DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendment
This is a reply to the amendment filed on 04/27/2021, in which claim(s) 1-20 are pending. Claim(s) 1 and 11 are independent. Claim(s) 3, 5, and 11-20 are amended. No claim(s) are cancelled or newly added.

Response to Arguments
Specification Objection: 
Applicant’s arguments with respect to the specification objection have been considered. The specification objection has been withdrawn in view of the amendment to the specification.

Claim Objection: 
Applicant’s arguments with respect to the objection of claim(s) 5 and 15 have been considered. The objection of claim(s) 5 and 15 has been withdrawn in view of the amendment to the claims.

Claim Rejections - 35 U.S.C. § 112:
Applicants’ arguments with respect to 112 (b) with rejection of claim(s) 3 and 13 have been fully considered and are persuasive.  The rejection of 112 (b) of claim(s) 3 
Applicants’ arguments with respect to claim(s) 5, 11-12 and 14-20 have been fully considered but they are not persuasive since no amendment was found.

Claim Rejections - 35 U.S.C. § 101:
Applicants’ arguments with respect to claim(s) 11-20 have been fully considered and are persuasive. The rejection under 35 USC §101 regarding claim(s) 11-20 has been withdrawn in view of the amendment to the claims.

Double Patenting (DP):
Applicant submitted an eTD on 04/27/2021 to overcome DP rejection issued in the previous office action. The eTD has been approved. The DP rejection issued in the previous action has been withdrawn.

Claim Rejections - 35 U.S.C. § 102 and 35 U.S.C. § 103:
Applicants’ arguments, see pages 10-19, filed 04/27/2021, regarding the U.S.C. 102 and 103 rejections of Claims 1-20 have been fully considered and are not persuasive.
Applicants argue that “Adams make no reference to a response from an active directory server”. 
Applicant’s interpretation of the reference has been noted; however, the examiner respectfully disagrees. Adams teaches a reference to a response from a server ([0057]), and the server is an active directory server (Col 25 Lines 28-31). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Ettema with the disclosure of Adams. The motivation/suggestion would have been such that certain traffic from a suspicious/compromised device in the target network can be routed to one of the emulated devices in dynamic and intelligent ways (Ettema, Col 25 Lines 34-39) to efficiently and effectively identify such new and evolving advanced threats (Ettema, Col 4 Lines 44-46).
Applicants further argue that the combination of Adams and Ettema would therefore fail to disclose the limitations of claims 1, 3 and 14 (see pages 15-19 of Remarks).
Applicant’s interpretation of the reference has been noted; however, examiner respectfully disagrees.  In response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references. See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).
Therefore, the rejection is maintained.

Applicant is encouraged to schedule an interview with the Examiner prior to the next communication to compact prosecution of the case.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 5, 11-12 and 14-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant regards as the invention.
Claims 5 and 15 recite “credential  is effective to”. Claim 11 recites “storing executable code effective to”. Claims 12, 14 and 16-20 recite “wherein the executable code is further effective to cause the one or more processing devices to”. It cannot be ascertained from the scope of the claim what the metes and bounds of the term “effective” are.
Appropriate correction is required.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
Claims 1, 3-5, 11 and 13-15 are rejected under 35 U.S.C. 103 as being unpatentable over Adams et al. (US 2011/0214182 A1) in view of Ettema et al. (US 10,044,675 B1).
Regarding Claims 1 and 11, Adams discloses
receiving, by a computer system ([0014], “Referring to FIG. 1, an exemplary , a first response from a server ([0057], “receives one or more responses from one or more of the server devices”); 
(a) replacing, by the computer system, a first reference in the response with a second reference referencing a decoy server to obtain a modified response ([0062], “injects respective logic into responses or alters the handling of traffic”, “By way of example only, this logic basically is a modification of the response”, [0046], “injection of decoy 300 (e.g., a fake vulnerability)…fake server”, i.e. refers to a decoy server); 
(b) returning, by the computer system, the modified response to a source application referenced by the first response ([0015], “proactively securing applications executing for client devices”, [0021], “Each of the client devices 14(1)-14(n) enables a user to request, obtain, and interact with one or more applications”, [0068], “returns the modified response to the end user”).  
Adams does not explicitly teach the server is an active directory server.
Ettema teaches the server is an active directory server (Col 25 Lines 28-31, “if a target device 404 is in communication with a server 408, such as an Active Directory (AD) server”).
Adams and Ettema are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to return a modified response from a server to a source application (as disclosed by Adams) wherein the server is an active directory server (as taught by Ettema). The motivation/suggestion would have been such that certain traffic from a suspicious/compromised device in the target network can be routed to one of the emulated devices in dynamic and intelligent ways 

Regarding Claims 3 and 13, the combined teaching of Adams and Ettema teaches wherein the second reference is a credential to authenticate with respect to the decoy server (Adams, [0046], “injection of decoy 300 (e.g., a fake vulnerability) for a basic authentication process” with a “fake server”, [0047], “it will return a response containing a fake implementation of the configuration file ".htaccess."”, “".htpasswd" file will be purposely injected with fake user credentials”).

