DETAILED ACTION
Notice of AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant’s submission filed on 2021-03-04 has been entered.


Response to Amendment
The amendment filed 2021-03-04 has been entered and fully considered.

In light of applicant’s amendment, filed 2021-03-04, the 35 U.S.C. § 112(b) rejection has been withdrawn.

Applicant’s arguments, see pp. 13-16, filed 2021-03-04, with respect to the claim amendments overcoming the prior art cited in the rejection of claims 1-28 under 35 U.S.C. § 103 have been fully considered and are persuasive.


Information Disclosure Statement
The information disclosure statements (IDS) submitted on 2021-03-29 (2x) and 2021-07-16 are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statements are being considered by the examiner.


Examiner’s Amendment
An examiner’s amendment to the record appears below.  Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312.  To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in a telephone interview with John Branch (Reg. 41633) on 2021-07-06.

Please replace the Claims as follows:


monitoring network traffic associated with a plurality of entities in one or more networks;
classifying one or more anomalous events based on the monitored network traffic and one or more attack models, wherein the classification determines that one or more targets of the one or more anomalous events are currently subject to one or more attacks by one or more entities communicating on the one or more networks, and wherein one or more attack profiles are mapped to the one or more anomalous events; 
determining network environment information associated with the one or more anomalous events;
determining one or more response profiles based on the one or more attack profiles and additional information that includes the network environment information, authorized applications, authorized activities, and other previously determined response profiles;   
providing a honeypot trap in the one or more networks based on the one or more classified events and the one or more response profiles, wherein the honeypot trap mimics one or more characteristics of the one or more targets;
monitoring one or more portions of the network traffic associated with the honeypot trap;
providing one or more other honeypot traps based on the monitored network traffic; 
deploying the one or more other honeypot traps based on the monitored network traffic;
correlating one or more metrics associated with the honeypot trap and one or more metrics associated with the one or more other honeypot traps;
determining one or more characteristics of the one or more attacks based on the monitored one or more portions of network traffic, wherein the honeypot trap is separate and isolated from the one or more network computers; 
modifying the honeypot trap based on the network environment information; and
generating one or more reports that include information based on the one or more characteristics of the one or more attacks. 

2. (Currently Amended) The method of Claim 1, wherein providing the honeypot trap further comprises:


deploying the further modified honeypot trap based on the network environment information.

3. (Currently Amended) The method of Claim 1, further comprising:



including the one or more correlated metrics in the one or more reports.

4. (Original) The method of Claim 1, wherein determining the one or more targets of the one or more anomalous events, further comprises:
determining one or more of one or more target network addresses, one or more target applications, one or more target users, one or more target user roles, one or more target assets, one or more target data stores, or one or more target file systems.

5. (Original) The method of Claim 1, further comprising: 
generating false information based on one or more characteristics of the one or more targets, wherein the false information includes one or more of, email addresses, location 
deploying the false information on the honeypot trap.

6. (Original) The method of Claim 1, further comprising:
predicting one or more subsequent anomalous events based on the one or more anomalous events based on the one or more attack models; 
providing one or more secondary honeypot traps that are associated with the honeypot trap based on the one or more predicted subsequent anomalous events; and
monitoring one or more portions of the network traffic that are associated with the one or more secondary honeypot traps.

7. (Original) The method of Claim 1, wherein monitoring the one or more portions of the network traffic associated with the honeypot trap, further comprises:
determining a number of the one or more attacks that are attracted to one or more honeypot trap; and
scoring the one or more honeypot traps based on the number of attracted attacks, wherein each honeypot trap is scored higher than the one or more honeypot traps that attract fewer attackers, and wherein each honeypot trap is scored lower than the one or more honeypot traps that attract more attackers. 

8. (Currently Amended) A processor readable non-transitory storage media that includes instructions for monitoring network traffic using one or more network monitoring computers, wherein execution of the instructions by the one or more networking monitoring computers perform the method comprising:
monitoring network traffic associated with a plurality of entities in one or more networks;

determining network environment information associated with the one or more anomalous events;
determining one or more response profiles based on the one or more attack profiles and additional information that includes the network environment information, authorized applications, authorized activities, and other previously determined response profiles;   
providing a honeypot trap in the one or more networks based on the one or more classified events and the one or more response profiles, wherein the honeypot trap mimics one or more characteristics of the one or more targets;
monitoring one or more portions of the network traffic associated with the honeypot trap;
providing one or more other honeypot traps based on the monitored network traffic; 
deploying the one or more other honeypot traps based on the monitored network traffic;
correlating one or more metrics associated with the honeypot trap and one or more metrics associated with the one or more other honeypot traps;
determining one or more characteristics of the one or more attacks based on the monitored one or more portions of network traffic, wherein the honeypot trap is separate and isolated from the one or more network computers; 
modifying the honeypot trap based on the network environment information; and
generating one or more reports that include information based on the one or more characteristics of the one or more attacks. 




deploying the further modified honeypot trap based on the network environment information.

10. (Currently Amended) The media of Claim 8, further comprising:



including the one or more correlated metrics in the one or more reports.

11. (Original) The media of Claim 8, wherein determining the one or more targets of the one or more anomalous events, further comprises:
determining one or more of one or more target network addresses, one or more target applications, one or more target users, one or more target user roles, one or more target assets, one or more target data stores, or one or more target file systems.

12. (Original) The media of Claim 8, further comprising: 
generating false information based on one or more characteristics of the one or more targets, wherein the false information includes one or more of, email addresses, location names, street addresses, telephone numbers, payroll information, product descriptions, network address information, or hostname information, that are based on an organization that is a target of the one or more anomalous events; and
deploying the false information on the honeypot trap.

13. (Original) The media of Claim 8, further comprising:
predicting one or more subsequent anomalous events based on the one or more anomalous events based on the one or more attack models; 
providing one or more secondary honeypot traps that are associated with the honeypot trap based on the one or more predicted subsequent anomalous events; and
monitoring one or more portions of the network traffic that are associated with the one or more secondary honeypot traps.

14. (Original) The media of Claim 8, wherein monitoring the one or more portions of the network traffic associated with the honeypot trap, further comprises:
determining a number of the one or more attacks that are attracted to one or more honeypot trap; and
scoring the one or more honeypot traps based on the number of attracted attacks, wherein each honeypot trap is scored higher than the one or more honeypot traps that attract fewer attackers, and wherein each honeypot trap is scored lower than the one or more honeypot traps that attract more attackers. 

15. (Currently Amended) A system for monitoring network traffic in a network:
one or more network monitoring computers (NMCs), comprising:
a memory that stores at least instructions; and
one or more processors that execute instructions that perform actions, including:
monitoring network traffic associated with a plurality of entities in one or more networks;
classifying one or more anomalous events based on the monitored network traffic and one or more attack models, wherein the classification determines that one or more targets of the one or more anomalous events are currently subject to one or more attacks by one or more entities communicating on the one or more networks, and wherein one or more attack profiles are mapped to the one or more anomalous events; 
determining network environment information associated with the one or more anomalous events;
determining one or more response profiles based on the one or more attack profiles and additional information that includes the network environment information, authorized applications, authorized activities, and other previously determined response profiles;   
providing a honeypot trap in the one or more networks based on the one or more classified events and the one or more response profiles, wherein the honeypot trap mimics one or more characteristics of the one or more targets;
monitoring one or more portions of the network traffic associated with the honeypot trap;
providing one or more other honeypot traps based on the monitored network traffic; 
deploying the one or more other honeypot traps based on the monitored network traffic;
correlating one or more metrics associated with the honeypot trap and one or more metrics associated with the one or more other honeypot traps;
determining one or more characteristics of the one or more attacks based on the monitored one or more portions of network traffic, wherein the honeypot trap is separate and isolated from the one or more network computers; 
modifying the honeypot trap based on the network environment information; and
generating one or more reports that include information based on the one or more characteristics of the one or more attacks; and
one or more client computers, comprising:
a memory that stores at least instructions; and
one or more processors that execute instructions that perform actions, including:


16. (Currently Amended) The system of Claim 15, wherein providing the honeypot trap further comprises:


deploying the further modified honeypot trap based on the network information.

17. (Currently Amended) The system of Claim 15, wherein the one or more NMC processors execute instructions that perform actions, further comprising:



including the one or more correlated metrics in the one or more reports.

18. (Original) The system of Claim 15, wherein determining the one or more targets of the one or more anomalous events, further comprises:
determining one or more of one or more target network addresses, one or more target applications, one or more target users, one or more target user roles, one or more target assets, one or more target data stores, or one or more target file systems.

19. (Original) The system of Claim 15, wherein the one or more NMC processors execute instructions that perform actions, further comprising: 
generating false information based on one or more characteristics of the one or more targets, wherein the false information includes one or more of, email addresses, location 
deploying the false information on the honeypot trap.

20. (Original) The system of Claim 15, wherein the one or more NMC processors execute instructions that perform actions, further comprising:
predicting one or more subsequent anomalous events based on the one or more anomalous events based on the one or more attack models; 
providing one or more secondary honeypot traps that are associated with the honeypot trap based on the one or more predicted subsequent anomalous events; and
monitoring one or more portions of the network traffic that are associated with the one or more secondary honeypot traps.

21. (Original) The system of Claim 15, wherein monitoring the one or more portions of the network traffic associated with the honeypot trap, further comprises:
determining a number of the one or more attacks that are attracted to one or more honeypot trap; and
scoring the one or more honeypot traps based on the number of attracted attacks, wherein each honeypot trap is scored higher than the one or more honeypot traps that attract fewer attackers, and wherein each honeypot trap is scored lower than the one or more honeypot traps that attract more attackers. 

22. (Currently Amended) A network monitoring computer (NMC) for monitoring network traffic between one or more computers, comprising:
a memory that stores at least instructions; and
one or more processors that execute instructions that perform actions, including:
monitoring network traffic associated with a plurality of entities in one or more networks;

determining network environment information associated with the one or more anomalous events; 
determining one or more response profiles based on the one or more attack profiles and additional information that includes the network environment information, authorized applications, authorized activities, and other previously determined response profiles;   
providing a honeypot trap in the one or more networks based on the one or more classified events and the one or more response profiles, wherein the honeypot trap mimics one or more characteristics of the one or more targets; 
monitoring one or more portions of the network traffic associated with the honeypot trap;
providing one or more other honeypot traps based on the monitored network traffic; 
deploying the one or more other honeypot traps based on the monitored network traffic;
correlating one or more metrics associated with the honeypot trap and one or more metrics associated with the one or more other honeypot traps;
determining one or more characteristics of the one or more attacks based on the monitored one or more portions of network traffic, wherein the honeypot trap is separate and isolated from the one or more network computers; 
modifying the honeypot trap based on the network environment information; and


23. (Currently Amended) The NMC of Claim 22, wherein providing the honeypot trap further 


deploying the further modified honeypot trap based on the network environment information.  

24. (Currently Amended) The NMC of Claim 22, wherein the one or more processors execute instructions that perform actions, further comprising:



including the one or more correlated metrics in the one or more reports.

25. (Original) The NMC of Claim 22, wherein determining the one or more targets of the one or more anomalous events, further comprises:
determining one or more of one or more target network addresses, one or more target applications, one or more target users, one or more target user roles, one or more target assets, one or more target data stores, or one or more target file systems.

26. (Original) The NMC of Claim 22, wherein the one or more processors execute instructions that perform actions, further comprising: 

deploying the false information on the honeypot trap.

27. (Original) The NMC of Claim 22, wherein the one or more processors execute instructions that perform actions, further comprising:
predicting one or more subsequent anomalous events based on the one or more anomalous events based on the one or more attack models; 
providing one or more secondary honeypot traps that are associated with the honeypot trap based on the one or more predicted subsequent anomalous events; and
monitoring one or more portions of the network traffic that are associated with the one or more secondary honeypot traps.

28. (Original) The NMC of Claim 22, wherein monitoring the one or more portions of the network traffic associated with the honeypot trap, further comprises:
determining a number of the one or more attacks that are attracted to one or more honeypot trap; and
scoring the one or more honeypot traps based on the number of attracted attacks, wherein each honeypot trap is scored higher than the one or more honeypot traps that attract fewer attackers, and wherein each honeypot trap is scored lower than the one or more honeypot traps that attract more attackers.
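Added example, not from the application or this Office action: a toy Python model of the workflow recited in claims 1 and 7 (attack-model classification of an anomalous event, response-profile selection, a honeypot that mimics the target but sits on an isolated segment, metric correlation across traps, and scoring of traps by the attackers they attract). All attack models, hosts, thresholds and trap traffic are constructed.

```python
"""Toy model of the NMC workflow in claims 1 and 7: classify anomalous events
with attack models, choose a response profile, deploy an isolated honeypot that
mimics the target, correlate metrics across traps and score them by the
attackers they attract. All models, hosts and events are constructed."""
from dataclasses import dataclass

# Constructed attack models: thresholds that map an anomalous event to a profile.
ATTACK_MODELS = {
    "ssh_bruteforce": {"port": 22, "metric": "failed_logins", "threshold": 20},
    "smb_scan": {"port": 445, "metric": "distinct_hosts", "threshold": 10},
}
# Constructed network environment information for the monitored assets.
ENVIRONMENT = {
    "bastion-01": {"os": "Linux", "services": {22: "OpenSSH"}, "vlan": 20},
    "fileserver-01": {"os": "Windows Server", "services": {445: "SMB"}, "vlan": 10},
}
# Constructed response profiles; every trap lands on an isolated deception VLAN.
RESPONSE_PROFILES = {
    "ssh_bruteforce": {"decoy_accounts": 3, "isolated_vlan": 99},
    "smb_scan": {"decoy_shares": 2, "isolated_vlan": 99},
}

@dataclass
class AnomalousEvent:
    source: str            # entity communicating on the network
    target: str            # asset currently subject to the attack
    port: int
    failed_logins: int = 0
    distinct_hosts: int = 0

def classify(event):
    """Return the attack profile whose model the event satisfies, else None."""
    for name, m in ATTACK_MODELS.items():
        if event.port == m["port"] and getattr(event, m["metric"]) >= m["threshold"]:
            return name
    return None

def build_honeypot(event, profile):
    """Trap config that mimics the target's OS/service but is isolated from it."""
    env = ENVIRONMENT[event.target]
    # The trap must never share a segment with the real asset it imitates.
    assert RESPONSE_PROFILES[profile]["isolated_vlan"] != env["vlan"]
    return {"mimics": event.target, "os": env["os"], "port": event.port,
            "service": env["services"][event.port], "profile": profile,
            "vlan": RESPONSE_PROFILES[profile]["isolated_vlan"]}

def attackers_per_trap(trap_traffic):
    """trap_traffic: (trap_id, source) pairs observed on honeypot traffic."""
    seen = {}
    for trap, src in trap_traffic:
        seen.setdefault(trap, set()).add(src)
    return seen

def correlate(trap_traffic, primary):
    """Metric correlation: attackers the primary trap shares with each other trap."""
    seen = attackers_per_trap(trap_traffic)
    return {t: len(seen[primary] & s) for t, s in seen.items() if t != primary}

def score_honeypots(trap_traffic):
    """Claim 7 scoring: a trap scores above every trap that attracted fewer attackers."""
    counts = {t: len(s) for t, s in attackers_per_trap(trap_traffic).items()}
    return {t: sum(1 for c in counts.values() if c < n) for t, n in counts.items()}
```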


Allowable Subject Matter
Claims 1-28 are allowed.

The following is a statement of reasons for the indication of allowable subject matter:
In interpreting the currently amended claims, in light of the specification as well as the arguments presented in the responses to the Office actions, the Examiner finds the claimed invention to be patentably distinct from the prior art of record.  First, Applicant’s arguments with respect to the claim amendments traversing the prior art of record are persuasive.  In addition, based on an updated search and further consideration, the Examiner has been unable to locate prior art that would anticipate or render obvious the claimed invention as a whole.
For example, although “user information, flow profiles for the monitored network traffic, the network environment information, authorized applications, authorized activities, and other previously determined response profiles” are known identifying factors for determining response profiles to an attack, the prior art does not disclose “providing one or more other honeypot traps based on the monitored network traffic; deploying the one or more other honeypot traps based on the monitored network traffic; correlating one or more metrics associated with the honeypot trap and one or more metrics associated with the one or more other honeypot traps; … modifying the honeypot trap based on the network environment information” as required by the amended claims.  More specifically, although the individual features are known in the art, the Examiner finds that the particular arrangement within the context of the claimed invention as a whole is novel and non-obvious. 


Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”



Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool.  To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 571-272-3972.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov.  Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).  If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/Kevin Bechtel/
Primary Examiner, Art Unit 2491