DETAILED ACTION

1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

2.	Claims 1-20 are pending.  Claims 1, 8 and 15 are independent.

3.	The IDS submitted on 2/10/2020 has been considered.

Allowable Subject Matter
4.	Claims 3, 5, 7, 10, 12, 14, 17, 18 and 20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.










Claim Objections
5.	Claim 16 is objected to because of a typographical error.  
Claim 16 recites “The computer system of claim 15, further comprising the program instructions executable to: 
…; and
generating, by the computer system, the domain clusters based on domain activities.” (emphasis added).  The verb “to generating” would make the claim grammatically wrong.

Appropriate correction is required.

Claim Rejections - 35 USC § 102
6.	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

7.	The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

8.	Claims 1, 2, 4, 6, 8, 9, 11, 13, 15, 16 and 19 are rejected under 35 U.S.C. 102 as being anticipated by Xu (US Patent 9,560,072).
As regarding claim 1, Xu discloses computer-implemented method for creating malware domain sinkholes by domain clustering, the method comprising: 
clustering, by a computer system, malware domains into domain clusters [col. 17 line 3 thru col. 18 line 31]; 
collecting, by the computer system, domain metrics in the domain clusters [col. 17 line 3 thru col. 18 line 31]; 
sorting, by the computer system, clustered malware domains in respective ones of the domain clusters, based on the domain metrics [col. 18 lines 32-52 and col. 20 lines 14-393]; and 
selecting, by the computer system, from the clustered malware domains in the respective ones of the domain clusters, a predetermined number of top domains as candidates of respective domain sinkholes, the respective domain sinkholes being created for the respective ones of the domain clusters [col. 18 lines 32-52 and col. 20 lines 14-393].  

As regarding claim 2, Xu further discloses The computer-implemented method of claim 1, further comprising: generating, by the computer system, the domain clusters based on malware domain families, using a convolutional neural network model [col. 17 line 3 thru col. 18 line 31].  

As regarding claim 4, Xu further discloses The computer-implemented method of claim 1, further comprising: generating, by the computer system, the domain clusters based on domain activities [col. 17 lines 27-55].  

As regarding claim 6, Xu further discloses The computer-implemented method of claim 1, further comprising: 
collecting, by the computer system, metrics of the respective domain sinkholes [col. 7 lines 32-60]; 
determining, by the computer system, whether change of the metrics of the respective domain sinkholes exceeds a first predetermined threshold [col. 7 lines 32-60]; and  
P201907372US01Page 25 of 33re-selecting, by the computer system, the candidates of the respective domain sinkhole, in response to determining that the change of the metrics of the respective domain sinkholes exceeds the first predetermined threshold [col. 7 lines 32-60].  

As regarding claim 8, Xu discloses A computer program product for creating malware domain sinkholes by domain clustering, the computer program product comprising a computer readable storage medium having program instructions embodied therewith, the program instructions executable by one or more processors [col. 2 lines 29-46], the program instructions executable to: 
cluster, by a computer system, malware domains into domain clusters [col. 17 line 3 thru col. 18 line 31]; 
collect, by the computer system, domain metrics in the domain clusters [col. 17 line 3 thru col. 18 line 31]; 
sort, by the computer system, clustered malware domains in respective ones of the domain clusters, based on the domain metrics [col. 18 lines 32-52 and col. 20 lines 14-393]; and 
select, by the computer system, from the clustered malware domains in the respective ones of the domain clusters, a predetermined number of top domains as candidates of respective domain sinkholes, the respective domain sinkholes being created for the respective ones of the domain clusters [col. 18 lines 32-52 and col. 20 lines 14-393].  

As regarding claim 9, Xu further discloses The computer program product of claim 8, further comprising the program instructions executable to: generate, by the computer system, the domain clusters based on malware domain families, using a convolutional neural network model [col. 17 line 3 thru col. 18 line 31].   

As regarding claim 11, Xu further discloses The computer program product of claim 8, further comprising the program instructions executable to: generating, by the computer system, the domain clusters based on domain activities [col. 17 line 3 thru col. 18 line 31].  

As regarding claim 13, Xu further discloses The computer program product of claim 8, further comprising the program instructions executable to: 
collect, by the computer system, metrics of the respective domain sinkholes [col. 7 lines 32-60];  
P201907372US01Page 28 of 33determine, by the computer system, whether change of the metrics of the respective domain sinkholes exceeds a first predetermined threshold [col. 7 lines 32-60]; and 
re-select, by the computer system, the candidates of the respective domain sinkhole, in response to determining that the change of the metrics of the respective domain sinkholes exceeds the first predetermined threshold [col. 7 lines 32-60].  

As regarding claim 15, Xu discloses A computer system for creating malware domain sinkholes by domain clustering, the computer system comprising: one or more processors, one or more computer readable tangible storage devices, and program instructions stored on at least one of the one or more computer readable tangible storage devices for execution by at least one of the one or more processors, the program instructions executable to: 
cluster, by a computer system, malware domains into domain clusters [col. 17 line 3 thru col. 18 line 31];  
collect, by the computer system, domain metrics in the domain clusters [col. 17 line 3 thru col. 18 line 31];  
sort, by the computer system, clustered malware domains in respective ones of the domain clusters, based on the domain metrics [col. 18 lines 32-52 and col. 20 lines 14-393]; and 
select, by the computer system, from the clustered malware domains in the respective ones of the domain clusters, a predetermined number of top domains as candidates of respective domain sinkholes, the respective domain sinkholes being created for the respective ones of the domain clusters [col. 18 lines 32-52 and col. 20 lines 14-393].  

As regarding claim 16, Xu further discloses The computer system of claim 15, further comprising the program instructions executable to: 
generate, by the computer system, the domain clusters based on malware domain families, using a convolutional neural network model [col. 17 line 3 thru col. 18 line 31]; and 
generating, by the computer system, the domain clusters based on domain activities [col. 17 line 3 thru col. 18 line 31].  

As regarding claim 19, Xu further discloses The computer system of claim 15, further comprising the program instructions executable to: 
collect, by the computer system, metrics of the respective domain sinkholes [col. 7 lines 32-60]; 
determine, by the computer system, whether change of the metrics of the respective domain sinkholes exceeds a first predetermined threshold [col. 7 lines 32-60]; and  
P201907372US01Page 31 of 33re-select, by the computer system, the candidates of the respective domain sinkhole, in response to determining that the change of the metrics of the respective domain sinkholes exceeds the first predetermined threshold [col. 7 lines 32-60].  







CONCLUSION
Any inquiry concerning this communication or earlier communications from the examiner should be directed to THONG P TRUONG whose telephone number is (571)270-7905.  The examiner can normally be reached on M-F 8:30AM - 5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on 5712726798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/THONG P TRUONG/
Examiner, Art Unit 2433   

/JEFFREY C PWU/Supervisory Patent Examiner, Art Unit 2433