Notice of Pre-AIA  or AIA  Status
The present application, filed on or after January 07, 2019, is being examined under the first inventor to file provisions of the AIA .
Detailed action 
Claims 1 and 6-10 are pending and are being considered.
Claims 2-5 have been cancelled.
Claim 1 have been amended.
Claims 6-10 have been newly added.
Claim Objections 
	Claim 7 and 8 recites “threat field includes a threat identifier…..” The examiner suggest to amend the limitation to “threat field includes a threat name” in view of para [42] of spec, because the spec discloses threat filed including name of the threat and there can be more than one threat with same name. Therefore the examiner suggest to amend the “thread identifier” to “threat name”.

Response to 103 
Applicants arguments filled on 05/07/2021 have been fully considered and are partially not persuasive. In response to applicants argument on page 6 of remarks that Kim (i.e. primary reference) and Lee (i.e. secondary reference) fails to teach the amended limitation  (a)“a threat packet generator to receive the simulation packet classified as the threat packet from the threat detector, and to generate the real threat packet including a threat payload based on an event field included in the simulation packet and a real packet transmitter to transmit the real threat packet generated by the threat packet generator to the live-virtual training unit,” (b) “and wherein the live-virtual training unit receives the real 
 	The examiner acknowledges applicants point of view but respectfully disagrees because Kim teaches 
(a) a threat packet generator to receive the simulation packet classified as the threat packet from the threat detector, and to generate the real threat packet including a threat payload based on an event field included in the simulation packet and a real packet transmitter to transmit the real threat packet generated by the threat packet generator to the live-virtual training unit, Kim on [Page 4 text associated with Fig 4] teaches the traffic control agent 300 (i.e. threat packet generator) checks header (i.e. event filed) of the received packet (i.e. simulation packet) to determine the packet is normal or abnormal. if the packet is abnormal than the traffic agent changes to abnormal detection state and generate a warning message to take appropriate control measures (i.e. indicating a real threat packet). Kim on [page 5] discloses the traffic control agent transmitting the threat packet.
Lee teaches (b) and wherein the live-virtual training unit receives the real threat packet from the model conversion unit, and to generate the live-virtual model based cyber training program using the real threat packet, Lee on [page 9 last para] teaches the live-virtual interoperation part is in a structure  and is equipped inside the SITL gateway and compares it with a threat signal DB when it receives an actual cyber threat packet (i.e. real threat packet) and abstracts the relevant threat when it is identified as a threat packet and processes in a form of a cyber threat simulation packet. The cyber threat packet performs a role of threat for cyberwar training as shown Fig 1.
	Rest of applicant’s arguments are moot in view of new grounds of rejection. The arguments do not apply to the current art being used.

CLAIM INTERPRETATION

The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 

As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 

Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 

Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.

This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are: “a constructive training unit, a live virtual training unit, a model conversion unit”, “a packet detector, a threat detector, a threat packet generator” in claim 1, 8-10

Claim limitation(s) “a constructive training unit, a live virtual training unit, a model conversion unit, a packet detector, a threat detector and a threat packet generator” of claims 1 and 8-10 gives their broadest reasonable interpretation of the claim elements with a limited description in the specification. The examiner notes that these elements lie within a model conversion unit having a packet transmitter as the structure between the recited elements. See spec Fig 1-2 and text on [0023, 0040 and 0047-0049]. Accordingly claims 1-5 invoke 35 U.S.C. 112 (f) or sixth paragraph, but the corresponding structure is described.

Because these claim limitation(s) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, they are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.

If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.


                                               Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1 and 6 are rejected under 35 U.S.C. 103 as being unpatentable over Kim et al (hereinafter Kim) (KR 2006-0058788) (i.e. provided in IDS) in view of Lee et al (hereinafter Lee) (CYBER ACTUATOR SYSTEM FOR LIVE-VIRTUAL-CONSTRUCTIVE INTER-OPERATIVE CYBERWARFARE SIMULATION) (NPL provided in the IDS, English translation is used for examination purpose).

