DETAILED ACTION
Claims 1-20 are pending in this application. 

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statements (IDSs) submitted on 12/28/2019 and 09/04/2020 are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statements are being considered by the examiner.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 5-7, 9, 12-14, 19 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Gurvich et al (“Gurvich,” US 20170339186) and further in view of Dulce et al (“Dulce,” US 20160381023).   

Regarding claim 1, Gurvich discloses a computer-implemented method for intrusion detection in a remote computing resource system, (Gurvich, FIG 1) the method comprising:
identifying one or more tenant resource modules for intrusion detection, where the tenant resource modules are provisioned for a tenant of a remote service provider system; (Gurvich, [0004], allocate resources of the cloud provider system for use by tenants of the cloud provider system & [0013] , servers whose resources are allocated to the cloud provider’s tenants, where tenants may run any suitable applications and implement any suitable business logic using their allocated server resources and IP address ranges; [0034], honeypot addresses are scattered across IP address ranges 28 that are allocated to the tenants; also see FIG 2). 
Gurvich fails to explicitly disclose for each of the one or more identified resource modules: allocating a storage account having a corresponding access credential, deploying the corresponding access credential in the identified resource module, and creating a data entry in a token mapping store, where the data entry identifies the tenant, the access credential, and the identified resource module.
However, in an analogous art, Dulce discloses for each of the one or more identified resource modules: 
(Dulce, [0003] & [0030], user account; [0081], cloud storage application 326E providing users the ability to store data at and/or retrieve data from one or more remote servers (e.g., Google Drive™, Dropbox™, iCloud™, OneDrive™, Box™, etc.).
deploying the corresponding access credential in the identified resource module, (Dulce, FIG 6 shows a record with 654 credentials for 658 Resource Identifier (e.g. URL, Path and SPN)). 
and creating a data entry in a token mapping store, (Dulce, FIG 6 shows a record with an entry that is created for token types)
where the data entry identifies the tenant, (Dulce, FIG 6, 602, User Data types; 660, Email address that identifies the tenant)
the access credential, (Dulce, FIG 6 shows a record with 654 credentials for access)
and the identified resource module (Dulce, FIG 6 shows record with 658, Resource Identifier (e.g. URL, Path, SPN))
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Dulce with the method and system of Gurvich to include for each of the one or more identified resource modules: allocating a storage account having a corresponding access credential, deploying the corresponding access credential in the identified resource module, and creating a data entry in a token mapping store, where the data entry identifies the tenant, the access credential, and the identified resource module. One would have been motivated to 

Regarding claim 5, Gurvich and Dulce disclose the computer-implemented method of claim 1. 
Shulman further discloses where the provisioned resource comprises a resource provisioned in the remote computing resource system, (Dulce, [0003] & [0030], user account; [0081], cloud storage application 326E providing users the ability to store data at and/or retrieve data from one or more remote servers (e.g., Google Drive™, Dropbox™, iCloud™, OneDrive™, Box™, etc.).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Dulce with the method and system of Gurvich to include where the provisioned resource comprises a resource provisioned in the remote computing resource system. One would have been motivated to detect compromised unmanaged client end stations using synchronized tokens from enterprise-managed client end stations (Dulce, [0001]).

Regarding claim 6, Gurvich and Dulce disclose the computer-implemented method of claim 1. 
Dulce further discloses where the one or more tenant resource modules provisioned for a tenant of a remote service provider system comprises 
one or more of 
a key vault, 
a virtual machine, 
an application service, (Dulce, [0134], application service (e.g. data, voice and video))
an application programming interface, (Dulce, [0151], Application Programming Interface (API) control)
a communications store, 
a domain directory, 
and a credential data store (Dulce, 329F, FIG 3, credential store)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Dulce with the method and system of Gurvich to include and creating a data entry in a token mapping store, where the data entry identifies the tenant, the access credential, and the identified resource module. One would have been motivated to detect compromised unmanaged client end stations using synchronized tokens from enterprise-managed client end stations (Dulce, [0001]).  

Regarding claim 7, Gurvich discloses an intrusion detection system for detecting intrusion in a remote computing resource system, the system comprising:
one or more processors; (Gurvich, [0030], processor) and
one or more memory devices in communication with the one or more processors, the memory devices having computer-readable instructions stored thereupon that, when (Gurvich, [0030], memory and processor)
identifying one or more resource modules for intrusion detection, (Gurvich, FIG 1) where the resource modules are provisioned for a tenant of a remote service provider system; (Gurvich, [0004], allocate resources of the cloud provider system for use by tenants of the cloud provider system & [0013] , servers whose resources are allocated to the cloud provider’s tenants, where tenants may run any suitable applications and implement any suitable business logic using their allocated server resources and IP address ranges; [0034], honeypot addresses are scattered across IP address ranges 28 that are allocated to the tenants; also see FIG 2).
for each of the one or more identified resource modules: (Gurvich, [0004], allocate resources of the cloud provider system for use by tenants of the cloud provider system & [0013] , servers whose resources are allocated to the cloud provider’s tenants, where tenants may run any suitable applications and implement any suitable business logic using their allocated server resources and IP address ranges; [0034], honeypot addresses are scattered across IP address ranges 28 that are allocated to the tenants; also see FIG 2).
allocating a provisioned resource (Gurvich, [0004], allocate resources of the cloud provider system for use by tenants of the cloud provider system & [0013] , servers whose resources are allocated to the cloud provider’s tenants, where tenants may run any suitable applications and implement any suitable business logic using their allocated server resources and IP address ranges; [0034], honeypot addresses are scattered across IP address ranges 28 that are allocated to the tenants; also see FIG 2).
Gurvich fails to explicitly disclose having a corresponding access credential,  deploying the corresponding access credential in the identified resource module, and creating a data entry in a token mapping store, where the data entry identifies the tenant, the access credential, and the identified resource module.
However, in an analogous art, Dulce discloses having a corresponding access credential, (Dulce, FIG 6 shows a record with 654 credentials for 658 Resource Identifier (e.g. URL, Path and SPN))
deploying the corresponding access credential in the identified resource module, (Dulce, FIG 6 shows a record with 654 credentials for 658 Resource Identifier (e.g. URL, Path and SPN)) and 
creating a data entry in a token mapping store, (Dulce, FIG 6 shows entries within a token mapping record)
where the data entry identifies the tenant, (Dulce, FIG 6, 602, User Data types; 660, Email address that identifies the tenant)
the access credential, (Dulce, FIG 6 shows a record with 654 credentials for access)
and the identified resource module, (Dulce, FIG 6 shows record with 658, Resource Identifier (e.g. URL, Path, SPN))
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Dulce with the method and system of Gurvich to include for each of the one or more identified resource modules: 

Regarding claim 9, Gurvich and Dulce disclose the system of claim 7. 
Dulce further discloses where: the step of allocating a provisioned resource comprises generating a storage account; (Dulce, [0003] & [0030], user account; [0081], cloud storage application 326E providing users the ability to store data at and/or retrieve data from one or more remote servers (e.g., Google Drive™, Dropbox™, iCloud™, OneDrive™, Box™, etc.)  and
the corresponding access credential comprises a key to the storage account,  (Dulce, [0003] & [0030], user account; [0081], cloud storage application 326E providing users the ability to store data at and/or retrieve data from one or more remote servers (e.g., Google Drive™, Dropbox™, iCloud™, OneDrive™, Box™, etc; FIG 6 shows a record with 654 credentials for access; [0058] & [0099] describes the credentials can be a key to provide access)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Dulce with the method and system of Gurvich to include where: the step of allocating a provisioned resource comprises generating a storage account; the corresponding access credential 

Regarding claim 12, Gurvich and Dulce disclose the system of claim 7. 
Dulce further discloses where the corresponding access credential for the provisioned resource comprises 
one of a 
connection string, 
an access key, (Dulce, FIG 6 shows a record with 654 credentials for access; [0058] & [0099] describes the credentials can be a key to provide access)
a certificate, 
a service key, 
a management key, 
a storage key, 
or an access token. 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Dulce with the method and system of Gurvich to include where the corresponding access credential for the provisioned resource comprises one of a connection string, an access key, a certificate, a service key, a management key, a storage key, or an access token. One would have been motivated to detect compromised unmanaged client end stations using synchronized tokens from enterprise-managed client end stations (Dulce, [0001]).
Regarding claim 13, Gurvich and Dulce disclose the system of claim 7. 
Dulce further discloses where the one or more resource modules provisioned for a tenant of a remote service provider system 
comprises one or more of 
a key vault, 
a data store, 
a virtual machine, 
an application service, (Dulce, [0134], application service (e.g. data, voice and video))
an application programming interface, (Dulce, [0151], Application Programming Interface (API) control)
a communications store, 
a domain directory, 
and a credential data store, (Dulce, 329F, FIG 3, credential store)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Dulce with the method and system of Gurvich to include and creating a data entry in a token mapping store, where the data entry identifies the tenant, the access credential, and the identified resource module. One would have been motivated to detect compromised unmanaged client end stations using synchronized tokens from enterprise-managed client end stations (Dulce, [0001]).  


Regarding claim 14, claim 14 is directed to one or more computer storage media. Claim 14 is similar in scope to claim 7 and is therefore rejected under similar rationale.

Regarding claim 19, Gurvich and Dulce disclose the one or more computer storage media of claim 14. 
Dulce further discloses where the corresponding access credential for the provisioned resource comprises 
one of a 
connection string, 
an access key, (Dulce, FIG 6 shows a record with 654 credentials for access; [0058] & [0099] describes the credentials can be a key to provide access)
a certificate, 
a service key, 
a management key, 
a storage key, 
or an access token
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Dulce with the method and system of Gurvich to include where the corresponding access credential for the provisioned resource comprises one of a connection string, an access key, a certificate, a service key, a management key, a storage key, or an access token. One would 

Regarding claim 20, claim 20 is directed to the one or more computer storage media of claim 14. Claim 20 is similar in scope to claim 13 and is therefore rejected under similar rationale.


Claims 2, 8, 15 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Gurvich et al (“Gurvich,” US 20170339186) in view of Dulce et al (“Dulce,” US 20160381023) in view of Shulman et al (“Shulman,” US 20170244672). 

Regarding claim 2, Gurvich and Dulce disclose the computer-implemented method of claim 1. 
Gurvich and Dulce fail to explicitly disclose where the method includes: scanning one or more access logs for the remote computing resource system to detect one or more resource access attempts, each access attempt including an access credential for the access attempt; for each resource access attempt: searching the token mapping store for a matching data entry where the access credential of the data entry matches the access credential for the access attempt, and if the matching data entry is found, generating an alert that includes the identified resource module of the matching data entry. 
(Shulman, [0062], scan these log files or data for tokens; [0043], an attacker may discover one or more of the placed tokens and attempt to exploit them by using them to access what appears to be an enterprise resource)
for each resource access attempt: searching the token mapping store for a matching data entry where the access credential of the data entry matches the access credential for the access attempt, (Shulman, [0161], With access to the compromised client end station 110, the attacker/intruder 106 may then attempt to access enterprise data of the enterprise using information and/or credentials granted to the client end station or authorized user that is stored on the client end station-notably, this can include the tokens 130, which lead the attacker/ intruder to the trap servers 152 utilizing techniques as described herein)
and if the matching data entry is found, generating an alert that includes the identified resource module of the matching data entry, (Shulman, [0063], the TMM can be configured to utilize rules/logic to detect an alert triggering event (e.g. the use of a token within traffic destined to the trap server such as a token carried in the payload)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Shulman with the method and system of Gurvich and Dulce to include where the method includes: scanning one or more access logs for the remote computing resource system to detect one or more resource access attempts, each access attempt including an access credential for the 

Regarding claim 8, claim 8 is directed to the system of claim 8. Claim 8 is similar in scope to claim 2 and is therefore rejected under similar rationale.

Regarding claim 15, claim 15 is directed to the one or more computer storage media of claim 14. Claim 15 is similar in scope to claim 2 and is therefore rejected under similar rationale.

Regarding claim 16, Gurvich, Dulce and Shulman disclose the one or more computer storage media of claim 15. 
Dulce further discloses where: the step of allocating a provisioned resource comprises generating a storage account; (Dulce, [0003] & [0030], user account; [0081], cloud storage application 326E providing users the ability to store data at and/or retrieve data from one or more remote servers (e.g., Google Drive™, Dropbox™, iCloud™, OneDrive™, Box™, etc; FIG 6 shows a record with 654 credentials for access; [0058] & [0099] describes the credentials can be a key)
and the corresponding access credential comprises a key to the storage account, (Dulce, [0003] & [0030], user account; [0081], cloud storage application 326E providing users the ability to store data at and/or retrieve data from one or more remote servers (e.g., Google Drive™, Dropbox™, iCloud™, OneDrive™, Box™, etc; FIG 6 shows a record with 654 credentials for access; [0058] & [0099] describes the credentials can be a key)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Dulce with the method and system of Gurvich to include where: the step of allocating a provisioned resource comprises generating a storage account; and the corresponding access credential comprises a key to the storage account. One would have been motivated to detect compromised unmanaged client end stations using synchronized tokens from enterprise-managed client end stations (Dulce, [0001]).
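The provisioning steps of claim 1 (allocate a decoy storage account and key per tenant resource module, deploy the key, record tenant/key/module in a token mapping store) and the detection steps of claim 2 (scan access logs, look each presented key up in the store, alert with the planted module), modelled as a standalone Python example added here; it is not code from the application or from any reference cited above. The decoy account naming, the config-dict deployment, the log line format and the sample log lines are all constructed assumptions for this example.

```python
"""Honeytoken provisioning and log-scan detection (added example, all names assumed)."""
import hashlib
import re
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class TokenEntry:
    tenant: str
    resource_module: str
    key_digest: str  # SHA-256 of the decoy key; the store never holds the raw key


class TokenMappingStore:
    """Maps a credential fingerprint to the tenant and module the credential was planted in."""

    def __init__(self) -> None:
        self._by_digest: dict = {}

    @staticmethod
    def fingerprint(key: str) -> str:
        return hashlib.sha256(key.encode()).hexdigest()

    def create_entry(self, tenant: str, resource_module: str, key: str) -> TokenEntry:
        entry = TokenEntry(tenant, resource_module, self.fingerprint(key))
        self._by_digest[entry.key_digest] = entry
        return entry

    def find_matching(self, key: str) -> Optional[TokenEntry]:
        # Lookup by digest, so a leaked copy of the store yields no usable keys.
        return self._by_digest.get(self.fingerprint(key))


def allocate_storage_account(tenant: str, resource_module: str) -> tuple:
    """Constructed decoy storage account: a unique name and a random access key."""
    name = f"decoy-{tenant}-{resource_module}-{secrets.token_hex(3)}"
    return name, secrets.token_urlsafe(32)


def deploy_credential(module_config: dict, account: str, key: str) -> None:
    """Plant the key where the module's real settings live (a config dict in this model)."""
    module_config["STORAGE_CONNECTION"] = f"AccountName={account};AccountKey={key}"


def provision_honeytokens(tenant: str, modules: dict, store: TokenMappingStore) -> list:
    """Claim 1 loop: one decoy account, one deployment and one store entry per module."""
    entries = []
    for module_name, config in modules.items():
        account, key = allocate_storage_account(tenant, module_name)
        deploy_credential(config, account, key)
        entries.append(store.create_entry(tenant, module_name, key))
    return entries


# Assumed storage-service access log line: "<ts> account=<name> key=<key> op=<op> status=<code>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) account=(?P<account>\S+) key=(?P<key>\S+) op=(?P<op>\S+) status=(?P<status>\S+)$"
)


def scan_access_logs(lines: list, store: TokenMappingStore) -> list:
    """Claim 2 loop: each access attempt carries a key; a hit in the store becomes an alert."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed line: skipped, not treated as evidence either way
        entry = store.find_matching(m["key"])
        if entry is None:
            continue  # not a honeytoken we issued
        alerts.append({
            "time": m["ts"],
            "tenant": entry.tenant,
            "resource_module": entry.resource_module,  # where the key was planted, i.e. what was read
            "account": m["account"],
            "operation": m["op"],
            "status": m["status"],  # a rejected (403) attempt is still a valid signal
        })
    return alerts


def run_demo() -> list:
    """End-to-end run over constructed modules and constructed log lines."""
    store = TokenMappingStore()
    modules = {"vm-web01": {}, "keyvault-prod": {}}
    provision_honeytokens("contoso", modules, store)
    planted_key = modules["keyvault-prod"]["STORAGE_CONNECTION"].split("AccountKey=")[1]
    logs = [  # constructed sample log lines
        "2021-03-01T10:00:00Z account=real-acct key=legit-key-1 op=ListBlobs status=200",
        f"2021-03-01T10:05:12Z account=unknown key={planted_key} op=ListContainers status=403",
        "garbage line that does not parse",
    ]
    return scan_access_logs(logs, store)
```

Only the decoy key's digest is stored, so the mapping store itself is not a second copy of the planted credentials.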

Claims 3, 10 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Gurvich et al (“Gurvich,” US 20170339186) in view of Dulce et al (“Dulce,” US 20160381023) and further in view of Ahmadzadeh et al (“Ahmadzedeh,” US 20170134405). 

Regarding claim 3, Gurvich and Dulce fail to explicitly disclose the computer-implemented method of claim 1. 
Gurvich further discloses a resource allocated for the tenant (Gurvich, [0004], allocate resources of the cloud provider system for use by tenants of the cloud provider system & [0013] , servers whose resources are allocated to the cloud provider’s tenants, where tenants may run any suitable applications and implement any suitable business logic using their allocated server resources and IP address ranges; [0034], honeypot addresses are scattered across IP address ranges 28 that are allocated to the tenants; also see FIG 2).
Gurvich and Dulce fail to explicitly disclose where the provisioned resource comprises one of an unused resource. 
However, in an analogous art, Ahmadzadeh discloses where the provisioned resource comprises one of an unused resource (Ahmadzadeh, [0022], The honeypot system may then provision new resources and continue monitoring to determine whether or not the applications begin acting maliciously; [0022] users [tenant]; [0040]-[0041], resources with remote servers)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Ahmadzadeh with the method and system of Gurvich and Dulce to include where the provisioned resource comprises one of an unused resource. One would have been motivated to trigger malicious activities by the application (Ahmadzadeh, [0002]).  

Regarding claim 10, Gurvich and Dulce disclose the system of claim 7. 
Gurvich further discloses a resource allocated for the tenant (Gurvich, [0004], allocate resources of the cloud provider system for use by tenants of the cloud provider system & [0013] , servers whose resources are allocated to the cloud provider’s tenants, where tenants may run any suitable applications and implement any suitable business logic using their allocated server resources and IP address ranges; [0034], honeypot addresses are scattered across IP address ranges 28 that are allocated to the tenants; also see FIG 2).
Gurvich and Dulce fail to explicitly disclose the provisioned resource comprises an unused resource and a resource provisioned in the remote computing resource system. 
However, in an analogous art, Ahmadzadeh discloses the provisioned resource comprises an unused resource allocated for the tenant and a resource provisioned in the remote computing resource system (Ahmadzadeh, [0022], The honeypot system may then provision new resources and continue monitoring to determine whether or not the applications begin acting maliciously; [0022] users [tenant]; [0040]-[0041], resources with remote servers)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Ahmadzadeh with the method and system of Gurvich and Dulce to include the provisioned resource comprises an unused resource and a resource provisioned in the remote computing resource system. One would have been motivated to trigger malicious activities by the application (Ahmadzadeh, [0002]).  

Regarding claim 17, Gurvich and Dulce disclose the one or more computer storage media of claim 14. 
Gurvich further discloses a resource allocated for the tenant (Gurvich, [0004], allocate resources of the cloud provider system for use by tenants of the cloud provider system & [0013] , servers whose resources are allocated to the cloud provider’s tenants, where tenants may run any suitable applications and implement any suitable business logic using their allocated server resources and IP address ranges; [0034], honeypot addresses are scattered across IP address ranges 28 that are allocated to the tenants; also see FIG 2).
Gurvich and Dulce fail to explicitly disclose where the provisioned resource comprises an unused resource and a resource provisioned in the remote computing resource system. 
However, in an analogous art, Ahmadzadeh discloses where the provisioned resource comprises an unused resource and a resource provisioned in the remote computing resource system (Ahmadzadeh, [0022], The honeypot system may then provision new resources and continue monitoring to determine whether or not the applications begin acting maliciously; [0022] users [tenant]; [0040]-[0041], resources with remote servers)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Ahmadzadeh with the method and system of Gurvich and Dulce to include where the provisioned resource comprises an unused resource and a resource provisioned in the remote computing resource system. One would have been motivated to trigger malicious activities by the application (Ahmadzadeh, [0002]).  
Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Gurvich et al (“Gurvich,” US 20170339186), Dulce et al (“Dulce,” US 20160381023), Ahmadzadeh . 

Regarding claim 4, Gurvich, Dulce and Ahmadzedeh disclose the computer-implemented method of claim 3. 
Gurvich further discloses a resource allocated for the tenant (Gurvich, [0004], allocate resources of the cloud provider system for use by tenants of the cloud provider system & [0013] , servers whose resources are allocated to the cloud provider’s tenants, where tenants may run any suitable applications and implement any suitable business logic using their allocated server resources and IP address ranges; [0034], honeypot addresses are scattered across IP address ranges 28 that are allocated to the tenants; also see FIG 2).
Gurvich, Dulce and Ahmadzedeh fail to explicitly disclose where the unused resource comprises a container with restricted access permissions. 
However, in an analogous art, Dargude discloses where the unused resource comprises a container with restricted access permissions (Dargude, Col. 17, Line 65, tenants; Col. 11, Lines 15-18, determination module 110 may determine the number of shared data containers, folders, and/or files of the organization on which the member has read and/or write permissions).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Dargude with the method and system of Gurvich, Dulce and Ahmadzedeh to include where the unused resource comprises a container with restricted access permissions. Thus the combination of . 

Claims 11 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Gurvich et al (“Gurvich,” US 20170339186), Dulce et al (“Dulce,” US 20160381023), Ahmadzadeh et al (“Ahmadzedeh,” US 20170134405) in view of Dargude et al (“Dargude,” US 9900330) and further in view of Johnson et al (“Johnson,” US 20200153836). 

Regarding claim 11, Gurvich, Dulce and Ahmadzedeh disclose the system of claim 10. 
Gurvich further discloses a resource allocated for the tenant (Gurvich, [0004], allocate resources of the cloud provider system for use by tenants of the cloud provider system & [0013] , servers whose resources are allocated to the cloud provider’s tenants, where tenants may run any suitable applications and implement any suitable business logic using their allocated server resources and IP address ranges; [0034], honeypot addresses are scattered across IP address ranges 28 that are allocated to the tenants; also see FIG 2).
Gurvich, Dulce and Ahmadzedeh fail to explicitly disclose where the unused resource comprises one of a container with restricted access permissions. 
(Dargude, Col. 17, Line 65, tenants; Col. 11, Lines 15-18, determination module 110 may determine the number of shared data containers, folders, and/or files of the organization on which the member has read and/or write permissions).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Dargude with the method and system of Gurvich, Dulce and Ahmadzedeh to include where the unused resource comprises one of a container with restricted access permissions. Thus the combination of references Gurvich, Dulce, Ahmadzedeh and Dargude would teach the combination of wherein the unused resource allocated for the tenant. One would have been motivated to identify potentially risky data users within organizations (Dargude, Col. 1, Lines 23-24). 
Gurvich further discloses in a domain corresponding to the tenant (Gurvich, [0004] cloud provider system corresponding to the tenant)
Gurvich, Dulce, Ahmadzedeh and Dargude fail to explicitly disclose and a fictitious user account. 
However, in an analogous art, Johnson discloses and a fictitious user account, (Johnson, [0056], The fictitious account may also be previously generated prior to the login attempt in order to act as a "honeypot" type security measure and may be identified and accessed at operation 440). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Johnson with the method and 

Regarding claim 18, claim 18 is directed to the one or more computer storage media of claim 17. Claim 18 is similar in scope to claim 11 and is therefore rejected under similar rationale.


Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAMES J WILCOX whose telephone number is (571)270-3774.  The examiner can normally be reached on M-F: 8 A.M. to 5 P.M.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu T. Pham can be reached on (571)270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for 
/JAMES J WILCOX/Examiner, Art Unit 2439   



/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439