DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claims 1-2, 7-12, and 17-20 have been examined and are rejected.


Information Disclosure Statement
The information disclosure statement (IDS) submitted on 11/11/2019 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Allowable Subject Matter
Claims 3-6, and 13-16 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.


Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be 




 	Claims 11-20 are rejected under 35 U.S.C. 112 second paragraph as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor(s) or applicant regards as the invention.
	As per claim 11 limitations like “a bridge for receiving”, and “one or more decoy virtual machines for receiving” are limitations that invokes 35 U.S.C. 112, sixth paragraph. The written disclosure fails to disclose the corresponding structure, material, or acts for the claimed function. Applicant's specification is devoid of sufficient disclosure of structure for these terms as required by 112 second paragraph.
	
Rationale for invoking §112 6¶
Examiners will apply § 112, ¶ 6 to a claim limitation that meets the following conditions:
(1) The claim limitation uses the phrase ‘‘means for’’ or ‘‘step for’’ or a non-structural term that does not have a structural modifier;
(2) The phrase ‘‘means for’’ or ‘‘step for’’ or the non-structural term recited in the claim is modified by functional language; and
(3) The phrase ‘‘means for’’ or ‘‘step for’’ or the non-structural term recited in the claim is not modified by sufficient structure, material, or acts for achieving the specified function.
This modifies the 3-prong analysis in MPEP § 2181, which will be revised in due course.  See Supplemental Examination, 76 FR at 7167.
	“When the claim limitation does not use the phrase ‘‘means for’’ or ‘‘step for,’’ examiners should determine whether the claim limitation uses a nonstructural term (a term that is simply a substitute for the term ‘‘means for’’).  Examiners will apply § 112, ¶6 to a claim limitation that uses a nonstructural term associated with functional language, unless the nonstructural term is 

Applicant is required to:

(a) Amend the claim so that the claim limitation will no longer be a means (or step, or non-structure terms) plus function limitation under 35 U.S.C. 112, sixth paragraph; or
(b) Amend the written description of the specification such that it expressly recites what structure, material, or acts perform the claimed function without introducing any new matter (35 U.S.C. 132(a)).
If applicant is of the opinion that the written description of the specification already implicitly or inherently discloses the corresponding structure, material, or acts so that one of ordinary skill in the art would recognize what structure, material, or acts perform the claimed function, applicant is required to clarify the record by either:
(a) Amending the written description of the specification such that it expressly recites the corresponding structure, material, or acts for performing the claimed function and clearly links or associates the structure, material, or acts to the claimed function, without introducing any new matter (35 U.S.C. 132(a)); or
(b) Stating on the record what the corresponding structure, material, or acts, which are implicitly or inherently set forth in the written description of the specification, perform the claimed function. For more information, see 37 CFR 1.75(d) and MPEP §§ 608.01(o) and 2181.



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1-2, 7-12, and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Takemori et al. (U.S. PGPub 2002/0046351) in view of Vissamsetty et al. (U.S. PGPub 2017/0331856).

As per claim 1, Takemori teaches a method for expanding a fake attack surface using a deception network (Takemori, see paragraph [0010], regular region of the regular data storage means is attacked by intruders, intruding region can be changed secretly for a decoy region so that the regular region can be protected from an intrusion or invasion) comprising: 
determining, by a protected server, whether a packet is a target to be processed when the packet is received (Takemori, see paragraph [0032], On the other hand, as shown in FIG. 4, when an access command is one from an intruder, such a fact is detected at the monitoring section 47 to be notified to the converting section 44)
 when the packet is determined not to be the target to be processed, converting, by the protected server, the packet and transmitting, by the protected server, the converted packet to a decoy apparatus of the deception network (Takemori, see paragraph [0032], The destination rewriting section 41 of the converting section 44 rewrites directory [regular] designating the directory of the decoy region 41 contained in the access command [http. . . /regular/doc] to [decoy] designating the directory of the decoy region 42)
receiving, by the protected server, a response packet from decoy apparatus as a reply to the converted packet (Takemori, see paragraph [0032], When succeeding in accessing, the communication application 43 creates a response command [success/decoy/doc] to return it back to the converting section 44) and
 in order to expand the fake attack surface, modifying, by the protected server, the response packet and transmitting, by the protected server, the modified response packet to a source from which the packet determined not to be the target to be processed was transmitted (Takemore, see paragraph [0032], The response command is changed to [http. . . /regular/doc] so that it becomes the same as the response returned back to the innocent user 5 from the converting section 44 in FIG. 3. The intruders misunderstand that intrusion to the regular region 41 has been succeeded though they have intruded the decoy region 42).
Takemore doesn’t explicitly teach a decoy virtual machine included in the decoy apparatus.
In analogous art Vissamsetty teaches a decoy virtual machine included in the decoy apparatus (Vissamsetty, see paragraph [0061], A single decoy virtual machine executing on the deception server 102 can therefore appear as hundreds of hosts when attackers discover machines using network discovery commands like "net view").
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to take the teaching of Vissamsetty and apply them on the teaching of Takemore as doing so would ensure that an attacker who tries to communicate with the acquired internet protocol (IP) address is successfully engaged with an engagement server. (Vissamsetty, see paragraph [0053]).

