Prosecution Insights
Last updated: July 17, 2026
Application No. 18/676,904

SYSTEM AND METHOD OF VALIDATING A DOMAIN NAME SYSTEM QUERY

Final Rejection §103
Filed
May 29, 2024
Examiner
ABYANEH, ALI S
Art Unit
2437
Tech Center
2400 — Computer Networks
Assignee
Radware Ltd.
OA Round
2 (Final)
78%
Grant Probability
Favorable
3-4
OA Rounds
1y 1m
Est. Remaining
99%
With Interview

Examiner Intelligence

Grants 78% — above average
78%
Career Allowance Rate
488 granted / 628 resolved
+19.7% vs TC avg
Strong +56% interview lift
Without
With
+56.0%
Interview Lift
resolved cases with interview
Typical timeline
3y 3m
Avg Prosecution
19 currently pending
Career history
654
Total Applications
across all art units

Statute-Specific Performance

§101
3.3%
-36.7% vs TC avg
§103
89.4%
+49.4% vs TC avg
§102
2.5%
-37.5% vs TC avg
§112
1.9%
-38.1% vs TC avg
Black line = Tech Center average estimate • Based on career data from 628 resolved cases

Office Action

§103
DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. Claims 1-19 are pending. Claims 1-3, 6, 10-13 and 16 have been amended. In light of Applicant’s amendments rejection of claims under 35 USC § 112 and 35 USC § 101 have been withdrawn. Response to Arguments Applicant's arguments filed 05-04-2026 have been fully considered. Applicant’s argument with respect to rejection of claims under 35 USC § 112 are persuasive. Accordingly, the rejection has been withdrawn. Applicant’s argument with respect to rejection of claims under 35 USC § 101 for being directed to abstract idea are persuasive. Accordingly, the rejections have been withdrawn. Applicant's arguments with respect to rejection of claims under 35 USC § 103 have been fully considered but they are not persuasive. Applicant argues that “Tzak actually teaches only validating the source address of the incoming request, as Tzak relies on the IP address to be the same both times, i.e., the source address of the initial DNS query must match the return query. By contrast, the invention as claimed validates the source of the DNS query using a first source IP address encoded within the modified domain name, irrespective of the source IP address of the return query”. Examiner respectfully disagrees. The relevant claimed limitation is being argued recites “validating, at DNS protection system, the DNS return query by comparing the first token and the determined second token, wherein the first token is extracted from the modified domain name of the DNS return query”. Tzakikario discloses, a guard device (DNS protection system) intercepting a DNS request message and performing authentication process on DNS request. The DNS request message is originated from a client having unauthenticated source address, and is addressed to DNS server. The authentication process carried out by the guard device is a challenge-response process, in which the source address is solicitated to transmit another DNS request. Specifically, the guard processor sends a DNS response to unauthenticated source address. The DNS response from the guard has a form of “example.com CNAME cookie.example. guard-as.com”. The client device upon receiving the response from the guard sending a second DNS request (DNS return query) including a cookie (column 3, line 40-column 4, line 13). The guard perform verification (validating at DNS protection system) based on the cookie in the second DNS request from the client device having unauthenticated source address. Particularly, the guard perform validating the DNS request (DNS return query) by compare a decoded cookie (token ) in second DNS request to the cookie sent in the DNS response (column 6, lines 32-37). Accordingly, Tzakikario discloses the limitation being argued. Applicant further argues that “the instant claims require that the IP address be source included in the modified domain name but such is not taught or suggested by Tzak”. In response, Tzakikario discloses, the cookie sent to the client from guard is/includes among other elements an encoded source IP address (column 5, lines 32-47), which meets the claimed limitation. Applicant argues that “Kulkarni's second channel corresponds to a separate authentication medium for a user which has nothing to do with, nor is it in any way analogous to, a DNS return query from a different source IP address. Further to this point, it does not teach or suggest anything related to validating DNS queries originating from different network source addresses or that is could somehow be applicable to same or otherwise used to modify Tzak. It should thus be recognized that Kulkarni does not actually teach or suggest anything similar to a return query being received from a second source IP address, notwithstanding the Office Action's suggestion to the contrary”. Here, applicant attacks Kulkarni individually, whereas the rejection relies on the combine teaching of Tzakikario and Kulkarni. In response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references. See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986). Kulkarni was relied on for disclosing that the return query is receive from a second IP address. Kulkarni (column 7, lines 22-24) disclose this limitation of the claim. Tzakikario and Kulkarni are analogous because both are directed to validation or verifying communication received from different source within a network environment. Specifically Tzakikario addresses validation of network communication (e.g., DNS-related responses), while Kulkarni addresses validation of communication received via a separate channel or different source. It would have been obvious to one of ordinary skill in the art to combine Tzakikario and Kulkarni in order to enhance authentication security by implementing multiple channels and devices of a user during authentication. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 1, 2, 7, 8, 10-12, 17 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Tzakikario et al. (US Patent No. 7,620,733 ), hereinafter Tzakikario, in view of Kulkarni et al. (US Patent 8,671,444), hereinafter Kulkarni. As per claim 1, 10 and 11, Tzakikario discloses a method for defending a domain name system (DNS) name server from malicious attacks using a DNS challenge (column 2, lines 24-28, “embodiments of the present invention provide methods and system for DNS authentication ...[t]he authentication, methods described herein comprises a ‘challenge-response’ exchange messages..”), comprising: sending a response to a first source Internet protocol (IP) address specified in an DNS query receive at a DNS protection system (column 3, lines 40-60, “guard device 30 intercepting DNS/UDP request messages…guard processor 34, sends, via network interface 32, a DNS response to the unauthenticated source address”), wherein the response has a modified domain name (column 4, lines 1-5, “[t]he DNS response sent by the guard in response to this request has the form ‘example.CNAME cookie.example.com.gaurd-as .com’”) that includes a first token (column 5, lines 35-36, “the canonical name comprising an encoded ‘cookie,’ i.e., a secret value”), the first source IP address (column 5, lines 47, “ Source IP address”), and an original domain name (column 3, line 66-column4 line 3, example.com); determining at the DNS protection system, receipt of a return query for the modified domain name (column 6, lines 1-3 and 15-18, “[h]aving sent the DNS response, the guard device checks whether the unauthenticated source address sends a second DNS request , at a response checking step 54”…[t]he second DNS request should contain a query for a domain name of the form cookie.mail.example.com.gaurd-as.com”); upon receipt of the DNS return query at the DNS protection system, determining a second token for the return query by executing a function with respect to the first source IP address in the modified domain name (column 6, lines 17-21, “[u]pon receiving the second DNS request, having the form cookie. anyDNSname.guard-as.com, the guard decodes the "cookie" string extracted from the second request and checks whether the cookie comprises the correct information, at a cookie verification step”, the second token is determined by decoding the cookie); and validating, at the DNS protection system the DNS return query by comparing the first token and the determined second token, wherein the first token is extracted from the modified domain name of the DNS return query (column 6, lines 32-35,“If the decoded cookie in the second DNS request does not match the cookie sent in the DNS response, the method reverts to spoof declaration step 56, concluding that the unauthenticated source address is spoofed”). preventing DNS queries from IP addresses that do not originate from an IP address for which a DNS return query was validated from being transmitted to any DNS name server (column 3 lines 3-8, column 6, lines 32-35, “if the challenge-response procedure is successful in verifying the DNS request is legitimate…the guard device…allows subsequent requests from this address to reach server 22. Otherwise, DNS request is typically discarded”). Tzakikario does not explicitly discloses wherein the return query is received from a second source IP address. However, in an analogous art, Kulkarni discloses the return query is received from a second source IP address (column 7, lines 22-24, “The user takes the token value and uses a second channel where they enter the token value and a second authentication parameter”). