Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This communication is in response to the application filed on 12/26/2020. Claims 1-15 are currently pending.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-15 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as failing to set forth the subject matter which the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the applicant regards as the invention.

Regarding claims 1 and 15, applicant recites “the related DNS packet” without sufficient antecedent basis for this limitation. It is not entirely clear which related DNS packet applicant is referring to, as there is no earlier mention of a related DNS packet in claims 1 and 15. Claims 2-14 are rejected under 35 U.S.C. 112(b) due to their dependency on claim 1.
Also, Lines 10 and 17 of claim 15 recite a critical state. It is not entirely clear if applicant is referring to the same critical state.
Appropriate correction is therefore required to cure the indefiniteness pointed out and any other similar ones in the claims.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-2, 7-10, and 13-15 are rejected under 35 U.S.C. 103 as being unpatentable over USPGPub. No. 20170295196 to ARNELL et al. (hereinafter ARNELL) in view of USPGPub. No. 20210258325 to Meyer et al. (hereinafter Meyer) and further in view of USPGPub. No. 20210073661 to Matlick et al. (hereinafter Matlick).


Regarding claim 1, ARNELL discloses a method for detecting anomalies of a DNS traffic in a network comprising:
 - analysing, through a network analyser (11) (FIG. 1, Packet Capture Devices 130, ¶0013, wherein receiving, capturing, and forwarding packets to the intended destination is a form of analysis being carried out on the data packets exchanged in the network) connected to said network, each data packets exchanged in said network (¶0013, private network); 
- isolating, through said network analyser (11), from each of said analysed data packets the related DNS packet (FIG. 1, module 122, ¶0013, wherein receiving from each of a plurality of packet capture devices of a private network, Domain name system (DNS) query packets is interpreted as isolating the related DNS packet from each analysed data packets. See also FIG. 3, module 302 wherein DNS query packets are obtained from a plurality of network packet capture devices.); 
- evaluating, through a computerized data processing unit (21) (FIG. 2, DNS TRAFFIC ANALYZER 260), each of said DNS packets generating a DNS packet status (¶0038, “the DNS traffic analyzer 260 may also produce a confidence score associated with an anomaly”, wherein produce confidence score on the DNS packets is interpreted as generating a DNS packet status); 
- signaling, through said computerized data processing unit (21), an anomaly of said DNS traffic when said DNS packet status defines a critical state (¶0037, wherein exceeding a particular threshold is interpreted as defining a critical state); 
and wherein said critical state is identified when said DNS packet status is comprised in a critical state database stored in a storage medium (31) (¶0041, wherein the DNS traffic analyzer may include databases for detection of DNS anomalies, and ¶0037, analytics Library 265 wherein data store in an analytics library 265 may be used by the DNS analyser 260 to identify DNS anomalies).  
   


However, ARNELL does not explicitly disclose the following limitation:
- aggregating, through said computerized data processing unit (21), said DNS packet classifications generating said DNS packet status; 
wherein said evaluating further comprises: - assessing, through said computerized data processing unit (21), each of said DNS packet by a plurality of evaluating algorithms generating a DNS packet classification for each of said evaluating algorithms; 
Meyer discloses a rule score for each of the DNS profiles which can be combined to generate respective profile scores (¶0116, “In some embodiments, each given rule 90 within each given profile generates a given rule score. The rule scores for each of the profiles can be combined to generate respective profile scores, and the sum of the profile scores for a given transmission 26 exceeding a specified profile score threshold indicates that the given transmission comprises suspicious DNS tunneling activity”, wherein combining the DNS profile scores is interpreted as aggregating the DNS packet classifications). 
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the method of ARNELL to include the concept of aggregating the DNS packet classifications as disclosed by Meyer, and would have been motivated to do so in order to initiate a preventive action to prevent DNS tunneling from a given computer device when the aggregate score exceeds a predefined threshold (Meyer abstract, in part).
	Also, the combination of ARNELL and Meyer does not explicitly disclose the following limitation:
wherein said evaluating further comprises: - assessing, through said computerized data processing unit (21), each of said DNS packet by a plurality of evaluating algorithms generating a DNS packet classification for each of said evaluating algorithms; 
Matlick discloses a plurality of evaluating algorithms which can be used to assess each of the said DNS packets in order to generate a DNS packet classification for each of said evaluating algorithms (¶0047, “Another ML technique includes ensemble learning, which uses multiple learning algorithms to obtain better predictive performance than could be obtained from any of the constituent learning algorithms alone…”). 
Matlick also discloses the Random Forest algorithm, which combines multiple decision trees and aggregates their predictions to arrive at the final prediction (¶0048, “One example of an ensemble model is the Random Forest algorithm, which combines multiple decision trees and aggregates their predictions using a majority vote in case of a classification problem or by taking the average for regression tasks…”).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the method of ARNELL and Meyer to include using multiple algorithms as disclosed by Matlick to classify DNS packets and aggregate their predictions to arrive at the final prediction, based on the rationale of using a known technique to improve similar devices (methods, or products) in the same way (MPEP 2143.I).

Regarding claim 2, ARNELL in view of Meyer and further in view of Matlick discloses the method for detecting anomalies of a DNS traffic according to claim 1. 
ARNELL further discloses wherein said isolating further comprises extracting, through said computerized data processing unit (21) (¶0015, DNS traffic analyzer 140), all the features from each of said DNS packet (¶0015, “characteristics of the at least one DNS query packets”), wherein said assessing further comprises defining, through said computerized data processing unit (21), a plurality of family subsets of said features (¶0028, “…subset of the DNS packets…”), 
However, ARNELL in view of Meyer does not explicitly disclose the following limitation:
and wherein each of said plurality of evaluating algorithms generates a DNS packet classification from a sole family subset.   
Matlick discloses an ensemble technique (bootstrap aggregating) that trains each model in the ensemble using a randomly drawn subset of the training set to achieve very high classification accuracy, which can be used to generate a DNS packet classification from a sole family subset (¶0049, “…bagging trains each model in the ensemble using a randomly drawn subset of the training set…”).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the method of ARNELL, Meyer and Matlick in claim 1 to include using the plurality of algorithms disclosed by Matlick to generate a classification of a subset of DNS packets, and would have been motivated to do so because it reduces the consumption of network resources and improves classification accuracy. 

Regarding claim 7, ARNELL in view of Meyer and further in view of Matlick discloses the method for detecting anomalies of a DNS traffic according to claim 1. 
ARNELL further discloses, wherein said assessing further comprises defining, through said computerized data processing unit (21), a Query-based subset of said features (¶0047, “DNS query length”, this is in line with ¶0059 of the applicant’s specification), 
However, ARNELL in view of Meyer does not explicitly disclose the following limitation:
wherein said evaluating algorithms comprise at least one algorithm of Query-based approach type,
 and wherein each of said plurality of evaluating algorithms of a Query-based approach type generates a DNS packet classification from one or more features of said Query-based subset.  
Matlick discloses wherein said evaluating algorithms comprise at least one algorithm of Query-based approach type (¶0045, logistic regression, support vector machines (SVMs)),
 and wherein each of said plurality of evaluating algorithms of a Query-based approach type (¶0045) can be used to generate a DNS packet classification (¶0049, “…high classification accuracy”) from one or more features of said Query-based subset (¶0049, “subset of the training set.”).  
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the method of ARNELL, Meyer and Matlick in claim 1 to include the concept of query-based algorithms as disclosed by Matlick to generate a classification of a subset of DNS packets, and would have been motivated to do so in order to make good predictions with a particular problem (Matlick ¶0047, in part).  

Regarding claim 8, ARNELL in view of Meyer and further in view of Matlick discloses the method for detecting anomalies of a DNS traffic according to claim 7. 
Matlick further discloses wherein said algorithms of a Query-based approach type comprise at least one of the Isolation Forest algorithm, the Support Vector Machine algorithm, the J48 algorithm, the Naive Bayes algorithm, the Logistic Regression algorithm, and the K-means algorithm (¶0045, logistic regression, support vector machines (SVMs)).  
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the method of ARNELL, Meyer and Matlick in claim 7 to include the concept of query-based algorithms as disclosed by Matlick to generate a classification of a subset of DNS packets, and would have been motivated to do so in order to make good predictions with a particular problem (Matlick ¶0047, in part). 

Regarding claim 9, ARNELL in view of Meyer and further in view of Matlick discloses the method for detecting anomalies of a DNS traffic according to claim 1. 
ARNELL further discloses wherein said assessing further comprises defining, through said computerized data processing unit (21), a Transaction-based subset of said features (¶0047, “DNS query length”, in line with ¶0062 of the applicant’s specification),
However, ARNELL does not explicitly disclose the following limitation:
wherein said evaluating algorithms comprise at least one algorithm of a Transaction-based approach type, 
and wherein each of said plurality of evaluating algorithms of a Transaction- based approach type generates a DNS packet classification from one or more features of said Transaction-based subset.  
Matlick discloses wherein said evaluating algorithms comprise at least one algorithm of a Transaction-based approach type (¶0045, “k-nearest neighbor (kNN)”),
and wherein each of said plurality of evaluating algorithms of a Transaction-based approach type (¶0045, “k-nearest neighbor (kNN), support vector machines (SVMs)”) can be used to generate a DNS packet classification from one or more features of said Transaction-based subset (¶0049, “…subset of the training set…”).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the method of ARNELL, Meyer, and Matlick in claim 1 to include the concept of transaction-based algorithm types as disclosed by Matlick to generate a classification of a subset of DNS packets, and would have been motivated to do so in order to have quick and high classification accuracy (Matlick ¶0049, in part). 

Regarding claim 10, ARNELL in view of Meyer and further in view of Matlick discloses the method for detecting anomalies of a DNS traffic according to claim 9. 
Matlick further discloses wherein said algorithms of a Transaction-based approach type comprise at least one of the K-nearest Neighbor algorithm, the Multilayer Perceptron and Support Vector Machines algorithm (¶0045, “k-nearest neighbor (kNN), support vector machines (SVMs)”).  
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the method of ARNELL, Meyer, and Matlick in claim 9 to include the concept of transaction-based algorithm types as disclosed by Matlick to generate a classification of a subset of DNS packets, and would have been motivated to do so in order to have quick and high classification accuracy (Matlick ¶0049, in part).

Regarding claim 13, ARNELL in view of Meyer and further in view of Matlick discloses the method for detecting anomalies of a DNS traffic according to claim 1. 
Matlick further discloses wherein said evaluating algorithms comprise at least one algorithm of an IP-based approach type (¶0045, “decision tree”), 
wherein said assessing further comprises defining, through said computerized data processing unit (21), an IP-based subset of said features (¶0369, “entropy”), 
and wherein each of said plurality of evaluating algorithms of an IP-based approach type (¶0045, “decision tree”) can be used to generate a DNS packet classification from one or more features of said IP-based subset (¶0049, “…subset of the training set…”). 
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the method of ARNELL, Meyer, and Matlick in claim 1 to include the concept of a decision tree, which is an algorithm of an IP-based approach type disclosed by Matlick, and would have been motivated to do so because a decision tree can handle both numerical and categorical data.

Regarding claim 14, ARNELL in view of Meyer and further in view of Matlick discloses the method for detecting anomalies of a DNS traffic according to claim 13. 
Matlick further discloses wherein said algorithms of an IP-based approach type comprise at least one of the Decision Tree algorithm and the Support Vector Machine algorithm (¶0045, “decision tree” and “support vector machines (SVMs)”).  
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the method of ARNELL, Meyer, and Matlick in claim 1 to include the concept of a decision tree, which is an algorithm of an IP-based approach type disclosed by Matlick, and would have been motivated to do so because a decision tree can handle both numerical and categorical data and is simple to understand.

Regarding claim 15, ARNELL discloses an apparatus (1) for detecting anomalies of a DNS traffic in a network comprising a network analyser (11) (FIG. 1, Packet Capture Devices 130, ¶0013, wherein receiving, capturing, and forwarding packets to the intended destination is a form of analysis being carried out on the data packets exchanged in the network) to be connected to said network, a computerized data processing unit (21) (FIG. 2, DNS TRAFFIC ANALYZER 260) operatively connected to said network analyser (11), and a storage medium (31) (FIG. 2, ANALYTIC LIBRARY 265, ¶0037) operatively connected to said computerized data processing unit (21) (DNS analyzer 260 is operatively connected to analytic library 265),
 wherein said network analyser (11), in use, analyses each data packets exchanged in said network and isolates from each of said analysed data packets the related DNS packet (FIG. 1, module 122, ¶0013, wherein receiving from each of a plurality of packet capture devices of a private network, Domain name system (DNS) query packets is interpreted as isolating the related DNS packet from each analysed data packets. See also FIG. 3, module 302 wherein DNS query packets are obtained from a plurality of network packet capture devices.); 
 wherein said computerized data processing unit (21), in use, evaluates each of said DNS packets generating a DNS packet status (¶0038, “the DNS traffic analyzer 260 may also produce a confidence score associated with an anomaly”, wherein produce confidence score on the DNS packets is interpreted as generating a DNS packet status), 
 and signals an anomaly of said DNS traffic when said DNS packet status defines a critical state (¶0037, wherein exceeding a particular threshold is interpreted as defining a critical state),
and wherein said computerized data processing unit (21) identifies a critical state when said DNS packet status is comprised in said critical state database (¶0041, wherein the DNS traffic analyzer may include databases for detection of DNS anomalies, and ¶0037, analytics Library 265).  
 wherein said storage medium (31) (¶0037, analytics Library 265) stores a plurality of evaluating algorithms and a critical state database (¶0041, wherein the DNS traffic analyzer may include databases for detection of DNS anomalies, these databases can also be used to store the said plurality of evaluating algorithms.), 

However, ARNELL does not explicitly disclose the following limitation:
and aggregates said DNS packet classifications generating said DNS packet status; 
wherein said computerized data processing unit (21) assesses each of said DNS packet by said plurality of evaluating algorithms, generating a DNS packet classification for each of said evaluating algorithms,

Meyer discloses a rule score for each of the DNS profiles which can be combined to generate respective profile scores (¶0116, “In some embodiments, each given rule 90 within each given profile generates a given rule score. The rule scores for each of the profiles can be combined to generate respective profile scores, and the sum of the profile scores for a given transmission 26 exceeding a specified profile score threshold indicates that the given transmission comprises suspicious DNS tunneling activity”, wherein combining the DNS profile scores is interpreted as aggregating the DNS packet classifications). 
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the apparatus of ARNELL to include the concept of aggregating the DNS packet classifications as disclosed by Meyer, and would have been motivated to do so in order to initiate a preventive action to prevent DNS tunneling from a given computer device when the aggregate score exceeds a predefined threshold (Meyer abstract, in part).
Also, the combination of ARNELL and Meyer does not explicitly disclose the following limitation:	
wherein said computerized data processing unit (21) assesses each of said DNS packet by said plurality of evaluating algorithms, generating a DNS packet classification for each of said evaluating algorithms, 
Matlick discloses a plurality of evaluating algorithms which can be used to assess each of the said DNS packets in order to generate a DNS packet classification for each of said evaluating algorithms (¶0047, “Another ML technique includes ensemble learning, which uses multiple learning algorithms to obtain better predictive performance than could be obtained from any of the constituent learning algorithms alone…”). 
Matlick also discloses the Random Forest algorithm, which combines multiple decision trees and aggregates their predictions to arrive at the final prediction (¶0048, “One example of an ensemble model is the Random Forest algorithm, which combines multiple decision trees and aggregates their predictions using a majority vote in case of a classification problem or by taking the average for regression tasks…”).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the apparatus of ARNELL and Meyer to include using multiple algorithms as disclosed by Matlick to classify DNS packets and aggregate their predictions to arrive at the final prediction, based on the rationale of using a known technique to improve similar devices (methods, or products) in the same way (MPEP 2143.I).
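As an added illustration of the pipeline recited in claims 1 and 15 (this code is not from the application, ARNELL, Meyer or Matlick), the following Python isolates DNS packets from a constructed capture, runs four evaluating algorithms that each classify a packet from one family subset of features, aggregates the classifications by majority vote into a packet status, and signals an anomaly when that status is found in a critical-state set. The packet records, feature thresholds and the critical-state set are constructed assumptions for the example.

```python
"""Claimed pipeline as a runnable sketch: isolate DNS packets, assess each with
several evaluating algorithms, aggregate the classifications into a packet
status, and signal an anomaly when the status is in a critical-state database.
All packets, thresholds and rules below are constructed for this illustration."""
import math
from collections import Counter
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str
    dst_port: int
    qname: str = ""   # DNS query name; empty for non-DNS packets
    qtype: str = ""   # DNS record type, e.g. A, MX, TXT
    rcode: str = ""   # response code, e.g. NOERROR, NXDOMAIN


# Constructed sample traffic: a non-DNS packet, two ordinary lookups, and two
# long high-entropy TXT queries of the shape DNS tunnelling tends to produce.
CAPTURE = [
    Packet("tcp", 443),
    Packet("udp", 53, "www.example.com", "A", "NOERROR"),
    Packet("udp", 53, "mail.example.org", "MX", "NOERROR"),
    Packet("udp", 53, "x9f2k1l0q8z7v3b5n4m6c2p1r8t5y7u3w1.tun.example.net", "TXT", "NOERROR"),
    Packet("udp", 53, "a0b1c2d3e4f5g6h7i8j9k0l1m2n3o4p5q6r7s8t9.data.example.net", "TXT", "NXDOMAIN"),
]


def isolate_dns(packets):
    """Isolating step: keep only the DNS packets from the analysed traffic."""
    return [p for p in packets if p.proto == "udp" and p.dst_port == 53 and p.qname]


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


# Evaluating algorithms: each reads one family subset of the features and
# returns a classification, 1 = suspicious, 0 = benign.  Thresholds are assumed.
def query_length(p):        # Query-based subset: total name length
    return int(len(p.qname) > 40)

def label_entropy(p):       # Query-based subset: entropy of the leftmost label
    return int(shannon_entropy(p.qname.split(".")[0]) > 3.5)

def record_type(p):         # Transaction-based subset: record type requested
    return int(p.qtype in ("TXT", "NULL"))

def response_code(p):       # Transaction-based subset: server response code
    return int(p.rcode == "NXDOMAIN")

ALGORITHMS = [query_length, label_entropy, record_type, response_code]


def aggregate(classifications):
    """Aggregating step: majority vote over the per-algorithm classifications
    (the Random Forest style vote of Matlick ¶0048) yields the packet status."""
    votes = sum(classifications)
    return "suspicious" if votes * 2 > len(classifications) else "benign"


# Critical-state database: the statuses that trigger an anomaly signal.
CRITICAL_STATES = {"suspicious"}


def detect(packets):
    """Returns (qname, status, classifications) for each isolated DNS packet
    whose aggregated status is comprised in the critical-state database."""
    anomalies = []
    for p in isolate_dns(packets):
        classifications = [algo(p) for algo in ALGORITHMS]
        status = aggregate(classifications)
        if status in CRITICAL_STATES:          # signalling step
            anomalies.append((p.qname, status, classifications))
    return anomalies


if __name__ == "__main__":
    for qname, status, cls in detect(CAPTURE):
        print(f"{status}: {qname} classifications={cls}")
```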

Claims 11-12 are rejected under 35 U.S.C. 103 as being unpatentable over USPGPub. No. 20170295196 to ARNELL et al. (hereinafter ARNELL) in view of USPGPub. No. 20210258325 to Meyer et al. (hereinafter Meyer) and further in view of USPGPub. No. 20210073661 to Matlick et al. (hereinafter Matlick) and further in view of USPGPub. No. 20210266293 to Liu et al. (hereinafter Liu).

Regarding claim 11, ARNELL in view of Meyer and further in view of Matlick discloses the method for detecting anomalies of a DNS traffic according to claim 1. 
However, the combination of ARNELL, Meyer, and Matlick does not explicitly disclose the following limitation:
wherein said evaluating algorithms comprise at least one algorithm of a Domain-based approach type, 
wherein said assessing further comprises defining, through said computerized data processing unit (21), a Domain-based subset of said features,
 and wherein each of said plurality of evaluating algorithms of a Domain-based approach type generates a DNS packet classification from one or more features of said Domain-based subset.  
Liu discloses wherein said evaluating algorithms comprise at least one algorithm of a Domain-based approach type (¶0059, “isolation forest”), 
wherein said assessing further comprises defining, through said computerized data processing unit (21), a Domain-based subset of said features (¶0052, The average length of FQDNs in the group, and ¶0053, “The ratio of queries for A/AAAA…”),
and wherein each of said plurality of evaluating algorithms of a Domain-based approach type generates a DNS packet classification from one or more features of said Domain-based subset (¶0059, “…Any anomalies detected by the model are anomalous to benign DNS traffic and thus can be classified as malicious DNS tunneling traffic…”).   
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the method of ARNELL, Meyer, and Matlick in claim 1 to include the concept of Domain-based algorithm types generating a classification of a subset of DNS packets as disclosed by Liu, and would have been motivated to do so in order to have a fast computation and memory efficient system (Liu ¶0059, in part). 

Regarding claim 12, ARNELL in view of Meyer and further in view of Matlick and further in view of Liu discloses the method for detecting anomalies of a DNS traffic according to claim 11.
Liu further discloses wherein said algorithms of a Domain-based approach type comprise the Isolation Forest algorithm (¶0059, “isolation Forest”).  
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the method of ARNELL, Meyer, Matlick, and Liu in claim 11 to include the concept of the isolation forest as disclosed by Liu, and would have been motivated to do so in order to have a fast computation and memory efficient system (Liu ¶0059, in part). 


Allowable Subject Matter
Claims 3-6 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MUDASIRU K OLAEGBE whose telephone number is (571)272-2082. The examiner can normally be reached MON-FRI. 7.30AM-5.30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 5712723739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MUDASIRU K OLAEGBE/Examiner, Art Unit 2495
/MAUNG T LWIN/Primary Examiner, Art Unit 2495