Prosecution Insights
Last updated: July 17, 2026
Application No. 18/895,178

DNS SECURITY OPERATION CENTER INSIGHTS FOR MASS SPREADING DETECTION

Non-Final OA §101§103
Filed
Sep 24, 2024
Priority
Jul 25, 2024 — provisional 63/675,552
Examiner
ABRISHAMKAR, KAVEH
Art Unit
2494
Tech Center
2400 — Computer Networks
Assignee
Infoblox Inc.
OA Round
1 (Non-Final)
78%
Grant Probability
Favorable
1-2
OA Rounds
1y 3m
Est. Remaining
95%
With Interview

Examiner Intelligence

Grants 78% — above average
78%
Career Allowance Rate
808 granted / 1035 resolved
+20.1% vs TC avg
Strong +17% interview lift
Without
With
+17.2%
Interview Lift
resolved cases with interview
Typical timeline
3y 0m
Avg Prosecution
16 currently pending
Career history
1054
Total Applications
across all art units

Statute-Specific Performance

§101
3.2%
-36.8% vs TC avg
§103
66.0%
+26.0% vs TC avg
§102
18.0%
-22.0% vs TC avg
§112
2.1%
-37.9% vs TC avg
Black line = Tech Center average estimate • Based on career data from 1035 resolved cases

