Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
1. Claims 1 - 20 are pending. Claims 1, 10, 14 are independent. File date on 6-28-2024.
Claim Rejections - 35 USC § 103
2. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
3. Claims 1, 2, 8, 10, 14, 19 are rejected under 35 U.S.C. 103 as being unpatentable over Stein et al. (US Patent No. 10,440,042) in view of Cyras et al. (Patent No. WO 2022175709 A1) and further in view of Rai et al. (US Patent No. 12,373,425) and Chen et al. (US PGPUB No. 8,819,209) and Bilge et al. (US Patent No. 10,944,781) and Chiba et al. (Patent No. EP 3252646 A1) and Ma et al. (US PGPUB No. 20210377304).
Regarding Claims 1, 10, 14, Stein discloses a method and one or more non-transitory machine-readable media and an apparatus, comprising:
a) determining values of a plurality of features of a domain name (Stein col 4: Feature extraction logic 112 is programmed to extract one or more features from a given domain name for a selected domain that was retrieved by AS lookup system 102. A feature represents a characteristic of the domain name. The classifier logic 114 may use the extracted features to determine a risk priority score for the domain name. The extracted features may be stored by feature extraction logic 112.; col 9: classifier logic 114 can be applied to the one or more features extracted for a particular domain name in order to analyze the one or more features of the particular domain name)
Stein does not explicitly disclose for c) a first subset of features of the plurality of features and for d) a second set of features of the plurality of features.
However, Cyras discloses wherein for c) a first subset of features and for d) a second set of features. (Cyras pages 9-10: the first set of features may be identical to a second set of features, partially different from the second set of features, or completely different from the second set of features.)
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Stein for c) a first subset of features of the plurality of features and for d) a second set of features of the plurality of features as taught by Cyras. One of ordinary skill in the art would have been motivated to employ the teachings of Cyras for the flexibility of a system that utilizes multiple parameters such as groupings of features in the processing of information. (Cyras pages 9-10)
Stein-Cyras does not explicitly disclose for c) a first subset of the plurality of features based on the results obtained from prompting the language model.
However, Rai discloses:
c) a first subset of the plurality of features based on the results obtained from prompting the language model. (Rai col 5: receiving, from a user, a natural language query for retrieving features from a feature store; generating an input prompt by appending text identifying the feature store to the natural language query; determining, by a large language model (LLM), one or more tables or databases from the feature store that are relevant to the natural language query based on the input prompt; retrieving, by the LLM, metadata for the one or more tables or databases from the feature store; determining, by the LLM, one or more feature groups comprising features relevant to the natural language query based on the metadata; generating, by the LLM, a programming language query based on the input prompt, the metadata, and the one or more feature groups; retrieving a list of features within the one or more feature groups that are accessible within the feature store by executing the programming language query on the feature store;)
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Stein for c) a first subset of the plurality of features based on the results obtained from prompting the language model as taught by Rai. One of ordinary skill in the art would have been motivated to employ the teachings of Rai for the flexibility of a system that utilizes multiple types of parameters such as first and second subsets of features associated with domain name information. (Rai col 5)
Stein-Cyras-Rai does not explicitly disclose for d) a second subset of the domain name based on querying one or more data sources for the domain name.
However, Chen discloses:
d) a second subset of the domain name based on querying one or more data sources for the domain name. (Chen page 1: receiving responses to the queries from the domain name system servers; and determining one or more different features for one or more domain name system servers in the plurality of domain name system servers based on the received responses.)
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Stein for d) a second subset of the domain name based on querying one or more data sources for the domain name as taught by Chen. One of ordinary skill in the art would have been motivated to employ the teachings of Chen for the flexibility of a system that utilizes multiple types of parameters such as second subset of features associated with domain name information. (Chen page 1)
Stein-Cyras-Rai-Chen does not explicitly disclose for b) querying a model to evaluate benignity of a domain name, wherein an output of the model comprises results of evaluating benignity of the domain name, and for e) inputting the plurality of features into a classification pipeline, wherein the classification pipeline comprises a classifier, and for f) determining if domain name is benign based on output of classification pipeline.
However, Bilge discloses:
b) querying a model with a plurality of task instructions to evaluate benignity of a domain name, wherein an output of the model comprises results of evaluating benignity of the domain name; (Bilge col 1: identifying malicious domain names from a passive domain name system server log may include (1) creating, at a computing device, a pool of domain names at least in part from the passive domain name server log, (2) identifying respective features of each domain name in the pool of domain names, (3) preparing a list of known benign domain names and the respective features of each known benign domain name on the list of known benign domain names, wherein the known benign domain names are in the pool of domain names, (4) preparing a list of known malicious domain names and the respective features of each known malicious domain name on the list of known malicious domain names, wherein the known malicious domain names are in the pool of domain names, (5) computing a classification model based at least in part on (A) the respective features of each known benign domain name on the list of known benign domain names, and (B) the respective features of each known malicious domain name on the list of known malicious domain names,).
e) inputting the values of the plurality of features into a classification pipeline, wherein the classification pipeline comprises a classifier that was; (Bilge col 12: may classify, using classification models (classification model), unclassified domain names as malicious domain names, based on the respective features of the unclassified domain names.)
f) determining if the domain name is benign based, at least in part, on the output of the classification pipeline. (Bilge col 12: may classify, using classification models, unclassified domain names as malicious domain names, based on the respective features of the unclassified domain names.)
