DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
This office action is in response to the communication filed on 1/16/2026.
Claims 1-20 are pending.
Response to Arguments
Applicant's arguments on the 35 U.S.C. 102 rejection have been fully considered but are moot in view of new ground(s) of rejection.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1, 2, 4, 6, 8-12, 14, 16, 20 is/are rejected under AIA 35 U.S.C. 103 as being unpatentable over Vixie et al. (DNS Response Policy Zones (RPZ) draft-vixie-dnsop-dns-rpz-00, 06/21/2018) in view of Wright et al. (US 2018/0046796, “Wright”).
As to claim 1, Vixie discloses a computerized method comprising:
receiving, by a resolver, a request comprised of a domain name (abstract, section 6, a recursive name server is a resolver receiving a DNS resolving request (request) from a DNS client to an HTTP server (domain name in the request); DNS response policy or RPZ provides rules for the resolver to block access to selected domain names; for example, in sections 3.1, 3.3, 3.4, Vixie discloses the resolver can implement actions such as return NXDOMAIN (domain name non-existing) for certain domain names with the "NXDOMAIN" Action, or allow passthrough for certain client IP addresses or domain names with the “PASSTHRU” action, or block with the "DROP" Action);
communicating an additional request comprised of the domain name to a nameserver in a telecommunications network; identifying, by the nameserver, an internet protocol (IP) address for the domain name in response to the additional request (section 6, Recursive DNS servers generally send their requests to authority servers; 4.3, The "Response IP Address" Trigger, the “response IP address” means IP address included in an unaltered DNS response from a nameserver (authority server). Comment: the first three steps are normal and known DNS resolver operations of receiving a domain name request, forwarding it to a nameserver, and receiving an IP address from the nameserver, see Karandikar et al. (US 2008/0177897, fig. 4, [0040])); and
determining, by the resolver, whether the IP address is associated with malicious activity (this step of determining is broad because it does not clarify how malicious activity associated with the IP address is determined; Vixie, section 4.3, The "Response IP Address" Trigger, certain IP addresses (e.g., 192.0.2.0/24) in a DNS response can be matched with a certain action (NXDOMAIN, PASSTHRU, DROP). Such IP addresses are read as IP addresses associated with malicious activities; Vixie, section 4.5, The "NSIP" Trigger, the NSIP trigger allows for actions such as dropping DNS responses that contain certain (malicious) nameserver IP addresses).
Vixie does not disclose automatically notifying one or more third-party security vendors of the IP address and that the IP address is associated with malicious activity.
Wright discloses automatically notifying one or more third-party security vendors of the IP address and that the IP address is associated with malicious activity ([0068], notifying third party security services of the attack information including IP address of an attacker).
It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to apply Wright’s teachings of reporting a malicious IP address to a security service to Vixie’s teachings of DNS RPZ policies in order to simply rely on third parties to provide analysis or additional security measures on the malicious IP address.
As to claim 10, Vixie discloses one or more non-transitory computer-readable media storing instructions that when executed via one or more processors perform a computerized method, the instructions stored on the non-transitory computer-readable media comprising: via the one or more processors (abstract, implicitly by Vixie’s recursive name server):
receiving a request comprised of a domain name (abstract, section 6, a recursive name server is a resolver receiving a DNS resolving request (request) from a DNS client to an HTTP server (domain name in the request); DNS response policy or RPZ provides rules for the resolver to block access to selected domain names; for example, in sections 3.1, 3.3, 3.4, Vixie discloses the resolver can implement actions such as return NXDOMAIN (domain name non-existing) for certain domain names with the "NXDOMAIN" Action, or allow passthrough for certain client IP addresses or domain names with the “PASSTHRU” action, or block with the "DROP" Action);
communicating, from a recursive resolver, an additional request comprised of the domain name to a nameserver in a telecommunications network; identifying, by the nameserver, an internet protocol (IP) address for the domain name in response to the additional request (section 6, Recursive DNS servers generally send their requests to authority servers; 4.3, The "Response IP Address" Trigger, the “response IP address” means IP address included in an unaltered DNS response from a nameserver (authority server)); and
determining, by the recursive resolver, whether the IP address is associated with malicious activity (Vixie, section 4.3, The "Response IP Address" Trigger, certain IP addresses (e.g., 192.0.2.0/24) in a DNS response can be matched with a certain action (NXDOMAIN, PASSTHRU, DROP). Such IP addresses are read as IP addresses associated with malicious activities; Vixie, section 4.5, The "NSIP" Trigger, the NSIP trigger allows for actions such as dropping DNS responses that contain certain (malicious) nameserver IP addresses).
Vixie does not disclose automatically notifying one or more third-party security vendors of the IP address and that the IP address is associated with malicious activity.
Wright discloses automatically notifying one or more third-party security vendors of the IP address and that the IP address is associated with malicious activity ([0068], notifying third party security services of the attack information including IP address of an attacker).
