DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
	This office action is responsive to communication filed on 06/21/2021.

Claim Objections
The numbering of claims is not in accordance with 37 CFR 1.126 which requires the original numbering of the claims to be preserved throughout the prosecution.  When claims are canceled, the remaining claims must not be renumbered.  When new claims are presented, they must be numbered consecutively beginning with the number next following the highest numbered claims previously presented (whether entered or not).
Misnumbered claims 7 – 23 have been renumbered 6 - 22.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the 

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1 – 5, 6, 9, 11 – 13 are rejected under 35 U.S.C. 103 as being unpatentable over Ettema et al (US 2018/0124069; hereinafter Ettema) in view of Veteikis et al (US 2013/0347103; hereinafter Veteikis).
Regarding claim 1, Ettema discloses a method, comprising:
Identifying a target device (paras [0090], [0148]; Ettema discloses automatic mirroring and synchronization of the honey network configuration to reflect the target network environment is performed using the User-ID for user identification available from data appliance 102); 
receiving, at a compute device (para[0053]), a first set of messages sent to the target device (para [0062]; Ettema discloses that a target enterprise network 302 is scanned using scanning tool 304 to generate results of various scanning operations, which is p provided in an output result that is generally referred to as a network scan survey 306.);
receiving, at a compute device (para[0053]), a second set of messages sent from the target device (para [0063]; Ettema discloses that  cloud security service 310 includes a trigger table 312 and a translation engine 314. Trigger table 312 represents a set of data that indicates responses to a given scanning tool's probes that are expected to generate a particular result, such as responses that can be used by the scanning tool to identify a device type, an operating system type and version, and/or services provided by the device.);	
storing messages as historical data in a memory of the compute device (para (0082]; Ettema discloses that cloud security service 422 includes a device profile data store 440 (e g., device profile data can be stored in memory of a server or using an external data store);
emulating the target device, via a processor of the computing device, based on the historical data (clone, paras [0054], [0147]; Ettema discloses that FIG 10 is a flow diagram illustrating a process for synchronizing a honey network configuration to reflect a target network environment to implement a virtual clone of one or more target devices in accordance with some embodiments), the emulating including:
receiving, from a remote requestor, a signal encoding a request (para (0154]; Ettema discloses that the process begins at 1102 when an email is received and determined to be a malware email (e.g., at an inline data appliance that can perform a security analysis of the email to determine that content of the email or an attachment to the email is malware or suspicious).),
comparing at least a portion of the request to at least a subset of the historical data, to determine a response representative of a response from the target device (para [0155 - 0156], [0159]; Ettema discloses that  "At 1104, a destination email address is extracted. For example, a destination email address(es) can be extracted from an email header of the malware email (e g., using email header extractor 904) At 1106, a lookup operation is performed to determine a user ID(s) associated with the destination email address(es).), and
sending the response to the remote requestor (para [0066]; Ettema discloses that probe responses provided by the honey network emulation engine are generated and sent in order to fool the network scanning tool into determining that an emulated device). 
However, Ettema fails to disclose:
receiving, at a compute device, a copy of a first set of messages sent to the target device;	
receiving, at the compute device, a copy of a second set of messages sent from the target device;	storing the copy of the first set of messages and the copy of the second set of messages as historical data a memory of the compute device.
Veteikis, in an analogous art, discloses:
receiving messages at a compute device (para [0087] “Network testing system 16 may be connected to the test system 18 in any suitable manner, e.g. according to any suitable topology or arrangement in some embodiments or arrangements, network testing system 16 may be connected on both sides oí a system 18 to be tested, e.g., to simulate both clients and servers passing traffic through the test system In other embodiment or arrangements, network testing system 16 may be connected to any entry point to the test system 18. e.g., to act as a client to the test system 18. In some embodiment or arrangements, network testing system 16 may act in both of these modes simultaneously, para (0407) “At step 532, a packet (e.g., pan of a data stream from test network 18 is received at system 16 on a test interlace 101 and forwarded to capture/offload CLD 102A via a physical interface “);
storing messages as historical data m a memory of the compute device (para (0193) "CLO 102A may also provide a tail pointer that can be used to walk backward in the list of packets to find the first 
It would have been obvious to a person with ordinary skill in the art before the effective filing date of the invention to use to received traffic to and from the emulated device at the compute device in the method of Ettema and then store the received traffic in the memory of the said compute device since the traffic flow can be used to simulate or emulate the operations of the emulated device (para [0087], para [0276], Veteikis).
