DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
This Office Action is in response to the amendment filed on 3/2/2021.
Claims 1, 7 and 13 have been amended.
Claims 1-18 are pending for consideration.

Response to Arguments
The claim objections to claims 1, 7 and 13 have been withdrawn as the claims have been amended.
The claim interpretation under 35 U.S.C. 112(f) of claim 7 has been maintained as the applicant has not addressed this interpretation in the Remarks filed on 3/2/2021.
Applicant's arguments filed on 03/2/2021 have been fully considered but they are not persuasive. 
Applicant argues on page 7 of the Remarks that Tal does not teach or suggest using user identities that are not known to be associated with a legitimate computer user, as claims 1, 7, and 13 recite.
In response to the above argument, Examiner respectfully disagrees.  Tal does teach using user identities that are not known to be associated with a legitimate computer user (Tal: paragraphs 0024 and 0050-0051, “The honeytoken-credentials include an invalid login-credential(s) …. The invalid login-credential(s) fails authentication when used in an attempt to access the service providing server… for example, in comparison to providing invalid login-credentials which are not associated with any valid users”).  As can be seen in the cited paragraphs, the invalid login-credentials fail authentication, which means they are not associated with any legitimate users.  Therefore, Tal does teach the disputed limitation.
Applicant argues on page 8 of the Remarks that Tal does not teach or suggest “providing any of the synthetic victim information of the synthetic victims to a computer-hosted phishing site”.
In response to the above argument, Examiner respectfully disagrees.  Tal does teach providing any of the synthetic victim information of the synthetic victims to a computer-hosted phishing site (Tal: see figure 2, items 212, 204 and 218; and paragraphs 0036 and 0060-0061 “System 200 includes a malicious event detection server 202 that detects a malicious attempt by a malicious entity 204 using a network 206 to attempt to access a service providing server 208 using stored honeytoken-credentials 218”).  Expanding from the previous citations, the honeytoken-credentials referenced in the figure 2 and above paragraphs are fake credentials which are used to catch cyber criminals.  In order for the honeytoken-credentials 218 to be stored at the Malicious entity 204, the system has to provide the honeytoken-credentials 218 to the malicious entity, see figure 2.  Examiner notes, the malicious entity is broadly interpreted as the computer-hosted phishing site.  Therefore, Tal does teach the disputed limitation.
Applicant argues on pages 8-9 of the Remarks that Tal does not teach or suggest “receiving from the computer-hosted target site a network address of the requester”.
In response to the above argument, Examiner respectfully disagrees.  Tal does teach receiving from the computer-hosted target site a network address of the requester (Tal: paragraphs 0028, 0068, 0072 and 0080, “Network traffic is monitored to detect a login-failure event, … a malicious entity that achieved unauthorized access to the client terminal, stole the honeytoken-credentials of the valid user from the memory of the client terminal, and tried to obtain authorized access to the service providing server using the valid login-credentials and invalid login-credentials of the honeytoken-credentials”… “An exemplary implementation of code 216 receives a Domain, User (i.e., valid login-credential), and Password (i.e., invalid login-credential) as parameters, initiates an impersonated logon process using the parameters”).  Examiner notes, the domain associated with the requester recited in the referenced paragraphs is broadly interpreted as the network address of the requester recited in the claim.  Therefore, Tal does teach the disputed limitation.
Examiner has cited particular paragraphs in the references applied to the claims above for the convenience of the applicant.  Although the specified citations are representative of the teachings of the art and are applied to specific limitations within the individual claim, other passages and figures may apply as well.  It is respectfully requested from the applicant in preparing responses, to fully consider the references in entirety as potentially teaching all or part of the claimed invention, as well as the context of the passage as taught by the prior art or disclosed by the Examiner (see MPEP 2141.02 (VI)).