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Stein for b) querying a model to evaluate benignity of a domain name, wherein an output of the model comprises results of evaluating benignity of the domain name, and for e) inputting the plurality of features into a classification pipeline, wherein the classification pipeline comprises a classifier, and for f) determining if domain name is benign based on output of classification pipeline as taught by Bilge. One of ordinary skill in the art would have been motivated to employ the teachings of Bilge for the flexibility of a system that enables multiple techniques such as classification of domain names to determine benign or malicious domain names. (Bilge col 12)
Stein-Cyras-Rai-Chen-Bilge does not explicitly disclose for b) prompting a language model, and for c) determining values based upon results from prompting the language model.
However, Chiba discloses wherein for b) prompting a language model, and for c) determining values based upon results from prompting the language model. (Chiba ¶ 023: information indicating malignancy or benignity like that represented in the label column in FIG. 3 is also necessary. For example, the row of Serial Number 1 in FIG. 3 represents that the label of the communication partner whose domain name is "foo.example.com" represents "benignity".; ¶ 026: The malignancy calculator 104 may generate a model for calculating malignancy by supervised machine learning, where the characteristic information about the known communication partners is input data and whether the known communication partners are malignant or benign is output data, and may calculate malignancy of the subject communication partner by using the model.; ¶ 059: the malignancy calculator 104 generates a training model that is a model for calculating malignancy by applying a given algorithm to characteristic information about known communication partners like that illustrated in FIG. 3.; ¶ 069: The malignancy calculator 104 uses the characteristic information about the known communication partners as input data, generates a model for calculating malignancy by supervised machine learning where whether the known communication partners are malignant or benign is used as output data and calculates malignancy of the subject communication partner by using the generated model.)
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Stein for b) prompting a language model, and for c) prompting the language model as taught by Chiba. One of ordinary skill in the art would have been motivated to employ the teachings of Chiba for the flexibility of a system that enables the utilization of multiple types of data processing models such as language models in the determination of a benign status. (Chiba ¶ 023; ¶ 026)
Stein-Cyras-Rai-Chen-Bilge-Chiba does not explicitly disclose for e) previously trained to predict whether domain names are benign, comprises a prediction of whether the domain name is benign.
However, Ma discloses for e) previously trained to predict whether domain names are benign, wherein an output of the classification pipeline comprises a prediction of whether the domain name is benign. (Ma ¶ 045: machine learning training process collects data samples with labels (benign or malicious), extracts a set of features from these samples, and feeds the features into a machine learning model to determine patterns. The output of this training process is a machine learning model that can predict the likelihood a new domain is benign or malicious,)
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Stein for e) previously trained to predict whether domain names are benign, comprises a prediction of whether the domain name is benign as taught by Ma. One of ordinary skill in the art would have been motivated to employ the teachings of Ma for the flexibility of a system that enables the utilization of training techniques to a determination prediction of benign or malicious domain names. (Ma ¶ 045)
Furthermore, for Claim 10, Stein discloses wherein one or more non-transitory machine-readable media having program code stored thereon, the program code comprising instructions to perform operations. (Stein col 3: Each of these systems and logic may be implemented using one or more computer programs, other software elements, or a combination of software, firmware and hardware. In one embodiment, each of the functional elements shown in FIG. 1 is implemented using executables compiled or otherwise prepared based upon computer program source code organized in projects or packages of multiple files associated with different classes, and object implementations of the classes that implement functional methods.)
Furthermore, for Claim 14, Stein discloses wherein a processor, and a machine-readable medium having instructions stored thereon that are executable by the processor to cause the apparatus to perform operations. (Stein col 3: Each of these systems and logic may be implemented using one or more computer programs, other software elements, or a combination of software, firmware and hardware. In one embodiment, each of the functional elements shown in FIG. 1 is implemented using executables compiled or otherwise prepared based upon computer program source code organized in projects or packages of multiple files associated with different classes, and object implementations of the classes that implement functional methods.)
Regarding Claim 2, Stein-Cyras-Rai-Chen-Bilge-Chiba-Ma discloses the method of claim 1.
