DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 1/5/2021 has been entered.
As per Amendment, claims 1, 13 and 16 have been amended; claim 26 has been newly added; claims 1, 13 and 16 are independent claims. Claims 1-7, 12-18 and 20-26 have been examined and are pending. This Action is made Non-Final. 
 
Response to Arguments
Applicant’s arguments with respect to 35 U.S.C. 103 have been considered but are moot because of the new grounds of rejection.







Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claim(s) 1, 2, 5, 6, and 22 is/are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Singh et al. (US 2017/0223037 A1) in view of Catakoglu, Onur, Marco Balduzzi, and Davide Balzarotti. "Attacks landscape in the dark side of the web." Proceedings of the Symposium on Applied Computing. 2017.


Regarding Claim 1;
Singh discloses a method of detecting malicious interactions in a computer network, the method comprising:
generating, by a processor, at least one decoy segment (FIG. 46 and [0609] - Returning to FIG. 46, the usernames for the decoy email addresses 4630 are typically generated to resemble legitimate email addresses that may be used by the customer network 4602); 
broadcasting, by the processor, the generated at least one decoy segment in a public database (FIG. 46 and [0702] - The decoy email addresses 4630 are meant to attract the attention of malicious actors. The decoy email addresses 4630 are thus made publicly available... by placing them on websites in plain text (i.e., public database)... The decoy email addresses 4630 may be made public by the email address generation engine 4610, or by some other device or process in the customer network 4602.); 
monitoring, by the processor, communication within the computer network to identify interactions associated with the generated at least one decoy segment (FIG. 46 – Email Monitor/Malicious Email detection Engine); 
determining, by the processor, at least one indicator of compromise (IOC) for the identified interactions (FIG. 46 and FIG. 47 and [0726] - The status determined by the decision engine 4722 may be provided to the analytic engine 4724. The analytic engine 4724 may generate indicators 4736 that identify the email 4706. The indicators 4736 may include, for example, values from the email header 4742 such as values indicating the source of the email 4706 and/or a distinct or unique subject string. The indicators 4736 can also include "indicators of compromise" (IOCs). Indicators of compromise are a set of data that describes identified malicious activity. Indicators of compromise can be used to describe virus signatures, Internet Protocol (IP) addresses associated with suspicious activity, Message Data algorithm 5 (MD5) hashes of malware files, or Uniform Resource Locations (URLs) or domain names of botnet command and control servers. Indicators of compromise can be used by intrusion detection systems and anti-virus software to detect attacks on a network. Indicators of compromise may be formatted for both human and machine readers, such as for example using XML.); and 
blocking communication between the computer network and any computer associated with the determined at least one IOC ([0320] – ...an intrusion detection system (IDS), an intrusion prevention system (IPS), and/or some other network security tool or system... The IDS is a system that monitors network and system activities for malicious activities. The IPS also monitors network and system activities for malicious activity, and also actively prevents or blocks intrusions that are detected. [0726] - The indicators 4736 can also include "indicators of compromise" (IOCs). Indicators of compromise are a set of data that describes identified malicious activity. ... Indicators of compromise can be used by intrusion detection systems and anti-virus software to detect attacks on a network. and [0727] - The malicious email detection engine 4712 can send these indicators to the customer network's system administrator and/or to an automated system, either of which can attempt to find computers in the customer network that have the same modifications. Computers in the customer network that match the indicators may have had infected with the same malware and [0729]).
Singh fails to explicitly disclose wherein the at least one decoy segment comprises at least one decoy vulnerability of the computer network, and wherein the decoy segment is broadcast such that the at least one vulnerability is unusable for automated tools, and wherein an attempt to exploit the at least one decoy vulnerability is identified as an interaction associated the generated at least one decoy segment.
Introduction, p. 1739, first paragraph - Based on the accessibility of its pages, the Web can be divided in three parts: the Surface Web – which covers everything that can be located through a search engine; the Deep Web – which contains the pages that are not reached by search engine crawlers (for example because they require a registration); and the more recent Dark Web – which is dedicated to websites that are operated over a different infrastructure to guarantee their anonymity, and that often require specific software to be accessed and Honeypot Setup and Deployment, p. 1741-1742, ¶last paragraph of the page - We started by advertising our honeypot applications in three different ways: (i) by posting their URLs in several Tor network’s forums, channels, search engines and yellow pages, (ii) by visiting (twice a day) the applications via the Tor2Web proxy – which shares the visited URLs with Ahmia [2], a search engine for Tor, and (iii) by posting their URLs to several pages on the Surface Web). The examiner reasonably constructs by posting the honey pot applications (i.e., decoy) on a Tor network forum this reasonably reads on the concept that a decoy segment that is broadcasted and is unusable for automated tools as Tor guarantees anonymity, and that often require specific software to be accessed. This is further affirmed by Catakoglu as they disclose that they block the proxy services of Tor2web which uses automated scripts and crawlers, see p 1742-1742, Role of Tor Proxies, last paragraph on p. 1742-first paragraph 1742 and further they only enabled services only available on the Tor Network, Role of Tor Proxies second paragraph on 1743 and Web Application, see p. 1741 – “was instead specifically designed to avoid automated scanners.... attackers who may be interested in manually exploiting services hosted in the Dark web.” and Other Services p. 1742 – This machine, reachable only over the Tor Network. Further, as reasonably constructed the honey pot represents a decoy vulnerability of the computer network and use of the URL represents an interaction associated the generated at least one decoy segment.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Catakoglu with the broadcasting of Singh to include wherein the at least one decoy segment comprises at least one decoy vulnerability of the computer network, and wherein the decoy segment is broadcast such that the at least one vulnerability is unusable for automated tools, and wherein an attempt to exploit the at least one decoy vulnerability is identified as an interaction associated the generated at least one decoy segment.
One would have been motivated to combine the teachings of Catakoglu to Singh to provide users with a means for exploring the modus operandi of attackers on the Dark Web (Catakoglu, Conclusions, p. 1745).

