DETAILED ACTION
This first non-final action is in response to applicants’ filing on 07/14/2020. Claims 1-20 are currently pending and have been considered as follows.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Drawings
The drawings filed on 07/14/2020 are accepted.
Information Disclosure Statement
The information disclosure statements (IDS) submitted on 07/14/2020 and 04/14/2021 have been placed in the application file, and the information referred therein has been considered as to the merits.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 3 and 19 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant regards as the invention.
Claim 3 recites the limitation “the historic database” in lines 2-3. There is insufficient antecedent basis for this limitation in the claim.
Claim 19 recites the limitation “the historic database” in line 4. There is insufficient antecedent basis for this limitation in the claim.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Parent Patent No. 10,764,755 B2
Claims 1-20 are non-provisionally rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over Claims 1-16 of parent U.S. Patent No. 10,764,755 B2 (common inventive entity and assignee).  Although the conflicting claims are not identical, they are not patentably distinct from each other because it is clear that all the elements of the instant application claims 1-20 are to be found in parent patent claims 1-16.  The difference between the application claims and the patent claims lies in the fact that the patent claims include more elements and are non-provisional obviousness-type double patenting because the conflicting claims have been patented.
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1, 6-9, and 14-17 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Gopalakrishna et al. (US 20170310705 A1, ID submitted 07/14/2020, hereinafter Gopalakrishna).
As to Claim 1:
Gopalakrishna discloses a system (e.g. Gopalakrishna “a network deception system can be implemented that dynamically escalates an engagement with a threat source. The network deception system can also dynamically configure deception mechanisms in response to network packets received from a perceived threat source” [0038]; [0039]; [0043]; network threat detection and analysis system [0046]; FIG. 1) 
a sensor (e.g. Gopalakrishna deception sensors installed in the site network [0046]; [0052]; [0069]) configured to
identify and flag a connection request from an unknown network to at least one access point of a secure local area network (SLAN) (e.g. Gopalakrishna site network is a local area network LAN [0050] including routers, wireless base stations [0051]; [0052]; sender initiates a connection attempt to the system [0293]; sender’s connection request is suspect [0294]; redirect communications with the sender to a high interaction deception [0295]; gateway connects network to another network [0072]; security device connects between gateway device and network’s router [0133]; “Once the security device 660 has detected an access to a security mechanism, the security device 660 may next attempt to confirm that an intrusion into the network 600 has taken place” [0143]; [0272]),
establish a pseudo-network and engage with the unknown network (e.g. Gopalakrishna configure an emulated network [0039]-[0043]; [0044]; network emulator can initiate interaction deception to respond to suspect network traffic [0242]; network emulator [0314]; deception mechanism engages the threat source [0328]; [0329]; [0335]) to establish an authenticated connection between the unknown network and the pseudo-network (e.g. Gopalakrishna “Access to an enterprise networks is typically restricted, and may require authorized users to enter a password or otherwise authenticate before using the network” [0087]; [0088]; [0302]; establish a network connection [0332])
interrogate the unknown network using an extracted query package to collect data and information regarding the unknown network and interactions between the unknown network and the pseudo-network (e.g. Gopalakrishna “may monitor activity in the emulated network 116, and look for attacks on the site network 104. For example, the network threat detection engine 140 may look for unexpected access to the emulated computing systems in the emulated network 116. The network threat detection engine 140 may also use information 114 extracted from the site network 104 to adjust the emulated network 116, in order to make the deceptions more attractive to an attack, and/or in response to network activity that appears to be an attack” [0060]), wherein the extracted query package comprises questions and answers from a query database (e.g. Gopalakrishna gather intelligence about the threat source, activity, software, firmware, hardware vulnerability, [0045]; [0061]; “activity captured in the emulated network 116 may be analyzed using a targeted threat analysis engine 160. The threat analysis engine 160 may examine data collected in the emulated network 116 and reconstruct the course of an attack. For example, the threat analysis engine 160 may correlate various events seen during the course of an apparent attack, including both malicious and innocuous events, and determine how an attacker infiltrated and caused harm in the emulated network” [0062]); and