	As per claim 2, Takemore teaches the method of claim 1, wherein the deception network that is located at a reverse-side of the protected server comprises: one or more switches (Takemore, see paragraph [0045], A path switching section 82 transfers a received packet to the regular server 6, the decoy server 7 or the both on the basis of its destination).
Takemore doesn’t explicitly teach the decoy apparatus including the one or more decoy virtual machines.
In analogous art Vissamsetty teaches the decoy apparatus including the one or more decoy virtual machines (Vissamsetty, see paragraph [0061], A single decoy virtual machine executing on the deception server 102 can therefore appear as hundreds of hosts when attackers discover machines using network discovery commands like "net view").
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to take the teaching of Vissamsetty and apply them on the teaching of Takemore as doing so would ensure that an attacker who tries to communicate with the acquired internet protocol (IP) address is successfully engaged with an engagement server. (Vissamsetty, see paragraph [0053]).
	
	As per claim 7, Takemore-Vissamsetty the method of claim 1, wherein converting the packet and transmitting the converted packet to the decoy apparatus of the deception network is configured to change a network address of the packet to a network address of the deception network and transmit the packet, the network address of which is changed, to the decoy apparatus (Takemore, see paragraph [0032], The communication application 43 accesses the decoy region 42 designated by the directory [decoy] which has been registered in the access command. When succeeding in accessing, the communication application 43 creates a response command [success/decoy/doc] to return it back to the converting section 44. When the returned response command relates to the decoy region 42, the response rewriting section 442 of the converting section 44 rewrites [decoy] to [regular]. The response command is changed to [http. . . /regular/doc] so that it becomes the same as the response returned back to the innocent user 5 from the converting section 44 in FIG. 3. The intruders misunderstand that intrusion to the regular region 41 has been succeeded though they have intruded the decoy region 42).

	As per claim 8, Takemore-Vissamsetty teaches the method of claim 7, wherein a network band of the deception network has a same size as a network address band of the protected server. (Takemore, see paragraph [0039], such a configuration can be employed that all access commands whose IP addresses are the server 4, namely all access commands directed to the server 4, are rewritten such that their destinations are directed to the decoy region).

	As per claim 9, Takemore doesn’t explcity teaches the method of claim 7, wherein receiving the response packet is configured to receive the response packet for a service corresponding to the packet from the decoy virtual machine included in the decoy apparatus.
	In analogous art Vissamsetty teaches the method of claim 7, wherein receiving the response packet is configured to receive the response packet for a service corresponding to the packet from the decoy virtual machine included in the decoy apparatus (Vissamsetty, see paragraph [0063], routing 312 packets addressed to the IP addresses acquired at step 302 to the deception server 102, such as to a VM of the deception server 302 configured to receive packets addressed to a particular IP address acquired at step 302. As noted above, this may include performing NAT to address packets including an acquired 302 IP address to the deception server 102, such as to a particular VM executing on the deception server 102. The manner in which an attacker learns of the IP address may include accessing a connection table of an endpoint populated with the IP address according to the approach of FIG. 2 or finding the IP address in data generated according to step 310).
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to take the teaching of Vissamsetty and apply them on the teaching of Takemore as doing so would ensure that an attacker who tries to communicate with the acquired internet protocol (IP) address is successfully engaged with an engagement server. (Vissamsetty, see paragraph [0053]).