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Tzakikario and Kulkarni. This would have been obvious because one of ordinary skill in the art would have been motivated to enhance authentication security by implementing multiple channels and devices of a user during authentication. As per claim 2 and 12, Tzakikario further discloses, wherein determining receipt of the DNS return query remediates potential malicious attacks from an unvalidated DNS query (column 3, lines 2-8, if challenge-response procedure is not successful the DNS request is discarded). As per claim 7 and 17, Tzakikario further discloses, generating the first token of a first query (column 5, lines 47, generating the cookie), wherein the first query from the first source IP address has the original domain name (column 3, line 66-column 4, line 1, “DNS request queries server 22 for the IP address corresponding to the domain example.com). As per claim 8 and 18, Tzakikario furthermore discloses, wherein the first token and the second token are each a token, and wherein the token is a random-looking string uniquely generated for each query, wherein the token is generated based on at least one of: a secret, a current time of the each query, the original domain name, and the first source IP address (column 5, lines 44-55, The guard device typically generates the cookie by encoding one or more of the following: Source IP address of the first DNS request. IP TTL (Time-To-Live) value of the first DNS request. IP TTL should not be confused with DNS TTL. The use of IP TTL is further described below. The domain name queried by the first DNS request. A pseudo-random number generated by the guard device”). Claims 3-5 and 13-15 are rejected under 35 U.S.C. 103 as being unpatentable over Tzakikario in view of Kulkarni, further in view of Paterson et al. (US Patent No. 12,074,911), hereinafter Paterson. As per claim 3 and 13, Tzakikario further discloses, wherein the return DNS query is valid when the first token is identical to the second token, further comprising: adding the first source IP address [and the second source IP address] of the validated DNS return query to a whitelist (column 6, lies 36-42, “If the two cookies do match, the guard declares the source address authenticated…The guard typically stores the authenticated source address in a "whitelist" of authenticated addresses”). Tzakikario as modified does not explicitly adding the second source IP address. However, adding a second source IP address is old and well known as illustrated by Paterson (column 5, lines 55-63 “ the whitelist definition 22 may be a database or data file that indicates that IP addresses 192.168.0.1-192.168.0.4 are whitelisted access sources 102 for usage of protected user account ‘Ul.’ Additionally the whitelist definition 22 indicates that IP addresses 192.168.0.1 , 192.168.0.5, and 192.168.0.6 are whitelisted access sources 104 for protected user account ‘U2.’”). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the modified Tzakikario to include the well know feature of adding a second or multiple trusted sources to a whitelist as disclosed by Paterson, in order to achieve the predictable result of allowing quick validation of authorized request from different location or systems, thereby improving access efficiency. As per claim 4 and 14, Paterson furthermore disclose, determining a subnet for each of the first source IP address and the second source IP address; and adding IP addresses of the subnet to the whitelist (claim 1, “identify a set of sources…obtain a subset of the set of sources as a whitelist”). The motivation is similar to motivation provided in claim 3. As per claim 5 and 15, Tzakikario furthermore discloses relaying a subsequent query to at least one name server without the DNS challenge, wherein the subsequent query is received from an IP address in the whitelist (column 6, lines 38-41, “The guard typically stores the authenticated source address in a ‘whitelist’ of authenticated addresses in database 35. Subsequent DNS requests originating from this source address are then allowed to reach DNS server 22”) . Claims 6 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Tzakikario in view of Kulkarni, further in view of Reddy et al. (US Publication No. 2017/0346855), hereinafter Reddy. As per claim 6 and 16, Tzakikario furthermore discloses, wherein a third query for the original domain name accesses the DNS name server via the name server address, wherein the third query and the DNS return query is sent from a same source ( column 6, lines 1-9 and 40-42, “DNS request originated from this source [client] are then allowed to reach DNS server 22”, reaching DNS server 22 is through a third query to DNS. The third query and the return query are sent from the client ). Tzakikario does not explicitly disclose, but in an analogous art, Reddy discloses sending a name server address to the second source IP in association to the modified domain name (figure 4, claim 4, “sending the cached DNS response to the second endpoint device”. The second endpoint has a second IP address). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the modified Tzakikario with Reddy. This would have been obvious because one of ordinary skill in the art would have been motivated to deliver DNS response to different user devices. Claims 9 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Tzakikario in view of Kulkarni, further in view of Migult et al. (US Publication No. 2025/0126151), hereinafter Migult. As per claim 9 and 19, Tzakikario as modified does not explicitly disclose, but in an analogous art, Migult discloses determining a DNS resolver associated with the first source IP address as a legitimate DNS resolver (paragraph [0074], determines whether the DNS resolver is the expected DNS resolver based on a comparison of the received certificate or the computed hash and the certificate or hash included in the configuration parameters). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the modified Tzakikario with Migult. This would have been obvious because one of ordinary skill in the art would have been motivated to improve end user’s privacy by allowing communication to authorized and trusteed resolver. References Cited, Not Used The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Kaliski et al. (US Publication No.2018/0034827) discloses, one or more DNS services are configured to not only tolerate some commonly observed DNSSEC misconfigurations (while still providing DNSSEC's security guarantees), but also provide a more intelligent DNS resolution process informed by DNSSEC. Vissamsetty et al. (US Publication No. 20180013788) discloses, MITM attacks are detected by intercepting network configuration traffic (name resolution, DHCP, ARP, ICMP, etc.) in order to obtain a description of network components. MITM attacks may be confirmed by transmitting fake credentials to a source of a response to a request for network configuration information. If the fake credentials are accepted or are subsequently used in an access attempt, then a MITM attack may be confirmed. Conclusion THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to Ali Abyaneh whose telephone number is (571) 272-7961. The examiner can normally be reached on Monday-Friday from (8:00-5:00). If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Alexander Lagor can be reached on (571) 270-5143. The fax phone numbers for the organization where this application or proceeding is assigned as (571) 273-8300 Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). /ALI S ABYANEH/Primary Examiner, Art Unit 2437
Read full office action

