Prosecution Insights
Browse Companies Examiners Firms Draft Your Response
Office ActionsInfoblox Inc. › 18784281
Last updated: April 19, 2026
Application No. 18/784,281

SMART WHITELISTING FOR DNS SECURITY

Non-Final OA §101§103§DP
Filed
Jul 25, 2024
Examiner
RAZA, MUHAMMAD A
Art Unit
2449
Tech Center
2400 — Computer Networks
Assignee
Infoblox Inc.
OA Round
1 (Non-Final)
58%
Grant Probability
Moderate
1-2
OA Rounds
3y 6m
To Grant
99%
With Interview

This examiner grants 58% of cases after interview

+70.8% interview lift. A telephonic interview to clarify the technical implementation could significantly improve the outcome.
Based on 274 resolved cases, 2023–2026

Examiner Intelligence

RAZA, MUHAMMAD A View full profile →
Grants 58% of resolved cases
58%
Career Allow Rate
158 granted / 274 resolved
At TC average
Strong +71% interview lift
Without
With
+70.8%
Interview Lift
resolved cases with interview
Typical timeline
3y 6m
Avg Prosecution
32 currently pending
Career history
306
Total Applications
across all art units

Statute-Specific Performance

§101
17.0%
-23.0% vs TC avg
§103
47.7%
+7.7% vs TC avg
§102
6.5%
-33.5% vs TC avg
§112
21.4%
-18.6% vs TC avg
Black line = Tech Center average estimate • Based on career data from 274 resolved cases