Regarding claim 1 Kim teaches An apparatus for providing a training program against a cyber threat, the apparatus comprising (Kim on [page 2] teaches a network simulation apparatus and method to be constructed to understand and evaluate performance  for analyzing abnormal traffic in  cyber-attack);
and a model conversion unit to generate a real threat packet based on a simulation packet received from the constructive training unit and to provide the real threat packet to the live- virtual training unit (Kim Fig 1 and associated text [Page 3 para 1-3] teaches a traffic collection unit 100 collects real time traffic from the network to be converted into suitable format, wherein the traffic includes normal and abnormal packet and generating result/data based on current real-time traffic volume. See also page 5 text related to Fig 6 teaches collector collecting real time traffic information and converting it according to simulation environment. See also on [page 4] teaches generating normal and abnormal packet based on amount of real time traffic of the network. Further determines if the packet is normal or abnormal based on header information included in the packet and transmit the generated virtual traffic to target node);
 wherein the model conversion unit comprises: a packet detector to detect the simulation packet received from the constructive training unit (Kim on [page 3 last two para] teaches the virtual network components include a traffic generation unit for generating virtual traffic, a security management node constituting a virtual network simulation environment, and a traffic control node for detecting and controlling abnormal traffic);
 a threat detector to classify the simulation packet into one of a generic packet and a threat packet, based on a threat field included in the simulation packet (Kim on [page 4] traffic control node 330 determines if the packet is normal or abnormal based on header information included in the packet);
a threat packet generator to receive the simulation packet classified as the threat packet from the threat detector, and to generate the real threat packet including a threat payload based on an event field included in the simulation packet (Kim [Page 4 text associated with Fig 4] teaches the traffic control agent 300 checks header of the received packet to determine the packet is normal or abnormal. if the packet is abnormal than the traffic agent changes to abnormal detection state and generate a warning message to take appropriate control measures (i.e. indicating a real threat packet )).
and a real packet transmitter to transmit the real threat packet generated by the threat packet generator to the live-virtual training unit (Kim on [page 5] teaches the traffic control agent transmitting the threat packet).
Although Kim teaches collector for collecting real time traffic information and simulator module 110 for receiving the converted information, however Kim fails to explicitly teach a constructive training unit to provide a constructive model based cyber training program, a live-virtual training unit to provide a live-virtual model based cyber training program, but Lee from analogous art teaches a constructive training unit to provide a constructive model based cyber training program (Lee Fig 1 and text on [page 5] teaches establishing constructive simulation environment for cyber training);
a live-virtual training unit to provide a live-virtual model based cyber training program (Lee Fig 1 and text on [page 5] teaches establishing live-virtual operating environment for cyber training);
and wherein the live-virtual training unit receives the real threat packet from the model conversion unit, and to generate the live-virtual model based cyber training program using the real threat packet (Lee on [page 9 last para] teaches the live-virtual interoperation part is in a structure  and is equipped inside the SITL gateway and compares it with a threat signal DB when it receives an actual cyber threat packet (i.e. real threat packet) and abstracts the relevant threat when it is identified as a threat packet and processes in a form of a cyber threat simulation packet. The cyber threat packet performs a role of threat for cyberwar training as shown Fig 1).
Thus, it would have been obvious to one ordinary skill in the art before the effective filing date to implement the teaching of Lee into the teaching of Kim by having live and virtual constructive model based cyber training program. One would be motivated to do so in order to analyze the effect of cyber-attack on large scale network (Lee on [page 4 last para]).

Regarding claim 6 the combination of Kim and Lee teaches all the limitations of claim 1 above, Kim further teaches wherein the packet detector receives a plurality of simulation packets and detects the simulation packet to be converted into the real threat packet among the plurality of simulation packets (Kim Fig 1 and associated text [Page 3 para 1-3] teaches a traffic collection unit 100 collects real time traffic from the network to be converted into suitable format, wherein the traffic includes normal and abnormal packet  (i.e. traffic containing plurality of packets) and generating result/data based on current real-time traffic volume).

Claims 7-10 are rejected under 35 U.S.C. 103 as being unpatentable over Kim et al (hereinafter Kim) (KR 2006-0058788) (i.e. provided in IDS) in view of Lee et al (hereinafter Lee) (CYBER ACTUATOR SYSTEM FOR LIVE-VIRTUAL-CONSTRUCTIVE INTER-OPERATIVE CYBERWARFARE SIMULATION) (NPL provided in the IDS, English translation is used for examination purpose) and further in view of Manadhata et al (hereinafter Manadhata) (US 20170163670).

Regarding claim 7 the combination of Kim and Lee teaches all the limitations of claim 1 above, the combination fails to explicitly teach wherein the threat field includes a threat identifier, and wherein the threat detector classifies the simulation packet as the threat packet when the threat identifier included in the threat field of the simulation packet is the same as a predetermined threat identifier, and otherwise, classifies the simulation packet as a the generic packet, however Manadhata from analogous art teach wherein the threat field includes a threat identifier, and wherein the threat detector classifies the simulation packet as the threat packet when the threat identifier included in the threat field of the simulation packet is the same as a predetermined threat identifier, and otherwise, classifies the simulation packet as a the generic packet (Manadhata on [0040-0042] teaches classifying the packet as malicious packet based on attribute associated with packet, the attribute may be signature associated with packet. See also on [0028] teaches a pointer loop is detected in packet 132, which has been identified in the blacklist as being associated with a malicious event. This may cause packet classifier to classify packet 132 as malicious, and an alert may be generated. See on [0016] teaches DNS packets may include known attack signatures such as a pointer loop, a time to live (TTL) of zero, a malformed header, a mismatch in packet length and a length designated in a head of the packet, and so forth. When an attack signature is detected, the packet may also be flagged so that a remedial measure may be taken in response to the packet).
Thus, it would have been obvious to one ordinary skill in the art before the effective filing date to implement the teaching of Manadhata into the combined teaching of Kim and Lee by classifying packet into real threat packet based on threat filed in a packet. One would be motivated to do so in order to detect and prevent security events (Manadhata on [0009]).
Regarding claim 8 the combination of Kim, Lee and Manadhata teaches all the limitations of claim 1 above, Manadhata  further teaches wherein the event field includes a threat parameter information related to the threat identifier, wherein the model conversion unit further comprises a packet database to the threat payload for generating the real threat packet based on the threat parameter information, wherein the threat packet generator extracts the threat parameter information from the event field of the simulation packet classified as the threat packet, receive the threat payload corresponding to the threat parameter information from the packet database, and generates the real threat packet including the threat payload (Manadhata on [0028] teaches if packet 132 included DNS information related to the Zeus command and control server instead of a pointer loop, the SIEM may tell the administrator that client 195 is infected with the Zeus malware so that the administrator can take steps to mitigate the infection (e.g., obtain and reimage the machine). See on [0036] teaches when the packet tests positive against the blacklist, method 200 includes logging the packet at 230. Logging the packet may include extracting security information from the packet and storing the packet and the extracted security information for future analysis. When method 200 is integrated with a specific security system (e.g., a security information and event manager (SIEM)), logging the packet may include collecting and formatting information associated with the packet into a data format).
Thus, it would have been obvious to one ordinary skill in the art before the effective filing date to implement the teaching of Manadhata into the combined teaching of Kim and Lee by classifying packet into real threat packet based on threat filed in a packet. One would be motivated to do so in order to detect and prevent security events (Manadhata on [0009]).

