DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
The Amendment filed 02/25/2021 has been received and considered.
Claims 1-20 are pending.
This action is Final.
Information Disclosure Statement
2.	The information disclosure statement (IDS) submitted on 05/28/2021 has been considered. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, an initialed and dated copy of the Applicant’s IDS form 1449 filed on 05/28/2021 is attached to this office action. 

Response to Arguments
3.	Applicant's arguments filed 02/25/2021 have been fully considered but they do not apply to the newly cited reference below. 
4. 	The rejections under 35 U.S.C. 101 are withdrawn based on the filed amendments.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1, 7-8, 14 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over US Pub. No. US 2016/0028764 A1 to Vasseur, (hereinafter “Vasseur”) in view of US Pub. No. US 2017/0126718 A1 to Baradaran, (hereinafter, “Baradaran”) and in further view of US Pub. No. US 2013/0117817 A1 to Gantman, (hereinafter, “Gantman”).

As per claims 1 and 14, Vasseur teaches a method and an apparatus, respectively, comprising:
one or more computer-readable storage media; a processing system operatively coupled with the one or more computer-readable storage media (Vasseur, para. [0027] “FIG. 2 is a schematic block diagram of an example node/device 200 (e.g., a server/controller 102, a node/device 104, etc.) that may be used with one or more embodiments described herein, e.g., as any of the devices shown in FIG. 1 above. The device may comprise one or more network interfaces 210 (e.g., wired, wireless, PLC, etc.), at least one processor 220, and a memory 240 interconnected by a system bus 250, as well as a power supply 260 (e.g., battery, plug-in, etc.).”); and 
program instructions stored on the one or more computer-readable storage media that, when executed by the processing system, direct the processing system to facilitate prevention of malicious attacks on a web service (Vasseur, para. [0029] “The memory 240 comprises a plurality of storage locations that are addressable by the processor 220 and the network interfaces 210 for storing software programs and data structures…The processor 220 may comprise hardware elements or hardware logic adapted to execute the software programs and manipulate the data structures 245. These software processes and/or services may comprise routing process/services 244, an attack mimicking process 247, and/or an attack detection process 248”), the method comprising:
when the web request is identified as malicious, preventing the web request from reaching the web server and instead redirecting the web request to an isolated mitigation server configured to mimic responses of the web server (Vasseur, para. [0055] “The policy engine may instruct RDEi 410 to redirect the traffic to the TSi 450, and perform NAT (Network Address Translation) to spoof the address of the attacked server, thus making the architecture shown in FIG. 4 highly flexible. In one embodiment, the TSi 450 may purposely mimic the behavior expected from the attack (and potentially running out of resources). Such a behavior is particularly useful for unknown attacks since it may not be possible for the policy engine to indicate how TSi 450 should mimic the attack. Instead, TSi 450 may simply replicate the effect of the attack with no consequence on the actual server, which was originally the target of the attack. In yet another embodiment, if the policy server knows the effect of the identified attack Si, it may indicate to TSi 450 exactly how to mimic the effect of the attack. In either case, the TSi 450 allows for replicating the effect of the attack without any consequence on the actual server, resulting with the attacker not being capable of telling that the attack was detected.”).
in the isolated mitigation server, and presenting the artificial web content to the client in response to the web request (Vasseur, para. [0065] “the DoS attack management node may determine attack information relating to the attack traffic. The attack information may include, for example, a type of the DoS attack and an intended target of the DoS attack, in addition to an identity of the attacker, an identity of the RDE 410, an intensity of the DoS attack, and the like. The attack information may be provided to the DoS attack management node by the RDE 410.” And para. [0066] “the DoS attack management node may trigger an attack mimicking action based on the attack information mentioned above…the attack mimicking action mimics a behavior of the intended target of the DoS attack that would be expected by the one or more attacker nodes if the DoS attack were successful. The attack mimicking action may encompass any action in the network which mimics the action of an attacked network resource, such that the attacker believes that the DoS attack was successful.”).