Regarding claim 2, Ettema discloses the method of claim 1, wherein the comparing includes comparing a byte distribution of the portion of the request to a byte distribution of the subset of historical data (para [0125]; Ettema discloses that these techniques can be used to determine which dient devices or other endpoints have been exposed to the malware (e.g., received the email) such that these devices can be remediated using various malware remediation techniques. As yet another example, these techniques can be used to examine other email header data, such as x-mailers and/or patterns in email address extensions used by, for example. APT attacker(s).).	
Regarding claim 3, Ettema discloses the method of claim 1, wherein the comparing includes:	
comparing an operational stage of the request to an operational stage of the at least a subset of the historical data (infected by that email, para [0124]; Ettema discloses that the intelligent detonation of the email malware sample in the virtual dient of the target client A can be monitored to detect, for example. C8C network traffic, which can be correlated to the malware sample As a result, once such C&C network traffic is correlated with that malware sample), and 
Ettema discloses that the email malware sample can then be detonated in the virtual done of Client A in the VM environment At this point, behavior, including network and/or other activities, can be monitored and logged using a honey network log 746.).
	Regarding claim 4, Ettema discloses the method of claim 1, wherein the emulating further includes:
detecting, based on the historical data, an operating system of the target device (para [0064]), and 
exhibiting at least one behavior associated with the operating system (para [0097] "For instance. if the device profile data indicates that the target device is a device executing Ramanathan Windows XP with Service Pack 3 (SP3), Ramanathan internet Explorer Version 7, and Adobe Acrobat Version 8, then an appropriate VM image from a VM library can be selected and/or a base VM image can be customized to instantiate and execute a VM instance with the same executing software environment. In addition, various other configurations and/or settings can also be configured in the VM image to emulate the current target device operating environment (e.g., logged on user, IP address, time since last reboot, default printer, configured ONS server, configured email server, etc.).").
Regarding claim 5, Ettema discloses the method of claim 1, wherein the emulating further includes:
detecting, based on the historical data, at least one device operably coupled to the target device (subset of devices, paras [0044], [0067]; Ettema discloses techniques described herein can be used to analyze malware (e g . a malware sample) and/or associated attacker activities in a honey network that can emulate, for example, a target device, such as a target host, in a target network environment that provides for more realistic interactions with a done of the target device and its relevant target network environment.), and 
exhibiting at least one behavior associated with being operably coupled to the at least one device (interactions, para (0044]; Ettema discloses that the devices are implemented as VM instances that can support high-level interactions to facilitate realistic interactions with an attacker and/or malware executed on such VM instances that clone an actual target device).
Regarding claim 6, Ettema discloses the method of daim 1, wherein the emulating further includes: 
detecting, based on the historical data, at least one service run by the target device (para [0064]), and 
exhibiting at least one behavior associated with running the service (para [0044]).
Regarding claim 8, Ettema discloses a method, comprising:
identifying a target device, based on an identifier of the target device (para [0090]);
emulating the target device, via a processor of the compute device, (clone, paras [0054], [0147]; Ettema discloses that FIG. 10 is a flow diagram illustrating a process for synchronizing a honey network configuration to reflect a target network environment to implement a virtual done of one or more target devices in accordance with some embodiments), based on the historical data (profile data, para [0147]; Ettema discloses that the process begins at 1002 when device profile data of a plurality of devices on a target network (e.g., the device profile data can be collected and reported using the various techniques disclosed herein, such as described above with respect to FIG. 4) is received), without communicating with the target device and without interacting with the target device during the emulating (standalone VM environment, para [0036]).

Veteikis, in an analogous art, discloses monitoring, at a compute device, network traffic (para [0087]; Veteikis discloses that Network testing system 16 may be connected to the test system 18 in any suitable manner, e g., according to any suitable topology or arrangement In some embodiments or arrangements, network testing system 16 may be connected on both sides of a system 18 to be tested, e.g., to simulate both clients and servers passing traffic through the test 11 system in other embodiment or arrangements, network testing system 16 may be connected to any entry point to the test system 18 e.g., to act as a client to the test system 18 in some embodiment or arrangements, network testing system 16 may act in both of these modes simultaneously para [0407] “At step 532, a packet (e.g., part of a data stream from test network 18 is received at system 16 on a test interlace 101 and forwarded to capture/offload CLD 102A via a physical interface.");
storing, based on the monitoring, network traffic data (para (0193) "CLD 102A may also provide a tail pointer that can be used to walk backward in the list of packets to find the first captured packet once the first captured packet is located, the control software 132 can read the capture memory 103A and generate a diagnostic file, called a PCAP (Packet CAPture) file, which can be sent to the user and/or stored in disk 109 This file may be downloaded and analyzed by a user using a third-party tool.. .).