Office Action

§101 §103 §DP
DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Status of Claims Claims 1-20 are pending in this Office Action. Drawings The formal drawings received on 07/25/2024 have been entered. Double Patenting The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969). A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13. The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer. Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. US 11206265. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims in the instant application are obvious variant of claims in U.S. Patent No. US 11206265. Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-18 of U.S. Patent No. US 12101322. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims in the instant application are obvious variant of claims in U.S. Patent No. US 12101322. Claim Rejections - 35 USC § 101 35 U.S.C. 101 reads as follows: Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title. Independent Claim(s): Step 1: Statutory Category. Claim(s) 1-20 is/are directed to statutory category of subject matter. The claim(s) does/do fall within at least one of the four categories of patent eligible subject matter because the claim(s) is/are directed to either a process, machine, manufacture, or composition of matter. Step 2A: Prong One. Judicial Exception. Claim(s) 1-20 is/are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more. The claim(s) are directed to abstract idea of generating a whitelist using the filtered DNS related event data, wherein the whitelist includes a subset of network domains included in the DNS related event data based on a data driven model of the DNS related event data and the DNS related threat data, as explained in detail below. The claim(s) do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional computer elements, which are recited at a high level of generality, provide conventional computer functions that do not add meaningful limits to practicing the abstract idea. The independent claim(s) recites, in part, receive a set of network related event data, wherein the set of network related event data includes Domain Name System (DNS) related event data; receive a set of network related threat data, wherein the set of network related threat data includes DNS related threat data; filter the DNS related event data using the set of network related threat data to obtain filtered DNS related event data; and generate a whitelist using the filtered DNS related event data, wherein the whitelist includes a subset of network domains included in the DNS related event data based on a data driven model of the DNS related event data and the DNS related threat data; and a memory coupled to the processor and configured to provide the processor with instructions. These steps describe the concept of generating a whitelist using the filtered DNS related event data, wherein the whitelist includes a subset of network domains included in the DNS related event data based on a data driven model of the DNS related event data and the DNS related threat data, which corresponds to concepts identified as abstract ideas by the courts, such as filtering content, BASCOM Global Internet v. AT&T Mobility, LLC, 827 F.3d 1341, 1345-46, 119 USPQ2d 1236, 1239 (Fed. Cir. 2016). All of these concepts relate to “Certain Methods of Organizing Human Activity” in which “Concepts relating to interpersonal and intrapersonal activities, such as managing relationships or transactions between people, social activities, and human behavior; satisfying or avoiding a legal obligation; advertising, marketing, and sales activities or behaviors; and managing human mental activity.” The concept described in the claim(s) is/are not meaningfully different than “Certain Methods of Organizing Human Activity” found by the courts to be abstract ideas. As such, the description in the claim(s) of generating a whitelist using the filtered DNS related event data, wherein the whitelist includes a subset of network domains included in the DNS related event data based on a data driven model of the DNS related event data and the DNS related threat data is an abstract idea. Enfish, LLC v. Microsoft Corp. 822 F.3d 1327, 1335-36 (Fed. Cir. 2016) (“[T]he first step in the Alice inquiry in this case asks whether the focus of the claims [was] on the specific asserted improvement in computer capabilities … or, instead, on a process that qualifies as an ‘abstract idea’ for which computers are invoked merely as a tool.”) No such evidence exists on this record. Unlike Enfish, where the claims were focused on a specific improvement in how the computer functioned, the claim here merely uses the computer as a tool to perform the abstract concepts, and the claims are not rooted in technology and simply employs conventional techniques used by humans for generating a whitelist using the filtered DNS related event data, wherein the whitelist includes a subset of network domains included in the DNS related event data based on a data driven model of the DNS related event data and the DNS related threat data. The claim here is not similar to claimed patent’s innovative logical model for a computer database (p. 2-3), nor does the claim here have similar specific asserted improvement in computer capabilities (p. 7) as in the Enfish patent. Rather here, the claim is directed to automating the human behavior or task. (See Enfish Memo and Enfish v. Microsoft, May 2016). In addition, simply limiting the invention to a technological environment does “not make an abstract concept any less abstract under step one.” Intellectual Ventures I, 850 F.3d at 1340. Therefore, based on the similarity of the concept described in this claim to abstract ideas identified by the courts in the claim is directed to an abstract idea. For these reasons, afford are ineligible. Step 2A: Prong Two. Practical Application. Adding the words “apply it” (or an equivalent) with the judicial exception, or mere instructions to implement an abstract idea on a computer, or merely uses a computer as a tool to perform an abstract idea - see MPEP 2106.05(f). Adding insignificant extra-solution activity to the judicial exception - see MPEP 2106.05(g). Generally linking the use of the judicial exception to a particular technological environment or field of use – see MPEP 2106.05(h). Step 2B: Additional Elements Significantly More Then the Judicial Exception. The independent claim(s) do/does not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements when considered both individually and as an ordered combination do not amount to significantly more than the abstract idea. The claim recites the additional limitations of a “processor” configured to: receive