DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on March 9, 2021 has been entered.
Remarks
In a response filed on March 9, 2021, Applicant amends claims 1, 4, 7, 8, 11, 14, 15, 18 and 21.
Claims 1-19 and 21 are presented for examination.
Allowable Subject Matter
Claims 1-19 and 21 are allowed.
Reasons for Allowance
According to 37 CFR 1.104(e), if the examiner believes that the record of the prosecution as a whole does not make clear his or her reasons for allowing a claim or claims, the examiner may set forth such reasoning. Accordingly, Examiner concludes that, for clarity, the record requires that Examiner set forth reasons for the allowance of claims 1-25. The applicant or patent owner may file a statement commenting on the 
The following is an examiner’s statement of reasons for allowance.
For example, the cited prior art of record comprises inter alia the following references:
US 2017/0126706 A1    Minea et al.
US 10,574,698 B1      Sharifi Mehr
US 2018/0375897 A1    Kawasaki et al.

Regarding claims 1, 8 and 15, Minea teaches an apparatus (11, FIG. 1 / 713, FIG. 3B) (¶ 25, 32 “DGA detection system 11”; ¶ 34 “computer system 713”) comprising:
a communication interface (142, FIG. 2B) configured to enable network communications (¶ 32 “Network adapters 142 enable the server to connect to…network 12”);
a processing device (132, FIG. 2B) coupled (144, FIG. 2B) with the communication interface (¶ 32 “server processor 132…and a set of network adapters 142, all connected by…buses 144”), and configured to:
obtain first network traffic (702, FIG. 3B) from a network device (10, FIG. 1 / 711’, FIG. 3B) destined for a potential attacker (14, FIG. 1 / 714, FIG. 3B) (¶ 25, 34 “analyzes external access requests 702 sent”; ¶ 48 “parse [] external access request”; note: in order for request 702 to be analyzed or parsed, it must be “obtained” [see ¶ 34, 48]); 

obtain (502, FIG. 5A/5B), from the potential attacker, third network traffic (715, FIG. 3B) (¶ 34 “original answers 715 may be modified”; ¶ 48 “intercept 502 an original answer”); and
designate (527-531, FIG. 5C) the potential attacker as malicious based on the third network traffic (¶ 52 “potential attacker/domain…designated/added to a blacklist/malicious”; note: the “computer systems” of Minea’s blacklisted “domain names” read on the phrase “potential attacker” [see step 530 of FIG. 5C]).
However, Minea does not explicitly disclose: when the first network traffic is determined to be suspicious: generating a plurality of virtual traffic decoy profiles, each including a different set of security vulnerabilities not present in the first network traffic from the network device; generate second network traffic based on the first network traffic, a context of the network device, and contextual information of the potential attacker, wherein the second network traffic includes a plurality of second network traffic flows generated using the plurality of virtual traffic decoy profiles such that each of the plurality of second network traffic flows is generated using a different one of the plurality of the virtual traffic decoy profiles; provide the second network traffic to the potential attacker; obtain, from the potential attacker, third network traffic in response to the second network traffic.
Sharifi Mehr teaches when first network traffic is determined (604, FIG. 6) (col. 28, ln. 56 through col. 29, ln. 3 “determine/gather 604 network traffic”):
generate (608, FIG. 6) second network traffic based on the first network traffic, a context of a network device (102, FIG. 1A), and contextual information of the potential attacker (col. 29, lns. 16-28 “generate decoy content based on…context/information about the first network traffic/traffic over the communication channels being used to transmit information in the user’s network”; col. 18, lns. 42-55 “an attacker 152 that intercepted communications over at least a portion of network 104”; col. 5, lns. 26-56 “resources 102 can include physical computing devices associated with a user”; col. 5, lns. 57-60 “networks 104…can be owned and/or operated by the user associated with [] resources 102”; note: Sharifi Mehr’s “information about traffic...used to transmit information in the user’s network” is “contextual information” of both a “network device” and “potential attacker” because Sharifi Mehr discloses that its user resources 102 and its attacker 152 may send and receive communications, respectively, within the context of the traffic of the user’s network [see: col. 29, lns. 16-28; col. 18, lns. 42-55]);
provide (612, FIG. 6) the second network traffic to the potential attacker (example: 152, FIG. 1B) (col. 29, lns. 39-54 “cause…content generated at 608 to be communicated/provided 612”; col. 18, lns. 42-55 “an attacker 152”); and
obtain, from the potential attacker, third network traffic in response to the second network traffic (col. 29, ln. 55 through col. 30, ln. 3 “obtain/monitor…third traffic/ information that is submitted to an authentication system”; col. 30, lns. 4-11 “use of the bait information is detected/obtained”).
generating a plurality of virtual traffic decoy profiles, each including a different set of security vulnerabilities not present in the first network traffic from the network device, wherein the second network traffic includes a plurality of second network traffic flows generated using the plurality of virtual traffic decoy profiles such that each of the plurality of second network traffic flows is generated using a different one of the plurality of the virtual traffic decoy profiles.
In an analogous art, Kawasaki teaches:
generating a plurality of virtual traffic decoy profiles, each including a set of security vulnerabilities not present in a first network traffic from a network device (¶ 11 “honeypots comprise...virtual traffic decoy/virtual machine (VM) instances, which instantiate simulated (fake) computers or network devices...Each [] VM instance... referred to [] as a ‘VM’”; ¶ 17 “VMs can [] simulate...network services [e.g., HTTP, SSH, SMTP, etc.]...emulated services enable[] the VMs to simulate services that attackers expect to see in a specific device, and can include simulated vulnerabilities”; ¶ 63 “generate/create and deploy VMs 120”; ¶ 75 “generate virtual traffic decoy profiles/ create [] service files to be used by the virtual machines”; note: Kawasaki’s “simulated vulnerabilities” [see ¶ 17], i.e., “fake content” [see ¶ 119] is not included in Kawasaki’s first network traffic/captured “network services responses from real network devices” [see ¶ 75]),
wherein network traffic includes a plurality of network traffic flows generated using the plurality of virtual traffic decoy profiles (¶ 119 “communicating...using 
However, the prior art of record, alone or in combination, does not explicitly disclose: generating a plurality of virtual traffic decoy profiles, each including a different set of security vulnerabilities not present in the first network traffic from the network device, wherein the second network traffic includes a plurality of second network traffic flows generated using the plurality of virtual traffic decoy profiles such that each of the plurality of second network traffic flows is generated using a different one of the plurality of the virtual traffic decoy profiles.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Kalish Bell whose telephone number is (571) 272-5294.  The examiner can normally be reached on 9am-5pm, M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool.  To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).  If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/KALISH K BELL/Examiner, Art Unit 2432


/MORSHED MEHEDI/Primary Examiner, Art Unit 2432