a central console (e.g. Gopalakrishna deception center [0046]; “the homeowner may be provided with a software application that can be installed on a smartphone, tablet, desktop, and/or laptop computer. The software application may receive information from the security device 660 over a wired or wireless connection. Alternatively or additionally, the homeowner may be able to access information about his network through a web browser, where the security device 660 formats webpages for displaying the information. Alternatively or additionally, the security device 660 may itself have a touchscreen or a screen and key pad that provide information about the network 600 to the homeowner” [0147]; [0148]; [0174]) coupled to the sensor and configured to
identify at least one marker for classification of the unknown network (e.g. Gopalakrishna profile the site network, analyze the suspected threat [0057]; deception profiler [0058]) and extract the query package (e.g. Gopalakrishna “questionable emails, files, and/or links may be released into the emulated network 116 to confirm that they are malicious, and/or to see what effect they have. Outside actors can also be allowed to access emulated system, steal data and user credentials, download malware, and conduct any other malicious activity. In this way, the emulated network 116 not only isolated a suspected attack from the site network 104, but can also be used to capture information about an attack. Any activity caused by suspect network activity may be captured in, for example, a history of sent and received network packets, log files, and memory snapshots” [0061]; the low-interaction and high-interaction deception mechanisms may have pre-determined configurations [0312])
use the collected data and information to evaluate an operational security status of the unknown network (e.g. Gopalakrishna “A snapshot can include information such as data present on a network device, running processes, log files, logged in user accounts, contents of memory and/or disk, and so on, as of the time at which the snapshot was taken. Using a snapshot from an actual network device (or drawing from snapshots from multiple actual network devices) can make the high-interaction deception 1336 appear authentic and "lived in," meaning in active use” [0265]; “once a threat source is engaged with the high-interaction deception 1336, his activity can be closely monitored in order to learn his methods, motivation, and possibly also his identity. The high-interaction deception 1336 can be configured to log all of the threat source's activity” [0279]), and
transmit a result of the evaluation to the sensor (e.g. Gopalakrishna “once the network deception system determines that the sender 1544 is suspect, the network deception system can redirect communications with the sender 1544 to a high-interaction deception 1536” [0295]);
wherein, based on the result of the evaluation, the sensor enables or denies the connection request of the unknown network to the SLAN (e.g. Gopalakrishna when intrusion occurs, disconnecting the compromised devices [0146]; avoid letting the connection attempt to complete [0275]).
As to Claim 6:
Gopalakrishna discloses the system of claim 1, wherein the pseudo-network has a STA MAC address resembling a STA MAC address of a known secure local area (e.g. Gopalakrishna emulated network comprises interactive deception mechanisms which include Media Access Control (MAC) address [0003]; “the deception mechanisms can be assigned distinct and authentic-seeming MAC addresses, as well as legitimate IP addresses. When a low-interaction deception is initiated, in response to suspect network traffic, a MAC address and its associated IP address can be de-assigned from a super-low deception and can be reassigned to the low-interaction deception” [0042]).
As to Claim 7:
Gopalakrishna discloses the system of claim 6 wherein the sensor interrogates the unknown network by mimicking behavior of known platforms and random actions simulating a human person within the pseudo-network (e.g. Gopalakrishna “when the network owner removes a device from the network 600, the security device 660 may add a security mechanism that mimics the device that was removed. As another example, the security device may change the activity of a security mechanism, for example, to reflect changes in the normal activity of the home, changes in the weather, the time of year, the occurrence of special events, and so on” [0141]; [0234]; “Normal network activity can also include the non-business-related, casual activity of users of a network, such as accessing personal email and visiting websites on personal time, or using network resources for personal use” [0029]).
