DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This written action responds to the Amendment dated 09/25/2025.
Claims 1-20 have been amended.
Claims 1-20 are submitted for examination.
Claims 1-20 are pending.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Response to Arguments
Applicant’s amendment filed on September 25, 2025 amends claims 1-20. Amended claims 1, 8 and 15 are independent claims.
Applicant’s remark, filed on September 25, 2025 at page 11, indicates, “In the Action, the Office rejects claim 7 under 35 U.S.C. § 112, Second Paragraph, as allegedly being indefinite. As shown above, Applicant herein amends claim 7, thus obviating the grounds for the rejections. Applicant therefore respectfully requests that the Office remove the pending rejection of claim 7 under 35 U.S.C. § 112, Second Paragraph.”
Applicant’s amendment and argument regarding the pending rejection under 35 U.S.C. § 112 have been considered, and the argument is found persuasive in view of the amendment. Therefore, the previous claim rejection under 35 U.S.C. § 112 has been withdrawn.
Applicant’s remark, filed on September 25, 2025 at pages 11-12, indicates, “The Office rejects claims 1, 3, 6-8, 10, and 13-15 under 35 U.S.C. § 103 as allegedly being obvious over US Patent No. 10,880,319 to Arlitt et al. (hereinafter, "Arlitt") in view of US Patent Appln. Pub. No. 2016/0099961 to Paugh et al. (hereinafter, "Paugh") and further in view of US Patent Appln. Pub. No. 2016/00065534 to Liu et al. (hereinafter, "Liu"). Applicant respectfully submits that these claims stand allowable as listed above and discussed below. … During the interview, Applicant's attorney understood the Examiners to agree that claim 1, at least as amended, appeared to overcome the pending § 103 rejection. Applicant thanks the Examiners for this indication. Accordingly, Applicant submits that independent claim 1 is in condition for allowance and respectfully requests that the Office withdraw the § 103 rejection of claim 1.”
Applicant’s argument has been considered and is found persuasive. Therefore, the previous prior-art rejection based on the combination of Arlitt, Paugh and Liu is withdrawn. However, Applicant’s amendment necessitates a new ground of rejection, and therefore, new grounds of rejection have been applied to the pending claims.
A new ground of rejection is made based on the previously applied art by Arlitt et al. (US 10,880,319), hereinafter Arlitt, in view of Liu et al. (US 2016/0065534), hereinafter Liu, and a newly applied prior-art reference by Dymshits et al. (US 2019/0130100), hereinafter Dymshits. After carefully reviewing the prior art by Arlitt and Liu, Examiner respectfully traverses the Applicant’s arguments. Specifically, Arlitt teaches a method for identifying DGAs and the device that is generating and sending the infected DNS queries (See Col. 1 and Fig. 2) and taking a remediation action to block the queries (See Col. 6-7, lines 59-3). Therefore, Arlitt teaches the claimed features “a method of detecting a domain generation algorithm (DGA)”; “… wherein the DGA cache is configured to maintain a blocklist associated with DNS queries that are produced by the DGA”; and “blocking the subsequent DNS queries from the client device based on the blocklist”. In addition, Examiner submits that Liu teaches a method and a system that generates or calculates a similarity score (i.e., perplexity score) for a group of domain names associated with a DNS query and clusters the domain names that are similar in score. Therefore, Liu discloses the claimed features, “determining a perplexity score associated with a domain name system (DNS) query received from a client device” (See Parag. 0008 and 0010); “determining a unique qualified name (qname) associated with the DNS query” (See Parag. 0034); “determining, based on the perplexity score and the qname, a group of DNS queries …, wherein the group of DNS queries is associated with similar perplexity scores and qnames” (See Parag. 0008 and 0010); and “transmitting, to a DGA cache (i.e., storage 130 disclosed by Liu), an indication of the client device transmitting the DNS queries, the perplexity score, and the qname” (See Parag. 0025 and 0044).
In addition, the newly applied prior art by Dymshits describes how to determine whether a group of DNS queries/domain names received within an interval of time is within a threshold based on similarity. Therefore, Examiner submits that Dymshits teaches “determining that a quantity of DNS queries associated with the group of DNS queries violates a threshold quantity of DNS queries”; and “based on the quantity of DNS queries violating the threshold, determining a comparison between the quantity of DNS queries and a quantity of qnames associated with the group of DNS queries” (See Parag. 0040 and 0041).
Finally, Examiner submits that the new combination of Arlitt, Liu and Dymshits teaches the claim limitations in independent claim 1 and would render the amended features obvious.
Applicant further recites similar remarks as listed above for independent claims 8 and 15. See the aforementioned response on item 9, which addresses how the combination of prior-art references by Arlitt, Liu and Dymshits would render the claimed limitations obvious.
Applicant further recites similar remarks as listed above for dependent claims. Please refer to the aforementioned response on item 10, which addresses how the combination of prior-art references by Arlitt, Liu and Dymshits would render the claimed limitations obvious.
Claim Objections
Claim 1 (similar for claims 8 and 15) is objected to because of the following informalities: Claim 1 recites, “… determining, based on the perplexity score and the qname, a group of DNS queries …”; “… wherein the group of DNS queries is associated with similar perplexity scores and qnames …”; “… determining a comparison between the quantity of DNS queries and a quantity of qnames associated with the group of DNS queries …”; and “… transmitting the DNS queries, the perplexity score, and the qname …”. However, it is not clear if the claimed feature “the qname” is referring to the “a unique qualified name (qname)” previously claimed. The claim should recite, as an example, “… determining, based on the perplexity score and the unique qname, a group of DNS queries …”. Appropriate correction is required.
Claim 4 (similar for claims 11 and 18) is objected to because of the following informalities: Claim 4 recites, “storing, within the DGA cache, a vectors defining the perplexity scores of the group of DNS queries …”. However, the claimed feature “a vectors defining the perplexity scores”, improperly combines a singular article with a plural noun. As written, it is unclear whether the claim intends to recite a single vector, multiple vectors, a single perplexity score or multiple perplexity scores. Therefore, appropriate correction is required.
Claim 4 (similar for claims 11 and 18) is objected to because of the following informalities: Claim 4 recites, “… transmitting, to the DGA cache, the indication of number of entries including the identification of the client device transmitting the DNS queries, the perplexity score, and the qname …”. However, it is not clear if the claimed feature “the qname” is referring to the “a unique qualified name (qname)” previously claimed on independent claim 1. Appropriate correction is required.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1, 3-4, 6-8, 10-11, 13-15, 17-18 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Arlitt et al. (US 10,880,319) hereinafter Arlitt in view of Liu et al. (US 2016/0065534) hereinafter Liu and further in view of Dymshits et al. (US 2019/0130100) hereinafter Dymshits.
As per Claim 1, Arlitt teaches a method of detecting a domain generation algorithm (DGA), (Arlitt, Col. 1, lines 20-24; “FIG. 2 is a block diagram of a network arrangement that includes a Domain Name System (DNS) server including a Domain Generation Algorithm (DGA) domain name identification engine and an infected device identification engine.”) comprising:
[determining a perplexity score associated with a domain name system (DNS) query received from a client device];
[determining a unique qualified name (qname) associated with the DNS query];
[determining, based on the perplexity score and the qname, a group of DNS queries] comprising the DNS query and the group being usable to block subsequent DNS queries (Arlitt, Col. 7, lines 1-2; “blocking processing of a subsequent DNS query that contains a DGA domain previously identified (i.e., blocklist)”.), [wherein the group of DNS queries is associated with similar perplexity scores and qnames];
[determining that a quantity of DNS queries associated with the group of DNS queries violates a threshold quantity of DNS queries];
[based on the quantity of DNS queries violating the threshold, determining a comparison between the quantity of DNS queries and a quantity of qnames associated with the group of DNS queries];
[transmitting, to a DGA cache, an indication of the client device transmitting the DNS queries, the perplexity score, and the qname], wherein the DGA cache is configured to maintain a blocklist associated with DNS queries that are produced by the DGA (Arlitt, Col. 6-7, lines 59-3; “The remediation engine 234 can take remediation action to address the malware-infected electronic device. Remediation actions that can be performed by the remediation engine 234 can include any or some combination of the following: blocking the malware-infected electronic device from accessing the network 206, disabling the malware-infected electronic device (such as by shutting it down), performing a malware cleaning process on the malware-infected electronic device to quarantine or remove the malware, blocking processing of a subsequent DNS query that contains a DGA domain previously identified (i.e., blocklist)”. … Col. 10, lines 58-67; “If a DNS server 214 at the first level 210 has the domain name in its cache memory, then the DNS server 214 responds with the corresponding network address. In case of a cache miss (i.e., the domain name is not in the cache memory), the DNS query is forwarded to the DNS server 216 at the second level 212 of the hierarchy 208. The DNS server 216 then checks its own cache memory for the domain name. In case of a cache miss, the DNS query is then forwarded to a DNS query at a higher level (not shown) of the hierarchy 208.”); and
blocking the subsequent DNS queries from the client device based on the blocklist (Arlitt, Col. 7, lines 1-2; “blocking processing of a subsequent DNS query that contains a DGA domain previously identified (i.e., blocklist)”. … Col. 7, lines 37-60; “The whitelist of benign domain names can refer to any data collection of domain names identified as benign. The benign domain names included in the whitelist are domain names that have been identified to not be DGA generated, based on historical data or based on expertise or knowledge of an entity, including a human, a machine, or a program. Any domain name that is included in the whitelist of benign domain names would not be considered further by the DGA domain identification engine 218. The n-gram repository includes a data structure (e.g., a database, a list, or any other data collection) of n-grams that have been identified as n-grams that do not appear in words of a given language, such as the English language or some other language. The n-grams stored in the n-gram repository include n-grams. The n-grams in the n-gram repository can be referred to as “forbidden” n-grams. An n-gram is a sequence of n letters where a letter can include an alphabet character, a number, a symbol, or any other type of character. For example, in the domain name “bqwqeiswupyny.org,” forbidden trigrams (n-grams with n=3) are: bqw, qei, swu, pyn, yny, qwq, etc.”).
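The forbidden n-gram check that Arlitt describes in the passage quoted above, shown here as an added example; this is not code from the application or from Arlitt. The word list, the whitelist entry and the 0.5 forbidden-trigram ratio are constructed assumptions for the demonstration, and the whitelist is checked first so that whitelisted names are not examined further, as the passage states.

```python
# Added example (not code from the application or from Arlitt): a forbidden
# n-gram check of the kind quoted above. The word list, the whitelist and the
# 0.5 ratio are constructed assumptions for the demonstration.
NGRAM_SIZE = 3

# Constructed stand-in for a dictionary of words of the language.
WORD_LIST = ["google", "amazon", "weather", "mail", "news", "bank",
             "update", "store", "example", "wiki"]

# Constructed whitelist of domains known to be benign; these are not examined.
WHITELIST = {"xqzjv.net"}


def ngrams(text, n=NGRAM_SIZE):
    """All overlapping n-character substrings of text."""
    return [text[i:i + n] for i in range(len(text) - n + 1)]


def build_allowed_ngrams(words, n=NGRAM_SIZE):
    """N-grams that do occur in dictionary words; anything else is 'forbidden'."""
    allowed = set()
    for word in words:
        allowed.update(ngrams(word.lower(), n))
    return allowed


def registrable_label(domain):
    """Label left of the TLD, e.g. 'bqwqeiswupyny' for 'bqwqeiswupyny.org'."""
    parts = domain.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def forbidden_ngrams(domain, allowed, n=NGRAM_SIZE):
    """N-grams of the label that never appear in the word list."""
    return [g for g in ngrams(registrable_label(domain), n) if g not in allowed]


def classify(domain, allowed, whitelist=WHITELIST, max_ratio=0.5):
    """Whitelisted names are skipped; otherwise flag by forbidden-n-gram fraction."""
    domain = domain.rstrip(".").lower()
    if domain in whitelist:
        return "whitelisted"
    grams = ngrams(registrable_label(domain))
    if not grams:
        return "benign"  # label too short to form a single n-gram
    bad = forbidden_ngrams(domain, allowed)
    return "dga-suspect" if len(bad) / len(grams) >= max_ratio else "benign"


if __name__ == "__main__":
    allowed = build_allowed_ngrams(WORD_LIST)
    for name in ["google.com", "weathernews.com", "bqwqeiswupyny.org", "xqzjv.net"]:
        print(name, classify(name, allowed), forbidden_ngrams(name, allowed))
```

With this word list, all eleven trigrams of "bqwqeiswupyny" are forbidden, while a compound of dictionary words such as "weathernews" yields only the two junction trigrams "ern" and "rne", which is why a ratio rather than a single forbidden trigram is used as the decision rule here.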
Arlitt does not expressly teach:
determining a perplexity score associated with a domain name system (DNS) query received from a client device;
determining a unique qualified name (qname) associated with the DNS query;
determining, based on the perplexity score and the qname, a group of DNS queries …, wherein the group of DNS queries is associated with similar perplexity scores and qnames;
determining that a quantity of DNS queries associated with the group of DNS queries violates a threshold quantity of DNS queries;
based on the quantity of DNS queries violating the threshold, determining a comparison between the quantity of DNS queries and a quantity of qnames associated with the group of DNS queries;
transmitting, to a DGA cache, an indication of the client device transmitting the DNS queries, the perplexity score, and the qname …
However, Liu teaches:
determining a perplexity score associated with a domain name system (DNS) query received from a client device (Liu, Parag. [0008]; “In some example embodiments, a method for correlation of domain names includes receiving DNS data associated with a plurality of domain names, generating multidimensional vectors based on the DNS data such that each of the domain names is associated with one of the multidimensional vectors, calculating similarity scores for each pair of the plurality of domain names based on comparison of corresponding multidimensional vectors, and clustering one or more sets of domain names selected from the plurality of domain names based on the similarity scores and such that a difference between the similarity scores corresponding to each pair of the domain names in each of clusters is below a predetermined threshold.” … Parag.[0010]; “The DNS data can be associated with a plurality of DNS queries, and can include, for example, for each of the DNS queries, an IP address of a client generating a DNS request, a time stamp of the DNS request, a DNS query name, and a DNS query type. The classifier can be trained by performing a forward propagation process to obtain a dictionary of the domain names with corresponding multidimensional vectors.” Examiner submits that the perplexity score is a measure related to a similarity between domain name strings. Therefore, the similarity score taught by Liu is analogous to the claimed perplexity score. The similarity score is used to classify/group DNS queries received from a client device.);
determining a unique qualified name (qname) associated with the DNS query (Liu, Parag. [0034]; “The client device 105 can make certain inquires via the computer network environment 100, such as, for example, a request to open a website in a browser, download a file from the Internet, access a web service via a software application, and so forth. The client query may include a DNS query associated with a domain name or a host name (e.g., “www. nominum.com'), which requires resolution to an IP address. The DNS query initiated by the client device 105 can be transmitted to a recursive DNS server, or simply, DNS 110, which can be associated with a particular ISP 115.”);
determining, based on the perplexity score and the qname, a group of DNS queries …, wherein the group of DNS queries is associated with similar perplexity scores and qnames (Liu, Parag. [0008]; “In some example embodiments, a method for correlation of domain names includes receiving DNS data associated with a plurality of domain names, generating multidimensional vectors based on the DNS data such that each of the domain names is associated with one of the multidimensional vectors, calculating similarity scores for each pair of the plurality of domain names based on comparison of corresponding multidimensional vectors, and clustering one or more sets of domain names selected from the plurality of domain names based on the similarity scores and such that a difference between the similarity scores corresponding to each pair of the domain names in each of clusters is below a predetermined threshold.” … Parag.[0010]; “The DNS data can be associated with a plurality of DNS queries, and can include, for example, for each of the DNS queries, an IP address of a client generating a DNS request, a time stamp of the DNS request, a DNS query name, and a DNS query type. The classifier can be trained by performing a forward propagation process to obtain a dictionary of the domain names with corresponding multidimensional vectors.” Examiner submits that the DNS data by Liu is associated with the DNS query and the domain name (interpreted as qname).);
transmitting, to a DGA cache, an indication of the client device transmitting the DNS queries, the perplexity score, and the qname (Liu, Parag. [0025]; “An example approach can involve obtaining DNS data related to multiple DNS queries. The DNS queries can be collected from one or more ISPs, which can be located in multiple parts of the world. Each of the DNS queries is typically associated with a certain domain name. Therefore, the DNS data includes multiple domain names. The DNS data can also include data related to DNS data, such as, for example, an IP address of a client generating a DNS request, a time stamp of the DNS request, a DNS query name, and/or a DNS query type.” … Parag. [0034]; “The client query may include a DNS query associated with a domain name or a host name (e.g., “www. nominum.com'), which requires resolution to an IP address. The DNS query initiated by the client device 105 can be transmitted to a recursive DNS server, or simply, DNS 110. which can be associated with a particular ISP 115.” … Parag. [0038]; “The data collector 121 can store the received DNS data to storage 130 such as a computer memory.” … Parag. [0044]; “The system 120 further includes a correlation agent 124 for calculating similarity scores of the domain names based on the multidimensional vectors and for clustering (grouping) certain domain names based on the similarity scores. The similarity scores and the multidimensional vectors can be stored in the storage 130.”).
Arlitt and Liu are from a similar field of technology. Prior to the instant application’s effective filing date, there was a need for a method to identify Domain Generation Algorithm attacks against a DNS server based on a score determined for a particular group of domain requests.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Liu’s system into Arlitt’s system, with a motivation to provide a method to transmit and store identified groups of DNS queries defined by a DGA (Liu, Parag. [0035]-[0045]).
The combination of Arlitt and Liu does not expressly teach:
determining that a quantity of DNS queries associated with the group of DNS queries violates a threshold quantity of DNS queries;
based on the quantity of DNS queries violating the threshold, determining a comparison between the quantity of DNS queries and a quantity of qnames associated with the group of DNS queries.
However, Dymshits teaches:
determining that a quantity of DNS queries associated with the group of DNS queries violates a threshold quantity of DNS queries (Dymshits, Parag. [0041]; “At a process 350, it is determined whether the count of suspected DNS queries is too many (i.e., violates a threshold). In some examples, the count maintained by process 345 is compared to a configurable threshold to determine whether too many suspected DNS queries have been detected. In some examples, the configurable threshold corresponds to a maximum number of suspected DNS queries that are considered acceptable over the known interval of process 345. In some examples, the configurable threshold may correspond to a percentage of all the DNS queries received and analyzed by processes 320-340 during the known interval (i.e., group of DNS queries). In some examples, the configurable threshold may vary depending upon the higher level domain with which a respective count is being maintained so that the sensitivity to exfiltration may be adjusted on a per higher level domain basis, such as to account for a previous suspected history of exfiltration with that higher level domain.”);
based on the quantity of DNS queries violating the threshold, determining a comparison between the quantity of DNS queries and a quantity of qnames associated with the group of DNS queries (Dymshits, Parag. [0040-0041]; “At the process 345, the DNS query is counted as being suspected of exfiltration. A running count of the number of DNS queries suspected of exfiltration is maintained by incrementing the count. In some examples, the count may be periodically reset to zero so that the count represents a number of suspected DNS queries over a known interval of time. In some examples, the known interval may correspond to one of a sequence of consecutive intervals with the count being reset to zero with the start of each interval or a sliding interval where sub-counts from a most recent group of subintervals are summed together. In some examples, the count may be associated with a sliding window over a most recent interval and/or a most recent number of examined DNS queries. In some examples, separate counts may be kept for different higher level domains so that the number of suspected DNS queries is tracked per higher level domain. At a process 350, it is determined whether the count of suspected DNS queries is too many (i.e., violates a threshold). In some examples, the count maintained by process 345 is compared to a configurable threshold to determine whether too many suspected DNS queries have been detected. In some examples, the configurable threshold corresponds to a maximum number of suspected DNS queries that are considered acceptable over the known interval of process 345. In some examples, the configurable threshold may correspond to a percentage of all the DNS queries received and analyzed by processes 320-340 during the known interval (i.e., group of DNS queries). In some examples, the configurable threshold may vary depending upon the higher level domain with which a respective count is being maintained so that the sensitivity to exfiltration may be adjusted on a per higher level domain basis, such as to account for a previous suspected history of exfiltration with that higher level domain.”);
Arlitt, Liu and Dymshits are from a similar field of technology. Prior to the instant application’s effective filing date, there was a need for a method to identify Domain Generation Algorithm attacks against a DNS server based on a score determined for a particular group of domain requests.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Dymshits’ system into the Arlitt-Liu system, with a motivation to provide a method to determine whether a count of DNS queries violates a predetermined threshold (Dymshits, Parag. [0041]).
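The sequence of claim 1 as mapped above (a perplexity score per query, grouping on similar score and qname, a threshold on the group's query count, a comparison of the query count with the distinct-qname count, and a DGA cache whose blocklist is applied to subsequent queries), carried through end to end as an added example. This is not code from the application or from Arlitt, Liu or Dymshits. The second-order character Markov model (each character scored against the two before it, as claim 2 below describes), the benign training labels, the sample queries, grouping per client, the 25-point score bucket, the threshold of 5 queries and the 0.8 distinct-name ratio are all constructed assumptions.

```python
# Added example (not code from the application or from Arlitt, Liu or Dymshits):
# the claim-1 sequence end to end. The training labels, the sample queries, the
# 25-point score bucket, the threshold of 5 queries and the 0.8 ratio are
# constructed assumptions; grouping per client is also an assumption.
import math
from collections import defaultdict

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-"
VOCAB = len(ALPHABET) + 1  # + end-of-label marker

# Constructed benign labels used to train the character model.
BENIGN_LABELS = ["google", "amazon", "weather", "mail", "news", "bank", "update",
                 "store", "example", "wiki", "microsoft", "office", "cloud", "login",
                 "static", "cdn", "images", "account", "support", "download"]

# Constructed queries: (client IP, qname). 10.0.0.5 repeats a few real names;
# 10.0.0.9 behaves like a DGA client, asking for distinct machine-looking names.
SAMPLE_QUERIES = (
    [("10.0.0.5", q) for q in
     ["google.com", "mail.com", "google.com", "news.com",
      "google.com", "mail.com", "news.com", "google.com"]]
    + [("10.0.0.9", q) for q in
       ["x7q3z9k1.com", "q2v8j4x0.com", "z5k9p1t3.com", "j8x2q6v4.com",
        "k3t7z1q9.com", "v6p0x4k2.com", "t9j3v7z5.com", "p4z6t2j8.com"]]
)


def train_markov(labels):
    """Second-order character Markov model: (two previous chars) -> next-char counts."""
    counts = defaultdict(lambda: defaultdict(int))
    for label in labels:
        s = "^^" + label.lower() + "$"
        for i in range(2, len(s)):
            counts[s[i - 2:i]][s[i]] += 1
    return counts


def perplexity(label, model, alpha=1.0):
    """exp of the mean negative log-probability of each char given the previous two
    (add-alpha smoothing). Unseen contexts score about VOCAB; dictionary-like text lower."""
    s = "^^" + label.lower() + "$"
    logp, n = 0.0, 0
    for i in range(2, len(s)):
        row = model.get(s[i - 2:i], {})
        total = sum(row.values())
        logp += math.log((row.get(s[i], 0) + alpha) / (total + alpha * VOCAB))
        n += 1
    return math.exp(-logp / n)


def split_qname(qname):
    """Return (registrable label, TLD) of a normalised qname."""
    parts = qname.rstrip(".").lower().split(".")
    return (parts[-2], parts[-1]) if len(parts) >= 2 else (parts[0], "")


def detect(queries, model, threshold=5, bucket=25.0, min_ratio=0.8):
    """Group queries by similar perplexity and qname, apply the count threshold,
    then compare query count with distinct-qname count. Returns the entries sent
    to the DGA cache and the blocklist it maintains."""
    groups = defaultdict(list)
    for client, qname in queries:
        qname = qname.rstrip(".").lower()
        label, tld = split_qname(qname)
        score = perplexity(label, model)
        groups[(client, int(score // bucket), tld)].append((client, score, qname))

    dga_cache = []
    for entries in groups.values():
        n_queries = len(entries)
        if n_queries <= threshold:
            continue  # threshold not violated
        n_qnames = len({q for _, _, q in entries})
        # A DGA client burns through mostly new names, so the distinct-qname
        # count tracks the query count; repeated lookups of a few names do not.
        if n_qnames / n_queries >= min_ratio:
            dga_cache.extend(entries)  # (client, score, qname) sent to the cache
    blocklist = {q for _, _, q in dga_cache}
    return dga_cache, blocklist


def should_block(qname, blocklist):
    """Subsequent-query handling against the DGA cache blocklist."""
    return qname.rstrip(".").lower() in blocklist


def run_example():
    model = train_markov(BENIGN_LABELS)
    cache, blocklist = detect(SAMPLE_QUERIES, model)
    return model, cache, blocklist


if __name__ == "__main__":
    model, cache, blocklist = run_example()
    for client, score, qname in cache:
        print(f"cache: {client} {qname} perplexity={score:.1f}")
    print("block x7q3z9k1.com:", should_block("x7q3z9k1.com", blocklist))
    print("block google.com:", should_block("google.com", blocklist))
```

Both clients exceed the threshold of five queries in their group, so the comparison step is what separates them: the repeating client has three distinct names across eight queries and is left alone, while the DGA-like client has eight distinct names across eight queries and its entries are written to the cache, after which a repeat of any of those names is blocked.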
As per claim 3, the combination of Arlitt, Liu and Dymshits teaches the method of claim 1. Arlitt further teaches storing, within a main cache of a DNS server, domain names of the group of DNS queries and DNS query responses associated with the group of DNS queries (Arlitt, Col. 5, lines 1-8; “The DNS servers 214 at the first level 210 receive DNS queries directly from electronic devices (including 202 and 204) over the network 206. A DNS server 214 that receives a DNS query performs a lookup of the domain name included in the DNS query in mapping information stored in a cache memory of the receiving DNS server 214. If a match is identified, then the receiving DNS server 214 returns a DNS response containing a corresponding address.”).
As per claim 4, the combination of Arlitt, Liu and Dymshits teaches the method of claim 1. Liu teaches wherein the transmitting, to the DGA cache, the indication of the client device transmitting the DNS queries, the perplexity score, and the qname (Liu, Parag. [0025]; “An example approach can involve obtaining DNS data related to multiple DNS queries. The DNS queries can be collected from one or more ISPs, which can be located in multiple parts of the world. Each of the DNS queries is typically associated with a certain domain name. Therefore, the DNS data includes multiple domain names. The DNS data can also include data related to DNS data, such as, for example, an IP address of a client generating a DNS request, a time stamp of the DNS request, a DNS query name, and/or a DNS query type.” … Parag. [0034]; “The client query may include a DNS query associated with a domain name or a host name (e.g., “www. nominum.com'), which requires resolution to an IP address. The DNS query initiated by the client device 105 can be transmitted to a recursive DNS server, or simply, DNS 110. which can be associated with a particular ISP 115.” … Parag. [0038]; “The data collector 121 can store the received DNS data to storage 130 such as a computer memory.” … Parag. [0044]; “The system 120 further includes a correlation agent 124 for calculating similarity scores of the domain names based on the multidimensional vectors and for clustering (grouping) certain domain names based on the similarity scores. The similarity scores and the multidimensional vectors can be stored in the storage 130.”) further comprises:
storing, within the DGA cache, a vectors defining the perplexity scores of the group of DNS queries (Liu, Parag. [0035]; “In certain embodiments, the DNS query includes the following DNS data: an IP address of the client 105, a time stamp of the DNS inquiry, DNS query name (e.g., a domain name), and/or a DNS query type. The DNS data can be aggregated or stored in a cache of DNS 100.” … Parag. [0044]; “The system 120 further includes a correlation agent 124 for calculating similarity scores of the domain names based on the multidimensional vectors and for clustering (grouping) certain domain names based on the similarity scores. The similarity scores and the multidimensional vectors can be stored in the storage 130.”); and
In addition, Dymshits teaches:
incrementing a counter for each of the DNS queries associated with the group of DNS queries, wherein determining that the quantity of DNS queries associated with the group of DNS queries violates the threshold quantity is based at least in part on the counter (Dymshits, Parag. [0013]; “A composite score for the outbound message is then determined from the likelihoods of the segments. When the composite score is below the threshold of likelihood identified during the training, the outbound message is flagged as suspicious and a counter of the suspicious outbound messages is incremented. When the counter indicates that there have been too many (e.g., above a predetermined threshold number, as discussed in detail below with respect to FIG. 3) suspicious outbound messages, an exfiltration alert is issued and the suspicious outbound messages may additionally be prevented from being further transmitted.” … Parag. [0040]; “At a process 350, it is determined whether the count of suspected DNS queries is too many. In some examples, the count maintained by process 345 is compared to a configurable threshold to determine whether too many suspected DNS queries have been detected. In some examples, the configurable threshold corresponds to a maximum number of suspected DNS queries that are considered acceptable over the known interval of process 345. … When too many suspected DNS queries are detected, an alert is generated using process 355. Otherwise, another DNS query is received and analyzed by returning to process 320.”).
As per claim 6, the combination of Arlitt, Liu and Dymshits teaches the method of claim 1.
Arlitt further teaches wherein blocking the subsequent DNS queries comprises blocking the subsequent DNS queries that correspond to the group of DNS queries (Arlitt, Col. 7, lines 1-2; “blocking processing of a subsequent DNS query that contains a DGA domain previously identified (i.e., blocklist)”).
As per claim 7, the combination of Arlitt, Liu and Dymshits teaches the method of claim 1. Liu further teaches wherein determining the group of DNS queries includes grouping domains with the similar perplexity scores, grouping the domains with a similar qname shape, grouping the domains with a similar top-level domain (TLD), grouping the domains associated with a similar time period or combinations thereof (Liu, Parag. [0008]; “… clustering one or more sets of domain names selected from the plurality of domain names based on the similarity scores and such that a difference between the similarity scores corresponding to each pair of the domain names in each of cluster is below a predetermined threshold.” … Parag.[0010]; “The DNS data can be associated with a plurality of DNS queries, and can include, for example, for each of the DNS queries, an IP address of a client generating a DNS request, a time stamp of the DNS request, a DNS query name, and a DNS query type. The classifier can be trained by performing a forward propagation process to obtain a dictionary of the domain names with corresponding multidimensional vectors.” … Parag. [0039]; “In certain embodiments, the data modifier 122 can group DNS queries of DNS data by client IP address. In further embodiments, the data modifier 122 can sort or rank DNS queries of received DNS data by time stamps. In yet further embodiments, the data modifier 122 can sort DNS queries of received DNS data by a DNS query type (such as “A.” “AAAA,” “AFSDB,” “APL,” “DNAME,” “LOC,” “MX,” “SRV,” and so forth).”).
As per claim 8, it is a non-transitory computer-readable medium claim that recites similar features as claimed in independent claim 1. Therefore, claim 8 is rejected based on the same rationale applied to independent claim 1.
As per claim 10, the rejection of claim 8 has been included. In addition, it is a non-transitory computer-readable medium claim that recites similar limitations as claimed in dependent claim 3. Therefore, claim 10 is rejected based on the same rationale applied to dependent claim 3.
As per claim 11, the rejection of claim 8 has been included. In addition, it is a non-transitory computer-readable medium claim that recites similar limitations as claimed in dependent claim 4. Therefore, claim 11 is rejected based on the same rationale applied to dependent claim 4.
As per claim 13, the rejection of claim 8 has been included. In addition, it is a non-transitory computer-readable medium claim that recites similar limitations as claimed in dependent claim 6. Therefore, claim 13 is rejected based on the same rationale applied to dependent claim 6.
As per claim 14, the rejection of claim 8 has been included. In addition, it is a non-transitory computer-readable medium claim that recites similar limitations as claimed in dependent claim 7. Therefore, claim 14 is rejected based on the same rationale applied to dependent claim 7.
As per claim 15, it is a system claim that recites similar features as claimed in independent claim 1. Therefore, claim 15 is rejected based on the same rationale applied to independent claim 1.
As per claim 17, the rejection of claim 15 has been included. In addition, it is a system claim that recites similar limitations as claimed in dependent claim 3. Therefore, claim 17 is rejected based on the same rationale applied to dependent claim 3.
As per claim 18, the rejection of claim 15 has been included. In addition, it is a system claim that recites similar limitations as claimed in dependent claim 4. Therefore, claim 18 is rejected based on the same rationale applied to dependent claim 4.
As per claim 20, the rejection of claim 15 has been included. In addition, it is a system claim that recites similar limitations as claimed in dependent claim 7. Therefore, claim 20 is rejected based on the same rationale applied to dependent claim 7.
Claims 2, 9 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Arlitt et al. (US 10,880,319) hereinafter Arlitt in view of Liu et al. (US 2016/0065534) hereinafter Liu and further in view of Dymshits et al. (US 2019/0130100) hereinafter Dymshits, as applied to claim 1, and further in view of Huang et al. (US 10,764,246) hereinafter Huang.
As per claim 2, the combination of Arlitt, Liu and Dymshits teaches the method of claim 1. Liu teaches:
wherein the perplexity score (Liu, Parag. [0008]; “In some example embodiments, a method for correlation of domain names includes receiving DNS data associated with a plurality of domain names, generating multidimensional vectors based on the DNS data such that each of the domain names is associated with one of the multidimensional vectors, calculating similarity scores for each pair of the plurality of domain names based on comparison of corresponding multidimensional vectors, and clustering one or more sets of domain names selected from the plurality of domain names based on the similarity scores and such that a difference between the similarity scores corresponding to each pair of the domain names in each of clusters is below a predetermined threshold.” … Parag. [0010]; “The DNS data can be associated with a plurality of DNS queries, and can include, for example, for each of the DNS queries, an IP address of a client generating a DNS request, a time stamp of the DNS request, a DNS query name, and a DNS query type. The classifier can be trained by performing a forward propagation process to obtain a dictionary of the domain names with corresponding multidimensional vectors.” Examiner submits that the perplexity score is a measure related to similarity between domain name strings. Therefore, the similarity score taught by Liu is analogous to the claimed perplexity score. The similarity score is used to classify/group DNS queries received by a client device.) comprises [a string of characters within a domain name of the DNS query, the perplexity score being determined based at least in part on a Markov model comparing two characters of the string of characters to another character of the string of characters].
The combination of Arlitt, Liu and Dymshits does not expressly teach:
wherein the [perplexity score] comprises a string of characters within a domain name of the DNS query, the [perplexity score] being determined based at least in part on a Markov model comparing two characters of the string of characters to another character of the string of characters.
However, Huang teaches:
wherein the [perplexity score] comprises a string of characters within a domain name of the DNS query, the perplexity score being determined based at least in part on a Markov model comparing two characters of the string of characters to another character of the string of characters (Huang, Col. 9, lines 58-67; “In addition to the deep neural network models, a n-gram based model (e.g., Xgboost model) for learning the pattern of DGAs is disclosed. The n-gram is a contiguous sequence of n items from a given sample of text. The items can be letters, numbers, or special characters. An n-gram model is a type of probabilistic language model for predicting the next item in such a sequence in the form of a (n-1) order Markov model. Using Latin numerical prefixes, an n-gram of size 1 is referred to as a “unigram;” size 2 is a “bigram.” Here, n can be 1, 2, 3, etc.”).
Arlitt, Liu, Dymshits and Huang are from a similar field of technology. Prior to the instant application’s effective filing date, there was a need for a method to identify Domain Generation Algorithm attacks against a DNS server based on a score determined for a particular group of domain requests.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of the Huang system into the Arlitt-Liu-Dymshits system, with a motivation to provide a method that assigns a similarity score to a group of domain requests received from a client device based on a Markov model (Huang, Col. 9, lines 58-67).
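To illustrate the limitations at issue in claim 2 (a Markov model that predicts one character of a domain label from the two characters before it, the perplexity being the model's surprise at the whole label) and in claim 7 (grouping DNS queries by similar perplexity score, qname shape, TLD and time period, or combinations thereof), the following Python example is added by the editor. It is not code from the application, from this Office action or from any cited reference (Arlitt, Liu, Dymshits, Huang). The benign training labels and the query records are constructed; the definition of “qname shape” (label count plus the run-length-compressed character-class pattern of the second-level label), the plain dot-split of the qname without a public-suffix list, the one-minute window and the log2 perplexity bucket are assumptions chosen for the illustration.

```python
"""Added example: trigram (second-order Markov) perplexity of domain labels
and grouping of DNS queries by perplexity bucket, qname shape, TLD and
time window. Training labels and queries are constructed, not telemetry.
"""
import math
from collections import Counter, defaultdict

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-"
START, END = "^", "$"
NEXT_SYMBOLS = len(ALPHABET) + 1  # any alphabet character or END may follow a context

# Constructed benign second-level labels used to train the model (no digits).
BENIGN_LABELS = [
    "google", "github", "gmail", "amazon", "microsoft", "apple", "netflix",
    "facebook", "twitter", "linkedin", "youtube", "wikipedia", "reddit",
    "instagram", "cloudflare", "akamai", "mozilla", "ubuntu", "debian", "python",
    "docker", "kubernetes", "openssl", "letsencrypt", "stackoverflow", "medium",
    "wordpress", "shopify", "paypal", "stripe", "salesforce", "oracle", "ibm",
    "intel", "nvidia", "samsung", "sony", "adobe", "dropbox", "slack", "zoom",
    "spotify", "airbnb", "uber", "yahoo", "bing", "duckduckgo", "example", "mail",
    "login", "update", "secure", "account", "service", "support", "news",
    "weather", "sports", "bank", "shop",
]

# Constructed query log: (client IP, qname, unix timestamp).
SAMPLE_QUERIES = [
    ("10.0.0.5", "7x2k9q4z1j6w.com", 1700000000),
    ("10.0.0.5", "3q8j5x1v7m2z.com", 1700000010),
    ("10.0.0.5", "5m1z8k3x6q2w.net", 1700000015),
    ("10.0.0.7", "www.google.com", 1700000020),
]


def _normalize(label):
    """Lower-case the label and drop characters outside ALPHABET."""
    return "".join(ch for ch in label.lower() if ch in ALPHABET)


class TrigramModel:
    """P(next char | previous two chars), estimated from benign labels."""

    def __init__(self, labels):
        self.ngram = Counter()  # (context, char) -> count
        self.ctx = Counter()    # context -> count
        for label in labels:
            s = START + START + _normalize(label) + END
            for i in range(2, len(s)):
                self.ngram[(s[i - 2:i], s[i])] += 1
                self.ctx[s[i - 2:i]] += 1

    def prob(self, context, ch):
        # Add-one smoothing: an unseen trigram gets 1 / (context count + 38),
        # never zero, so random-looking strings get high but finite perplexity.
        return (self.ngram[(context, ch)] + 1) / (self.ctx[context] + NEXT_SYMBOLS)

    def perplexity(self, label):
        """exp(-mean log P) over every character of the padded label plus END."""
        s = START + START + _normalize(label) + END
        log_sum = sum(math.log(self.prob(s[i - 2:i], s[i])) for i in range(2, len(s)))
        return math.exp(-log_sum / (len(s) - 2))


def split_qname(qname):
    """(labels, second-level label, TLD) by plain dot split; no public-suffix list (assumption)."""
    labels = qname.rstrip(".").lower().split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    return labels, sld, labels[-1]


def qname_shape(qname):
    """Label count plus compressed character-class pattern, e.g. (2, 'dadada...')."""
    labels, sld, _ = split_qname(qname)
    classes = "".join("d" if c.isdigit() else "a" if c.isalpha() else "-" for c in sld)
    runs = "".join(c for i, c in enumerate(classes) if i == 0 or c != classes[i - 1])
    return (len(labels), runs)


def group_queries(model, records, window_seconds=60):
    """Group queries by (perplexity bucket, qname shape, TLD, time window)."""
    groups = defaultdict(list)
    for client_ip, qname, ts in records:
        _, sld, tld = split_qname(qname)
        ppl = model.perplexity(sld)
        key = (math.floor(math.log2(ppl)), qname_shape(qname), tld, ts // window_seconds)
        groups[key].append((client_ip, qname, round(ppl, 1)))
    return dict(groups)


if __name__ == "__main__":
    model = TrigramModel(BENIGN_LABELS)
    for key, members in group_queries(model, SAMPLE_QUERIES).items():
        print(key, members)
```

Under this model a label such as 7x2k9q4z1j6w, none of whose two-character contexts occur in the benign training labels, is scored at roughly 40 (the smoothed floor of one in 38 for almost every character), while google scores well under 32; the two constructed DGA-style .com labels therefore share one group, the .net label lands in a second group that differs only by TLD, and the benign query falls in a third.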
As per claim 9, the rejection of claim 8 is incorporated. In addition, claim 9 is a non-transitory computer-readable medium claim that recites limitations similar to those of dependent claim 2. Therefore, claim 9 is rejected on the same rationale applied to dependent claim 2.
As per claim 16, the rejection of claim 15 is incorporated. In addition, claim 16 is a system claim that recites limitations similar to those of dependent claim 2. Therefore, claim 16 is rejected on the same rationale applied to dependent claim 2.
Claims 5, 12 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Arlitt et al. (US 10,880,319) hereinafter Arlitt in view of Liu et al. (US 2016/0065534) hereinafter Liu and further in view of Dymshits et al. (US 2019/0130100) hereinafter Dymshits, as applied to claim 1, and further in view of Martini (US 2018/0069878).
As per claim 5, the combination of Arlitt, Liu and Dymshits teaches the method of claim 1. Arlitt teaches wherein the blocklist (Arlitt, Col. 7, lines 1-2; “blocking processing of a subsequent DNS query that contains a DGA domain previously identified (i.e., blocklist)”) is [determined based at least in part on a real-time blocklist (RBL) cache, the RBL cache including blocklisted client devices corresponding to the DNS queries of the DGA cache].
The combination of Arlitt, Liu and Dymshits does not expressly teach:
a real-time blocklist (RBL) cache, the RBL cache including blocklisted client devices corresponding to the DNS queries of the DGA cache.
However, Martini teaches:
a real-time blocklist (RBL) cache, the RBL cache including blocklisted client devices corresponding to the DNS queries of the DGA cache (Martini, Parag. [0033]; “The anti-malware system 140 uses data storage techniques and storage devices, shown as database 160, to create and maintain the associations, or links between client identities and DNS usage information. As an example, the anti-malware system 140 passively scans a proxy connection request, including a URL, as it is transmitted to the proxy server 120 from the client device 130 and stores the extracted information (i.e., client identity, hostname). For example, the anti-malware system 140 stores an identity of a client device 130 (e.g., IP address) extracted from the proxy connection request as a record in the rules 162 of database 160, in order to maintain the client identity while the requested hostname for the connection is being resolved.” … Parag. [0035]; “Rules 162 can include, but is not limited to: a DNS request rate for a particular client; a DNS request failure rate for a particular client; hostnames with invalid IP addresses; and the like. In some cases, rules 162 include network hostnames, or domain names, that have been previously identified by the anti-malware system 140 as bad hostnames (e.g., generating a DNS error), hostnames known to be associated with malware (e.g., a blacklist); IP address associated with bad hostnames, or other information. The anti-malware system 140 may analyze the DNS information 164 based on the rules 162 to determine if any of the clients 130a-c are exhibiting behavior indicative of a malware infection.”).
Arlitt, Liu, Dymshits and Martini are from a similar field of technology. Prior to the instant application’s effective filing date, there was a need for a method to identify Domain Generation Algorithm attacks against a DNS server based on a score determined for a particular group of domain requests.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of the Martini system into the Arlitt-Liu-Dymshits system, with a motivation to provide a method that stores the identifiers of clients whose DNS requests indicate a malware infection (i.e., DGA) and places those clients on a blacklist (Martini, Parag. [0033-0035]).
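As an added illustration of the claim 5 limitation (a real-time blocklist cache of client devices derived from the DNS queries held in a DGA cache, with the resolver refusing both repeat queries for a cached DGA domain, as Arlitt describes, and any query from a blocklisted client), the following Python example is supplied by the editor. It is not code from the application, from Arlitt or from Martini. The cache layout, the three-hits-in-five-minutes threshold, the one-hour TTL and the flagged query records are all constructed assumptions made for the illustration.

```python
"""Added example: a DGA cache of queries already judged to be DGA traffic,
an RBL cache of client devices derived from it, and the resolver-side
decision. Thresholds, window, TTL and the flagged queries are assumptions.
"""
from collections import defaultdict, deque


class DgaCache:
    """Queries already flagged as DGA: domain -> last seen, client -> hit times."""

    def __init__(self, window=300):
        self.window = window                 # seconds of history kept per client
        self.domains = {}                    # qname -> timestamp of last flagged query
        self.by_client = defaultdict(deque)  # client_ip -> timestamps of flagged queries

    def add(self, client_ip, qname, ts):
        self.domains[qname.lower().rstrip(".")] = ts
        hits = self.by_client[client_ip]
        hits.append(ts)
        while hits and ts - hits[0] > self.window:  # drop hits that fell out of the window
            hits.popleft()

    def is_dga_domain(self, qname):
        return qname.lower().rstrip(".") in self.domains

    def recent_hits(self, client_ip, now):
        return sum(1 for t in self.by_client.get(client_ip, ()) if now - t <= self.window)


class RblCache:
    """Client devices blocklisted because of their DGA-cache activity."""

    def __init__(self, dga_cache, threshold=3, ttl=3600):
        self.dga = dga_cache
        self.threshold = threshold  # flagged queries inside the window that trigger a block
        self.ttl = ttl              # seconds a block lasts without fresh DGA activity
        self.blocked = {}           # client_ip -> expiry timestamp

    def refresh(self, now):
        # Add or renew clients that reached the threshold inside the window,
        # then drop entries whose TTL elapsed so a cleaned host is unblocked.
        for ip in list(self.dga.by_client):
            if self.dga.recent_hits(ip, now) >= self.threshold:
                self.blocked[ip] = now + self.ttl
        for ip, expiry in list(self.blocked.items()):
            if expiry <= now:
                del self.blocked[ip]

    def is_blocked(self, client_ip, now):
        expiry = self.blocked.get(client_ip)
        return expiry is not None and expiry > now


def decide(dga, rbl, client_ip, qname, now):
    """Resolver front-end decision for one incoming query."""
    if rbl.is_blocked(client_ip, now):
        return "BLOCK_CLIENT"   # blocklisted device: refuse regardless of the name
    if dga.is_dga_domain(qname):
        return "BLOCK_DOMAIN"   # previously identified DGA domain
    return "RESOLVE"


# Constructed DGA-cache contents: (client IP, qname, timestamp in seconds).
FLAGGED_QUERIES = [
    ("10.0.0.5", "7x2k9q4z1j6w.com", 1000),
    ("10.0.0.9", "3q8j5x1v7m2z.com", 1020),
    ("10.0.0.5", "5m1z8k3x6q2w.net", 1030),
    ("10.0.0.5", "9k4w7z2q5x1j.org", 1060),
]


def build_demo():
    """Populate the DGA cache with the constructed records and attach an RBL cache."""
    dga = DgaCache(window=300)
    for client_ip, qname, ts in FLAGGED_QUERIES:
        dga.add(client_ip, qname, ts)
    return dga, RblCache(dga, threshold=3, ttl=3600)


if __name__ == "__main__":
    dga, rbl = build_demo()
    rbl.refresh(1100)
    for ip, name in [("10.0.0.5", "www.example.com"),
                     ("10.0.0.9", "7x2k9q4z1j6w.com"),
                     ("10.0.0.9", "www.example.com")]:
        print(ip, name, decide(dga, rbl, ip, name, 1100))
```

With the constructed records, client 10.0.0.5 has three flagged queries inside the five-minute window at time 1100 and is placed on the RBL cache, so even its query for a benign name is refused; client 10.0.0.9 has a single hit and is not blocklisted, but its query for a domain already in the DGA cache is still refused on the domain, and its benign query resolves. After the TTL passes without further DGA activity the block on 10.0.0.5 lapses.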
As per claim 12, the rejection of claim 8 is incorporated. In addition, claim 12 is a non-transitory computer-readable medium claim that recites limitations similar to those of dependent claim 5. Therefore, claim 12 is rejected on the same rationale applied to dependent claim 5.
As per claim 19, the rejection of claim 15 is incorporated. In addition, claim 19 is a system claim that recites limitations similar to those of dependent claim 5. Therefore, claim 19 is rejected on the same rationale applied to dependent claim 5.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Burton (US 12,149,422) relates to techniques for Qprints using telemetry-based similarity for DNS. In some embodiments, a system/process/computer program product for Qprints using telemetry-based similarity for DNS includes aggregating a set of network related event data, wherein the set of network related event data includes Domain Name System (DNS) related query data; clustering the DNS related query data; and generating similarity clusters for domains based on their DNS related query data. For example, the set of network related event data can include passive DNS (pDNS) data aggregated over a period of time to express pDNS data at-scale, and similarity of the pDNS data aggregated over the period of time is quantified, within and across networks, based on telemetry-based similarity for DNS using a statistical model.
Thakar et al. (US 2016/0057165) relates to systems and methods for detection of domain generated algorithms (DGA) and their command and control (C&C) servers. In one embodiment, such an approach includes examining DNS queries for DNS resolution failures, and monitoring a certain set of parameters such as number of levels, length of domain name, lexical complexity, and the like for each failed domain. These parameters may then be compared against certain thresholds to determine if the domain name is likely to be part of a DGA malware. Domain names identified as being part of a DGA malware may then be grouped together. Once a DGA domain name has been identified, activity from that domain name can be monitored to detect successful resolutions from the same source to see if any of the successful domain resolutions match these parameters. If they match specific thresholds, then the domain is determined to be a C&C server of the DGA malware and may be identified as such.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ALEX D CARRASQUILLO whose telephone number is (571)270-5045. The examiner can normally be reached Monday - Friday 9:00 am - 6:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached at 571-272-8878. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/A.D.C./Examiner, Art Unit 2498
/Jeremy S Duffield/Primary Examiner, Art Unit 2498