a set of network related event data, wherein the set of network related event data includes Domain Name System (DNS) related event data; receive a set of network related threat data, wherein the set of network related threat data includes DNS related threat data; filter the DNS related event data using the set of network related threat data to obtain filtered DNS related event data; and generate a whitelist using the filtered DNS related event data, wherein the whitelist includes a subset of network domains included in the DNS related event data based on a data driven model of the DNS related event data and the DNS related threat data; and a “memory” coupled to the “processor” and configured to provide the processor with instructions. The “memory” and “processor” are recited at a high level of generality and are recited as performing generic computer functions routinely used in computer applications. Generic computer components recited as performing generic computer functions that are well-understood, routine and conventional activities amount to no more than implementing the abstract idea with a computerized system. Next, “generating a whitelist using the filtered DNS related event data, wherein the whitelist includes a subset of network domains included in the DNS related event data based on a data driven model of the DNS related event data and the DNS related threat data” is stated at a high level of generality without tying it to an algorithm that would improve the functionality of the technology and its broadest reasonable interpretation comprises only generating a whitelist using the filtered DNS related event data, wherein the whitelist includes a subset of network domains included in the DNS related event data based on a data driven model of the DNS related event data and the DNS related threat data through the use of some unspecified generic computers and interface. The use of generic computer components for generating a whitelist using the filtered DNS related event data, wherein the whitelist includes a subset of network domains included in the DNS related event data based on a data driven model of the DNS related event data and the DNS related threat data through an unspecified interface does not impose any meaningful limit on the computer implementation of the abstract idea. These independent claims include insignificant pre-solution limitation(s) [a processor configured to: receive a set of network related event data, wherein the set of network related event data includes Domain Name System (DNS) related event data; receive a set of network related threat data, wherein the set of network related threat data includes DNS related threat data; filter the DNS related event data using the set of network related threat data to obtain filtered DNS related event data;] and post-solution limitation(s) [a memory coupled to the processor and configured to provide the processor with instructions] that do not transform the patent-ineligible concept of an abstract idea to a patent-eligible concept even if they are performed using general purpose computer, as these pre-solution limitation(s) and post-solution limitation(s) add insignificant extrasolution activity to the judicial exception. Thus, taken alone, the additional elements do not amount to significantly more than the above-identified judicial exception (the abstract idea). Looking at the limitations as an ordered combination adds nothing that is not already present when looking at the elements taken individually. There is no indication that the combination of elements improves the functioning of a computer or improves any other technology. Their collective functions merely provide conventional computer implementation. Additionally, adding the words ‘‘apply it’’ (or an equivalent) with the judicial exception (i.e., applying the judicial exception to the Domain Name System network services), or mere instructions to implement an abstract idea on a computer or generally linking the use of the judicial exception to a particular technological environment or field of use (i.e., the Domain Name System network services) is also found to not be enough to qualify as significantly more. Dependent Claim(s): Step 1: Statutory Category. Claim(s) 2-10, 12-15, and 17-20 is/are directed to statutory category of subject matter. The claim(s) does/do fall within at least one of the four categories of patent eligible subject matter because the claim(s) is/are directed to either a process, machine, manufacture, or composition of matter. Step 2A: Judicial Exception. Claim(s) 2-10, 12-15, and 17-20 is/are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more. The claim(s) are directed to abstract idea of generating a whitelist using the filtered DNS related event data, wherein the whitelist includes a subset of network domains included in the DNS related event data based on a data driven model of the DNS related event data and the DNS related threat data, without any significant extrasolution activities, as explained in detail below. The claim(s) do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional computer elements, which are recited at a high level of generality, provide conventional computer functions that do not add meaningful limits to practicing the abstract idea. The dependent claim(s) recites, in part, 2. The system recited in claim 1, wherein the DNS related event data includes a set of popular network domains. 3. The system recited in claim 1, wherein the DNS related threat data includes a DNS threat feed. 4. The system recited in claim 1, wherein the DNS related threat data includes a DNS threat feed that is associated with a first enterprise network. 5. The system recited in claim 1, wherein the DNS related threat data includes a DNS threat feed that is automatically filtered to determine a popularity of network domains associated with malware. 6. The system recited in claim 1, wherein the subset of network domains included in the whitelist are selected using a classifier. 7. The system recited in claim 1, wherein the subset of network domains included in the whitelist are selected using a statistical classifier. 8. The system recited in claim 1, wherein: the DNS related event data is automatically filtered using a classifier to exclude one or more network domains associated with malware; and the processor is further configured to: output the whitelist to a network device for filtering DNS requests using the whitelist. 9. The system recited in claim 1, wherein: the DNS related event data is automatically filtered using a classifier to exclude one or more network domains associated with malware; and the processor is further configured to: periodically update the whitelist based on another set of network related event data and another set of network related threat data, wherein the whitelist is automatically and dynamically adjusted to changes in a production data environment associated with a first enterprise network. 