DETAILED ACTION
This Non-Final Office Action is in response to the request for continued examination filed on 09/15/2021.  	Claims 1-20 are being considered on the merits.
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Continued Examination Under 37 CFR 1.114
2.	A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 09/15/2021 has been entered.
Response to Arguments
3.	Applicant's arguments filed 09/15/2021 have been fully considered but they are moot because they do not apply to the newly cited reference below. 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


s 1, 8, 14 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over US Pub. No. US 2016/0028764 A1 to Vasseur, (hereinafter “Vasseur”) in view of US Pub. No. US 2017/0126718 A1 to Baradaran, (hereinafter, “Baradaran”) and in further view of US Pub. No. US 2014/0283028 A1 to Yu, (hereinafter, “Yu”).

As per claims 1 and 14, Vasseur teaches a method and an apparatus, respectively, comprising:
one or more computer-readable storage media; a processing system operatively coupled with the one or more computer-readable storage media (Vasseur, para. [0027] FIG. 2 is a schematic block diagram of an example node/device 200 (e.g., a server/controller 102, a node/device 104, etc.) that may be used with one or more embodiments described herein, e.g., as any of the devices shown in FIG. 1 above. The device may comprise one or more network interfaces 210 (e.g., wired, wireless, PLC, etc.), at least one processor 220, and a memory 240 interconnected by a system bus 250, as well as a power supply 260 (e.g., battery, plug-in, etc.).”); and 
program instructions stored on the one or more computer-readable storage media that, when executed by the processing system, direct the processing system to facilitate prevention of malicious attacks on a web service (Vasseur, para. [0029] “The memory 240 comprises a plurality of storage locations that are addressable by the processor 220 and the network interfaces 210 for storing software programs and data structures…The processor 220 may comprise hardware elements or hardware logic adapted to execute the software programs and manipulate the data structures 245. These software processes and/or services may comprise routing process/services 244, an attack mimicking process 247, and/or an attack detection process 248”), the method comprising:
when the web request is identified as malicious, preventing the web request from reaching the web server and instead redirecting the web request to an isolated mitigation server configured to mimic responses of the web server (Vasseaur, para. [0055] “The policy engine may instruct RDEi 410 to redirect the traffic to the TSi 450, and perform NAT (Network Address Translation) to spoof the address of the attacked server, thus making the architecture shown in FIG. 4 highly flexible. In one embodiment, the TSi 450 may purposely mimic the behavior expected from the attack (and potentially running out of resources). Such a behavior is particularly useful for unknown attacks since it may not be possible for the policy engine to indicate how TSi 450 should mimic the attack. Instead, TSi 450 may simply replicate the effect of the attack with no consequence on the actual server, which was originally the target of the attack. In yet another embodiment, if the policy server knows the effect of the identified attack Si, it may indicate to TSi 450 exactly how to mimic the effect of the attack. In either case, the TSi 450 allows for replicating the effect of the attack without any consequence on the actual server, resulting with the attacker not being capable of telling that the attack was detected.”).
in the isolated mitigation server, and presenting the artificial content to the client in response to the web request  (Vasseaur, para. [0065] “the DoS attack management node may determine attack information relating to the attack traffic. The attack information may include, for example, a type of the DoS attack and an intended target of the DoS attack, in addition to an identity of the attacker, an identity of the RDE 410, an intensity of the DoS attack, and the like. The attack information may be provided to the DoS attack management node by the RDE 410.” And para. [0066] “the DoS attack management node may trigger an attack mimicking action based on the attack information mentioned above…the attack mimicking action mimics a behavior of the intended target of the DoS attack that would be expected by the one or more attacker nodes if the DoS attack were successful. The attack mimicking action may encompass any action in the network which mimics the action of an attacked network resource, such that the attacker believes that the DoS attack was successful.”).