	As per claim 10, Takemore doesn’t explicitly teach the method of claim 9, wherein modifying the response packet and transmitting the modified response packet is configured to change a source address of the response packet, received from the decoy virtual machine, to a destination address of the packet received by the protected server and to transmit the response packet to the source from which the packet was transmitted.
	In analogous art Vissamsetty teaches the method of claim 9, wherein modifying the response packet and transmitting the modified response packet is configured to change a source address of the response packet, received from the decoy virtual machine, to a destination address of the packet received by the protected server and to transmit the response packet to the source from which the packet was transmitted (Vissamsetty, see paragraph [0063], routing 312 packets addressed to the IP addresses acquired at step 302 to the deception server 102, such as to a VM of the deception server 302 configured to receive packets addressed to a particular IP address acquired at step 302. As noted above, this may include performing NAT to address packets including an acquired 302 IP address to the deception server 102, such as to a particular VM executing on the deception server 102. The manner in which an attacker learns of the IP address may include accessing a connection table of an endpoint populated with the IP address according to the approach of FIG. 2 or finding the IP address in data generated according to step 310).
(Vissamsetty, see paragraph [0053]).

	As per claim 11, Takemore teaches a decoy apparatus, (Takemore, see paragraph [0009], [0010]) comprising:
 a bridge for receiving, from a protected server, a packet that is converted because the packet is determined not to be a target to be processed by the protected server; (Takemori, see paragraph [0032], On the other hand, as shown in FIG. 4, when an access command is one from an intruder, such a fact is detected at the monitoring section 47 to be notified to the converting section 44) and
 one or more decoy for receiving the converted packet from the bridge, generating a response packet as a reply to the converted packet, and transmitting the generated response packet to the protected server via the bridge (Takemori, see paragraph [0032], The destination rewriting section 41 of the converting section 44 rewrites directory [regular] designating the directory of the decoy region 41 contained in the access command [http. . . /regular/doc] to [decoy] designating the directory of the decoy region 42)
wherein the response packet is modified by the protected server and transmitted to a source from which the packet was transmitted (Takemore, see paragraph [0032], The response command is changed to [http. . . /regular/doc] so that it becomes the same as the response returned back to the innocent user 5 from the converting section 44 in FIG. 3. The intruders misunderstand that intrusion to the regular region 41 has been succeeded though they have intruded the decoy region 42).
Takemore doesn’t explicitly teach a decoy virtual machine.
(Vissamsetty, see paragraph [0061], A single decoy virtual machine executing on the deception server 102 can therefore appear as hundreds of hosts when attackers discover machines using network discovery commands like "net view").
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to take the teaching of Vissamsetty and apply them on the teaching of Takemore as doing so would ensure that an attacker who tries to communicate with the acquired internet protocol (IP) address is successfully engaged with an engagement server. (Vissamsetty, see paragraph [0053]).

As per claim 12, Takemore-Vissamsetty teaches the decoy apparatus of claim 11, wherein the decoy apparatus is included in a deception network located at a reverse-side of the protected server (Takemore, see paragraph [0045], A path switching section 82 transfers a received packet to the regular server 6, the decoy server 7 or the both on the basis of its destination).

As per claim 17, Takemore-Vissamsetty teaches the decoy apparatus of claim 12, wherein the converted packet is generated in such a way that the protected server changes a network address of the packet to a network address of the deception network. (Takemore, see paragraph [0032], The communication application 43 accesses the decoy region 42 designated by the directory [decoy] which has been registered in the access command. When succeeding in accessing, the communication application 43 creates a response command [success/decoy/doc] to return it back to the converting section 44. When the returned response command relates to the decoy region 42, the response rewriting section 442 of the converting section 44 rewrites [decoy] to [regular]. The response command is changed to [http. . . /regular/doc] so that it becomes the same as the response returned back to the innocent user 5 from the converting section 44 in FIG. 3. The intruders misunderstand that intrusion to the regular region 41 has been succeeded though they have intruded the decoy region 42).

As per claim 18, Takemore-Vissamsetty teaches the decoy apparatus of claim 17, wherein a network band of the deception network has a same size as a network address band of the protected server. (Takemore, see paragraph [0039], such a configuration can be employed that all access commands whose IP addresses are the server 4, namely all access commands directed to the server 4, are rewritten such that their destinations are directed to the decoy region).

As per claim 19, 
		[Rejection rational for claim 9 is applicable]. 

As per claim 20, 
		[Rejection rational for claim 9 is applicable]. 

Conclusion

		
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HERMON ASRES whose telephone number is (571)272-4257. The examiner can normally be reached Monday to Friday 9AM to 5PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Vivek Srivastava can be reached on (571)272-7304. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/HERMON ASRES/Primary Examiner, Art Unit 2449