DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claims 1-20 have been examined and are pending.
Priority
Receipt is acknowledged of certified copies of papers required by 37 CFR 1.55.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 06/21/2019 was filed.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.
Specification
Applicant is reminded of the proper language and format for an abstract of the disclosure. See line 2: comprises and line 3: comprising.
The abstract should be in narrative form and generally limited to a single paragraph on a separate sheet within the range of 50 to 150 words in length. The abstract should describe the disclosure sufficiently to assist readers in deciding whether there is a need for consulting the full patent text for details.
The language should be clear and concise and should not repeat information given in the title. It should avoid using phrases which can be implied, such as, “The disclosure concerns,” “The disclosure defined by this invention,” “The disclosure describes,” etc.  In addition, the form and legal phraseology often used in patent claims, such as “means” and “said,” should be avoided.
Claim Objections
Claims 11 and 15-16 are objected to because of the following informalities:  
Claim 11, line 3: “a deception server;” antecedent basis issue due to claim 10, line 10.  
Claim 15, line 2: “a deception server;” antecedent basis issue due to claim 10, line 10.  
Claim 16, line 3: “a deception server;” antecedent basis issue due to claim 10, line 10.  Appropriate correction is required.
Claim Rejections - 35 USC § 101 
Claims 1, 10, and 17 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more.            Per the 2019 Revised Patent Subject Matter Eligibility Guidance (2019 PEG) 
101 Flowchart Analysis: 
Step 1: meets the statutory category of a mental process;  Step 2A/Prong 1: recited claims – access information regarding a topology of an arrangement of resources, wherein a resource of the resources comprises a multi-tiered resource comprising a plurality of layers; based on the information regarding the topology of the arrangement of resources, select one or more layers of the multi-tiered resource for deployment of a deception server; and deploy one or more deception servers at the selected one or more layers of the multi-tiered resource 
Step 2B/Prong 2:  recites an additional element in steps (1)-(3) non-transitory machine-readable storage medium to deploy one or more deception servers based on the topology information of resource arrangement access, which are a form of insignificant extra-solution activity.  However, the particular additional element is recited at high level of generality that is no more than merely “apply” the mental step using a generic computer system.  The deploy step (3) is deploying servers at a one or more layers of a resource is also recited at high level of generality, not integrated into a practical application, and amounts to a mere post-solution of deploying that is a form of insignificant extra-solution activity. 
 The additional elements are determined to be no more than insignificant extra-solution activity.  In particular, the processor and computer system are considered conventional and well-understood, and are recited at high level of generality.  As the result, the claim, as a whole, is no more than attempting to broadly cover the concept of using a computer system to implement analysis of what a human security analyst would have performed in the mind. Therefore, the claims 1, 10, and 17 are considered as an abstract idea without significantly more than the judicial exception.
Dependent claim(s) Claims 2-9, 11-16, and 18-20 are also rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter for the same reason addressed above. 

	
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any 
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.