As to Claim 8:
Gopalakrishna discloses the system of claim 7, wherein the collected data and information comprise response characteristics of the unknown network including (e.g. Gopalakrishna “In an actual attack, there may be delays between the packets, either because a malicious system attempting to make a connection is watching for a particular response, or because the packets are being initiated by a human being” [0273]; “once a threat source is engaged with the high-interaction deception 1336, his activity can be closely monitored in order to learn his methods, motivation, and possibly also his identity. The high-interaction deception 1336 can be configured to log all of the threat source's activity” [0279]; [0284]-[0289]).
As to Claim 9:
Gopalakrishna discloses a method for assessing operational security of an unknown network requesting a connection to an access point of a secure local area network (SLAN): (e.g. Gopalakrishna “Provided are methods, network devices, and computer-program products for dynamically configuring a deception mechanism in response to network traffic from a possible network threat. In various implementations, a network deception system can receive a packet from a network. The network deception system can determine an intent associated with the packet by examining the contents of the packet. The network deception system can further configure a deception mechanism to respond to the intent, for example with the appropriate network communications, software or hardware configuration, and/or data” [Abstract])
identifying and flagging a connection request from the unknown network to the SLAN, wherein the unknown network comprises one or more devices (e.g. Gopalakrishna site network is a local area network LAN [0050] including routers, wireless base stations [0051]; [0052]; sender initiates a connection attempt to the system [0293]; sender’s connection request is suspect [0294]; redirect communications with the sender to a high interaction deception [0295]; gateway connects network to another network [0072]; security device connects between gateway device and network’s router [0133]; “Once the security device 660 has detected an access to a security mechanism, the security device 660 may next attempt to confirm that an intrusion into the network 600 has taken place” [0143]; [0272]);
collecting data and information regarding the unknown network (e.g. Gopalakrishna “may monitor activity in the emulated network 116, and look for attacks on the site network 104. For example, the network threat detection engine 140 may look for unexpected access to the emulated computing systems in the emulated network 116. The network threat detection engine 140 may also use information 114 extracted from the site network 104 to adjust the emulated network 116, in order to make the deceptions more attractive to an attack, and/or in response to network activity that appears to be an attack” [0060]);
identifying at least one marker for classification of the unknown network (e.g. Gopalakrishna profile the site network, analyze the suspected threat [0057]; deception profiler [0058])
extracting a query package for classification of the unknown network from a query database to evaluate an operational security status of the unknown network, the query package including queries and answers (e.g. Gopalakrishna “questionable emails, files, and/or links may be released into the emulated network 116 to confirm that they are malicious, and/or to see what effect they have. Outside actors can also be allowed to access emulated system, steal data and user credentials, download malware, and conduct any other malicious activity. In this way, the emulated network 116 not only isolated a suspected attack from the site network 104, but can also be used to capture information about an attack. Any activity caused by suspect network activity may be captured in, for example, a history of sent and received network packets, log files, and memory snapshots” [0061]; the low-interaction and high-interaction deception mechanisms may have pre-determined configurations [0312]);
establishing a pseudo-network to engage with the unknown network (e.g. Gopalakrishna configure an emulated network [0039]-[0043]; [0044]; network emulator can initiate interaction deception to respond to suspect network traffic [0242]; network emulator [0314]; deception mechanism engages the threat source [0328]; [0329]; [0335]);
establishing an authenticated connection between the pseudo-network and the unknown network (e.g. Gopalakrishna “Access to an enterprise networks is typically restricted, and may require authorized users to enter a password or otherwise authenticate before using the network” [0087]; [0088]; [0302]; establish a network connection [0332]);
collecting data and information regarding interactions between the unknown network and the pseudo-network (e.g. Gopalakrishna “may monitor activity in the emulated network 116, and look for attacks on the site network 104. For example, the network threat detection engine 140 may look for unexpected access to the emulated computing systems in the emulated network 116. The network threat detection engine 140 may also use information 114 extracted from the site network 104 to adjust the emulated network 116, in order to make the deceptions more attractive to an attack, and/or in response to network activity that appears to be an attack” [0060]);
evaluating the operational security status of the unknown network using the collected data and information regarding the unknown network and the collected data and information regarding the interactions between the unknown network and the pseudo-network (e.g. Gopalakrishna “A snapshot can include information such as data present on a network device, running processes, log files, logged in user accounts, contents of memory and/or disk, and so on, as of the time at which the snapshot was taken. Using a snapshot from an actual network device (or drawing from snapshots from multiple actual network devices) can make the high-interaction deception 1336 appear authentic and "lived in," meaning in active use” [0265]; “once a threat source is engaged with the high-interaction deception 1336, his activity can be closely monitored in order to learn his methods, motivation, and possibly also his identity. The high-interaction deception 1336 can be configured to log all of the threat source's activity” [0279]);
based on a result of the evaluation, enabling or denying the connection request of the unknown network to the SLAN (e.g. Gopalakrishna “once the network deception system determines that the sender 1544 is suspect, the network deception system can redirect communications with the sender 1544 to a high-interaction deception 1536” [0295]; when intrusion occurs, disconnecting the compromised devices [0146]; avoid letting the connection attempt to complete [0275]).