intercepting a web request from a client directed to a web server providing the web service (Baradaran, para. [0137] “the appliance 200 provides application firewall functionality 290 for communications between the client 102 and server 106…the appliance inspects the content of intercepted requests to identify and block application-based attacks.”); 
identifying whether or not the web request is malicious (Baradaran, para. [0137] “the policy engine 236 provides rules for detecting and blocking illegitimate requests…the application firewall 290 protects against denial of service (DoS) attacks…the appliance inspects the content of intercepted requests to identify and block application-based attacks.”); 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Baradaran’s framework for explaining anomalies in accessing web applications into Vasseur’s stealth mitigation with a motivation to improve network security using misuse detection techniques (Baradaran, para. [0002]).
The combination of Vasseur and Baradaran teaches all the limitations of claims 1 and 14 above, however fails to explicitly teach, but Gantman teaches:
processing the web request to generate artificial web content that appears to be genuine web content provided by the web server based on a type of web page targeted by the web request (Gantman, para. [0052] “FIG. 2 is a diagram illustrating an exemplary network environment in which one or more features to inhibit cross-site request forging attacks may be implemented. A network 202 (e.g., data or communication network, packet-switched network, internet, wireless network, a plurality of networks, etc.) may serve to facilitate communications between multiple devices (e.g., web servers, user computers, etc.). Here, a plurality of web servers 204a, 204b, and/or 204c may provide content to one or more client devices 206a, 206b, and/or 206c (e.g., user laptops/computers, tablets, mobile phones, etc.). For instance, a browser operating at the first client device 206a may request a website content from a first web server A 204a. In response, the first server A 204a sends the requested website content to the first client device 206a where the browser displays such content to a user. Additionally, the browser may also execute instructions/commands received as part of the website content, such as linked content from a second web server B 204b. As previously noted, the second web server 204b may send content (e.g., commands, instructions, etc.) that causes the client browser to perform operations unintended by the first client device 206a. Such unintended operations may include, for example, externally-triggered requests (i.e., cross-site requests). For instance, the content from the second web server 204b may trigger or request a password change for a user of the first client device 206a at the first web server A 204a. 
However, by using different cookies for requests initiated at the client device (e.g., user triggered/initiated/originated requests) versus requests initiated elsewhere (e.g., externally triggered/initiated/originated requests, request initiated by second web server B 204b), these different requests may be distinguished by the first web server A 204a. Depending on the type of request (e.g., a change password request versus a content delivery request), the first web server A 204a may deny requests that seek a change in, for example, session or account information not accompanied by a cookie that indicates that such request was locally-triggered at the client device 206a (e.g., user-initiated or same-origin initiated) rather than externally-triggered by a different web server 204b or 204c.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Gantman’s prevention of cross-site request forgery attacks into Baradaran’s framework for explaining anomalies in accessing web (Gantman, para. [0008]).
As per claim 7, the combination of Vasseur, Baradaran and Gantman teach the method of claim 1 wherein the isolated mitigation server is configured to mimic the responses of the web server based on observations of legitimate behavior associated with the web server (Vasseur, para. [0065] “the DoS attack management node may determine attack information relating to the attack traffic. The attack information may include, for example, a type of the DoS attack and an intended target of the DoS attack, in addition to an identity of the attacker, an identity of the RDE 410, an intensity of the DoS attack, and the like. The attack information may be provided to the DoS attack management node by the RDE 410.” [0066] “the DoS attack management node may trigger an attack mimicking action based on the attack information mentioned above…the attack mimicking action mimics a behavior of the intended target of the DoS attack that would be expected by the one or more attacker nodes if the DoS attack were successful.”).

As per claim 8, Vasseur teaches a network security system to facilitate prevention of malicious attacks on a web service, the system comprising: 
a redirection system (Vasseur, para. [0055] “The policy engine may instruct RDEi 410 to redirect the traffic to the TSi 450, and perform NAT (Network Address Translation) to spoof the address of the attacked server, thus making the architecture shown in FIG. 4 highly flexible.”); and 
an isolated mitigation server (Vasseur, Fig. 3B, server/controller 102); and 
the isolated mitigation server configured to process the web request to generate artificial web content that appears to be genuine web content provided by the web server based on a type of web page targeted by the web request, and present the artificial web content to the client in response to the web request (Vasseur, para. [0065] “the DoS attack management node may determine attack information relating to the attack traffic. The attack information may include, for example, a type of the DoS attack and an intended target of the DoS attack, in addition to an identity of the attacker, an identity of the RDE 410, an intensity of the DoS attack, and the like. The attack information may be provided to the DoS attack management node by the RDE 410.” And para. [0066] “the DoS attack management node may trigger an attack mimicking action based on the attack information mentioned above…the attack mimicking action mimics a behavior of the intended target of the DoS attack that would be expected by the one or more attacker nodes if the DoS attack were successful. The attack mimicking action may encompass any action in the network which mimics the action of an attacked network resource, such that the attacker believes that the DoS attack was successful.”),
and when the web request is identified as malicious, prevent the web request from reaching the web server and instead redirect the web request to the isolated mitigation server configured to mimic responses of the web server (Vasseur, para. [0055] “The policy engine may instruct RDEi 410 to redirect the traffic to the TSi 450, and perform NAT (Network Address Translation) to spoof the address of the attacked server, thus making the architecture shown in FIG. 4 highly flexible. In one embodiment, the TSi 450 may purposely mimic the behavior expected from the attack (and potentially running out of resources). Such a behavior is particularly useful for unknown attacks since it may not be possible for the policy engine to indicate how TSi 450 should mimic the attack. Instead, TSi 450 may simply replicate the effect of the attack with no consequence on the actual server, which was originally the target of the attack. In yet another embodiment, if the policy server knows the effect of the identified attack Si, it may indicate to TSi 450 exactly how to mimic the effect of the attack. In either case, the TSi 450 allows for replicating the effect of the attack without any consequence on the actual server, resulting with the attacker not being capable of telling that the attack was detected.”).



the redirection system configured to intercept a web request from a client directed to a web server providing the web service (Baradaran, para. [0137] “the appliance 200 provides application firewall functionality 290 for communications between the client 102 and server 106…the appliance inspects the content of intercepted requests to identify and block application-based attacks.”);
identify whether or not the web request is malicious (Baradaran, para. [0137] “the policy engine 236 provides rules for detecting and blocking illegitimate requests…the application firewall 290 protects against denial of service (DoS) attacks…the appliance inspects the content of intercepted requests to identify and block application-based attacks.”); 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Baradaran’s framework for explaining anomalies in accessing web applications into Vasseur’s stealth mitigation with a motivation to improve network security using misuse detection techniques (Baradaran, para. [0002]).