intercepting a web request from a client directed to a web server providing the web service (Baradaran, para. [0137] “the appliance 200 provides application firewall functionality 290 for communications between the client 102 and server 106…the appliance inspects the content of intercepted requests to identify and block application-based attacks.”); 
identifying whether or not the web request is malicious (Baradaran, para. [0137] “the policy engine 236 provides rules for detecting and blocking illegitimate requests…the application firewall 290 protects against denial of service (DoS) attacks…the appliance inspects the content of intercepted requests to identify and block application-based attacks.”); 
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Baradaran’s framework for explaining anomalies in accessing web applications into Vasseur’s stealth mitigation with a motivation to improve network security using misuse detection techniques (Baradaran, para. [0002]). 
The combination of Vasseur and Baradaran teaches all the limitations of claims 1 and 14 above, however fails to explicitly teach, but Yu teaches:
processing the web request to dynamically generate artificial content that mimics legitimate response behavior of the web server based on a type of web page targeted by the web request and filling in data values in a page template of the web page targeted by the web request with false information to dynamically generate the artificial content (Yu, para. [0037] “Referring to FIG. 4B, at step 11, web server 308 may request one or more records associated with the request(s) from data server 310. At step 12, data server 310 may retrieve the requested records associated with the request(s) received from user device 314, and communicate the requested records to web server 308. In some embodiments, a "false" data server (e.g., data server 310) may be used for retrieving requested records associated with request(s) determined to be of a malicious nature.” And para. [0038] “Upon receiving the generated update including the request(s) for obtaining information about the requesting computing device and/or the one or more records (e.g., one or more web pages and/or web page components), the one or more records may appear unusual (e.g., contain one or more "false" data records and/or fail to render properly), and a user of user device 314 may alter one or more subsequent requests of a malicious nature (e.g., cease utilizing an automated script and instead perform one or more manual requests of a malicious nature).” The generation of false variations of data records requested by a client in a web request such that the false variations of the records are provided as a response to the request when the request was determined to be malicious. The generation of false variation information based on the requested information would be considered to be dynamic since the variations are specific to what is being requested.).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Yu’s malicious request attribution into Baradaran’s framework for explaining anomalies in accessing web applications and Vasseur’s stealth mitigation with a motivation for attribution of malicious requests to prevent any unauthorized activity (Yu, para. [0001]). 
As per claim 8, Vasseur teaches a network security system to facilitate prevention of malicious attacks on a web service, the system comprising: 
a redirection system (Vasseaur, para. [0055] “The policy engine may instruct RDEi 410 to redirect the traffic to the TSi 450, and perform NAT (Network Address Translation) to spoof the address of the attacked server, thus making the architecture shown in FIG. 4 highly flexible.”); and 
(Vasseaur, Fig. 3B, server/controller 102); and 
the isolated mitigation server configured to process the web request to generate artificial web content that appears to be genuine web content provided by the web server based on a type of web page targeted by the web request, and present the artificial web content to the client in response to the web request  (Vasseaur, para. [0065] “the DoS attack management node may determine attack information relating to the attack traffic. The attack information may include, for example, a type of the DoS attack and an intended target of the DoS attack, in addition to an identity of the attacker, an identity of the RDE 410, an intensity of the DoS attack, and the like. The attack information may be provided to the DoS attack management node by the RDE 410.” And para. [0066] “the DoS attack management node may trigger an attack mimicking action based on the attack information mentioned above…the attack mimicking action mimics a behavior of the intended target of the DoS attack that would be expected by the one or more attacker nodes if the DoS attack were successful. The attack mimicking action may encompass any action in the network which mimics the action of an attacked network resource, such that the attacker believes that the DoS attack was successful.”),
and when the web request is identified as malicious, prevent the web request from reaching the web server and instead redirect the web request to the isolated mitigation server configured to mimic responses of the web server (Vasseaur, para. [0055] “The policy engine may instruct RDEi 410 to redirect the traffic to the TSi 450, and perform NAT (Network Address Translation) to spoof the address of the attacked server, thus making the architecture shown in FIG. 4 highly flexible. In one embodiment, the TSi 450 may purposely mimic the behavior expected from the attack (and potentially running out of resources). Such a behavior is particularly useful for unknown attacks since it may not be possible for the policy engine to indicate how TSi 450 should mimic the attack. Instead, TSi 450 may simply replicate the effect of the attack with no consequence on the actual server, which was originally the target of the attack. In yet another embodiment, if the policy server knows the effect of the identified attack Si, it may indicate to TSi 450 exactly how to mimic the effect of the attack. In either case, the TSi 450 allows for replicating the effect of the attack without any consequence on the actual server, resulting with the attacker not being capable of telling that the attack was detected.”).

Vasseur teaches all the limitations of claim 8 above, however fails to explicitly teach, but Baradaran teaches:

the redirection system configured to intercept a web request from a client directed to a web server providing the web service (Baradaran, para. [0137] “the appliance 200 provides application firewall functionality 290 for communications between the client 102 and server 106…the appliance inspects the content of intercepted requests to identify and block application-based attacks.”);
identify whether or not the web request is malicious (Baradaran, para. [0137] “the policy engine 236 provides rules for detecting and blocking illegitimate requests…the application firewall 290 protects against denial of service (DoS) attacks…the appliance inspects the content of intercepted requests to identify and block application-based attacks.”); 
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Baradaran’s framework for explaining anomalies in accessing web applications into Vasseur’s stealth mitigation with a motivation to improve network security using misuse detection techniques (Baradaran, para. [0002]).

The combination of Vasseur and Baradaran teaches all the limitations of claim 8 above, however fails to explicitly teach, but Yu teaches:
(Yu, para. [0037] “Referring to FIG. 4B, at step 11, web server 308 may request one or more records associated with the request(s) from data server 310. At step 12, data server 310 may retrieve the requested records associated with the request(s) received from user device 314, and communicate the requested records to web server 308. In some embodiments, a "false" data server (e.g., data server 310) may be used for retrieving requested records associated with request(s) determined to be of a malicious nature.” And para. [0038] “Upon receiving the generated update including the request(s) for obtaining information about the requesting computing device and/or the one or more records (e.g., one or more web pages and/or web page components), the one or more records may appear unusual (e.g., contain one or more "false" data records and/or fail to render properly), and a user of user device 314 may alter one or more subsequent requests of a malicious nature (e.g., cease utilizing an automated script and instead perform one or more manual requests of a malicious nature).” The generation of false variations of data records requested by a client in a web request such that the false variations of the records are provided as a response to the request when the request was determined to be malicious. The generation of false variation information based on the requested information would be considered to be dynamic since the variations are specific to what is being requested.).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Yu’s malicious request attribution into Baradaran’s framework for explaining anomalies in accessing web applications and Vasseur’s stealth mitigation with a motivation for attribution of malicious requests to prevent any unauthorized activity (Yu, para. [0001]). 
As per claim 20, Vasseur teaches one or more computer-readable storage media to facilitate prevention of malicious attacks on a web service, comprising: first program instructions stored on the one or more computer-readable storage media that, when executed by a computing system, direct the computing system to at least: second program instructions stored on the one or more computer-readable storage media that, when executed by the isolated mitigation server, direct the isolated mitigation server (Vasseur, para. [0029] “The memory 240 comprises a plurality of storage locations that are addressable by the processor 220 and the network interfaces 210 for storing software programs and data structures…The processor 220 may comprise hardware elements or hardware logic adapted to execute the software programs and manipulate the data structures 245. These software processes and/or services may comprise routing process/services 244, an attack mimicking process 247, and/or an attack detection process 248”) to at least: 
present the artificial content to the client in response to the web request (Vasseaur, para. [0065] “the DoS attack management node may determine attack information relating to the attack traffic. The attack information may include, for example, a type of the DoS attack and an intended target of the DoS attack, in addition to an identity of the attacker, an identity of the RDE 410, an intensity of the DoS attack, and the like. The attack information may be provided to the DoS attack management node by the RDE 410.” And para. [0066] “the DoS attack management node may trigger an attack mimicking action based on the attack information mentioned above…the attack mimicking action mimics a behavior of the intended target of the DoS attack that would be expected by the one or more attacker nodes if the DoS attack were successful. The attack mimicking action may encompass any action in the network which mimics the action of an attacked network resource, such that the attacker believes that the DoS attack was successful.”).