3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-4, 6-10, 13, 15, 17, and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over DiValentin et al, hereinafter (“DiValentin”), European Patent Application (EP2955894 A1), was submitted 06/21/2019 IDS, in view of Madtha et al , hereinafter (“Madtha”), US PG Publication (20180060106 A1).
Regarding claims 1, 10, and 17, DiValentin teaches a non-transitory machine-readable storage medium comprising instructions 2that upon execution cause a system to; a system comprising:  2a processor; and 3a non-transitory storage medium storing instructions executable on the 4processor to; and a method performed by a system comprising a hardware processor, 2comprising:   [DiValentin et al EP2955894 A1 06/21/2019 IDS, ¶0019: Each of the devices 202, 204, 206, and 208 can include one or more processors configured to execute instructions stored by computer-readable media for performing various device operations, such as input/output. ¶¶0018-0020 and 0025: Fig. 2 shows system 200 flow of data within from stages (A) to (K), some may occur concurrently. The system 200 includes a threat intelligence server 202, a management and process orchestration server 204, a software-defined networking controller 206, and an indicator analytics server 208. ¶0056: a tangible non-transitory program carrier; computer storage medium can be a machine-readable storage device] 
¶0012: Upon receiving feed information, the threat intelligence component 102 can identify key indicators and observables (i.e. names, identifiers, and/or hashes of processes, objects, files, applications, or services, Internet Protocol (IP) addresses of devices,); upon which action may be taken. ¶0013: based on one or more indicators of compromise identified by the intelligence component 102, an appropriate plan of action may be generated, selected.]
9deploy one or more deception servers at the selected one or more layers of 10the multi-tiered resource. [Di Valentin, ¶0028:  During stage (H), the software defined networking switch 214 redirects flow to the honeypot environment 212, if an attacker logs in and installs a package. The honeypot environment 212, for example, can use process tracing techniques to identify and provide information associated with an attack. The honeypot environment can identify where the user logs in from, associated process identifiers, etc.]
While Di Valentin teaches information regarding the topology of the arrangement of 7resources [Di Valentin, ¶0032: threat information can be used to direct network topology changes based on observed honeypot activity]; However, DiValentin fails to explicitly teach but Madtha teaches  
3access information regarding a topology of an arrangement of resources, 4wherein a resource of the resources comprises a multi-tiered resource comprising a ¶0124: Communication with different classes of remote computers and with other multi-tiered-application servers; ¶0134: Topology and Orchestration Specification for Cloud Applications (“TOSCA”) Standard developed for specifying multi-tiered-application architectures. The TOSCA standard defines various types of data elements and a set of rules for combining these data elements into a multi-tiered-application specification. ¶0136: A Relationship Type element 2720 represents a generic relationship between 2 components of a multi-tiered application and a Relationship Template 2722 is an instantiation of a Relationship Type element that represents a specific relationship between two specific components of a multi-tiered application. ¶0137: Fig. 27C shows a composition of a Topology Template from Node Templates and Relationship Templates.  Topology Template thus specifies the architecture of a multi-tiered application (a multi-tiered resource) as a tree-like graph of New Templates connected by Relationship Templates (a 5plurality of layers).]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of a deception network system of DiValentin before him or her by including the teachings a multi-tiered-application distribution to resource-provider hosts by an automated resource-exchange system of Madtha. The motivation/suggestion would have been obvious to try to modify the system of a system that analyzes threats through deception networks of DiValentin by adding the multi-tiered-application distribution system that analyzes collected metrics and data elements would produces predictable output of 

Regarding claim 2, the combination of teach Di Valentin and Madtha claim 1 as described above.
However, DiValentin fails to explicitly teach but Madtha teaches wherein 2accessing the information regarding the topology of the arrangement of resources 3comprises accessing a configuration management database. [Madtha, ¶0124: database servers that carry out database queries against a distributed e-commerce database on behalf of requesting application servers. ¶0143: the components of a multi-tiered application are generally organized into layers, such as the web-server, application-server, and database-server layers; ¶0081: compiled and processed types of analytical data 1422 are stored in a local database 1424; as well as several local databases 1438-1439]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of a deception network system of DiValentin before him or her by including the teachings a multi-tiered-application distribution to resource-provider hosts by an automated resource-exchange system of Madtha. The motivation/suggestion would have been obvious to try to the various several databases for storage of compiled, multi-layered application, and analytical data [Madtha, ¶¶0082 and 0143].  


However, DiValentin fails to explicitly teach but Madtha teaches  wherein the 2multi-tiered resource comprises a multi-tiered application. [Madtha, See ¶0143: multi-tiered application are generally organized into layers, such as application-server]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of a deception network system of DiValentin before him or her by including the teachings a multi-tiered-application distribution to resource-provider hosts by an automated resource-exchange system of Madtha. The motivation/suggestion would have been obvious to try to the various several databases for storage of compiled, multi-layered application, and analytical data [Madtha, ¶¶0082 and 0143].  

