Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
Claims 1 – 20 are currently pending.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1 – 20 are rejected under 35 U.S.C. 103 as being unpatentable over Kfir et al. (U.S. Patent 11,489,811), in view of Desai et al. (U.S. Patent Application Publication 2015/0143504).
As per claims 1, 11 & 16, Kfir teaches an identity-based domain name system (DNS) routing platform configured to apply an overall security policy, specific to an identity associated with a DNS query request, to DNS queries, comprising:
at least one hardware processor (Kfir: Col. 4 Line 52 – Col. 5 Line 15); and
memory storing computer-readable instructions that, when executed by the at least one hardware processor, cause the identity-based DNS routing platform to (Kfir: Abstract & Col. 4 Line 52 – Col. 5 Line 15):
establish, using an unencrypted DNS process, a DNS session between an identity-based DNS routing platform and a client device (Kfir: see above & Col. 1 Line 54 – 64 / Line 37 – 47 / Line 16 – 30 and Col. 2 Line 60 – 64: a DNS traffic protection mechanism is established through a secure platform of an on-device (local) protection agent on a mobile device, by first capturing an unencrypted DNS query (e.g. one sent from UDP port 53 in cleartext out of a secure network (Kfir: Col. 1 Line 17 – 19 / Line 54 – 64)) and then encrypting it prior to sending it to a trusted DNS server, so as to prevent a third party from intercepting the unencrypted DNS query before it reaches the trusted source);
receive, while the DNS session is established and from the client device, an unencrypted DNS query request comprising a request for an internet protocol (IP) address for a domain name, wherein the unencrypted DNS query request specifies the domain name (Kfir: see above & Col. 1 Line 17 – 30 and Col. 3 Line 43 – 45);
determine, based on identity information embedded into the unencrypted DNS query request, an identity of a user (Kfir: see above & Col. 1 Line 25 – 30).
However, Kfir does not disclose expressly determining, based on the identity of the user, the security policy specific to the user, wherein the security policy comprises one or more domain name filtering rules.
Desai (& Kfir) teaches determining, based on the identity of the user, the security policy specific to the user, wherein the security policy comprises one or more domain name filtering rules, and each domain name filtering rule comprises respective domain matching criteria and corresponding actions to take on matching domain names (Desai: see above & Para [0139] / [0071]: determining a per-user / per-application security policy to manage the DNS query (request) and resolve the actual IP address for the requested domain name accordingly).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Kfir to determine, based on the identity of the user, the security policy specific to the user, wherein the security policy comprises one or more domain name filtering rules, because Desai teaches an alternative, effective and secure way to determine a per-user / per-application security policy that manages the DNS query (request) and resolves the actual IP address for the requested domain name accordingly (see above), within Kfir's system, which provides a DNS traffic protection mechanism by first capturing an unencrypted DNS query at an on-device (local) protection agent and then encrypting it prior to sending it to a trusted DNS server, so as to prevent a third party from intercepting the unencrypted DNS query before it reaches the trusted source (see above).
determine, using the one or more domain name filtering rules and based on the domain name in the unencrypted DNS query request, a first action corresponding to the domain name in response to the unencrypted DNS query request (Kfir: see above & Col. 1 Line 25 – 30) || (Desai: see above & Para [0139] / Para [0071] / Para [0122]: (a) furnishing, based on the per-user / per-application security policy, a DNS response that either accepts or denies the DNS request, so as to resolve the actual IP address for the requested domain name, constitutes part of a domain name filtering rule; and besides, (b) upon receipt of a DNS request at the DNS server via an established TLS (transport layer security) secure tunnel / socket that carries the DNS request between a client / mobile device and a secure cloud-based system platform, a typical TLS handshake exchanges the security information in encrypted form, and the payload data (i.e. the DNS query data) is then decrypted into unencrypted form (cleartext) to determine an appropriate DNS response – this is consistent with the disclosure of the instant specification (SPEC: Para [0124] Line 1 – 3));
determine, based on the first action corresponding to the domain name, an unencrypted DNS query response, wherein determining the unencrypted DNS query response includes executing the request for the IP address for the domain name upstream to identify the IP address for the domain name (see immediate above); and
send, to the client device, the unencrypted DNS query response (Kfir: see above & Col. 6 Line 1 – 6, Col. 1 Line 54 – 64 and Col. 2 Line 60 – 64: (a) an unencrypted DNS response is transmitted back to the requesting entity that sent the unencrypted DNS query to resolve the IP address of the target domain name; and besides, (b) at the (protocol) communication interface on the client side, a received encrypted DNS response is decrypted into unencrypted form (cleartext) and delivered to the requesting entity at the mobile device via the on-device (local) protection agent (see above)) || (Desai: Abstract & Para [0139] Line 1 – 4 / Para [0071] / Para [0122]).
As per claims 2, 12 & 17, the instant claims are directed to claimed content having functionality corresponding to claim 1, and are rejected by a similar rationale.
As per claims 3 – 4, 13 – 14 & 18 – 19, Kfir as modified teaches wherein the identity information is encrypted by a local resolver, and wherein the unencrypted DNS query request passes through the local resolver prior to being received at the identity-based DNS routing platform (Kfir: see above & Col. 1 Line 54 – 64 / Line 37 – 47 / Line 16 – 30 and Col. 2 Line 60 – 64: a DNS traffic protection mechanism is established through a secure platform of an on-device (local) protection agent on a mobile device, by first capturing an unencrypted DNS query (e.g. one sent from UDP port 53 in cleartext out of a secure network (Kfir: Col. 1 Line 17 – 19 / Line 54 – 64)) and then encrypting it prior to sending it to a trusted DNS server, so as to prevent a third party from intercepting the unencrypted DNS query before it reaches the trusted source).
As per claims 5, 15 & 20, Kfir as modified teaches determining that the domain name matches a first domain name rule that indicates traffic to matching domains should be blocked, wherein the unencrypted DNS query response comprises at least one of: an IP address of a block notification page, or a notification that the requested IP address is blocked (Desai: see above & Para [0072] / [0071] / [0139]: (a) provision of a DNS black/white list security policy and (b) returning a response with an IP address – either the correct IP address (if permitted) or the IP address of a secure webserver (if blocked / to be inspected) for further analysis).
As per claim 6, Kfir as modified teaches determining that the domain name matches a first domain name rule that indicates traffic to matching domains should be allowed, wherein the unencrypted DNS query response comprises an IP address of a server associated with the domain name in the unencrypted DNS query request (Kfir: see above & Col. 6 Line 1 – 6, Col. 1 Line 54 – 64 and Col. 2 Line 60 – 64: (a) an unencrypted DNS response is transmitted back to the requesting entity that sent the unencrypted DNS query to resolve the IP address of the target domain name; and besides, (b) at the (protocol) communication interface on the client side, a received encrypted DNS response is decrypted into unencrypted form (cleartext) and delivered to the requesting entity at the mobile device via the on-device (local) protection agent (see above)) || (Desai: Abstract & Para [0139] Line 1 – 4 / Para [0071] / Para [0122]).
As per claim 7, Kfir as modified teaches determining that the domain name matches a first domain name rule that indicates traffic to matching domains should be logged by a proxy server (Kfir: see above & Col. 1 Line 37 – 47: a DNS proxy) || (Desai: see above & FIG. 5B / E-560, Para [0031] Line 10 – 14 and Para [0071] / [0139]: a proxy server is also part of a secure webserver, which also logs the DNS activity).
As per claim 8, Kfir as modified teaches wherein the unencrypted DNS query response comprises an IP address of the proxy server (Desai: see above & FIG. 5B / E-560 and Para [0071] / [0139]: (i) if the DNS query is blocked / to be inspected, a response is returned with the IP address of a secure webserver for further analysis, and a proxy server is also part of that secure webserver; and besides, (ii) where the DNS query response directs the client to a proxy server, that response clearly also comprises an IP address of the proxy server).
As per claim 9, Kfir as modified teaches wherein the unencrypted DNS query response is configured to cause outgoing traffic to and incoming traffic from the IP address of a server associated with the domain name of the unencrypted DNS query request to be conducted via the proxy server (Kfir: see above & Col. 1 Line 37 – 64 and Col. 2 Line 56 – 64) || (Desai: see above).
As per claim 10, the instant claim is directed to claimed content having functionality corresponding to claims 1 – 9, and is rejected by a similar rationale.
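Added illustrative example (not part of this Office action, the Kfir reference, the Desai reference or the applicant's specification): the rejection of claims 1, 11 & 16 above maps onto a resolver that receives an unencrypted query carrying an identity, selects that user's domain name filtering rules, and answers with an address, while claims 5 – 9 fix the three answers such rules produce (the real server address, the block notification page, or the proxy server). The Python sketch below implements that flow over real DNS wire format. Everything beyond the wire format is an assumption made here for illustration: the identity travels in a hypothetical EDNS0 option (code 65001, in the private-use range), the rule syntax and the two users' policies are constructed, an in-memory table stands in for the upstream resolver, and the block page and proxy use TEST-NET-1 placeholder addresses.

```python
import socket
import struct
from dataclasses import dataclass

# Constructed sample data standing in for the upstream resolver and for the
# block-page and proxy hosts; none of it comes from the cited references.
UPSTREAM = {"example.com": "93.184.216.34", "ads.example.net": "203.0.113.5",
            "corp.example.org": "198.51.100.7"}
BLOCK_PAGE_IP = "192.0.2.1"  # block notification page (TEST-NET-1 placeholder)
PROXY_IP = "192.0.2.2"       # logging proxy server (TEST-NET-1 placeholder)
# Hypothetical EDNS0 option code for the identity token (private-use range).
IDENTITY_OPTION_CODE = 65001

@dataclass(frozen=True)
class Rule:
    pattern: str  # exact name, "*.suffix" (the suffix and its subdomains) or "*"
    action: str   # "allow", "block" or "proxy"

POLICIES = {  # per-identity ordered rule lists, first match wins (constructed)
    "alice": [Rule("ads.example.net", "block"), Rule("*.example.org", "proxy"), Rule("*", "allow")],
    "bob": [Rule("*", "allow")],
}
DEFAULT_POLICY = [Rule("*", "block")]  # unknown or missing identity: fail closed

def encode_name(name: str) -> bytes:
    """Encode a domain name as uncompressed DNS labels."""
    labels = [lab.encode("ascii") for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"

def decode_name(pkt: bytes, off: int):
    """Decode uncompressed labels at pkt[off:]; return (name, offset after them)."""
    labels = []
    while True:
        n, off = pkt[off], off + 1
        if n == 0:
            return ".".join(labels), off
        labels.append(pkt[off:off + n].decode("ascii"))
        off += n

def build_query(domain: str, identity, txid: int = 0x1234) -> bytes:
    """Client side: plain A query; the identity rides in an OPT pseudo-RR option."""
    additional = b""
    if identity is not None:
        token = identity.encode("ascii")
        rdata = struct.pack("!HH", IDENTITY_OPTION_CODE, len(token)) + token
        additional = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if additional else 0)
    question = encode_name(domain) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    return header + question + additional

def parse_query(pkt: bytes):
    """Platform side: return (txid, qname, identity or None) from the wire bytes."""
    txid, _flags, _qd, _an, _ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    qname, off = decode_name(pkt, 12)
    off += 4  # skip QTYPE / QCLASS
    identity = None
    for _ in range(ar):
        _, off = decode_name(pkt, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        rdata, off = pkt[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype != 41:  # only the OPT RR (type 41) carries EDNS0 options
            continue
        p = 0
        while p + 4 <= len(rdata):  # walk the option list inside the OPT RDATA
            code, ln = struct.unpack("!HH", rdata[p:p + 4])
            if code == IDENTITY_OPTION_CODE:
                identity = rdata[p + 4:p + 4 + ln].decode("ascii", "replace")
            p += 4 + ln
    return txid, qname.lower(), identity

def matches(pattern: str, domain: str) -> bool:
    if pattern.startswith("*."):
        return domain == pattern[2:] or domain.endswith(pattern[1:])
    return pattern == "*" or domain == pattern

def decide(identity, domain: str):
    """Pick the user's policy; return (action, ip), where ip None means NXDOMAIN."""
    for rule in POLICIES.get(identity, DEFAULT_POLICY):
        if matches(rule.pattern, domain):
            if rule.action == "allow":
                return "allow", UPSTREAM.get(domain)  # the "upstream" lookup
            return rule.action, BLOCK_PAGE_IP if rule.action == "block" else PROXY_IP
    return "block", BLOCK_PAGE_IP

def build_response(txid: int, domain: str, ip) -> bytes:
    question = encode_name(domain) + struct.pack("!HH", 1, 1)
    if ip is None:  # QR|RD|RA with RCODE 3 (NXDOMAIN) and no answer section
        return struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0) + question
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + question + answer  # answer name is a pointer to the question

def handle_query(pkt: bytes):
    """The whole platform path: parse, identify, apply rules, answer."""
    txid, domain, identity = parse_query(pkt)
    action, ip = decide(identity, domain)
    return action, build_response(txid, domain, ip)

def answer_ip(resp: bytes):
    """Client side: the A record in a response, or None when there is no answer."""
    if struct.unpack("!H", resp[6:8])[0] == 0:  # ANCOUNT
        return None
    _, off = decode_name(resp, 12)
    off += 4 + 2 + 10  # QTYPE/QCLASS, name pointer, TYPE/CLASS/TTL/RDLENGTH
    return socket.inet_ntoa(resp[off:off + 4])
```

Calling handle_query(build_query("ads.example.net", "alice")) yields the action "block" and a response whose answer_ip is the block page address; the same name for "bob" resolves to the constructed upstream address, and a query with no identity option falls to the fail-closed default policy. The cleartext token is exactly what a user on the device would forge to inherit a more permissive policy, which is why claims 3 – 4 have the local resolver encrypting the identity information: a deployed platform must authenticate the token (for example with a per-device keyed MAC over token and query) before it selects a policy, and this sketch deliberately omits that step.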
Any inquiry concerning this communication or earlier communications from the examiner should be directed to LONGBIT CHAI whose telephone number is (571)272-3788. The examiner can normally be reached Monday - Friday 9:00am-5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn D. Feild can be reached at 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Longbit Chai/
Longbit Chai E.E. Ph.D.
Primary Examiner, Art Unit 2431
No. #2547 – 2025