(Vasseaur, para. [0055] “The policy engine may instruct RDEi 410 to redirect the traffic to the TSi 450, and perform NAT (Network Address Translation) to spoof the address of the attacked server, thus making the architecture shown in FIG. 4 highly flexible. In one embodiment, the TSi 450 may purposely mimic the behavior expected from the attack (and potentially running out of resources). Such a behavior is particularly useful for unknown attacks since it may not be possible for the policy engine to indicate how TSi 450 should mimic the attack. Instead, TSi 450 may simply replicate the effect of the attack with no consequence on the actual server, which was originally the target of the attack. In yet another embodiment, if the policy server knows the effect of the identified attack Si, it may indicate to TSi 450 exactly how to mimic the effect of the attack. In either case, the TSi 450 allows for replicating the effect of the attack without any consequence on the actual server, resulting with the attacker not being capable of telling that the attack was detected.”).

Vasseur teaches all the limitations of claim 20 above, however fails to explicitly teach, but Baradaran teaches:
intercept a web request from a client directed to a web server providing the web service (Baradaran, para. [0137] “the appliance 200 provides application firewall functionality 290 for communications between the client 102 and server 106…the appliance inspects the content of intercepted requests to identify and block application-based attacks.”); 
identify whether or not the web request is malicious (Baradaran, para. [0137] “the policy engine 236 provides rules for detecting and blocking illegitimate requests…the application firewall 290 protects against denial of service (DoS) attacks…the appliance inspects the content of intercepted requests to identify and block application-based attacks.”); 
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Baradaran’s framework for explaining anomalies in accessing web applications into Vasseur’s stealth mitigation with a motivation to improve network security using misuse detection techniques (Baradaran, para. [0002]). 
The combination of Vasseur and Baradaran teaches all the limitations of claim 20 above, however fails to explicitly teach, but Yu teaches:
process the web request to dynamically generate artificial content that mimics legitimate response behavior of the web server based on a type of web page targeted by the web request and filling in data values in a page template of the web page targeted by the web request with false information to dynamically generate the artificial content (Yu, para. [0037] “Referring to FIG. 4B, at step 11, web server 308 may request one or more records associated with the request(s) from data server 310. At step 12, data server 310 may retrieve the requested records associated with the request(s) received from user device 314, and communicate the requested records to web server 308. In some embodiments, a "false" data server (e.g., data server 310) may be used for retrieving requested records associated with request(s) determined to be of a malicious nature.” And para. [0038] “Upon receiving the generated update including the request(s) for obtaining information about the requesting computing device and/or the one or more records (e.g., one or more web pages and/or web page components), the one or more records may appear unusual (e.g., contain one or more "false" data records and/or fail to render properly), and a user of user device 314 may alter one or more subsequent requests of a malicious nature (e.g., cease utilizing an automated script and instead perform one or more manual requests of a malicious nature).” The generation of false variations of data records requested by a client in a web request such that the false variations of the records are provided as a response to the request when the request was determined to be malicious. The generation of false variation information based on the requested information would be considered to be dynamic since the variations are specific to what is being requested.).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Yu’s malicious request attribution into Baradaran’s framework for explaining anomalies in accessing web applications and Vasseur’s stealth mitigation with a motivation for attribution of malicious requests to prevent any unauthorized activity (Yu, para. [0001]). 

5.	Claims 2, 9 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Vasseur in view of Baradaran and Yu, as disclosed above, and in further view of US Pub. No. US 2008/0282339 A1 to Nakae, (hereinafter, “Nakae”), as disclosed in 04/12/2018 and US Pub. No. US 2013/0117817 A1 to Gantman, (hereinafter, “Gantman”).

