodiments, DNS queries in a partitioned group share a common IP address that the DNS queries map to. In one or more embodiments, DNS queries in a partitioned group belong to a common connected component in an IP-domain bipartite graph of the DNS queries. In such embodiments, the connected component is identified by performing connected component analysis of the IP-domain bipartite graph of the DNS queries). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method disclosed by the combination to include wherein each data partition further corresponds to a different identifying characteristic as disclosed by Ranjan. One of ordinary skill in the art would have been motivated to make this modification in order to detect malicious domain name in a network as suggested by Ranjan (Ranjan: abstract).
Claim 24  is rejected under 35 U.S.C. 103 as being unpatentable over Manadhata in view of Kou, and further in view of Ramachandran et al. (US20160080212, hereinafter Ram). 
Regarding claim 24, combination of Manadhata and Kou teach the method of claim 1. 
Yet, combination does not teach wherein the IP addresses of the first set of identification data comprise source IP addresses, wherein the first user identifier is associated with a plurality of source IP addresses. 
However, in the same field of endeavor, Ram teaches wherein the IP addresses of the first set of identification data comprise source IP addresses, wherein the first user identifier is associated with a plurality of source IP addresses (Ram: Para. 0544, 0894, 0875). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system disclosed by the combination to include wherein the IP addresses of the first set of identification data comprise source IP addresses, wherein the first user identifier is associated with a plurality of source IP addresses as disclosed by Ram. One of ordinary skill in the art would have been motivated to make this modification in order to manage the network traffic flow based on source DNS queries as suggested by Ram (Ram: Para. 0019). 


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Weill et al. US20160028607: DNS traffic caching 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to LIN CHANG whose telephone number is (571)272-9998.  The examiner can normally be reached on Monday-Thursday 9AM-6PM EST Friday: Variable.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached on (571)-272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/L.C./Examiner, Art Unit 2438                          /TAGHI T ARANI/                          Supervisory Patent Examiner, Art Unit 2438