Office Action

§101 §103
DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 1. This action is in response to the communication filed on September 24, 2024. Claims 1-20 were originally received for consideration. No preliminary amendments for the claims have been received. 2. Claims 1-20 are currently pending consideration. Information Disclosure Statement 3. Initialed and dated copies of Applicant’s IDS (form 1449), received on 12/03/2024 and 3/16/2026, are attached to this Office Action. Claim Rejections - 35 USC § 101 35 U.S.C. 101 reads as follows: Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title. 4. Claims 1-7, and 15-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. Claim 1 (the representative claim) discloses a system which falls into one of the four statutory categories of invention. 5. The claim(s) recite(s) collecting DNS security associated events, generating a plurality of insights based on the collected data, and performing an action based on the insights. Under the broadest reasonable interpretation, the terms of the claims are presumed to have their plain meaning consistent with the specification as it would be interpreted by one of ordinary skill in the art (MPEP 2111). The claims disclose generating a plurality of insights based on collected information which falls under a mental process as a human can perform the method of generating insights based on collected data using a pen and paper. The use of a generic processor and memory are merely generic computer components that implement the abstract idea on a computer. The collecting of DNS events step is merely insignificant pre-solution activity of data gathering. The performing an action step can be a notification (Specification: Paragraph 0103), which is insignificant post solution activity (MPEP 2106.05). This judicial exception is not integrated into a practical application because there is no recitation of additional elements which would integrate the judicial exception of mental process into a practical application. Describing the collected data as DNS security associated event data, the insights as mass spreading detection insight are both merely types of data as they are both generally described. The memory coupled to the processor is merely generic computing terms and do not render the claim statutory. The collecting step is merely pre-solution activity and the performing an action is merely insignificant post solution activity. The claim(s) does/do not include additional elements that are sufficient to amount to significantly more than the judicial exception. The claims do not provide any additional elements which provide an inventive concept. The additional elements of DNS event data and a mass spreading detection insight are generally claimed and do not provide anything beyond the judicial exception. The memory and the processor are both generic computing terms and do not provide anything beyond the judicial exception. There are no details on how the DNS data is collected nor how the mass spreading detection insight is generated. Therefore, the claims are directed towards non-statutory subject matter. The dependent claims 2-14 do not recite any additional elements which individually or in combination with the limitation of claim 1 amount to significantly more than the abstract idea. Claim 2 recites that the insights are automatically generated using the aggregated DNS data using a DNS SOC platform. This is merely state a generic platform which processed the data and does not provide any additional elements that integrate the abstract idea into a practical application. Claim 3 recites that the insights are based on events received from a plurality of detectors. The detectors are merely a generic computing item that can collect data and does not provide any additional elements that integrate the abstract idea into a practical application. Claim 4 discloses that the DNS SOC platform includes an insights platform. This is merely assigning a name to the platform that generates the action and does not provide any additional elements that integrate the abstract idea into a practical application. Claim 5 discloses that the mass spreading detection is based on a threshold. This is merely assigning a number to what defines a mass spreading detection and does not provide any additional elements that integrate the abstract idea into a practical application. Claim 6 discloses that the mass spreading detection is based on an acceleration metric. This is merely assigning a number to what defines a mass spreading detection and does not provide any additional elements that integrate the abstract idea into a practical application. Claim 7 discloses generating a mass spreading detection insight using a DNS SOC. This is merely assigning a name to the party which is generating the insight and does not provide any additional elements that integrate the abstract idea into a practical application. 6. Claims 15-19 are method claims analogous to the system claims 1-7and are rejected under the same rationale. 7. Claim 20 is a computer-readable medium claim analogous to the system claim 1 and is rejected under the same rationale. Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. 8. Claim(s) 1-5, 7-17, 19 and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Doron et al. (U.S. Patent Pub. No. US 2019/0182291) in view of Pathania (U.S. Patent Pub. US 2024/0129740). Regarding claim 1, Doron discloses: A system, comprising: a processor (paragraph 0075: microprocessor) configured to: collect Domain Name System (DNS) security associated events (paragraphs 0029, 0032-0038, 0068: collect data from data sources wherein the sources can be DNS services and data can be DNS queries); generate a plurality of insights based on the collected DNS security associated events (paragraphs 0038-0039: an insights generator is configured to receive the events data from the detector and generate insights based on the events data); and perform an action based on one or more of the insights including the mass spreading detection insight (paragraphs 0049, 0052, 0059: performing mitigation actions including blocking traffic); and a memory coupled to the processor and configured to provide the processor with instructions (paragraph 0074: processing circuitry coupled to memory). Doron does not explicitly disclose wherein at least one of the plurality of insights includes a mass spreading detection insight. However, in an analogous art, Pathania discloses collecting attributes of a compromised service or device (UE) and applies machine-learning and modeling to gather information for analysis (paragraphs 0075). Furthermore, Pathania discloses that the system may determine a velocity metric of a given attack which corresponds to a measure of how dynamic the attack propagation from one or more UEs is to one or more other UEs (mass spreading) (paragraph 0076). It would have been obvious to incorporate the velocity metric of Pathania into the analysis engine of Doron in order to improve detection of dynamic attacks (Pathania: paragraph 0076). Claim 2 is rejected as applied above in rejecting claim 1. Furthermore, Doron discloses: The system recited in claim 1, wherein the plurality of insights is automatically generated based on aggregated DNS security associated events using a DNS Security Operations Center (SOC) platform (paragraph 0034, 0042-0044, 0048: the data ingestion may include aggregating data collected from the data sources including data from SOC/NOC teams and the analytics engine can generate one or more analytics and corresponding insights). Claim 3 is rejected as applied above in rejecting claim 1. Furthermore, Doron discloses: The system recited in claim 1, wherein the plurality of insights are automatically generated and correlated based on aggregated DNS security associated events using a DNS Security Operations Center (SOC) platform, and wherein the DNS SOC platform receives the DNS security associated events from a plurality of DNS security related detectors (paragraph 0034, 0042-0044, 0048: the data ingestion may include aggregating data collected from the data sources including data from SOC/NOC teams and the analytics engine can generate one or more analytics and corresponding insights). Claim 4 is rejected as applied above in rejecting claim 1. Furthermore, Doron discloses: The system recited in claim 1, wherein the plurality of insights is automatically generated based on aggregated DNS security associated events using a DNS Security Operations Center (SOC) platform, wherein the DNS SOC platform receives the DNS security associated events from a plurality of DNS security related detectors (paragraph 0029, 0039: receiving data from detectors), and wherein the DNS SOC platform includes an insights pipeline (Fig. 2, paragraphs 0042-0048: analytics engine may be configured to generate one or more analytics and corresponding insights). Claim 5 is rejected as applied above in rejecting claim 1. Furthermore, Pathania discloses: The system recited in claim 1, wherein the mass spreading detection is based on a configurable threshold for a DNS security related spreading event (paragraphs 0059-0061, 0065: if the number of compromised UEs satisfies a particular threshold, the system may keep the compromised UEs on the original slice and convert it to a forensic slice while transitioning the other UEs to another slice). Claim 7 is rejected as applied above in rejecting claim 1. Furthermore, Doron discloses: The system recited in claim 1, wherein the processor is further configured to: generate a mass spreading detection insight using a DNS Security Operations Center (SOC) insights platform (paragraphs 0038-0039: an insights generator is configured to receive the events data from the detector and generate insights based on the events data). Claim 8 is rejected as applied above in rejecting claim 1. Furthermore, Doron discloses: The system recited in claim 1, wherein the processor is further configured to perform the following action in response to identification of a detected malicious domain: automatically block the malicious domain (paragraph 0059: mitigation action may include blocking traffic). Claim 9 is rejected as applied above in rejecting claim 1. Furthermore, Doron discloses: The system recited in claim 1, wherein the processor is further configured to perform the following action in response to identification of a domain generation algorithm (DGA) attack: block the DGA attack