Prosecution Insights
Last updated: April 19, 2026
Application No. 18/895,158

DNS SECURITY OPERATION CENTER INSIGHTS

Non-Final OA: §101, §102, §103, §112, §DP
Filed: Sep 24, 2024
Examiner: TRUONG, LAWRENCE QUANG
Art Unit: 2434
Tech Center: 2400 — Computer Networks
Assignee: Infoblox Inc.
OA Round: 1 (Non-Final)
Grant Probability: 100% (Favorable)
OA Rounds: 1-2
To Grant: 2y 2m
With Interview: 99%

Examiner Intelligence

Grants 100% — above average
Career Allow Rate: 100% (12 granted / 12 resolved; +42.0% vs TC avg)
Minimal +0% lift
Interview Lift: +0.0% (resolved cases with interview)
Fast prosecutor
Avg Prosecution: 2y 2m (20 currently pending)
Career history
Total Applications: 32 (across all art units)

Statute-Specific Performance

§101: 13.1% (-26.9% vs TC avg)
§103: 48.3% (+8.3% vs TC avg)
§102: 11.4% (-28.6% vs TC avg)
§112: 24.4% (-15.6% vs TC avg)
Black line = Tech Center average estimate • Based on career data from 12 resolved cases

Office Action

§101 §102 §103 §112 §DP
DETAILED ACTION

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement

The information disclosure statement (IDS) submitted on 12/03/2024 has been considered by the examiner.

Specification

The disclosure is objected to because of the following informalities:

In paragraph [0050], “rpzlogs 208” should read “rpzlogs 216.”
In paragraph [0052], e.g., “a cache 332 is provided for a caching the data” should read “a cache 332 is provided for caching the data”
In paragraph [0057], “rpzlogs 208” should read “rpzlogs 216.”
In paragraph [0067], e.g., “This facilitates a reduction in noise but aggregating such insights into groupings” should read “This facilitates a reduction in noise by aggregating such insights into groupings.”
In paragraph [0080], “a confidence level and a threat level are provided” should read “an impact level and a threat level are provided.”
In paragraph [0081], “if confidence is low, then low; if confidence is high, then value of threat level” should read “if confidence is low, then value of threat level is low; if confidence is high, then value of threat level is high.”
In paragraph [0085], “As shown in the graph relationship illustrated in FIG. 4” should read “As shown in the graph relationship illustrated in FIG. 14.”
In paragraph [0089], insights correlates to element 416, however, in FIG. 16, insights correlates to 414.
In paragraph [0089], “The publisher 1610 provides these events to the above-described notification component 316 for present to the user” should read “The publisher 1610 provides these events to the above-described notification component 316 for presentation to the user.”
In paragraph [0093], “based on the predetermined associated action (1704) to, for example, perform” should read “based on the predetermined associated action (1704), for example, perform”

Appropriate correction is required.

Claim Rejections - 35 USC § 112

The following is a quotation of 35 U.S.C. 112(b): (b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.

Claims 1, 15, and 20 recite “perform an action based on one or more of the insights”. There is insufficient antecedent basis for “the insights”. For the purpose of examination, the claim limitation will be interpreted as “perform an action based on one or more of the plurality of insights.” Claims 2-14 and 16-19 inherit this rejection.

Claim 5 recites “high volume” and “high write throughput”. These terms are relative terms and the specification does not define what is high volume or high write throughput; therefore, these terms render the claim indefinite. Applicant may amend each of the recitations to “higher than a predetermined threshold.”

Claim Rejections - 35 USC § 101

35 U.S.C. 101 reads as follows: Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-6 and 14-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a mental process without significantly more. The claim(s) recite(s) collecting data, manipulating data, determining a pattern from the data, and performing actions on the data.
This judicial exception is not integrated into a practical application because “performing an action” without indicating what the action is does not integrate the abstract idea into a practical application. The claim(s) does/do not include additional elements that are sufficient to amount to significantly more than the judicial exception because “performing an action” may simply be additional generation/manipulation of data, which is a well-understood, routine, and conventional activity in computer security.

Claim Rejections - 35 USC § 102

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action: A person shall be entitled to a patent unless – (a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

Claim(s) 1-5, 7, 11-12, and 14-18, and 20 is/are rejected under 35 U.S.C. 102(a)(2) as being anticipated by US 20240364725 A1 to Sinha et al. (Sinha).