Regarding Claim 4, the combined teaching of Adams and Ettema teaches
the first response is a response to a request for session data received from an active directory server (Adams, [0024], “to input selections, such as requests for a network resource (data)”, [0068], “returns the modified response”, Ettema, Col 25 Lines 28-31, “if a target device 404 is in communication with a server 408, such as an Active Directory (AD) server”); and 
wherein the first reference is an address of an endpoint logged in to an administrator account on the active directory server (Adams, [0008], “application administrators can identify track and respond”, [0068], “the proxy server device 12 executing proactive security administrator module 21 returns the modified response”, Ettema, Col 25 Lines 28-31, “if a target device 404 is in communication with a server 408, such as an Active Directory (AD) server”).

Regarding Claims 5 and 15, the combined teaching of Adams and Ettema teaches wherein the second reference is effective to authenticate with respect to a service executing on the decoy server (Adams, [0046], “injection of decoy 300 (e.g., a fake vulnerability) for a basic authentication process” with a “fake server”, [0047], “it will return a response containing a fake implementation of the configuration file ".htaccess."”, “".htpasswd" file will be purposely injected with fake user credentials”); and
receiving, by the decoy server, an attempt to access the service by the source application using the second reference; in response to the attempt, performing, by the decoy server, access of the service; and monitoring, by the decoy server, activities of the source application with respect to the service (Adams, [0046], “For basic authentication, proactive security administration module 21 with processor or CPU 13 is responsible for emulating (and monitoring) a vulnerable authentication mechanism in an executing application”, “To the attacker, the website will appear to be exposing a sensitive administrative script on the website, with weak password protection”).

Regarding Claim 14, the combined teaching of Adams and Ettema teaches
(c) detect that the first response is a response to a request for session data from an active directory server, the session data indicating endpoints currently logged in to the active directory server (Adams, [0024], “to input selections, such as requests for a network resource (data)”, [0049], “An example of the request is an HTTP request” indicating endpoints, [0068], “returns the modified response”, Ettema, Col 25 Active Directory (AD) server”); and 
in response to (c), replace an address of an endpoint logged in to an administrator account on the active directory server with the second reference, the address being the first reference (Adams, [0008], “application administrators can identify track and respond”, [0046], “injection of (i.e. replacing with) decoy 300 (e.g., a fake vulnerability) for a basic authentication process can be used. Such an injection of decoy 300 can be an example of exposing a non-existent site resource”, i.e. a fake address, [0068], “the proxy server device 12 executing proactive security administrator module 21 returns the modified response”, Ettema, Col 25 Lines 28-31, “if a target device 404 is in communication with a server 408, such as an Active Directory (AD) server”).

Claims 2 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Adams et al. (US 2011/0214182 A1) in view of Ettema et al. (US 10,044,675 B1) further in view of Eyal Dotan (US 2005/0223239 A1).
Regarding Claims 2 and 12, the combined teaching of Adams and Ettema teaches the server is an active directory server (Col 25 Lines 28-31, “if a target device 404 is in communication with a server 408, such as an Active Directory (AD) server”).
The combined teaching of Adams and Ettema does not explicitly teach but Dotan teaches intercepting, by an agent executing on the computer system, the first response from a function of an operating system on the computer system that is programmed to interface with the server ([0098] [0097], “when any of the OS envelopes intercepts a new program, it can send a notice to the client control program”).
Adams, Ettema and Dotan are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to return a modified response from a server to a source application wherein the server is an active directory server (as taught by the combined teaching of Adams and Ettema) and intercept the server (as taught by Dotan). The motivation/suggestion would have been for protecting computer data and programs, and more generally to computer system and network security (Dotan, [0002] [0001]).

Claims 6, 10, 16 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Adams et al. (US 2011/0214182 A1) in view of Ettema et al. (US 10,044,675 B1) further in view of Lee et al. (US 2013/0052992 A1).
Regarding Claims 6 and 16, the combined teaching of Adams and Ettema teaches a source application (Adams, [0021], “interact with one or more applications”) and performing (a) and (b) (Adams, [0014], [0057] and [0068], Ettema, Col 25 Lines 28-31).
The combined teaching of Adams and Ettema does not explicitly teach but Lee teaches performing in response to determining that the source application is not in a list of sanctioned applications ([0068], “If the application is not included in the list of allowed or authorized applications”).