As per claim 2, the combination of Vasseur, Baradaran and Yu teach the method of claim 1, however fail to explicitly teach, but Nakae teaches: wherein processing the web request to dynamically generate the artificial content based on the type of web page targeted by the web request comprises processing the web request to dynamically generate the artificial content that mimics the password reset page that would be served by the web server in response to the web request (Nakae, para. [0029] “at least one attack detecting system is provided in at least one of the internal network and the external network. The firewall device receives an attack detection alert from the at least one attack detecting system and transforms it to an alert including at least an attack-source IP address and an attack-target IP address.” And para. [0140] “It is furthermore assumed that the attack-source host 301 is infected with a worm having an automatic infection function to WWW services, wherein the worm is aiming at "1. 2. 3. x/24" corresponding to the internal network 4 as a next infection target and selects "1. 2. 3. 1" as the first infection target. In this case, a SYN packet (source IP address: 12. 34. 56. 78, destination IP address: 1. 2. 3. 1) is transmitted from the attack-source host 301 toward the internal network 4.”).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Nakae’s attack defending system and method into Yu’s malicious request attribution, Baradaran’s framework for explaining anomalies in accessing web applications and Vasseur’s stealth mitigation with a motivation to allow effective defense against attacks from external networks (Nakae, para. [0018]). 
The combination of Vasseur, Baradaran, Yu and Nakae teach all the limitations of claim 2 above, however fail to explicitly teach, but Gantman teaches:
wherein the type of web page targeted by the web request comprises a password reset page (Gantman, para. [0052] “FIG. 2 is a diagram illustrating an exemplary network environment in which one or more features to inhibit cross-site request forging attacks may be implemented. A network 202 (e.g., data or communication network, packet-switched network, internet, wireless network, a plurality of networks, etc.) may serve to facilitate communications between multiple devices (e.g., web servers, user computers, etc.). Here, a plurality of web servers 204a, 204b, and/or 204c may provide content to one or more client devices 206a, 206b, and/or 206c (e.g., user laptops/computers, tablets, mobile phones, etc.). For instance, a browser operating at the first client device 206a may request a website content from a first web server A 204a. In response, the first server A 204a sends the requested website content to the first client device 206a where the browser displays such content to a user. Additionally, the browser may also execute instructions/commands received as part of the website content, such as linked content from a second web server B 204b. As previously noted, the second web server 204b may send content (e.g., commands, instructions, etc.) that causes the client browser to perform operations unintended by the first client device 206a. Such unintended operations may include, for example, externally-triggered requests (i.e., cross-site requests). For instance, the content from the second web server 204b may trigger or request a password change for a user of the first client device 206a at the first web server A 204a. However, by using different cookies for requests initiated at the client device (e.g., user triggered/initiated/originated requests) versus requests initiated elsewhere (e.g., externally triggered/initiated/originated requests, request initiated by second web server B 204b), these different requests may be distinguished by the first web server A 204a. Depending on the type of request (e.g., a change password request versus a content delivery request), the first web server A 204a may deny requests that seek a change in, for example, session or account information not accompanied by a cookie that indicates that such request was locally-triggered at the client device 206a (e.g., user-initiated or same-origin initiated) rather than externally-triggered by a different web server 204b or 204c.”).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Gantman’s prevention of cross-site request forgery attacks into Nakae’s attack defending system, Yu’s malicious request attribution, Baradaran’s framework for explaining anomalies in accessing web applications and Vasseur’s stealth mitigation with a motivation to prevent malicious exploit of a website (Gantman, para. [0008]). 
As per claim 9, the combination of Vasseur, Baradaran and Yu teach the network security system of claim 8, however fail to explicitly teach, but Nakae teaches: wherein processing the web request to generate the artificial web content based on the type of web page targeted by the web (Nakae, para. [0029] “at least one attack detecting system is provided in at least one of the internal network and the external network. The firewall device receives an attack detection alert from the at least one attack detecting system and transforms it to an alert including at least an attack-source IP address and an attack-target IP address.” And para. [0140] “It is furthermore assumed that the attack-source host 301 is infected with a worm having an automatic infection function to WWW services, wherein the worm is aiming at "1. 2. 3. x/24" corresponding to the internal network 4 as a next infection target and selects "1. 2. 3. 1" as the first infection target. In this case, a SYN packet (source IP address: 12. 34. 56. 78, destination IP address: 1. 2. 3. 1) is transmitted from the attack-source host 301 toward the internal network 4.”).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Nakae’s attack defending system and method into Yu’s malicious request attribution, Baradaran’s framework for explaining anomalies in accessing web applications and Vasseur’s stealth mitigation with a motivation to allow effective defense against attacks from external networks (Nakae, para. [0018]). 
The combination of Vasseur, Baradaran, Yu and Nakae teach all the limitations of claim 9 above, however fail to explicitly teach, but Gantman teaches:
wherein the type of web page targeted by the web request comprises a password reset page (Gantman, para. [0052] “FIG. 2 is a diagram illustrating an exemplary network environment in which one or more features to inhibit cross-site request forging attacks may be implemented. A network 202 (e.g., data or communication network, packet-switched network, internet, wireless network, a plurality of networks, etc.) may serve to facilitate communications between multiple devices (e.g., web servers, user computers, etc.). Here, a plurality of web servers 204a, 204b, and/or 204c may provide content to one or more client devices 206a, 206b, and/or 206c (e.g., user laptops/computers, tablets, mobile phones, etc.). For instance, a browser operating at the first client device 206a may request a website content from a first web server A 204a. In response, the first server A 204a sends the requested website content to the first client device 206a where the browser displays such content to a user. Additionally, the browser may also execute instructions/commands received as part of the website content, such as linked content from a second web server B 204b. As previously noted, the second web server 204b may send content (e.g., commands, instructions, etc.) that causes the client browser to perform operations unintended by the first client device 206a. Such unintended operations may include, for example, externally-triggered requests (i.e., cross-site requests). For instance, the content from the second web server 204b may trigger or request a password change for a user of the first client device 206a at the first web server A 204a. However, by using different cookies for requests initiated at the client device (e.g., user triggered/initiated/originated requests) versus requests initiated elsewhere (e.g., externally triggered/initiated/originated requests, request initiated by second web server B 204b), these different requests may be distinguished by the first web server A 204a. Depending on the type of request (e.g., a change password request versus a content delivery request), the first web server A 204a may deny requests that seek a change in, for example, session or account information not accompanied by a cookie that indicates that such request was locally-triggered at the client device 206a (e.g., user-initiated or same-origin initiated) rather than externally-triggered by a different web server 204b or 204c.”).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Gantman’s prevention of cross-site request forgery attacks into Nakae’s attack defending system, Yu’s malicious request attribution, (Gantman, para. [0008]).
As per claim 15, the combination of Vasseur, Baradaran and Yu teach the apparatus of claim 14, however fail to explicitly teach, but Nakae teaches: wherein processing the web request to generate the artificial web content based on the type of web page targeted by the web request comprises processing the web request to generate the artificial web content that mimics the password reset page that would be served by the web server in response to the web request (Nakae, para. [0029] “at least one attack detecting system is provided in at least one of the internal network and the external network. The firewall device receives an attack detection alert from the at least one attack detecting system and transforms it to an alert including at least an attack-source IP address and an attack-target IP address.” And para. [0140] “It is furthermore assumed that the attack-source host 301 is infected with a worm having an automatic infection function to WWW services, wherein the worm is aiming at "1. 2. 3. x/24" corresponding to the internal network 4 as a next infection target and selects "1. 2. 3. 1" as the first infection target. In this case, a SYN packet (source IP address: 12. 34. 56. 78, destination IP address: 1. 2. 3. 1) is transmitted from the attack-source host 301 toward the internal network 4.”).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Nakae’s attack defending system and method into Yu’s malicious request attribution, Baradaran’s framework for explaining anomalies in accessing web applications and Vasseur’s stealth mitigation with a motivation to allow effective defense against attacks from external networks (Nakae, para. [0018]). 
The combination of Vasseur, Baradaran, Yu and Nakae teach all the limitations of claim 15 above, however fail to explicitly teach, but Gantman teaches:
(Gantman, para. [0052] “FIG. 2 is a diagram illustrating an exemplary network environment in which one or more features to inhibit cross-site request forging attacks may be implemented. A network 202 (e.g., data or communication network, packet-switched network, internet, wireless network, a plurality of networks, etc.) may serve to facilitate communications between multiple devices (e.g., web servers, user computers, etc.). Here, a plurality of web servers 204a, 204b, and/or 204c may provide content to one or more client devices 206a, 206b, and/or 206c (e.g., user laptops/computers, tablets, mobile phones, etc.). For instance, a browser operating at the first client device 206a may request a website content from a first web server A 204a. In response, the first server A 204a sends the requested website content to the first client device 206a where the browser displays such content to a user. Additionally, the browser may also execute instructions/commands received as part of the website content, such as linked content from a second web server B 204b. As previously noted, the second web server 204b may send content (e.g., commands, instructions, etc.) that causes the client browser to perform operations unintended by the first client device 206a. Such unintended operations may include, for example, externally-triggered requests (i.e., cross-site requests). For instance, the content from the second web server 204b may trigger or request a password change for a user of the first client device 206a at the first web server A 204a. However, by using different cookies for requests initiated at the client device (e.g., user triggered/initiated/originated requests) versus requests initiated elsewhere (e.g., externally triggered/initiated/originated requests, request initiated by second web server B 204b), these different requests may be distinguished by the first web server A 204a. Depending on the type of request (e.g., a change password request versus a content delivery request), the first web server A 204a may deny requests that seek a change in, for example, session or account information not accompanied by a cookie that indicates that such request was locally-triggered at the client device 206a (e.g., user-initiated or same-origin initiated) rather than externally-triggered by a different web server 204b or 204c.”).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Gantman’s prevention of cross-site request forgery attacks into Nakae’s attack defending system, Yu’s malicious request attribution, Baradaran’s framework for explaining anomalies in accessing web applications and Vasseur’s stealth mitigation with a motivation to prevent malicious exploit of a website (Gantman, para. [0008]). 
6.	Claims 3-4, 10-11 and 16-17 are rejected under 35 U.S.C. 103 as being unpatentable over Vasseur in view of Baradaran and Yu, and in further view of Nakae, as disclosed above. 