10. The system recited in claim 1, wherein the processor is further configured to: identify a network domain for further evaluation to determine whether the network domain is properly included on a blacklist. These steps describe the concept of generating a whitelist using the filtered DNS related event data, wherein the whitelist includes a subset of network domains included in the DNS related event data based on a data driven model of the DNS related event data and the DNS related threat data, without any significant extrasolution activities, which corresponds to concepts identified as abstract ideas by the courts, such as filtering content, BASCOM Global Internet v. AT&T Mobility, LLC, 827 F.3d 1341, 1345-46, 119 USPQ2d 1236, 1239 (Fed. Cir. 2016). All of these concepts relate to “Certain Methods of Organizing Human Activity” in which “Concepts relating to interpersonal and intrapersonal activities, such as managing relationships or transactions between people, social activities, and human behavior; satisfying or avoiding a legal obligation; advertising, marketing, and sales activities or behaviors; and managing human mental activity.” The concept described in the claim(s) is/are not meaningfully different than “Certain Methods of Organizing Human Activity” found by the courts to be abstract ideas. As such, the description in the claim(s) of generating a whitelist using the filtered DNS related event data, wherein the whitelist includes a subset of network domains included in the DNS related event data based on a data driven model of the DNS related event data and the DNS related threat data, without any significant extrasolution activities, is an abstract idea. Enfish, LLC v. Microsoft Corp. 822 F.3d 1327, 1335-36 (Fed. Cir. 2016) (“[T]he first step in the Alice inquiry in this case asks whether the focus of the claims [was] on the specific asserted improvement in computer capabilities … or, instead, on a process that qualifies as an ‘abstract idea’ for which computers are invoked merely as a tool.”) No such evidence exists on this record. Unlike Enfish, where the claims were focused on a specific improvement in how the computer functioned, the claim here merely uses the computer as a tool to perform the abstract concepts, and the claims are not rooted in technology and simply employs conventional techniques used by humans for generating a whitelist using the filtered DNS related event data, wherein the whitelist includes a subset of network domains included in the DNS related event data based on a data driven model of the DNS related event data and the DNS related threat data, without any significant extrasolution activities. The claim here is not similar to claimed patent’s innovative logical model for a computer database (p. 2-3), nor does the claim here have similar specific asserted improvement in computer capabilities (p. 7) as in the Enfish patent. Rather here, the claim is directed to automating the human behavior or task. (See Enfish Memo and Enfish v. Microsoft, May 2016). In addition, simply limiting the invention to a technological environment does “not make an abstract concept any less abstract under step one.” Intellectual Ventures I, 850 F.3d at 1340. Therefore, based on the similarity of the concept described in this claim to abstract ideas identified by the courts in the claim is directed to an abstract idea. For these reasons, afford are ineligible. Step 2B: Additional Elements Significantly More Then the Judicial Exception. The dependent claim(s) do/does not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements when considered both individually and as an ordered combination do not amount to significantly more than the abstract idea. The claim recites the additional limitations of a “memory” and “processor” for 2. The system recited in claim 1, wherein the DNS related event data includes a set of popular network domains. 3. The system recited in claim 1, wherein the DNS related threat data includes a DNS threat feed. 4. The system recited in claim 1, wherein the DNS related threat data includes a DNS threat feed that is associated with a first enterprise network. 5. The system recited in claim 1, wherein the DNS related threat data includes a DNS threat feed that is automatically filtered to determine a popularity of network domains associated with malware. 6. The system recited in claim 1, wherein the subset of network domains included in the whitelist are selected using a classifier. 7. The system recited in claim 1, wherein the subset of network domains included in the whitelist are selected using a statistical classifier. 8. The system recited in claim 1, wherein: the DNS related event data is automatically filtered using a classifier to exclude one or more network domains associated with malware; and the processor is further configured to: output the whitelist to a network device for filtering DNS requests using the whitelist. 9. The system recited in claim 1, wherein: the DNS related event data is automatically filtered using a classifier to exclude one or more network domains associated with malware; and the processor is further configured to: periodically update the whitelist based on another set of network related event data and another set of network related threat data, wherein the whitelist is automatically and dynamically adjusted to changes in a production data environment associated with a first enterprise network. 10. The system recited in claim 1, wherein the processor is further configured to: identify a network domain for further evaluation to determine whether the network domain is properly included on a blacklist. The “memory” and “processor” are recited at a high level of generality and are recited as performing generic computer functions routinely used in computer applications. Generic computer components recited as performing generic computer functions that are well-understood, routine and conventional activities amount to no more than implementing the abstract idea with a computerized system. Next, “generating a whitelist using the filtered DNS related event data, wherein the whitelist includes a subset of network domains included in the DNS related event data based on a data driven model of the DNS related event data and the DNS related threat data, without any significant extrasolution activities” is stated at a high level of generality without tying it to an algorithm that would improve the functionality of the technology and its broadest