It would have been obvious to a person with ordinary skill in the art before the effective filing date of the invention to use to received traffic to and from the emulated device at the compute device m the method of Palo Alto and then store the received traffic m the memory of the said compute device since the traffic flow can be used to simulate or emulate the operations of the emulated device (para [0087], para [0276), Veteikis).

Regarding claim 11, Ettema discloses the method of claim 8, wherein the compute device is a first compute device, the method further composing receiving a signal at the first compute device, the signal originating at a second compute device (email is the signal, para [0154]), the emulating including:
identifying, in response to receiving the signal, a response based on at least a portion of the stored network traffic data (paras [0155] - [0156]); and 
sending the response to the second compute device (para [0066]).
Regarding claim 12, Ettema and Veteikis disclose the method of claim 8, wherein the network traffic does not include network traffic that was neither sent directly to the target device nor sent directly from the target device (Ettema: paragraphs [0062 - 0063]).
Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Ettema et al (US 2018/0124069; hereinafter Ettema) in view of Veteikis et al (US 2013/0347103; hereinafter Veteikis), and further in view of Ramanathan (US 2005/0066086; hereinafter Ramanathan).
Regarding claim 9, Ettema, as modified by Veteikis discloses the method of claim 8, but fails to specifically disclose wherein the emulating is performed without knowledge of a firmware or hardware of the target device.
Ramanathan, in an analogous art, discloses the emulating is performed without knowledge of a firmware or hardware of the target device (paras [0013], [0031 – 0033]; Ramanathan discloses that the generic device emulator thus facilitates development of devices in the protocol. The device developer has only to define the description of the device and the Services thereof. The generic device emulator a device connectivity or other communications protocol as specified in the description).
It would have been obvious to a person with ordinary skill in the art before the effective filing date of the invention to use a generic emulator to emulate the target device without knowledge of a firmware or hardware of the target device as per Ramanathan in the method of Ettema as modified by Veteikis since it will make the emulation flexible by using a generic device to emulate multiple behavior, allowing quick prototyping and testing (para (0008), para (0014), Ramanathan ).
Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Ettema et al (US 2018/0124069; hereinafter Ettema) in view of Veteikis et al (US 2013/0347103; hereinafter Veteikis), and further in view of Jha et al (US 2013/0247194; hereinafter Jha).
Regarding claim 7, Ettema as modified by Veteikis disclose that the request is a cybersecurity request (Nmap, para [0066]; Ettema discloses that probe responses provided by the honey network emulation engine are generated and sent in order to fool the network scanning tool into determining that an emulated device. IP address, and/or services are present in the honey network (e.g., particular devices with various attributes, IP address, OS type and version, and/or services on certain ports are present based on the probe responses received by the network scanning tool from the honey network emulation engine)."), but fails to specifically disclose that the target device is a device that should not receive cybersecurity requests.
Jha, in an analogous art, discloses that the target device is a device that should not receive cybersecurity requests (para [0009] "A medical device monitor (MedMon), method and computer readable medium is disclosed. The MedMon is configured to operate in a system having communications between a first medical device associated with a patient and a second device The MedMon includes a receiver configured to snoop on communications between the first medical device 
It would have been obvious to a person with ordinary skill in the art before the effective filing date of the invention to use to emulate a device that should not receive cybersecurity requests in the method of Ettema as modified by Veteikis since it would allow to detect attacks on the said emulated device by observing anomalies such as cybersecurity requests in the requests as per Jha (para [0009], Jha).
Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Ettema et al (US 2018/0124069; hereinafter Ettema) in view of Veteikis et al (US 2013/0347103; hereinafter Veteikis), and further in view of Matthew Andriani (US 2018/0046811; hereinafter Andriani).
