Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Priority
	This Application claims priority to an Indian Patent Application # IN201911054124 filed 12/27/2019.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 10/26/2022 has been entered.
DETAILED ACTION
This Office Action is in response to a Request for Continued Examination (RCE) application received on 10/26/2022. In the RCE, Applicant has amended claims 1-4, 9-12 and 17-20. Claims 5-8 and 13-16 remain original. No claim has been cancelled and no new claim has been added.
For this Office Action, claims 1-23 have been received for consideration and have been examined. 



Response to Arguments
Claim Rejection under 35 USC § 102
Applicant’s arguments, filed 10/26/2022, with respect to the rejection(s) of claim(s) 1-2, 4-10, 12-18 and 20-23 under 35 USC § 102 have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of new amendments to the claims.
Claim Rejection under 35 USC § 103
	Applicant’s amendments to claims 3, 11 and 19 have changed the scope of the claims, and therefore the claims are rejected under a new ground of rejection.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 4-10, 12-18 and 20-23 are rejected under 35 U.S.C. 103 as being unpatentable over Meshi et al., (US20180069883A1) in view of Fakeri-Tabrizi et al., (US20160065611A1), hereinafter referred to as “Tabrizi”.
Regarding claim 1, Meshi discloses:
A computer-implemented method to manage threats to a protected network having a plurality of internal production systems, the method comprising:
monitoring (i.e. collection step 120 where data is collected [monitored] and transmitted to anomaly detection system 22 for further processing; See FIG. 2-3) network traffic from the plurality of internal production systems of a protected network for domain names ([0036] FIG. 1 is a block diagram that schematically shows a computing facility 20 comprising an anomaly detection system 22 that monitors transmissions from multiple workstations 24 (also referred to as endpoints) to multiple Internet sites 26 in order to determine if any of the Internet sites are hosting malicious Command and Control (CnC) channels; [0054] In a collection step 120, processor collects, during a training period, information on data transmitted from workstations 24 to Internet sites 26, and stores the collected information to analysis records 90. Using embodiments described supra, processor 70 can collect the information from log data 54 or from data packets transmitted over network 30 (e.g., collect from probe 78 in real-time), and store the information to analysis records 90);
determining, for each internal production system of the plurality of internal production systems over the course of a long time interval (i.e. domain name data collected over a single month (e.g., 30 days) is construed as long time interval; This information is collected in Malicious artifact profiles 114; See FIG. 2), a first collection of each unique domain name that is output by the internal production system ([0062] The one or more malicious artifact profiles can be used to identify patterns or features of the specific transmissions to the given domain … Information that can be used to define the malicious artifact profiles include: [0063] Total number of connections to a given domain 44 during a specific time period (e.g., 30 days); [0086] In order to consider periodicity, embodiments of the present invention may aggregate the data collected over (for example) a single month, and only consider the destination (i.e., a given domain 94));
determining, for each internal production system over the course of a short time interval (i.e. domain name data collected over ‘daily or hourly’ is construed as short time interval; This information is collected in Malicious artifact profiles 114; See FIG. 2), a second collection of each unique domain name that is output by the internal production system ([0062] The one or more malicious artifact profiles can be used to identify patterns or features of the specific transmissions to the given domain; [0064] Average volume of all the connections to the given domain during a specific time period (e.g., daily or hourly); [0067] Examples of how the one or more access time profiles can be used to analyze the information in records 90 include: [0069] A higher number of distinct hours during a given time period (i.e., based on time 100) that a given domain 94 is accessed by workstations 24 indicates a higher suspicion that the given domain is a (malicious or benign) CnC channel);
comparing domain names (i.e. generating ‘access time profile’; See Abstract) to determine suspicious domain names that meet a predetermined condition (See FIG. 7; i.e. See [0072] for predetermined conditions [having longer domain names, having younger domain ages, having hidden registrant information] to detect malicious domain names) ([0072] Examples of how the one or more malicious domain profiles can be used to analyze the information in records 90 include, but are not limited to, assigning higher malicious domain suspiciousness to domains 90 having longer domain names, having younger domain ages, having hidden registrant information (i.e., these are only a few examples); [0073] In a first model generation step 126, processor 70 uses profiles 110, 112 and 114 to generate CnC model 82. In embodiments of the present invention, model 82 analyzes, using the features in profiles 110, 112, and 114, the data transmissions in the collected data to predict if a given domain 44 hosts a CnC channel; [0077] In a model application step 132, processor 70 (e.g., executing classification application 80) applies the CnC model (comprising profiles 110, 112 and 114) and the malicious domain model (comprising profile 116) to the information collected in step 130, and in a prediction step 134, the processor predicts (i.e., determines), suspiciousness (i.e., if any of the domains are hosting malicious CnC channels) based on respective predictions from models 82 and 84; Also See [0160-0163] for multiple comparison steps that compare domain information to detect suspicious domains); and
requesting to treat the suspicious domain names as suspicious ([0074] Finally, in a second model generation step 128, processor 70 uses profile(s) 116 to generate malicious domain model 84. In embodiments of the present invention, model 84 analyzes, using the features in profile(s) 116, the data transmissions in the collected data to predict if a given domain 44 is malicious; [0078] Finally, in an alert step 136, processor 70 generates alerts for the one or more identified domains; [0079] processor 70 can create a single malicious CnC model that can predict if a given domain 44 hosts a malicious CnC channel. In this embodiment, processor 70 can apply the malicious CnC model to the collected data (i.e., step 134) and predict, using the malicious CnC model, if a given domain 44 is suspected of hosting a malicious CnC channel (i.e., step 136)).
Meshi fails to disclose:
	comparing domain names in the first collection relative to domain names in the second collection; determining suspicious domain names from the domain names in the first collection and the second collections [i.e., the domain name appears in the short time period list but not in the long time period list].
However, Tabrizi discloses:
	comparing domain names in the first collection relative to domain names in the second collection ([0042-0043] disclose comparing the domain names in the short term period list [i.e., the list for each hour] against the long term period list [i.e., the list of N days ago]);
determining suspicious domain names from the domain names in the first collection and the second collections [i.e., the domain name appears in the short time period list but not in the long time period list] ([0044] & [0046] disclose detecting new domain names [potentially anomalous] when a domain did not appear in the long time period (e.g., X number of days) but appears in the short time period (e.g., 20 minutes or an hour); [0048] discloses determining a domain name to be malicious when the count value of the domain name meets or exceeds the predetermined threshold).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the Meshi reference to include a method for detecting anomalies in DNS requests, as disclosed by Tabrizi.
The motivation to include the method for detecting anomalies in DNS requests is to identify one or more domains that are suspected of hosting malicious Command & Control (CnC) channels by comparing the appearance of domain names in the short term period list against the long term period list.
Regarding claim 2, the combination of Meshi and Tabrizi discloses:
The method of claim 1, wherein the suspicious domain names meet the predetermined condition of the comparison when it is determined for a threshold number of internal production systems that the suspicious domain names were included in a predetermined amount of second collections, and wherein it is further determined that the suspicious domain names were not included in the first collection (Tabrizi: [0043] & [0048]).
Regarding claim 4, the combination of Meshi and Tabrizi discloses:
The method of claim 1, further comprising:
determining an attribute (i.e., Domain age according to the WHOIS record; See [0186]/ an age of the given domain; See [0049]) associated with a domain associated with a suspicious domain name of the suspicious domain names ([0049] Acquired data 88 comprises data (typically acquired from one or more external sources, as described hereinbelow) that can be used to identify information about domains 94 … As described hereinbelow, for a given data record 104 having a given domain 106, domain information 108 can include data such as … (c) an age of the given domain);
applying a condition (i.e., checking domain reputation / if domain reputation is malicious / checking domain’s age of registration) to the attribute determined (See FIG. 7; [0160] in a check step 170, processor 70 checks the reputation of the given domain (e.g., using acquired data 88, as described supra); [0161] In a third comparison step 172, if the given domain has a reputation, then in a fourth comparison step 174, processor 70 checks if the given domain's reputation is malicious. If the given domain's reputation is not malicious, then in a fifth comparison step 176, processor 70 checks if the domain is young); and
determining not to request that suspicious domain name be treated as suspicious when the condition is met (See FIG. 7 Flowchart steps; when the determination of the domain’s reputation in steps 172, 174 & 176 results in “Domain has a reputation? Yes” [step 172], “Reputation is Malicious? No” [step 174] & “Domain is Young? No” [step 176], then the process classifies the given domain as “Benign/Nonthreatening”; See [0160-0163]).
Regarding claim 5, the combination of Meshi and Tabrizi discloses:
The method of claim 4, further comprising accessing information about registration of the domain name to determine the attribute ([0057] In embodiments of the present invention, processor 70 can use information from the external sources described hereinabove to define malicious domain profiles 116. Additional examples of the information from external or internal sources that processor 70 can acquire and use for profiles 116 include: [0059] WHOIS (i.e., domain registration records). A person or organization that registered (i.e., purchased) a given domain 94 tried to hide their identity (e.g., via a 3rd party service) indicates a high suspicion that the given domain is malicious; [0060] Additionally domains 94 that are newer (i.e., age of registration) are more suspicious than domains 94 that are older).
Regarding claim 6, the combination of Meshi and Tabrizi discloses:
The method of claim 5, wherein the attribute is age of the domain name from a time of registration as indicated by the information about registration and the condition is whether the age of the domain name is at least a threshold age ([0049] Acquired data 88 comprises data (typically acquired from one or more external sources, as described hereinbelow) that can be used to identify information about domains 94 … As described hereinbelow, for a given data record 104 having a given domain 106, domain information 108 can include data such as … (c) an age of the given domain; See FIG. 7 Flowchart steps; when the determination of the domain’s reputation in steps 172, 174 & 176 results in “Domain has a reputation? Yes” [step 172], “Reputation is Malicious? No” [step 174] & “Domain is Young? No” [step 176], then the process classifies the given domain as “Benign/Nonthreatening”; See [0160-0163]).
Regarding claim 7, the combination of Meshi and Tabrizi discloses:
The method of claim 1, wherein the method further includes treating the suspicious domain names as suspicious by taking a precautionary action to warn users of internal production systems in the network about the suspicious domain names ([0035] Embodiments described herein focus on communication between a malware and a domain. There can also be channels between malware and IP addresses, and some embodiments of the present invention are likewise applicable, mutatis mutandis, to detecting malicious IP addresses. Therefore, in some embodiments generating an alert for a given domain may comprise blocking access to the given domain or to any IP addresses belonging to the given domain; [0154] The final verdict of the domain is determined by a combination of the domain suspiciousness score and the domain CnC score … Alerts may be presented to a user according to the final score. For example, a “high risk” alert may be presented for domains with a high score).
Regarding claim 8, the combination of Meshi and Tabrizi discloses:
The method of claim 1, wherein the method further includes treating the suspicious domain names as suspicious by taking a blocking action to block packets that include the suspicious domain names ([0035] Embodiments described herein focus on communication between a malware and a domain. There can also be channels between malware and IP addresses, and some embodiments of the present invention are likewise applicable, mutatis mutandis, to detecting malicious IP addresses. Therefore, in some embodiments generating an alert for a given domain may comprise blocking access to the given domain or to any IP addresses belonging to the given domain).
Regarding claim 9, Meshi discloses:
A computer system for managing threats to a network, comprising:
a memory configured to store instructions;
processor disposed in communication with said memory, wherein the processor upon execution of the instructions is configured to:
monitor (i.e. collection step 120 where data is collected [monitored] and transmitted to anomaly detection system 22 for further processing; See FIG. 2) network traffic from the plurality of internal production systems of a protected network for domain names ([0036] FIG. 1 is a block diagram that schematically shows a computing facility 20 comprising an anomaly detection system 22 that monitors transmissions from multiple workstations 24 (also referred to as endpoints) to multiple Internet sites 26 in order to determine if any of the Internet sites are hosting malicious Command and Control (CnC) channels; [0054] In a collection step 120, processor collects, during a training period, information on data transmitted from workstations 24 to Internet sites 26, and stores the collected information to analysis records 90. Using embodiments described supra, processor 70 can collect the information from log data 54 or from data packets transmitted over network 30 (e.g., collect from probe 78 in real-time), and store the information to analysis records 90);
determine, for each internal production system of the plurality of internal production systems over the course of a long time interval (i.e. domain name data collected over a single month (e.g., 30 days) is construed as long time interval; This information is collected in Malicious artifact profiles 114; See FIG. 2), a first collection of each unique domain name that is output by the internal production system ([0062] The one or more malicious artifact profiles can be used to identify patterns or features of the specific transmissions to the given domain … Information that can be used to define the malicious artifact profiles include: [0063] Total number of connections to a given domain 44 during a specific time period (e.g., 30 days); [0086] In order to consider periodicity, embodiments of the present invention may aggregate the data collected over (for example) a single month, and only consider the destination (i.e., a given domain 94));
determine, for each internal production system over the course of a short time interval (i.e. domain name data collected over ‘daily or hourly’ is construed as short time interval; This information is collected in Malicious artifact profiles 114; See FIG. 2), a second collection of each unique domain name that is output by the internal production system ([0062] The one or more malicious artifact profiles can be used to identify patterns or features of the specific transmissions to the given domain; [0064] Average volume of all the connections to the given domain during a specific time period (e.g., daily or hourly); [0067] Examples of how the one or more access time profiles can be used to analyze the information in records 90 include: [0069] A higher number of distinct hours during a given time period (i.e., based on time 100) that a given domain 94 is accessed by workstations 24 indicates a higher suspicion that the given domain is a (malicious or benign) CnC channel);
comparing domain names (i.e. generating ‘access time profile’; See Abstract) to determine suspicious domain names that meet a predetermined condition (See FIG. 7; i.e. See [0072] for predetermined conditions [having longer domain names, having younger domain ages, having hidden registrant information] to detect malicious domain names) ([0072] Examples of how the one or more malicious domain profiles can be used to analyze the information in records 90 include, but are not limited to, assigning higher malicious domain suspiciousness to domains 90 having longer domain names, having younger domain ages, having hidden registrant information (i.e., these are only a few examples); [0073] In a first model generation step 126, processor 70 uses profiles 110, 112 and 114 to generate CnC model 82. In embodiments of the present invention, model 82 analyzes, using the features in profiles 110, 112, and 114, the data transmissions in the collected data to predict if a given domain 44 hosts a CnC channel; [0077] In a model application step 132, processor 70 (e.g., executing classification application 80) applies the CnC model (comprising profiles 110, 112 and 114) and the malicious domain model (comprising profile 116) to the information collected in step 130, and in a prediction step 134, the processor predicts (i.e., determines), suspiciousness (i.e., if any of the domains are hosting malicious CnC channels) based on respective predictions from models 82 and 84; Also See [0160-0163] for multiple comparison steps that compare domain information to detect suspicious domains); and
requesting to treat the suspicious domain names as suspicious ([0074] Finally, in a second model generation step 128, processor 70 uses profile(s) 116 to generate malicious domain model 84. In embodiments of the present invention, model 84 analyzes, using the features in profile(s) 116, the data transmissions in the collected data to predict if a given domain 44 is malicious; [0078] Finally, in an alert step 136, processor 70 generates alerts for the one or more identified domains; [0079] processor 70 can create a single malicious CnC model that can predict if a given domain 44 hosts a malicious CnC channel. In this embodiment, processor 70 can apply the malicious CnC model to the collected data (i.e., step 134) and predict, using the malicious CnC model, if a given domain 44 is suspected of hosting a malicious CnC channel (i.e., step 136)).
Meshi fails to disclose:
	comparing domain names in the first collection relative to domain names in the second collection; determining suspicious domain names from the domain names in the first collection and the second collections [i.e., the domain name appears in the short time period list but not in the long time period list].
However, Tabrizi discloses:
	comparing domain names in the first collection relative to domain names in the second collection ([0042-0043] disclose comparing the domain names in the short term period list [i.e., the list for each hour] against the long term period list [i.e., the list of N days ago]);
determining suspicious domain names from the domain names in the first collection and the second collections [i.e., the domain name appears in the short time period list but not in the long time period list] ([0044] & [0046] disclose detecting new domain names [potentially anomalous] when a domain did not appear in the long time period (e.g., X number of days) but appears in the short time period (e.g., 20 minutes or an hour); [0048] discloses determining a domain name to be malicious when the count value of the domain name meets or exceeds the predetermined threshold).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the Meshi reference to include a method for detecting anomalies in DNS requests, as disclosed by Tabrizi.
The motivation to include the method for detecting anomalies in DNS requests is to identify one or more domains that are suspected of hosting malicious Command & Control (CnC) channels by comparing the appearance of domain names in the short term period list against the long term period list.
Regarding claim 10, the combination of Meshi and Tabrizi discloses:
The computer system of claim 9, wherein the suspicious domain names meet the predetermined condition of the comparison when it is determined for a threshold number of internal production systems that the suspicious domain names were included in a predetermined amount of second collections, and wherein it is further determined that the suspicious domain names were not included in the first collection (Tabrizi: [0043] & [0048]).
Regarding claim 12, the combination of Meshi and Tabrizi discloses:
The computer system of claim 9, wherein the processor upon execution of the instructions is further configured to:
determine an attribute (i.e., Domain age according to the WHOIS record; See [0186]/ an age of the given domain; See [0049]) associated with a domain associated with a suspicious domain name of the suspicious domain names ([0049] Acquired data 88 comprises data (typically acquired from one or more external sources, as described hereinbelow) that can be used to identify information about domains 94 … As described hereinbelow, for a given data record 104 having a given domain 106, domain information 108 can include data such as … (c) an age of the given domain);
apply a condition (i.e., checking domain reputation / if domain reputation is malicious / checking domain’s age of registration) to the attribute determined (See FIG. 7; [0160] in a check step 170, processor 70 checks the reputation of the given domain (e.g., using acquired data 88, as described supra); [0161] In a third comparison step 172, if the given domain has a reputation, then in a fourth comparison step 174, processor 70 checks if the given domain's reputation is malicious. If the given domain's reputation is not malicious, then in a fifth comparison step 176, processor 70 checks if the domain is young); and
determine not to treat the suspicious domain name as suspicious when the condition is met (See FIG. 7 Flowchart steps; when the determination of the domain’s reputation in steps 172, 174 & 176 results in “Domain has a reputation? Yes” [step 172], “Reputation is Malicious? No” [step 174] & “Domain is Young? No” [step 176], then the process classifies the given domain as “Benign/Nonthreatening”; See [0160-0163]).
Regarding claim 13, the combination of Meshi and Tabrizi discloses:
The computer system of claim 12, wherein the processor upon execution of the instructions is further configured to access information about registration of the domain name to determine the attribute ([0057] In embodiments of the present invention, processor 70 can use information from the external sources described hereinabove to define malicious domain profiles 116. Additional examples of the information from external or internal sources that processor 70 can acquire and use for profiles 116 include: [0059] WHOIS (i.e., domain registration records). A person or organization that registered (i.e., purchased) a given domain 94 tried to hide their identity (e.g., via a 3rd party service) indicates a high suspicion that the given domain is malicious; [0060] Additionally domains 94 that are newer (i.e., age of registration) are more suspicious than domains 94 that are older).
Regarding claim 14, the combination of Meshi and Tabrizi discloses:
The computer system of claim 13, wherein the attribute is age of the domain name from a time of registration as indicated by the information about registration, and the condition is whether the age of the domain name is at least a threshold age ([0049] Acquired data 88 comprises data (typically acquired from one or more external sources, as described hereinbelow) that can be used to identify information about domains 94 … As described hereinbelow, for a given data record 104 having a given domain 106, domain information 108 can include data such as … (c) an age of the given domain; See FIG. 7 Flowchart steps; when the determination of the domain’s reputation in steps 172, 174 & 176 results in “Domain has a reputation? Yes” [step 172], “Reputation is Malicious? No” [step 174] & “Domain is Young? No” [step 176], then the process classifies the given domain as “Benign/Nonthreatening”; See [0160-0163]).
Regarding claim 15, the combination of Meshi and Tabrizi discloses:
The computer system of claim 9, wherein the processor upon execution of the instructions is further configured to treat the suspicious domain names as suspicious, including taking a precautionary action to warn users of internal production systems in the network about the suspicious domain names ([0035] Embodiments described herein focus on communication between a malware and a domain. There can also be channels between malware and IP addresses, and some embodiments of the present invention are likewise applicable, mutatis mutandis, to detecting malicious IP addresses. Therefore, in some embodiments generating an alert for a given domain may comprise blocking access to the given domain or to any IP addresses belonging to the given domain; [0154] The final verdict of the domain is determined by a combination of the domain suspiciousness score and the domain CnC score … Alerts may be presented to a user according to the final score. For example, a “high risk” alert may be presented for domains with a high score).
Regarding claim 16, the combination of Meshi and Tabrizi discloses:
The computer system of claim 9, wherein the processor upon execution of the instructions is further configured to treat the suspicious domain names as suspicious, including taking a blocking action to block packets that include the suspicious domain names ([0035] Embodiments described herein focus on communication between a malware and a domain. There can also be channels between malware and IP addresses, and some embodiments of the present invention are likewise applicable, mutatis mutandis, to detecting malicious IP addresses. Therefore, in some embodiments generating an alert for a given domain may comprise blocking access to the given domain or to any IP addresses belonging to the given domain).
Regarding claim 17, Meshi discloses:
A non-transitory computer readable storage medium and one or more computer programs embedded therein, the computer programs comprising instructions, which when executed by a computer system, cause the computer system to:
monitor (i.e. collection step 120 where data is collected [monitored] and transmitted to anomaly detection system 22 for further processing; See FIG. 2) network traffic from the plurality of internal production systems of a protected network for domain names ([0036] FIG. 1 is a block diagram that schematically shows a computing facility 20 comprising an anomaly detection system 22 that monitors transmissions from multiple workstations 24 (also referred to as endpoints) to multiple Internet sites 26 in order to determine if any of the Internet sites are hosting malicious Command and Control (CnC) channels; [0054] In a collection step 120, processor collects, during a training period, information on data transmitted from workstations 24 to Internet sites 26, and stores the collected information to analysis records 90. Using embodiments described supra, processor 70 can collect the information from log data 54 or from data packets transmitted over network 30 (e.g., collect from probe 78 in real-time), and store the information to analysis records 90);
determine, for each internal production system of the plurality of internal production systems over the course of a long time interval (i.e. domain name data collected over a single month (e.g., 30 days) is construed as long time interval; This information is collected in Malicious artifact profiles 114; See FIG. 2), a first collection of each unique domain name that is output by the internal production system ([0062] The one or more malicious artifact profiles can be used to identify patterns or features of the specific transmissions to the given domain … Information that can be used to define the malicious artifact profiles include: [0063] Total number of connections to a given domain 44 during a specific time period (e.g., 30 days); [0086] In order to consider periodicity, embodiments of the present invention may aggregate the data collected over (for example) a single month, and only consider the destination (i.e., a given domain 94));
determine, for each internal production system over the course of a short time interval (i.e. domain name data collected over ‘daily or hourly’ is construed as short time interval; This information is collected in Malicious artifact profiles 114; See FIG. 2), a second collection of each unique domain name that is output by the internal production system ([0062] The one or more malicious artifact profiles can be used to identify patterns or features of the specific transmissions to the given domain; [0064] Average volume of all the connections to the given domain during a specific time period (e.g., daily or hourly); [0067] Examples of how the one or more access time profiles can be used to analyze the information in records 90 include: [0069] A higher number of distinct hours during a given time period (i.e., based on time 100) that a given domain 94 is accessed by workstations 24 indicates a higher suspicion that the given domain is a (malicious or benign) CnC channel);
comparing domain names (i.e. generating ‘access time profile’; See Abstract) to determine suspicious domain names that meet a predetermined condition (See FIG. 7; i.e. See [0072] for predetermined conditions [having longer domain names, having younger domain ages, having hidden registrant information] to detect malicious domain names) ([0072] Examples of how the one or more malicious domain profiles can be used to analyze the information in records 90 include, but are not limited to, assigning higher malicious domain suspiciousness to domains 90 having longer domain names, having younger domain ages, having hidden registrant information (i.e., these are only a few examples); [0073] In a first model generation step 126, processor 70 uses profiles 110, 112 and 114 to generate CnC model 82. In embodiments of the present invention, model 82 analyzes, using the features in profiles 110, 112, and 114, the data transmissions in the collected data to predict if a given domain 44 hosts a CnC channel; [0077] In a model application step 132, processor 70 (e.g., executing classification application 80) applies the CnC model (comprising profiles 110, 112 and 114) and the malicious domain model (comprising profile 116) to the information collected in step 130, and in a prediction step 134, the processor predicts (i.e., determines), suspiciousness (i.e., if any of the domains are hosting malicious CnC channels) based on respective predictions from models 82 and 84; Also See [0160-0163] for multiple comparison steps for comparing domain information for detecting suspicious domain names); and
requesting to treat the suspicious domain names as suspicious ([0074] Finally, in a second model generation step 128, processor 70 uses profile(s) 116 to generate malicious domain model 84. In embodiments of the present invention, model 84 analyzes, using the features in profile(s) 116, the data transmissions in the collected data to predict if a given domain 44 is malicious; [0078] Finally, in an alert step 136, processor 70 generates alerts for the one or more identified domains; [0079] processor 70 can create a single malicious CnC model that can predict if a given domain 44 hosts a malicious CnC channel. In this embodiment, processor 70 can apply the malicious CnC model to the collected data (i.e., step 134) and predict, using the malicious CnC model, if a given domain 44 is suspected of hosting a malicious CnC channel (i.e., step 136)).
Meshi fails to disclose:
	comparing domain names in the first collection relative to domain names in the second collection; determining suspicious domain names from the domain names in the first collection and the second collections [i.e., the domain name appears in the short time period list but not in the long time period list].
However, Tabrizi discloses:
	comparing domain names in the first collection relative to domain names in the second collection ([0042-0043] discloses comparing the domain names in the short term period list [i.e., the list for each hour] against the long term period list [i.e., the list of N days ago]);
determining suspicious domain names from the domain names in the first collection and the second collections [i.e., the domain name appears in the short time period list but not in the long time period list] ([0044] & [0046] discloses detecting new domain names [potentially anomalous] when a domain did not appear in the long time period (e.g., X number of days) but does appear in the short time period (e.g., 20 minutes or an hour); [0048] discloses determining a domain name to be malicious when the count value of the domain name meets or exceeds the predetermined threshold).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the Meshi reference and include a method for detecting anomalies in DNS requests, as disclosed by Tabrizi.
The motivation to include the method for detecting anomalies in DNS requests is to identify one or more domains that are suspected of hosting malicious Command & Control (CnC) channels by comparing the appearance of domain names in the short term period list against the long term period list.
Regarding claim 18, the combination of Meshi and Tabrizi discloses:
The non-transitory computer readable storage medium of claim 17, wherein the suspicious domain names meet the predetermined condition of the comparison when it is determined for a threshold number of internal production systems that the suspicious domain names were included in a predetermined amount of second collections, and wherein it is further determined that the suspicious domain names were not included in the first collection (Tabrizi: [0043] & [0048]).
Regarding claim 20, the combination of Meshi and Tabrizi discloses:
The non-transitory computer readable storage medium of claim 17, wherein the computer system is further caused to:
determine an attribute (i.e., Domain age according to the WHOIS record; See [0186]/ an age of the given domain; See [0049]) associated with a domain associated with a suspicious domain name of the suspicious domain names ([0049] Acquired data 88 comprises data (typically acquired from one or more external sources, as described hereinbelow) that can be used to identify information about domains 94 … As described hereinbelow, for a given data record 104 having a given domain 106, domain information 108 can include data such as … (c) an age of the given domain);
apply a condition (i.e., checking domain reputation / if domain reputation is malicious / checking domain’s age of registration) to the attribute determined (See FIG. 7; [0160] in a check step 170, processor 70 checks the reputation of the given domain (e.g., using acquired data 88, as described supra); [0161] In a third comparison step 172, if the given domain has a reputation, then in a fourth comparison step 174, processor 70 checks if the given domain's reputation is malicious. If the given domain's reputation is not malicious, then in a fifth comparison step 176, processor 70 checks if the domain is young); and
determine not to treat the suspicious domain name as suspicious when the condition is met (See FIG. 7 flowchart steps; when the reputation determinations in steps 172, 174 & 176 result in “Domain has a reputation? Yes” [step 172], “Reputation is Malicious? No” [step 174] & “Domain is Young? No” [step 176], then the process classifies the given domain as “Benign/Nonthreatening”; See [0160-0163]).
Regarding claim 21, the combination of Meshi and Tabrizi discloses:
The method of claim 1, wherein monitoring the network traffic, determining the first collection, determining the second collection, and comparing the domain names are performed in real time, and/or the long term interval is the most recent long time interval completed ([0043] & [0045] discloses ‘a probe’ which collects data in real-time from the network communication between workstations and internet sites and passes that information to the processor of the anomaly detection system).
Regarding claim 22, the combination of Meshi and Tabrizi discloses:
The computer system of claim 9, wherein the processor is configured to monitor the network traffic, determine the first collection, determine the second collection, and compare the domain names in real time, and/or the long term interval is the most recent long time interval completed ([0043] & [0045] discloses ‘a probe’ which collects data in real-time from the network communication between workstations and internet sites and passes that information to the processor of the anomaly detection system).
Regarding claim 23, the combination of Meshi and Tabrizi discloses:
The non-transitory computer readable storage medium of claim 17, wherein the computer system is caused to monitor the network traffic, determine the first collection, determine the second collection, and compare the domain names in real time, and/or the long term interval is the most recent long time interval completed ([0043] & [0045] discloses ‘a probe’ which collects data in real-time from the network communication between workstations and internet sites and passes that information to the processor of the anomaly detection system).


Claims 3, 11 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Meshi et al. (US20180069883A1) in view of Fakeri-Tabrizi et al. (US20160065611A1), hereinafter referred to as “Tabrizi”, and further in view of O’Connor (US9979748B2).
Regarding claim 3, the combination of Meshi and Tabrizi fails to disclose:
The method of claim 1, further comprising comparing the suspicious domain names to a white list, wherein only the suspicious domain names that are not on the white list are requested to be treated as suspicious.
However, O’Connor discloses:
	comparing the suspicious domain names to a white list, wherein only the suspicious domain names that are not on the white list are requested to be treated as suspicious (FIG. 3; Col. 12, Line # 56-60 discloses determining if the target domain name is whitelisted. The system can maintain one or more whitelists or other designation of domain names that are believed to be legitimate or otherwise not associated with malware; Col. 12, Line # 65-67 through Col. 13, Line # 1-67 discloses when domain name is not in whitelist, the domain name is considered suspicious and further steps (i.e., 125, 126, 128, 130 and 132) are performed and eventually the domain name is flagged for further analysis (i.e., step 134)). 
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the Meshi reference and have a system which compares the domain names against the whitelist database, as disclosed by O’Connor.
	The motivation to have a system which compares the domain names against the white list database is to detect suspicious domain names and protect the endpoint computers from potential malicious attacks through suspicious domain names.
Regarding claim 11, the combination of Meshi and Tabrizi fails to disclose:
The computer system of claim 9, wherein the processor upon execution of the instructions is further configured to compare the suspicious domain names to a white list, wherein only the suspicious domain names that are not on the white list are requested to be treated as suspicious.
However, O’Connor discloses:
	comparing the suspicious domain names to a white list, wherein only the suspicious domain names that are not on the white list are requested to be treated as suspicious (FIG. 3; Col. 12, Line # 56-60 discloses determining if the target domain name is whitelisted. The system can maintain one or more whitelists or other designation of domain names that are believed to be legitimate or otherwise not associated with malware; Col. 12, Line # 65-67 through Col. 13, Line # 1-67 discloses when domain name is not in whitelist, the domain name is considered suspicious and further steps (i.e., 125, 126, 128, 130 and 132) are performed and eventually the domain name is flagged for further analysis (i.e., step 134)).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the Meshi reference and have a system which compares the domain names against the whitelist database, as disclosed by O’Connor.
	The motivation to have a system which compares the domain names against the white list database is to detect suspicious domain names and protect the endpoint computers from potential malicious attacks through suspicious domain names.
Regarding claim 19, the combination of Meshi and Tabrizi fails to disclose:
The non-transitory computer readable storage medium of claim 17, wherein the computer system is further caused to compare the suspicious domain names to a white list, wherein only the suspicious domain names that are not on the white list are requested to be treated as suspicious.
However, O’Connor discloses:
	comparing the suspicious domain names to a white list, wherein only the suspicious domain names that are not on the white list are requested to be treated as suspicious (FIG. 3; Col. 12, Line # 56-60 discloses determining if the target domain name is whitelisted. The system can maintain one or more whitelists or other designation of domain names that are believed to be legitimate or otherwise not associated with malware; Col. 12, Line # 65-67 through Col. 13, Line # 1-67 discloses when domain name is not in whitelist, the domain name is considered suspicious and further steps (i.e., 125, 126, 128, 130 and 132) are performed and eventually the domain name is flagged for further analysis (i.e., step 134)).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the Meshi reference and have a system which compares the domain names against the whitelist database, as disclosed by O’Connor.
	The motivation to have a system which compares the domain names against the white list database is to detect suspicious domain names and protect the endpoint computers from potential malicious attacks through suspicious domain names.
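The detection logic the rejections above map onto the references, namely the per-host comparison of a short-interval domain collection against the completed long-interval collection with a host-count threshold (Tabrizi, claims 1 and 18), the white list filter (O’Connor, claims 3, 11 and 19) and the reputation/age condition of Meshi FIG. 7 (claim 20), is illustrated below as one added Python example written for this page. It is not code from the application or from any of the cited references. The host names, domain names, window lengths, the two-host threshold, the 30-day “young domain” cutoff and the reputation values are constructed assumptions chosen so that the three filters each remove something.

```python
"""Two-window DNS comparison with white list and attribute filters.

Added example for this page; not code from Meshi, Tabrizi or O'Connor.
All hosts, domains, thresholds and window lengths below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed window lengths: the long interval is the most recent completed
# 30-day period that precedes the 1-hour short interval (see claim 21).
LONG_INTERVAL = timedelta(days=30)
SHORT_INTERVAL = timedelta(hours=1)
YOUNG_DOMAIN_DAYS = 30          # assumed cutoff for "Domain is Young?"

NOW = datetime(2022, 11, 1, 12, 0, 0)   # constructed reference time

# Constructed sample DNS log: (timestamp, internal host, queried domain).
SAMPLE_RECORDS = [
    # previous 30 days (long interval)
    (NOW - timedelta(days=20), "host-a", "updates.example.com"),
    (NOW - timedelta(days=15), "host-b", "updates.example.com"),
    (NOW - timedelta(days=10), "host-c", "updates.example.com"),
    (NOW - timedelta(days=5),  "host-a", "mail.example.com"),
    (NOW - timedelta(days=3),  "host-b", "cdn.example.org"),
    # most recent hour (short interval)
    (NOW - timedelta(minutes=50), "host-a", "updates.example.com"),
    (NOW - timedelta(minutes=40), "host-a", "beacon.example.net"),
    (NOW - timedelta(minutes=30), "host-b", "beacon.example.net"),
    (NOW - timedelta(minutes=25), "host-b", "portal.example.org"),
    (NOW - timedelta(minutes=20), "host-c", "cdn.example.org"),
    (NOW - timedelta(minutes=15), "host-c", "portal.example.org"),
    (NOW - timedelta(minutes=10), "host-a", "new-saas.example.com"),
    (NOW - timedelta(minutes=5),  "host-c", "new-saas.example.com"),
]
SAMPLE_WHITELIST = ["portal.example.org"]          # constructed
SAMPLE_DOMAIN_INFO = {                             # constructed WHOIS/reputation data
    "beacon.example.net":   {"reputation": None,     "age_days": 3},
    "new-saas.example.com": {"reputation": "benign", "age_days": 2000},
}


def collect_unique_domains(records, start, end):
    """Build a collection: for each host, the set of unique domains seen in [start, end)."""
    per_host = defaultdict(set)
    for ts, host, domain in records:
        if start <= ts < end:
            per_host[host].add(domain.lower().rstrip("."))
    return per_host


def find_suspicious(long_by_host, short_by_host, min_hosts):
    """Domains in a host's short collection but not its long collection, kept only
    when at least min_hosts hosts show the same new domain (claim 18 condition)."""
    hosts_per_domain = defaultdict(set)
    for host, short_domains in short_by_host.items():
        for domain in short_domains - long_by_host.get(host, set()):
            hosts_per_domain[domain].add(host)
    return {d: sorted(h) for d, h in hosts_per_domain.items() if len(h) >= min_hosts}


def remove_whitelisted(candidates, whitelist):
    """Claim 3: only candidates absent from the white list stay suspicious."""
    allowed = {w.lower().rstrip(".") for w in whitelist}
    return {d: h for d, h in candidates.items() if d not in allowed}


def apply_attribute_condition(candidates, domain_info):
    """Claim 20 / FIG. 7 path: a domain that has a reputation, whose reputation is not
    malicious, and that is not young is classified benign and dropped."""
    kept = {}
    for domain, hosts in candidates.items():
        info = domain_info.get(domain, {})
        reputation, age = info.get("reputation"), info.get("age_days")
        benign = (reputation is not None and reputation != "malicious"
                  and age is not None and age >= YOUNG_DOMAIN_DAYS)
        if not benign:
            kept[domain] = hosts
    return kept


def detect(records, now, whitelist, domain_info, min_hosts=2):
    """Run the full pipeline and return every intermediate result."""
    short_start = now - SHORT_INTERVAL
    long_start = short_start - LONG_INTERVAL
    long_by_host = collect_unique_domains(records, long_start, short_start)
    short_by_host = collect_unique_domains(records, short_start, now)
    candidates = find_suspicious(long_by_host, short_by_host, min_hosts)
    after_whitelist = remove_whitelisted(candidates, whitelist)
    final = apply_attribute_condition(after_whitelist, domain_info)
    return {"candidates": candidates, "after_whitelist": after_whitelist, "final": final}


if __name__ == "__main__":
    result = detect(SAMPLE_RECORDS, NOW, SAMPLE_WHITELIST, SAMPLE_DOMAIN_INFO)
    for stage, domains in result.items():
        print(f"{stage}: {domains}")
```

With the constructed data, `cdn.example.org` is new for only one host and never reaches the candidate list, `portal.example.org` is removed by the white list, `new-saas.example.com` is dropped by the reputation/age condition, and only `beacon.example.net` (new on two hosts, no reputation, three days old) is requested to be treated as suspicious.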


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US20040258044A1 - Method and apparatus for managing email messages.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to SYED M AHSAN whose telephone number is (571)272-5018. The examiner can normally be reached 8:30 AM - 6:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffery L. Nickerson can be reached on 469-295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/S.M.A./Patent Examiner, Art Unit 2432
/SYED A ZAIDI/Primary Examiner, Art Unit 2432