As per claim 3, the combination of Vasseur, Baradaran and Yu teach the method of claim 1, however fail to explicitly teach, but Nakae teaches: wherein processing the web request to dynamically generate the artificial content comprises generating the artificial content based on an attack type associated with the web request (Nakae, para. [0113] “FIG. 6 shows an example of a defense rule script held in the defense rule determination section 107. Describing later in detail, the defense rule determination section 107 lists the defense rules for each attack type such as reconnaissance (RECON), INTRUSION, or DESTRUCTION and holds them in, for example, a file form. Each defense rule uses a description for designating a model of one access control rule in such a form that each rule is in a one-to-one correspondence to a predetermined attack category.” And para. [0128] “The type of an attack is determined under a classification, which is sufficient for deriving out a defending method against the attack.” And para. [0134] “defense rule scripts as shown in FIG. 6 are set in advance for each attack type. In each defense rule scrip, a combination of an attack type and a model of an access control rule to be updated is described according to the form as shown in FIG. 6. A variable to which information described in an alert is assigned can be described in a model of an access control rule.”).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Nakae’s attack defending system and method into Yu’s malicious request attribution, Baradaran’s framework for explaining anomalies in accessing web applications and Vasseur’s stealth mitigation with a motivation to allow effective defense against attacks from external networks (Nakae, para. [0018]). 
As per claim 4, the combination of Vasseur, Baradaran, Yu and Nakae teach the method of claim 3, wherein the attack type associated with the web request comprises a credential attack, and wherein generating the artificial content based on the attack type comprises generating a false successful login page (Nakae, para. [0124] “After receiving the IP packet, the decoy unit 2 provides one or more arbitrary service(s), for example, WWW and Telnet. However, in the present embodiment, it is enough that at least the communication protocol is appropriately processed. There is no need of providing services such as accessing file systems and database processing as provided in actual services. For example, in the case of Telnet service, it may be designed to permit log-in for all of arbitrary inputs to Login/Password prompt and start up a counterfeit shell that responds to the user with a counterfeit response.”).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Nakae’s attack defending system and method into Yu’s malicious request attribution, Baradaran’s framework for explaining anomalies in accessing web applications and Vasseur’s stealth mitigation with a motivation to allow effective defense against attacks from external networks (Nakae, para. [0018]). 

