DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This communication is in response to Application 18/914,963 filed on 14 October, 2024. This application claims the benefit of U.S. Provisional Application No. 63/595,886 filed November 3, 2023, entitled “Systems and Methods for Filtering of Malicious DNS Queries”.
Claims 1-20 are pending.
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
Claims 1-7, 10-12, 14-16 and 18-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Moore (WO 2021/102414).
Regarding claim 1, Moore teaches a domain name system (DNS) filter system (Moore [0003] provides for a "threat intelligence gateway (TIG)", Figs. 2 and 11 elements 200, 250), comprising:
at least one processor (Moore fig.2 element 220);
and a memory (Moore fig.2 elements 230,233) operatively connected to the at least one processor and storing instructions that, when executed by the at least one processor, cause the DNS filter system to perform a method, the method comprising:
receiving a first domain name system (DNS) query from a computing device, wherein the first DNS query comprises a domain name (Moore Fig. 11; [0153] provides "In Step 11-5, TIG 200 (a) may receive and ingest the legitimate DNS query request from 130, In Step 11-7, TIG 250 (a) may receive and ingest the bogus DNS query request from 134, In Step 11-8, TIG 250 (a) may receive and ingest the bogus DNS query request from 135"; [0154] provides "In Step 11-9, TIG 250 (a) may receive and ingest the legitimate DNS query request from 130.");
inspecting the DNS query (Moore [0153] provides "In Step 11-5, TIG 200 (b) may test B/F-I to determine that domain name www.example-132.net is registered in the DNS, In Step 11-6, TIG 200 (b) may test a DNS probabilistic data structure, B/F-I, to determine that a bogus domain name hyqlyn2c.www.example-133.ne is not registered in the DNS, In Step 11-7, TIG 250 (b) may test B/F-I to determine that bogus domain name ppk6h0ec.www.example-132.net is not registered in the DNS, In Step 11-8, TIG 250 (b) may test the B/F-I to determine that bogus domain name 61kwrari.www.example-132.ne is not registered in the DNS…In Step 11-9, TIG 250…(b) may test the B/F-I to determine that domain name www.example-132.com is registered in the DNS”) based at least in part on a set of rules (Moore [0136] provides "The first subset SS-1 of packet filtering rules may be represented by a space-efficiency probabilistic data structure or Bloom filter B/F-I and the associated information as discussed below, such as an associated threat indicator type and an associated rule action. The indicators for the rules are the elements of the set of all domain names that are registered in the Internet DNS…The DNS probabilistic data structure B/F-I may be associated with two rule actions. As a first rule, when a membership test returns a TRUE value (e.g. the current domain name is registered in the DNS)…When a membership test returns FALSE (e.g. the domain name is not registered in the DNS), then the associated rule's action may also be a conditional action…When the membership test returns FALSE and IF the current packet does contain a DNS query request (to resolve the domain name to an IP address), THEN the rule actions may be to drop the packet…”);
determining that the DNS query is either valid or invalid based at least in part on the inspection (Moore [0136] provides "When the membership test returns FALSE and IF the current packet does contain a DNS query request (to resolve the domain name to an IP address), THEN the rule actions may be to drop the packet"; [0015] provides “When a packet is determined to include a DNS query request, and if it is determined that the domain name of the DNS query request is not represented in the probabilistic data structure, the methods may determine whether the DNS query request indicates a legitimate DNS query request. A DNS query request may include legitimate DNS requests and may include some illegitimate requests. The illegitimate requests may include bad requests, such as requests that are legitimate attempts to resolve a domain name request, as well as bogus requests, such as requests that were submitted in an attempt to deny service to others and/or to exfiltrate information from a compromised system"; [0153] provides "In Step 11-6, TIG 200 (c) may drop DNS query request (packet), In Step 11 -7, TIG 250 (c) may drop the DNS query request (packet), In Step 11-8, TIG 250 (c) may drop the DNS query request (packet)”);
dropping the DNS query when the DNS query is invalid (Moore [0136] provides "When the membership test returns FALSE and IF the current packet does contain a DNS query request (to resolve the domain name to an IP address), THEN the rule actions may be to drop the packet"; [0015] provides “When a packet is determined to include a DNS query request, and if it is determined that the domain name of the DNS query request is not represented in the probabilistic data structure, the methods may determine whether the DNS query request indicates a legitimate DNS query request. A DNS query request may include legitimate DNS requests and may include some illegitimate requests. The illegitimate requests may include bad requests, such as requests that are legitimate attempts to resolve a domain name request, as well as bogus requests, such as requests that were submitted in an attempt to deny service to others and/or to exfiltrate information from a compromised system"; [0153] provides "In Step 11-6, TIG 200 (c) may drop DNS query request (packet), In Step 11 -7, TIG 250 (c) may drop the DNS query request (packet), In Step 11-8, TIG 250 (c) may drop the DNS query request (packet)”);
generating, when the first DNS query is valid, a second DNS query from the DNS filter system to a DNS server, wherein the second DNS query comprises the domain name and sending the second DNS query (Moore [0152] provides "In Step 11-3, host 130 may generate and send a legitimate DNS query request to resolve domain name www.example-132.net towards DNS server 13”; [0153] provides "In Step 11-5, TIG 200 (c) forwards the DNS query request towards DNS server 132"; [0154] provides "In Step 11-9, TIG 250 (c) may forward the DNS query request towards DNS server 132”).
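The filtering rule quoted from Moore [0136] and walked through in Fig. 11 (membership test of the query name against a Bloom filter of registered domain names; TRUE forwards the query, FALSE on a DNS query drops it) is illustrated below. This is an added example written for this page; it is not Moore's code, nor the applicant's, and the Bloom filter parameters, the SHA-256 based hashing, the function names and the sample domain names are assumptions chosen for the illustration.

```python
"""Bloom-filter based DNS query filter, in the style of the rule quoted above.

Added illustration for this page; not code from Moore (WO 2021/102414) or
from the application under examination. Hash construction, sizes, function
names and domain names are assumptions chosen for the example.
"""
import hashlib
import math
from typing import Iterable, Iterator


class BloomFilter:
    """Space-efficient set membership: false positives possible, false negatives impossible."""

    def __init__(self, size_bits: int = 4096, num_hashes: int = 4) -> None:
        self.size = size_bits
        self.k = num_hashes
        self.count = 0
        self.bits = bytearray((size_bits + 7) // 8)

    def _positions(self, item: str) -> Iterator[int]:
        # Derive k bit positions from one SHA-256 digest by double hashing
        # (h1 + i*h2 mod m); h2 is forced odd so the k positions do not collapse.
        digest = hashlib.sha256(item.encode("utf-8")).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1
        for i in range(self.k):
            yield (h1 + i * h2) % self.size

    def add(self, item: str) -> None:
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)
        self.count += 1

    def __contains__(self, item: str) -> bool:
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(item))

    def expected_false_positive_rate(self) -> float:
        # Standard estimate (1 - e^{-kn/m})^k for n inserted elements.
        return (1 - math.exp(-self.k * self.count / self.size)) ** self.k


def normalize_name(name: str) -> str:
    """Canonicalize a QNAME (lower-case, no trailing dot) so presentation differences do not bypass the test."""
    return name.strip().rstrip(".").lower()


def build_registered_filter(registered: Iterable[str], size_bits: int = 4096) -> BloomFilter:
    """Populate the filter with the set of registered domain names (the rule's indicators)."""
    bf = BloomFilter(size_bits=size_bits)
    for name in registered:
        bf.add(normalize_name(name))
    return bf


def decide(bf: BloomFilter, qname: str, is_dns_query: bool = True) -> str:
    """Apply the two rule actions: TRUE -> forward; FALSE on a DNS query -> drop.

    Because a Bloom filter never answers FALSE for an inserted name, a registered
    domain is never dropped; a bogus name can only pass as a false positive, whose
    frequency is bounded by expected_false_positive_rate().
    """
    if normalize_name(qname) in bf:
        return "forward"
    if is_dns_query:
        return "drop"
    return "forward"  # non-query packets are not covered by the quoted conditional action


# Constructed sample data, loosely following the names in the Fig. 11 narrative.
REGISTERED = ["www.example-132.net", "www.example-132.com", "example-132.net"]
QUERIES = [
    "www.example-132.net",            # legitimate, registered
    "hyqlyn2c.www.example-133.net",   # random-label name, not registered
    "ppk6h0ec.www.example-132.net",   # random label under a registered parent
    "WWW.Example-132.NET.",           # same registered name, different presentation
]


def run_sample() -> dict:
    """Return the action taken for each sample query."""
    bf = build_registered_filter(REGISTERED)
    return {q: decide(bf, q) for q in QUERIES}


if __name__ == "__main__":
    for q, action in run_sample().items():
        print(f"{action:8s} {q}")
```

Two points worth noting from the example. First, the membership test is on the full query name, so "ppk6h0ec.www.example-132.net" is dropped even though "www.example-132.net" is registered, which matches the Fig. 11 treatment of that name as bogus; a deployment has to decide which label depth it tests. Second, the asymmetry of a Bloom filter is what makes the FALSE-then-drop rule safe for legitimate traffic: registered names can never be dropped, and the only error mode is an occasional bogus name being forwarded.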
Regarding claim 2, the system of claim 1, wherein when the first DNS query is invalid, the method further comprises: logging the first DNS query (Moore [0070], [0096], [0137], [0139]-[0141], [0180]; "16-6F", Fig. 16, Fig. 8); and providing the first DNS query to a security analysis service (Moore [0070], [0096], [0137], [0139]-[0141], [0180]; "16-6F", Fig. 16, Fig. 8).
Regarding claim 3, the system of claim 2, wherein the security analysis service is configured to update the set of rules based on external data, log analysis data, internal data, or a combination thereof (Moore [0070], [0096], [0137], [0139]-[0141], [0180]; "16-6F", Fig. 16, Fig. 8).
Regarding claim 4, the system of claim 1, wherein when the first DNS query is valid, the method further comprises rewriting a source address of the second DNS query to an original source address of the first DNS query (Moore 11-09 and 11-10, Fig. 11; [0154]).
Regarding claim 5, the system of claim 1, wherein the DNS filter system is implemented as a container or a virtual machine (VM) running on a same computing system as the DNS (Moore [0035], [0102], [0175] provides "The system components of the DNS-G/K 150 may be any combination of (e.g., co-resident) processes or applications executing on the same host, processes executing on different hosts, processes executing on virtual infrastructure, such as a hypervisor, or other arrangement of components and software.").
Regarding claim 6, the system of claim 1, wherein the set of rules comprises one or more criteria for the validity or invalidity of one or more DNS query attributes, the one or more DNS query attributes comprising a query type, a DNS query payload, a source address of the first DNS query, or a combination thereof (Moore [0048-0052]).
Regarding claim 7, the system of claim 6, wherein dropping the first DNS query is based at least in part on determining that the one or more DNS query attributes are indicative of a DNS related attack (Moore [0048-0052]).
Regarding claim 10, this claim contains limitations found within those of claim 1, and the same rationale of rejection applies, where applicable.
Regarding claim 11, this claim contains limitations found within those of claim 2, and the same rationale of rejection applies, where applicable.
Regarding claim 12, this claim contains limitations found within those of claim 3, and the same rationale of rejection applies, where applicable.
Regarding claim 14, this claim contains limitations found within those of claim 5, and the same rationale of rejection applies, where applicable.
Regarding claim 15, this claim contains limitations found within those of claim 6, and the same rationale of rejection applies, where applicable.
Regarding claim 16, this claim contains limitations found within those of claim 7, and the same rationale of rejection applies, where applicable.
Regarding claim 18, this claim contains limitations found within those of claims 1 and 4, and the same rationale of rejection applies, where applicable.
Regarding claim 19, this claim contains limitations found within those of claim 2, and the same rationale of rejection applies, where applicable.
Regarding claim 20, this claim contains limitations found within those of claim 6, and the same rationale of rejection applies, where applicable.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 8-9, 13 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Moore (WO 2021/102414), in view of Kagan (US 2018/0041466).
Regarding claim 8, Moore has taught the system of claim 1, but Moore does not explicitly teach wherein the DNS server is a DNS cache server or a DNS authoritative server. However, in a similar field of endeavor, Kagan teaches wherein the DNS server is a DNS cache server or a DNS authoritative server (Kagan fig.1 element 26 and corresponding description).
One of ordinary skill in the art before the effective filing date of Applicant’s claimed invention would have recognized the utility of a DNS cache server as taught by Kagan, in the Moore system, in order to enhance speed, efficiency, and performance by storing previous query results, reducing the need for repetitive, slow lookups to authoritative servers.
Regarding claim 9, Moore-Kagan teaches the system of claim 1, wherein the DNS server is a DNS cache server, and wherein when the first DNS query is valid, the method further comprises sending the second DNS query to a second system configured to implement a second DNS filter, a DNS authoritative server, or both (Kagan Fig. 1 element 26; fig.2 element 310; [0025], [0029]-[0030], [0046]-[0047]).
Motivation provided with reference to claim 8.
Regarding claim 13, this claim contains limitations found within those of claim 9, and the same rationale of rejection applies, where applicable.
Regarding claim 17, this claim contains limitations found within those of claim 8, and the same rationale of rejection applies, where applicable.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: Manadhata et al US 2020/0204581.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ISHRAT RASHID whose telephone number is (571)272-5372. The examiner can normally be reached 10AM-6PM EST M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Tonia L Dollinger can be reached at 571-272-4170. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/I.R/ Examiner, Art Unit 2459
/TONIA L DOLLINGER/ Supervisory Patent Examiner, Art Unit 2459