Stein does not explicitly disclose generating a prompt that indicates the domain name and the plurality of task instructions, wherein prompting the language model comprises inputting the prompt to the language model. (prompt: input to a model)
However, Bilge discloses wherein further comprising generating a prompt that indicates the domain name and the plurality of task instructions based on a prompt template, wherein prompting the language model comprises inputting the prompt to the language model. (Bilge col 1: identifying malicious domain names from a passive domain name system server log may include (1) creating, at a computing device, a pool of domain names at least in part from the passive domain name server log, (2) identifying respective features of each domain name in the pool of domain names, (3) preparing a list of known benign domain names and the respective features of each known benign domain name on the list of known benign domain names, wherein the known benign domain names are in the pool of domain names, (4) preparing a list of known malicious domain names and the respective features of each known malicious domain name on the list of known malicious domain names, wherein the known malicious domain names are in the pool of domain names, (5) computing a classification model based at least in part on (A) the respective features of each known benign domain name on the list of known benign domain names, and (B) the respective features of each known malicious domain name on the list of known malicious domain names,.; col 12: may classify, using classification models (classification model), unclassified domain names as malicious domain names, based on the respective features of the unclassified domain names)
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Stein for generating a prompt that indicates the domain name and the plurality of task instructions, wherein prompting the language model comprises inputting the prompt to the language model as taught by Bilge. One of ordinary skill in the art would have been motivated to employ the teachings of Ma for the flexibility of a system that enables the utilization of training techniques for determining prediction of benign domain names or malicious domain names. (Bilge col 12)
Regarding Claim 8, Stein-Cyras-Rai-Chen-Bilge-Chiba-Ma discloses the method of claim 1.
Stein does not explicitly disclose one or more of an indication of popularity of the domain name, an age of the domain name, search engine results from searching the domain name, passive Domain Name System (pDNS) data of the domain name, a lexical feature of the domain name, and a registrant of the domain name.
However, Bilge discloses wherein the second subset of features comprises one or more of an indication of popularity of the domain name, an age of the domain name, search engine results from searching the domain name, passive Domain Name System (pDNS) data of the domain name, a lexical feature of the domain name, and a registrant of the domain name. (Bilge col 1: identifying malicious domain names from a passive domain name system server log may include (1) creating, at a computing device, a pool of domain names at least in part from the passive domain name server log, (2) identifying respective features of each domain name in the pool of domain names, (3) preparing a list of known benign domain names and the respective features of each known benign domain name on the list of known benign domain names, wherein the known benign domain names are in the pool of domain names, (4) preparing a list of known malicious domain names and the respective features of each known malicious domain name on the list of known malicious domain names, wherein the known malicious domain names are in the pool of domain names, (5) computing a classification model based at least in part on (A) the respective features of each known benign domain name on the list of known benign domain names, and (B) the respective features of each known malicious domain name on the list of known malicious domain names,; (selected: passive Domain Name System (pDNS) data of the domain name))
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Stein for one or more of an indication of popularity of the domain name, an age of the domain name, search engine results from searching the domain name, passive Domain Name System (pDNS) data of the domain name, a lexical feature of the domain name, and a registrant of the domain name as taught by Bilge. One of ordinary skill in the art would have been motivated to employ the teachings of Bilge for the flexibility of a system that enables multiple techniques such as classification of domain names to determine benign or malicious domain names. (Bilge col 1)
Regarding Claim 19, Stein-Cyras-Rai-Chen-Bilge-Chiba-Ma discloses the method of claim 14.
Stein does not explicitly disclose one or more of an indication of popularity of the domain name, an age of the domain name, search engine results from searching the domain name, passive Domain Name System (pDNS) data of the domain name, a lexical feature of the domain name, and a registrant of the domain name.
However, Bilge discloses wherein the second subset of features comprises one or more of an indication of popularity of the domain name, an age of the domain name, search engine results from searching the domain name, passive Domain Name System (pDNS) data of the domain name, a lexical feature of the domain name, and a registrant of the domain name. (Bilge col 1: identifying malicious domain names from a passive domain name system server log may include (1) creating, at a computing device, a pool of domain names at least in part from the passive domain name server log, (2) identifying respective features of each domain name in the pool of domain names, (3) preparing a list of known benign domain names and the respective features of each known benign domain name on the list of known benign domain names, wherein the known benign domain names are in the pool of domain names, (4) preparing a list of known malicious domain names and the respective features of each known malicious domain name on the list of known malicious domain names, wherein the known malicious domain names are in the pool of domain names, (5) computing a classification model based at least in part on (A) the respective features of each known benign domain name on the list of known benign domain names, and (B) the respective features of each known malicious domain name on the list of known malicious domain names,.; (selected: passive Domain Name System (pDNS) data of the domain name,))
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Stein for one or more of an indication of popularity of the domain name, an age of the domain name, search engine results from searching the domain name, passive Domain Name System (pDNS) data of the domain name, a lexical feature of the domain name, and a registrant of the domain name as taught by Bilge. One of ordinary skill in the art would have been motivated to employ the teachings of Bilge for the flexibility of a system that enables multiple techniques such as classification of domain names to determine benign or malicious domain names. (Bilge col 1)
4. Claims 3, 9, 13, 20 are rejected under 35 U.S.C. 103 as being unpatentable over Stein in view of Cyras and further in view of Rai and Chen and Bilge and Chiba and Ma and Huffner et al. (US Patent No. 10,673,814).