As to Claim 14:
Gopalakrishna discloses the method of claim 9, wherein the pseudo-network has a STA MAC address emulating a known secure network (e.g. Gopalakrishna emulated network comprises interactive deception mechanisms which include Media Access Control (MAC) address [0003]; “the deception mechanisms can be assigned distinct and authentic-seeming MAC addresses, as well as legitimate IP addresses. When a low-interaction deception is initiated, in response to suspect network traffic, a MAC address and its associated IP address can be de-assigned from a super-low deception and can be reassigned to the low-interaction deception” [0042]).
As to Claim 15:
Gopalakrishna discloses the method of claim 9, wherein the unknown network is interrogated by mimicking behavior of known platforms and random actions simulating a human behavior (e.g. Gopalakrishna “when the network owner removes a device from the network 600, the security device 660 may add a security mechanism that mimics the device that was removed. As another example, the security device may change the activity of a security mechanism, for example, to reflect changes in the normal activity of the home, changes in the weather, the time of year, the occurrence of special events, and so on” [0141]; [0234]; “Normal network activity can also include the non-business-related, casual activity of users of a network, such as accessing personal email and visiting websites on personal time, or using network resources for personal use” [0029]).
As to Claim 16:
Gopalakrishna discloses the method of claim 15, wherein the collected data and information comprise response characteristics of the unknown network that include behavior patterns relating to the interactions of the unknown network with the SLAN and the random actions simulating the human behavior (e.g. Gopalakrishna “In an actual attack, there may be delays between the packets, either because a malicious system attempting to make a connection is watching for a particular response, or because the packets are being initiated by a human being” [0273]; “once a threat source is engaged with the high-interaction deception 1336, his activity can be closely monitored in order to learn his methods, motivation, and possibly also his identity. The high-interaction deception 1336 can be configured to log all of the threat source's activity” [0279]; [0284]-[0289]).