reasonable interpretation comprises only generating a whitelist using the filtered DNS related event data, wherein the whitelist includes a subset of network domains included in the DNS related event data based on a data driven model of the DNS related event data and the DNS related threat data, without any significant extrasolution activities through the use of some unspecified generic computers and interface. The use of generic computer components for generating a whitelist using the filtered DNS related event data, wherein the whitelist includes a subset of network domains included in the DNS related event data based on a data driven model of the DNS related event data and the DNS related threat data, without any significant extrasolution activities through an unspecified interface does not impose any meaningful limit on the computer implementation of the abstract idea. These dependent claims include insignificant pre-solution limitation(s) and post-solution limitation(s) that do not transform the patent-ineligible concept of an abstract idea to a patent-eligible concept even if they are performed using general purpose computer, as these pre-solution limitation(s) and post-solution limitation(s) add insignificant extrasolution activity to the judicial exception. Thus, taken alone, the additional elements do not amount to significantly more than the above-identified judicial exception (the abstract idea). Looking at the limitations as an ordered combination adds nothing that is not already present when looking at the elements taken individually. There is no indication that the combination of elements improves the functioning of a computer or improves any other technology. Their collective functions merely provide conventional computer implementation. Additionally, adding the words ‘‘apply it’’ (or an equivalent) with the judicial exception (i.e., applying the judicial exception to the Domain Name System network services), or mere instructions to implement an abstract idea on a computer or generally linking the use of the judicial exception to a particular technological environment or field of use (i.e., the Domain Name System network services) is also found to not be enough to qualify as significantly more. Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claim(s) 1-3, 11-13, 16-18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kislitsin (US 20190222589) in view of Cooley (US 9832209). 1, 11, 16. Kislitsin teaches: A system, comprising: – in paragraphs [0041]-[0153] (System 10 can be used to detect malicious domain names in a network traffic.) a processor configured to: – in paragraphs [0041]-[0153] (A computer-readable medium for long-term storage of data is provided, the medium for storing computer-readable instructions that, when executed by a processor by a computing device, cause the steps of the method described in this document to be performed.) receive a set of network related event data, – in paragraphs [0041]-[0152] (The computing device 1, in particular its analyzing module 1.3, may periodically, after a specified period of time establish a connection with at least one of the above rating sites or access them using the connection module 1.6 in order to extract from the so-accessed rating sites at least one list of popular sites for updating data associated with the known domain names that is stored in the local storage 1.5 data.) wherein the set of network related event data includes Domain Name System (DNS) related event data; – in paragraphs [0041]-[0152] (The updating can be executed on the basis of the list of popular sites from a given one of these rating sites (or lists from multiple rating sites), as well as a summary list of popular sites compiled by the analyzing module 1.3 on the basis of separate lists of popular domain names obtained from each of these rating sites, by, for example, a comparative assessment of popularity indicators assigned to sites in these separate lists, in accordance with a given set of evaluation rules to identify a given number of the most popular sites.) a memory coupled to the processor and configured to provide the processor with instructions. – in paragraphs [0041]-[0153] (A computer-readable medium for long-term storage of data is provided, the medium for storing computer-readable instructions that, when executed by a processor by a computing device, cause the steps of the method described in this document to be performed.) Kislitsin does not explicitly teach: receive a set of network related threat data, wherein the set of network related threat data includes DNS related threat data; filter the DNS related event data using the set of network related threat data to obtain filtered DNS related event data; and generate a whitelist using the filtered DNS related event data, wherein the whitelist includes a subset of network domains included in the DNS related event data based on a data driven model of the DNS related event data and the DNS related threat data. However, Cooley teaches: receive a set of network related threat data, – on lines 1-67 in columns 2-18 (Domain reputation information may be obtained from and/or stored within any suitable service or system. Obtaining knowledge about threats from and/or reputations of Internet domains, along with knowledge of Internet domain traffic patterns.) wherein the set of network related threat data includes DNS related threat data; – on lines 1-67 in columns 2-18 (Obtaining knowledge about threats from and/or reputations of Internet domains, along with knowledge of Internet domain traffic patterns.) filter the DNS related event data using the set of network related threat data to obtain filtered DNS related event data; and – on lines 1-67 in columns 2-18 (Select all Internet domains with reputations above a predetermined threshold and traffic volume higher than a predetermined threshold.) generate a whitelist using the filtered DNS related event data, – on lines 1-67 in columns 2-18 (Selection module 108 may select the subset of Internet domains for use in default whitelists and/or whitelists that are customized for particular users and/or gateways systems.) wherein the whitelist includes a subset of network domains included in the DNS related event data based on a data driven model of the DNS related event data and the DNS related threat data; and – on lines 1-67 in columns 2-18 (Selection module 108 may select all Internet domains with reputations above a predetermined threshold and traffic volume higher than a predetermined threshold. In addition to evaluating reputation and traffic volume information, selection module 108 may consider a variety of other types of information in determining which Internet domains are to be selected for inclusion in a domain whitelist. Selection module 108 may consider the types of data typically provided by an Internet domain to determine whether the Internet domain should be selected for inclusion in a whitelist.) It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Kislitsin with Cooley to include receive a set of network related threat data, wherein the set of network related threat data includes DNS related threat data; filter the DNS related event data using the set of network related threat data to obtain filtered DNS related event data; and generate a whitelist using the filtered DNS related event data, wherein the whitelist includes a subset of network domains included in the DNS related event data based on a data driven model of the DNS related event data and the DNS related threat data, as taught by Cooley, on lines 1-67 in columns 1-4, to perform security scans on incoming traffic to identify and block malicious Internet content. 