at a DNS security platform using a DNS Security Operations Center (SOC) insights platform (paragraph 0059: mitigation action may include blocking traffic). Though the specific attack is not mentioned, it is obvious to one of ordinary skill in the art that a DGA attack could also be detected using the same system provided for by Doron, and in response, the same mitigation response of blocking the traffic could be employed. Claim 10 is rejected as applied above in rejecting claim 1. Furthermore, Doron discloses: The system recited in claim 1, wherein the processor is further configured to perform the following action in response to identification of a DNS tunneling (DNST) attack: block the DNST attack at a DNS security platform using a DNS Security Operations Center (SOC) insights platform (paragraph 0059: mitigation action may include blocking traffic). Though the specific attack is not mentioned, it is obvious to one of ordinary skill in the art that a DNST attack could also be detected using the same system provided for by Doron, and in response, the same mitigation response of blocking the traffic could be employed. Claim 11 is rejected as applied above in rejecting claim 1. Furthermore, Doron discloses: The system recited in claim 1, wherein the processor is further configured to perform the following action in response to identification of a command and control (C2) attack: block the C2 attack at a DNS security platform using a DNS Security Operations Center (SOC) insights platform (paragraph 0059: mitigation action may include blocking traffic). Though the specific attack is not mentioned, it is obvious to one of ordinary skill in the art that a C2 attack could also be detected using the same system provided for by Doron, and in response, the same mitigation response of blocking the traffic could be employed. Claim 12 is rejected as applied above in rejecting claim 1. Furthermore, Doron discloses: The system recited in claim 1, wherein the processor is further configured to perform the following action in response to identification of a DNS data exfiltration attack: block the DNS data exfiltration attack at a DNS security platform using a DNS Security Operations Center (SOC) insights platform (paragraph 0059: mitigation action may include blocking traffic). Claim 13 is rejected as applied above in rejecting claim 1. Furthermore, Doron discloses: The system recited in claim 1, wherein the processor is further configured to perform the following action in response to identification of a phishing attack: block the phishing attack at a DNS security platform using a DNS Security Operations Center (SOC) insights platform (paragraph 0059: mitigation action may include blocking traffic). Claim 14 is rejected as applied above in rejecting claim 1. Furthermore, Doron discloses: The system recited in claim 1, wherein the processor is further configured to perform the following action in response to identification of a spear phishing attack: block the spear phishing attack at a DNS security platform using a DNS Security Operations Center (SOC) insights platform (paragraph 0059: mitigation action may include blocking traffic). Regarding claim 15, Doron discloses: A method, comprising: collecting Domain Name System (DNS) security associated events (paragraphs 0029, 0032-0038, 0068: collect data from data sources wherein the sources can be DNS services and data can be DNS queries); generating a plurality of insights based on the collected DNS security associated events (paragraphs 0038-0039: an insights generator is configured to receive the events data from the detector and generate insights based on the events data); and performing an action based on one or more of the insights including the mass spreading detection insight (paragraphs 0049, 0052, 0059: performing mitigation actions including blocking traffic). Doron does not explicitly disclose wherein at least one of the plurality of insights includes a mass spreading detection insight. However, in an analogous art, Pathania discloses collecting attributes of a compromised service or device (UE) and applies machine-learning and modeling to gather information for analysis (paragraphs 0075). Furthermore, Pathania discloses that the system may determine a velocity metric of a given attack which corresponds to a measure of how dynamic the attack propagation from one or more UEs is to one or more other UEs (paragraph 0076). It would have been obvious to incorporate the velocity metric of Pathania into the analysis engine of Doron in order to improve detection of dynamic attacks (Pathania: paragraph 0076). Claim 16 is rejected as applied above in rejecting claim 15. Furthermore, Doron discloses: The method of claim 15, wherein the plurality of insights is automatically generated based on aggregated DNS security associated events using a DNS Security Operations Center (SOC) platform (paragraph 0034, 0042-0044, 0048: the data ingestion may include aggregating data collected from the data sources including data from SOC/NOC teams and the analytics engine can generate one or more analytics and corresponding insights). Claim 17 is rejected as applied above in rejecting claim 15. Furthermore, The method of claim 15, wherein the mass spreading detection is based on a configurable threshold for a DNS security related spreading event (paragraphs 0038-0039: an insights generator is configured to receive the events data from the detector and generate insights based on the events data). Claim 19 is rejected as applied above in rejecting claim 15. Furthermore, Doron discloses: The method of claim 15, further comprising: generating a mass spreading detection insight using a DNS Security Operations Center (SOC) insights platform (paragraphs 0038-0039: an insights generator is configured to receive the events data from the detector and generate insights based on the events data). Regarding claim 20, Doron discloses: A computer program product embodied in a non-transitory computer readable medium and comprising computer instructions for: collecting Domain Name System (DNS) security associated events (paragraphs 0029, 0032-0038, 0068: collect data from data sources wherein the sources can be DNS services and data can be DNS queries); generating a plurality of insights based on the collected DNS security associated events (paragraphs 0038-0039: an insights generator is configured to receive the events data from the detector and generate insights based on the events data); and performing an action based on one or more of the insights including the mass spreading detection insight (paragraphs 0049, 0052, 0059: performing mitigation actions including blocking traffic). Doron does not explicitly disclose wherein at least one of the plurality of insights includes a mass spreading detection insight. However, in an analogous art, Pathania discloses collecting attributes of a compromised service or device (UE) and applies machine-learning and modeling to gather information for analysis (paragraphs 0075). Furthermore, Pathania discloses that the system may determine a velocity metric of a given attack which corresponds to a measure of how dynamic the attack propagation from one or more UEs is to one or more other UEs (paragraph 0076). It would have been obvious to incorporate the velocity metric of Pathania into the analysis engine of Doron in order to improve detection of dynamic attacks (Pathania: paragraph 0076). 9. Claim(s) 6 and 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Doron et al. (U.S. Patent Pub. No. US 2019/0182291) in view of Pathania (U.S. Patent Pub. US 2024/0129740) in further in view of ACM CCS 2017 (“Analyzing the Propagation of IoT Botnets from DNS Leakage”). Claim 6 is rejected as applied above in rejecting claim 1. Furthermore, the combination of Doron and Pathania does not explicitly disclose wherein the mass spreading detection is based on an acceleration metric for a DNS security related spreading event. Pathania discloses that the system may determine a velocity metric of a given attack which corresponds to a measure of how dynamic the attack propagation from one or more UEs is to one or more other UEs (paragraph 0076) but does not explicitly disclose an acceleration metric. In an analogous art, ACM discloses tracking the number of active bots over time, their rate of infection and their geographic spread of their infection (page 1, column 2, paragraph 5). ACM further discloses tracking a growth rate and rate of spread (acceleration) (page 4, section 4.1). Therefore, ACM discloses tracking and analyzing the rate of infection and the number of infected devices over time using DNS data. It would have been obvious to utilize ACM’s propagation rate calculations in the system of Doron-Pathania in order to detect dynamically spreading attacks by using the change of rate along with the velocity metrics. Claim 18 is rejected as applied above in rejecting claim 15. Furthermore, the combination of Doron and Pathania does not explicitly disclose wherein the mass spreading detection is based on an acceleration metric for a DNS security related spreading event. Pathania discloses that the system may determine a velocity metric of a given attack which corresponds to a measure of how dynamic the attack propagation from one or more UEs is to one or more other UEs (paragraph 0076) but does not explicitly disclose an acceleration metric. In an analogous art, ACM discloses tracking the number of active bots over time, their rate of infection and their geographic spread of their infection (page 1, column 2, paragraph 5). ACM further discloses tracking a growth rate and rate of spread (acceleration) (page 4, section 4.1). Therefore, ACM discloses tracking and analyzing the rate of infection and the number of infected devices over time using DNS data. It would have been obvious to utilize ACM’s propagation rate calculations in the system of Doron-Pathania in order to detect dynamically spreading attacks by using the change of rate along with the velocity metrics. Conclusion Any inquiry concerning this communication or earlier communications from the examiner should be directed to KAVEH ABRISHAMKAR whose telephone number is (571)272-3786. The examiner can normally be reached M-F 9-5:30. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung Kim can be reached at 571-272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /KAVEH ABRISHAMKAR/ 04/10/2026Primary Examiner, Art Unit 2494
Read full office action