As to Claim 17:
Gopalakrishna discloses a non-transitory computer-readable storage medium storing computer-executable instructions, the instructions when executed by a machine causing (e.g. Gopalakrishna “Provided are methods, network devices, and computer-program products for dynamically configuring a deception mechanism in response to network traffic from a possible network threat. In various implementations, a network deception system can receive a packet from a network. The network deception system can determine an intent associated with the packet by examining the contents of the packet. The network deception system can further configure a deception mechanism to respond to the intent, for example with the appropriate network communications, software or hardware configuration, and/or data” [Abstract]; “computer-readable medium may include a non-transitory medium in which data can be stored” [0340]), the process comprising:
identifying and flagging a connection request from an unknown network to at least one access point of a secured local area network (SLAN) to collect data and information regarding the unknown network (e.g. Gopalakrishna site network is a local area network LAN [0050] including routers, wireless base stations [0051]; [0052]; sender initiates a connection attempt to the system [0293]; sender’s connection request is suspect [0294]; redirect communications with the sender to a high interaction deception [0295]; gateway connects network to another network [0072]; security device connects between gateway device and network’s router [0133]; “Once the security device 660 has detected an access to a security mechanism, the security device 660 may next attempt to confirm that an intrusion into the network 600 has taken place” [0143]; [0272]; “may monitor activity in the emulated network 116, and look for attacks on the site network 104. For example, the network threat detection engine 140 may look for unexpected access to the emulated computing systems in the emulated network 116. The network threat detection engine 140 may also use information 114 extracted from the site network 104 to adjust the emulated network 116, in order to make the deceptions more attractive to an attack, and/or in response to network activity that appears to be an attack” [0060]);
identifying at least one marker for classification of the unknown network (e.g. Gopalakrishna profile the site network, analyze the suspected threat [0057]; deception profiler [0058]); 
extracting, from a query database, a query package for the classification of the unknown network, the query package including queries and answers for interrogating the unknown network (e.g. Gopalakrishna “questionable emails, files, and/or links may be released into the emulated network 116 to confirm that they are malicious, and/or to see what effect they have. Outside actors can also be allowed to access emulated system, steal data and user credentials, download malware, and conduct any other malicious activity. In this way, the emulated network 116 not only isolated a suspected attack from the site network 104, but can also be used to capture information about an attack. Any activity caused by suspect network activity may be captured in, for example, a history of sent and received network packets, log files, and memory snapshots” [0061]; the low-interaction and high-interaction deception mechanisms may have pre-determined configurations [0312]);
establishing a pseudo-network emulating a known secure network (e.g. Gopalakrishna configure an emulated network [0039]-[0043]; [0044]; network emulator can initiate interaction deception to respond to suspect network traffic [0242]; network emulator [0314]; deception mechanism engages the threat source [0328]; [0329]; [0335]) to establish an authenticated connection between the unknown network and the pseudo-network (e.g. Gopalakrishna “Access to an enterprise networks is typically restricted, and may require authorized users to enter a password or otherwise authenticate before using the network” [0087]; [0088]; [0302]; establish a network connection [0332]);
interrogating the unknown network using the query package (e.g. Gopalakrishna “questionable emails, files, and/or links may be released into the emulated network 116 to confirm that they are malicious, and/or to see what effect they have. Outside actors can also be allowed to access emulated system, steal data and user credentials, download malware, and conduct any other malicious activity. In this way, the emulated network 116 not only isolated a suspected attack from the site network 104, but can also be used to capture information about an attack. Any activity caused by suspect network activity may be captured in, for example, a history of sent and received network packets, log files, and memory snapshots” [0061]; the low-interaction and high-interaction deception mechanisms may have pre-determined configurations [0312]);
collecting data and information regarding an interaction of the unknown network with the pseudo-network (e.g. Gopalakrishna “may monitor activity in the emulated network 116, and look for attacks on the site network 104. For example, the network threat detection engine 140 may look for unexpected access to the emulated computing systems in the emulated network 116. The network threat detection engine 140 may also use information 114 extracted from the site network 104 to adjust the emulated network 116, in order to make the deceptions more attractive to an attack, and/or in response to network activity that appears to be an attack” [0060]);
using the collected data and information regarding the interaction of the unknown network with the pseudo-network including results of the interrogation to evaluate an operational security status of the unknown network (e.g. Gopalakrishna “A snapshot can include information such as data present on a network device, running processes, log files, logged in user accounts, contents of memory and/or disk, and so on, as of the time at which the snapshot was taken. Using a snapshot from an actual network device (or drawing from snapshots from multiple actual network devices) can make the high-interaction deception 1336 appear authentic and "lived in," meaning in active use” [0265]; “once a threat source is engaged with the high-interaction deception 1336, his activity can be closely monitored in order to learn his methods, motivation, and possibly also his identity. The high-interaction deception 1336 can be configured to log all of the threat source's activity” [0279]); and
transmitting a result of the evaluation of the operational security status of the unknown network to a sensor (e.g. Gopalakrishna “once the network deception system determines that the sender 1544 is suspect, the network deception system can redirect communications with the sender 1544 to a high-interaction deception 1536” [0295]);
wherein the sensor, based on the result of the evaluation, enables or denies the connection request of the unknown network to the at least one access point of the SLAN (e.g. Gopalakrishna when intrusion occurs, disconnecting the compromised devices [0146]; avoid letting the connection attempt to complete [0275]).