The combination of Vasseur and Baradaran teaches all the limitations of claim 8 above, however fails to explicitly teach, but Gantman teaches:
process the web request to generate artificial web content that appears to be genuine web content provided by the web server based on a type of web page targeted by the web request (Gantman, para. [0052] “FIG. 2 is a diagram illustrating an exemplary network environment in which one or more features to inhibit cross-site request forging attacks may be implemented. A network 202 (e.g., data or communication network, packet-switched network, internet, wireless network, a plurality of networks, etc.) may serve to facilitate communications between multiple devices (e.g., web servers, user computers, etc.). Here, a plurality of web servers 204a, 204b, and/or 204c may provide content to one or more client devices 206a, 206b, and/or 206c (e.g., user laptops/computers, tablets, mobile phones, etc.). For instance, a browser operating at the first client device 206a may request a website content from a first web server A 204a. In response, the first server A 204a sends the requested website content to the first client device 206a where the browser displays such content to a user. Additionally, the browser may also execute instructions/commands received as part of the website content, such as linked content from a second web server B 204b. As previously noted, the second web server 204b may send content (e.g., commands, instructions, etc.) that causes the client browser to perform operations unintended by the first client device 206a. Such unintended operations may include, for example, externally-triggered requests (i.e., cross-site requests). For instance, the content from the second web server 204b may trigger or request a password change for a user of the first client device 206a at the first web server A 204a. 
However, by using different cookies for requests initiated at the client device (e.g., user triggered/initiated/originated requests) versus requests initiated elsewhere (e.g., externally triggered/initiated/originated requests, request initiated by second web server B 204b), these different requests may be distinguished by the first web server A 204a. Depending on the type of request (e.g., a change password request versus a content delivery request), the first web server A 204a may deny requests that seek a change in, for example, session or account information not accompanied by a cookie that indicates that such request was locally-triggered at the client device 206a (e.g., user-initiated or same-origin initiated) rather than externally-triggered by a different web server 204b or 204c.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Gantman’s prevention of cross-site request forgery attacks into Baradaran’s framework for explaining anomalies in accessing web (Gantman, para. [0008]).

As per claim 20, Vasseur teaches one or more computer-readable storage media to facilitate prevention of malicious attacks on a web service, comprising: first program instructions stored on the one or more computer-readable storage media that, when executed by a computing system, direct the computing system to at least: second program instructions stored on the one or more computer-readable storage media that, when executed by the isolated mitigation server, direct the isolated mitigation server (Vasseur, para. [0029] “The memory 240 comprises a plurality of storage locations that are addressable by the processor 220 and the network interfaces 210 for storing software programs and data structures…The processor 220 may comprise hardware elements or hardware logic adapted to execute the software programs and manipulate the data structures 245. These software processes and/or services may comprise routing process/services 244, an attack mimicking process 247, and/or an attack detection process 248”) to at least: 
present the artificial content to the client in response to the web request (Vasseur, para. [0065] “the DoS attack management node may determine attack information relating to the attack traffic. The attack information may include, for example, a type of the DoS attack and an intended target of the DoS attack, in addition to an identity of the attacker, an identity of the RDE 410, an intensity of the DoS attack, and the like. The attack information may be provided to the DoS attack management node by the RDE 410.” And para. [0066] “the DoS attack management node may trigger an attack mimicking action based on the attack information mentioned above…the attack mimicking action mimics a behavior of the intended target of the DoS attack that would be expected by the one or more attacker nodes if the DoS attack were successful. The attack mimicking action may encompass any action in the network which mimics the action of an attacked network resource, such that the attacker believes that the DoS attack was successful.”).

when the web request is identified as malicious, prevent the web request from reaching the web server and instead redirect the web request to an isolated mitigation server configured to mimic responses of the web server (Vasseur, para. [0055] “The policy engine may instruct RDEi 410 to redirect the traffic to the TSi 450, and perform NAT (Network Address Translation) to spoof the address of the attacked server, thus making the architecture shown in FIG. 4 highly flexible. In one embodiment, the TSi 450 may purposely mimic the behavior expected from the attack (and potentially running out of resources). Such a behavior is particularly useful for unknown attacks since it may not be possible for the policy engine to indicate how TSi 450 should mimic the attack. Instead, TSi 450 may simply replicate the effect of the attack with no consequence on the actual server, which was originally the target of the attack. In yet another embodiment, if the policy server knows the effect of the identified attack Si, it may indicate to TSi 450 exactly how to mimic the effect of the attack. In either case, the TSi 450 allows for replicating the effect of the attack without any consequence on the actual server, resulting with the attacker not being capable of telling that the attack was detected.”).

