DETAILED ACTION
This office action is in response to the application filed on 4/21/2022.  Claim(s) 1-33 is/are pending and are examined.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Priority/Benefit
Applicant’s benefit claim is hereby acknowledged as a continuation of application 16/572,813 filed 09/17/2019 now US Patent 11,343,275, which papers have been placed of record in the file.
Examiner’s Note – Allowable Subject Matter
Claims 2, 13, and 24 overcome the prior art and would otherwise be allowable if incorporated into the base claim along with any intervening claims as well as made to overcome the rejections below.
Claim Objections
Claim(s) 1-23 is/are objected to because of the following informalities: The examiner suggests the following corrections:
Claims 1 and 23:
Replacement of "(Domain Name System)" with "Domain Name System (DNS)".
Claims 2-11 and 13-22:
Replacement of "medium claim" with "medium of claim".
Claim 22:
Claim 22 says “medium claim 10” where it appears the applicant intended to write “medium claim 21”.  By a coincidence of the following issue, this did not trigger a rejection under 35 USC 112(b).
Claims 12-22:
Applicant is advised that should claims 12-22 be found allowable, claims 12-22 will be objected to under 37 CFR 1.75 as being a substantial duplicate thereof. When two claims in an application are duplicates or else are so close in content that they both cover the same thing, despite a slight difference in wording, it is proper after allowing one claim to object to the other as being a substantial duplicate of the allowed claim. See MPEP § 608.01(m).
The examiner recommends amending to a different statutory category, such as a system claim to represent the claims.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.  A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s).  See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).  
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the reference application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).  
The USPTO internet Web site contains terminal disclaimer forms which may be used.  Please visit http://www.uspto.gov/forms/.  The filing date of the application will determine what form should be used.  A web-based eTerminal Disclaimer may be filled out completely online using web-screens.  An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission.  For more information about eTerminal Disclaimers, refer to:  
http://www.uspto.gov/patents/process/file/fs/guidance/eTD-info-I.jsp.  

Claim(s) 1-33 is/are rejected on the grounds of nonstatutory double patenting as being unpatentable over claims 1-22 of US Patent 11,343,275.  Although the claims at issue are not identical in form, they are not patentably distinct from each other.
	Instant claim 1 is anticipated by patented claim 1 and patented claim 11 teaching a non-transitory computer readable medium.  Instant claim 2 is anticipated by patented claim 1 and patented claim 11 teaching a non-transitory computer readable medium.  Claims 3-11 are anticipated by patented claims 2-10, respectively.  Claim 12 is anticipated by patented claim 12.  Claim 13 is anticipated by patented claim 12.    Claims 14-15 are anticipated by patented claims 13-14.  Claims 16-22 are anticipated by patented claims 14-20, respectively.  Claims 23 and 24 are anticipated by patented claim 21.  Claim 25 is anticipated by patented claim 22.  Claim 26 is anticipated by patented claims 21 and 3.  Claim 27 is anticipated by patented claim 22.  Claim 28 is anticipated by patented claims 21 and 5.  Claim 29 is anticipated by patented claims 21 and 6.  Claim 30 is anticipated by patented claims 21 and 7.  Claim 31 is anticipated by patented claims 21 and 8.  Claim 32 is anticipated by patented claims 21 and 9.  Claim 33 is anticipated by patented claims 21 and 10.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1, 7-9, 12, 18-20, and 23 is/are rejected under 35 U.S.C. 103 as being unpatentable over Pon et al. (US 10,862,907 B1), in view of Wu (US 10,362,057 B1). 

