Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Information Disclosure Statement
The information disclosure statement (IDS) submitted is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Note: The claims are statutory per 101 abstract idea.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13.
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer.
Claims 1 – 20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1 – 11, 13 – 21 of U.S. Patent No. 12081589. Although the claims at issue are not identical, they are not patentably distinct from each other because instant application claims 1-20 are made obvious by said patent claims.
Instant App. # 18771591
U.S. Patent No. 12081589
1. (New) A method comprising: determining, based on a plurality of representations of a first domain name system (DNS) cache, a first subset of the plurality of representations associated with manipulations of the first DNS cache and a second subset of the plurality of representations associated with one or more normal change in the first DNS cache; training, based on the first subset and the second subset, a machine learning model to become a trained machine learning model, wherein the trained machine learning model is configured to detect manipulation of a second DNS cache; and invoking the machine learning model to detect manipulation of the second DNS cache.
2. (New) The method of claim 1, wherein the manipulations of the first DNS cache are changes to byte counts of the first subset of the plurality of representations.
3. (New) The method of claim 1, wherein the manipulations of the first DNS cache are changes to host record internet protocol (IP) addresses of the first subset of the plurality of representations.
4. (New) The method of claim 1, wherein the first subset comprises cache attributes that indicate increased traffic to records of the first subset of the plurality of representations.
5. (New) The method of claim 1, further comprising performing, in response to the machine learning model detecting manipulation of the second DNS cache, a remedial action on the second DNS cache.
6. (New) The method of claim 5, wherein performing the remedial action on the second DNS cache further comprises sending an alert to an administrator of the second DNS cache, the alert identifying one or more records affected by manipulation of the second DNS cache.
7. (New) The method of claim 5, wherein performing the remedial action on the second DNS cache further comprises purging one or more records affected by manipulation of the second DNS cache.
8. (New) A method, comprising: receiving a first representation representing a first snapshot of one or more domain records; receiving a second representation representing a second snapshot of the one or more domain records; and identifying, based at least on changes between the first representation and the second representation, an abnormal change to the one or more domain records.
9. (New) The method of claim 8, wherein the first representation represents the first snapshot of the one or more domain records from a first domain name system (DNS) cache, the first DNS cache being hosted on a first DNS server, the second representation represents the second snapshot of the one or more domain records from a second DNS cache, and the second DNS cache being hosted on a second DNS server.
10. (New) The method of claim 9, wherein the first DNS server is a root server and the second DNS server is one of a top-level domain (TLD) server or an authoritative name server.
11. (New) The method of claim 9, further comprising sending, to the first DNS server, a request to purge the one or more domain records affected by the abnormal change.
12. (New) The method of claim 9, further comprising sending, to the second DNS server, a request to purge the one or more domain records affected by the abnormal change.
13. (New) The method of claim 8, wherein the first representation represents a first caching period of time and the second representation represents a second caching period of time.
14. (New) The method of claim 13, further comprising sending an alert to an administrator, the alert identifying the one or more domain records affected by the abnormal change.
15. (New) A method, comprising: receiving a representation of a DNS cache, the representation comprising a plurality of cache attributes associated with the DNS cache; determining that one or more cache attributes of the representation satisfy one or more alert rules of a plurality of alert rules; and performing, in response to determining that the one or more cache attributes of the representation satisfy the one or more alert rules of the plurality of alert rules, a remedial action.
16. (New) The method of claim 15, wherein a byte count of the DNS cache is a cache attribute of the one or more cache attributes and a first alert rule of the one or more alert rules is satisfied by determining that a change in the byte count of the DNS cache exceeds a threshold identified in the first alert rule.
17. (New) The method of claim 15, wherein a host record internet protocol (IP) address is a cache attribute of the one or more cache attributes and a first alert rule of the one or more alert rules is satisfied by determining that the host record IP address has changed.
18. (New) The method of claim 15, wherein a traffic amount is a cache attribute of the one or more cache attributes and a first alert rule of the one or more alert rules is satisfied by determining that an increase in the traffic amount has occurred.
19. (New) The method of claim 15, further comprising outputting the plurality of alert rules by a trained machine learning model, the trained machine learning model having been trained by a first corpus of abnormal cache changes and a second corpus of normal cache changes.
20. (New) The method of claim 15, wherein performing the remedial action further comprises purging the one or more domain records affected by an abnormal change.
(Currently Amended) A method comprising:
receiving, at a computing device, a plurality of representations of a domain name system (DNS) cache, wherein each representation of the plurality of representations comprises a plurality of cache attributes associated with the DNS cache;
determining, based on the plurality of representations, first subset of the plurality of representations associated with a manipulation of the DNS cache and a second subset of the plurality of representations associated with one or more normal change in the DNS cache;
determining, based on the first subset and the second subset, one or more cache attributes indicative of the manipulation of the DNS cache; and
training, based on the one or more determined cache attributes indicative of the manipulation of the DNS cache to a , and cause a remedial action to be performed on the computing device associated with the DNS cache.
(Original) The method of claim 1, wherein each representation of the plurality of representations is associated with a unique time interval.
(Currently Amended) The method of claim 1, wherein [[the]] at least one representation of the first subset is associated with a malicious attack on the DNS cache.
(Original) The method of claim 1, wherein the plurality of cache attributes associated with the DNS cache comprise one or more of a byte count of the DNS cache, a server name associated with a DNS resolution, a server location associated with the DNS resolution, or a visual representation of the DNS cache.
(Currently Amended) The method of claim 4, wherein the one or more changes in the one or more cache attributes indicative of the manipulation are associated with at least one representation of the first subset, and wherein the at least one representation of the first subset is associated with an abnormal change in one or more of the byte count of the DNS cache, the server name associated with the DNS resolution, the server location associated with the DNS resolution, or the visual representation of the DNS cache.
(Currently Amended) The method of claim 1, wherein the DNS cache is associated with one or more of a root server of the DNS cache, a top-level server of the DNS cache, or an authoritative name server of the DNS cache.
(Currently Amended) The method of claim 1, further comprising:
outputting the trained machine learning model as a plurality of alert rules.
(Currently Amended) A method comprising:
receiving, at a computing device, a representation of a domain name system (DNS) cache, wherein the representation comprises a plurality of cache attributes associated with the DNS cache;
providing the plurality of cache attributes to a trained machine learning model, wherein the trained machine learning model is trained on a first subset of a plurality of historical representations associated with one or more historical abnormal change in the DNS cache and a second subset of the plurality of historical representations associated with one or more historical normal change in the DNS cache; and
causing, based on the one or more changes in the one or more cache attributes being indicative of the manipulation of the DNS cache, a remedial action to be performed on a computing device associated with the DNS cache.
(Original) The method of claim 8, wherein the representation and the manipulation are associated with a malicious attack on the DNS cache.
(Original) The method of claim 8, wherein the manipulation comprises one or more of an abnormal change in a byte count of the DNS cache, an abnormal change in a server name associated with a DNS resolution, an abnormal change in a server location associated with a DNS resolution, or an abnormal change in a visual representation of the DNS cache.
(Currently Amended) The method of claim 8, wherein the computing device associated with the DNS cache comprises one or more of a DNS resolver of the DNS cache, a root server of the DNS cache, a top-level server of the DNS cache, or an authoritative name server of the DNS cache.
(Currently Amended) The method of claim 8, further comprising:
determining, based on the representation and the trained machine learning model, that [[the]] one or more of the plurality of cache attributes of the representation satisfy one or more of [[the]]a plurality of alert rules, wherein the one or more of the plurality of alert rules are satisfied when the trained machine learning model provides a level of confidence above a threshold that the one or more of the plurality of cache attributes are associated with the manipulation of the DNS cache.
(Currently Amended) The method of claim 8, wherein causing the remedial action to be performed on the computing device associated with the DNS cache comprises one or more of:
sending, to an administrator of the DNS cache, an alert comprising an indication of the manipulation of in the DNS cache; or
causing the computing device to clear one or more records of the DNS cache
(Currently Amended) A method comprising:
receiving, at a domain name system (DNS) resolver, a representation of a DNS cache, wherein the representation comprises a plurality of cache attributes associated with the DNS cache;
providing the plurality of cache attributes to a trained machine learning model, wherein the trained machine learning model is configured to detect one or more changes in , wherein the trained machine learning model is trained on a first subset of a plurality of historical representations associated with one or more historical abnormal change in the DNS cache and a second subset of the plurality of historical representations associated with one or more historical normal change in the DNS cache; and
sending, based on the one or more changes in the plurality of cache attributes being indicative of the manipulation of the DNS cache, an alert to a computing device associated with the DNS cache.
(Original) The method of claim 15, wherein the representation and the manipulation are associated with a malicious attack on the DNS cache.
(Original) The method of claim 15, wherein the manipulation comprises one or more of an abnormal change in a byte count of the DNS cache, an abnormal change in a server name associated with a DNS resolution, an abnormal change in a server location associated with a DNS resolution, or an abnormal change in a visual representation of the DNS cache.
(Original) The method of claim 15, wherein the alert causes the computing device associated with the DNS cache to clear one or more records of the DNS cache.
(Currently Amended) The method of claim 15, further comprising:
receiving, by [[the]]a DNS resolver, a plurality of alert rules, wherein the plurality of alert rules are configured to detect one or more manipulations of the DNS cache.
(Currently Amended) The method of claim 19 further comprising:
determining, based on the representation, that one or more of the plurality of cache attributes satisfy one or more of the plurality of alert rules, wherein the one or more of the plurality of alert rules are satisfied when the trained machine learning model provides a level of confidence above a threshold that the one or more of the plurality of cache attributes are indicative of the manipulation of the DNS cache.
(New) The method of claim 8, wherein at least one representation of the first subset is associated with a malicious attack on the DNS cache.
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.
Claims 1 – 3, 5, 6, 8 – 10, 13 – 17 are rejected under 35 U.S.C. 102(a)(1) / (2) as being anticipated by Ogale et al (US 20200228495), hereafter Oga.
Claim 1: Oga teaches a method comprising (Summary): determining, based on a plurality of representations of a first domain name system (DNS) cache, a first subset of the plurality of representations associated with manipulations of the first DNS cache and a second subset of the plurality of representations associated with one or more normal change in the first DNS cache; ([04, Figs. 2, 3] during the learning phase, the agent builds the DNS cache by listening for DNS response messages that map domain names to network addresses... Fig. 2 illustrates normal operations (i.e., second subset: once the local DNS has received a DNS entry for example.com, the DCN uses the supplied network address to contact the correct website) vs. Fig. 3, which shows corrupted DNS operations (i.e., first subset)).
training, based on the first subset and the second subset, a machine learning model to become a trained machine learning model, wherein the trained machine learning model is configured to detect manipulation of a second DNS cache; ([04] At the end of this learning phase the agent sends the cache entries..., and receives back from the service policies for each of the entries. These policies, specify conditions under which a modification to the corresponding DNS entries (a change in the network address to which a domain name is mapped) will violate the policies (i.e., trained model)).
and invoking the machine learning model to detect manipulation of the second DNS cache. ([05, Fig. 4] during the detection phase, the agent monitors modifications of entries in the DNS cache to detect if an entry has been modified by a DNS response such that the modified entry violates the policy for the entry. The agent detects that a modification violates its policy...).
Claim 2: Oga teaches the method of claim 1, wherein the manipulations of the first DNS cache are changes to byte counts of the first subset of the plurality of representations. ([06] A range of network addresses are used when contacting a domain name outside the private network, but with a consistent pattern of network addresses (i.e., byte counts) identified during the learning phase (all network addresses legitimately associated with example.com are IP addresses that start with 192.168)).
Claim 3: Oga teaches the method of claim 1, wherein the manipulations of the first DNS cache are changes to host record internet protocol (IP) addresses of the first subset of the plurality of representations. ([030, Fig. 2-3] before the top-level DNS sends the valid DNS response to datacenter DNS, the compromised DCN sends out (in operation 3) a flood of hoax DNS entries for example.com. The hoax DNS entries have a different network address from the legitimate DNS entry (in this case, IP address 6.6.6.0 instead of IP address 1.2.3.4)).
Claim 5: Oga teaches the method of claim 1, further comprising performing, in response to the machine learning model detecting manipulation of the second DNS cache, a remedial action on the second DNS cache. ([03] centralized detection service performs additional analysis (on the DNS cache) and takes a (remedial) action).
Claim 6: Oga teaches the method of claim 5, wherein performing the remedial action on the second DNS cache further comprises sending an alert to an administrator of the second DNS cache, the alert identifying one or more records affected by manipulation of the second DNS cache. ([022] the agent notifies a centralized detection service of the violation (by sending an alert). The centralized detection service performs additional analysis and takes an action (notify an administrator, etc.); [08] As an initial check, the centralized service determines whether a new network address is on a list of blacklisted network addresses).
Claim 8: Oga teaches a method, comprising (Summary): receiving a first representation representing a first snapshot of one or more domain records; receiving a second representation representing a second snapshot of the one or more domain records; and identifying, based at least on changes between the first representation and the second representation, an abnormal change to the one or more domain records. (Summary, [04, Figs. 2, 3]: during a first operational phase of an agent executing on the DCN, builds a DNS cache that stores entries; During a second operational phase of the agent, the method detects that an entry of the DNS cache has been modified by a DNS response such that the modified entry violates the policy for the entry. Based on the detection, the method sends an alert to the centralized service. The centralized service performs additional analysis on the modification to determine whether to allow the DCN to use the modified DNS cache entry).
Claim 9: Oga teaches a method of claim 8, wherein the first representation represents the first snapshot of the one or more domain records from a first domain name system (DNS) cache, the first DNS cache being hosted on a first DNS server, the second representation represents the second snapshot of the one or more domain records from a second DNS cache, and the second DNS cache being hosted on a second DNS server. ([032, Fig. 4] shows the data structure of DNS caches: an uncompromised DNS cache 400 and a compromised DNS cache 405).
Claim 10: Oga teaches a method of claim 9, wherein the first DNS server is a root server and the second DNS server is one of a top-level domain (TLD) server or an authoritative name server. ([027, Fig. 2] The system includes a top-level DNS 215, and a web-site 220 (i.e., root server)).
Claim 13: Oga teaches a method of claim 8, wherein the first representation represents a first caching period of time and the second representation represents a second caching period of time. ([027, 32, Fig. 2, 4] shows normal operations of a DNS caching system; a time to live (TTL) value counting down the amount of time for which the DNS entry is considered valid, i.e., first; the data structure of a DNS cache of an entry changing from a valid entry to a compromised entry (i.e., second) and a TTL of 500 hours).
Claim 14: Oga teaches a method of claim 13, further comprising sending an alert to an administrator, the alert identifying the one or more domain records affected by the abnormal change. ([03] the agent notifies a centralized detection service of the violation (by sending an alert)).
Claim 15: Oga teaches a method, comprising (Summary): receiving a representation of a DNS cache, the representation comprising a plurality of cache attributes associated with the DNS cache; determining that one or more cache attributes of the representation satisfy one or more alert rules of a plurality of alert rules; and performing, in response to determining that the one or more cache attributes of the representation satisfy the one or more alert rules of the plurality of alert rules, a remedial action. ([04, Figs. 2, 3] the agent builds the DNS cache by listening for DNS response messages that map domain names to network addresses. [03, 07] an agent executing on the DCN uses a DNS cache with entries (addresses, a time to live (TTL) value i.e., attributes) that each (i) map a domain name to a network address and (ii) include a policy for the entry that indicates conditions under which the policy has been violated. When the agent detects that a cache entry has been modified in such a way as to violate the policy, the agent notifies a centralized detection service of the violation (by sending an alert). The centralized detection service can then perform additional analysis and take an action).
Claim 16: Oga teaches a method of claim 15, wherein a byte count of the DNS cache is a cache attribute of the one or more cache attributes and a first alert rule of the one or more alert rules is satisfied by determining that a change in the byte count of the DNS cache exceeds a threshold identified in the first alert rule. ([06] A range of network addresses are used when contacting a domain name outside the private network, but with a consistent pattern of network addresses (i.e., byte counts) identified during the learning phase (all network addresses legitimately associated with example.com are IP addresses that start with 192.168); [042] a new DNS entry may have a network address outside an allowed range of network addresses… policy violation results in a higher alert severity).
Claim 17: Oga teaches a method of claim 15, wherein a host record internet protocol (IP) address is a cache attribute of the one or more cache attributes and a first alert rule of the one or more alert rules is satisfied by determining that the host record IP address has changed. ([039] if the network address with which a domain name is associated is modified, this could violate a policy that restricts allowable network addresses for the domain name).
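The snapshot comparison and alert rules discussed for claims 8 and 15 – 17, together with the learning-phase address pattern cited from Oga, can be sketched as follows. This is an added example, not code from the Office action, the application, or Oga; the class and function names, the /16 grouping used as the learned "pattern", and the byte counts are assumptions, while the example.com addresses are the ones quoted above.

```python
import ipaddress
from dataclasses import dataclass

# Assumption: a learned "address pattern" is the /16 (IPv4) or /32 (IPv6)
# network containing each address seen during the learning phase.
PREFIX_LEN = {4: 16, 6: 32}


@dataclass(frozen=True)
class Snapshot:
    """One representation of a DNS cache at a point in time."""
    records: dict      # domain name -> set of IP address strings
    byte_count: int    # size of the cache in bytes


@dataclass(frozen=True)
class Alert:
    rule: str
    severity: str
    domain: str        # "" for cache-wide rules
    detail: str


def _network_of(ip):
    addr = ipaddress.ip_address(ip)
    return ipaddress.ip_network(f"{addr}/{PREFIX_LEN[addr.version]}", strict=False)


def learn_policies(snapshots):
    """Learning phase: record, per domain, the networks its addresses fell in."""
    policies = {}
    for snap in snapshots:
        for domain, ips in snap.records.items():
            policies.setdefault(domain, set()).update(_network_of(ip) for ip in ips)
    return policies


def evaluate(prev, curr, policies, byte_threshold):
    """Detection phase: apply the alert rules to two consecutive snapshots."""
    alerts = []
    # Rule 1 (byte count): change in cache size exceeds the rule's threshold.
    delta = abs(curr.byte_count - prev.byte_count)
    if delta > byte_threshold:
        alerts.append(Alert("byte_count_change", "medium", "",
                            f"cache size changed by {delta} bytes"))
    # Rule 2 (host record IP): a cached name now maps to a new address.
    for domain in sorted(curr.records):
        if domain not in prev.records:
            continue  # newly cached name, nothing to compare against
        new_ips = set(curr.records[domain]) - set(prev.records[domain])
        if not new_ips:
            continue
        allowed = policies.get(domain, set())
        outside = sorted(ip for ip in new_ips
                         if not any(ipaddress.ip_address(ip) in net for net in allowed))
        # An address outside the learned pattern raises the severity.
        severity = "high" if outside else "low"
        shown = outside if outside else sorted(new_ips)
        alerts.append(Alert("host_record_ip_changed", severity, domain,
                            "new address(es): " + ", ".join(shown)))
    return alerts


def records_to_purge(alerts):
    """Remedial action input: domains whose records should be cleared."""
    return sorted({a.domain for a in alerts
                   if a.rule == "host_record_ip_changed" and a.severity == "high"})


# Constructed sample data (byte counts and intranet.example are made up).
LEARNING = [
    Snapshot({"example.com": {"1.2.3.4"}, "intranet.example": {"192.168.10.5"}}, 4096),
    Snapshot({"example.com": {"1.2.3.4"}, "intranet.example": {"192.168.20.9"}}, 4100),
]
PREV = LEARNING[-1]
CURR = Snapshot({"example.com": {"6.6.6.0"}, "intranet.example": {"192.168.30.7"}}, 9200)

if __name__ == "__main__":
    found = evaluate(PREV, CURR, learn_policies(LEARNING), byte_threshold=1024)
    for alert in found:
        print(alert)
    print("purge:", records_to_purge(found))
```

The change for intranet.example stays inside the learned 192.168 pattern and is reported at low severity, while the example.com change to 6.6.6.0 falls outside it and is the only record selected for purging.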
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Oga as applied to claims above, and further in view of Chandra et al (US 20100074125), hereafter Cha.
Claim 4: Oga teaches the method of claim 1, but is silent on wherein the first subset comprises cache attributes that indicate increased traffic to records of the first subset of the plurality of representations.
But analogous art Cha teaches wherein the first subset comprises cache attributes that indicate increased traffic to records of the first subset of the plurality of representations. (Cha: [0031] The system includes a flow pair component that identifies correlated occurrences from flow dependencies in the trace. The flow pair component identifies flow groups that co-occur with frequency significantly greater than chance and repeat consistently over long periods of time).
Therefore, it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Oga to include the idea of getting traffic rate as taught by Cha so that the traffic evaluator detects malicious traffic, machines infected by viruses, mysql bot scans, SSH scans targeting key routers, etc. (027).
Claims 7, 11, 12, 18 – 20 are rejected under 35 U.S.C. 103 as being unpatentable over Oga as applied to claims above, and further in view of Wright et al (US 20180063190), hereafter Wri.
Claim 7: Oga teaches the method of claim 5, but is silent on wherein performing the remedial action on the second DNS cache further comprises purging one or more records affected by manipulation of the second DNS cache.
But analogous art Wri teaches wherein performing the remedial action on the second DNS cache further comprises purging one or more records affected by manipulation of the second DNS cache. (Wri: [060] Implementing takedown operations can include hosting provider by removing the attack website from the hosting space, DNS provider by deleting DNS zones for the attack website).
Therefore, it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Oga to include the idea of deleting bad DNS entries as taught by Wri so that the process ameliorates the threat of a cyber-attack or the like by the potential attacker or an affiliate thereof. ([025]).
Claim 11: Oga teaches a method of claim 9, but analogous art Wri teaches further comprising sending, to the first DNS server, a request to purge the one or more domain records affected by the abnormal change. (Wri: [060] notifying a suitable entity and/or any other action. Implementing takedown operations can include hosting provider by removing the attack website from the hosting space, DNS provider by deleting DNS zones for the attack website).
Therefore, it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Oga to include the idea of deleting bad DNS entries as taught by Wri so that the process ameliorates the threat of a cyber-attack or the like by the potential attacker or an affiliate thereof. ([025]).
Claim 12: Oga teaches the method of claim 9, but analogous art Wri teaches further comprising sending, to the second DNS server, a request to purge the one or more domain records affected by the abnormal change. (Wri: [060] notifying a suitable entity and/or any other action. Implementing takedown operations can include hosting provider by removing the attack website from the hosting space, DNS provider by deleting DNS zones for the attack website).
Therefore, it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Oga to include the idea of deleting bad DNS entries as taught by Wri so that the process ameliorates the threat of a cyber-attack or the like by the potential attacker or an affiliate thereof. ([025]).
Claim 18: Oga teaches the method of claim 15, but analogous art Wri teaches wherein a traffic amount is a cache attribute of the one or more cache attributes and a first alert rule of the one or more alert rules is satisfied by determining that an increase in the traffic amount has occurred. (Wri: [024] The HTTP cookie collects data indicative of: … frequency of visits, timing of visits, and/or other attack website visitor data; [030] Attack website visitor fingerprints is compared against known attacker digital fingerprints in identifying attackers and/or illegitimate attack websites).
Therefore, it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Oga to include the idea of determining that an increase in the traffic amount has occurred, as taught by Wri, so that the process ameliorates the threat of a cyber-attack or the like by the potential attacker or an affiliate thereof. ([025]).
Claim 19: Oga teaches the method of claim 15, but analogous art Wri teaches further comprising outputting the plurality of alert rules by a trained machine learning model, the trained machine learning model having been trained by a first corpus of abnormal cache changes and a second corpus of normal cache changes. ([056] Automatically classifying a potential attack website can include generating one or more models for distinguishing between non-attack websites and attack websites. An attack website identification model is preferably generated from attack website features. Attack website features can be extracted from website monitoring data, attack website activity, and/or any suitable data …).
Therefore, it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Oga to include the idea of using attack website features to train models as taught by Wri so that the process ameliorates the threat of a cyber-attack or the like by the potential attacker or an affiliate thereof. ([025]).
Claim 20: Oga teaches the method of claim 15, but analogous art Wri teaches wherein performing the remedial action further comprises purging the one or more domain records affected by an abnormal change. (Wri: [060] Implementing takedown operations can include hosting provider by removing the attack website from the hosting space, DNS provider by deleting DNS zones for the attack website).
Therefore, it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Oga to include the idea of deleting bad DNS entries as taught by Wri so that the process ameliorates the threat of a cyber-attack or the like by the potential attacker or an affiliate thereof. ([025]).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Badri Champakesan whose telephone number is (571)270-3867. The examiner can normally be reached M-F: 8.30am-4.30pm (EST). Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung Kim, can be reached at (571) 272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/BADRINARAYANAN /Primary Examiner, Art Unit 2494.