As per claim 10, the combination of Vasseur, Baradaran and Yu teach the network security system of claim 8, however fail to explicitly teach, but Nakae teaches: wherein the isolated mitigation server configured to process the web request to dynamically generate the artificial content comprises the isolated mitigation server configured to generate the artificial content based on an attack type associated with the web request (Nakae, para. [0113] “FIG. 6 shows an example of a defense rule script held in the defense rule determination section 107. Describing later in detail, the defense rule determination section 107 lists the defense rules for each attack type such as reconnaissance (RECON), INTRUSION, or DESTRUCTION and holds them in, for example, a file form. Each defense rule uses a description for designating a model of one access control rule in such a form that each rule is in a one-to-one correspondence to a predetermined attack category.” And para. [0128] “The type of an attack is determined under a classification, which is sufficient for deriving out a defending method against the attack.” And para. [0134] “defense rule scripts as shown in FIG. 6 are set in advance for each attack type. In each defense rule scrip, a combination of an attack type and a model of an access control rule to be updated is described according to the form as shown in FIG. 6. A variable to which information described in an alert is assigned can be described in a model of an access control rule.”).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Nakae’s attack defending system and method into Yu’s malicious request attribution, Baradaran’s framework for explaining anomalies in accessing web applications and Vasseur’s stealth mitigation with a motivation to allow effective defense against attacks from external networks (Nakae, para. [0018]). 
As per claim 11, the combination of Vasseur, Baradaran, Yu and Nakae teach the network security system of claim 10 wherein the attack type associated with the web request comprises a (Nakae, para. [0124] “After receiving the IP packet, the decoy unit 2 provides one or more arbitrary service(s), for example, WWW and Telnet. However, in the present embodiment, it is enough that at least the communication protocol is appropriately processed. There is no need of providing services such as accessing file systems and database processing as provided in actual services. For example, in the case of Telnet service, it may be designed to permit log-in for all of arbitrary inputs to Login/Password prompt and start up a counterfeit shell that responds to the user with a counterfeit response.”).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Nakae’s attack defending system and method into Yu’s malicious request attribution, Baradaran’s framework for explaining anomalies in accessing web applications and Vasseur’s stealth mitigation with a motivation to allow effective defense against attacks from external networks (Nakae, para. [0018]). 

As per claim 16, the combination of Vasseur, Baradaran and Yu teach the apparatus of claim 14, however fail to explicitly teach, but Nakae teaches: wherein the isolated mitigation server is configured to process the web request to dynamically generate the artificial content comprises the isolated mitigation server configured to generate the artificial content based on an attack type associated with the web request (Nakae, para. [0113] “FIG. 6 shows an example of a defense rule script held in the defense rule determination section 107. Describing later in detail, the defense rule determination section 107 lists the defense rules for each attack type such as reconnaissance (RECON), INTRUSION, or DESTRUCTION and holds them in, for example, a file form. Each defense rule uses a description for designating a model of one access control rule in such a form that each rule is in a one-to-one correspondence to a predetermined attack category.” And para. [0128] “The type of an attack is determined under a classification, which is sufficient for deriving out a defending method against the attack.” And para. [0134] “defense rule scripts as shown in FIG. 6 are set in advance for each attack type. In each defense rule scrip, a combination of an attack type and a model of an access control rule to be updated is described according to the form as shown in FIG. 6. A variable to which information described in an alert is assigned can be described in a model of an access control rule.”).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Nakae’s attack defending system and method into Yu’s malicious request attribution, Baradaran’s framework for explaining anomalies in accessing web applications and Vasseur’s stealth mitigation with a motivation to allow effective defense against attacks from external networks (Nakae, para. [0018]). 
As per claim 17, the combination of Vasseur, Baradaran, Yu and Nakae teach the apparatus of claim 16 wherein the attack type associated with the web request comprises a credential attack, and wherein the isolated mitigation server configured to generate the artificial content based on the attack type comprises the isolated mitigation server configured to generate a false successful login page (Nakae, para. [0124] “After receiving the IP packet, the decoy unit 2 provides one or more arbitrary service(s), for example, WWW and Telnet. However, in the present embodiment, it is enough that at least the communication protocol is appropriately processed. There is no need of providing services such as accessing file systems and database processing as provided in actual services. For example, in the case of Telnet service, it may be designed to permit log-in for all of arbitrary inputs to Login/Password prompt and start up a counterfeit shell that responds to the user with a counterfeit response.”).
(Nakae, para. [0018]). 

7.	Claims 5-7, 12-13 and 18-19 are rejected under 35 U.S.C. 103 as being unpatentable over Vasseur in view of Baradaran and Yu, as disclosed above, and in further view of US Pub. No. US 2015/0326588 A1 to Vissamsetty, (hereinafter, “Vissamsetty”), as disclosed in 04/12/2018.

