DETAILED ACTION
Claims 1-20 are pending in this action.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Interview Request
Examiner contacted Applicant’s representative to discuss the novelty of the invention but no interview was conducted before this action. Examiner therefore invites Applicant’s representative to set up an interview at his or her convenience to discuss this rejection and claim amendments to further expedite prosecution.

Claim Objections
Claim 16 is objected to because of the following informalities: Claim 16 refers to “the database” which is defined in claim 15 even though claim 16 depends on claim 14. Appropriate correction is required.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 8 and 9 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. The claims do not fall within at least one of the four categories of patent eligible subject matter because the claimed system claim can be interpreted to be software per se. See MPEP 2106.03. The “storage resource” is not defined in the specification to have hardware and the software component is explicitly software. Examiner suggests including a hardware processor and hardware memory that implements the steps of features described in claim 8.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 10-14 and 18 are rejected under 35 U.S.C. 102(a)(1) and 102(a)(2) as being anticipated by Chari et al. (US PGPUB No. 2006/0161982) [hereinafter “Chari”].

As per claim 10, Chari teaches a computer-implemented method comprising: receiving attacker profile information ([0031], monitoring and analyzing attack to generate an “attack signature” which can be used for subsequent attack identification); monitoring traffic to a network address; comparing the monitored traffic to the attacker profile see also ([0034], predefined honeypot plans would be used to configure honeypots too).

As per claim 11, Chari teaches the method of claim 10, and further comprising the step of directing traffic to the computer decoy ([0025], creating virtual copies of the requested resources which appear to attacker as the actual resources, i.e. attacker is directed to interact with the dynamic honeypot with the virtual resources).

As per claim 12, Chari teaches the method of claim 10, further comprising the step of storing the attacker profile information in a computer-based resource ([0031], “attack signature” are stored for subsequent attack identification).

As per claim 13, Chari teaches the method according to claim 10, wherein the attacker profile information is generated using network traffic data provided by a plurality of users ([0031], monitoring and analyzing attack to generate an “attack signature” which can be used for subsequent attack identification which are collected from network communications from clients/users see [0026]).

As per claim 14, Chari teaches a system, comprising: one or more processors; and memory storing instructions executable by the one or more processors to cause the system to: determine an attacker profile based on network traffic data ([0031], monitoring and analyzing potential attack to generate an “attack signature” which can be used for subsequent attack identification wherein the potential attack comprises network traffic see [0026], monitored requests made by clients across network); determine a configuration of a honeypot or honeynet based on the attacker profile ([0034], predefined honeypot plans selected based on a particular attack); configure a honeypot or honeynet according to the determined configuration ([0031], creating a dynamic honeypot based on the “targets of interest” in the system where the dynamic honeypot includes customized virtual copies of requested resources) see also ([0034], predefined honeypot plans used to create dynamic honeypots); and cause a request associated with the attacker profile to be forwarded to the configured honeypot or honeynet ([0025], creating virtual copies of the requested resources which appear to attacker as the actual resources, i.e. attacker is directed, i.e. forwarded, to interact with the dynamic honeypot with the virtual resources – attackers are identified via attack signatures see [0031]).

As per claim 18, Chari teaches the system according to claim 14, wherein the instructions further cause the system to configure different honeypots or honeynets for different attacker profiles ([0034], predefined honeypot plans selected based on a particular attack which are identified via attack signatures see [0031]).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-4 are rejected under 35 U.S.C. 103 as being unpatentable over Chari in view of Giokas (US PGPUB No. 2015/0033340).

As per claim 1, Chari teaches a computer-implemented security method comprising: receiving, processing and logging network traffic data received from a plurality of users ([0026], monitoring communications over network from clients to applications in the system); determining an attacker profile from the network traffic data ([0031], monitoring and analyzing attack to generate an “attack signature” which can be used for subsequent attack identification); determining a configuration of a honeypot or honeynet (Claim interpretation - alternative language therefore only “honeypot” is required – instant application at [0005] as simply one or more honeypots which is taught in Chari at [0028]) based on the attacker profile ([0031], creating a dynamic honeypot based on the “targets of interest” in the system where the dynamic honeypot includes customized virtual copies of requested resources) see also ([0034], predefined honeypot plans selected based on a particular attack).
Chari does not explicitly teach upon receipt of a request from a user of the plurality of users, providing the determined attacker profile and configuration to the user. Giokas teaches upon receipt of a request from a user of the plurality of users, providing the determined attacker profile and configuration to the user ([0110], whereby a main process in a protected system can listen and request for new or updated vulnerabilities which are stored in repositories of the network – in combination, these vulnerabilities would include the attack signatures and customized honeypot configurations taught in Chari) ([0029], the user is ultimately the one who requests and uses the vulnerability information).
	At the time of filing, it would have been obvious to one of ordinary skill in the art to combine Chari with the teachings of Giokas, upon receipt of a request from a user of the plurality of users, providing the determined attacker profile and configuration to the user, to allow for a need based efficient distribution of attack signatures and remedies including honeypot plans.