Prosecution Timeline

Sep 24, 2024
Application Filed
May 13, 2025
Response after Non-Final Action
Apr 21, 2026
Non-Final Rejection mailed — §101, §103
Jul 14, 2026
Examiner Interview Summary
Jul 14, 2026
Applicant Interview (Telephonic)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12683787
METHOD AND SYSTEM OF ASSESSING, REMEDIATING, AND MAINTAINING NON-FUNGIBLE TOKENS (NFTS)
2y 2m to grant Granted Jul 14, 2026
Patent 12684018
CLOUD SECURITY VISUAL DASHBOARD
2y 1m to grant Granted Jul 14, 2026
Patent 12675570
TRIGGERING AND DOWNSELECTION OF VOLATILE MEMORY SCANNING
2y 11m to grant Granted Jul 07, 2026
Patent 12676848
PERMISSIONS ENFORCEMENT BETWEEN FIRST AND THIRD PARTY PLATFORMS
2y 3m to grant Granted Jul 07, 2026
Patent 12671585
SYSTEMS AND METHODS FOR GOVERNING USE RIGHTS OF DIGITAL ASSETS ACROSS HETEROGENEOUS VIRTUAL PLATFORMS
2y 4m to grant Granted Jun 30, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

1-2
Expected OA Rounds
78%
Grant Probability
95%
With Interview (+17.2%)
3y 0m (~1y 3m remaining)
Median Time to Grant
Low
PTA Risk
Based on 1035 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month