Regarding claim 1, Sinha teaches A system, comprising: a processor (Sinha [0080], e.g., one or more processors 719) configured to: collect Domain Name System (DNS) security associated events (Sinha [0020], e.g., the system 100 includes a cybersecurity platform 102 that collects or otherwise receives security data 109 from multiple security data sources 104-108; [0031], e.g., For instance, in some examples, types of data used as part of the security data 109 includes…… DNS lookup events collected from the central DNS servers within the network); generate a plurality of insights based on the collected DNS security associated events (Sinha [0020], e.g., The cybersecurity platform 102 normalizes and/or otherwise preprocesses the received data using a data normalizer 114 and stores the normalized data in the data storage 116. An Artificial Intelligence (AI) engine 118 analyzes the stored data 117 using one or more trained models to generate security insight information); and perform an action based on one or more of the insights (Sinha [0034], e.g., the one or more models of the AI engine 118 are trained using machine learning techniques to perform operations such as investigating the aggregated, normalized security data for anomalous patterns, hunting and/or identifying threats based on the security data, and/or generating recommendations for actions that can be taken to improve the security of the system in some way); and a memory coupled to the processor and configured to provide the processor with instructions (Sinha [0080-0081], e.g., one or more processors 719…… for processing computer executable instructions…… computer executable instructions are provided using any computer-readable media…… Computer-readable media include, for example, computer storage media such as a memory 722).

Regarding claim 2, most of the limitations of this claim have been noted in the rejection of claim 1.
Sinha further teaches wherein the plurality of insights is automatically generated based on aggregated DNS security associated events (Sinha [0020], e.g., the system 100 includes a cybersecurity platform 102 that collects or otherwise receives security data 109 from multiple security data sources 104-108 (e.g., via data interfaces 110). The cybersecurity platform 102 normalizes and/or otherwise preprocesses the received data using a data normalizer 114 and stores the normalized data in the data storage 116. An Artificial Intelligence (AI) engine 118 analyzes the stored data 117 using one or more trained models to generate security insight information) using a DNS Security Operations Center (SOC) platform (Sinha [0020], e.g., a system 100 configured for collecting, managing, and using aggregated security data to address security threats).

Regarding claim 3, most of the limitations of this claim have been noted in the rejection of claim 1. Sinha further teaches wherein the plurality of insights are automatically generated and correlated based on aggregated DNS security associated events (Sinha [0020], e.g., the system 100 includes a cybersecurity platform 102 that collects or otherwise receives security data 109 from multiple security data sources 104-108 (e.g., via data interfaces 110). The cybersecurity platform 102 normalizes and/or otherwise preprocesses the received data using a data normalizer 114 and stores the normalized data in the data storage 116.
An Artificial Intelligence (AI) engine 118 analyzes the stored data 117 using one or more trained models to generate security insight information) using a DNS Security Operations Center (SOC) platform (Sinha [0020], e.g., a system 100 configured for collecting, managing, and using aggregated security data to address security threats), and wherein the DNS SOC platform receives the DNS security associated events from a plurality of DNS security related detectors (Sinha [0022], e.g., the group of security data sources 104-108 include one or more security products, tools, and/or applications that are each configured to provide specific security services and to collect or otherwise obtain data that pertains to those specific security services…… an example data source is MITRE ATT&CK that provides details about adversarial tactics, techniques, and common knowledge. Additionally, or alternatively, other example security data sources include Cloud Access Security Brokers (CASB), Data Loss Prevention (DLP) tools, Intrusion Prevention Systems (IPS), Firewall Applications, Extended Detection and Response (XDR) tools, Endpoint Detection and Response (EDR), Security Operations Center (SOC) platforms, Safety Management Systems (SMS), Learning Management Systems (LMS), or the like).