Regarding Claim 2;
Singh and Catakoglu disclose the method of Claim 1.
Singh further discloses wherein the processor is external to the computer network ([0693] - Alternatively or additionally, the services provided by the email address generation engine 4610, the malicious email detection engine 4612, and/or the email monitor 4614 may be provided by a cloud service provider).

Regarding Claim 5;
Singh and Catakoglu disclose the method of Claim 1.
Singh further discloses wherein at least one decoy segment comprises information associated with the computer network ([0696] - An email address identifies an individual email user, who is a sender and/or receiver of email. An email address typically consist of a username, followed by an "@" symbol, followed by a domain name (e.g., "John.Doe@receiverdomain.com"), where the domain name is the name of a network (i.e., information associated with the computer network) from which the email user is sending and receiving email.).

Regarding Claim 6;
Singh and Catakoglu disclose the method of Claim 1.
Singh further discloses wherein the at least one decoy segment comprises at least one of: decoy injection or decoy cross-site scripting code ([0067] - For example, deception system 114 can include a decoy information broadcaster to inject decoy traffic information into a communications network and [0076]).

Regarding Claim 22;
Singh and Catakoglu disclose the method of Claim 1.
Singh further discloses wherein the processor is configured to publish ... (FIG. 46 and [0702] - The decoy email addresses 4630 are meant to attract the attention of malicious actors. The decoy email addresses 4630 are thus made publicly available... by placing them on websites in plain text (i.e., public database)... The decoy email addresses 4630 may be made public by the email address generation engine 4610, or by some other device or process in the customer network 4602.); 
Catakoglu teaches wherein the processor is configured to publish at least one of: an address of a dedicated uniform resource locator (URL) of a vulnerable web service, and an outdated version of a content management framework (Catakoglu, Honeypot Setup and Deployment, p. 1741-1742, ¶last paragraph of the page - We started by advertising our honeypot applications in three different ways: (i) by posting their URLs in several Tor network’s forums, channels, search engines and yellow pages, (ii) by visiting (twice a day) the applications via the Tor2Web proxy – which shares the visited URLs with Ahmia [2], a search engine for Tor, and (iii) by posting their URLs to several pages on the Surface Web).












Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Singh et al. (US 2017/0223037 A1) in view of Catakoglu, Onur, Marco Balduzzi, and Davide Balzarotti. "Attacks landscape in the dark side of the web." Proceedings of the Symposium on Applied Computing. 2017 and further in view of Tock et al. (US 2015/0135316 A1).

Regarding Claim 3;
Singh and Catakoglu disclose the method of Claim 1.
Singh discloses a firewall service of the computer network..., wherein the communication is blocked by the firewall service ([0077] - For example, a site's network typically includes a firewall attached to or incorporated into a gateway device that connects the site's network to outside networks. A firewall generally applies rules to network traffic, and controls what network traffic can come into a network. The firewall also typically controls network traffic that can go out of the network and [0176] – a firewall may block instructions originating from the internet).
Singh and Catakoglu fail to explicitly disclose further comprising updating an IOC database of a firewall service of the computer network with newly identified IOCs, wherein the communication is blocked by the firewall service.
However, in an analogous art, Tock teaches further comprising updating an IOC database of a firewall service of the computer network with newly identified IOCs, wherein the communication is blocked by the firewall service (Tock, FIG. 4 – Firewall “410” and [0049] - The firewall 410 is a program that protects the client computer 210 by selectively blocking connections to specific sites and/or specific types of data and [0075] and [0088] - FIG. 12 conceptually illustrates a process 1200 of some embodiments for re-evaluating previously collected sets of potential IOCs. The process 1200 receives (at 1210) an update to the IOCs. For example, the threat response platform of some embodiments re-evaluates when a new set of actual IOCs are added to the database (e.g., when a new malware or a new version of an old malware is discovered), when a set of IOCs are modified (e.g., when a malware is discovered to have more IOCs than previously realized), and/or when the known actual IOCs are re-weighted (e.g., when a value related to the actual IOCs that is used to calculate a likelihood of malware is changed in such a way that the determined likelihood of malware increases based on that IOC, alone and/or in combination with other actual IOCs).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Tock with the method of Singh and Catakoglu to include further comprising updating an IOC database of a firewall service of the computer network with newly identified IOCs, wherein the communication is blocked by the firewall service. Such a combination would provide users with a means for a threat response platform that enables a user to determine whether suspicious activity is a result of malware, or is not the result of malware (Tock, [0024]).







Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Singh et al. (US 2017/0223037 A1) in view of Catakoglu, Onur, Marco Balduzzi, and Davide Balzarotti. "Attacks landscape in the dark side of the web." Proceedings of the Symposium on Applied Computing. 2017 and further in view of Nachenberg et al. (US 2018/0191747 A1).

Regarding Claim 4;
Singh and Catakoglu disclose the method of Claim 1.
Singh and Catakoglu fail to explicitly disclose further comprising filtering out non-malicious registers from the determined at least one IOC based on predetermined whitelists.
However, in an analogous art, Nachenberg teaches filtering out non-malicious registers from the determined at least one IOC based on predetermined whitelists (Nachenberg, [0032] - For example, the IOC gathering server 112 may compare a received IOC 142 and/or its provider to a whitelist that specifies legitimate software and/or trusted IOC providers. If the received IOC matches a file in the whitelist of legitimate software, or the IOC provider does not match an IOC provider specified by the whitelist, the IOC gathering server 112 may discard the received IOC).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Nachenberg with the method of Singh and Catakoglu to include filtering out non-malicious registers from the determined at least one IOC based on predetermined whitelists. Such a combination would provide users with a means for detecting presence of security threats in ... computer systems using the indicators of compromise (Nachenberg, [0003]).

Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Singh et al. (US 2017/0223037 A1) in view of Catakoglu, Onur, Marco Balduzzi, and Davide Balzarotti. "Attacks landscape in the dark side of the web." Proceedings of the Symposium on Applied Computing. 2017 and further in view of Lee (US 7,917,593 B1).

Regarding Claim 7; 
Singh and Catakoglu disclose the method of Claim 1.
Singh and Catakoglu fail to explicitly disclose further comprising generating at least one decoy information within an email message, wherein the generated at least one decoy segment comprises at least one email address associated with the generated at least one decoy information.
However, in an analogous art, Lee teaches further comprising generating at least one decoy information within an email message, wherein the generated at least one decoy segment comprises at least one email address associated with the generated at least one decoy information (Lee, FIG. 4 – 413 Generate a fabricated reply e-mail to the given scam e-mail that includes one or more mechanisms (i.e., decoy information within an email message) →  417 Capture... → 419 Store the captured IP address and/or browser information associated with the sensor of the given scam e-mail and col. 17, lines 15-35 and col. 17 lines 55-col., 18, lines 3).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Lee with the method of Singh and Catakoglu to include further comprising generating at least one decoy information within an email message, wherein the generated at least one decoy segment comprises at least one email address associated with the generated at least one decoy information. Such a (Lee, col. 3, lines 5-36).

Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Singh et al. (US 2017/0223037 A1) in view of Catakoglu, Onur, Marco Balduzzi, and Davide Balzarotti. "Attacks landscape in the dark side of the web." Proceedings of the Symposium on Applied Computing. 2017 and further in view of Ettema et al. (US 2017/0019425 A1).

Regarding Claim 12;
Singh and Catakoglu disclose the method of Claim 1.
Singh discloses ... wherein the at least one decoy segment comprises information associated with the ... computer network (FIG. 46 – Email Monitor/Malicious Email detection Engine); and monitoring the ... computer network to identify interactions associated with the generated at least one decoy segment (FIG. 46 – Email Monitor/Malicious Email detection Engine);
Singh and Catakoglu fail to explicitly disclose creating a virtual computer network corresponding to the computer network.../virtual computer network; and monitoring the virtual computer network to identify interactions associated with...
However, in an analogous art, Ettema teaches creating a virtual computer network corresponding to the computer network.../virtual computer network ([0044] - In either use case scenario, a clone of Alice's targeted host device can be instantiated as a customized VM instance in a VM environment (e.g., instrumented VM environment), along with instances for emulating a subset of devices from the target network environment (e.g., email server, DNS server, printer, etc.) in the VM environment (e.g., using a cloud security service or on a data appliance deployed on the target network environment). In particular, the VM environment can be configured to automatically synchronize with relevant portions of the target network (e.g., network layout, IP addresses, customized host images, etc.) to implement a honey network for the target network. The malware sample (e.g., malware URL, malware file/web download, malware email, and/or malware email attachment, etc.); and monitoring the virtual computer network to identify interactions associated with [malware] ([0044] -  The behavior of the malware and any subsequent activities on the virtual clone of Alice's target host on the device and/or network interactions with other devices emulated in the honey network implemented in the VM environment and/or, in some cases, external network activities, such as over the Internet and/or with other devices on the actual target network, can also be monitored and logged to gain competitive analysis and to facilitate advanced threat prevention, as further described below.)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Ettema with the method of Singh and Catakoglu to include creating a virtual computer network corresponding to the computer network...; and monitoring the virtual computer network to identify interactions associated with... Such a combination would provide users with a means for [a] new and improved virtual machine (VM) techniques for advanced security threats (Ettema, [0037]).