2, 12, 17. The system recited in claim 1, Kislitsin teaches: wherein the DNS related event data includes a set of popular network domains. – in paragraphs [0041]-[0152] (The updating can be executed on the basis of the list of popular sites from a given one of these rating sites (or lists from multiple rating sites), as well as a summary list of popular sites compiled by the analyzing module 1.3 on the basis of separate lists of popular domain names obtained from each of these rating sites, by, for example, a comparative assessment of popularity indicators assigned to sites in these separate lists, in accordance with a given set of evaluation rules to identify a given number of the most popular sites.) 3, 13, 18. The system recited in claim 1, Cooley teaches: wherein the DNS related threat data includes a DNS threat feed. – on lines 1-67 in columns 2-18 (Domain reputation information may be obtained from and/or stored within any suitable service or system. Obtaining knowledge about threats from and/or reputations of Internet domains, along with knowledge of Internet domain traffic patterns.) Claim(s) 4, 14, 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kislitsin (US 20190222589) in view of Cooley (US 9832209), and further in view of Harris (US 20160173510). 4, 14, 19. The system recited in claim 1, Combination of Kislitsin and Cooley does not explicitly teach: wherein the DNS related threat data includes a DNS threat feed that is associated with a first enterprise network. However, Harris teaches: wherein the DNS related threat data includes a DNS threat feed that is associated with a first enterprise network. – in paragraphs [0004]-[0172] (A remote threat management facility configured to manage threats to an enterprise; and a plurality of devices associated with the enterprise, where each of the plurality of devices has a memory and a processor, the memory storing a URL cache including a reputation score and a time to live for each of a plurality of URLs, and the processor configured to update the URL cache on each of the plurality of devices using reputation scores from the remote threat management facility to add new entries for new URL traffic to the URL cache and using the time to live to expire existing entries from the URL cache.) It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Kislitsin and Cooley with Harris to include wherein the DNS related threat data includes a DNS threat feed that is associated with a first enterprise network, as taught by Harris, in paragraphs [0002]-[0034], to provide techniques for threat detection in an enterprise network. Claim(s) 5, 15, 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kislitsin (US 20190222589) in view of Cooley (US 9832209), and further in view of Xu (US 20170163603). 5, 15, 20. The system recited in claim 1, Combination of Kislitsin and Cooley does not explicitly teach: wherein the DNS related threat data includes a DNS threat feed that is automatically filtered to determine a popularity of network domains associated with malware. However, Xu teaches: wherein the DNS related threat data includes a DNS threat feed that is automatically filtered to determine a popularity of network domains associated with malware. – in paragraphs [0018]-[0109] (An additional filtering operation can be performed using a DGA-domain prediction to filter out time-sensitive DGA domains (DGA-generated domain names) from the ranked listing of popular NX domains, because such NX domains would typically only be used for at most one day by such C&C malware.) It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Kislitsin and Cooley with Xu to include wherein the DNS related threat data includes a DNS threat feed that is automatically filtered to determine a popularity of network domains associated with malware, as taught by Xu, in paragraphs [0002]-[0051], to identify and prevent the further spread of malware in a network. Claim(s) 6-9 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kislitsin (US 20190222589) in view of Cooley (US 9832209), and further in view of Balduzzi (US 10057279). 6. The system recited in claim 1, Combination of Kislitsin and Cooley does not explicitly teach: wherein the subset of network domains included in the whitelist are selected using a classifier. However, Balduzzi teaches: wherein the subset of network domains included in the whitelist are selected using a classifier. – on lines 1-67 in columns 2-14 (The URL classifier 152 may be configured to distinguish between malicious and benign URLs.) It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Kislitsin and Cooley with Balduzzi to include wherein the subset of network domains included in the whitelist are selected using a classifier, as taught by Balduzzi, on lines 1-67 in columns 1-2, to provide a technique for protecting computers against remote malware downloads includes a malware download detection system and participating client computers that provide download event information to the malware download detection system. 7. The system recited in claim 1, Combination of Kislitsin and Cooley does not explicitly teach: wherein the subset of network domains included in the whitelist are selected using a statistical classifier. However, Balduzzi teaches: wherein the subset of network domains included in the whitelist are selected using a statistical classifier. – on lines 1-67 in columns 2-14 (The URL classifier 152 may be configured to distinguish between malicious and benign URLs. The URL classifier 152 may comprise a statistical classifier that is configured to classify the source URL of the downloaded file.) It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Kislitsin and Cooley with Balduzzi to include wherein the subset of network domains included in the whitelist are selected using a statistical classifier, as taught by Balduzzi, on lines 1-67 in columns 1-2, to provide a technique for protecting computers against remote malware downloads includes a malware download detection system and participating client computers that provide download event information to the malware download detection system. 