Regarding claim 9 the combination of Kim and Lee teaches all the limitations of claim 1 above, the combination fails to explicitly teach wherein the model conversion unit further comprises a generic packet generator to receive the simulation packet classified as the generic packet from the threat detector and to generate a real generic packet based on the event field included in the simulation packet wherein the event field included in the simulation packet classified as the generic packet includes a protocol type and a destination IP address, and wherein the real packet transmitter transmits the real generic packet generated by the generic packet generator to the live-virtual training unit, however Manadhata from analogous art teaches wherein the model conversion unit further comprises a generic packet generator to receive the simulation packet classified as the generic packet from the threat detector and to generate a real generic packet based on the event field included in the simulation packet (Manadhata on [0025-0026] teaches the whitelist may be generated automatically over time by examining packets and noting which domains are not associated with malicious events. Whitelist 110 may also specify that certain clients, IP addresses, applications, and other packet attributes indicate that a packet is benign. As with whitelist 110 (i.e. generic packet), blacklist 120 may be generated based on input from a network administrator, or automatically based on analysis of packets. See on [0031] teaches The packet may be tested against a whitelist and a blacklist. The whitelist may include benign domains, benign IP addresses, low priority clients, low priority applications, benign packet signatures, and so forth. Benign domains and IP addresses may be, for example, domains and IP addresses associated with a company performing method 200, domains and IP addresses culled from a list of known reliable domains)
3wherein the event field included in the simulation packet classified as the generic packet includes a protocol type and a destination IP address, and wherein the real packet transmitter transmits the real generic packet generated by the generic packet generator to the live-virtual training unit (Manadhata on [0025-0026] teaches the whitelist may be generated automatically over time by examining packets and noting which domains are not associated with malicious events. Whitelist 110 may also specify that certain clients, IP addresses, applications, and other packet attributes indicate that a packet is benign. As with whitelist 110 (i.e. generic packet), blacklist 120 may be generated based on input from a network administrator, or automatically based on analysis of packets. See on [0031] teaches the packet may be tested against a whitelist and a blacklist. The whitelist may include benign domains, benign IP addresses, low priority clients, low priority applications, benign packet signatures, and so forth. Benign domains and IP addresses may be, for example, domains and IP addresses associated with a company).
Thus, it would have been obvious to one ordinary skill in the art before the effective filing date to implement the teaching of Manadhata into the combined teaching of Kim and Lee by classifying packet into real threat packet based on threat filed in a packet. One would be motivated to do so in order to detect and prevent security events (Manadhata on [0009]).

Regarding claim 10 the combination of Kim, Lee and Manadhata teaches all the limitations of claim 1 above, Manadhata  further teaches wherein the threat packet generator transmits the simulation packet classified as the generic packet to the generic packet generator, and transmits the simulation packet classified as the threat packet to the threat packet generator (Manadhata Fig 1-2 and text on [0023-0025 and 0031-0032] teaches packet classifier receives network traffic and classifies the network traffic containing packets into blacklist and whitelist packets (i.e. threat packet and generic packet) and transmit the packet based on if the packet is malicious (i.e. threat packet) to blacklist or not malicious (i.e. generic packet) to whitelist).

Thus, it would have been obvious to one ordinary skill in the art before the effective filing date to implement the teaching of Manadhata into the combined teaching of Kim and Lee by classifying packet into real threat packet based on threat filed in a packet. One would be motivated to do so in order to detect and prevent security events (Manadhata on [0009]).

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOEEN KHAN whose telephone number is (571)272-3522.  The examiner can normally be reached on 7AM-5PM EST M-TH Alternate Fridays.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571)272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/MOEEN KHAN/               Examiner, Art Unit 2436       
/KENDALL DOLLY/               Primary Examiner, Art Unit 2436