Claims 13-15 and 24 is/are rejected under 35 U.S.C. 103 as being unpatentable over Singh et al. (US 2017/0223037 A1) in view of Tock et al. (US 2015/0135316 A1) and Catakoglu, Onur, Marco Balduzzi, and Davide Balzarotti. "Attacks landscape in the dark side of the web." Proceedings of the Symposium on Applied Computing. 2017.

Regarding Claim 13;
Singh discloses a system for detecting malicious interactions in a computer network with at least one blocking service ([0320], [0726], [0727], and [0729]), the system method comprising:
a non-transitory processor, in communication with the computer network (FIG. 46 and [0693]); 
...wherein the processor is configured to: 
generate at least one decoy segment (FIG. 46 and [0609] - Returning to FIG. 46, the usernames for the decoy email addresses 4630 are typically generated to resemble legitimate email addresses that may be used by the customer network 4602); 
broadcast the generated at least one decoy segment in a public database (FIG. 46 and [0702] - The decoy email addresses 4630 are meant to attract the attention of malicious actors. The decoy email addresses 4630 are thus made publicly available... by placing them on websites in plain text (i.e., public database)... The decoy email addresses 4630 may be made public by the email address generation engine 4610, or by some other device or process in the customer network 4602.);
monitor the computer network to identify interactions associated with the generated at least one decoy segment (FIG. 46 – Email Monitor/Malicious Email detection Engine);
(FIG. 46 and FIG. 47 and [0726] - The status determined by the decision engine 4722 may be provided to the analytic engine 4724. The analytic engine 4724 may generate indicators 4736 that identify the email 4706. The indicators 4736 may include, for example, values from the email header 4742 such as values indicating the source of the email 4706 and/or a distinct or unique subject string. The indicators 4736 can also include "indicators of compromise" (IOCs). Indicators of compromise are a set of data that describes identified malicious activity. Indicators of compromise can be used to describe virus signatures, Internet Protocol (IP) addresses associated with suspicious activity, Message Data algorithm 5 (MD5) hashes of malware files, or Uniform Resource Locations (URLs) or domain names of botnet command and control servers. Indicators of compromise can be used by intrusion detection systems and anti-virus software to detect attacks on a network. Indicators of compromise may be formatted for both human and machine readers, such as for example using XML.);
...block communication between the computer network and any computer associated with the determined at least one IOC ([0320] – ...an intrusion detection system (IDS), an intrusion prevention system (IPS), and/or some other network security tool or system... The IDS is a system that monitors network and system activities for malicious activities. The IPS also monitors network and system activities for malicious activity, and also actively prevents or blocks intrusions that are detected. [0726] - The indicators 4736 can also include "indicators of compromise" (IOCs). Indicators of compromise are a set of data that describes identified malicious activity. ... Indicators of compromise can be used by intrusion detection systems and anti-virus software to detect attacks on a network. and [0727] - The malicious email detection engine 4712 can send these indicators to the customer network's system administrator and/or to an automated system, either of which can attempt to find computers in the customer network that have the same modifications. Computers in the customer network that match the indicators may have had infected with the same malware and [0729]).
Singh fails to explicitly disclose
...a first non-transitory database, coupled to the processor and comprising indicator of compromise (IOC) registers, wherein the processor is configured to: 
store the determined IOC in the first database; and 
share the first database with the at least one blocking service in order to block communication between the computer network and any computer associated with the determined at least one IOC,
wherein the at least one decoy segment comprises at least one decoy vulnerability of the computer network, and wherein the decoy segment is broadcast such that the at least one vulnerability is unusable for automated tools, and wherein an attempt to exploit the at least one decoy vulnerability is identified as an interaction associated the generated at least one decoy segment.
However, in an analogous art, Tock teaches:
...a first non-transitory database, coupled to the processor and comprising indicator of compromise (IOC) registers (Tock, FIG. 4), wherein the processor is configured to: 
store the determined IOC in the first non-transitory database (Tock, FIG. 4 and [0088]); and 
share the first non-transitory database with the at least one blocking service in order to block communication between the computer network and any computer associated with the determined at least one IOC (Tock, FIG. 4 – Firewall “410” and [0049] - The firewall 410 is a program that protects the client computer 210 by selectively blocking connections to specific sites and/or specific types of data and [0075] and [0088] - FIG. 12 conceptually illustrates a process 1200 of some embodiments for re-evaluating previously collected sets of potential IOCs. The process 1200 receives (at 1210) an update to the IOCs. For example, the threat response platform of some embodiments re-evaluates when a new set of actual IOCs are added to the database (e.g., when a new malware or a new version of an old malware is discovered), when a set of IOCs are modified (e.g., when a malware is discovered to have more IOCs than previously realized), and/or when the known actual IOCs are re-weighted (e.g., when a value related to the actual IOCs that is used to calculate a likelihood of malware is changed in such a way that the determined likelihood of malware increases based on that IOC, alone and/or in combination with other actual IOCs).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Tock with the method of Singh to include ...a non-transitory first database, coupled to the processor and comprising indicator of compromise (IOC) registers, wherein the processor is configured to: store the determined IOC in the first non-transitory database; and share the first non-transitory database with the at least one blocking service in order to block communication between the computer network and any computer associated with the determined at least one IOC.
One would have been motivated to combine the teachings of Tock to Singh to enable a user to determine whether suspicious activity is a result of malware, or is not the result of malware (Tock, [0024]).
However, in an analogous art, Catakoglu wherein the at least one decoy segment comprises at least one decoy vulnerability of the computer network, and wherein the decoy Introduction, p. 1739, first paragraph - Based on the accessibility of its pages, the Web can be divided in three parts: the Surface Web – which covers everything that can be located through a search engine; the Deep Web – which contains the pages that are not reached by search engine crawlers (for example because they require a registration); and the more recent Dark Web – which is dedicated to websites that are operated over a different infrastructure to guarantee their anonymity, and that often require specific software to be accessed and Honeypot Setup and Deployment, p. 1741-1742, ¶last paragraph of the page - We started by advertising our honeypot applications in three different ways: (i) by posting their URLs in several Tor network’s forums, channels, search engines and yellow pages, (ii) by visiting (twice a day) the applications via the Tor2Web proxy – which shares the visited URLs with Ahmia [2], a search engine for Tor, and (iii) by posting their URLs to several pages on the Surface Web). The examiner reasonably constructs by posting the honey pot applications (i.e., decoy) on a Tor network forum this reasonably reads on the concept that a decoy segment that is broadcasted and is unusable for automated tools as Tor guarantees anonymity, and that often require specific software to be accessed. This is further affirmed by Catakoglu as they disclose that they block the proxy services of Tor2web which uses automated scripts and crawlers, see p 1742-1742, Role of Tor Proxies, last paragraph on p. 1742-first paragraph 1742 and further they only enabled services only available on the Tor Network, Role of Tor Proxies second paragraph on 1743 and Web Application, see p. 1741 – “was instead specifically designed to avoid automated scanners.... attackers who may be interested in manually exploiting services hosted in the Dark web.” and Other Services p. 1742 – This machine, reachable only over the Tor Network. Further, as reasonably constructed the honey pot represents a decoy vulnerability of the computer network and use of the URL represents an interaction associated the generated at least one decoy segment.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Catakoglu with the broadcasting of Singh and Tock to include wherein the at least one decoy segment comprises at least one decoy vulnerability of the computer network, and wherein the decoy segment is broadcast such that the at least one vulnerability is unusable for automated tools, and wherein an attempt to exploit the at least one decoy vulnerability is identified as an interaction associated the generated at least one decoy segment.
One would have been motivated to combine the teachings of Catakoglu to Singh and Tock to provide users with a means for exploring the modus operandi of attackers on the Dark Web (Catakoglu, Conclusions, p. 1745).