Regarding Claim 3, Stein-Cyras-Rai-Chen-Bilge-Chiba-Ma discloses the method of claim 1.
Stein does not specifically disclose at least one of a task instruction to determine a brand name associated with the domain name, a task instruction to determine if the domain name is indicative of a social engineering attack, and a task instruction to determine if the domain name is indicative of typosquatting.
However, Huffner discloses wherein the plurality of task instructions comprises at least one of a task instruction to determine a brand name associated with the domain name, a task instruction to determine if the domain name is indicative of a social engineering attack, and a task instruction to determine if the domain name is indicative of typosquatting. (Huffner col 2: a request for analysis of relevance of a domain name to a brand name may be obtained. In response to the request, a list of features may be determined. The features may include information associated with one or more terms included as substrings in the domain name. The determining may include obtaining a language model for each term, analyzing a cluster of language models closest to the obtained language model, determining a relevance measurement value, and determining a score of the determined relevance measurement value of each term to the brand name, based on the analyzing.; (selected: a task instruction to determine a brand name associated with the domain name))
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Stein for at least one of a task instruction to determine a brand name associated with the domain name, a task instruction to determine if the domain name is indicative of a social engineering attack, and a task instruction to determine if the domain name is indicative of typosquatting as taught by Huffner. One of ordinary skill in the art would have been motivated to employ the teachings of Huffner for the flexibility of a system that enables multiple task operations such as determining a brand name associated with the domain name. (Huffner col 2)
Regarding Claim 9, Stein-Cyras-Rai-Chen-Bilge-Chiba-Ma discloses the method of claim 1.
Stein does not specifically disclose the domain name is a root domain.
However, Huffner discloses wherein the domain name is a root domain. (Huffner col 1: Domain names are organized in subordinate levels (subdomains) of the DNS root domain, which is nameless. The first-level set of domain names are the top-level domains (TLDs), including the generic top-level domains (gTLDs), such as the prominent domains com, info, net, edu, and org, and the country code top-level domains (ccTLDs).)
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Stein for the domain name is a root domain as taught by Huffner. One of ordinary skill in the art would have been motivated to employ the teachings of Huffner for the flexibility of a system that enables processing associated with multiple types of domains such as a root domain. (Huffner col 1)
Regarding Claim 13, Stein-Cyras-Rai-Chen-Bilge-Chiba-Ma discloses the non-transitory machine-readable media of claim 10.
Stein does not explicitly disclose task instructions comprises at least one of a task instruction to determine a brand name associated with the domain name, a task instruction to determine if the domain name is indicative of a social engineering attack, a task instruction to determine if the domain name is indicative of typosquatting, and task instructions to determine one or more search results for the domain name, summarize the one or more search results to generate a summary, and determine if the domain name is benign based on the summary of the search results.
However, Huffner discloses wherein the program code further comprises instructions to generate a prompt that indicates the domain name and the plurality of task instructions based on a prompt template, wherein the plurality of task instructions comprises at least one of a task instruction to determine a brand name associated with the domain name, a task instruction to determine if the domain name is indicative of a social engineering attack, a task instruction to determine if the domain name is indicative of typosquatting, and task instructions to determine one or more search results for the domain name, summarize the one or more search results to generate a summary, and determine if the domain name is benign based on the summary of the search results. (Huffner col 2: a request for analysis of relevance of a domain name to a brand name may be obtained. In response to the request, a list of features may be determined. The features may include information associated with one or more terms included as substrings in the domain name. The determining may include obtaining a language model for each term, analyzing a cluster of language models closest to the obtained language model, determining a relevance measurement value, and determining a score of the determined relevance measurement value of each term to the brand name, based on the analyzing.; (selected: a task instruction to determine a brand name associated with the domain name))
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Stein for task instructions comprises at least one of a task instruction to determine a brand name associated with the domain name, a task instruction to determine if the domain name is indicative of a social engineering attack, a task instruction to determine if the domain name is indicative of typosquatting, and task instructions to determine one or more search results for the domain name, summarize the one or more search results to generate a summary, and determine if the domain name is benign based on the summary of the search results as taught by Huffner. One of ordinary skill in the art would have been motivated to employ the teachings of Huffner for the flexibility of a system that enables multiple task operations such as determining a brand name associated with the domain name. (Huffner col 2)
Regarding Claim 20, Stein-Cyras-Rai-Chen-Bilge-Chiba-Ma discloses the apparatus of claim 14.