It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to apply Wright’s teachings of reporting a malicious IP address to a security service to Vixie’s teachings of DNS RPZ policies in order to simply rely on third parties to provide analysis or additional security measures on the malicious IP address.
As to claim 20, Vixie discloses a system comprising:
a server having one or more processors and access to a memory, the server being communicatively coupled to a telecommunications network; an application running on the server, the application configured to, via the one or more processors (abstract, implicitly by Vixie’s recursive name server):
receiving a request comprised of a domain name (abstract, section 6, a recursive name server is a resolver receiving a DNS resolving request (request) from a DNS client to an HTTP server (domain name in the request); DNS response policy or RPZ provides rules for the resolver to block access to selected domain names; for example, in sections 3.1, 3.3, 3.4, Vixie discloses the resolver can implement actions such as return NXDOMAIN (domain name non-existing) for certain domain names with the "NXDOMAIN" Action, or allow passthrough for certain client IP addresses or domain names with the “PASSTHRU” action, or block with the "DROP" Action);
requesting an internet protocol (IP) address for the domain name; receiving the IP address (section 6, Recursive DNS servers generally send their requests to authority servers; 4.3, The "Response IP Address" Trigger, the “response IP address” means IP address included in an unaltered DNS response from a nameserver (authority server)); and
determining whether the IP address is associated with malicious activity (Vixie, section 4.3, The "Response IP Address" Trigger, certain IP addresses (e.g., 192.0.2.0/24) in a DNS response can be matched with a certain action (NXDOMAIN, PASSTHRU, DROP). Such IP addresses are read as IP addresses associated with malicious activities; Vixie, section 4.5, The "NSIP" Trigger, the NSIP trigger allows for actions such as dropping DNS responses that contain certain (malicious) nameserver IP addresses).
Vixie does not disclose automatically notifying one or more third-party security vendors of the IP address and that the IP address is associated with malicious activity.
Wright discloses automatically notifying one or more third-party security vendors of the IP address and that the IP address is associated with malicious activity ([0068], notifying third party security services of the attack information including IP address of an attacker).
It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to apply Wright’s teachings of reporting a malicious IP address to a security service to Vixie’s teachings of DNS RPZ policies in order to simply rely on third parties to provide analysis or additional security measures on the malicious IP address.
As to claim 2, Vixie discloses determining whether the IP address is associated with malicious activity comprises, based on a domain name service response policy zone (DNS RPZ), determining that the IP address is associated with malicious activity, wherein the DNS RPZ specifies a plurality of IP addresses that are associated with malicious activity as determined using data traffic from the telecommunications network (Vixie, 4.3, 4.5).
As to claims 4, 14, Vixie discloses determining whether the IP address is associated with malicious activity comprises: querying a database that is updated in near real-time using data traffic from the telecommunications network, wherein the database stores a plurality of IP addresses that are associated with malicious activity in the data traffic; and determining that the IP address is associated with malicious activity when there is a match in the database (Vixie, section 7, updating of the DNS RPZ incrementally in a timely manner after each change).
As to claims 6, 16, Vixie discloses identifying, in near real-time, one or more patterns in data traffic from the telecommunications network that are markers of malicious activity based on a concurrent occurrence of one or more: a particular geographic area, a particular date and time, a particular key word, a particular special character, or a particular host name; updating a database to store the one or more patterns identified for subsequent malicious activity determinations; and determining the IP address is associated with malicious activity when the IP address is associated with the one or more patterns (Vixie, section 7, updating of the DNS RPZ incrementally in a timely manner after each change, section 4.4, host name can be read as nameserver names used in triggers to drop certain DNS responses).
As to claim 8, Vixie discloses when the IP address is determined to not be associated with malicious activity, communicating the IP address to a user device that corresponds to the request comprised of the domain name (4.3, 4.5, responses that contain IP addresses not matched in the rules are returned or forwarded to client).
As to claim 9, Vixie discloses when the IP address is determined to be associated with malicious activity, communicating a notification to a user device that corresponds to the request comprised of the domain name, the notification specifying that the domain name is associated with malicious activity (section 3.6, In the example below, a client that asks for A RRs for "BAD.EXAMPLE.COM" will receive a response starting with "BAD.EXAMPLE.COM CNAME BAD.EXAMPLE.COM.GARDEN.EXAMPLE.NET").
As to claim 11, Vixie discloses determining whether the IP address is associated with malicious activity comprises, based on a domain name service response policy zone (DNS RPZ), determining that the IP address is associated with malicious activity (Vixie, 4.3, 4.5).
As to claim 12, Vixie discloses the DNS RPZ specifies a plurality of IP addresses that are associated with malicious activity as determined using data traffic from the telecommunications network (Vixie, 4.3, 4.5, 7, updating of the DNS RPZ or traffic).
Claim(s) 3, 13 is/are rejected under AIA 35 U.S.C. 103 as being unpatentable over Vixie-Wright in view of Woodworth et al. (US 2024/0048587, “Woodworth”).