Regarding claims 1, 12, and 23, Pon teaches:
“A non-transitory computer-readable storage medium embodying a set of instructions, which when executed by one or more processors of a computer system, causes the one or more processors to perform a method (Pon, Col. 3, Ln. 63 – Col. 4, Ln. 5 disclose a non-transitory computer readable medium to execute the method steps) comprising:
monitoring (Pon, Fig. 2, step 202, Col. 17 Ln. 25-30 teaches monitoring DNS data), by a processing device (Pon, Fig. 1, Data Handler 130 on Network analyzer 120, Col. 17 Ln. 53-59, Col. 6, Ln. 25-47, Data Handler performs step 202 and is a module on network analyzer 120 and implemented as a computer), a plurality of (Domain Name System) records pertaining to at least one domain or subdomain (Pon, Col. 7 Ln. 28 – Col. 9, Ln. 51 active and passive techniques are used to acquire DNS information regarding domains and subdomains) of an entity (Pon, Col. 17, Ln. 37-38 the data collected is specifically related to an entity);
detecting (Pon, Col. 18, Ln. 25-27 and Col. 19 Ln. 25-29 network event includes detecting that DNS information has changed), by the processing device (Pon, Fig. 1, Data Handler 130, and Data Analyzer 122 on Network analyzer 120 perform detecting), a modification of a DNS record of the plurality of DNS records (Pon, Col. 18, Ln. 25-27 and Col. 19 Ln. 25-29 network event includes detecting that DNS information has changed) within a defined time-frame (Pon, Col. 18, Ln. 11-16 discloses that the discrete data sets are based on user defined periods of time); and
responsive to said detecting (Pon, Fig. 2, step 204 Col. 18, Ln. 63-67 based on detecting a network event which includes a change in the DNS data assess the network threat to an identity of the entity), determining, by the processing device (Pon, Fig. 1, Data Handler 130, and Data Analyzer 122 on Network analyzer 120 perform step 204), whether the modification is anomalous (Pon, Fig. 2, step 204 Col. 18, Ln. 63-67 based on detecting a network event which includes a change in the DNS data assess the network threat to an identity of the entity.  Pon, Col. 25 Ln. 37- Col. 26 Ln. 3 teaches that the assessment can incorporate multiple data sources to make a determination about the network event and the change), by assigning a criticality value to the modification, wherein the criticality value is based on two or more of: a current value and a previous value of one or more fields of the DNS record (Pon, Fig. 2 steps 210-216, Col. 20 Ln. 32-44, Col. 21 Ln. 38 – Col. 22 Ln. 31, Col. 23 Ln. 14-42 a measure of a network threat may be computed as a value on a scale based on the changes to the DNS value including the resolved domain/subdomain name of the record)”.
Pon does not, but in related art, Wu teaches:	“an attribute of the DNS record, a derived attribute based on the DNS record (Wu, Fig. 28, Col. 80 Ln. 8-47 depicts DNS detection engine and describes the method to include various metadata related to the DNS data such as the time and the determined geographic region of the DNS request to make security decisions)”.
	Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Pon and Wu, to modify the malicious DNS active and passive data threat detection system of Pon to include the method to include various metadata related to the DNS data such as the time and geographic location of the DNS request to make security decisions as taught in Wu.  The motivation to do so constitutes applying a known technique (i.e., method to include various metadata related to the DNS data such as the time and geographic location of the DNS request to make security decisions) to known devices and/or methods (i.e., malicious DNS data threat detection system) ready for improvement to yield predictable results.

Regarding claims 7 and 18, Pon in view of Wu teaches:
“The non-transitory computer-readable storage medium claim 1 (Pon in view of Wu teaches the limitations of the parent claims as discussed above), wherein each of the one or more fields of the DNS record, the attribute of the DNS record, and the derived attribute of the DNS record is associated with a weight for purposes of assigning the criticality value (Pon, Col. 21 Ln. 47 – Col. 22 Ln. 31 and Col. 23 Ln. 14-42 teaches using a weighted set of metrics for determining the criticality of the network threat that is detected)”.

Regarding claims 8 and 19, Pon in view of Wu teaches:
“The non-transitory computer-readable storage medium claim 1 (Pon in view of Wu teaches the limitations of the parent claims as discussed above)”.
The combination of Pon in view of Wu does not, but in the same reference Wu teaches:
“the method further comprising:
when the modification is determined to be anomalous, causing, by the processing device, an alert to be sent to a network administrator of the entity (Wu, Col. 81, Ln. 35-45 teaches sending an alert to an administrator when an anomalous DNS event has occurred)”.
	Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Pon and Wu, to modify the malicious DNS active and passive data threat detection system of Pon in view of Wu to include the method to alert an administrator as taught in Wu.  The motivation to do so constitutes applying a known technique to known devices and/or methods ready for improvement to yield predictable results.

Regarding claims 9 and 20, Pon in view of Wu teaches: 
“The non-transitory computer-readable storage medium claim 1 (Pon in view of Wu teaches the limitations of the parent claims as discussed above), wherein the assigning the criticality value to the modification comprises:
inputting of two or more of: the current value and the previous value of the one or more fields of the DNS record, the attribute of the DNS record (Pon, Fig. 2 steps 210-216, Col. 20 Ln. 32-44, Col. 21 Ln. 38 – Col. 22 Ln. 31, Col. 23 Ln. 14-42 a measure of a network threat may be computed as a value on a scale based on the changes to the DNS value including the resolved domain/subdomain name of the record), and the derived attribute of the DNS record (Wu, Fig. 28, Col. 80 Ln. 8-47 depicts DNS detection engine and describes the method to include various metadata related to the DNS data such as the time and the determined geographic region of the DNS request to make security decisions) to a machine learning algorithm implementing a decision tree (Pon, Col. 21 Ln. 47 – Col. 22 Ln. 31 teaches using machine learning decision tree algorithm to make classifications on DNS events that occur based on changes of DNS information)”.