Stein does not specifically disclose the domain name is a root domain.
However, Huffner discloses wherein the domain name is a root domain. (Huffner col 1: Domain names are organized in subordinate levels (subdomains) of the DNS root domain, which is nameless. The first-level set of domain names are the top-level domains (TLDs), including the generic top-level domains (gTLDs), such as the prominent domains com, info, net, edu, and org, and the country code top-level domains (ccTLDs).)
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Stein for the domain name is a root domain as taught by Huffner. One of ordinary skill in the art would have been motivated to employ the teachings of Huffner for the flexibility of a system that enables processing associated with multiple types of domains such as a root domain. (Huffner col 1)
5. Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Stein in view of Cyras and further in view of Rai and Chen and Bilge and Chiba and Ma and Essawi et al. (Patent No. WO 2010147794 A1).
Regarding Claim 4, Stein-Cyras-Rai-Chen-Bilge-Chiba-Ma discloses the method of claim 1.
Stein does not explicitly disclose determining search results for domain name, summarize search results to generate a summary, and determine if the domain name is benign based on summary.
However, Essawi discloses wherein the plurality of task instructions comprises task instructions to determine one or more search results for the domain name, summarize the one or more search results to generate a summary, and determine if the domain name is benign based on the summary of the search results. (Essawi ¶ 051: SecurityAuditorReportManager 460 will flush the transaction log and SQL summary caches and generate two reports: a summary report 468 which gives a high level report of the types and counts of errors and a detail error report 464. Other reports can be generated as appropriate to the particular application.; ¶ 011: present invention provide operations staff with alerts when any changes to the SRS registry database are performed outside of known applications. Thus, information related to malicious activity associated with the registry database is provided by the embodiments described herein.)
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Stein for determining search results for domain name, summarize search results to generate a summary, and determine if the domain name is benign based on summary as taught by Essawi. One of ordinary skill in the art would have been motivated to employ the teachings of Essawi for the flexibility of a system that enables processing of multiple parameters and the generation of a summary report with domain name is benign or malicious. (Essawi ¶ 051; ¶ 011)
6. Claims 5 - 7, 11, 12, 15 - 17 are rejected under 35 U.S.C. 103 as being unpatentable over Stein in view of Cyras and further in view of Rai and Chen and Bilge and Chiba and Ma and Baughman et al. (US PGPUB No. 20180077120).
Regarding Claim 5, Stein-Cyras-Rai-Chen-Bilge-Chiba-Ma discloses the method of claim 1.
Stein does not explicitly disclose determining a score indicating benignity of the domain name based on evaluating the values of the features based on a plurality of heuristics, and determining if the domain name is benign is also based on score indicating benignity of the domain name.
However, Baughman discloses further comprising determining a score indicating benignity of the domain name based on evaluating the values of the second subset of features based on a plurality of heuristics, wherein determining if the domain name is benign is also based on the score indicating benignity of the domain name. (Baughman ¶ 026: establish if a given character string represents a resource that is benign, malignant, suspicious, and/or malicious. In one aspect, a “reputation” score may be established of a resource that is being requested, via a variable number of independent analytic methods by applying one or more heuristics and a weighted average. For example, a reputation score within a selected or defined range may categorize or classify a character string and/or domain name as benign, malignant, suspicious, and/or malicious. In one aspect, an analytic metric-operation may be a DNS response resource record botnet signature detection analysis. For example, a DNS response (answer, authority and additional sections) may be captured, extracted and analyzed in real-time where extracted features may be examined via heuristic analysis to classify a domain as either benign, malignant, suspicious, and/or malicious.)
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Stein for determining a score indicating benignity of the domain name based on evaluating the values of the features based on a plurality of heuristics, and determining if the domain name is benign is also based on score indicating benignity of the domain name as taught by Baughman. One of ordinary skill in the art would have been motivated to employ the teachings of Baughman for the flexibility of a system that enables a plurality of features such as relevant scores to be utilized to determine benignity or maliciousness. (Baughman ¶ 026)
Regarding Claim 6, Stein-Cyras-Rai-Chen-Bilge-Chiba-Ma discloses the method of claim 5.
Stein does not explicitly disclose determining if the domain name is benign comprises verifying the output of the classifier based on the score indicating benignity of the domain name.
However, Baughman discloses wherein determining if the domain name is benign comprises verifying the output of the classifier based on the score indicating benignity of the domain name. (Baughman ¶ 029: In an additional aspect for an analytic metric operation for classifying a domain as either benign, malignant, suspicious, and/or malicious, a domain-IP cross verification to an intelligence database may be used where the DNS domain name IP address may be cross verified against a black-white list and other Cyber Intelligence sources. For example, the domain-IP cross verification operation includes comparing the DNS domain name IP address against trusted reputation stores.)