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly 
Claims 3 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Gopalakrishna in view of Sauder et al. (US 20160105802 A1, hereinafter Sauder).
As to Claim 3:
Gopalakrishna discloses the system of claim 1, but does not specifically disclose:
compare the identified at least one marker against a plurality of existing classifications stored in the historic database to determine whether the identified at least one marker falls within one of the plurality of existing classifications stored in the historic database, and when the identified at least one marker is not determined to fall within one of the plurality of existing classifications, generate a new classification based on the identified at least one marker and the collected data and information regarding the unknown network.
However, the analogous art Sauder does disclose compare the identified at least one marker against a plurality of existing classifications stored in the historic database to determine whether the identified at least one marker falls within one of the plurality of existing classifications stored in the historic database (e.g. Sauder signaling traffic from unknown network element is monitored to generate a profile which is then compared to a database of previous profiles and a statistical test [0037]; [0038]), and when the identified at least one marker is not determined to fall within one of the plurality of existing classifications (e.g. Sauder the unknown network function is not a good match for any known function [0040]), generate a new classification based (e.g. Sauder “detailed logs kept with the aim of sufficient information being recorded for manual analysis and potentially a new profile being defined” [0043]; [0040]).  Gopalakrishna and Sauder are analogous art because they are from the same field of endeavor in unknown network threat monitoring.
(e.g. see Sauder, “Once a suitably large `known` profile database has been created, the system can be turned into a monitoring mode. In this mode, all inbound and outbound SS7 traffic may be monitored and for each network function (based on SCCP Global Title), a profile may be generated. Referring to FIG. 3, there is shown a schematic example of profile monitoring (and/or management or enforcement). As will be explained below, the signalling traffic to and from the unknown network element is monitored to generate a profile which is then compared to a database of previous profiles and a statistical test (e.g. the Chi-Squared test) used to categorise the goodness of fit. Based on this categorisation, automatic or manual enforcement of a signalling policy can be imposed” [0037]; “Based on this categorisation, a decision can be made: [0040]; [0041] White list: Mark the function with the node type it matches with. No further action required. Potentially the new function can be used to update the database profile for the node type to account for changes (e.g. due to a software update). [0042] Black list: Mark the function with the node type it matches with. Possible further actions include: Allow traffic but log/alarm activity for manual intervention, or block all further traffic from the GT [0043] Grey list: The unknown function is  “Note that the two P-values between +1 and -1 used to separate white, grey and black lists may be for further study, based on live network testing. For new GTs, once a sufficient sample size of messages have been monitored, a profile for the `unknown` function can be created and this compared to the previously learnt `known` profiles” [0044]).
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art, having the teachings of Gopalakrishna and Sauder before him or her, to modify the disclosure of Gopalakrishna with the teachings of Sauder to include compare the identified at least one marker against a plurality of existing classifications stored in the historic database to determine whether the identified at least one marker falls within one of the plurality of existing classifications stored in the historic database, and when the identified at least one marker is not determined to fall within one of the plurality of existing classifications, generate a new classification based on the identified at least one marker and the collected data and information regarding the unknown network as claimed because Gopalakrishna provides a method and system for interaction with network threats by an emulated network with a deception system that analyzes threat source activity (Gopalakrishna [Abstract]-[0335]) which could be compared to a database of previous profiles which if not sufficiently matched therein could be used to define a new network profile (Sauder [0037]-[0044]).  The suggestion/motivation for doing so would have been to allow (Sauder [0049]; [0050]).  Therefore, it would have been obvious to combine Gopalakrishna and Sauder to obtain the invention as specified in the instant claim(s).
As to Claim 19:
Gopalakrishna discloses the non-transitory computer-readable storage medium of claim 17, but does not specifically disclose:
determining whether the identified at least one marker for classification of the unknown network falls within one of the plurality of existing classifications stored in the historic database by comparing the identified at least one marker against the plurality of existing classifications stored in the historic database.