Vasseur teaches all the limitations of claim 20 above, however fails to explicitly teach, but Baradaran teaches:
intercept a web request from a client directed to a web server providing the web service (Baradaran, para. [0137] “the appliance 200 provides application firewall functionality 290 for communications between the client 102 and server 106…the appliance inspects the content of intercepted requests to identify and block application-based attacks.”); 
(Baradaran, para. [0137] “the policy engine 236 provides rules for detecting and blocking illegitimate requests…the application firewall 290 protects against denial of service (DoS) attacks…the appliance inspects the content of intercepted requests to identify and block application-based attacks.”); 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Baradaran’s framework for explaining anomalies in accessing web applications into Vasseur’s stealth mitigation with a motivation to improve network security using misuse detection techniques (Baradaran, para. [0002]).
The combination of Vasseur and Baradaran teaches all the limitations of claim 20 above, however fails to explicitly teach, but Gantman teaches:
process the web request to generate artificial web content that appears to be genuine web content provided by the web server based on a type of web page targeted by the web request (Gantman, para. [0052] “FIG. 2 is a diagram illustrating an exemplary network environment in which one or more features to inhibit cross-site request forging attacks may be implemented. A network 202 (e.g., data or communication network, packet-switched network, internet, wireless network, a plurality of networks, etc.) may serve to facilitate communications between multiple devices (e.g., web servers, user computers, etc.). Here, a plurality of web servers 204a, 204b, and/or 204c may provide content to one or more client devices 206a, 206b, and/or 206c (e.g., user laptops/computers, tablets, mobile phones, etc.). For instance, a browser operating at the first client device 206a may request a website content from a first web server A 204a. In response, the first server A 204a sends the requested website content to the first client device 206a where the browser displays such content to a user. Additionally, the browser may also execute instructions/commands received as part of the website content, such as linked content from a second web server B 204b. As previously noted, the second web server 204b may send content (e.g., commands, instructions, etc.) that causes the client browser to perform operations unintended by the first client device 206a. Such unintended operations may include, for example, externally-triggered requests (i.e., cross-site requests). For instance, the content from the second web server 204b may trigger or request a password change for a user of the first client device 206a at the first web server A 204a. 
However, by using different cookies for requests initiated at the client device (e.g., user triggered/initiated/originated requests) versus requests initiated elsewhere (e.g., externally triggered/initiated/originated requests, request initiated by second web server B 204b), these different requests may be distinguished by the first web server A 204a. Depending on the type of request (e.g., a change password request versus a content delivery request), the first web server A 204a may deny requests that seek a change in, for example, session or account information not accompanied by a cookie that indicates that such request was locally-triggered at the client device 206a (e.g., user-initiated or same-origin initiated) rather than externally-triggered by a different web server 204b or 204c.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Gantman’s prevention of cross-site request forgery attacks into Baradaran’s framework for explaining anomalies in accessing web applications and Vasseur’s stealth mitigation with a motivation to prevent malicious exploit of a website (Gantman, para. [0008]).

6.	Claims 2-4, 9-11 and 15-17 are rejected under 35 U.S.C. 103 as being unpatentable over Vasseur in view of Baradaran and Gantman, as disclosed above, and in further view of US Pub. No. US 2008/0282339 A1 to Nakae, (hereinafter, “Nakae”), as disclosed in 04/12/2018.

As per claim 2, the combination of Vasseur, Baradaran and Gantman teach the method of claim 1, however fail to explicitly teach, but Nakae teaches: wherein processing the web request to generate the artificial web content based on the type of web page targeted by the web request comprises processing the web request to generate the artificial web content that mimics the password reset page that would be served by the web server in response to the web request (Nakae, para. [0029] “at least one attack detecting system is provided in at least one of the internal network and the external network. The firewall device receives an attack detection alert from the at least one attack detecting system and transforms it to an alert including at least an attack-source IP address and an attack-target IP address.” And para. [0140] “It is furthermore assumed that the attack-source host 301 is infected with a worm having an automatic infection function to WWW services, wherein the worm is aiming at "1. 2. 3. x/24" corresponding to the internal network 4 as a next infection target and selects "1. 2. 3. 1" as the first infection target. In this case, a SYN packet (source IP address: 12. 34. 56. 78, destination IP address: 1. 2. 3. 1) is transmitted from the attack-source host 301 toward the internal network 4.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Nakae’s attack defending system and method into Gantman’s prevention of cross-site request forgery attacks, Baradaran’s framework for explaining anomalies in accessing web applications and Vasseur’s stealth mitigation with a motivation to allow effective defense against attacks from external networks (Nakae, para. [0018]).
wherein the type of web page targeted by the web request comprises a password reset page (Gantman, para. [0052] “FIG. 2 is a diagram illustrating an exemplary network environment in which one or more features to inhibit cross-site request forging attacks may be implemented. A network 202 (e.g., data or communication network, packet-switched network, internet, wireless network, a plurality of networks, etc.) may serve to facilitate communications between multiple devices (e.g., web servers, user computers, etc.). Here, a plurality of web servers 204a, 204b, and/or 204c may provide content to one or more client devices 206a, 206b, and/or 206c (e.g., user laptops/computers, tablets, mobile phones, etc.). For instance, a browser operating at the first client device 206a may request a website content from a first web server A 204a. In response, the first server A 204a sends the requested website content to the first client device 206a where the browser displays such content to a user. Additionally, the browser may also execute instructions/commands received as part of the website content, such as linked content from a second web server B 204b. As previously noted, the second web server 204b may send content (e.g., commands, instructions, etc.) that causes the client browser to perform operations unintended by the first client device 206a. Such unintended operations may include, for example, externally-triggered requests (i.e., cross-site requests). For instance, the content from the second web server 204b may trigger or request a password change for a user of the first client device 206a at the first web server A 204a. However, by using different cookies for requests initiated at the client device (e.g., user triggered/initiated/originated requests) versus requests initiated elsewhere (e.g., externally triggered/initiated/originated requests, request initiated by second web server B 204b), these different requests may be distinguished by the first web server A 204a. 
Depending on the type of request (e.g., a change password request versus a content delivery request), the first web server A 204a may deny requests that seek a change in, for example, session or account information not accompanied by a cookie that indicates that such request was locally-triggered at the client device 206a (e.g., user-initiated or same-origin initiated) rather than externally-triggered by a different web server 204b or 204c.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Gantman’s prevention of cross-site request forgery attacks into Nakae’s attack defending system, Baradaran’s framework for explaining (Gantman, para. [0008]).
As per claim 3, the combination of Vasseur, Baradaran and Gantman teach the method of claim 1, however fail to explicitly teach, but Nakae teaches: wherein processing the web request to generate the artificial web content comprises generating the artificial web content based on an attack type associated with the web request (Nakae, para. [0113] “FIG. 6 shows an example of a defense rule script held in the defense rule determination section 107. Describing later in detail, the defense rule determination section 107 lists the defense rules for each attack type such as reconnaissance (RECON), INTRUSION, or DESTRUCTION and holds them in, for example, a file form. Each defense rule uses a description for designating a model of one access control rule in such a form that each rule is in a one-to-one correspondence to a predetermined attack category.” And para. [0128] “The type of an attack is determined under a classification, which is sufficient for deriving out a defending method against the attack.” And para. [0134] “defense rule scripts as shown in FIG. 6 are set in advance for each attack type. In each defense rule scrip, a combination of an attack type and a model of an access control rule to be updated is described according to the form as shown in FIG. 6. A variable to which information described in an alert is assigned can be described in a model of an access control rule.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Nakae’s attack defending system and method into Baradaran’s framework for explaining anomalies in accessing web applications and Vasseur’s stealth mitigation with a motivation to allow effective defense against attacks from external networks (Nakae, para. [0018]).
As per claim 4, the combination of Vasseur, Baradaran, Gantman and Nakae teach the method of claim 3, wherein the attack type associated with the web request comprises a credential attack, and (Nakae, para. [0124] “After receiving the IP packet, the decoy unit 2 provides one or more arbitrary service(s), for example, WWW and Telnet. However, in the present embodiment, it is enough that at least the communication protocol is appropriately processed. There is no need of providing services such as accessing file systems and database processing as provided in actual services. For example, in the case of Telnet service, it may be designed to permit log-in for all of arbitrary inputs to Login/Password prompt and start up a counterfeit shell that responds to the user with a counterfeit response.”).