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Stein for determining if the domain name is benign comprises verifying the output of the classifier based on the score indicating benignity of the domain name as taught by Baughman. One of ordinary skill in the art would have been motivated to employ the teachings of Baughman for the flexibility of a system that enables a plurality of features such as relevant scores to be utilized to determine benignity or maliciousness. (Baughman ¶ 026)
Regarding Claim 7, Stein-Cyras-Rai-Chen-Bilge-Chiba-Ma discloses the method of claim 5.
Stein does not explicitly disclose evaluating the second subset of features based on the plurality of heuristics comprises evaluating each feature value of the values of the second subset of features.
However, Chen discloses wherein evaluating the second subset of features based on the plurality of heuristics comprises evaluating each feature value of the values of the second subset of features. (Chen page 1: receiving responses to the queries from the domain name system servers; and determining one or more different features for one or more domain name system servers in the plurality of domain name system servers based on the received responses.)
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Stein for evaluating the second subset of features based on the plurality of heuristics comprises evaluating each feature value of the values of the second subset of features as taught by Chen. One of ordinary skill in the art would have been motivated to employ the teachings of Chen for the flexibility of a system that utilizes multiple types of parameters such as second subset of features associated with domain name information. (Chen page 1)
Stein does not explicitly disclose determining the score comprises determining the score based on results of evaluating the values of each of the second subset of features based on the one or more respective criteria.
However, Baughman discloses wherein determining the score comprises determining the score based on results of evaluating the values of each of the second subset of features based on the one or more respective criteria. (Baughman ¶ 029: In an additional aspect for an analytic metric operation for classifying a domain as either benign, malignant, suspicious, and/or malicious, a domain-IP cross verification to an intelligence database may be used where the DNS domain name IP address may be cross verified against a black-white list and other Cyber Intelligence sources. For example, the domain-IP cross verification operation includes comparing the DNS domain name IP address against trusted reputation stores.)
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Stein for determining the score comprises determining the score based on results of evaluating the values of each of the second subset of features based on the one or more respective criteria as taught by Baughman. One of ordinary skill in the art would have been motivated to employ the teachings of Baughman for the flexibility of a system that enables a plurality of features such as relevant scores to be utilized to determine benignity or maliciousness. (Baughman ¶ 026)
Regarding Claim 11, Stein-Cyras-Rai-Chen-Bilge-Chiba-Ma discloses the non-transitory machine-readable media of claim 10.
Stein does not specifically disclose evaluate values of second plurality of features based on a plurality of heuristics and determine a score indicating benignity of domain name based on evaluation.
However, Baughman discloses wherein the program code further comprises instructions to evaluate the values of the second plurality of features based on a plurality of heuristics and determine a score indicating benignity of the domain name based on the evaluation, wherein the determination of whether the domain name is benign is also based on the score indicating benignity of the domain name. (Baughman ¶ 026: establish if a given character string represents a resource that is benign, malignant, suspicious, and/or malicious. In one aspect, a “reputation” score may be established of a resource that is being requested, via a variable number of independent analytic methods by applying one or more heuristics and a weighted average. For example, a reputation score within a selected or define ranged may categorize or classify a character string and/or domain name as benign, malignant, suspicious, and/or malicious. In one aspect, an analytic metric-operation may be a DNS response resource record botnet signature detection analysis. For example, a DNS response (answer, authority and additional sections) may be captured, extracted and analyzed in real-time where extracted features may be examined via heuristic analysis to classify a domain as either benign, malignant, suspicious, and/or malicious.)
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Stein for evaluate values of second plurality of features based on a plurality of heuristics and determine a score indicating benignity of domain name based on evaluation as taught by Baughman. One of ordinary skill in the art would have been motivated to employ the teachings of Baughman for the flexibility of a system that enables a plurality of features such as relevant scores to be utilized to determine benignity or maliciousness. (Baughman ¶ 026)
Regarding Claim 12, Stein-Cyras-Rai-Chen-Bilge-Chiba-Ma discloses the non-transitory machine-readable media of claim 11.
Stein does not explicitly disclose evaluate the values of the second plurality of features based on the plurality of heuristics comprise instructions to evaluate each of the values of the second plurality of features.
However, Chen discloses wherein the instructions to evaluate the values of the second plurality of features based on the plurality of heuristics comprise instructions to evaluate each of the values of the second plurality of features. (Chen page 1: receiving responses to the queries from the domain name system servers; and determining one or more different features for one or more domain name system servers in the plurality of domain name system servers based on the received responses.)