Regarding Claims 10 and 20, the combined teaching of Adams and Ettema teaches the active directory server (Ettema, Col 25 Lines 28-31, “if a target device 404 is in communication with a server 408, such as an Active Directory (AD) server”).
The combined teaching of Adams and Ettema does not explicitly teach but Lee teaches receiving a third response from the server; (c) determining that the third response is addressed to a first sanctioned application that is one of the sanctioned applications; and in response to (c), returning data from the third response to the first sanctioned application ([0066], “If the execution command is found in the execution command management table, the determining module A determines whether the application that has issued the command execution request is included in the list of allowed or authorized applications on the execution command management table”, [0073], “so that the service unit 220 executes the corresponding service or application in response to the command execution request”).
Adams, Ettema and Lee are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in .

Claims 7 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Adams et al. (US 2011/0214182 A1) in view of Ettema et al. (US 10,044,675 B1) further in view of Lee et al. (US 2013/0052992 A1) and further in view of Eyal Dotan (US 2005/0223239 A1).
Regarding Claims 7 and 17, the combined teaching of Adams, Ettema and Lee does not explicitly teach but Dotan teaches determining that the source application does not have a certificate matching one of the sanctioned applications ([0093], [0092], “when a new program is intercepted, the users' computers perform a check to determine whether the intercepted new program has been certified by at least one recognized authority… As is known, when such a certifying authority certifies a program, it embeds in the program a machine-recognizable indication that the program has been certified and an indication of the certifying authority…when the OS envelope intercepts a new program, it checks to see whether the program includes the certificate and, if so, it classifies the program as trusted and allows the program to install, run, and use all available resources”, therefore if the program does not include the certificate, it would not allow the program to run).

Claims 8 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Adams et al. (US 2011/0214182 A1) in view of Ettema et al. (US 10,044,675 B1) further in view of Lee et al. (US 2013/0052992 A1) and further in view of Pettigrew et al. (US 2013/0290729 A1).
Regarding Claims 8 and 18, the combined teaching of Adams, Ettema and Lee does not explicitly teach but Pettigrew teaches determining that a hash of binary code for the source application does not match a hash of one of the sanctioned applications ([0031], “If the input hash key value does not match the value from the whitelist file 102… the executable file 95 may also be blocked from executing”).
Adams, Ettema, Lee and Pettigrew are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to return a modified response from a server to a source application if it is not in a list of sanctioned applications (as taught by the combined teaching of Adams, Ettema and Lee) without a matching hash of binary code (as taught by Pettigrew). The motivation/suggestion .

Claims 9 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Adams et al. (US 2011/0214182 A1) in view of Ettema et al. (US 10,044,675 B1) further in view of Lee et al. (US 2013/0052992 A1) and further in view of Mendel et al. (US 2013/0061097 A1).
Regarding Claims 9 and 19, the combined teaching of Adams, Ettema and Lee does not explicitly teach but Mendel teaches determining that a path to binary code corresponding to the source application does not match a path to one of the sanctioned applications ([0033], “where the actual order of routines or application path tracked in the program counter 318 does not match the authorized order of routines or application path, the checkpoint module 310 may detect a checkpoint error and may initiate or perform one or more security actions”).
Adams, Ettema, Lee and Mendel are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to return a modified response from a server to a source application if it is not in a list of sanctioned applications (as taught by the combined teaching of Adams, Ettema and Lee) without a matching path (as taught by Mendel). The motivation/suggestion would have been to provide increased security and protection for the application, and may prevent thieves and hackers who may otherwise try to manipulate an application (Mendel, [0033]).

Conclusion
Applicants are encouraged to take advantage of the After Final Consideration Pilot 2.0 (AFCP 2.0) which authorizes non-production time for consideration of responses filed after a final rejection. The purpose of the pilot is to compact prosecution of the case. The request must include 1) A signed AFCP request form (PTO/SB/434 or equivalent) that includes a statement that applicant is requesting consideration under the AFCP; 2) An amendment to at least one independent claim that does not broaden the scope of the independent claim in any aspect; and 3) A statement that applicant is willing and available to participate in any interview initiated by the examiner concerning the present response.  In the limited amount of non-production time if the examiner’s consideration of a proper AFCP 2.0 request and response does not result in a determination that all pending claims are in condition for allowance, the examiner will request an interview with the applicant to discuss the response. For more info, please visit http://www.uspto.gov/patent/initiatives/after-final-consideration-pilot-20.
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHENG-FENG HUANG whose telephone number is (571)272-6186.  The examiner can normally be reached on Monday-Friday: 9 am - 5 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni A Shiferaw can be reached on (571) 272-3867.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/CHENG-FENG HUANG/Examiner, Art Unit 2497