Regarding claim 4, the combination of teach Di Valentin and Madtha claim 3 as described above.
However, DiValentin fails to explicitly teach but Madtha teaches wherein the 2multi-tiered application comprises a multi-tiered web application. [Madtha, See ¶multi-tiered application are generally organized into layers, such as the web-server, application-server]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of a deception network system of DiValentin before him or her by including the teachings a multi-tiered-application distribution to resource-provider hosts by an automated 

Regarding claim 6, the combination of teach Di Valentin and Madtha claim 1 as described above.
However, DiValentin fails to explicitly teach but Madtha teaches wherein deploying the virtual machine comprises deploying the virtual machine from a server image. [Madtha, ¶0064: In a virtual machine a virtual-execution environment, one public standard for virtual-machine encapsulation is referred to as the “open virtualization format” (“OVF”); FIG. 9 illustrates an OVF package: one or more disk-image files 910-911.]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of a deception network system of DiValentin before him or her by including the teachings a multi-tiered-application distribution to resource-provider hosts by an automated resource-exchange system of Madtha. The motivation/suggestion would have been obvious to try to deployment of virtual machines from an open virtualization format of data files [Madtha, ¶0064].  




DiValentin teaches wherein the 2instructions upon execution cause the system to:  3store information gathered by the virtual machine relating to an interaction by 4an entity with the deception server; [DiValentin, ¶0021: threat intelligence information is contextualized and stored ] and  
5detect an attack based on the information relating to the interaction. [DiValentin, ¶¶0023 and 0025: Management & Process Orchestration server 204 can change infrastructure of system 200 automatically and/or manipulate security controls to interfere with an attacker; redirecting traffic on the fly of network topology such that attacker is unaware.]

Regarding claim 8, the combination of Di Valentin and Madtha teach claim 7 as described above.
DiValentin teaches wherein the 2instructions upon execution cause the system to:  3cause performance of a remedial action in response to the detecting of the 4attack. [DiValentin, ¶0009: combat and improve organizations security posture where honeypots identify indicators of network compromise; incident responses include: incident remediation processes]




However, DiValentin fails to explicitly teach but Madtha teaches wherein the 2multi-tiered resource is to communicate with an entity over an external network, and 3traffic from the entity is processed by the multi-tiered resource. [Madtha, ¶0124: (5) constraints on the ports that can be used by multi-tiered-application servers for communicating with different classes of remote computers and with other multi-tiered-application servers; (6) requirements associated with establishing virtual private networks between multi-tiered-application components and remote computer systems as well as between multi-tiered-application components located in different computing centers; See also ¶0143: multi-tiered application are generally organized into layers, such as the web-server, application-server]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of a deception network system of DiValentin before him or her by including the teachings a multi-tiered-application distribution to resource-provider hosts by an automated resource-exchange system of Madtha. The motivation/suggestion would have been obvious to try to modern cloud-computing environments, multi-tiered applications distributed across multiple server computers, often within different cloud-computing facilities by Madtha [¶0124].  


However, DiValentin fails to explicitly teach but Madtha teaches wherein the information regarding the topology of the 2arrangement of resources comprises a configuration management database that 3comprises information of configuration items corresponding to the resources, and 4information of relationships among the configuration items. [Madtha, ¶0124: database servers that carry out database queries against a distributed e-commerce database on behalf of requesting application servers. ¶0136: a generic relationship between 2 components of a multi-tiered application and a Relationship Template 2722 is an instantiation of a Relationship Type element that represents a specific relationship between two specific components of a multi-tiered application.]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of a deception network system of DiValentin before him or her by including the teachings a multi-tiered-application distribution to resource-provider hosts by an automated resource-exchange system of Madtha. The motivation/suggestion would have been obvious to try to a composition of a Topology Template from Node Templates and Relationship Templates to identify hierarchical tree-like [Madtha, ¶0137].  