Regarding Claim 14;
Singh and Tock and Catakoglu disclose the system of Claim 13.
	Singh further discloses wherein the processor is embedded within the computer network (FIG. 46 and [0693]).

Regarding Claim 15; 
Singh and Tock and Catakoglu disclose the system of Claim 13.
Catakoglu further teaches comprising a second database coupled to the processor and comprising a list of public databases for broadcasting of the generated decoy segments (Catakoglu, Honeypot Setup and Deployment, p. 1741-1742, ¶last paragraph of the page - We started by advertising our honeypot applications in three different ways: (i) by posting their URLs in several Tor network’s forums, channels, search engines and yellow pages, (ii) by visiting (twice a day) the applications via the Tor2Web proxy – which shares the visited URLs with Ahmia [2], a search engine for Tor, and (iii) by posting their URLs to several pages on the Surface Web and Other Services p. 1742 – This machine, reachable only over the Tor Network, ran the following... also advertised all the previously described channels...).

Regarding Claim 24;
Singh and Tock and Catakoglu disclose the method of Claim 13.
Singh further discloses wherein the processor is configured to publish ... (FIG. 46 and [0702] - The decoy email addresses 4630 are meant to attract the attention of malicious actors. The decoy email addresses 4630 are thus made publicly available... by placing them on websites in plain text (i.e., public database)... The decoy email addresses 4630 may be made public by the email address generation engine 4610, or by some other device or process in the customer network 4602.); 
Catakoglu wherein the processor is configured to publish at least one of: an address of a dedicated uniform resource locator (URL) of a vulnerable web service, and an outdated version (Catakoglu, Honeypot Setup and Deployment, p. 1741-1742, ¶last paragraph of the page - We started by advertising our honeypot applications in three different ways: (i) by posting their URLs in several Tor network’s forums, channels, search engines and yellow pages, (ii) by visiting (twice a day) the applications via the Tor2Web proxy – which shares the visited URLs with Ahmia [2], a search engine for Tor, and (iii) by posting their URLs to several pages on the Surface Web).

