DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This communication is in response to the application filed on 11/24/2021.
Claims 1-20 are pending and are rejected.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 2/8/2022 was filed. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1-3, 7, 9-12, 14-17, and 19 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Choi (US 20160294859 A).
As to claim 1, Choi teaches a system, comprising: 
a processor configured to: 
aggregate a set of network related event data, wherein the set of network related event data includes Domain Name System (DNS) related query data ([0045], fig. 1, the DNS data collection unit 10 collects traffic exchanged (aggregate a set of network related event data) between a client and a recursive name server using a passive DNS replication method); 
cluster the DNS related query data ([0048] fig. 1, the malicious domain cluster detection unit 30 may generate a domain cluster based on the DNS data (DNS related query data) collected by the DNS data collection unit 10); and 
generate similarity clusters for domains based on their DNS related query data ([0050], fig. 1, the clustering module unit 31 may generate a domain cluster by grouping domains exhibiting group activities into the domain cluster using DNS data collected (clusters for domains based on their DNS related query data) by the DNS data collection unit 10. In this case, one or more domain clusters may be generated); and 
a memory coupled to the processor and configured to provide the processor with instructions ([0086], fig. 3, the processor 121 may be a semiconductor device for executing processing instructions stored in a central processing unit, the memory 123, or the storage 128).

As to claims 2 and 16, Choi teaches all limitations of parent claims 1 and 15, wherein the set of network related event data includes passive DNS (pDNS) data ([0045] the passive DNS replication method refers to a method of connecting a network tapping apparatus to a crossroad at which network traffic moves to a DNS server 1 and allowing the network tapping apparatus to replicate and deliver network traffic that comes from and goes to the DNS server 1 in real time).

As to claims 3 and 17, Choi teaches all limitations of parent claims 1 and 15, wherein the set of network related event data includes passive DNS (pDNS) data aggregated over a period of time ([0049] the clustering module unit represents domains in the form of an IP address list of hosts that have queried the corresponding domain for a specific period, and [0045] teaches collecting that traffic using passive DNS replication).

As to claim 7, Choi teaches the system recited in claim 1, wherein the processor is further configured to: 
detect anomalous network activity within a first enterprise network based on a baseline of DNS activity associated with the first enterprise network ([0014] detecting a malicious domain cluster, including: a domain name server (DNS) data collection unit configured to collect DNS traffic over a network (first enterprise network) and store the DNS traffic in a database).

As to claim 9, Choi teaches the system recited in claim 1, wherein the set of network related event data includes passive DNS (pDNS) data aggregated over a period of time to express pDNS data at-scale, and quantify similarity of the pDNS data aggregated over the period of time, within and across networks based on telemetry-based similarity for DNS, and wherein the processor is further configured to: 
perform a similar domain search using the pDNS data aggregated over the period of time ([0049] the clustering module unit represents domains in the form of an IP address list of hosts that have queried the corresponding domain for a specific period. Next, the clustering module unit 31 calculates similarities in the host IP address between the domains, and groups domains having similar host IP address lists into a cluster).
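The passage cited from Choi [0049] describes the technique at the heart of claims 1, 9 and 15: represent each domain by the set of hosts that queried it during a period, score pairs of domains by how much those host sets overlap, and group domains with similar host lists into a cluster. The following Python is an added illustration of that technique written for this record; it is not code from Choi, from Weber, or from the application under examination. The passive DNS observations, IP addresses and domain names are constructed, the Jaccard index is assumed as the similarity measure, and single-linkage grouping at a fixed threshold is assumed as the clustering rule (Choi does not specify either choice in the cited paragraphs).

```python
from collections import defaultdict
from datetime import datetime

# Constructed passive DNS observations: (timestamp, querying host IP, domain queried).
# Invented for this example; not taken from Choi or the application under examination.
SAMPLE_PDNS = [
    ("2021-11-01T09:00:00", "10.0.0.5",  "a-example.test"),
    ("2021-11-01T09:01:00", "10.0.0.5",  "b-example.test"),
    ("2021-11-01T09:02:00", "10.0.0.7",  "a-example.test"),
    ("2021-11-01T09:03:00", "10.0.0.7",  "b-example.test"),
    ("2021-11-01T10:00:00", "10.0.0.9",  "a-example.test"),
    ("2021-11-01T10:01:00", "10.0.0.9",  "b-example.test"),
    ("2021-11-02T11:00:00", "10.0.0.5",  "c-example.test"),
    ("2021-11-02T11:05:00", "10.0.0.21", "news.example.test"),
    ("2021-11-02T11:06:00", "10.0.0.22", "news.example.test"),
    ("2021-11-02T11:07:00", "10.0.0.23", "news.example.test"),
    ("2021-11-02T11:08:00", "10.0.0.21", "cdn.example.test"),
    ("2021-11-02T11:09:00", "10.0.0.22", "cdn.example.test"),
    ("2021-11-20T08:00:00", "10.0.0.99", "old-example.test"),  # falls outside the window below
]


def hosts_per_domain(records, start_iso, end_iso):
    """Aggregate over the period [start, end): map each domain to the set of host IPs that queried it."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    hosts = defaultdict(set)
    for ts, host, domain in records:
        if start <= datetime.fromisoformat(ts) < end:
            hosts[domain].add(host)
    return dict(hosts)


def jaccard(a, b):
    """Overlap of two host sets: |A and B| / |A or B| (assumed similarity measure)."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def cluster_domains(hosts, threshold=0.5):
    """Single-linkage grouping: domains whose host sets reach the threshold similarity share a cluster."""
    domains = sorted(hosts)
    parent = {d: d for d in domains}  # union-find over domains

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for i, d1 in enumerate(domains):
        for d2 in domains[i + 1:]:
            if jaccard(hosts[d1], hosts[d2]) >= threshold:
                parent[find(d1)] = find(d2)
    groups = defaultdict(list)
    for d in domains:
        groups[find(d)].append(d)
    return sorted(sorted(g) for g in groups.values())


def similar_domains(hosts, query, threshold=0.5):
    """Similar-domain search: other domains ranked by host-set similarity to `query`."""
    q = hosts.get(query, set())
    scored = [(jaccard(q, h), d) for d, h in hosts.items() if d != query]
    return [(d, round(s, 3)) for s, d in sorted(scored, reverse=True) if s >= threshold]


if __name__ == "__main__":
    window = hosts_per_domain(SAMPLE_PDNS, "2021-11-01", "2021-11-08")
    for group in cluster_domains(window):
        print("cluster:", group)
    print("similar to a-example.test:", similar_domains(window, "a-example.test"))
```

With the constructed data, `a-example.test` and `b-example.test` were queried by exactly the same three hosts and land in one cluster, `news.example.test` and `cdn.example.test` share two of three hosts and land in another, and `c-example.test` (one host, shared with the first group) stays alone at a 0.5 threshold. The threshold and the single-linkage rule drive the result: lowering the threshold merges `c-example.test` into the first cluster, so a defender using host-overlap clustering should treat the threshold as a tunable that is validated against known-benign groups before alerting on it.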

As to claim 10, Choi teaches the system recited in claim 1, wherein the set of network related event data includes passive DNS (pDNS) data aggregated over a period of time to express pDNS data at-scale, and quantify similarity of the pDNS data aggregated over the period of time, within and across networks based on telemetry-based similarity for DNS, and wherein the processor is further configured to: 
perform a network summarization using the pDNS data aggregated over the period of time.

As to claim 11, Choi teaches the system recited in claim 1, wherein the set of network related event data includes passive DNS (pDNS) data aggregated over a period of time to express pDNS data at-scale, and quantify similarity of the pDNS data aggregated over the period of time, within and across networks based on telemetry-based similarity for DNS, and wherein the processor is further configured to: 
perform a domain characterization using the pDNS data aggregated over the period of time ([0048] the malicious domain cluster detection unit may generate a domain cluster based on the DNS data collected by the DNS data collection unit, may learn the characteristics of a normal cluster and a malicious cluster in the domain cluster; [0049] represents domains in the form of an IP address list of hosts that have queried the corresponding domain for a specific period).

As to claim 12, Choi teaches the system recited in claim 1, wherein the set of network related event data includes passive DNS (pDNS) data aggregated over a period of time to express pDNS data at-scale, and quantify similarity of the pDNS data aggregated over the period of time, within and across networks based on telemetry-based similarity for DNS, and wherein the processor is further configured to: 
detect a domain change and/or anomaly using the pDNS data aggregated over the period of time ([0048] may detect whether the domain cluster is malicious based on the result of the learning; [0016] represent each of the domains in the form of a list of IP addresses of hosts that have queried the corresponding domain for a specific period).

As to claim 14, Choi teaches the system recited in claim 1, wherein the set of network related event data includes passive DNS (pDNS) data aggregated over a period of time to express pDNS data at-scale, and quantify similarity of the pDNS data aggregated over the period of time, within and across networks based on telemetry-based similarity for DNS, and wherein the processor is further configured to: 
perform an application and service discovery using the pDNS data aggregated over the period of time ([0063] each of the domain popularities may be measured using an external service (e.g., Alexa) provided by measuring the popularity ranking of a domain based on a domain history). 

As to claim 15, Choi teaches a method, comprising: 
aggregating a set of network related event data, wherein the set of network related event data includes Domain Name System (DNS) related query data ([0045], fig. 1, the DNS data collection unit 10 collects traffic exchanged (aggregate a set of network related event data) between a client and a recursive name server using a passive DNS replication method); 
clustering the DNS related query data ([0048] fig. 1, the malicious domain cluster detection unit 30 may generate a domain cluster based on the DNS data (DNS related query data) collected by the DNS data collection unit 10); and 
generating similarity clusters for domains based on their DNS related query data ([0050], fig. 1, the clustering module unit 31 may generate a domain cluster by grouping domains exhibiting group activities into the domain cluster using DNS data collected (clusters for domains based on their DNS related query data) by the DNS data collection unit 10. In this case, one or more domain clusters may be generated). 

As to claim 19, Choi teaches a computer program product, the computer program product being embodied in a tangible computer readable storage medium and comprising computer instructions for:
aggregating a set of network related event data, wherein the set of network related event data includes Domain Name System (DNS) related query data ([0045], fig. 1, the DNS data collection unit 10 collects traffic exchanged (aggregate a set of network related event data) between a client and a recursive name server using a passive DNS replication method); 
clustering the DNS related query data ([0048] fig. 1, the malicious domain cluster detection unit 30 may generate a domain cluster based on the DNS data (DNS related query data) collected by the DNS data collection unit 10); and 
generating similarity clusters for domains based on their DNS related query data ([0050], fig. 1, the clustering module unit 31 may generate a domain cluster by grouping domains exhibiting group activities into the domain cluster using DNS data collected (clusters for domains based on their DNS related query data) by the DNS data collection unit 10. In this case, one or more domain clusters may be generated).


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 4-6, 18, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Choi (US 20160294859 A) in view of Weber (US 20190238576 A1).
As to claims 4, 18, and 20, Choi teaches all limitations of parent claims 1, 15, and 19. Choi does not explicitly teach
wherein the set of network related event data includes passive DNS (pDNS) data aggregated over a period of time to express passive DNS (pDNS) data at-scale, and similarity of the pDNS data aggregated over the period of time is quantified, within and across networks based on telemetry-based similarity for DNS using a statistical model;
Weber teaches 
wherein the set of network related event data includes passive DNS (pDNS) data aggregated over a period of time to express passive DNS (pDNS) data at-scale, and similarity of the pDNS data aggregated over the period of time is quantified, within and across networks based on telemetry-based similarity for DNS using a statistical model ([0026] domain filter may then operate on network traffic on data path to compare (at-scale) domains in the network traffic to those in identified malicious domains; [0031] passive DNS records may indicate network addresses associated with each domain (identified by a domain name) in the DNS messages, percentage of digits in domain, number of unique IPs seen for domain, number of unique TTLs (time to live) seen for the domain, length of longest meaningful substring, number of unique countries seen, age of the domain, daily similarity of passive DNS records (similarity for DNS using a statistical model), short-lived passive DNS history, repeated pattern of passive DNS records (data aggregated over a period of time), or some other type of DNS related information).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to include in the Choi disclosure the comparison of data to identify anomalies, as taught by Weber. One would be motivated to do so to identify a first plurality of domain names associated with a malicious domain campaign and seed a first clustering algorithm with the first plurality of domain names.
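Weber [0031], as cited above, lists per-domain quantities that can be derived from passive DNS records over time (number of unique IPs seen for a domain, number of unique TTLs, percentage of digits in the name, daily similarity of passive DNS records) and the rejection reads "similarity ... using a statistical model" onto that list. The Python below is an added illustration of how such features are computed and then compared across a population of domains; it is not code from Weber, Choi, or the application. The records, domains, IP addresses and TTLs are constructed, "daily similarity" is assumed to mean the mean Jaccard overlap of a domain's resolved-IP sets on consecutive observed days, and the population z-score used to flag outliers is an assumed, deliberately simple statistical model standing in for whatever Weber's system actually uses.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed passive DNS records: (observation date, domain, resolved IP, TTL).
# Invented for this example; not taken from Weber, Choi or the application.
SAMPLE_PDNS = [
    ("2021-11-01", "shop.example.test",   "198.51.100.10", 3600),
    ("2021-11-02", "shop.example.test",   "198.51.100.10", 3600),
    ("2021-11-03", "shop.example.test",   "198.51.100.10", 3600),
    ("2021-11-01", "mail.example.test",   "198.51.100.20", 300),
    ("2021-11-02", "mail.example.test",   "198.51.100.20", 300),
    ("2021-11-03", "mail.example.test",   "198.51.100.21", 300),
    ("2021-11-01", "x7k2q9.example.test", "203.0.113.5",   60),
    ("2021-11-01", "x7k2q9.example.test", "203.0.113.6",   60),
    ("2021-11-02", "x7k2q9.example.test", "203.0.113.7",   60),
    ("2021-11-02", "x7k2q9.example.test", "203.0.113.8",   120),
    ("2021-11-03", "x7k2q9.example.test", "203.0.113.9",   30),
]


def jaccard(a, b):
    """Overlap of two IP sets (assumed measure for 'daily similarity')."""
    return len(a & b) / len(a | b) if (a or b) else 0.0


def domain_features(records):
    """Per-domain features of the kind Weber lists, aggregated over the whole record set."""
    ips = defaultdict(set)
    ttls = defaultdict(set)
    by_day = defaultdict(lambda: defaultdict(set))
    for day, domain, ip, ttl in records:
        ips[domain].add(ip)
        ttls[domain].add(ttl)
        by_day[domain][day].add(ip)
    feats = {}
    for domain in ips:
        days = sorted(by_day[domain])
        # Daily similarity: mean overlap of resolved-IP sets on consecutive observed days.
        pairs = [jaccard(by_day[domain][d1], by_day[domain][d2]) for d1, d2 in zip(days, days[1:])]
        feats[domain] = {
            "digit_pct": round(sum(c.isdigit() for c in domain) / len(domain), 3),
            "unique_ips": len(ips[domain]),
            "unique_ttls": len(ttls[domain]),
            "days_seen": len(days),
            "daily_similarity": round(mean(pairs), 3) if pairs else 0.0,
        }
    return feats


def zscores(feats, name):
    """Population z-score of one feature across all domains (assumed statistical model)."""
    vals = {d: f[name] for d, f in feats.items()}
    mu, sigma = mean(vals.values()), pstdev(vals.values())
    if sigma == 0:
        return {d: 0.0 for d in vals}
    return {d: (v - mu) / sigma for d, v in vals.items()}


def flag_outliers(feats, z_limit=1.0):
    """Domains whose resolved-IP churn is unusual for this population: unique_ips more than
    z_limit standard deviations above the mean, or daily_similarity more than z_limit below."""
    z_ips = zscores(feats, "unique_ips")
    z_sim = zscores(feats, "daily_similarity")
    return sorted(d for d in feats if z_ips[d] > z_limit or z_sim[d] < -z_limit)


if __name__ == "__main__":
    feats = domain_features(SAMPLE_PDNS)
    for domain, f in sorted(feats.items()):
        print(domain, f)
    print("outliers:", flag_outliers(feats))
```

On the constructed records `x7k2q9.example.test` resolves to a fresh address every day with varying TTLs, so its unique-IP count sits well above the population mean and its daily similarity is zero, and it is the only domain flagged; `mail.example.test`, whose address changed once, is not. The population here is three domains, so the z-scores are illustrative only; in practice the baseline would be built from many domains observed over the same period, and a flagged domain is a lead for analyst review rather than a verdict.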

As to claim 5, Choi teaches the system recited in claim 1. Choi does not explicitly teach
wherein the set of network related event data includes DNS related query data associated with a first enterprise network and DNS related query data associated with a second enterprise network;
Weber teaches
wherein the set of network related event data includes DNS related query data associated with a first enterprise network and DNS related query data associated with a second enterprise network ([0024] third party services or platforms (first and second enterprise network) are employed to collect passive DNS records).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to include in the Choi disclosure the association between DNS and service providers, as taught by Weber. One would be motivated to do so to identify a first plurality of domain names associated with a malicious domain campaign and seed a first clustering algorithm with the first plurality of domain names.

As to claim 6, Choi teaches the system recited in claim 1. Choi does not explicitly teach wherein the processor is further configured to: 
compare DNS activities within a first enterprise network based on a baseline of DNS activity associated with the first enterprise network.
Weber teaches
compare DNS activities within a first enterprise network based on a baseline of DNS activity associated with the first enterprise network ([0026] domain filter may then operate on network traffic on data path to compare domains in the network traffic to those in identified malicious domains 122. If there is a match, domain filter may block the network traffic including the matched domain, may notify the sender of that network traffic of the malicious domain, or may perform some other function).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to include in the Choi disclosure the comparison of data to identify anomalies, as taught by Weber. One would be motivated to do so to identify a first plurality of domain names associated with a malicious domain campaign and seed a first clustering algorithm with the first plurality of domain names.

Claims 8 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Choi (US 20160294859 A) in view of Arnell (US 20170295196 A1).
As to claim 8, Choi teaches the system recited in claim 1. Choi does not explicitly teach 
wherein the processor is further configured to: compare DNS activities between a first enterprise network and other enterprise networks. 
Arnell teaches 
wherein the processor is further configured to: compare DNS activities between a first enterprise network and other enterprise networks ([0040], fig. 2, the DNS analyzer 260 may compare addresses resolved by an internal DNS server 230 (first enterprise network) to addresses resolved by the external DNS server 240 (second enterprise network) to which the particular client device changed).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to include in the Choi disclosure the comparison of DNS activities between two servers, as taught by Arnell. One would be motivated to do so to determine whether an anomaly exists.

As to claim 13, Choi teaches the system recited in claim 1. Choi does not explicitly teach 
wherein the set of network related event data includes passive DNS (pDNS) data aggregated over a period of time to express pDNS data at-scale, and quantify similarity of the pDNS data aggregated over the period of time, within and across networks based on telemetry-based similarity for DNS, and wherein the processor is further configured to: 
identify a network misconfiguration using the pDNS data aggregated over the period of time.
Arnell teaches
identify a network misconfiguration using the pDNS data aggregated over the period of time ([0006] a network anomaly may be indicative of a problem with one or more components of the computing network, and may be caused by a variety of things, such as malicious software (“malware”), malfunctioning hardware, or misconfigured devices, to name a few. Domain Name System (DNS) traffic is one type of network traffic which may be analyzed to identify potential problems with network components).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to include in the Choi disclosure a misconfiguration of devices, as taught by Arnell. One would be motivated to do so to determine whether an anomaly exists.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Pawar (US 20180103409 A1) and Brandwine (US 9374244 B1).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ANH NGUYEN whose telephone number is (571)270-0657. The examiner can normally be reached M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Umar Cheema can be reached on 5712703037. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/ANH NGUYEN/Primary Examiner, Art Unit 2456