Di Valentin teaches wherein the instructions are executable on the 2processor to analyze information relating to interaction between a deception server 3and another entity, and to detect an attack based on the analyzing. [Di Valentin, ¶0024: as part of the stage (E), process mitigation controls to protect endpoint the orchestration server 204 can determine risk; where a snapshot may be taken of a current session of the production environment 210 can be taken and can be for use in threat analysis when rebuilding session in a honeypot environment.]

Regarding claim 19, the combination of teach Di Valentin and Madtha claim 17 as described above.
Di Valentin teaches monitoring traffic with the one or more deception servers; [Di Valentin ¶0014 the security information and analytics component 104 can receive information from internal network data sources 120 (e.g., including information technology data sources 122, operational technology data sources 124, and/or physical data sources 126), and can provide monitoring of patterns and anomalies indicative of threat activity within an organization] and  
3detecting an attack based on the monitoring. [Di Valentin ¶0047  For example, if a particular pattern is observed within a security incident, a response strategy may be influenced by the insight information 116 to determine an appropriate course of action (e.g., repairing damage caused by a security breach). Upon selecting the response strategy, for example, the security information and 

Regarding claim 20, the combination of teach Di Valentin and Madtha claim 19 as described above.
Di Valentin teaches performing an automated remedial action in response to detecting the attack. [Di Valentin, ¶0032 process orchestration server 204, where it can be used to generate another predetermined course of action and/or to block future attacks.]

Claims 5, 11-12, 14, 16, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over DiValentin et al, hereinafter (“DiValentin”), European Patent Application (EP2955894 A1), was submitted 06/21/2019 IDS, in view of Madtha et al , hereinafter (“Madtha”), US PG Publication (20180060106 A1), in view of Sysman et al, hereinafter (“Sysman”), US PG Publication (US 20170134423 A1), was submitted 06/21/2019 IDS.

While Di Valentin teaches the one or more deception servers [Di Valentin, ¶0028:  During stage (H), the software defined networking switch 214 redirects flow to the honeypot environment 212,wherein 2deploying the one or more deception servers at the selected one or more layers of 3the multi-tiered resource comprises deploying a virtual machine at a layer of the 4multi-tiered resource. [Sysman et al US 20170134423 A1 IDS, ¶¶0042 and 0106: endpoint 220 may be a virtual machine (VM) executed by the physical device. The virtual device may provide an abstracted and platform-dependent and/or independent program execution environment. ¶0108: The user 260 may further use the campaign manager 216 to create, deploy and/or update a plurality of deception data objects 214 (breadcrumbs) deployed on one or more of the endpoints 220 in the protected network 235. The deployed deception data objects 214 interact with respective one or more of the deception applications 212.]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of DiValentin and Madtha before him or her by including the teachings of a decoy and deceptive data object technology of Sysman. The motivation/suggestion would have been obvious to try to a method of detecting unauthorized access to a protected network by monitoring a dynamically updated deception environment for a plurality of deception data objects deployed in the protected network to emulate usage of the plurality of deception data objects for accessing the deception application(s); wherein 

Regarding claim 11, the combination of teach Di Valentin and Madtha claim 10 as described above.
While Di Valentin teaches a deception server [Di Valentin ¶0028:  honeypot environment 212]; however Di Valentin fails to explicitly teach but Sysman teaches wherein the instructions are executable on the 2processor to:  3select plural layers of the multi-tiered resource for deployment of a deception 4server; [Sysman, ¶¶0056-0057: one or more modes of potential attackers: series or parallel execution; a structure of the deception environment and deployment environments can be updated dynamically] and  
5cause deployment of plural deception servers at the selected plural layers of 6the multi-tiered resource. [Sysman, ¶0122: the process 100 for launching one or more deception campaigns starts with the user 260 using the campaign manager 216 to create one or more images of the decoy OSs 210. The decoy OS 210 is a full stack operating system that contains baseline configurations and states that are relevant to the protected network 235 in which the decoy OS(s) 210 is deployed.]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of DiValentin and Madtha before him or her by including the teachings of a decoy and deceptive data object technology of Sysman. The motivation/suggestion would have 