Regarding claim 4, most of the limitations of this claim have been noted in the rejection of claim 1. Sinha further teaches wherein the plurality of insights is automatically generated based on aggregated DNS security associated events (Sinha [0020], e.g., the system 100 includes a cybersecurity platform 102 that collects or otherwise receives security data 109 from multiple security data sources 104-108 (e.g., via data interfaces 110). The cybersecurity platform 102 normalizes and/or otherwise preprocesses the received data using a data normalizer 114 and stores the normalized data in the data storage 116.
An Artificial Intelligence (AI) engine 118 analyzes the stored data 117 using one or more trained models to generate security insight information) using a DNS Security Operations Center (SOC) platform (Sinha [0020], e.g., a system 100 configured for collecting, managing, and using aggregated security data to address security threats) wherein the DNS SOC platform receives the DNS security associated events from a plurality of DNS security related detectors (Sinha [0022], e.g., the group of security data sources 104-108 include one or more security products, tools, and/or applications that are each configured to provide specific security services and to collect or otherwise obtain data that pertains to those specific security services…… an example data source is MITRE ATT&CK that provides details about adversarial tactics, techniques, and common knowledge. Additionally, or alternatively, other example security data sources include Cloud Access Security Brokers (CASB), Data Loss Prevention (DLP) tools, Intrusion Prevention Systems (IPS), Firewall Applications, Extended Detection and Response (XDR) tools, Endpoint Detection and Response (EDR), Security Operations Center (SOC) platforms, Safety Management Systems (SMS), Learning Management Systems (LMS), or the like), and wherein the DNS SOC platform includes an insights pipeline (Sinha [0025], e.g., the security data 109 sent to the cybersecurity platform 102, [0028], e.g., the data normalizer 114 is configured to create combined datasets by extracting and/or joining logs and/or platform output data from the multiple security data sources, [0034-0035], e.g., the AI engine 118…… configured to use one or more models to analyze the normalized data in order to detect anomalies and/or predict security events…… AI engine 118 deploys ML models to analyze live, real-time data to hunt for potential threats on the associated system that may have been missed by the individual cybersecurity tools and/or platforms (e.g., the
security data sources 104-108) and/or to determine and provide security recommendations, [0039], e.g., cybersecurity platform 102 is configured to perform automated incident response operations, such as Security Orchestration, Automation and Response (SOAR) which dynamically protects against identified and potential threats using implemented remedial responses, security workflow orchestration, and/or dynamic automated risk management and response operations, [0041], e.g., visualizations that are provided via the visualization layer 132 include a holistic cybersecurity health assessment interface generated based on the aggregated, normalized data from the multiple security data sources; Fig. 1).

Regarding claim 5, most of the limitations of this claim have been noted in the rejection of claim 1. Sinha further teaches wherein high volume DNS security associated events are modeled, aggregated and stored in an efficient manner to achieve high write throughput and read performant (Sinha [0015], e.g., Further, the disclosure improves the efficiency of resource use in the associated system, including use of data storage resources, use of network bandwidth resources, use of processing resources, and the like. Because the disclosure describes the collection of all available security data in a single platform and analysis of that comprehensive dataset in the single platform, the likelihood of duplicated processing efforts by other security tools or duplicate data transfers between other tools is reduced significantly. The disclosure enables flexible, centralized security data analysis such that reliance on analysis by other tools that might include duplicate resource usage can be reduced).

Regarding claim 7, most of the limitations of this claim have been noted in the rejection of claim 1.
Sinha further teaches wherein the processor is further configured to perform the following action in response to identification of a detected malicious domain: automatically block the malicious domain (Sinha [0067], e.g., the cybersecurity platform 102 identifies malicious websites and blocks watering hole attacks associated therewith).

Regarding claim 11, most of the limitations of this claim have been noted in the rejection of claim 1. Sinha further teaches wherein the processor is further configured to perform the following action in response to identification of a DNS data exfiltration attack: block the DNS data exfiltration attack at a DNS security platform using a DNS Security Operations Center (SOC) insights platform (Sinha [0036], e.g., AI engine 118 includes trained ML models include advanced analytics use-cases…… the use-cases include traffic analysis and/or data exfiltration use-cases such as identifying user behavior and tracking/blocking the sensitive data movements, [0068] and [0074] describe monitoring and blocking data movement activities for sensitive data).

Regarding claim 12, most of the limitations of this claim have been noted in the rejection of claim 1. Sinha further teaches wherein the processor is further configured to perform the following action in response to identification of a phishing attack: block the phishing attack at a DNS security platform using a DNS Security Operations Center (SOC) insights platform (Sinha [0036], e.g., AI engine 118 includes trained ML models include advanced analytics use-cases…… the use-cases include traffic analysis and/or data exfiltration use-cases such as identifying user behavior and tracking/blocking the sensitive data movements and/or preventing data loss from phishing activities; [0069], e.g., In an example, the cybersecurity platform 102 prevents data loss from phishing activities).