Claims 16-18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Singh et al. (US 2017/0223037 A1) in view of Lee (US 7,917,593 B1) and Catakoglu, Onur, Marco Balduzzi, and Davide Balzarotti. "Attacks landscape in the dark side of the web." Proceedings of the Symposium on Applied Computing. 2017.

Regarding Claim 16;
Singh discloses a method of detecting malicious interactions ..., the method comprising:
publishing, by a processor, at least one decoy data item in at least one publicly accessible database (FIG. 46 and [0609] - Returning to FIG. 46, the usernames for the decoy email addresses 4630 are typically generated to resemble legitimate email addresses that may be used by the customer network 4602 and [0702] - The decoy email addresses 4630 are meant to attract the attention of malicious actors. The decoy email addresses 4630 are thus made publicly available... by placing them on websites in plain text (i.e., public database)... The decoy email addresses 4630 may be made public by the email address generation engine 4610, or by some other device or process in the customer network 4602.);
(FIG. 46 – Email Monitor/Malicious Email detection Engine); 
Singh fails to explicitly disclose a method of detecting attacks on a target computer, the method comprising:
monitoring, by the processor, a communication to the target computer to identify interactions associated with the at least one decoy data item;
determining, by the processor, at least one attribute for the identified interactions; and
blocking communication between the target computer and any external computer, the communication associated with the determined at least one attribute,
wherein the at least one decoy segment comprises at least one decoy vulnerability of the computer network, and wherein the decoy segment is broadcast such that the at least one vulnerability is unusable for automated tools, and wherein an attempt to exploit the at least one decoy vulnerability is identified as an interaction associated the generated at least one decoy segment.
However, in an analogous art, Lee teaches a method of detecting attacks on a target computer (Lee, FIG. 3), the method comprising:
monitoring, by the processor, a communication to the target computer to identify interactions associated with the at least one decoy data item (Lee, FIG. 3 and FIG. 4 – Generate a fabricated reply email... that includes one or more mechanism for obtaining the IP address and/or browser information associated with the sender of the given scam e-mail);
 (Lee, FIG. 3 and FIG. 4 – 415 Send the generated fabricated reply e-mail... → 417 Capture the IP address and/or browser information associated with the sender of the given scam e-mail);  and
blocking communication between the target computer and any external computer, the communication associated with the determined at least one attribute (Lee, FIG. 4 – 421 ...Block).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Lee with the method of Singh to include a method of detecting attacks on a target computer, the method comprising: monitoring, by the processor, a communication to the target computer to identify interactions associated with the at least one decoy data item; determining, by the processor, at least one attribute for the identified interactions; and blocking communication between the target computer and any external computer, the communication associated with the determined at least one attribute.
One would have been motivated to combine the teachings of Lee with Singh to provide users with a means for fabricating reply emails for ascertaining... the scammer (Lee, col. 3, lines 5-36).
However, in an analogous art, Catakoglu wherein the at least one decoy segment comprises at least one decoy vulnerability of the computer network, and wherein the decoy segment is broadcast such that the at least one vulnerability is unusable for automated tools, and wherein an attempt to exploit the at least one decoy vulnerability is identified as an interaction associated the generated at least one decoy segment (Introduction, p. 1739, first paragraph - Based on the accessibility of its pages, the Web can be divided in three parts: the Surface Web – which covers everything that can be located through a search engine; the Deep Web – which contains the pages that are not reached by search engine crawlers (for example because they require a registration); and the more recent Dark Web – which is dedicated to websites that are operated over a different infrastructure to guarantee their anonymity, and that often require specific software to be accessed and Honeypot Setup and Deployment, p. 1741-1742, ¶last paragraph of the page - We started by advertising our honeypot applications in three different ways: (i) by posting their URLs in several Tor network’s forums, channels, search engines and yellow pages, (ii) by visiting (twice a day) the applications via the Tor2Web proxy – which shares the visited URLs with Ahmia [2], a search engine for Tor, and (iii) by posting their URLs to several pages on the Surface Web). The examiner reasonably constructs by posting the honey pot applications (i.e., decoy) on a Tor network forum this reasonably reads on the concept that a decoy segment that is broadcasted and is unusable for automated tools as Tor guarantees anonymity, and that often require specific software to be accessed. This is further affirmed by Catakoglu as they disclose that they block the proxy services of Tor2web which uses automated scripts and crawlers, see p 1742-1742, Role of Tor Proxies, last paragraph on p. 1742-first paragraph 1742 and further they only enabled services only available on the Tor Network, Role of Tor Proxies second paragraph on 1743 and Web Application, see p. 1741 – “was instead specifically designed to avoid automated scanners.... attackers who may be interested in manually exploiting services hosted in the Dark web.” and Other Services p. 1742 – This machine, reachable only over the Tor Network. Further as reasonably constructed the honey pot represents a decoy vulnerability of the computer network and use of the URL represents an interaction associated the generated at least one decoy segment.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Catakoglu the 
One would have been motivated to combine the teachings of Catakoglu with Singh and Lee to provide users with a means for exploring the modus operandi of attackers on the Dark Web (Catakoglu, Conclusions, p. 1745).