Regarding claim 12, the combination of teach Di Valentin and Madtha claim 11 as described above.
While Di Valentin teaches a deception server [Di Valentin ¶0028:  honeypot environment 212]; however Di Valentin fails to explicitly teach but Sysman teaches wherein the plural deception servers deployed at the 2selected plural layers of the multi-tiered resource are to collect data relating to 3attacks of the plural layers of the multi-tiered resource. [¶0088: The activity pattern may be collected and analyzed to adapt the deception environment accordingly; where deception environment is transparent to legitimate users in the protected network, any operations involving the decoy OSs, the deception applications and/or the deception data objects may accurately indicate a potential attacker thus avoiding false positive alerts.]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of DiValentin and Madtha before him or her by including the teachings of a decoy and deceptive data object technology of Sysman. The motivation/suggestion would have 
Regarding claim 14, the combination of teach Di Valentin and Madtha claim 10 as described above.
While Di Valentin teaches virtual a deception server [Di Valentin ¶0009: leveraging application and network virtualization capabilities, for example, an organization can meet the adversary's tactics; ¶0028:  honeypot environment 212]; however Di Valentin fails to explicitly teach but Sysman teaches wherein a given deception server of the one or more 2deception servers is in a virtual machine. [Sysman, ¶¶0042 and 0106: endpoint 220 may be a virtual machine (VM) executed by the physical device.
 	Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of a deception network system of DiValentin and Madtha before him or her by including the teachings of a Decoy and deceptive data object technology of Sysman. The motivation/suggestion would have been obvious to try the deployed VM functionality as taught by Sysman [Sysman, ¶¶0042 and 0016].  
Regarding claim 16, the combination of teach Di Valentin and Madtha claim 10 as described above.
¶0028:  honeypot environment 212]; however Di Valentin fails to explicitly teach but Sysman teaches wherein causing the deployment of the one or more 2deception servers at the selected one or more layers of the multi-tiered resource comprises causing deployment of a virtual machine comprising a deception server, the virtual machine based on a predefined template. [Sysman, ¶0089:The templates for creating the decoy OS(s) and/or the deception application(s) coupled with the automated tools to create and launch the decoy OS(s) and/or the deception application(s) as well as automatically deploy the deception data objects...]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of a deception network system of DiValentin and Madtha before him or her by including the teachings of a Decoy and deceptive data object technology of Sysman. The motivation/suggestion would have been obvious to try templates for creating decoys created by an IT person and/or system administrator for the deception environment taught by Sysman [Sysman, ¶¶0085 and 0089].  

Regarding claim 18, the combination of teach Di Valentin and Madtha claim 17 as described above.
While Di Valentin teaches the one or more 2deception servers [Di Valentin ¶0028:  honeypot environment 212]; however Di Valentin fails to explicitly teach wherein deploying the one or more deception servers 2comprises deploying a virtual machine comprising a deception server, the virtual 3machine created from a ¶0089:The templates for creating the decoy OS(s) and/or the deception application(s)]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of a deception network system of DiValentin and Madtha before him or her by including the teachings of a Decoy and deceptive data object technology of Sysman. The motivation/suggestion would have been obvious to try templates for creating decoys created by an IT person and/or system administrator for the deception environment taught by Sysman [Sysman, ¶¶0085 and 0089].  

	
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Suit (9,588,821 B2) discloses an automatic determination of required resource allocation of virtual machines.
	
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAKINAH W TAYLOR whose telephone number is (571)270-0682.  The examiner can normally be reached on Monday-Friday, 9:45-5:45.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Sakinah White Taylor/Examiner, Art Unit 2497