Regarding claim 14, most of the limitations of this claim have been noted in the rejection of claim 1.
Sinha further teaches wherein the processor is further configured to: report the plurality of insights for a first network aggregated for a predetermined period of time using a DNS Security Operations Center (SOC) insights platform (Sinha [0033], e.g., the data storage 116 includes a secondary database for storing aggregated data from the big-data storage (e.g., aggregation of data therein is carried out periodically (every 30 minutes or 1 hour)). The aggregated database is used as a “single source of truth” for presenting security information on security dashboard interfaces. This security information enables users to view the current state of security in the system and to react to issues that arise).

Regarding claim 15, the claim recites a method of the system of claim 1, and is similarly analyzed.

Regarding claim 16, the claim recites a method of the system of claim 2, and is similarly analyzed.

Regarding claim 17, the claim recites a method of the system of claim 3, and is similarly analyzed.

Regarding claim 18, the claim recites a method of the system of claim 4, and is similarly analyzed.

Regarding claim 20, Sinha teaches a computer program product embodied in a non-transitory computer readable medium and comprising computer instructions (Sinha [0081], e.g., computer executable instructions are provided using any computer-readable media that is accessible by the computing apparatus 718. Computer-readable media include, for example, computer storage media such as a memory 722). The rest of the limitation recites a computer program product of the system of claim 1, and is similarly recited.

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C.
102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claim(s) 6 and 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Sinha in view of US 20250310358 A1 to Gulikers et al. (Gulikers), which claims priority to U.S. Prov. Appl. Ser. No. 63/573,286, filed Apr. 2, 2024 and U.S. Prov. Appl. Ser. No. 63/573,288, filed Apr. 2, 2024.

Regarding claim 6, most of the limitations of this claim have been noted in the rejection of claim 1.
Sinha does not explicitly teach, but Gulikers teaches wherein the DNS security associated events are aggregated and stored in a graph data store for correlating threat lifecycle (Gulikers, Provisional Application (63/573,286) pg. 12, lines 16-21 and Fig. 5; [0073], e.g., threat intelligence lifecycle manager 512 may use security data 510 obtained by workflow manager 514 to populate a knowledge graph 516…… In one implementation, threat intelligence lifecycle manager 512 may store knowledge graph 516 in a graph database such as ArangoDB or the like; Also see Fig. 11A).

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to have modified the teachings of Sinha with the teachings of Gulikers with reasonable expectation of success. One of ordinary skill in the art would have been motivated to make the modification for the benefit of enhancing attack detection (Gulikers [0175], e.g., As noted above, conventional approaches to attack simulations and threat detections fail to produce and utilize data that is fully realistic with respect to attack scenarios. Consequently, such systems fail to recognize novel or slightly altered attack patterns, leading to vulnerabilities. In contrast, the techniques herein leverage data augmentation in attack simulations to enhance attack detection. For example, by combining components of simulated and/or real attacks and background activity into a knowledge graph, a more realistic mimicry of data may be achieved).

Regarding claim 19, the claim recites a method of the system of claim 6, and is similarly analyzed.

Claim(s) 8 and 10 is/are rejected under 35 U.S.C. 103 as being unpatentable over Sinha in view of US 20230362176 A1 to Jiang et al. (Jiang).

Regarding claim 8, most of the limitations of this claim have been noted in the rejection of claim 1.
Sinha teaches wherein the processor is further configured to perform the following action in response to identification of a [domain generation algorithm (DGA)] attack: block the [DGA] attack at a DNS security platform using a DNS Security Operations Center (SOC) insights platform (Sinha [0013], e.g., The cybersecurity platform then analyzes the normalized data to detect or otherwise identify security issues in the system…… and/or performs automatic remedial operations to address the issues (e.g., blocking network traffic, revoking user permissions, halting intrusive processes)).

Sinha does not explicitly teach, but Jiang teaches identifying a domain generation algorithm (DGA) attack (Jiang [0082], e.g., an action can be performed in response to a verdict that the source IP address of the DGA domain cluster is compromised. In some embodiments, analysis of the source IP address of the DGA domain cluster is performed to generate a malware signature) and blocking the DGA attack (Jiang [0082], e.g., In some embodiments, the action relates to blocking the compromised source IP address associated with the detected DGA malware attack).