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Stein for evaluate the values of the second plurality of features based on the plurality of heuristics comprise instructions to evaluate each of the values of the second plurality of features as taught by Chen. One of ordinary skill in the art would have been motivated to employ the teachings of Chen for the flexibility of a system that utilizes multiple types of parameters such as second subset of features associated with domain name information. (Chen page 1)
Stein does not explicitly disclose determine the score based on results of evaluation of the values of the plurality of features based on the one or more respective criteria.
However, Baughman discloses wherein the instructions to determine the score comprise instructions to determine the score based on results of evaluation of each of the values of the second plurality of features based on the one or more respective criteria. (Baughman ¶ 026: establish if a given character string represents a resource that is benign, malignant, suspicious, and/or malicious. In one aspect, a “reputation” score may be established of a resource that is being requested, via a variable number of independent analytic methods by applying one or more heuristics and a weighted average. For example, a reputation score within a selected or define ranged may categorize or classify a character string and/or domain name as benign, malignant, suspicious, and/or malicious. In one aspect, an analytic metric-operation may be a DNS response resource record botnet signature detection analysis. For example, a DNS response (answer, authority and additional sections) may be captured, extracted and analyzed in real-time where extracted features may be examined via heuristic analysis to classify a domain as either benign, malignant, suspicious, and/or malicious.)
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Stein for determine the score based on results of evaluation of the values of the plurality of features based on the one or more respective criteria as taught by Baughman. One of ordinary skill in the art would have been motivated to employ the teachings of Baughman for the flexibility of a system that enables a plurality of features such as relevant scores to be utilized to determine benignity or maliciousness. (Baughman ¶ 026)
Regarding Claim 15, Stein-Cyras-Rai-Chen-Bilge-Chiba-Ma discloses the apparatus of claim 14.
Stein does not explicitly disclose determine a score indicating benignity of the domain name based on evaluation of the values of the plurality of features based on a plurality of heuristics, and based on the score indicating benignity of the domain name.
However, Baughman discloses wherein further comprising instructions executable by the processor to cause the apparatus to determine a score indicating benignity of the domain name based on evaluation of the values of the second plurality of features based on a plurality of heuristics, wherein the determination of if the domain name is benign is also based on the score indicating benignity of the domain name. (Baughman ¶ 026: establish if a given character string represents a resource that is benign, malignant, suspicious, and/or malicious. In one aspect, a “reputation” score may be established of a resource that is being requested, via a variable number of independent analytic methods by applying one or more heuristics and a weighted average. For example, a reputation score within a selected or define ranged may categorize or classify a character string and/or domain name as benign, malignant, suspicious, and/or malicious. In one aspect, an analytic metric-operation may be a DNS response resource record botnet signature detection analysis. For example, a DNS response (answer, authority and additional sections) may be captured, extracted and analyzed in real-time where extracted features may be examined via heuristic analysis to classify a domain as either benign, malignant, suspicious, and/or malicious.)
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Stein for determine a score indicating benignity of the domain name based on evaluation of the values of the plurality of features based on a plurality of heuristics, and based on the score indicating benignity of the domain name as taught by Baughman. One of ordinary skill in the art would have been motivated to employ the teachings of Baughman for the flexibility of a system that enables a plurality of features such as relevant scores to be utilized to determine benignity or maliciousness. (Baughman ¶ 026)
Regarding Claim 16, Stein-Cyras-Rai-Chen-Bilge-Chiba-Ma discloses the apparatus of claim 15.
Stein does not explicitly disclose cause the apparatus to determine the score based on evaluation of each of the values of the plurality of features based on the one or more respective criteria.
However, Baughman discloses wherein the instructions executable by the processor to cause the apparatus to evaluate the values of the second plurality of features based on the plurality of heuristics comprise instructions executable by the processor to cause the apparatus to evaluate each of the values of the second plurality of features based on one or more respective criteria, wherein the instructions executable by the processor to cause the apparatus to determine the score comprise instructions executable by the processor to cause the apparatus to determine the score based on the evaluation of each of the values of the second plurality of features based on the one or more respective criteria. (Baughman ¶ 026: establish if a given character string represents a resource that is benign, malignant, suspicious, and/or malicious. In one aspect, a “reputation” score may be established of a resource that is being requested, via a variable number of independent analytic methods by applying one or more heuristics and a weighted average. For example, a reputation score within a selected or define ranged may categorize or classify a character string and/or domain name as benign, malignant, suspicious, and/or malicious. In one aspect, an analytic metric-operation may be a DNS response resource record botnet signature detection analysis. For example, a DNS response (answer, authority and additional sections) may be captured, extracted and analyzed in real-time where extracted features may be examined via heuristic analysis to classify a domain as either benign, malignant, suspicious, and/or malicious.)