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are: 
a computer-hosted protector configured to in claim 7.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification (see page 2 of the applicant’s specification, “In the system of Fig. 1, a computer, referred to herein as protector 100, is configured to communicate via a computer network 102, such as the Internet, with one or more phishing sites and target sites in the manner described hereinbelow, such as with a phishing site 104 and a target site 106”) as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1, 6-7, 12-13 and 18 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by BE’ERY et al. (US 20170195346) (hereinafter Tal).
Regarding claim 1, Tal discloses a method for countering phishing attacks, the method comprising: 
generating a plurality of synthetic victims (Tal: paragraphs 0030 and 0051, “The honeytoken-credentials include one or more invalid login-credentials, which may be randomly generated, manually selected, and/or created using code instructions based on an algorithm. The invalid login-credentials may be obtained and/or based on previously valid login-credentials, which may be currently invalid, for example, currently expired old passwords of the user, and/or passwords that have been leaked, for example, a list of stolen and/or leaked passwords”), wherein each of the synthetic victims includes synthetic victim information that represents a computer user identity and includes associated sensitive information, wherein the computer user identity and its associated sensitive information are fictitious in that they are not known to be associated with a legitimate computer user (Tal: paragraphs 0024 and 0051-0052, “The honeytoken-credentials include an invalid login-credential(s) …. The invalid login-credential(s) fails authentication when used in an attempt to access the service providing server… for example, in comparison to providing invalid login-credentials which are not associated with any valid users” …“The invalid login-credentials may be obtained and/or based on previously valid login-credentials, which may be currently invalid, for example, currently expired old passwords of the user, and/or passwords that have been leaked, for example, a list of stolen and/or leaked passwords (which may be obtained from a server or from another source). The leaked passwords may have been detected and designated as being currently invalid. Use of the leaked passwords and/or old user passwords as the invalid login-credentials may allow for a quick sunset on the leaked passwords and/or helping to identify the entity that stole and/or leaked the passwords”); 
providing any of the synthetic victim information of the synthetic victims to a computer-hosted phishing site (Tal: see figure 2, items 212, 204 and 218; and paragraphs 0036 and 0060-0061 “System 200 includes a malicious event detection server 202 that detects a malicious attempt by a malicious entity 204 using a network 206 to attempt to access a service providing server 208 using stored honeytoken-credentials 218”, Note: Expanding from the previous citations, the honeytoken-credentials referenced in the figure 2 and above paragraphs are fake credentials which are used to catch cyber criminals.  In order for the honeytoken-credentials 218 to be stored at the Malicious entity 204, the system has to provide the honeytoken-credentials 218 to the malicious entity, see figure 2.  The malicious entity is broadly interpreted as the computer-hosted phishing site); 
storing the synthetic victim information in a computer-accessible database (Tal: paragraphs 0063 and 0066-0067, “Honeytoken-credential storing code 216 includes instructions to store the both the invalid login-credential and the valid login-credential within the local memory of the respective client terminal. The invalid login-credential is stored in a location in the local memory designed to store the corresponding valid version of the invalid login-credentials”); 
receiving from a computer-hosted target site, information provided to the computer-hosted target site by a requestor (Tal: paragraphs 0083-0085, “The packets may include login-credentials (optionally the honeytoken-credentials) of client terminal 210 requesting authorization to access service providing server 208”); 
identifying in the computer-accessible database synthetic victim information matching the requestor information (Tal: paragraphs 0087 and 0092, “The login-failure event may be identified based on an analysis (by malicious event detection server 202) of data extracted from the monitored and/or intercepted packet(s).”… “the received login-credentials (e.g., login-failure-credential(s)) are analyzed (optionally by malicious event detection server 202) to determine whether the login-failure-credential match honeytoken-credentials.”); and 
notifying the computer-hosted target site that the requestor information is of a synthetic victim (Tal: paragraphs 0093-0101, “transmission of a message for display on a screen of a computing device of an administrator, which may alert the network administrator that further investigation is required. The indication may be transmitted to another server, for example, to security server 226, which may initiate manual and/or automatic security processes, for example, isolation of malicious entity 204 and/or client 210. The indication may be stored in an event log (on a local and/or remote storage device)”).
Regarding claim 7, claim 7 discloses a system claim that is substantially equivalent to the method of claim 1.  Therefore, the arguments set forth above with respect to claim 1 are equally applicable to claim 7 and rejected for the same reasons.
Regarding claim 13, claim 13 discloses a medium claim that is substantially equivalent to the method of claim 1.  Therefore, the arguments set forth above with respect to claim 1 are equally applicable to claim 13 and rejected for the same reasons.
Regarding claims 6, 12 and 18, Tal further discloses receiving from the computer-hosted target site a network address of the requestor (Tal: paragraphs 0028, 0068, 0072 and 0080, “Network traffic is monitored to detect a login-failure event, … a malicious entity that achieved unauthorized access to the client terminal, stole the honeytoken-credentials of the valid user from the memory of the client terminal, and tried to obtain authorized access to the service providing server using the valid login-credentials and invalid login-credentials of the honeytoken-credentials”… “An exemplary implementation of code 216 receives a Domain, User (i.e., valid login-credential), and Password (i.e., invalid login-credential) as parameters, initiates an impersonated logon process using the parameters”, Examiner notes, the domain associated with the requester recited in the referenced paragraphs is broadly interpreted as the network address of the requester recited in the claim); storing in the computer-accessible database, in association with the synthetic victim information, the network address of the requestor and a timestamp (Tal: paragraphs 0028, 0053, 0068 and 0072, “Analyzing data extracted from network traffic (e.g., tickets, responses to challenges) allows identification of malicious events based on password related or derived data (e.g., a hash using the password, or a password used to encrypt a timestamp), for example, in comparison to analyzing logs which may not contain such password related or derived data”… “for example, by using the time that the entity is looking around the fake server to identify the entity. The sophistication of the invalid passwords may be designed according to the fake services hosted by the fake service providing server”); and making any information stored in the computer-accessible database available to parties for security purposes (Tal: paragraphs 0072, 0080 and 0096-0097, “The extracted login-failure-credential includes a password used to encrypt a timestamp in the AS-REQ. In such a case, the honeytoken-credential stored on client terminal 204 includes an invalid login-credential in the form of a honeytoken-password. Malicious event detection server 202 checks whether the stored honeytoken-password matches the password used to encrypt the timestamp, by decrypting the encrypted timestamp in the AS-REQ using the honeytoken-password”).

Allowable Subject Matter
Claims 2-5, 8-11 and 14-17 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
The following is a statement of reasons for the indication of allowable subject matter: As to claims 2-5, 8-11 and 14-17, none of the art of reference discloses, individually or in reasonable combination, the features disclosed in claims 1, 7 and 13 if written in independent form.

Conclusion
The prior art made of record and not relied upon that is considered pertinent to applicant's disclosure is listed on the enclosed PTO-892 form, e.g., 
Dawson (US 20180262503) discloses a user generates a single session passcode after a normal authentication has been used to access a system. This single session passcode thereafter is used to re-authenticate the user during the session without requiring the repeated use of the normal authentication.
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TRANG T DOAN whose telephone number is (571)272-0740.  The examiner can normally be reached on Monday-Friday 7-4 ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn D Feild can be reached on (571)272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/TRANG T DOAN/Primary Examiner, Art Unit 2431