However, the analogous art Sauder does disclose determining whether the identified at least one marker for classification of the unknown network falls within one of the plurality of existing classifications stored in the historic database by comparing the identified at least one marker against the plurality of existing classifications stored in the historic database (e.g. Sauder “By learning the signalling profiles of many known network nodes, it is possible to build a database of profiles which are related to MAP functions. The profile database may then be used as a point of comparison when an unknown network node commences signalling via the SS7 transit network. The comparison can be made by statistical treatment of the newly generated profile such as by performing a goodness-of-fit test (for instance, a Chi-Squared test) relative to those stored in the profile database” [0027]; signaling traffic from unknown network element is monitored to generate a profile which is then compared to a database of previous profiles and a statistical test [0037]; [0038]; the unknown network function is not a good match for any known function [0040]).  Gopalakrishna and Sauder are analogous art because they are from the same field of endeavor in unknown network threat monitoring.
(e.g. see Sauder, “Once a suitably large `known` profile database has been created, the system can be turned into a monitoring mode. In this mode, all inbound and outbound SS7 traffic may be monitored and for each network function (based on SCCP Global Title), a profile may be generated. Referring to FIG. 3, there is shown a schematic example of profile monitoring (and/or management or enforcement). As will be explained below, the signalling traffic to and from the unknown network element is monitored to generate a profile which is then compared to a database of previous profiles and a statistical test (e.g. the Chi-Squared test) used to categorise the goodness of fit. Based on this categorisation, automatic or manual enforcement of a signalling policy can be imposed” [0037]; “Based on this categorisation, a decision can be made: [0040]; [0041] White list: Mark the function with the node type it matches with. No further action required. Potentially the new function can be used to update the database profile for the node type to account for changes (e.g. due to a software update). [0042] Black list: Mark the function with the node type it matches with. Possible further actions include: Allow traffic but log/alarm activity for manual intervention, [0043] Grey list: The unknown function is not a good match for any known function. Further traffic from the GT should be allowed, but detailed logs kept with the aim of sufficient information being recorded for manual analysis and potentially a new profile being defined (either for white or black-listing)”; “Note that the two P-values between +1 and -1 used to separate white, grey and black lists may be for further study, based on live network testing. For new GTs, once a sufficient sample size of messages have been monitored, a profile for the `unknown` function can be created and this compared to the previously learnt `known` profiles” [0044]).
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art, having the teachings of Gopalakrishna and Sauder before him or her, to modify the disclosure of Gopalakrishna with the teachings of Sauder to include determining whether the identified at least one marker for classification of the unknown network falls within one of the plurality of existing classifications stored in the historic database by comparing the identified at least one marker against the plurality of existing classifications stored in the historic database as claimed because Gopalakrishna provides a method and system for interaction with network threats by an emulated network with a deception system that analyzes threat source activity (Gopalakrishna [Abstract]-[0335]) which could be compared to a database of previous profiles which if not sufficiently matched therein could be used to define a new network profile (Sauder [0037]-[0044]).  The suggestion/motivation for doing so would have been to allow comparison and confidence test relative to known external network nodes stored in a profile database to determine a categorisation and (Sauder [0049]; [0050]).  Therefore, it would have been obvious to combine Gopalakrishna and Sauder to obtain the invention as specified in the instant claim(s).
Allowable Subject Matter
Claims 2, 4, 5, 10-13, 18, and 20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims and subject to overcoming the non-statutory double patenting rejection.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicants’ disclosure.
Staniford et al. (US 20110247072 A1)
WHELAN et al. (US 20110314147 A1) 
SCHWARTZ et al. (US 20180124093 A1)
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Kenneth W Chang whose telephone number is (571)270-7530.  The examiner can normally be reached on Monday - Friday 9-5pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached on 571-272-3787.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/KENNETH W CHANG/ Primary Examiner, Art Unit 2438

09/09/2021