DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This Office Action is in response to the Amendment filed on 1/28/2021.
Authorization for this Examiner’s Amendment was given in a telephone interview with Applicant’s representative Robert Mazzarese on April 13, 2021.

Claims
Please replace the claims as follows:
Claim 1 (Currently Amended) A computer program product comprising computer executable code embodied in a non-transitory computer-readable medium that, when executing on one or more computing devices, performs the steps of:
	creating key material for cryptographic handling of a file at a key management system for an enterprise network, the key material including a key pair having a private encryption key and a public decryption key;
	providing a honeypot file containing non-confidential information for the enterprise network and an access control list for the honeypot file modified to attract unauthorized, malicious users of the enterprise network by including an open access user in the access control list;
	cryptographically securing the honeypot file by encrypting the honeypot file with the private encryption key to provide a tagged file;
	storing the tagged file on a data store in the enterprise network;
	storing the public decryption key in a central keystore for the enterprise network;
	detecting a retrieval of the public decryption key from the central keystore, the retrieval associated with an authentication of the tagged file by a device; and


Claim 2 (Currently Amended) A method comprising:
	providing key material for cryptographic handling of a file at a key management system for an enterprise network, the key material including a key pair having a private encryption key and a public decryption key;
	providing a honeypot file containing non-confidential information for the enterprise network and an access control list for the honeypot file modified to attract unauthorized, malicious users of the enterprise network by including an open access user in the access control list;
	cryptographically securing the honeypot file with the key material to provide a tagged file;
	storing the tagged file on a data store in an enterprise network;
	storing at least a portion of the key material in a central keystore for the enterprise network;
	detecting a retrieval of the portion of the key material from the central keystore, the retrieval associated with an authentication of the tagged file by a device; and
	initiating a remedial action responsive to the retrieval associated with the authentication of the tagged file.

Claim 19 (Canceled)

Claim 20 (Currently Amended) A system comprising:
	a data store in an enterprise network;
	a central keystore for the enterprise network; and
	a threat management facility executing on a hardware processor and configured to obtain key material including a key pair having a private encryption key and a public decryption key for cryptographic handling of a file from the central keystore, to provide a honeypot file containing non-confidential information for the enterprise network and an access control list for the honeypot file modified to attract unauthorized, malicious users of the enterprise network by including an open access user in the access control list, to cryptographically secure the honeypot file with the key material to provide a tagged file, to store the tagged file on the data store, to detect a retrieval of at least a portion of the key material from the central keystore, the retrieval associated with a decryption of the tagged file by a device, and to initiate a remedial action responsive to the decryption using the portion of the key material.

Examiner's Statement of Reason for Allowance

Claims 1-18 and 20 are allowed.
The following is an examiner’s statement of reasons for allowance: 
The present invention is directed to a honeypot file that is cryptographically secured with a cryptographic key. The key, or related key material, is then placed on a central keystore and the file is placed on a data store within the enterprise network. Unauthorized access to the honeypot file can then be detected by monitoring use of the associated key material, which usefully facilitates detection of file access at any time when, and from any location where, cryptographic access to the file is initiated.
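The detection approach summarized above can be sketched as follows. This is an added illustration, not part of the Office Action or the application; the log format, key IDs, device names and file path are constructed assumptions.

```python
import json

# Constructed sample data: key IDs, device names, paths and log fields are hypothetical.
HONEYPOT_KEYS = {"key-7f3a": "//fs01/finance/payroll_2021.xlsx"}  # key_id -> tagged file
KEYSTORE_LOG = [
    '{"ts": "2021-04-13T09:00:00Z", "device": "ws-014", "op": "get_key", "key_id": "key-1001"}',
    '{"ts": "2021-04-13T09:05:12Z", "device": "ws-022", "op": "get_key", "key_id": "key-7f3a"}',
    'truncated-line-not-json',
    '{"ts": "2021-04-13T09:06:00Z", "device": "ws-014", "op": "list_keys"}',
    '{"ts": "2021-04-13T09:20:00Z", "device": "ws-022", "op": "get_key", "key_id": "key-7f3a"}',
]
NETWORK_LOG = [
    {"ts": "2021-04-13T09:01:00Z", "device": "ws-022", "dst": "10.0.5.20:445"},
    {"ts": "2021-04-13T09:07:30Z", "device": "ws-022", "dst": "10.0.9.8:22"},
    {"ts": "2021-04-13T09:08:00Z", "device": "ws-014", "dst": "10.0.5.20:445"},
    {"ts": "2021-04-13T09:30:00Z", "device": "ws-022", "dst": "203.0.113.5:443"},
]

def detect_honeypot_retrievals(keystore_lines, honeypot_keys):
    """Return one alert per keystore fetch of key material bound to a honeypot file."""
    alerts = []
    for line in keystore_lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed log lines rather than abort the scan
        if ev.get("op") == "get_key" and ev.get("key_id") in honeypot_keys:
            alerts.append({"ts": ev["ts"], "device": ev["device"],
                           "file": honeypot_keys[ev["key_id"]]})
    return alerts

def monitor_flagged_devices(alerts, network_events):
    """Remedial action: return network activity by a flagged device after its first alert."""
    first_alert = {}
    for a in alerts:
        first_alert[a["device"]] = min(a["ts"], first_alert.get(a["device"], a["ts"]))
    # Same-format UTC ISO 8601 strings compare correctly as plain strings.
    return [e for e in network_events
            if e["device"] in first_alert and e["ts"] > first_alert[e["device"]]]

if __name__ == "__main__":
    alerts = detect_honeypot_retrievals(KEYSTORE_LOG, HONEYPOT_KEYS)
    for e in monitor_flagged_devices(alerts, NETWORK_LOG):
        print(e["ts"], e["device"], e["dst"])
```

Because the alert is raised at the keystore, it fires wherever the tagged file has been copied, as long as the device must fetch the key material centrally.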
The closest prior art, as previously recited, are Sharifi Mehr (US 10,521,184 A1), Shulman (US 2016/0301712 A1) and Nakamura et al. (US 2012/0030242 A1); in which Sharifi Mehr discloses a system that acquires diagnostic information from event logs, trace files, and other diagnostic sources to reduce a set of event records. The event records are arranged in a graph based on correlations between individual event records. Correlations may be based on time, account, credentials, tags, instance identifiers, or other characteristics. The system analyzes the graph to identify anomalies such as data exfiltration anomalies, system compromises, or security events. In some implementations, the system deploys decoy resources within a customer computing environment. Interactions with the decoy resources are captured as event records and added to the graph; and in which Shulman teaches a method for setting a trap to detect that an intruder has compromised a client end station (CES) in an attempt to gain unauthorized access to enterprise data provided by a server. The method includes causing a honey token to be placed on the CES secluded within a configuration repository, wherein the honey token is metadata and/or instructions indicating how applications can seemingly access the enterprise 






creating key material for cryptographic handling of a file at a key management system for an enterprise network, the key material including a key pair having a private encryption key and a public decryption key; providing a honeypot file containing non-confidential information for the enterprise network and an access control list for the honeypot file modified to attract unauthorized, malicious users of the enterprise network by including an open access user in the access control list; cryptographically securing the honeypot file by encrypting the honeypot file with the private encryption key to provide a tagged file; storing the tagged file on a data store in the enterprise network; storing the public decryption key in a central keystore for the enterprise network; detecting a retrieval of the public decryption key from the central keystore, the retrieval associated with an authentication of the tagged file by a device; and initiating a remedial action responsive to detecting the retrieval associated with the authentication of the tagged file by the device, the remedial action including monitoring subsequent network activity within the enterprise network by the device; and none of the cited prior art teaches or suggests the steps of Claim 2: providing key material for cryptographic handling of a file at a key management system for an enterprise network, the key material including a key pair having a private encryption key and a public decryption key; providing a honeypot file containing non-confidential information for the enterprise network and an access control list for the honeypot file modified to attract unauthorized, malicious users of the enterprise network by including an open access user in the access control list; cryptographically securing the honeypot file with the key material to provide a tagged file; storing the tagged file on a data store in an enterprise network; storing at least a portion of the key material in a central keystore for the enterprise network; detecting a retrieval of the portion of the key material from the central keystore, the retrieval associated with an authentication of the tagged file by a device; and initiating a remedial action responsive to the retrieval associated with the authentication of the tagged file; and none of the cited prior art teaches or suggests the steps of Claim 20: a data store in an enterprise network; a central keystore for the enterprise network; and a threat management facility executing on a hardware processor and configured to obtain key material including a key pair having a private encryption key and a public decryption key for cryptographic handling of a file from the central keystore, to provide a honeypot file containing non-confidential information for the enterprise network and an access control list for the honeypot file modified to attract unauthorized, malicious users of the enterprise network by including an open access user in the access control list, to cryptographically secure the honeypot file with the key material to provide a tagged file, to store the tagged file on the data store, to detect a retrieval of at least a portion of the key material from the central keystore, the retrieval associated with a decryption of the tagged file by a device, and to initiate a remedial action responsive to the decryption using the portion of the key material.

Therefore the claims are allowable over the cited prior art.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue 

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892 attached.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KARI L SCHMIDT whose telephone number is (571)270-1385.  The examiner can normally be reached on Monday-Friday 10am - 6pm (MDT).
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571)270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/KARI L SCHMIDT/
Primary Examiner, Art Unit 2439