Regarding Claim 17;
Singh and Lee and Catakoglu disclose the method of Claim 16.
	Lee further teaches updating a database of a block service of the target computer with newly identified attributes, wherein the communications blocked by the blocking service (Lee, FIG. 3 – 355 Scam e-mail filter module and FIG. 4 – 421 Use the captured the [sic] IP address and/or browser information associated with the sensor of the given scam e-mail to filter/block future scam e-mails).

Regarding Claim 18;
Singh and Lee and Catakoglu disclose the method of Claim 16.
	Singh teaches wherein the at least one decoy data item comprises information associated with the... computer ([0693] - The decoy email addresses' 4630 domain name is typically one that is used by the customer network 4602, so that the decoy email addresses 4630 further resemble actual email addresses that may be used by the customer network 4602).
(Abstract – e-mail address and FIG. 3 – Decoy e-mail receiving module and col. 11, lines 26-32).

Claims 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Singh et al. (US 2017/0223037 A1) in view of Lee (US 7,917,593 B1) and Catakoglu, Onur, Marco Balduzzi, and Davide Balzarotti. "Attacks landscape in the dark side of the web." Proceedings of the Symposium on Applied Computing. 2017 and further in view of Ettema et al. (US 2017/0019425 A1).

Regarding Claim 20;
Singh and Lee and Catakoglu disclose the method of Claim 16.
Singh further discloses ...wherein the at least one decoy item comprises information corresponding with the [computer network] (FIG. 46 – Email Monitor/Malicious Email detection Engine); and monitoring the [computer network] to identify interactions associated with the generated at least one decoy item (FIG. 46 – Email Monitor/Malicious Email detection Engine);
	Lee discloses monitoring the [target computer] to identify interactions associated with the generated at least one decoy item (Lee, FIG. 3 and FIG. 4).
Singh and Lee and Catakoglu fail to explicitly disclose creating a virtual computer associated with the target computer...; and monitoring the virtual computer to identify interactions associated with... 
However, in an analogous art, Ettema teaches creating a virtual computer associated with the target computer... ([0044] - In either use case scenario, a clone of Alice's targeted host device can be instantiated as a customized VM instance in a VM environment (e.g., instrumented VM environment), along with instances for emulating a subset of devices from the target network environment (e.g., email server, DNS server, printer, etc.) in the VM environment (e.g., using a cloud security service or on a data appliance deployed on the target network environment). In particular, the VM environment can be configured to automatically synchronize with relevant portions of the target network (e.g., network layout, IP addresses, customized host images, etc.) to implement a honey network for the target network. The malware sample (e.g., malware URL, malware file/web download, malware email, and/or malware email attachment, etc.); monitoring the virtual computer to identify interactions associated with [malware] ([0044] - The behavior of the malware and any subsequent activities on the virtual clone of Alice's target host on the device and/or network interactions with other devices emulated in the honey network implemented in the VM environment and/or, in some cases, external network activities, such as over the Internet and/or with other devices on the actual target network, can also be monitored and logged to gain competitive analysis and to facilitate advanced threat prevention, as further described below.)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Ettema with the method of Singh and Lee and Catakoglu to include creating a virtual computer network corresponding to the computer network...; and monitoring the virtual computer network to identify interactions associated with.... Such a combination would provide users with a means for [a] new and improved virtual machine (VM) techniques for advanced security threats (Ettema, [0037]).

Claims 21 is/are rejected under 35 U.S.C. 103 as being unpatentable over Singh et al. (US 2017/0223037 A1) in view of Catakoglu, Onur, Marco Balduzzi, and Davide Balzarotti. "Attacks landscape in the dark side of the web." Proceedings of the Symposium on Applied Computing. 2017 and further in view of Zhao et al. (US 9,954,893 B1).

Regarding Claim 21;
Singh and Catakoglu disclose the method of Claim 1.
Singh further discloses at least one decoy segment (FIG. 46 and [0609] - Returning to FIG. 46, the usernames for the decoy email addresses 4630 are typically generated to resemble legitimate email addresses that may be used by the customer network 4602).
	Catakoglu further teaches wherein the interaction associated with the generated at least one decoy segment is an attempt ... at least one decoy vulnerability at a ... web page (Catakoglu, Web Applications, p. 1741 – three different templates).
	Singh and Catakoglu fail to explicitly disclose wherein the interaction associated with the generated at least one decoy segment is an attempt to enter the at least one decoy vulnerability at a dedicated decoy web page.
However, in an analogous art, Zhao teaches wherein the interaction associated with the generated at least one decoy segment is an attempt to enter the at least one decoy vulnerability at a dedicated decoy web page (Zhao, FIG. 3 – Detect injected code in the decoy code and col. 1, lines 46-51). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Zhao the method of Singh and Catakoglu to include wherein the interaction associated with the generated at least one (Zhao, col. 2, lines 47-52).