8. The system recited in claim 1, Cooley teaches: the processor is further configured to: output the whitelist to a network device for filtering DNS requests using the whitelist. – on lines 1-67 in columns 2-18 (Selection module 108 may select the subset of Internet domains for use in default whitelists and/or whitelists that are customized for particular users and/or gateways systems.) Combination of Kislitsin and Cooley does not explicitly teach: wherein: the DNS related event data is automatically filtered using a classifier to exclude one or more network domains associated with malware. However, Balduzzi teaches: wherein: the DNS related event data is automatically filtered using a classifier to exclude one or more network domains associated with malware; and – on lines 1-67 in columns 2-14 (Consider u is an unknown URL and that all of its neighbors are unknown nodes, so they cannot contribute meaningfully to classifying u. Nonetheless, if u shares the same URL path with a group of malicious URLs (because, for example, they were generated by the same malware kit), and if there are some known malware files or infected client machines connected to this group of malicious URLs in the download graph 153, the group of malicious URLs will have an impact on accurately labeling u as malicious, because the badness reputation score custom character of the group of malicious URLs will be used to compute some features of u.) It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Kislitsin and Cooley with Balduzzi to include wherein: the DNS related event data is automatically filtered using a classifier to exclude one or more network domains associated with malware, as taught by Balduzzi, on lines 1-67 in columns 1-2, to provide a technique for protecting computers against remote malware downloads includes a malware download detection system and participating client computers that provide download event information to the malware download detection system. 9. The system recited in claim 1, Cooley teaches: the processor is further configured to: periodically update the whitelist based on another set of network related event data and another set of network related threat data, – on lines 1-67 in columns 2-18 (Network gateway system 230 may use Internet domain whitelist 126 as an initial whitelist, may use Internet domain whitelist 126 to update an existing whitelist (e.g., whitelist 232), and/or may use Internet domain whitelist 126 to replace an existing whitelist.) wherein the whitelist is automatically and dynamically adjusted to changes in a production data environment associated with a first enterprise network. – on lines 1-67 in columns 2-18 (Network gateway system 230 may use Internet domain whitelist 126 as an initial whitelist, may use Internet domain whitelist 126 to update an existing whitelist (e.g., whitelist 232), and/or may use Internet domain whitelist 126 to replace an existing whitelist.) Combination of Kislitsin and Cooley does not explicitly teach: wherein: the DNS related event data is automatically filtered using a classifier to exclude one or more network domains associated with malware. However, Balduzzi teaches: wherein: the DNS related event data is automatically filtered using a classifier to exclude one or more network domains associated with malware; and – on lines 1-67 in columns 2-14 (Consider u is an unknown URL and that all of its neighbors are unknown nodes, so they cannot contribute meaningfully to classifying u. Nonetheless, if u shares the same URL path with a group of malicious URLs (because, for example, they were generated by the same malware kit), and if there are some known malware files or infected client machines connected to this group of malicious URLs in the download graph 153, the group of malicious URLs will have an impact on accurately labeling u as malicious, because the badness reputation score custom character of the group of malicious URLs will be used to compute some features of u.) It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Kislitsin and Cooley with Balduzzi to include wherein: the DNS related event data is automatically filtered using a classifier to exclude one or more network domains associated with malware, as taught by Balduzzi, on lines 1-67 in columns 1-2, to provide a technique for protecting computers against remote malware downloads includes a malware download detection system and participating client computers that provide download event information to the malware download detection system. Claim(s) 10 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kislitsin (US 20190222589) in view of Cooley (US 9832209), and further in view of Lin (US 10853431). 10. The system recited in claim 1, Combination of Kislitsin and Cooley does not explicitly teach: wherein the processor is further configured to: identify a network domain for further evaluation to determine whether the network domain is properly included on a blacklist. However, Lin teaches: wherein the processor is further configured to: identify a network domain for further evaluation to determine whether the network domain is properly included on a blacklist. – on lines 1-67 in columns 2-9 (The placement of a URL on a blacklist may not immediately result in its exclusion from distribution to users of the online system, but may instead flag it as suspicious and requiring further administrative review by the online system.) It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Kislitsin and Cooley with Lin to include wherein the processor is further configured to: identify a network domain for further evaluation to determine whether the network domain is properly included on a blacklist, as taught by Lin, on lines 1-67 in columns 1-2, to identify webpages with a high likelihood of providing a low quality user experience and prevent them from being presented to users of the online system. Conclusion Any inquiry concerning this communication or earlier communications from the examiner should be directed to MUHAMMAD RAZA whose telephone number is (571)272-7734. The examiner can normally be reached Monday-Friday, 7:00 A.M.-5:00 P.M.. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Vivek Srivastava can be reached at (571)272-7304. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /MUHAMMAD RAZA/Primary Examiner, Art Unit 2449
Read full office action