As per claim 2, the combination of Chari and Giokas teaches the method of claim 1, wherein the honeypot or honeynet configuration is based on network traffic data of the see also (Giokas; [0029], vulnerability information available to users) (Claim interpretation – a “plurality of user” is interpreted as all user on a network see [0012] of the instant application – based off [0013]-[0016] of the instant application, there is no reason to interpret “plurality of users” in any other way) (Examiner suggests including that the users are registered or authorized on the network as recited in [0015]).

As per claim 3, the combination of Chari and Giokas teaches the method of claim 1, and comprising the step of using a computer-based resource to store: the network traffic data (Chari; [0031], attack statistics are considered network traffic); the attacker profile (Chari; [0031], attack signatures and statistics are collected and saved for subsequent attack identification, i.e. they are stored); the honeypot or honeynet configuration (Chari; Claim 15, storing PVE and honeypot plans); and/or (Claim interpretation – “and/or” will be interpreted as “or”) data relating to the users (Claim interpretation – alternative feature so not given patentable weight however see Abstract of Ayyagari in pertinent art below, teaching collecting user behavior information to create user profiles in crafting honeypot environments).

As per claim 4, the combination of Chari and Giokas teaches the method according to claim 1, and comprising the step of directing network traffic to a honeypot or honeynet generated in accordance with, or using, the determined configuration (Chari; [0031], creating a dynamic honeypot based on the “targets of interest” in the system where the see also (Chari; [0034], predefined honeypot plans selected based on a particular attack).

Claims 5-9 are rejected under 35 U.S.C. 103 as being unpatentable over Chari and Giokas in view of Legrand et al. (US PGPUB No. 2010/0274892) [hereinafter “Legrand”].

As per claim 5, the combination of Chari and Giokas teaches the method according to claim 1.
The combination of Chari and Giokas does not explicitly teach wherein the plurality of users comprises users who are designated as authorised or legitimate users. Legrand teaches wherein the plurality of users comprises users who are designated as authorised or legitimate users ([0248], authentication of a user based on username/password) ([0161], once inside the system, i.e. authenticated, user is considered legitimate unless monitored activity deviates from standard user profile).
At the time of filing, it would have been obvious to one of ordinary skill in the art to combine Chari and Giokas with the teachings of Legrand, wherein the plurality of users comprises users who are designated as authorised or legitimate users, to further assist in determining whether abnormal behavior is from a legitimate source or from an attack source which would create a system with less false-positive results.

As per claim 6, the combination of Chari and Giokas teaches the method according to claim 1.

At the time of filing, it would have been obvious to one of ordinary skill in the art to combine Chari and Giokas with the teachings of Legrand, receiving a request from a user, and determining whether the request is from an authorised user or an attacker, to further assist in determining whether abnormal behavior is from a legitimate source or from an attack source which would create a system with less false-positive results.

As per claim 7, the combination of Chari and Giokas teaches the method according to claim 1.
The combination of Chari and Giokas does not explicitly teach determining a profile for one or more of the users in the plurality of users. Legrand teaches determining a profile for one or more of the users in the plurality of users ([0168], users are labeled “user”, “administrator” or “attacker” based on profiles see [0162]-[0164] – they are further monitored based on the type of activities classified in the profiles as normal/abnormal see id.).
At the time of filing, it would have been obvious to one of ordinary skill in the art to combine Chari and Giokas with the teachings of Legrand, determining a profile for one or more of the users in the plurality of users, to further assist in determining whether 

As per claim 8, the combination of Chari and Giokas teaches the method of claim 1, as well as a computer implemented security system arranged to implement the method of claim 1, comprising: a computer-based storage resource, arranged to store network traffic data provided by a plurality of users of the system ([0031], collecting data and attack statistics - considered network traffic); and a software component arranged to provide a honeypot or honeynet configuration (Claim interpretation - alternative language therefore only “honeypot” is required – furthermore honeynet is defined in the specification of the instant application at [0005] as simply one or more honeypots which is taught in Chari at [0028]), wherein the configuration is based upon an attacker profile that based upon, or derived using, the network traffic data  ([0031], creating a dynamic honeypot based on the “targets of interest” in the system where the dynamic honeypot includes customized virtual copies of requested resources) see also ([0034], predefined honeypot plans selected based on a particular attack); and a software component arranged to provide a honeypot or honeynet configurations to one or more users upon request (Giokas; [0110], whereby a main process in a protected system can listen and request for new or updated vulnerabilities, i.e. security configurations, which are stored in repositories of the network – in combination, these vulnerabilities would include the attack signatures and customized honeypot configurations taught in Chari) (Giokas; [0029], the user is ultimately the one who requests and uses the vulnerability information).