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Stein for determine the score based on evaluation of each of the values of the plurality of features based on the one or more respective criteria as taught by Baughman. One of ordinary skill in the art would have been motivated to employ the teachings of Baughman for the flexibility of a system that enables a plurality of features such as relevant scores to be utilized to determine benignity or maliciousness. (Baughman ¶ 026)
Regarding Claim 17, Stein-Cyras-Rai-Chen-Bilge-Chiba-Ma discloses the apparatus of claim 15.
Stein does not explicitly disclose cause apparatus to verify output of classifier based on score indicating benignity of the domain name.
However, Baughman discloses wherein the instructions executable by the processor to cause the apparatus to determine if the domain name is benign comprise instructions executable by the processor to cause the apparatus to verify the output of the classifier based on the score indicating benignity of the domain name. (Baughman ¶ 029: In an additional aspect for an analytic metric operation for classifying a domain as either benign, malignant, suspicious, and/or malicious, a domain-IP cross verification to an intelligence database may be used where the DNS domain name IP address may be cross verified against a black-white list and other Cyber Intelligence sources. For example, the domain-IP cross verification operation includes comparing the DNS domain name IP address against trusted reputation stores.)
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Stein for cause apparatus to verify output of classifier based on score indicating benignity of the domain name as taught by Baughman. One of ordinary skill in the art would have been motivated to employ the teachings of Baughman for the flexibility of a system that enables a plurality of features such as relevant scores to be utilized to determine benignity or maliciousness. (Baughman ¶ 026)
7. Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over Stein in view of Cyras and further in view of Rai and Chen and Bilge and Chiba and Ma and Huffner and Essawi et al. (Patent No. WO 2010147794 A1).
Regarding Claim 18, Stein-Cyras-Rai-Chen-Bilge-Chiba-Ma discloses the apparatus of claim 14.
Stein does not explicitly disclose generate a prompt that indicates the domain name and the plurality of task instructions based on a prompt template, wherein the plurality of task instructions comprises at least one of a task instruction to determine a brand name associated with the domain name, a task instruction to determine if the domain name is indicative of a social engineering attack, a task instruction to determine if the domain name is indicative of typosquatting.
However, Huffner discloses wherein further comprising instructions executable by the processor to cause the apparatus to generate a prompt that indicates the domain name and the plurality of task instructions based on a prompt template, wherein the plurality of task instructions comprises at least one of a task instruction to determine a brand name associated with the domain name, a task instruction to determine if the domain name is indicative of a social engineering attack, a task instruction to determine if the domain name is indicative of typosquatting. (Huffner col 2: a request for analysis of relevance of a domain name to a brand name may be obtained. In response to the request, a list of features may be determined. The features may include information associated with one or more terms included as substrings in the domain name. The determining may include obtaining a language model for each term, analyzing a cluster of language models closest to the obtained language model, determining a relevance measurement value, and determining a score of the determined relevance measurement value of each term to the brand name, based on the analyzing.; (selected: a task instruction to determine a brand name associated with the domain name))
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Stein for at least one of a task instruction to determine a brand name associated with the domain name, a task instruction to determine if the domain name is indicative of a social engineering attack, and a task instruction to determine if the domain name is indicative of typosquatting as taught by Huffner. One of ordinary skill in the art would have been motivated to employ the teachings of Huffner for the flexibility of a system that enables multiple task operation such as determining a brand name associated with the domain name. (Huffner col 2)
Stein does not explicitly disclose determine search results for the domain name, summarize search results to generate a summary, and determine if the domain name is benign based on the summary of the search results.
However, Essawi discloses wherein task instructions to determine one or more search results for the domain name, summarize the one or more search results to generate a summary, and determine if the domain name is benign based on the summary of the search results. (Essawi ¶ 051: SecurityAuditorReportManager 460 will flush the transaction log and SQL summary caches and generate two reports: a summary report 468 which gives a high level report of the types and counts of errors and a detail error report 464. Other reports can be generated as appropriate to the particular application.; ¶ 011: present invention provide operations staff with alerts when any changes to the SRS registry database are performed outside of known applications. Thus, information related to malicious activity associated with the registry database is provided by the embodiments described herein.)
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Stein for determine search results for the domain name, summarize search results to generate a summary, and determine if the domain name is benign based on the summary of the search results as taught by Essawi. One of ordinary skill in the art would have been motivated to employ the teachings of Essawi for the flexibility of a system that enables processing of multiple parameters and the generation of a summary report of domain name is benign or malicious. (Essawi ¶ 051; ¶ 011)
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Kyung H Shin whose telephone number is (571)272-3920. The examiner can normally be reached M - F: 12pm - 8pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joon H Hwang can be reached at 571-272-4036. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/KYUNG H SHIN/ 3-12-2026
Primary Examiner, Art Unit 2447