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to have modified the teachings of Sinha with the teachings of Jiang with reasonable expectation of success. One of ordinary skill in the art would have been motivated to make the modification for the benefit of detecting zero day attacks (Jiang [0089], e.g., Because the verdicts are detected in real time or near real time, malware samples associated with the compromised source IP addresses can belong to a zero day attack campaign launch, which uses a DGA as an attack technique…… This early detection can provide an opportunity for network security research services to alert members or entities to prepare for a forthcoming attack campaign).

Regarding claim 10, most of the limitations of this claim have been noted in the rejection of claim 1. Sinha further teaches wherein the processor is further configured to perform the following action in response to identification of a [command and control (C2)] attack: block the [C2] attack at a DNS security platform using a DNS Security Operations Center (SOC) insights platform (Sinha [0013], e.g., The cybersecurity platform then analyzes the normalized data to detect or otherwise identify security issues in the system…… and/or performs automatic remedial operations to address the issues (e.g., blocking network traffic, revoking user permissions, halting intrusive processes)).

Sinha does not explicitly teach, but Jiang teaches identifying a command and control (C2) attack (Jiang [0019-0020], e.g., a firewall can identify and prevent the further spread of malware in a network…… Example malware includes…… botnet command and control (C&C)) and blocking the C2 attack (Jiang [0052], e.g., determine that the client device is infected with identified malware, such that a responsive action can be performed (e.g., the client device can be disinfected, quarantined, reported to a network/security administrator for the network, the client device's attempt(s) to connect to the bad network domains(s) can be blocked, and/or some other responsive action can be performed based on policy)). The motivation to combine is the same as that of claim 8.

Claim(s) 9 and 13 is/are rejected under 35 U.S.C. 103 as being unpatentable over Sinha in view of "Network-based Detection and Prevention System against DNS-based Attacks", May 2021 to Mohammed et al. (Mohammed).

Regarding claim 9, most of the limitations of this claim have been noted in the rejection of claim 1.
Sinha further teaches wherein the processor is further configured to perform the following action in response to identification of a [DNS tunneling (DNST)] attack: block the [DNST] attack at a DNS security platform using a DNS Security Operations Center (SOC) insights platform (Sinha [0013], e.g., The cybersecurity platform then analyzes the normalized data to detect or otherwise identify security issues in the system…… and/or performs automatic remedial operations to address the issues (e.g., blocking network traffic, revoking user permissions, halting intrusive processes)).

Sinha does not explicitly teach, but Mohammed teaches identifying a DNS tunneling (DNST) attack (Mohammed [2.4 Detection using Machine Learning], e.g., machine learning is being used for detecting various security threats including DNS tunneling) and blocking the DNST attack (Mohammed [2.4 Detection using Machine Learning], e.g., Based on the classification model results, DNS queries and responses from or to these malicious domains will be blocked).

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to have modified the teachings of Sinha with the teachings of Mohammed with reasonable expectation of success. One of ordinary skill in the art would have been motivated to make the modification for the benefit of improving present methods of detecting and preventing of DNS-based attacks (Mohammed [Abstract], e.g., Based on the results, we can conclude that the detection system is significant and original improvement of the present methods used for detecting and preventing DNS-based attacks).

Regarding claim 13, most of the limitations of this claim have been noted in the rejection of claim 1.
Sinha further teaches wherein the processor is further configured to perform the following action in response to identification of a [spear] phishing attack: block the [spear] phishing attack at a DNS security platform using a DNS Security Operations Center (SOC) insights platform (Sinha [0036], e.g., AI engine 118 includes trained ML models include advanced analytics use-cases…… the use-cases include traffic analysis and/or data exfiltration use-cases such as identifying user behavior and tracking/blocking the sensitive data movements and/or preventing data loss from phishing activities; [0069], e.g., In an example, the cybersecurity platform 102 prevents data loss from phishing activities).

Sinha does not explicitly teach, but Mohammed teaches identifying a spear phishing attack (Mohammed [6.1.1 Experimental Setup], e.g., The detection system uses blacklisted domain name lists which protects clients from Internet attacks, including Phishing and spear phishing attacks) and blocking the spear phishing attack (Mohammed [6.1.1 Experimental Setup], e.g., As we show in the results section, we blocked many advertisement websites based on blacklisted lists). The motivation to combine is the same as that of claim 9.

