DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 08/24/2021 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Baughman et al. (US 2017/0318035), hereinafter referred to as Baughman, in view of O’Leary et al. (US 2016/0065535), hereinafter referred to as O’Leary.
In regards to claims 1, 8 & 15, Baughman discloses analyzing DNS communications (A DNS protocol attribute is a data field (field) or a record inside the packet, which is present in the packet according to the DNS protocol, which has a characteristic other than an actual value expressed by the contents of that field, and where the characteristic can be analyzed to determine DNS communication-specific information. Generally, a record can include one or more fields; Paragraphs 0037; 0047); and identifying DNS tunneling or exfiltration based on analysis of said DNS communications (Attribute heuristic may be configured such that if entropy exceeding the threshold is found in that field, the attribute heuristic identifies the attribute as being used maliciously. Using such fields, malicious DNS tunneling may try to repeatedly send changing requests; Paragraphs 0041-0045). 
However, Baughman does not disclose wherein analyzing said DNS communications comprises: identifying a distinct query count for each of a plurality of clients over a specified time period and a data transfer direction between said plurality of clients and one or more servers; and categorizing said DNS communications based on session features associated with at least one of query type, transfer capability, and server response. In an analogous art O’Leary discloses wherein analyzing said DNS communications comprises: identifying a distinct query count for each of a plurality of clients over a specified time period and a data transfer direction between said plurality of clients and one or more servers (The DNS data can be supplied in fragments accumulated over a predetermined period (e.g., ranging from minutes to years). Furthermore, certain metric values for each or some of the domain names appearing in the DNS data can be retrieved from the DNS data. These metric values can include a query count (QC), a client count (CC), a network count (NC), among others; Paragraphs 0024-0029); and categorizing said DNS communications based on session features associated with at least one of query type, transfer capability, and server response (Ranks the domain names based on the score for each of the domain names. The ranking can include normalization of the scores and sorting the scores based on one or more predetermined rule; Paragraphs 0056-0059).  
At the time before the effective filing date of the invention, it would have been obvious to one with ordinary skill in the art to combine the teachings disclosed by Baughman, with the teachings disclosed by O’Leary regarding wherein analyzing said DNS communications comprises: identifying a distinct query count for each of a plurality of clients over a specified time period and a data transfer direction between said plurality of clients and one or more servers; and categorizing said DNS communications based on session features associated with at least one of query type, transfer capability, and server response. The suggestion/motivation of the combination would have been to provide additional categorization based on DNS data (O’Leary; Paragraph 0002). 
In regards to claims 2, 9 & 16, O’Leary discloses wherein said DNS communications comprise queries and analyzing said DNS communications further comprises analyzing lexical features of said queries (The DNS data can be supplied in fragments accumulated over a predetermined period (e.g., ranging from minutes to years). Furthermore, certain metric values for each or some of the domain names appearing in the DNS data can be retrieved from the DNS data. These metric values can include a query count (QC), a client count (CC), a network count (NC), among others; Paragraphs 0024-0029).
In regards to claims 3, 10 & 17, O’Leary discloses wherein categorizing said DNS communications comprises categorizing query types based on transfer capability (Ranks the domain names based on the score for each of the domain names. The ranking can include normalization of the scores and sorting the scores based on one or more predetermined rule; Paragraphs 0056-0059).  
In regards to claims 4, 11 & 18, O’Leary discloses comprising identifying query type diversity (The DNS data can include domain names and also some DNS query related data such as an IP address of a client generating a DNS request, a time stamp of the DNS request, a DNS query name, a DNS query type, among other things; Paragraph 0024).
In regards to claims 5, 12 & 16, O’Leary discloses wherein analyzing said DNS communications comprises analyzing a payload of a response (The DNS data can include domain names and also some DNS query related data such as an IP address of a client generating a DNS request, a time stamp of the DNS request, a DNS query name, a DNS query type, among other things; Paragraph 0024).
In regards to claims 6, 13 & 20, Baughman discloses breaking down features into session features, lexical features, and active profiling (Other attribute heuristics can similarly be configured for encryption or encoding in CNAME and other attributes; length or size of CNAME, TX, or other fields; entropy in CNAME and other attributes, numerosity of "NXdomain" (domain not found response) or other values in a response field; a number of times the DNS server (C&C server in a malicious case) failed to resolve a requested domain; Paragraphs 0045; 0085).
In regards to claims 7 & 14, the combination of Baughman and O’Leary discloses categorizing bidirectional and attacker-to-client unidirectional transfers using the query type and the server response (The elements presented in the claim(s) do not contain any additional features, and do not present any inventive step or novelty not addressed/presented in the combination of Baughman and O’Leary. Examiner takes official notice that these elements are commonly known, minor design details that are derivable from the prior art, are well known, and are obvious to one of ordinary skill in the art. The additional features of these claims represent normal design options which the skilled person would implement in the combination of Baughman and O’Leary, depending on the circumstances, without exercising any inventive activity).
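The two detection ideas relied on above, Baughman's entropy attribute heuristic over DNS fields (Paragraphs 0041-0045) and O'Leary's per-client distinct query count over a predetermined period together with a transfer-direction category derived from query type and server response (Paragraphs 0024-0029, claims 7 & 14), are illustrated below in a worked example written for this action. The code is not from either reference or from the application under examination; the log records, the entropy and response-size thresholds, and the set of query types treated as capable of carrying a sizeable downstream payload are constructed assumptions for the illustration only.

```python
"""Worked illustration (not from the cited references) of two DNS tunneling
indicators: (1) an entropy attribute heuristic over query-name labels and
(2) per-client distinct-query counts over a time window, plus a
transfer-direction category derived from query type and response size."""
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, client, qname, qtype, response_bytes).
# Client 10.0.0.7 issues a stream of random-looking TXT/NULL queries under one
# zone; client 10.0.0.5 issues ordinary host lookups.
SAMPLE_LOG = [
    ("2024-01-01 10:00:01", "10.0.0.5", "www.example.com", "A", 60),
    ("2024-01-01 10:00:02", "10.0.0.5", "mail.example.com", "MX", 80),
    ("2024-01-01 10:00:03", "10.0.0.7", "7a9f3b2e1c4d8e0f5a6b.tun.example.net", "TXT", 480),
    ("2024-01-01 10:00:04", "10.0.0.7", "1b3d5f7a9c2e4g6i8k0m.tun.example.net", "TXT", 470),
    ("2024-01-01 10:00:05", "10.0.0.7", "9e8d7c6b5a4f3e2d1c0b.tun.example.net", "TXT", 490),
    ("2024-01-01 10:00:06", "10.0.0.7", "0f1e2d3c4b5a69788796.tun.example.net", "NULL", 520),
    ("2024-01-01 10:20:00", "10.0.0.5", "www.example.com", "A", 60),  # outside the 10-minute window
]

ENTROPY_THRESHOLD = 3.5        # bits per character; assumed tuning value
RESPONSE_BYTES_THRESHOLD = 256  # assumed size above which an answer is "payload-like"
# Query types whose answer sections can carry sizeable opaque data (assumption).
DOWNSTREAM_CAPABLE = {"TXT", "NULL", "CNAME"}


def shannon_entropy(text):
    """Shannon entropy in bits per character of a string (0.0 for empty input)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def high_entropy_label(qname, threshold=ENTROPY_THRESHOLD):
    """Entropy attribute heuristic: True if any label of the query name exceeds
    the threshold. A label of length L cannot exceed log2(L) bits, so ordinary
    short host names such as 'www' or 'mail' can never trip a 3.5-bit threshold."""
    return any(shannon_entropy(label) > threshold for label in qname.split("."))


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def in_window(ts, window_start, window_minutes):
    start = parse_ts(window_start)
    return start <= parse_ts(ts) < start + timedelta(minutes=window_minutes)


def distinct_query_counts(records, window_start, window_minutes):
    """Distinct query names per client within the specified time period."""
    seen = defaultdict(set)
    for ts, client, qname, _qtype, _resp in records:
        if in_window(ts, window_start, window_minutes):
            seen[client].add(qname)
    return {client: len(names) for client, names in seen.items()}


def categorize(record, response_threshold=RESPONSE_BYTES_THRESHOLD):
    """Transfer-direction category from query type and server response size.
    Upstream capacity is inferred from high-entropy labels in the query name;
    downstream capacity from a payload-capable query type with a large answer."""
    _ts, _client, qname, qtype, response_bytes = record
    upstream = high_entropy_label(qname)
    downstream = qtype in DOWNSTREAM_CAPABLE and response_bytes > response_threshold
    if upstream and downstream:
        return "bidirectional"
    if downstream:
        return "server_to_client"
    if upstream:
        return "client_to_server"
    return "benign"


def summarize(records, window_start, window_minutes):
    """Per-client session summary: distinct query count plus category histogram."""
    counts = distinct_query_counts(records, window_start, window_minutes)
    categories = defaultdict(Counter)
    for rec in records:
        if in_window(rec[0], window_start, window_minutes):
            categories[rec[1]][categorize(rec)] += 1
    return {c: {"distinct_queries": counts[c], "categories": dict(categories[c])}
            for c in counts}


if __name__ == "__main__":
    for client, info in summarize(SAMPLE_LOG, "2024-01-01 10:00:00", 10).items():
        print(client, info)
```

Running the block over the constructed records reports 10.0.0.5 with two distinct benign queries and 10.0.0.7 with four distinct queries all categorized as bidirectional, which is the combination of per-client volume, field entropy, and response-size features that the rejection above draws from the two references.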

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHARIF E ULLAH whose telephone number is (571)272-5453. The examiner can normally be reached Mon-Fri 7:00-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/SHARIF E ULLAH/Primary Examiner, Art Unit 2495