As per claim 9, the combination of Vasseur, Baradaran and Gantman teach the network security system of claim 8, however fail to explicitly teach, but Nakae teaches: wherein processing the web request to generate the artificial web content based on the type of web page targeted by the web request comprises processing the web request to generate the artificial web content that mimics the password reset page that would be served by the web server in response to the web request (Nakae, para. [0029] “at least one attack detecting system is provided in at least one of the internal network and the external network. The firewall device receives an attack detection alert from the at least one attack detecting system and transforms it to an alert including at least an attack-source IP address and an attack-target IP address.” And para. [0140] “It is furthermore assumed that the attack-source host 301 is infected with a worm having an automatic infection function to WWW services, wherein the worm is aiming at "1. 2. 3. x/24" corresponding to the internal network 4 as a next infection target and selects "1. 2. 3. 1" as the first infection target. In this case, a SYN packet (source IP address: 12. 34. 56. 78, destination IP address: 1. 2. 3. 1) is transmitted from the attack-source host 301 toward the internal network 4.”).
(Nakae, para. [0018]). 
wherein the type of web page targeted by the web request comprises a password reset page (Gantman, para. [0052] “FIG. 2 is a diagram illustrating an exemplary network environment in which one or more features to inhibit cross-site request forging attacks may be implemented. A network 202 (e.g., data or communication network, packet-switched network, internet, wireless network, a plurality of networks, etc.) may serve to facilitate communications between multiple devices (e.g., web servers, user computers, etc.). Here, a plurality of web servers 204a, 204b, and/or 204c may provide content to one or more client devices 206a, 206b, and/or 206c (e.g., user laptops/computers, tablets, mobile phones, etc.). For instance, a browser operating at the first client device 206a may request a website content from a first web server A 204a. In response, the first server A 204a sends the requested website content to the first client device 206a where the browser displays such content to a user. Additionally, the browser may also execute instructions/commands received as part of the website content, such as linked content from a second web server B 204b. As previously noted, the second web server 204b may send content (e.g., commands, instructions, etc.) that causes the client browser to perform operations unintended by the first client device 206a. Such unintended operations may include, for example, externally-triggered requests (i.e., cross-site requests). For instance, the content from the second web server 204b may trigger or request a password change for a user of the first client device 206a at the first web server A 204a. However, by using different cookies for requests initiated at the client device (e.g., user triggered/initiated/originated requests) versus requests initiated elsewhere (e.g., externally triggered/initiated/originated requests, request initiated by second web server B 204b), these different requests may be distinguished by the first web server A 204a. 
Depending on the type of request (e.g., a change password request versus a content delivery request), the first web server A 204a may deny requests that seek a change in, for example, session or account information not accompanied by a cookie that indicates that such request was locally-triggered at the client device 206a (e.g., user-initiated or same-origin initiated) rather than externally-triggered by a different web server 204b or 204c.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Gantman’s prevention of cross-site request forgery attacks into Nakae’s attack defending system, Baradaran’s framework for explaining anomalies in accessing web applications and Vasseur’s stealth mitigation with a motivation to prevent malicious exploit of a website (Gantman, para. [0008]).
As per claim 10, the combination of Vasseur, Baradaran and Gantman teach the network security system of claim 8, however fail to explicitly teach, but Nakae teaches: wherein the isolated mitigation server configured to process the web request to generate the artificial web content comprises the isolated mitigation server configured to generate the artificial web content based on an attack type associated with the web request (Nakae, para. [0113] “FIG. 6 shows an example of a defense rule script held in the defense rule determination section 107. Describing later in detail, the defense rule determination section 107 lists the defense rules for each attack type such as reconnaissance (RECON), INTRUSION, or DESTRUCTION and holds them in, for example, a file form. Each defense rule uses a description for designating a model of one access control rule in such a form that each rule is in a one-to-one correspondence to a predetermined attack category.” And para. [0128] “The type of an attack is determined under a classification, which is sufficient for deriving out a defending method against the attack.” And para. [0134] “defense rule scripts as shown in FIG. 6 are set in advance for each attack type. In each defense rule script, a combination of an attack type and a model of an access control rule to be updated is described according to the form as shown in FIG. 6. A variable to which information described in an alert is assigned can be described in a model of an access control rule.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Nakae’s attack defending system and method into Baradaran’s framework for explaining anomalies in accessing web applications and Vasseur’s stealth mitigation with a motivation to allow effective defense against attacks from external networks (Nakae, para. [0018]).
As per claim 11, the combination of Vasseur, Baradaran, Gantman and Nakae teach the network security system of claim 10 wherein the attack type associated with the web request comprises a credential attack, and wherein the isolated mitigation server configured to generate the artificial web content based on the attack type comprises the isolated mitigation server configured to generate a false successful login page (Nakae, para. [0124] “After receiving the IP packet, the decoy unit 2 provides one or more arbitrary service(s), for example, WWW and Telnet. However, in the present embodiment, it is enough that at least the communication protocol is appropriately processed. There is no need of providing services such as accessing file systems and database processing as provided in actual services. For example, in the case of Telnet service, it may be designed to permit log-in for all of arbitrary inputs to Login/Password prompt and start up a counterfeit shell that responds to the user with a counterfeit response.”).