Claim(s) 3-4, 10-11, 14-15, 21-22, 25-26, and 29-33 is/are rejected under 35 U.S.C. 103 as being unpatentable over Pon, in view of Wu, in view of Janakiraman (US 2020/0137094 A1).
Regarding claims 3, 14, and 25, Pon in view of Wu teaches:
“The non-transitory computer-readable storage medium claim 1 (Pon in view of Wu teaches the limitations of the parent claims as discussed above)”.
Pon in view of Wu does not, but in related art, Janakiraman teaches:	“wherein the one or more fields of the DNS record are indicative of a name of a service associated with the DNS record or a destination Internet Protocol (IP) address (Janakiraman, ¶ 79-81 disclose detecting either the service that is being accessed or the destination IP for the DNS record that is being accessed.  Janakiraman ¶ 64-67 discloses accessing DNS records either by recording passive flow data or accessing databases)”.
Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Pon, Janakiraman, and Wu, to modify the malicious DNS active and passive data threat detection system of Pon and Wu to include the method to record service name and destination information in studying DNS activity as taught in Janakiraman.  The motivation to do so, as stated by Wu, constitutes applying a known technique (i.e., method to record service name and destination information in studying DNS activity) to known devices and/or methods (i.e., malicious DNS data threat detection system) ready for improvement to yield predictable results.

Regarding claims 4, 15, and 26, Pon in view of Wu in view of Janakiraman teaches:
“The non-transitory computer-readable storage medium claim 3 (Pon in view of Wu in view of Janakiraman teach the limitations of the parent claims as discussed above), wherein the attribute of the DNS record is indicative of a time at which the modification was made or a record type of the DNS record (Pon, Col. 17 Ln. 37-67 teaches monitoring and detecting changes to DNS information.  Further, Janakiraman ¶ 67 teaches monitoring DNS changes.  Janakiraman, ¶ 82-83 teaches timestamping DNS server access times)”.

Regarding claims 10 and 21, Pon in view of Wu teaches:
“The non-transitory computer-readable storage medium claim 1 (Pon in view of Wu teaches the limitations of the parent claims as discussed above) ”.
Pon in view of Wu does not, but in related art, Janakiraman teaches:
 “wherein the one or more subdomains are obtained using an enumeration technique (Janakiraman, ¶ 72-76 and 108 teaches determining subdomains by enumerating word variations and using database lookups of known subdomain names)”.
Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Pon, Janakiraman, and Wu, to modify the malicious DNS active and passive data threat detection system of Pon and Wu to include the method to determine subdomains by enumerating word variations and using database lookups of known subdomain names as taught in Janakiraman.  The motivation to do so, as stated by Wu, constitutes applying a known technique (i.e., method to determine subdomains by enumerating word variations and using database lookups of known subdomain names) to known devices and/or methods (i.e., malicious DNS data threat detection system) ready for improvement to yield predictable results.

Regarding claims 11 and 22, Pon in view of Wu in view of Janakiraman teaches:
“The non-transitory computer-readable storage medium claim 10 (Pon in view of Wu in view of Janakiraman teaches the limitations of the parent claims as discussed above), wherein the enumeration technique comprises any of use of a keyword-based search for DNS records associated with the entity and obtaining a list of known DNS records associated with the entity (Janakiraman, ¶ 72-76 and 108 teaches determining subdomains by enumerating word variations and using database lookups of known subdomain names)”.
Regarding claim 29, Pon in view of Wu in view of Janakiraman teaches: 
“The method of claim 26 (Pon in view of Wu in view of Janakiraman teach the limitations of the parent claims as discussed above), wherein each of the one or more fields of the DNS record, the attribute of the DNS record, and the derived attribute of the DNS record is associated with a weight for purposes of assigning the criticality value (Pon, Col. 21 Ln. 47 – Col. 22 Ln. 31 and Col. 23 Ln. 14-42 teaches using a weighted set of metrics for determining the criticality of the network threat that is detected)”.

Regarding claim 30, Pon in view of Wu in view of Janakiraman teaches:
“The method of claim 26 (Pon in view of Wu in view of Janakiraman teach the limitations of the parent claims as discussed above)”.
The combination of Pon in view of Wu in view of Janakiraman does not, but in the same reference Wu teaches:
“the method further comprising: when the modification is determined to be anomalous, causing, by the processing device, an alert to be sent to a network administrator of the entity (Wu, Col. 81, Ln. 35-45 teaches sending an alert to an administrator when an anomalous DNS event has occurred)”.
Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Pon, Janakiraman, and Wu, to modify the malicious DNS active and passive data threat detection system of Pon in view of Wu in view of Janakiraman to include the method to alert an administrator as taught in Wu.  The motivation to do so constitutes applying a known technique to known devices and/or methods ready for improvement to yield predictable results.
	
