Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
This Office Action is in response to an AMENDMENT entered on December 22, 2020 for patent application 15/585,012 filed on May 2, 2017.

Claims 1-7, 9-14, 16-19 and 21-23 are pending.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 2, 10 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Sysman et al. (Pub. No.: US 2017/0134423) in view of Kapczynski et al. (Pat. No.: US 10,102,570) and Parker (Pub. No.: US 2013/0312092).
Regarding claim 1, Sysman discloses an apparatus, comprising: a generation module for generating one or more first artificial accounts for a first type of account (paras. [0037]-[0041], Fig. 7, element 704, paras. [0211], [0212] and [0220]), wherein the one or more first artificial accounts are configured to mimic an actual account for the first type of account when interacting with external entities so that the one or more first artificial accounts have the appearance of a valid account of the first type of account to an external entity interacting with the one or more first artificial accounts and so that a set of first hacking behaviors for the first type of account are detectable in actual activity between the one or more first artificial accounts and the external entity (paras. [0088], [0200] and [0212]); a learning module for learning the set of first hacking behaviors for the first type of account (paras. [0031], [0088], [0095], [0096], [0178], [0179], [0228]); analyzing first activity associated with one or more first actual accounts of the first type of account that are known to have not been previously hacked to learn a first set of characteristics in the first activity that define legitimate activity for the first type of account, wherein the first activity is performed by an authorized user for each of the one or more first actual accounts (Fig. 1, element 116, para. [0171]. 
“The analysis conducted by the campaign manager 216 may include false positive analysis to avoid identification of one or more operations initiated by one or more legitimate users, processes, applications and/or the like as the potential unauthorized operation.” When identifying “potential” unauthorized operations, the system must obviously be able to discern authorized operations.), analyzing second activity associated with one or more deception accounts to learn a second set of characteristics in the second activity that define non-legitimate activity for the first type of account, wherein the second set of characteristics in the second activity are different than and deviate from the first set of characteristics in the first activity performed by the authorized user for each of the one or more first actual accounts (para. [0089]; “The centralized management and monitoring of the deception environment may further simplify tracking the potential unauthorized operations and/or potential attacks;” para. [0104]; “operation(s) in the protected network that use the , utilizing a first set of parameters to define legitimate activity for the first type of account based on the learned first set of characteristics (para. [0209]; “The campaign manager 216 may also apply the linguistic distance comparison with the pre-defined number of characters to determine if the wrong access information is likely to be entered by the certain user or by the potential attacker. For example, assuming a real password of the certain user is GadiDean1, selected based on names of founders of a certain company using the protected network 235. While the certain user may be reasonably expected to make mistakes such as, for example, typing a password GadiDean or GadiDean2 when logging into the privileged resource(s), the certain user is less likely to make mistakes such as, for example, typing a password Shorashim1, selected based on a residence address of the certain user. 
Typically, assuming the residence address of the certain user is publicly available, for example, on the Internet, the password Shorashim1 is likely to be in the list of the predicted access information candidates. The campaign manager 216 may therefore identify the first incident (GadiDean or GadiDean2) to be an access attempt of the certain user, while the second incident (Shorashim1) may be an attempted access of the potential attacker.” Attempting a password that is inside of a predefined linguistic distance is defined as legitimate activity.), utilizing a second set of parameters that are different than and deviate from the legitimate activity defined for the first type of account to define non-legitimate activity for the first type of account based on the learned second set of characteristics (para. [0209]; “The campaign manager 216 may also apply the linguistic distance comparison with the pre-defined number of characters to determine if the wrong access information is likely to be entered by the certain user or by the potential attacker. For example, assuming a real password of the certain , and defining the set of first hacking behaviors as including a third set of characteristics comprising: any activity that does not match the first set of parameters that define the legitimate activity for the first type of account, and any activity that matches any portion of the second set of parameters that are different than and deviate from the legitimate activity performed by the authorized user for each of the one or more first actual accounts utilized to define the non-legitimate activity for the first type of account (Fig. 1, elements 116 and 118, paras. [0171]-[0182]; Fig. 7, paras. [0221]-[0228]); and a detection module for detecting first cyber-hacks in the one or more first artificial accounts in response to a third set of characteristics in the actual activity between the one or more first artificial accounts and the external entity matching any of the activities in the third set of characteristics defining the set of first hacking behaviors (Fig. 1, elements 116 and 118, paras. [0171]-[0182]; Fig. 7, paras. [0221]-[0228]).
analyzing second activity associated with one or more second actual accounts of the first type of account that are known to have been previously hacked to learn a second set of characteristics in the second activity that define non-legitimate activity for the first type of account. However, in analogous art, Kapczynski discloses a system for issuing account vulnerability alerts, wherein a “user may enter information identifying the account provider of the account that was hacked by selecting option 902. The user may indicate a method used by the hacker to gain access to the account (such as a correctly answered security question, a compromised password, or other method) by selecting from option 904. As illustrated, the user has selected that his account with the SongBuy service was compromised using a correct answer to a security question. The user may enter the security question answered by the hacker in field 906. The user may also indicate via user interface element 908 where the hacker obtained any personal data or other information used in the hacking attempt (such as a second service that the hacker used to find the answer to a security question). In the illustrated example, the hacker may have determined the answer to the user's security question from profile information on a social networking service, SocialSite. Upon completing the form, the user may select submit option 910 in order to submit the entered information to the analysis system 100 to be analyzed and/or for a rule to be generated and stored (col. 9, ln. 37-57; see also figure 9).” Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Sysman to allow for analyzing second activity associated with one or more second actual accounts of the first type of account that are known to have been previously hacked to learn a second set of characteristics in the second activity that define non-legitimate activity for the first type of account. This would 
Although Sysman discloses a learning module, and also discloses analyzing first and second activities as disclosed above, it could be argued that the combination of Sysman and Kapczynski does not explicitly disclose wherein the learning module learns the behaviors by analyzing first and second activities as disclosed above, and defining first and second sets of parameters as disclosed above. However, in analogous art, Parker discloses gathering cyber attack data (Fig. 3, element 200, para. [0076]), analyzing the data to extract quantitative data (EQD) (Fig. 3, element 210, para. [0076]), comparing the EQD with a database of existing adversary and attack data (AAD) (Fig. 3, element 220, para. [0077]), and determining “if the adversary associated with the attack data is a known adversary based on the comparison done at step 220 (Fig. 3, element 230, para. [0077]),” wherein a correlation level between EQD and profiles of known adversaries may also be performed (Figs. 4A and 4B, paras. [0079]-[0094]). Therefore, it would have been obvious to one of ordinary skill in the art at the time of the invention to modify Sysman and Kapczynski to allow for the learning module to learn the behaviors by analyzing first activity associated with one or more actual accounts that have not been previously hacked to identify a first set of characteristics in the first activity that define legitimate activity for the first account type, analyzing second activity associated with one or more actual accounts that were previously hacked to identify a second set of characteristics in the second activity that define non-legitimate activity for the first account type, defining a first set of parameters that define legitimate activity for the first type of account based on the first set of characteristics, and defining a second set of parameters that are outside of the legitimate activity defined for the first type of account based on the second set of characteristics. This would have 
Regarding claim 2, the combination of Sysman, Kapczynski and Parker discloses the apparatus of claim 1, and further discloses wherein the generation module further groups the one or more first artificial accounts in a valid account store comprising a plurality of actual accounts for the first type of account (para. [0104]. Sysman creates “a deception environment that co-exists with a real processing environment.” However, as it could be argued that Sysman does not explicitly disclose this limitation, Examiner will provide a redundant rejection below.), and the one or more first artificial accounts and the plurality of actual accounts appear the same to an external entity interacting with the one or more first artificial accounts and the plurality of actual accounts (para. [0104]; “The deception data objects are updated constantly and dynamically to avoid stagnancy and mimic a real and dynamic environment with the deception data objects appearing as valid data objects such that the potential attacker believes the emulated deception environment is a real one.”)
Regarding claim 10, Sysman discloses a method, comprising: generating, by a processor, one or more first artificial accounts for a first type of account (paras. [0037]-[0041], Fig. 7, element 704, paras. [0211], [0212] and [0220]); wherein the one or more first artificial accounts are configured to mimic an actual account for the first type of account when interacting with external entities so that the one or more first artificial accounts have the appearance of a valid account of the first type of account to an external entity interacting with the one or more first artificial accounts and so that a set of first hacking behaviors for the first type of account are detectable in actual activity between the one or more first artificial accounts and the external entity (paras. [0088], [0200] and [0212]); learning the set of first hacking behaviors for the first type of account by (paras. [0031], [0088], [0095], [0096], [0178], [0179], [0228]): analyzing first activity associated with one or more first actual accounts of the first type of account that are known to have not been previously hacked to learn a first set of characteristics in the first activity that define legitimate activity for the first type of account, wherein the first activity is performed by an authorized user for each of the one or more first actual accounts (Fig. 1, element 116, para. [0171]. 
“The analysis conducted by the campaign manager 216 may include false positive analysis to avoid identification of one or more operations initiated by one or more legitimate users, processes, applications and/or the like as the potential unauthorized operation.” When identifying “potential” unauthorized operations, the system must obviously be able to discern authorized operations.), analyzing second activity associated with one or more deception accounts to learn a second set of characteristics in the second activity that define non-legitimate activity for the first type of account, wherein the second set of characteristics in the second activity are different than and deviate from the first set of characteristics in the first activity performed by the authorized user for each of the one or more first actual accounts (para. [0089]; “The centralized management and monitoring of the deception environment may further simplify tracking the potential unauthorized operations and/or potential attacks;” para. [0104]; “operation(s) in the protected network that use the deception data object(s) may be considered as potential unauthorized operation(s) that in turn may be indicative of a potential attacker.”), utilizing a first set of parameters to define legitimate activity for the first type of account based on the first set of characteristics (para. [0209]; “The campaign manager 216 may also apply the linguistic distance comparison with the pre-defined number of , utilizing a second set of parameters that are different than and deviate from the legitimate activity defined for the first type of account to define non-legitimate activity for the first type of account based on the second set of characteristics (para. [0209]; “The campaign manager 216 may also apply the linguistic distance comparison with the pre-defined number of characters to determine if the wrong access information is likely to be entered by the certain user or by the potential attacker. 
For example, assuming a real password of the certain user is GadiDean1, selected based on names of founders of a certain company using the protected network 235. While the certain user may be reasonably expected to make mistakes such as, for example, typing a password GadiDean or GadiDean2 when logging into the privileged resource(s), the certain user is less likely to make mistakes such as, for example, typing a password Shorashim1, selected based on a , and defining the set of first hacking behaviors as including a third set of characteristics comprising: any characteristic in any activity that does not match the first set of parameters that define the legitimate activity for the first type of account, and any characteristic in any activity that matches any portion of the second set of parameters that are different than and deviate from the legitimate activity performed by the authorized user for each of the one or more first actual accounts utilized to define the non-legitimate activity for the first type of account (Fig. 1, elements 116 and 118, paras. [0171]-[0182]; Fig. 7, paras. [0221]-[0228]); and detecting first cyber-hacks in the one or more first artificial accounts in response to a third set of characteristics in the actual activity between the one or more first artificial accounts and the external entity matching any of the activities in the third set of characteristics defining the set of first hacking behaviors (Fig. 1, elements 116 and 118, paras. [0171]-[0182]; Fig. 7, paras. [0221]-[0228]).
It could be argued that Sysman does not explicitly disclose analyzing second activity associated with one or more second actual accounts of the first type of account that are known to have been previously hacked to learn a second set of characteristics in the second activity that define non-legitimate activity for the first type of account. However, in analogous art, Kapczynski discloses a system for issuing account vulnerability alerts, wherein a 
Although Sysman discloses learning hacking behaviors, and also discloses analyzing first and second activities as disclosed above, it could be argued that the combination of Sysman and Kapczynski does not explicitly disclose wherein the learning of the behaviors is performed by analyzing first and second activities as disclosed above, and defining first and second sets of 
Regarding claim 16, Sysman discloses a computer program product comprising a computer readable storage medium (Examiner is interpreting the “computer readable storage medium” as non-transitory, based on Applicant’s comments in para. [0019] of the specification.) having program instructions embodied therewith, the program instructions executable by a processor to cause the processor to: generate one or more first artificial accounts for a first type of account (paras. [0037]-[0041], Fig. 7, element 704, paras. [0211], [0212] and [0220]); wherein the one or more first artificial accounts are configured to mimic an actual account for the first type of account when interacting with external entities so that the one or more first artificial accounts have the appearance of a valid account of the first type of account to an external entity interacting with the one or more first artificial accounts and so that a set of first hacking behaviors for the first type of account are detectable in actual activity between the one or more first artificial accounts and the external entity (paras. [0088], [0200] and [0212]); learn the set of first hacking behaviors for the first type of account (paras. [0031], [0088], [0095], [0096], [0178], [0179], [0228]); analyzing first activity associated with one or more first actual accounts of the first type of account that are known to have not been previously hacked to learn a first set of characteristics in the first activity that define legitimate activity for the first type of account, wherein the first activity is performed by an authorized user for each of the one or more first actual accounts (Fig. 1, element 116, para. [0171]. 
“The analysis conducted by the campaign manager 216 may include false positive analysis to avoid identification of one or more operations initiated by one or more legitimate users, processes, applications and/or the like as the potential unauthorized operation.” When identifying “potential” unauthorized operations, the system must obviously be able to discern authorized operations.), analyzing second activity associated with one or more deception accounts to learn a second set of characteristics in the second activity that define non-legitimate activity for the first type of account, wherein the second set of characteristics in the second activity are different than and deviate from the first set of characteristics in the first activity performed by the authorized user for each of the one or more first actual accounts (para. [0089]; “The centralized management and monitoring of the deception environment may further simplify tracking the potential unauthorized operations and/or potential attacks;” para. [0104]; “operation(s) in the protected network that use the deception data object(s) may be considered as potential unauthorized operation(s) that in turn may be indicative of a potential attacker.”), utilizing a first set of parameters to define legitimate activity for the first type of account based on the first set of characteristics (para. [0209]; “The campaign manager 216 may also apply the linguistic distance comparison with the pre-defined number of characters to determine if the wrong access information is likely to be entered by the certain user or by the potential attacker. For example, assuming a real password of the certain user is GadiDean1, selected based on names of founders of a certain company using the protected network 235. 
While the certain user may be reasonably expected to make mistakes such as, for example, typing a password GadiDean or GadiDean2 when logging into the privileged resource(s), the certain user is less likely to make mistakes such as, for example, typing a password Shorashim1, selected based on a residence address of the certain user. Typically, assuming the residence address of the certain user is publicly available, for example, on the Internet, the password Shorashim1 is likely to be in the list of the predicted access information candidates. The campaign manager 216 may therefore identify the first incident (GadiDean or GadiDean2) to be an access attempt of the certain user, while the second incident (Shorashim1) may be an attempted access of the potential attacker.” Attempting a password that is inside of a predefined linguistic distance is defined as legitimate activity.), utilizing a second set of parameters that are different than and deviate from the legitimate activity defined for the first type of account to define non-legitimate activity for the first type of account based on the second set of characteristics (para. [0209]; “The campaign manager 216 may also apply the linguistic distance comparison with the pre-defined number of characters to determine if the wrong access information is likely to be entered by the certain user or by the potential attacker. For example, assuming a real password of the certain user is GadiDean1, selected based on names of founders of a certain company using the protected network 235. While the certain user may be reasonably expected to make mistakes such as, for example, typing a password GadiDean or GadiDean2 when logging into the privileged resource(s), the certain user is less likely to make mistakes such as, for example, typing a password Shorashim1, selected based on a residence address of the certain user. 
Typically, assuming the residence address of the certain user is publicly available, for example, on the Internet, the password Shorashim1 is likely to be in the list of the predicted access information candidates. The campaign manager 216 may therefore identify the first incident (GadiDean or GadiDean2) to be an access attempt of the certain user, while the second incident (Shorashim1) may be an attempted access of the potential attacker.” Attempting a password that is outside of a predefined linguistic distance is defined as outside of legitimate activity.), and defining the set of first hacking behaviors as including a third set of characteristics comprising: any characteristic in any activity that does not match the first set of parameters that define the legitimate activity for the first type of account, and any characteristic in any activity that matches any portion of the second set of parameters that are different than and deviate from the legitimate activity performed by the authorized user for each of the one or more first actual accounts utilized to define the non-legitimate activity for the first type of account (Fig. 1, elements 116 and 118, paras. [0171]-[0182]; Fig. 7, paras. [0221]-[0228]); and detect first cyber-hacks in the one or more first artificial accounts in response to a third set of characteristics in the actual activity between the one or more first artificial accounts and the external entity matching any activities in the third set of characteristics defining the set of first hacking behaviors (Fig. 1, elements 116 and 118, paras. [0171]-[0182]; Fig. 7, paras. [0221]-[0228]).
It could be argued that Sysman does not explicitly disclose analyzing second activity associated with one or more second actual accounts of the first type of account that are known to have been previously hacked to learn a second set of characteristics in the second activity that define non-legitimate activity for the first type of account. However, in analogous art, Kapczynski discloses a system for issuing account vulnerability alerts, wherein a “user may enter information identifying the account provider of the account that was hacked by selecting option 902. The user may indicate a method used by the hacker to gain access to the account (such as a correctly answered security question, a compromised password, or other method) by selecting from option 904. As illustrated, the user has selected that his account with the SongBuy service was compromised using a correct answer to a security question. The user may enter the security question answered by the hacker in field 906. The user may also indicate via user interface element 908 where the hacker obtained any personal data or other information used in the hacking attempt (such as a second service that the hacker used to find the answer to a security question). In the illustrated example, the hacker may have determined the answer to the user's security question from profile information on a social networking service, SocialSite. Upon completing the form, the user may select submit option 910 in order to submit the entered information to the analysis system 100 to be analyzed and/or for a rule to be generated and stored (col. 9, ln. 37-57; see also figure 9).” Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Sysman to allow for analyzing second activity associated with one or more second actual accounts of the first type 
Although Sysman discloses a learning module, and also discloses analyzing first and second activities as disclosed above, it could be argued that the combination of Sysman and Kapczynski does not explicitly disclose wherein the learning module learns the behaviors by analyzing first and second activities as disclosed above, and defining first and second sets of parameters as disclosed above. However, in analogous art, Parker discloses gathering cyber attack data (Fig. 3, element 200, para. [0076]), analyzing the data to extract quantitative data (EQD) (Fig. 3, element 210, para. [0076]), comparing the EQD with a database of existing adversary and attack data (AAD) (Fig. 3, element 220, para. [0077]), and determining “if the adversary associated with the attack data is a known adversary based on the comparison done at step 220 (Fig. 3, element 230, para. [0077]),” wherein a correlation level between EQD and profiles of known adversaries may also be performed (Figs. 4A and 4B, paras. [0079]-[0094]). Therefore, it would have been obvious to one of ordinary skill in the art at the time of the invention to modify Sysman and Kapczynski to allow for the learning module to learn the behaviors by analyzing first activity associated with one or more actual accounts that have not been previously hacked to identify a first set of characteristics in the first activity that define legitimate activity for the first account type, analyzing second activity associated with one or more actual accounts that were previously hacked to identify a second set of characteristics in the second activity that define non-legitimate activity for the first account type, defining a first set of parameters that define legitimate activity for the first type of account based on the first set of .

Claims 2, 3, 11 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Sysman et al. (Pub. No.: US 2017/0134423) in view of Kapczynski et al. (Pat. No.: US 10,102,570) and Parker (Pub. No.: US 2013/0312092), and further in view of Shabtai et al. (Pub. No.: US 2015/0326608).
Regarding claim 2, the combination of Sysman, Kapczynski and Parker discloses the apparatus of claim 1, wherein the one or more first artificial accounts and the plurality of actual accounts appear the same to an external entity interacting with the one or more first artificial accounts and the plurality of actual accounts (para. [0104]; “The deception data objects are updated constantly and dynamically to avoid stagnancy and mimic a real and dynamic environment with the deception data objects appearing as valid data objects such that the potential attacker believes the emulated deception environment is a real one.”), but it could be argued that Sysman does not explicitly disclose wherein the generation module further groups the one or more first artificial accounts in a valid account store comprising a plurality of actual accounts for the first type of account. However, in analogous art, Shabtai discloses “[a]n SN Crawler module 20 whose main function is to manage the extraction of SN profiles from selected SNs (in this example LinkedIn and XING) and the insertion of the 
Regarding claim 3, the combination as stated above discloses the apparatus of claim 2, and further discloses wherein the one or more first artificial accounts comprise a portion of the valid account store in the range of one percent to twenty-five percent (Shabtai, paras. [0091], [0092]. The “massive numbers of artificial profiles” generated could obviously be in the range of one percent to twenty-five percent of the valid accounts. This would have produced predictable and desirable results, in that it would allow for the artificial accounts to be a large enough portion of the total accounts to yield helpful results, while not being so large that they .
Regarding claim 11, the combination of Sysman, Kapczynski and Parker discloses the method of claim 10, but it could be argued that Sysman does not explicitly disclose further comprising: grouping the one or more first artificial accounts in a valid account store comprising a plurality of actual accounts for the first type of account, wherein the one or more first artificial accounts comprise a portion of the valid account store in the range of one percent to twenty-five percent. However, in analogous art, Shabtai discloses “[a]n SN Crawler module 20 whose main function is to manage the extraction of SN profiles from selected SNs (in this example LinkedIn and XING) and the insertion of the extracted profile data into a generic database of profiles 22. Every selected SN will be crawled by a designated plugin 20a, 20b, . . . 20n. [0068] A Profiles Database 22 containing actual profiles extracted from selected SNs. [0069] A Honeypot Manager module 24, which comprises: [0070] An Artificial Profile Generator module 26, which is a wizard for generation of artificial profile records using actual profiles in the profiles database 22. The artificial profile generator implements the main algorithm for generating artificial profiles (honeytokens). This module is used to create honeypots that will blend well into the target SN (paras. [0067]-[0070]; Fig. 3),” which means that all of the actual profiles and the artificial profiles will be stored alongside each other in the respective databases of the relevant social network, wherein a “massive numbers of artificial 
Regarding claim 17, the combination of Sysman, Kapczynski and Parker discloses the computer program product of claim 16, but it could be argued that Sysman does not explicitly disclose wherein the program instructions further cause the processor to: group the one or more first artificial accounts in a valid account store comprising a plurality of actual accounts for the first type of account, wherein the one or more first artificial accounts comprise a portion of the valid account store in the range of one percent to twenty-five percent. However, in analogous art, Shabtai discloses “[a]n SN Crawler module 20 whose main function is to manage the extraction of SN profiles from selected SNs (in this example LinkedIn and XING) and the insertion of the extracted profile data into a generic database of profiles 22. Every selected SN will be crawled by a designated plugin 20a, 20b, . . . 20n. [0068] A Profiles Database 22 containing actual profiles extracted from selected SNs. [0069] A Honeypot Manager module 24, which comprises: [0070] An Artificial Profile Generator module 26, which is a wizard for generation of artificial profile records using actual profiles in the profiles database 22. The artificial profile generator implements the main algorithm for generating artificial profiles (honeytokens). This module is used to create honeypots that will blend well into the target SN (paras. [0067]-[0070]; Fig. 3),” which means that all of the actual profiles and the artificial profiles will be stored alongside each other in the respective databases of the relevant social network, wherein a “massive numbers of artificial profiles” may be generated (Shabtai, paras. [0091], [0092]), which could obviously be in the range of one percent to twenty-five percent of the valid accounts. 
Therefore, it would have been obvious to one of ordinary skill in the art at the time of the invention to modify Sysman, Kapczynski and Parker to allow for grouping the one or more first artificial accounts in a valid account store comprising a plurality of actual accounts for the first type of account, wherein the one or more first artificial accounts comprise a portion of the valid account store in the range of one percent to twenty-five percent. This would have produced predictable and desirable results, in that it would avoid alerting a potential hacker to the illegitimacy of the artificial accounts that may occur if said artificial accounts were stored differently or in a different location than the valid accounts, which could increase the effectiveness of the system, while also allowing for the artificial accounts to be a large enough portion of the total accounts to yield helpful results, while not being so large that they would be .


Claims 4 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Sysman et al. (Pub. No.: US 2017/0134423) in view of Kapczynski et al. (Pat. No.: US 10,102,570) and Parker (Pub. No.: US 2013/0312092), and further in view of Zimmerman et al. (Pub. No.: US 2018/0027006).
Regarding claim 4, the combination of Sysman, Kapczynski and Parker discloses the apparatus of claim 1, wherein: the generation module further generates one or more second artificial accounts associated with one or more additional types of account; each of the one or more additional type of account includes a respective second plurality of actual accounts (para. [0212]), but it could be argued that Sysman does not explicitly disclose wherein the learning module further learns one or more second hacking behaviors for each second type of account; and the detection module further detects second cyber-hacks in second activity in the one or more second artificial accounts based on the one or more second hacking behaviors. However, in analogous art, Zimmerman discloses detecting threats in cyber security situations by monitoring user behavior and activities and “correlating, comparing, and otherwise identifying patterns and irregularities in activities, such as comparing across various users, groups and enterprises. This can be important since a very small level of activity may not 
Regarding claim 12, the combination of Sysman, Kapczynski and Parker discloses the method of claim 10, and further discloses further comprising: generating, by the processor, one or more second artificial accounts associated with one or more additional types of account, wherein each of the one or more additional types of account includes a respective second plurality of actual accounts (para. [0212]), but it could be argued that Sysman does not explicitly disclose learning one or more second hacking behaviors for each additional type of account; and detecting second cyber-hacks in second activity in the one or more second artificial accounts based on the one or more second hacking behaviors. However, in analogous art, Zimmerman discloses detecting threats 


Claims 5, 6, 13 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Sysman et al. (Pub. No.: US 2017/0134423) in view of Kapczynski et al. (Pat. No.: US 10,102,570) and Parker (Pub. No.: US 2013/0312092), and further in view of Zimmerman et al. (Pub. No.: US 2018/0027006) and Scheidell (Pub. No.: US 2004/0098623). 
the apparatus of claim 4, and further discloses wherein: the generation module further groups the one or more first artificial accounts and the one or more second artificial accounts in a valid account store comprising a first plurality of actual accounts and a second plurality of actual accounts for the first type of account; the first plurality of actual accounts are managed by a first entity; the second plurality of actual accounts are managed by a second entity (Sysman, para. [0104]. It would have been a matter of obvious design choice as to how the accounts are stored and managed.); and although Zimmerman discloses that “[a]dditional opportunities for the application of cyber intelligence based on UBA may include community intelligence (including intelligence relating to threats that affect multiple enterprises, including across different applications and platforms (para. [0131]; see also paras. [0150], [0180] and [0243]-[0245]),” it could be argued that Sysman and Zimmerman do not explicitly disclose wherein the detection module further distinguishes between a general cyber-hack and a specific cyber-hack, wherein: the general cyber-hack is detected based on a first frequency of access for the first type of account, and the specific cyber-hack is detected based on one of a second frequency of access for the first entity and a third frequency of access for the second entity. However, in analogous art, Scheidell discloses intrusion detection capabilities such as “allowing an attack on a client network to be distinguished between a general attack on multiple clients on the network or a specific attack directed at the particular client. Furthermore, the edge network allows for the determination of new attack processes prior to an attack upon a client network in order that the vulnerability of the client network may be ascertained and preemptive measures taken (para. [0054]),” which teaches that security systems can be taught to distinguish between general and specific attacks, wherein a “third alert is generated in response to an increase in rate 
Regarding claim 6, the combination as stated above discloses the apparatus of claim 4, and further discloses wherein: the generation module further: groups the one or more first artificial accounts in a first valid account store comprising a first plurality of actual accounts for the first type of account, and groups the one or more second artificial accounts in a second valid account store comprising a second plurality of actual accounts for the second type of account; the first type of account and the second type of account are different types of account; the first plurality of actual accounts and the second plurality of actual accounts are managed by a same entity (Sysman, para. [0104]. It would have been a matter of obvious design choice as to how the accounts are stored and managed.); and although Zimmerman discloses that “[a]dditional opportunities for the application of cyber intelligence based on UBA may include community intelligence (including intelligence relating to threats that affect multiple enterprises, including across different applications and platforms (para. [0131]; see also paras. [0150], [0180] and [0243]-[0245]),” it could be argued that Sysman and Zimmerman do not explicitly disclose wherein the detection module further distinguishes between a general cyber-hack and a specific cyber-hack, wherein: the general cyber-hack is detected based on a first frequency of access for the entity, and the specific cyber-hack is detected based on one of a second frequency of access for the first type of account and a third frequency of access for the second type of account. However, in analogous art, Scheidell discloses intrusion detection capabilities such as “allowing an attack on a client network to be distinguished between a general attack on multiple clients on the network or a specific attack directed at the particular client. Furthermore, the edge network allows for the determination of new attack processes prior to an attack upon a client network in order that the vulnerability of the client network may be ascertained and preemptive measures taken (para. [0054]),” which teaches that security systems can be taught to distinguish between general and specific attacks, wherein a “third alert is generated in response to an increase in rate or frequency of attacks of that characteristic exceeding a predetermined rate or frequency. Other methods of determining the rate or frequency of events known to those familiar with the art are also anticipated. Furthermore, the predetermined rate or frequency may be varied deterministically as deterministic variations of thresholds are known to those familiar with the art (para. [0048]),” which teaches that frequency of access is a well-known factor used in evaluating attacks. Therefore, it would have been obvious to one of ordinary skill in the art at the time of the invention to modify the detection module as disclosed by the above art to allow for it to distinguish between a general cyber-hack and a specific cyber-hack, wherein the general cyber-
Regarding claim 13, the combination as stated above discloses the method of claim 12, and further discloses further comprising: grouping the one or more first artificial accounts and the one or more second artificial accounts in a valid account store comprising a first plurality of actual accounts and a second plurality of actual accounts for the first type of account, wherein the first plurality of actual accounts are managed by a first entity and the second plurality of actual accounts are managed by a second entity (Sysman, para. [0104]. It would have been a matter of obvious design choice as to how the accounts are stored and managed.); and although Zimmerman discloses that “[a]dditional opportunities for the application of cyber intelligence based on UBA may include community intelligence (including intelligence relating to threats that affect multiple enterprises, including across different applications and platforms (para. [0131]; see also paras. [0150], [0180] and [0243]-[0245]),” it could be argued that Sysman and Zimmerman do not explicitly disclose distinguishing between a general cyber-hack based on the first type of account and a specific cyber-hack based on one of the first entity and the second entity. However, in analogous art, Scheidell discloses intrusion detection capabilities such as “allowing an attack on a client network to be distinguished between a general attack on multiple clients on the network or a specific attack directed at the particular client. Furthermore, the edge network allows for the determination of new attack processes prior to an attack upon a client network in order that the vulnerability of the 
Regarding claim 14, the combination as stated above discloses the method of claim 12, and further discloses further comprising: grouping the one or more first artificial accounts in a first valid account store comprising a first plurality of actual accounts for the first type of account; grouping the one or more second artificial accounts in a second valid account store comprising a second plurality of actual accounts for an additional type of account, wherein the first type of account and the additional type of account are different types of account, and the first plurality of actual accounts and the second plurality of actual accounts are managed by a same entity (Sysman, para. [0104]. It would have been a matter of obvious design choice as to how the accounts are stored and managed.); and although Zimmerman discloses that “[a]dditional opportunities for the application of cyber intelligence based on UBA may include community intelligence (including intelligence relating to threats that affect multiple enterprises, including across different applications and platforms (para. [0131]; see also paras. [0150], [0180] and [0243]-[0245]),” it could be argued that Sysman and Zimmerman do not explicitly disclose distinguishing between a general cyber-hack based on the entity and a specific cyber-hack based on one of the first type of account and the additional type of account. However, in analogous art, Scheidell discloses intrusion detection capabilities such as “allowing an attack on a client network to be distinguished between a general attack on multiple clients on the network or a specific attack directed at the particular client. Furthermore, the edge network allows for the determination of new attack processes prior to an attack upon a client network in order that the vulnerability of the client network may be ascertained and preemptive measures taken (para. [0054]),” which teaches that security systems can be taught to distinguish between general and specific attacks. Therefore, it would have been obvious to one of ordinary skill in the art at the time of the invention to modify the detection module as disclosed by the above art to allow for it to distinguish between a general cyber-hack based on the entity and a specific cyber-hack based on one of the first type of account and the additional type of account. This would have produced predictable and desirable results, in that it would allow for the cyber intelligence platform to better adapt and prepare to meet future potential attacks.


Claims 7, 21 and 23 are rejected under 35 U.S.C. 103 as being unpatentable over Sysman et al. (Pub. No.: US 2017/0134423) in view of Kapczynski et al. (Pat. No.: US 10,102,570) and Parker (Pub. No.: US 2013/0312092), and further in view of Sudia (Pub. No.: US 2013/0263226).
Regarding claim 7, the combination of Sysman, Kapczynski and Parker discloses the apparatus of claim 1, further comprising: a monitoring module for monitoring the one or more first artificial accounts for the first activity (Sysman, para. [0104]), and although Sysman and Parker disclose accounts with financial associations, it could be argued that Sysman does not explicitly disclose wherein: the first type of account is a financial account, the first activity is at least one of sign-in activity and transaction activity for the one or more first artificial accounts, and the detection module detects a first cyber-hack in response to an artificial account experiencing the one or more first hacking behaviors. However, in analogous art, Sudia discloses a false banking, credit card, and ecommerce system “that can a) generate and distribute seemingly valid false credentials that are made available to be "stolen" by criminals, b) provide an assortment of seemingly valid websites, business servers, or ecommerce sites that will apparently accept the false credentials, and c) track each use and provide trace information for use by law enforcement to apprehend and prosecute cyber offenders (Abstract),” wherein the system will detect various sign-in and transaction activity when looking for potential malicious activity (paras. [0122]-[0127], [0140]-[0152], [0174]). Therefore, it would have been obvious to one of ordinary skill in the art at the time of the invention to modify Sysman, Kapczynski and Parker to allow for the first type of account to be a financial account, the first activity to be at least one of sign-in activity and transaction activity for the one or more first artificial accounts, and the detection module detects a first cyber-hack in response to an artificial account experiencing the one or more first hacking behaviors. 
This would have produced predictable and desirable results, in that it would allow for the system of Sysman and Parker to be used to detect potential fraud in a larger array of activities, which could increase the scope and usefulness of the system.
Regarding claim 21, the combination of Sysman, Kapczynski and Parker discloses the method of claim 10, further comprising: monitoring the one or more first artificial accounts for the first activity (Sysman, para. [0104]), and although Sysman and Parker disclose accounts with financial associations, it could be argued that Sysman does not explicitly disclose wherein: the first type of account is a financial account, and the first activity is at least one of sign-in activity and transaction activity for the one or more first artificial accounts; and detecting a first cyber-hack in response to an artificial account experiencing the one or more first hacking behaviors. However, in analogous art, Sudia discloses a false banking, credit card, and ecommerce system “that can a) generate and distribute seemingly valid false credentials that are made available to be "stolen" by criminals, b) provide an assortment of seemingly valid websites, business servers, or ecommerce sites that will apparently accept the false credentials, and c) track each use and provide trace information for use by law enforcement to apprehend and prosecute cyber offenders (Abstract),” wherein the system will detect various sign-in and transaction activity when looking for potential malicious activity (paras. [0122]-[0127], [0140]-[0152], [0174]). Therefore, it would have been obvious to one of ordinary skill in the art at the time of the invention to modify Sysman, Kapczynski and Parker to allow for the first type of account to be a financial account, and the first activity to be at least one of sign-in activity and transaction activity for the one or more first artificial accounts, and detecting a first cyber-hack in response to an artificial account experiencing the one or more first hacking behaviors. 
This would have produced predictable and desirable results, in that it would allow for the system of Sysman and Parker to be used to detect potential fraud in a larger array of activities, which could increase the scope and usefulness of the system.
Regarding claim 23, the combination of Sysman, Kapczynski and Parker discloses the computer program product of claim 16, wherein the program instructions further cause the processor to: monitor the one or more first artificial accounts for the first activity (Sysman, para. [0104]), and although Sysman and Parker disclose accounts with financial associations, it could be argued that Sysman does not explicitly disclose wherein: the first type of account is a financial account, and the first activity is at least one of sign-in activity and transaction activity for the one or more first artificial accounts; and detect a first cyber-hack in response to an artificial account experiencing the one or more first hacking behaviors. However, in analogous art, Sudia discloses a false banking, credit card, and ecommerce system “that can a) generate and distribute seemingly valid false credentials that are made available to be "stolen" by criminals, b) provide an assortment of seemingly valid websites, business servers, or ecommerce sites that will apparently accept the false credentials, and c) track each use and provide trace information for use by law enforcement to apprehend and prosecute cyber offenders (Abstract),” wherein the system will detect various sign-in and transaction activity when looking for potential malicious activity (paras. [0122]-[0127], [0140]-[0152], [0174]). Therefore, it would have been obvious to one of ordinary skill in the art at the time of the invention to modify Sysman, Kapczynski and Parker to allow for the first type of account to be a financial account, and the first activity to be at least one of sign-in activity and transaction activity for the one or more first artificial accounts, and detect a first cyber-hack in response to an artificial account experiencing the one or more first hacking behaviors. 
This would have produced predictable and desirable results, in that it would allow for the system of Sysman and Parker to be used to detect potential fraud in a larger array of activities, which could increase the scope and usefulness of the system.


Claims 9, 18 and 22 are rejected under 35 U.S.C. 103 as being unpatentable over Sysman et al. (Pub. No.: US 2017/0134423) in view of Kapczynski et al. (Pat. No.: US 10,102,570) and .
Regarding claim 9, the combination of Sysman, Kapczynski and Parker discloses the apparatus of claim 1, further comprising: a monitoring module for monitoring the one or more first artificial accounts for the first activity (para. [0104]), but does not explicitly disclose wherein: the first type of account is an email account, the first activity is at least one of sign-in activity and mailbox activity for the one or more first artificial accounts, the sign-in activity comprises at least one of one or more login dates, one or more real-world locations from which the one or more logins originated, and an internet protocol (IP) number for each device utilized for the one or more logins, the mailbox activity comprises email activity in at least one of a mail sent folder, a mail received folder, and a trash folder, for sign-in activity, the detection module determines a first cyber hack if the at least one of determined one or more login dates, the determined one or more real-world locations, and the determined IP number for each device matches the one or more first hacking behaviors, and for mailbox activity, the detection module: compares email activity in the at least one of the mail sent folder, the mail received folder, and the trash folder to known email activity in the at least one of the mail sent folder, the mail received folder, and the trash folder, and determines the first cyber hack if the email activity matches the one or more first hacking behaviors. However, in analogous art, Shabtai discloses “extracting actual user profiles from social networks; b. generating artificial profiles for artificial users from the extracted actual user profiles; c. creating artificial user accounts for the artificial users; d. adding the artificial user accounts to social networks and to employee contact lists; e. creating email accounts for each of the artificial users; f. monitoring the activity of the artificial user accounts in 
Further, in analogous art, Zimmerman discloses that “[s]ome incidents may be associated with data from multiple vendors, however may be linked into a single entity from a single vendor. For example, a user may log into their Dropbox account from the US and into their Google account from the UK in a short time interval. This may present a condition that may not be detected based on data from a single vendor, but may indicate a suspicious pattern as a result of having access to data across different accounts for the same user (para. [0243]),” which teaches that the location of login data can be tracked to help determine a potential cyber hack. Therefore, it would have been obvious to one of ordinary skill in the art at the time of the invention to modify the above art to allow for the first activity to be sign-in activity, the sign-in activity comprises one or more real-world locations from which the one or more logins originated, and the detection module determines a first cyber hack if the email activity matches the one or more first hacking behaviors. This would have produced predictable and desirable results, in that it would allow for this particular type of suspicious activity to trigger a potential hacking alert, which could improve the performance of the system.
the computer program product of claim 17, and Sysman further discloses wherein the program instructions further cause the processor to: generate one or more second artificial accounts associated with one or more additional types of account, wherein each of the one or more additional type of account includes a respective second plurality of actual accounts (para. [0212]), but it could be argued that Sysman and Shabtai do not explicitly disclose wherein the program instructions further cause the processor to learn one or more second hacking behaviors for each additional type of account; and detect second cyber-hacks in second activity in the one or more second artificial accounts based on the one or more second hacking behaviors. However, in analogous art, Zimmerman discloses detecting threats in cyber security situations by monitoring user behavior and activities and “correlating, comparing, and otherwise identifying patterns and irregularities in activities, such as comparing across various users, groups and enterprises. This can be important since a very small level of activity may not be detected in a context of one user, but if the system sees small patterns repeating in a wide range of users, it might be an indicator of compromise (para. [0137]),” wherein “the cyber intelligence platform 6500 may use machine learning and natural language processing (NLP) to programmatically learn what topics are sensitive topics for an organization (para. [0570]).” Therefore, it would have been obvious to one of ordinary skill in the art at the time of the invention to modify the above art to allow for the processor to be caused to further learn one or more second hacking behaviors for each additional type of account, and detect second cyber-hacks in second activity in the one or more second artificial accounts based on the one or more second hacking behaviors. 
This would have produced predictable and desirable results, in that it would allow for “an organization [to] easily deploy multiple important security solutions across disparate platforms, 
Regarding claim 22, the combination of Sysman, Kapczynski and Parker discloses the method of claim 10, further comprising: monitoring the one or more first artificial accounts for the first activity (Sysman, para. [0104]), but does not explicitly disclose wherein: the first type of account is an email account, the first activity is at least one of sign-in activity and mailbox activity for the one or more first artificial accounts, the sign-in activity comprises at least one of one or more login dates, one or more real-world locations from which the one or more logins originated, and an internet protocol (IP) number for each device utilized for the one or more logins, the mailbox activity comprises email activity in at least one of a mail sent folder, a mail received folder, and a trash folder, for sign-in activity, determining a first cyber hack if the at least one of determined one or more login dates, the determined one or more real-world locations, and the determined IP number for each device matches the one or more first hacking behaviors, and for mailbox activity, detecting comprises: comparing email activity in the at least one of the mail sent folder, the mail received folder, and the trash folder to known email activity in the at least one of the mail sent folder, the mail received folder, and the trash folder, and determining the first cyber hack if the email activity matches the one or more first hacking behaviors. However, in analogous art, Shabtai discloses “extracting actual user profiles from social networks; b. generating artificial profiles for artificial users from the extracted actual user profiles; c. creating artificial user accounts for the artificial users; d. adding the artificial user accounts to social networks and to employee contact lists; e. creating email accounts for each of the artificial users; 
Further, in analogous art, Zimmerman discloses that “[s]ome incidents may be associated with data from multiple vendors, however may be linked into a single entity from a single vendor. For example, a user may log into their Dropbox account from the US and into their Google account from the UK in a short time interval. This may present a condition that may not be detected based on data from a single vendor, but may indicate a suspicious pattern as a result of having access to data across different accounts for the same user (para. [0243]),” which teaches that the location of login data can be tracked to help determine a potential cyber hack. Therefore, it would have been obvious to one of ordinary skill in the art at the time of the invention to modify the above art to allow for the first activity to be sign-in activity, the sign-in activity comprises one or more real-world locations from which the one or more logins originated, and detecting a first cyber hack if the email activity matches the one or more first hacking behaviors. This would have produced predictable and desirable results, in that it would allow for this particular type of suspicious activity to trigger a potential hacking alert, which could improve the performance of the system.
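The cross-account sign-in correlation relied on in the rejections of claims 9 and 22 (a user signing in to one service from the US and another from the UK within a short interval), worked as an added example in Python. This is illustrative code only, not code from the examined application or from any cited reference; the country centroids, the plausible-speed limit and the sample sign-ins are constructed assumptions.

```python
"""Cross-service sign-in correlation ("impossible travel") for accounts
belonging to the same user.

Added illustration of the Zimmerman teaching cited above; not code from
the examined application or from any cited reference. Country centroids,
the plausible-speed limit and the sample sign-ins are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class SignIn:
    user: str      # identity the accounts belong to
    service: str   # e.g. "email", "cloud-storage"
    country: str   # real-world location resolved from the source IP
    ip: str        # source address (documentation ranges, constructed)
    when: datetime


# Rough country centroids (lat, lon in degrees), constructed for the example.
CENTROIDS = {
    "US": (39.8, -98.6),
    "UK": (54.0, -2.5),
    "DE": (51.2, 10.4),
}

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # roughly airliner cruise speed (assumption)


def haversine_km(country_a, country_b):
    """Great-circle distance between two country centroids."""
    lat1, lon1 = map(radians, CENTROIDS[country_a])
    lat2, lon2 = map(radians, CENTROIDS[country_b])
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = sin(dlat / 2) ** 2 + cos(lat1) * cos(lat2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def implied_speed_kmh(earlier, later):
    """Speed one person would need to produce both sign-ins. A location
    change with zero (or negative) elapsed time counts as infinite."""
    distance = haversine_km(earlier.country, later.country)
    hours = (later.when - earlier.when).total_seconds() / 3600.0
    if distance == 0.0:
        return 0.0
    return float("inf") if hours <= 0.0 else distance / hours


def impossible_travel(signins, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Per user, compare each sign-in with the next one in time order across
    all of that user's services; return (earlier, later, speed) triples whose
    implied speed exceeds max_speed_kmh. A single service's logs would not
    reveal these pairs, which is the point of correlating across accounts."""
    by_user = {}
    for s in signins:
        by_user.setdefault(s.user, []).append(s)
    flagged = []
    for entries in by_user.values():
        entries.sort(key=lambda s: s.when)
        for earlier, later in zip(entries, entries[1:]):
            speed = implied_speed_kmh(earlier, later)
            if speed > max_speed_kmh:
                flagged.append((earlier, later, speed))
    return flagged


# Constructed sample sign-ins (users, times and IPs are made up).
T0 = datetime(2021, 1, 15, 9, 0, 0)
SAMPLE_SIGNINS = [
    # alice: cloud storage from the US, then e-mail from the UK 30 minutes later
    SignIn("alice", "cloud-storage", "US", "203.0.113.10", T0),
    SignIn("alice", "email", "UK", "198.51.100.7", T0 + timedelta(minutes=30)),
    # bob: Germany, then the UK three hours later (reachable by air)
    SignIn("bob", "email", "DE", "192.0.2.44", T0),
    SignIn("bob", "cloud-storage", "UK", "198.51.100.9", T0 + timedelta(hours=3)),
    # carol: two US sign-ins an hour apart, no location change
    SignIn("carol", "email", "US", "203.0.113.77", T0),
    SignIn("carol", "cloud-storage", "US", "203.0.113.78", T0 + timedelta(hours=1)),
]


if __name__ == "__main__":
    for earlier, later, speed in impossible_travel(SAMPLE_SIGNINS):
        print(f"{earlier.user}: {earlier.service}@{earlier.country} -> "
              f"{later.service}@{later.country}, implied {speed:.0f} km/h")
```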


Claim 19 is rejected under 35 U.S.C. 103 as being unpatentable over Sysman et al. (Pub. No.: US 2017/0134423) in view of Kapczynski et al. (Pat. No.: US 10,102,570) and Parker (Pub. No.: US 2013/0312092), and further in view of Shabtai et al. (Pub. No.: US 2015/0326608) and Scheidell (Pub. No.: US 2004/0098623).
Regarding claim 19, the combination as stated above discloses the computer program product of claim 17, and further discloses wherein the program instructions further cause the processor to: group the one or more first artificial accounts in a first valid account store comprising a first plurality of actual accounts for the first type of account; group the one or more second artificial accounts in a second valid account store comprising a second plurality of actual accounts for an additional type of account, wherein the first type of account and the additional type of account are different types of account, and the first plurality of actual accounts and the second plurality of actual accounts are managed by a same entity (Sysman, para. [0104]. It would have been a matter of obvious design choice as to how the accounts are stored and managed.); but it could be argued that Sysman and Shabtai do not explicitly disclose wherein the processor is caused to distinguish between a general cyber-hack based on the entity and a specific cyber-hack based on one of the first type of account and the additional type of account. However, in analogous art, Scheidell discloses intrusion detection capabilities such as “allowing an attack on a client network to be distinguished between a general attack on multiple clients on the network or a specific attack directed at the particular client. Furthermore, the edge network allows for the determination of new attack processes prior to an attack upon a client network in order that the vulnerability of the client network may be ascertained and preemptive measures taken (para. [0054]),” which teaches that security systems .
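The frequency-based distinction between a general cyber-hack and a specific cyber-hack discussed for claims 5, 6, 13, 14 and 19, worked as an added example in Python. This is illustrative code only, not code from the examined application or from any cited reference; the event format, the two thresholds and the sample accesses are constructed assumptions.

```python
"""Frequency-based classification of activity on artificial (honeypot)
accounts as a general or a specific cyber-hack.

Added illustration of the detection logic discussed above; not code from
the examined application or from any cited reference. The event format,
the thresholds and the sample events are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AccessEvent:
    """One observed access to an artificial account. No authorized user
    should touch a honeypot, so each event is suspect on its own; the rate
    of such events tells how broad the activity is."""
    account: str        # artificial account identifier
    entity: str         # entity that manages the valid account store
    account_type: str   # e.g. "email" or "financial"
    when: datetime


def in_window(events, now, window):
    """Events whose timestamp lies in the half-open interval (now - window, now]."""
    return [e for e in events if now - window < e.when <= now]


def classify(events, now, window, general_of, specific_of,
             general_threshold, specific_threshold):
    """Return {general_group: verdict}, where verdict is ("general", count)
    when accesses across the whole general group reach general_threshold,
    or ("specific", {sub_group: count}) when only some sub-groups reach
    specific_threshold. Groups below both thresholds are omitted.

    general_of / specific_of select the grouping dimensions, so one
    function covers the claim 5 reading (general = account type, specific
    = managing entity) and the claim 6 reading (general = entity, specific
    = account type)."""
    recent = in_window(events, now, window)
    per_general = Counter(general_of(e) for e in recent)
    per_specific = Counter((general_of(e), specific_of(e)) for e in recent)
    verdicts = {}
    for group, total in per_general.items():
        if total >= general_threshold:
            verdicts[group] = ("general", total)
            continue
        hot = {sub: n for (g, sub), n in per_specific.items()
               if g == group and n >= specific_threshold}
        if hot:
            verdicts[group] = ("specific", hot)
    return verdicts


WINDOW = timedelta(hours=1)
GENERAL_THRESHOLD = 10   # accesses per window over the whole general group (assumption)
SPECIFIC_THRESHOLD = 5   # accesses per window within one sub-group (assumption)


def detect_across_entities(events, now):
    """Claim 5 reading: general hack = rate for the account type as a whole,
    specific hack = rate for one managing entity."""
    return classify(events, now, WINDOW,
                    general_of=lambda e: e.account_type,
                    specific_of=lambda e: e.entity,
                    general_threshold=GENERAL_THRESHOLD,
                    specific_threshold=SPECIFIC_THRESHOLD)


def detect_across_types(events, now):
    """Claim 6 reading: general hack = rate for the entity as a whole,
    specific hack = rate for one account type at that entity."""
    return classify(events, now, WINDOW,
                    general_of=lambda e: e.entity,
                    specific_of=lambda e: e.account_type,
                    general_threshold=GENERAL_THRESHOLD,
                    specific_threshold=SPECIFIC_THRESHOLD)


# Constructed sample: a reference time and accesses at two entities.
NOW = datetime(2021, 1, 15, 12, 0, 0)


def _ev(account, entity, account_type, minutes_ago):
    return AccessEvent(account, entity, account_type,
                       NOW - timedelta(minutes=minutes_ago))


SAMPLE_EVENTS = (
    # six hits on EntityA's email honeypots in the last half hour
    [_ev(f"hp-email-a{i}", "EntityA", "email", 5 * i) for i in range(1, 7)]
    # a single hit on an EntityB email honeypot
    + [_ev("hp-email-b1", "EntityB", "email", 20)]
    # financial honeypots hit at both entities, seven times each
    + [_ev(f"hp-fin-a{i}", "EntityA", "financial", 3 * i) for i in range(1, 8)]
    + [_ev(f"hp-fin-b{i}", "EntityB", "financial", 4 * i) for i in range(1, 8)]
    # an access ten hours ago, outside the window, which must be ignored
    + [_ev("hp-email-a1", "EntityA", "email", 600)]
)


if __name__ == "__main__":
    print(detect_across_entities(SAMPLE_EVENTS, NOW))
    print(detect_across_types(SAMPLE_EVENTS, NOW))
```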


Response to Arguments
Applicant's arguments filed December 22, 2020 have been fully considered, but they are moot in view of the new grounds of rejection in view of Kapczynski.


Conclusion
Claims 1-7, 9-14, 16-19 and 21-23 are rejected.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Joshua D Taylor whose telephone number is (571)270-3755.  The examiner can normally be reached on Monday - Friday 8 am - 6 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Nasser Goodarzi can be reached on 571-272-4195.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.