Double Patenting

The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir.
1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).

A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).

The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13.

The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used.
A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer.

Claims 1-4, 7-13, 15-16, and 20 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-4, 8-16, and 20 of copending Application No. 18/895,178 (reference application). Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the instant application are a broader version of the claims of application no. 18/895,178 that anticipate the claims of the instant application.

This is a provisional nonstatutory double patenting rejection because the patentably indistinct claims have not in fact been patented.

| 18/895,158 (Instant Application) | 18/895,178 (Reference Application) |
| --- | --- |
| 1. A system, comprising: a processor configured to: collect Domain Name System (DNS) security associated events; generate a plurality of insights based on the collected DNS security associated events; and perform an action based on one or more of the insights; and a memory coupled to the processor and configured to provide the processor with instructions. | 1. A system, comprising: a processor configured to: collect Domain Name System (DNS) security associated events; generate a plurality of insights based on the collected DNS security associated events, wherein at least one of the plurality of insights includes a mass spreading detection insight; and perform an action based on one or more of the insights including the mass spreading detection insight; and a memory coupled to the processor and configured to provide the processor with instructions |
| 2. The system recited in claim 1, wherein the plurality of insights is automatically generated based on aggregated DNS security associated events using a DNS Security Operations Center (SOC) platform. | 2. The system recited in claim 1, wherein the plurality of insights is automatically generated based on aggregated DNS security associated events using a DNS Security Operations Center (SOC) platform. |
| 3. The system recited in claim 1, wherein the plurality of insights are automatically generated and correlated based on aggregated DNS security associated events using a DNS Security Operations Center (SOC) platform, and wherein the DNS SOC platform receives the DNS security associated events from a plurality of DNS security related detectors. | 3. The system recited in claim 1, wherein the plurality of insights are automatically generated and correlated based on aggregated DNS security associated events using a DNS Security Operations Center (SOC) platform, and wherein the DNS SOC platform receives the DNS security associated events from a plurality of DNS security related detectors. |
| 4. The system recited in claim 1, wherein the plurality of insights is automatically generated based on aggregated DNS security associated events using a DNS Security Operations Center (SOC) platform, wherein the DNS SOC platform receives the DNS security associated events from a plurality of DNS security related detectors, and wherein the DNS SOC platform includes an insights pipeline. | 4. The system recited in claim 1, wherein the plurality of insights is automatically generated based on aggregated DNS security associated events using a DNS Security Operations Center (SOC) platform, wherein the DNS SOC platform receives the DNS security associated events from a plurality of DNS security related detectors, and wherein the DNS SOC platform includes an insights pipeline. |
| 7. The system recited in claim 1, wherein the processor is further configured to perform the following action in response to identification of a detected malicious domain: automatically block the malicious domain. | 8. The system recited in claim 1, wherein the processor is further configured to perform the following action in response to identification of a detected malicious domain: automatically block the malicious domain. |
| 8. The system recited in claim 1, wherein the processor is further configured to perform the following action in response to identification of a domain generation algorithm (DGA) attack: block the DGA attack at a DNS security platform using a DNS Security Operations Center (SOC) insights platform. | 9. The system recited in claim 1, wherein the processor is further configured to perform the following action in response to identification of a domain generation algorithm (DGA) attack: block the DGA attack at a DNS security platform using a DNS Security Operations Center (SOC) insights platform. |
| 10. The system recited in claim 1, wherein the processor is further configured to perform the following action in response to identification of a command and control (C2) attack: block the C2 attack at a DNS security platform using a DNS Security Operations Center (SOC) insights platform. | 11. The system recited in claim 1, wherein the processor is further configured to perform the following action in response to identification of a command and control (C2) attack: block the C2 attack at a DNS security platform using a DNS Security Operations Center (SOC) insights platform. |
| 11. The system recited in claim 1, wherein the processor is further configured to perform the following action in response to identification of a DNS data exfiltration attack: block the DNS data exfiltration attack at a DNS security platform using a DNS Security Operations Center (SOC) insights platform. | 12. The system recited in claim 1, wherein the processor is further configured to perform the following action in response to identification of a DNS data exfiltration attack: block the DNS data exfiltration attack at a DNS security platform using a DNS Security Operations Center (SOC) insights platform. |
| 12. The system recited in claim 1, wherein the processor is further configured to perform the following action in response to identification of a phishing attack: block the phishing attack at a DNS security platform using a DNS Security Operations Center (SOC) insights platform. | 13. The system recited in claim 1, wherein the processor is further configured to perform the following action in response to identification of a phishing attack: block the phishing attack at a DNS security platform using a DNS Security Operations Center (SOC) insights platform. |
| 13. The system recited in claim 1, wherein the processor is further configured to perform the following action in response to identification of a spear phishing attack: block the spear phishing attack at a DNS security platform using a DNS Security Operations Center (SOC) insights platform. | 14. The system recited in claim 1, wherein the processor is further configured to perform the following action in response to identification of a spear phishing attack: block the spear phishing attack at a DNS security platform using a DNS Security Operations Center (SOC) insights platform. |
| 15. A method, comprising: collecting Domain Name System (DNS) security associated events; generating a plurality of insights based on the collected DNS security associated events; and performing an action based on one or more of the insights. | 15. A method, comprising: collecting Domain Name System (DNS) security associated events; generating a plurality of insights based on the collected DNS security associated events, wherein at least one of the plurality of insights includes a mass spreading detection insight; and performing an action based on one or more of the insights including the mass spreading detection insight. |
| 16. The method of claim 15, wherein the plurality of insights is automatically generated based on aggregated DNS security associated events using a DNS Security Operations Center (SOC) platform | 16. The method of claim 15, wherein the plurality of insights is automatically generated based on aggregated DNS security associated events using a DNS Security Operations Center (SOC) platform |
| 20. A computer program product embodied in a non-transitory computer readable medium and comprising computer instructions for: collecting Domain Name System (DNS) security associated events; generating a plurality of insights based on the collected DNS security associated events; and performing an action based on one or more of the insights. | 20. A computer program product embodied in a non-transitory computer readable medium and comprising computer instructions for: collecting Domain Name System (DNS) security associated events; generating a plurality of insights based on the collected DNS security associated events, wherein at least one of the plurality of insights includes a mass spreading detection insight; and performing an action based on one or more of the insights including the mass spreading detection insight. |