Claims 23 is/are rejected under 35 U.S.C. 103 as being unpatentable over Singh et al. (US 2017/0223037 A1) in view of Tock et al. (US 2015/0135316 A1) and Catakoglu, Onur, Marco Balduzzi, and Davide Balzarotti. "Attacks landscape in the dark side of the web." Proceedings of the Symposium on Applied Computing. 2017 and further in view of Zhao et al. (US 9,954,893 B1).

Regarding Claim 23;
Singh and Tock and Catakoglu disclose the system of Claim 13.
Singh further discloses at least one decoy segment (FIG. 46 and [0609] - Returning to FIG. 46, the usernames for the decoy email addresses 4630 are typically generated to resemble legitimate email addresses that may be used by the customer network 4602).
Catakoglu further teaches wherein the interaction associated with the generated at least one decoy segment is an attempt ... at least one decoy vulnerability at a ... web page (Catakoglu, Web Applications, p. 1741 – three different templates).
	Singh and Tock and Catakoglu fail to explicitly disclose wherein the interaction associated with the generated at least one decoy segment is an attempt to enter the at least one decoy vulnerability at a dedicated decoy web page.
However, in an analogous art, Zhao teaches wherein the interaction associated with the generated at least one decoy segment is an attempt to enter the at least one decoy vulnerability at (Zhao, FIG. 3 – Detect injected code in the decoy code and col. 1, lines 46-51). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Zhao with the method of Singh and Tock and Catakoglu to include wherein the interaction associated with the generated at least one decoy segment is an attempt to enter the at least one decoy vulnerability at a dedicated decoy web page. Such a combination would provide users with a means for combatting MiTB attacks (Zhao, col. 2, lines 47-52).

Claims 25 is/are rejected under 35 U.S.C. 103 as being unpatentable over Singh et al. (US 2017/0223037 A1) in view of Lee (US 7,917,593 B1) and Catakoglu, Onur, Marco Balduzzi, and Davide Balzarotti. "Attacks landscape in the dark side of the web." Proceedings of the Symposium on Applied Computing. 2017 and further in view of Zhao et al. (US 9,954,893 B1).

Regarding Claim 25;
Singh and Lee and Catakoglu disclose the method of Claim 16.
Singh further discloses at least one decoy segment (FIG. 46 and [0609] - Returning to FIG. 46, the usernames for the decoy email addresses 4630 are typically generated to resemble legitimate email addresses that may be used by the customer network 4602).
(Catakoglu, Web Applications, p. 1741 – three different templates).
	Singh and Lee and Catakoglu fail to explicitly disclose wherein the interaction associated with the generated at least one decoy segment is an attempt to enter the at least one decoy vulnerability at a dedicated decoy web page.
However, in an analogous art, Zhao teaches wherein the interaction associated with the generated at least one decoy segment is an attempt to enter the at least one decoy vulnerability at a dedicated decoy web page (Zhao, FIG. 3 – Detect injected code in the decoy code and col. 1, lines 46-51). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Zhao with the method of Singh and Lee and Catakoglu to include wherein the interaction associated with the generated at least one decoy segment is an attempt to enter the at least one decoy vulnerability at a dedicated decoy web page. Such a combination would provide users with a means for combatting MiTB attacks (Zhao, col. 2, lines 47-52).

Claims 26 is/are rejected under 35 U.S.C. 103 as being unpatentable over Singh et al. (US 2017/0223037 A1) in view of Tock et al. (US 2015/0135316 A1) and Catakoglu, Onur, Marco Balduzzi, and Davide Balzarotti. "Attacks landscape in the dark side of the web." Proceedings of the Symposium on Applied Computing. 2017 and further in view of Herath, H. M. N. B. Web information extraction system to sense information leakage. Diss. University of Moratuwa Sri Lanka, 2017.

Regarding Claim 26;
Singh and Tock and Catakoglu disclose the method of Claim 13.
Singh further discloses “generating” at least one decoy segment... wherein the at least one decoy segment comprises a decoy...  (FIG. 46 and [0609] - Returning to FIG. 46, the usernames for the decoy email addresses 4630 are typically generated to resemble legitimate email addresses that may be used by the customer network 4602)	
	Singh and Tock and Catakoglu fail to explicitly disclose wherein at least one... segment comprises... cross-site scripting code.
However, in an analogous art, Herath teaches wherein at least one... segment comprises... cross-site scripting code (Herath, Abstract – Pastebin monitoring and page 65 - When a security vulnerability is mentioned, there is a high possibility that the post is published in the context of data leakage or hacking attack. For example, a post may mention about system vulnerabilities such as Cross-Site Scripting or SQL injection, which infer a possible exploitation of vulnerability).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Herath the decoy (Herath, Introduction, Page 1).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892 attached.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KARI L SCHMIDT whose telephone number is (571)270-1385.  The examiner can normally be reached on Monday-Friday 10am - 6pm (MDT).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571)270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to 

/KARI L SCHMIDT/Primary Examiner, Art Unit 2439