As per claim 5, the combination of Vasseur, Baradaran and Yu teach the method of claim 1, however fail to explicitly teach, but Vissamsetty teaches: wherein the page template comprises a page structure of the web page targeted by the web request that identifies areas where the data values may be filled in with the false information (Vissamsetty, para. [0118] “For example, if the outbound traffic uses the HTTP protocol, the Sinkhole VM may host an Apache web server (e.g. provisioned on-the-fly to host an Apache web server) to respond to the Bot's web-page requests and serve up pages that may trap the Bot into continuing the engagement, giving the Bot detection system 100 more opportunities to learn about and log the Bot's behaviors and what it is ultimately looking for.” And para. [0132] “a schema is a multi-element template for summarizing information, and a signature is a schema that is populated with a particular set of values. A schema may have just one or a few elements. However, an aspect of the invention is to base Bot detection not just on one or a few individual events like network behavior or signature but across multiple dimensions across various VMs, services, and applications across multiple subnets. Thus, the schema for describing a particular Bot may have many elements corresponding to the many dimensions, and the values that populate the elements may capture the behaviors of many instances of the Bot.” and para. [0187] “The example schema's list of elements continues in this manner, with each element specifying a value to be matched.” And para. [0298] “Generating the credentials to transmit at step 814 may include retrieving a template for a credential having the fields and format for a given service and populating the template with data referencing the port, IP address, server name, version, and the like for the instance of that service implemented on the BotSink 300.").
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Vissamsetty’s system and method for directing malicious activity to a monitoring system into Yu’s malicious request attribution, Baradaran’s framework for explaining anomalies in accessing web applications and Vasseur’s stealth mitigation with a motivation to base Bot detection not just on one or a few individual events like network behavior or signature but across multiple dimensions (Vissamsetty, para. [0132]). 
As per claim 6, the combination of Vasseur, Baradaran and Yu teach the method of claim 1, however fail to explicitly teach, but Vissamsetty teaches: further comprising interacting with the web server to observe and learn the legitmate response behavior of the web server, and providing the legitimate response behavior of the web server to the isolated mitigation server (Vissamsetty, para. [0119] “the outbound traffic may be a port scan that has been initiated by the Bot 125 in the GuestOS VM. In this case, the software in the Sinkhole 190 may ensure that all port scans are directed to one or more Sinkhole VMs, e.g. one or more other Sinkhole VMs, that offer various services and applications. Thus, the Bot 125 in the local GuestOS VM may be tricked into engaging with a service running on a Sinkhole VM. This provides more opportunities for the Bot Detection System 100 to observe and log the behavior of the Bot 125” and para. [0120] “software in the Sinkhole VM may engage with the Bot using the IRC protocol and attempt to learn valuable information about the Bot. For example, it may be able to learn the URL (uniform resource locator) of C&C facility, or the identity of the Bot. If the outbound traffic includes a DNS request to learn the IP address associated with the C&C's URL, a DNS service in the Sinkhole VM may respond with the IP address of the Sinkhole VM itself, thereby fooling the Bot into communicating directly with the Sinkhole VM as if it were the C&C facility” and para.  [0298] “The method 800 may further include generating and transmitting credentials 724 referencing the BotSink 300 by the BotSink 300 to the client device 702. As noted above, the credentials may mimic the data contained in the credentials returned by the server system 704.”).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Vissamsetty’s system and method for directing malicious activity to a monitoring system into Yu’s malicious request attribution, Baradaran’s framework for explaining anomalies in accessing web applications and Vasseur’s stealth mitigation with a motivation to base Bot detection not just on one or a few individual events like network behavior or signature but across multiple dimensions (Vissamsetty, para. [0132]). 
As per claim 7, the combination of Vasseur, Baradaran and Yu teach the method claim 1, however fail to explicitly teach, but Vissamsetty teaches: wherein processing the web request to dynamically generate the artificial content comprises generating the artificial content based on an identification of an attack tool associated with the web request (Vissamsetty, para. [0189] “One function of the MDCE may be to correlate multi-dimension individual events collected across various modules across different VMs to generate a multi-dimension schema and signature corresponding to a Bot 125. That is, the MDCE observes Bot behavior and thereby generates a "Bot Lifecycle Signature" using a schema. The MDCE 185, 455 can import various signatures/schemas from other MDCEs 185, 187, and 188 and from the cloud, as well as transform these schemas for export in various standard formats. The MDCE can reduce false positives by dynamic learning and incorporating other information like white lists and so on.” And para. [0190] “The MDCE can classify as well as group the events according to the type of Bot infection phases such as those described in the section on Lifecycle of Bot Detection.” And para. [0191] “Bot related data like signatures, traffic, events, pcap (packet capture) and so on can be transformed into various formats for exporting to other systems. Some of the input/output formats supported are listed below: [0192] 1. Open Framework for Sharing Threat Intelligence (OpenIOC) format [0193] 2. Structured Threat Information eXpression (STIX) format [0194] 3. SNORT rules/signatures [0195] 4. other industry-standard formats that may exist or be developed [0196] 5. customized and proprietary formats”).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Vissamsetty’s system and method for directing malicious activity to a monitoring system into Yu’s malicious request attribution, Baradaran’s framework for explaining anomalies in accessing web applications and Vasseur’s stealth mitigation with a motivation to base Bot detection not just on one or a few individual events like network behavior or signature but across multiple dimensions (Vissamsetty, para. [0132]). 

As per claim 12, the combination of Vasseur, Baradaran and Yu teach the network security system of claim 8, however fail to explicitly teach, but Vissamsetty teaches: wherein the page template comprises a page structure of the web page targeted by the web request that identifies areas where the data values may be filled in with false information (Vissamsetty, para. [0118] “For example, if the outbound traffic uses the HTTP protocol, the Sinkhole VM may host an Apache web server (e.g. provisioned on-the-fly to host an Apache web server) to respond to the Bot's web-page requests and serve up pages that may trap the Bot into continuing the engagement, giving the Bot detection system 100 more opportunities to learn about and log the Bot's behaviors and what it is ultimately looking for.” And para. [0132] “a schema is a multi-element template for summarizing information, and a signature is a schema that is populated with a particular set of values. A schema may have just one or a few elements. However, an aspect of the invention is to base Bot detection not just on one or a few individual events like network behavior or signature but across multiple dimensions across various VMs, services, and applications across multiple subnets. Thus, the schema for describing a particular Bot may have many elements corresponding to the many dimensions, and the values that populate the elements may capture the behaviors of many instances of the Bot.” and para. [0187] “The example schema's list of elements continues in this manner, with each element specifying a value to be matched.” And para. [0298] “Generating the credentials to transmit at step 814 may include retrieving a template for a credential having the fields and format for a given service and populating the template with data referencing the port, IP address, server name, version, and the like for the instance of that service implemented on the BotSink 300.").
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Vissamsetty’s system and method for directing malicious activity to a monitoring system into Yu’s malicious request attribution, Baradaran’s framework for explaining anomalies in accessing web applications and Vasseur’s stealth mitigation with a motivation to base Bot detection not just on one or a few individual events like network behavior or signature but across multiple dimensions (Vissamsetty, para. [0132]). 