Regarding claim 13, Ettema and Veteikis disclose all the limitations in claim 8, but fails to specifically disclose that the monitoring of the network traffic associated with the target device is performed via a SPAN port of a network of the target device.
Andriani, in an analogous art, discloses that the monitoring of the network traffic associated with the target device is performed via a SPAN port of a network of the target device (paras. [0059], [0154], [0283]; Andriani discloses that port mirroring is one way the coordination device 220 can receive a copy of all incoming traffic towards the production services 124. Port mirroring is used on a network switch to send a copy of network packets seen on one switch port (or an entire VLAN) to a network monitoring connection on another switch port).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teaching of Ettema and Veteikis by monitoring network traffic associated with the target device via a SPAN port of a network of the target device as evidenced by Andriani for the purpose of sending a copy of network packets seen on one switch port (or an entire VLAN) to a network monitoring connection on another switch port.
Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Ettema et al (US 2018/0124069; hereinafter Ettema) in view of Veteikis et al (US 2013/0347103; hereinafter Veteikis), and further in view of Helfinstine et al (US 2005/0066088; hereinafter Helfinstine).
Regarding claim 14, Ettema and Veteikis disclose all the limitations in claim 8, but fails to specifically disclose that the target device is a medical device.
Helfinstine, in an analogous art, discloses that the target device is a medical device (abstract; paras. [0004], [0007]; Helfinstine discloses an implantable medical device to be configured to perform medical device functions with an internal processor and perform testing and diagnostics in another fashion).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teaching of Ettema and Veteikis by showing that the target device is a medical device as evidenced by Helfinstine for the purpose of enhancing diagnostic testing by capabilities such as faster testing and more realistic testing.
Claims 15, and 17 - 22 are rejected under 35 U.S.C. 103 as being unpatentable over Ettema et al (US 2018/0124069; hereinafter Ettema) in view of Veteikis et al (US 2013/0347103; hereinafter Veteikis), and further in view of Ramanathan (US 2005/0066086; hereinafter Ramanathan).
4) is received "), but fails to receive, at the compute device, a copy of a first set of messages sent to the target device, receive, at the compute device, a copy of a second set of messages sent from the target device;
store the copy of the first set of messages and the copy of the second set of messages as historical data in a memory of the compute device.
Veteikis, in an analogous art, discloses:
receiving messages at a compute device (para (0067] “Network testing system 16 may be connected to the test system 18 in any suitable manner, e g., according to any suitable topology or arrangement In some embodiments or arrangements, network testing system 16 may, be connected on both sides of a system 18 to be tested, e.g., to simulate both clients and servers passing traffic through the test system In other embodiment or arrangements, network testing system 16 may be connected to any entry point to the test system 18, e.g, to act as a dient to the test system 18 In some embodiment or arrangements, network testing system 16 may act m both of these modes simultaneously“; para (0407] ‘At step 532, a packet (e g., part of a data stream from test network 18 is received at system 16 on a test interface 101 and forwarded to capture/offload CLD 102A via a physical interface.“);

It would have been obvious to a person with ordinary skill in the art before the effective filing date of the invention to received traffic to and from the emulated device at the compute device in the method of Palo Alto and then store the received traffic In the memory of the said compute device since the traffic flow can be I used to simulate or emulate the operations of the emulated device (para (0087), para (0276). Veteikis).
Ettema as modified by Veteikis fails to disclose that the generation of an emulator to mimic an output of the target device is based without knowledge of a firmware or hardware of the target device.
Ramanathan, in an analogous art, discloses that the emulating is performed without knowledge of a firmware or hardware of the target device (paras [0013], [0031 – 0033]; Ramanathan discloses that the generic device emulator thus facilitates development of devices in the protocol. The device developer has only to define the description of the device and the Services thereof. The generic device emulator then provides an operational emulation of the behavior of the device within a device connectivity or other communications protocol as specified in the description).
It would have been obvious to a person with ordinary skill in the art before the effective filing date of the invention to use a generic emulator to emulate the target device without knowledge of a firmware or hardware of the target device as per Ramanathan in the method of Ettema as modified by 
Regarding claim 17, Ettema, as modified by Veteikis and Ramanathan discloses the non-transitory processor readable medium of claim 15, further discloses wherein the code further represents instructions to cause the processor to perform a vulnerability scan on the emulator (Ettema: paras. [0028], [0033]). 