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. US 20250202916 A1 to Duan et al. discloses collecting DNS-related activity, determining whether the DNS-related activity is associated with DNS tunneling attack, and based on the association, performing an action.
Contact Information

Any inquiry concerning this communication or earlier communications from the examiner should be directed to LAWRENCE Q TRUONG whose telephone number is (571)272-6973. The examiner can normally be reached Monday - Friday, 7:30 am - 5 pm ET.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand, can be reached at (571) 272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/LAWRENCE Q TRUONG/
Examiner, Art Unit 2434

/NOURA ZOUBAIR/
Primary Examiner, Art Unit 2434

Prosecution Timeline

Sep 24, 2024
Application Filed
Jan 23, 2026
Non-Final Rejection — §101, §102, §103
Mar 30, 2026
Applicant Interview (Telephonic)
Mar 30, 2026
Examiner Interview Summary

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12591375
DATA STORAGE DEVICE AND METHOD OF ACCESS IN CONFIDENTIAL MODE AND NORMAL MODE
2y 5m to grant Granted Mar 31, 2026
Patent 12585751
MULTI-MODAL GESTURE SEQUENCE PASSCODE UNLOCKING APPARATUS FOR A HEAD-MOUNTED DISPLAY
2y 5m to grant Granted Mar 24, 2026
Patent 12566721
SYSTEM SEMICONDUCTOR WITH MULTI PROJECT CHIP FOR PROTECTING INTELLECTUAL PROPERTY RIGHT OF THE SYSTEM SEMICONDUCTOR AND THE METHOD THEREOF
2y 5m to grant Granted Mar 03, 2026
Patent 12554818
SYSTEM, SERVER APPARATUS, AUTHENTICATION METHOD, AND STORAGE MEDIUM
2y 5m to grant Granted Feb 17, 2026
Patent 12548393
SYSTEM, GATE DEVICE, CONTROL METHOD FOR GATE DEVICE, AND STORAGE MEDIUM
2y 5m to grant Granted Feb 10, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.


Prosecution Projections

1-2
Expected OA Rounds
100%
Grant Probability
99%
With Interview (+0.0%)
2y 2m
Median Time to Grant
Low
PTA Risk
Based on 12 resolved cases by this examiner. Grant probability derived from career allow rate.