At the time of filing, it would have been obvious to one of ordinary skill in the art to combine Chari and Giokas with the teachings of Legrand, legitimate users, to further assist in determining whether abnormal behavior is from a legitimate source or from an attack source which would create a system with less false-positive results.

As per claim 9, the combination of Chari, Giokas and Legrand teaches the system according to claim 8, wherein the storage resource is also arranged to store: profile(s) relating to one or more of the plurality of users (Legrand; [0162], profiles related to users which can be customized for instances of specific users see [0168]); profile(s) relating to one or more attackers or groups or types of attacker (Chari; [0031], “attack signature” are stored for subsequent attack identification) see also (Legrand; [0164], profiles related to attackers); and/or honeypot/honeynet configuration parameters (Chari; [0034], predefined honeypot plans selected based on a particular attack).

Claims 15-17 are rejected under 35 U.S.C. 103 as being unpatentable over Chari in view of Wang et al. (US PGPUB No. 2013/0145465) [hereinafter “Wang”].

As per claim 15, Chari teaches the system according to claim 14.
Claim interpretation - multilayer deception system with multiple honey servers and computers interpreted to be a “honeynet”) (Wang; Abstract, generating a honey database on a honey server or honey computer see also [0046]) (Claim interpretation - multilayer deception system with multiple honey servers and computers interpreted to be a “honeynet” see specification of instant application at [0006]).
At the time of filing, it would have been obvious to one of ordinary skill in the art to combine Chari with the teachings of Wang, wherein the instructions further cause the system to generate a database for the honeypot or honeynet, to lure and analyze attacker behavior without jeopardizing sensitive data.

As per claim 16, Chari teaches the system according to claim 14.
Chari does not explicitly teach wherein the database is an altered or false database. Wang teaches wherein the database is an altered or false database ([0046], honey database contain completely fake databases or individual components, i.e. tables, rows, columns, etc.).
At the time of filing, it would have been obvious to one of ordinary skill in the art to combine Chari with the teachings of Wang, wherein the database is an altered or false database. Wang teaches wherein the database is an altered or false database, to lure and analyze attacker behavior without jeopardizing sensitive data.

Claim 19 is rejected under 35 U.S.C. 103 as being unpatentable over Chari in view of Ahmadzadeh et al. (US PGPUB No. 2017/0134405) [hereinafter “Ahmadzadeh”].

As per claim 19, Chari teaches the system according to claim 14.
Chari does not explicitly teach wherein the instructions cause the system to determine the configuration of the honeypot or honeynet using a machine learning model. Ahmadzadeh teaches wherein the instructions cause the system to determine the configuration of the honeypot or honeynet using a machine learning model ([0046]-[0047], honeypot system uses machine learning and prediction modeling to determine potential attacks and crafting triggering conditions).
At the time of filing, it would have been obvious to one of ordinary skill in the art to combine Chari with the teachings of Ahmadzadeh, wherein the instructions cause the system to determine the configuration of the honeypot or honeynet using a machine learning model, to allow for an adaptive and dynamic approach to recognizing and handling attack behavior.

Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Chari and Ahmadzadeh in view of Rounthwaite et al. (US PGPUB No. 2004/0177110) [hereinafter “Rounthwaite”].

As per claim 20, the combination of Chari and Ahmadzadeh teaches the system according to claim 19.
The combination of Chari and Ahmadzadeh does not explicitly teach wherein the machine learning model is a neural network. Rounthwaite teaches wherein the machine learning model is a neural network (Claim interpretation – it is well known that machine learning includes neural network) ([0011], defining machine learning systems to include neural networks).
At the time of filing, it would have been obvious to one of ordinary skill in the art to combine Chari and Ahmadzadeh with the teachings of Rounthwaite, wherein the machine learning model is a neural network, to allow for an adaptive and dynamic approach to recognizing and handling attack behavior.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Wei et al. (CN 101087196 A) discloses formulating attack characteristics and threat levels. El-Moussa et al. (US PGPUB No. 2010/0122342) discloses determining legitimate users. Bufford et al. (CN 102546621 A) discloses honeypot profiles. Hazzani et al. (EP 2 657 880 A1) and Ayyagari et al. (US PGPUB No. 2013/0305357) disclose activity/baseline profiles of users. Tian et al. ("A Study of .

Any inquiry concerning this communication or earlier communications from the examiner should be directed to PETER C SHAW whose telephone number is (571)270-7179. The examiner can normally be reached Max Flex.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin, can be reached on 571-272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and 





/PETER C SHAW/Primary Examiner, Art Unit 2493
January 16, 2022