As to claims 3, 13, Vixie-Wright does not disclose determining whether the IP address is associated with malicious activity comprises determining whether the IP address is associated with a threshold-exceeding volume of data traffic within a particular time period, wherein the threshold-exceeding volume of data traffic indicates that the IP address is predicted to correspond to an attack domain.
Woodworth discloses determining whether the IP address is associated with malicious activity comprises determining whether the IP address is associated with a threshold-exceeding volume of data traffic within a particular time period, wherein the threshold-exceeding volume of data traffic indicates that the IP address is predicted to correspond to an attack domain ([0063] and/or [0025]).
It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to apply Woodworth’s teachings to Vixie-Wright’s teachings of DNS RPZ policies in order to implement an alternative method of determining malicious domain/IP address based on quantitative analysis of traffic.
Claim(s) 5, 15 is/are rejected under AIA 35 U.S.C. 103 as being unpatentable over Vixie-Wright in view of de Monseignat (US 2009/0077383, “de Monseignat”).
As to claims 5, 15, Vixie-Wright does not disclose identifying one or more patterns in data traffic from the telecommunications network that are indicators of a phishing campaign; updating a database to store the one or more patterns identified for subsequent malicious activity determinations; and determining the IP address is associated with malicious activity when the IP address is associated with the one or more patterns.
de Monseignat discloses identifying one or more patterns in data traffic from the telecommunications network that are indicators of a phishing campaign; updating a database to store the one or more patterns identified for subsequent malicious activity determinations; and determining the IP address is associated with malicious activity when the IP address is associated with the one or more patterns ([0126]-[0142], detection of phishing domain patterns and associated IP address).
It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to apply de Monseignat’s teachings of phishing attack mitigation to Vixie-Wright’s teachings of DNS RPZ policies in order to implement phishing mitigation with the policies of Vixie.
Claim(s) 7, 17 is/are rejected under AIA 35 U.S.C. 103 as being unpatentable over Vixie-Wright in view of Gupta et al. (US 2020/0106806, “Gupta”).
As to claims 7, 17, Vixie-Wright does not disclose identifying one or more patterns in data traffic from the telecommunications network that are indicators of a distributed denial of service (DDoS) attack; updating a database to store the one or more patterns identified for subsequent malicious activity determinations; and determining the IP address is associated with malicious activity when the IP address is associated with the one or more patterns.
Gupta discloses identifying one or more patterns in data traffic from the telecommunications network that are indicators of a distributed denial of service (DDoS) attack; updating a database to store the one or more patterns identified for subsequent malicious activity determinations; and determining the IP address is associated with malicious activity when the IP address is associated with the one or more patterns (fig. 2, [0017]).
It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to apply Gupta’s teachings of DNS DDoS attack mitigation to Vixie-Wright’s teachings of DNS RPZ policies in order to implement DDoS mitigation with the policies of Vixie further with machine learning (Gupta, abstract).
Claim(s) 18 is/are rejected under AIA 35 U.S.C. 103 as being unpatentable over Vixie-Wright in view of Schryver (US 2017/0054761).
As to claim 18, Vixie-Wright discloses identifying when the IP address is determined to be associated with malicious activity (as in claim 10).
Vixie-Wright does not disclose selecting a plurality of user devices that are associated with one or more of: particular geographic area, a particular device type, or a particular user demographic; and communicating a notification to the plurality of user devices, the notification specifying that the domain name is associated with malicious activity.
Schryver discloses selecting a plurality of user devices that are associated with one or more of: particular geographic area, a particular device type, or a particular user demographic; and communicating a notification to the plurality of user devices, the notification specifying that the domain name is associated with malicious activity (fig. 2, [0041], [0042], [0048], pushing update information of a domain name blacklist to subscribing devices, such as admins or resolvers 102).
It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to apply Schryver’s teachings to Vixie-Wright’s teachings of DNS RPZ policies in order to update subscribing devices about new malicious domains.
Claim(s) 19 is/are rejected under AIA 35 U.S.C. 103 as being unpatentable over Vixie-Wright in view of what was known in the art (by taking Official Notice or “ON”).
As to claim 19, Vixie-Wright does not disclose communicating the IP address to a user device that corresponds to the request comprised of the domain name causes the user device to retrieve content using the IP address.
However, Official notice is taken that it is a normal behavior of a DNS resolver to communicate the IP address to a user device that corresponds to the request comprised of the domain name causes the user device to retrieve content using the IP address (see Karandikar et al. (US 2008/0177897, fig. 4, [0040])).
It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to apply what was known in the art to Vixie-Wright’s teachings of DNS RPZ policies in order to implement a known and normal DNS behavior such as a client using a resolved IP address to retrieve content from the domain name in the request.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure and is included in form PTO 892.
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HIEU T HOANG whose telephone number is (571) 270-1253. The examiner can normally be reached Mon-Fri 9 AM - 5 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Vivek Srivastava, can be reached on 571-272-7304. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/HIEU T HOANG/Primary Examiner, Art Unit 2449