Prosecution Timeline

Jul 25, 2024
Application Filed
Dec 22, 2025
Non-Final Rejection — §101, §103, §DP (current)

Precedent Cases

Applications granted by this same examiner with similar technology

16/217,321
Patent 12603935
WORKFLOW COORDINATION IN COORDINATION NAMESPACE
2y 5m to grant Granted Apr 14, 2026
18/078,231
Patent 12598147
COLLABORATIVE RELATIONAL MANAGEMENT OF NETWORK AND CLOUD-BASED RESOURCES
2y 5m to grant Granted Apr 07, 2026
18/486,496
Patent 12592917
NETWORK LINK ESTABLISHMENT IN A MULTI-CLOUD INFRASTRUCTURE
2y 5m to grant Granted Mar 31, 2026
17/944,226
Patent 12587451
AUTOMATING SECURED DEPLOYMENT OF CONTAINERIZED WORKLOADS ON EDGE DEVICES
2y 5m to grant Granted Mar 24, 2026
18/298,838
Patent 12580978
APPLICATION-CENTRIC WEB PROTOCOL-BASED DATA STORAGE
2y 5m to grant Granted Mar 17, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

AI Strategy Recommendation

Get an AI-powered prosecution strategy using examiner precedents, rejection analysis, and claim mapping.
Powered by AI — typically takes 5-10 seconds

Prosecution Projections

1-2
Expected OA Rounds
58%
Grant Probability
99%
With Interview (+70.8%)
3y 6m
Median Time to Grant
Low
PTA Risk
Based on 274 resolved cases by this examiner. Grant probability derived from career allow rate.

Ready to respond to this office action?

IP Author drafts your complete OA response — amendments, arguments, and claim strategy — in minutes, not days.

Start Drafting Your Response →

Data sourced from USPTO Patent File Wrapper (daily) and Office Action Archive (weekly). Analysis generated by IP Author.

Data: USPTO Patent File Wrapper (daily) • Office Action Archive (weekly) • 89M+ prosecution events

© 2026 IP Author — Browse Office ActionsExaminersCompaniesFirms

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month