As per claim 15, the combination of Vasseur, Baradaran and Gantman teach the apparatus of claim 14, however fail to explicitly teach, but Nakae teaches: wherein processing the web request to (Nakae, para. [0029] “at least one attack detecting system is provided in at least one of the internal network and the external network. The firewall device receives an attack detection alert from the at least one attack detecting system and transforms it to an alert including at least an attack-source IP address and an attack-target IP address.” And para. [0140] “It is furthermore assumed that the attack-source host 301 is infected with a worm having an automatic infection function to WWW services, wherein the worm is aiming at "1. 2. 3. x/24" corresponding to the internal network 4 as a next infection target and selects "1. 2. 3. 1" as the first infection target. In this case, a SYN packet (source IP address: 12. 34. 56. 78, destination IP address: 1. 2. 3. 1) is transmitted from the attack-source host 301 toward the internal network 4.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Nakae’s attack defending system and method into Gantman’s prevention of cross-site request forgery attacks, Baradaran’s framework for explaining anomalies in accessing web applications and Vasseur’s stealth mitigation with a motivation to allow effective defense against attacks from external networks (Nakae, para. [0018]).
wherein the type of web page targeted by the web request comprises a password reset page (Gantman, para. [0052] “FIG. 2 is a diagram illustrating an exemplary network environment in which one or more features to inhibit cross-site request forging attacks may be implemented. A network 202 (e.g., data or communication network, packet-switched network, internet, wireless network, a plurality of networks, etc.) may serve to facilitate communications between multiple devices (e.g., web servers, user computers, etc.). Here, a plurality of web servers 204a, 204b, and/or 204c may provide content to one or more client devices 206a, 206b, and/or 206c (e.g., user laptops/computers, tablets, mobile phones, etc.). For instance, a browser operating at the first client device 206a may request a website content from a first web server A 204a. In response, the first server A 204a sends the requested website content to the first client device 206a where the browser displays such content to a user. Additionally, the browser may also execute instructions/commands received as part of the website content, such as linked content from a second web server B 204b. As previously noted, the second web server 204b may send content (e.g., commands, instructions, etc.) that causes the client browser to perform operations unintended by the first client device 206a. Such unintended operations may include, for example, externally-triggered requests (i.e., cross-site requests). For instance, the content from the second web server 204b may trigger or request a password change for a user of the first client device 206a at the first web server A 204a. However, by using different cookies for requests initiated at the client device (e.g., user triggered/initiated/originated requests) versus requests initiated elsewhere (e.g., externally triggered/initiated/originated requests, request initiated by second web server B 204b), these different requests may be distinguished by the first web server A 204a. 
Depending on the type of request (e.g., a change password request versus a content delivery request), the first web server A 204a may deny requests that seek a change in, for example, session or account information not accompanied by a cookie that indicates that such request was locally-triggered at the client device 206a (e.g., user-initiated or same-origin initiated) rather than externally-triggered by a different web server 204b or 204c.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Gantman’s prevention of cross-site request forgery attacks into Nakae’s attack defending system, Baradaran’s framework for explaining anomalies in accessing web applications and Vasseur’s stealth mitigation with a motivation to prevent malicious exploit of a website (Gantman, para. [0008]).