As per claim 13, the combination of Vasseur, Baradaran and Yu teach the network security system of claim 12, however fail to explicitly teach, but Vissamsetty teaches: wherein the redirection system is further configured to interact with the web server to observe and learn the legitimate response behavior of the web server, and provide the legitimate response behavior of the web server to the isolated mitigation server (Vissamsetty, para. [0119] “the outbound traffic may be a port scan that has been initiated by the Bot 125 in the GuestOS VM. In this case, the software in the Sinkhole 190 may ensure that all port scans are directed to one or more Sinkhole VMs, e.g. one or more other Sinkhole VMs, that offer various services and applications. Thus, the Bot 125 in the local GuestOS VM may be tricked into engaging with a service running on a Sinkhole VM. This provides more opportunities for the Bot Detection System 100 to observe and log the behavior of the Bot 125” and para. [0120] “software in the Sinkhole VM may engage with the Bot using the IRC protocol and attempt to learn valuable information about the Bot. For example, it may be able to learn the URL (uniform resource locator) of C&C facility, or the identity of the Bot. If the outbound traffic includes a DNS request to learn the IP address associated with the C&C's URL, a DNS service in the Sinkhole VM may respond with the IP address of the Sinkhole VM itself, thereby fooling the Bot into communicating directly with the Sinkhole VM as if it were the C&C facility” and para.  [0298] “The method 800 may further include generating and transmitting credentials 724 referencing the BotSink 300 by the BotSink 300 to the client device 702. As noted above, the credentials may mimic the data contained in the credentials returned by the server system 704.”).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Vissamsetty’s system and method for directing malicious activity to a monitoring system into Yu’s malicious request attribution, Baradaran’s framework for explaining anomalies in accessing web applications and Vasseur’s stealth mitigation with a motivation to base Bot detection not just on one or a few individual events like network behavior or signature but across multiple dimensions (Vissamsetty, para. [0132]). 
As per claim 18, the combination of Vasseur, Baradaran and Yu teach the apparatus of claim 14, however fail to explicitly teach, but Vissamsetty teaches: wherein the page template comprises a page structure of the web page targeted by the web request that identifies areas where the data values may (Vissamsetty, para. [0118] “For example, if the outbound traffic uses the HTTP protocol, the Sinkhole VM may host an Apache web server (e.g. provisioned on-the-fly to host an Apache web server) to respond to the Bot's web-page requests and serve up pages that may trap the Bot into continuing the engagement, giving the Bot detection system 100 more opportunities to learn about and log the Bot's behaviors and what it is ultimately looking for.” And para. [0132] “a schema is a multi-element template for summarizing information, and a signature is a schema that is populated with a particular set of values. A schema may have just one or a few elements. However, an aspect of the invention is to base Bot detection not just on one or a few individual events like network behavior or signature but across multiple dimensions across various VMs, services, and applications across multiple subnets. Thus, the schema for describing a particular Bot may have many elements corresponding to the many dimensions, and the values that populate the elements may capture the behaviors of many instances of the Bot.” and para. [0187] “The example schema's list of elements continues in this manner, with each element specifying a value to be matched.” And para. [0298] “Generating the credentials to transmit at step 814 may include retrieving a template for a credential having the fields and format for a given service and populating the template with data referencing the port, IP address, server name, version, and the like for the instance of that service implemented on the BotSink 300.").
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Vissamsetty’s system and method for directing malicious activity to a monitoring system into Yu’s malicious request attribution, Baradaran’s framework for explaining anomalies in accessing web applications and Vasseur’s stealth mitigation with a motivation to base Bot detection not just on one or a few individual events like network behavior or signature but across multiple dimensions (Vissamsetty, para. [0132]). 

As per claim 19, the combination of Vasseur, Baradaran and Yu teach the apparatus of claim 18, however fail to explicitly teach, but Vissamsetty teaches: wherein the program instructions further direct the processing system to interact with the web server to observe and learn the legitimate response behavior of the web server, and provide the legitimate response behavior of the web server to the isolated mitigation server (Vissamsetty, para. [0119] “the outbound traffic may be a port scan that has been initiated by the Bot 125 in the GuestOS VM. In this case, the software in the Sinkhole 190 may ensure that all port scans are directed to one or more Sinkhole VMs, e.g. one or more other Sinkhole VMs, that offer various services and applications. Thus, the Bot 125 in the local GuestOS VM may be tricked into engaging with a service running on a Sinkhole VM. This provides more opportunities for the Bot Detection System 100 to observe and log the behavior of the Bot 125” and para. [0120] “software in the Sinkhole VM may engage with the Bot using the IRC protocol and attempt to learn valuable information about the Bot. For example, it may be able to learn the URL (uniform resource locator) of C&C facility, or the identity of the Bot. If the outbound traffic includes a DNS request to learn the IP address associated with the C&C's URL, a DNS service in the Sinkhole VM may respond with the IP address of the Sinkhole VM itself, thereby fooling the Bot into communicating directly with the Sinkhole VM as if it were the C&C facility” and para.  [0298] “The method 800 may further include generating and transmitting credentials 724 referencing the BotSink 300 by the BotSink 300 to the client device 702. As noted above, the credentials may mimic the data contained in the credentials returned by the server system 704.”).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Vissamsetty’s system and method for directing malicious activity to a monitoring system into Yu’s malicious request attribution, Baradaran’s framework for explaining anomalies in accessing web applications and Vasseur’s stealth mitigation with (Vissamsetty, para. [0132]). 

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
US 20170104785 A1 – Generating highly realistic decoy email and documents.
US 20130160120 A1 – Protect end users from malware.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZOHA P TAFAGHODI whose telephone number is (571)272-5199.  The examiner can normally be reached on 9AM-5PM EST M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s acting supervisor, Kristine Kincaid can be reached on (571) 272-4063. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer 

/ZOHA PIYADEHGHIBI TAFAGHODI/               Examiner, Art Unit 2437   

/KRISTINE L KINCAID/               Supervisory Patent Examiner, Art Unit 2437