Regarding claim 18, Ettema, Veteikis, and Ramanathan disclose the non-transitory processor-readable medium of claim 15, wherein the code represents instructions to cause the processor to:
identify a plurality of target devices including the target device (para [0148]; Ettema discloses that at 10004, one or more of the plurality of devices is selected as a target device to a clone); and
emulate each target device from the plurality of target devices via the processor of the compute device (para [0041]; Ettema discloses that the plurality of virtual clones executed in the instrumented VM environment correspond to the honey network that emulates a plurality of devices in an enterprise network).
	Regarding claim 19, Ettema, Veteikis, and Ramanathan disclose the non-transitory processor-readable medium of claim 15, wherein the code further represents instructions to cause the processor to:
detect that the emulator is ready for testing (para [0044]; Ettema discloses that a clone of Alice's targeted host device can be instantiated as a customized VM instance in a VM environment (e.g., instrumented VM environment), along with instances for emulating a subset of devices from the target network environment); and
in response to detecting that the emulator is ready for testing, perform a vulnerability scan on the emulator (para [0044]; Ettema discloses that the malware sample (e.g., malware URL, malware file/web download, malware email, and/or malware email attachment, etc.) can be routed to the VM environment and then detonated using the virtual clone of Alice's target host in the VM environment that implements the above-described honey network emulation of (a subset) of the ACME enterprise network).
	Regarding claim 20, Ettema, Veteikis, and Ramanathan disclose the non-transitory processor-readable medium of claim 15, wherein the code further represents instructions to cause the processor to:
detect that the emulator is ready for testing (Ettema: para [0044]); and
in response to detecting that the emulator is ready for testing, perform a device fingerprinting operation at the emulator (Ettema: para [0044]).
Regarding claim 21, Ettema, Veteikis, and Ramanathan disclose the non-transitory processor-readable medium of claim 15, wherein the code further represents instructions to cause the processor to:
receive, at the compute device, a signal originating at a remote compute device (para [0154]; Ettema discloses that the process begins at 1102 when an email is received and determined to be a malware email (e.g., at an inline data appliance that can perform a security analysis of the email to determine that content of the email or an attachment to the email is malware or suspicious) );
identify, via the emulator and in response to receiving the signal, a response based on at least a portion of the historical data (paras. [0155 - 0156], [0159]);
identify a response sequencing based on the historical data (paras. [0060 - 0061]); and
send the response to the remote compute device in accordance with the response sequencing (para [0066]).
Regarding claim 22, Ettema, Veteikis, and Ramanathan disclose the method of claim 21, wherein the target device is a medical device (para [0044]).
16 is rejected under 35 U.S.C. 103 as being unpatentable over Ettema, Veteikis, Ramanathan, and further in view of FRATTURA et al (US 2010/0268933; hereinafter FRATTURA).
Regarding claim 16, Ettema, Veteikis, and Rmanathan disclose all the limitations in claim 15, but fails to specifically disclose that the code further represents instructions to cause the processor to:
detect sensitive data in at least one of the copy of the first set of messages or the copy of the second set of messages; and one of modify or delete the sensitive data to define message information.
FRATTURA, in analogous art, discloses detect sensitive data in at least one of the copy of the first set of messages or the copy of the second set of messages (para [0044]; FRATTURA discloses that the mirrored network traffic may comprise data that may be considered confidential, secret, classified, privileged, private, or otherwise sensitive data. For example, the data payload of a frame of mirrored network traffic may include private Voice over IP (VoIP) communications between users on one or more networks) and 
one of modify or delete the sensitive data to define message information (para [0049]; FRATTURA discloses that the blanking technique replaces all or a portion of the data contents of the frame, e.g., the data payload, with a random binary pattern or a predefined binary pattern. In other embodiments, the data may be replaced with other data that is valid but not private).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teachings of Ettema, Veteikis, and Ramanathan by detecting sensitive data in at least one of the copy of the first set of messages or the copy of the second set of messages; and one of modifying or deleting the sensitive data to define message information as evidenced by FRATTURA for the purpose of securing sensitive data in a safe and reliable manner.



Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to YVES DALENCOURT whose telephone number is (571)272-3998. The examiner can normally be reached M-F 8AM-5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ario Etienne can be reached on 571-272-4001. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/YVES DALENCOURT/Primary Examiner, Art Unit 2457