As per claim 16, the combination of Vasseur, Baradaran and Gantman teach the apparatus of claim 14, however fail to explicitly teach, but Nakae teaches: wherein the isolated mitigation server is configured to process the web request to generate the artificial web content comprises the isolated mitigation server configured to generate the artificial web content based on an attack type associated with the web request (Nakae, para. [0113] “FIG. 6 shows an example of a defense rule script held in the defense rule determination section 107. Describing later in detail, the defense rule determination section 107 lists the defense rules for each attack type such as reconnaissance (RECON), INTRUSION, or DESTRUCTION and holds them in, for example, a file form. Each defense rule uses a description for designating a model of one access control rule in such a form that each rule is in a one-to-one correspondence to a predetermined attack category.” And para. [0128] “The type of an attack is determined under a classification, which is sufficient for deriving out a defending method against the attack.” And para. [0134] “defense rule scripts as shown in FIG. 6 are set in advance for each attack type. In each defense rule script, a combination of an attack type and a model of an access control rule to be updated is described according to the form as shown in FIG. 6. A variable to which information described in an alert is assigned can be described in a model of an access control rule.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Nakae’s attack defending system and method into Baradaran’s framework for explaining anomalies in accessing web applications and Vasseur’s stealth mitigation with a motivation to allow effective defense against attacks from external networks (Nakae, para. [0018]).
As per claim 17, the combination of Vasseur, Baradaran, Gantman and Nakae teach the apparatus of claim 16 wherein the attack type associated with the web request comprises a credential (Nakae, para. [0124] “After receiving the IP packet, the decoy unit 2 provides one or more arbitrary service(s), for example, WWW and Telnet. However, in the present embodiment, it is enough that at least the communication protocol is appropriately processed. There is no need of providing services such as accessing file systems and database processing as provided in actual services. For example, in the case of Telnet service, it may be designed to permit log-in for all of arbitrary inputs to Login/Password prompt and start up a counterfeit shell that responds to the user with a counterfeit response.”).

7.	Claims 5-6, 12-13 and 18-19 are rejected under 35 U.S.C. 103 as being unpatentable over Vasseur in view of Baradaran and Gantman, as disclosed above, and in further view of US Pub. No. US 2015/0326588 A1 to Vissamsetty, (hereinafter, “Vissamsetty”), as disclosed in 04/12/2018.