Prosecution Timeline

May 29, 2024
Application Filed
Dec 02, 2025
Non-Final Rejection mailed — §103
May 04, 2026
Response Filed
Jul 07, 2026
Final Rejection mailed — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12651063
OBTAINING IMMUTABLE SNAPSHOTS IN STORAGE SYSTEMS FOR RECOVERY AFTER CORRUPTED DATA DETECTION
2y 4m to grant Granted Jun 09, 2026
Patent 12645794
METHOD, ELECTRONIC DEVICE, AND COMPUTER PROGRAM PRODUCT FOR SNAPSHOT CLASSIFICATION
3y 2m to grant Granted Jun 02, 2026
Patent 12647462
Systems and methods for intelligent application definition and protection
2y 6m to grant Granted Jun 02, 2026
Patent 12627697
CYBER THREAT INFORMATION PROCESSING APPARATUS, CYBER THREAT INFORMATION PROCESSING METHOD, AND STORAGE MEDIUM STORING CYBER THREAT INFORMATION PROCESSING PROGRAM
3y 1m to grant Granted May 12, 2026
Patent 12615283
Systems and Methods for Network Security
2y 3m to grant Granted Apr 28, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

3-4
Expected OA Rounds
78%
Grant Probability
99%
With Interview (+56.0%)
3y 3m (~1y 1m remaining)
Median Time to Grant
Moderate
PTA Risk
Based on 628 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month