Regarding claim 31, Pon in view of Wu in view of Janakiraman teaches: 
“The method of claim 26 (Pon in view of Wu in view of Janakiraman teach the limitations of the parent claims as discussed above), wherein said assigning a criticality value to the modification comprises:
inputting of two or more of: the current value and the previous value of the one or more fields of the DNS record, the attribute of the DNS record (Pon, Fig. 2 steps 210-216, Col. 20 Ln. 32-44, Col. 21 Ln. 38 – Col. 22 Ln. 31, Col. 23 Ln. 14-42 a measure of a network threat may be computed as a value on a scale based on the changes to the DNS value including the resolved domain/subdomain name of the record), and the derived attribute of the DNS record (Wu, Fig. 28, Col. 80 Ln. 8-47 depicts DNS detection engine and describes the method to include various metadata related to the DNS data such as the time and the determined geographic region of the DNS request to make security decisions) to a machine learning algorithm implementing a decision tree (Pon, Col. 21 Ln. 47 – Col. 22 Ln. 31 teaches using machine learning decision tree algorithm to make classifications on DNS events that occur based on changes of DNS information)”.
Regarding claim 32, Pon in view of Wu in view of Janakiraman teaches:
“The method of claim 26 (Pon in view of Wu in view of Janakiraman teach the limitations of the parent claims as discussed above), wherein the subdomain is obtained using an enumeration technique (Janakiraman, ¶ 72-76 and 108 teaches determining subdomains by enumerating word variations and using database lookups of known subdomain names)”.

Regarding claim 33, Pon in view of Wu in view of Janakiraman teaches:
	“The method of claim 32 (Pon in view of Wu in view of Janakiraman teach the limitations of the parent claims as discussed above), wherein the enumeration technique comprises any of  use of a keyword-based search for DNS records associated with the entity and obtaining a list of known DNS records associated with the entity (Janakiraman, ¶ 72-76 and 108 teaches determining subdomains by enumerating word variations and using database lookups of known subdomain names)”.
Claim(s) 5-6, 16-17 and 27-28 is/are rejected under 35 U.S.C. 103 as being unpatentable over Pon, in view of Wu, in view of Janakiraman  in view of Merdinger et al. (US 10,402,876 B1).
Regarding claims 5, 16, and 27, Pon, in view of Wu, in view of Janakiraman  teaches:
“The non-transitory computer-readable storage medium claim 4 (Pon, in view of Wu, in view of Janakiraman  teaches the limitations of the parent claims as discussed above)”.
Pon, in view of Wu, in view of Janakiraman does not, but in related art, Merdinger teaches:
“wherein the derived attribute includes a data selected from a group consisting of: a metadata associated with the user (Merdinger, Col. 11, Ln. 11-27 teaches DNS metadata associated with a user who is attempting to alter DNS information)”.
	Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Pon, Janakiraman, Merdinger, and Wu, to modify the malicious DNS active and passive data threat detection system of Pon in view of Wu in view of Janakiraman to include the method to monitor metadata of the user attempting to make a change in DNS information.  The motivation to do so constitutes applying a known technique to known devices and/or methods ready for improvement to yield predictable results.

Regarding claims 6, 17, and 28, Pon, in view of Wu, in view of Janakiraman  in view of Merdinger teaches:
“The non-transitory computer-readable storage medium claim 5 (Pon, in view of Wu, in view of Janakiraman  in view of Merdinger teaches the limitations of the parent claim as discussed above), wherein the metadata associated with the user comprises any or a combination of: an email address of the user (Merdinger, Col. 11, Ln. 11-27 teaches DNS metadata including the email address associated with a user who is attempting to alter DNS information)”.


Conclusion
	In the case of amending the claimed invention, Applicant is respectfully requested to indicate the portion(s) of the specification which dictate(s) the structure relied on for proper interpretation and also to verify and ascertain the metes and bounds of the claimed invention.
	The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure: See PTO-892.
	Any inquiry concerning this communication or earlier communications from the examiner should be directed to STEPHEN GUNDRY whose telephone number is (571)270-0507 and can normally be reached on Monday - Friday 8:30 AM - 5PM EST.
	If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on (571) 272-3685.  The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
	Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at (866) 217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call (800) 786-9199 (IN USA OR CANADA) or (571) 272-1000.
/STEPHEN T GUNDRY/Examiner, Art Unit 2435