As per claim 5, the combination of Vasseur, Baradaran and Gantman teach the method of claim 1, however fail to explicitly teach, but Vissamsetty teaches: wherein processing the web request to generate the artificial web content comprises generating the artificial web content using a page template associated with the type of web page targeted by the web request (Vissamsetty, para. [0298] “The method 800 may further include generating and transmitting 814 credentials 724 referencing the BotSink 300 by the BotSink 300 to the client device 702. As noted above, the credentials may mimic the data contained in the credentials returned by the server system 704. These credentials transmitted 814 from the BotSink 300 may then be stored 816 by the client device 702 in the same cache as the credentials at step 808, i.e. place the credentials transmitted at step 814 in a place in a file system that corresponds to the storage location for credentials such as those received at step 808. Generating the credentials to transmit at step 814 may include retrieving a template for a credential having the fields and format for a given service and populating the template with data referencing the port, IP address, server name, version, and the like for the instance of that service implemented on the BotSink 300.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Vissamsetty’s system and method for directing malicious activity to a monitoring system into Baradaran’s framework for explaining anomalies in accessing web applications and Vasseur’s stealth mitigation with a motivation to base Bot detection not just on one or a few individual events like network behavior or signature but across multiple dimensions (Vissamsetty, para. [0132]).
As per claim 6, the combination of Vasseur, Baradaran and Gantman teach the method of claim 5, however fail to explicitly teach, but Vissamsetty teaches: wherein generating the artificial web content using the page template associated with the type of web page targeted by the web request comprises filling in values in the page template with false information to dynamically generate the artificial web content (Vissamsetty, para. [0298] “The method 800 may further include generating and transmitting 814 credentials 724 referencing the BotSink 300 by the BotSink 300 to the client device 702. As noted above, the credentials may mimic the data contained in the credentials returned by the server system 704. These credentials transmitted 814 from the BotSink 300 may then be stored 816 by the client device 702 in the same cache as the credentials at step 808, i.e. place the credentials transmitted at step 814 in a place in a file system that corresponds to the storage location for credentials such as those received at step 808. Generating the credentials to transmit at step 814 may include retrieving a template for a credential having the fields and format for a given service and populating the template with data referencing the port, IP address, server name, version, and the like for the instance of that service implemented on the BotSink 300.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Vissamsetty’s system and method for directing malicious activity to a monitoring system into Baradaran’s framework for explaining anomalies in accessing web applications and Vasseur’s stealth mitigation with a motivation to base Bot detection not just on one or a few individual events like network behavior or signature but across multiple dimensions (Vissamsetty, para. [0132]).
As per claim 12, the combination of Vasseur, Baradaran and Gantman teach the network security system of claim 8, however fail to explicitly teach, but Vissamsetty teaches: wherein the isolated mitigation server configured to process the web request to generate the artificial web content comprises the isolated mitigation server configured to generate the artificial web content using a page template associated with the type of web page targeted by the web request (Vissamsetty, para. [0298] “The method 800 may further include generating and transmitting 814 credentials 724 referencing the BotSink 300 by the BotSink 300 to the client device 702. As noted above, the credentials may mimic the data contained in the credentials returned by the server system 704. These credentials transmitted 814 from the BotSink 300 may then be stored 816 by the client device 702 in the same cache as the credentials at step 808, i.e. place the credentials transmitted at step 814 in a place in a file system that corresponds to the storage location for credentials such as those received at step 808. Generating the credentials to transmit at step 814 may include retrieving a template for a credential having the fields and format for a given service and populating the template with data referencing the port, IP address, server name, version, and the like for the instance of that service implemented on the BotSink 300.”).
(Vissamsetty, para. [0132]). 
As per claim 13, the combination of Vasseur, Baradaran and Gantman teach the network security system of claim 12, however fail to explicitly teach, but Vissamsetty teaches: wherein the isolated mitigation server configured to generate the artificial web content using the page template associated with the type of web page targeted by the web request comprises the isolated mitigation server configured to fill in values in the page template with false information to dynamically generate the artificial web content (Vissamsetty, para. [0298] “The method 800 may further include generating and transmitting 814 credentials 724 referencing the BotSink 300 by the BotSink 300 to the client device 702. As noted above, the credentials may mimic the data contained in the credentials returned by the server system 704. These credentials transmitted 814 from the BotSink 300 may then be stored 816 by the client device 702 in the same cache as the credentials at step 808, i.e. place the credentials transmitted at step 814 in a place in a file system that corresponds to the storage location for credentials such as those received at step 808. Generating the credentials to transmit at step 814 may include retrieving a template for a credential having the fields and format for a given service and populating the template with data referencing the port, IP address, server name, version, and the like for the instance of that service implemented on the BotSink 300.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Vissamsetty’s system and method for (Vissamsetty, para. [0132]).
As per claim 18, the combination of Vasseur, Baradaran and Gantman teach the apparatus of claim 14, however fail to explicitly teach, but Vissamsetty teaches: wherein the isolated mitigation server is configured to process the web request to generate the artificial web content comprises the isolated mitigation server configured to generate the artificial web content using a page template associated with the type of web page targeted by the web request (Vissamsetty, para. [0298] “The method 800 may further include generating and transmitting 814 credentials 724 referencing the BotSink 300 by the BotSink 300 to the client device 702. As noted above, the credentials may mimic the data contained in the credentials returned by the server system 704. These credentials transmitted 814 from the BotSink 300 may then be stored 816 by the client device 702 in the same cache as the credentials at step 808, i.e. place the credentials transmitted at step 814 in a place in a file system that corresponds to the storage location for credentials such as those received at step 808. Generating the credentials to transmit at step 814 may include retrieving a template for a credential having the fields and format for a given service and populating the template with data referencing the port, IP address, server name, version, and the like for the instance of that service implemented on the BotSink 300.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Vissamsetty’s system and method for directing malicious activity to a monitoring system into Baradaran’s framework for explaining anomalies in accessing web applications and Vasseur’s stealth mitigation with a motivation to base Bot detection (Vissamsetty, para. [0132]).
As per claim 19, the combination of Vasseur, Baradaran and Gantman teach the apparatus of claim 18, however fail to explicitly teach, but Vissamsetty teaches: wherein the isolated mitigation server configured to generate the artificial web content using the page template associated with the type of web page targeted by the web request comprises the isolated mitigation server configured to fill in values in the page template with false information to dynamically generate the artificial web content (Vissamsetty, para. [0298] “The method 800 may further include generating and transmitting 814 credentials 724 referencing the BotSink 300 by the BotSink 300 to the client device 702. As noted above, the credentials may mimic the data contained in the credentials returned by the server system 704. These credentials transmitted 814 from the BotSink 300 may then be stored 816 by the client device 702 in the same cache as the credentials at step 808, i.e. place the credentials transmitted at step 814 in a place in a file system that corresponds to the storage location for credentials such as those received at step 808. Generating the credentials to transmit at step 814 may include retrieving a template for a credential having the fields and format for a given service and populating the template with data referencing the port, IP address, server name, version, and the like for the instance of that service implemented on the BotSink 300.”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Vissamsetty’s system and method for directing malicious activity to a monitoring system into Baradaran’s framework for explaining anomalies in accessing web applications and Vasseur’s stealth mitigation with a motivation to base Bot detection not just on one or a few individual events like network behavior or signature but across multiple dimensions (Vissamsetty, para. [0132]).
Conclusion
8.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
US 20060147043 A1 - Method to support security policy maintenance and distribution.
US 9148424 B1 - Methods for IP-based intrusion detection.
	Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZOHA P TAFAGHODI whose telephone number is (571)272-5199.  The examiner can normally be reached on 9AM-5PM EST M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/ZOHA PIYADEHGHIBI TAFAGHODI/Examiner, Art Unit 2437       

/SAMSON B LEMMA/Primary Examiner, Art Unit 2498