DETAILED ACTION
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 2021-11-19 has been entered.

Response to Amendment
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This is in reply to papers filed on 2021-11-19. Claims 1-2, 4, 6-8, 10, 12-13 are pending, following Applicant's cancellation of claims 3, 5, 9, 11. Claims 1, 7, 13 is/are independent.
The rejection(s) of claims under 35 U.S.C. § 112 are withdrawn in view of Applicant’s amendments.

Response to Arguments
Applicant's arguments have been fully considered but they are not persuasive.
With respect to claim(s) 1 (see page(s) 6-7 of Applicant’s Remarks), Applicant argues that the prior art of record (in particular, U.S. Publication 20170223052 A1 to Stutz (hereinafter "Stutz '052") in view of U.S. Publication 20170019425 to Ettema et al. (hereinafter "Ettema '425") in view of U.S. Publication 20180375897 to Kawasaki et al. (hereinafter "Kawasaki '897")) does not disclose “when a second packet received from the first terminal destined for an external network of the first network, send the second packet without changing a MAC address of the second packet”.  However, Stutz '052 discloses that nodes have MAC addresses [Stutz '052 ¶ 0136, 0083] and further teaches allowing packets to pass from malicious nodes to external Internet addresses, rather than altering such packets to redirect them [Stutz '052 ¶ 0136, 0083].  Thus, the MAC addresses of such packets are unchanged.  For all these reasons, Applicant's argument is unpersuasive.
Applicant’s arguments with respect to the remaining claim(s) is/are based on Applicant’s arguments with respect to claim(s) 1 and have been considered as detailed above.

Information Disclosure Statement PTO-1449
The Information Disclosure Statement(s) submitted by applicant on 2021-10-13 has/have been considered. The submission is in compliance with the provisions of 37 CFR § 1.97. Form PTO-1449 signed and attached hereto.

Summary of Claim Rejections under 35 U.S.C. § 103
The following table summarizes the rejections set forth in detail below of the claims over the prior art.

Claim No.
Stutz '052 in view of Ettema '425 in view of Kawasaki '897 
1
[Wingdings font/0xFC]
2
[Wingdings font/0xFC]
3
[Wingdings font/0xFC]
4
[Wingdings font/0xFC]
5
[Wingdings font/0xFC]
6
[Wingdings font/0xFC]
7
[Wingdings font/0xFC]
8
[Wingdings font/0xFC]
9
[Wingdings font/0xFC]
10
[Wingdings font/0xFC]
11
[Wingdings font/0xFC]
12
[Wingdings font/0xFC]
13
[Wingdings font/0xFC]


Claim Rejections - 35 U.S.C. § 103
The following is a quotation of the appropriate paragraphs of AIA  35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of AIA  35 U.S.C. 103 that forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. § 103(a) are summarized as follows:
1.	Determining the scope and contents of the prior art.
2.	Ascertaining the differences between the prior art and the claims at issue.
3.	Resolving the level of ordinary skill in the pertinent art.
4.	Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claim(s)  1-2, 4, 6-8, 10, 12-13 is/are rejected under 35 U.S.C. § 103 as being unpatentable over U.S. Publication 20170223052 A1 to Stutz (hereinafter "Stutz '052") in view of U.S. Publication 20170019425 to Ettema et al. (hereinafter "Ettema '425") in view of U.S. Publication 20180375897 to Kawasaki et al. (hereinafter "Kawasaki '897"). Stutz '052 is prior art to the claims under 35 U.S.C. § 102(a)(2). Ettema '425 is prior art to the claims under 35 U.S.C. § 102(a)(1) and 35 U.S.C. § 102(a)(2). Kawasaki '897 is prior art to the claims under 35 U.S.C. § 102(a)(1) and 35 U.S.C. § 102(a)(2).
Stutz '052 discloses a malware inspection apparatus (honey network emulates defended network [Stutz '052 ¶ 0114, 0115, 0152])
Stutz '052 discloses one or more memories; one or more processors coupled to the one or more memories and the one or more processors configured to perform operations (processor(s), memory, computer readable media, storage, executable instructions [Stutz '052 ¶ 0081-0082])
Stutz '052 discloses identify a first terminal belonging to a first system which includes a first network, and a second terminal belonging to a first system (detects malware activity on first device and isolates first device [Stutz '052 ¶ 0058, 0136]; identifies second device at address targeted by malicious activity and redirects malicious activity to a node on the honey network [Stutz '052 ¶ 0097, 0117-0121])
Stutz '052 does not disclose identify a third terminal belonging to a second system, an Internet Protocol (IP) address of the second terminal and the IP address of the third terminal being a same, a Media Access Control (MAC) address of the second terminal and the MAC address of the third terminal being different
However, Stutz '052 discloses identify a third terminal belonging to a second system, an Internet Protocol (IP) address of the second terminal and the IP address of the third terminal being, a Media Access Control (MAC) address of the second terminal and the MAC address of the third terminal being different (redirects malicious activity to a node on the honey network [Stutz '052 ¶ 0117-0121, 0166-0169]; nodes have MAC addresses [Stutz '052 ¶ 0136])
Stutz '052 does not disclose when the first terminal belonging to a first system is infected with malware, in response to receiving, from the first terminal, a first packet destined for the second terminal belonging to the first system, change the MAC address of the first packet to the MAC address of a third terminal belonging to a second system, and send the changed first packet to the third terminal
However, Stutz '052 discloses when the first terminal belonging to a first system is infected with malware, in response to receiving, from the first terminal, a first packet destined for the second terminal belonging to the first system, change the address of the first packet to the address of a third terminal belonging to a second system, and send the changed first packet to the third terminal (detects malware activity on first device and isolates first device [Stutz '052 ¶ 0058, 0136]; identifies second device at address targeted by malicious activity and redirects malicious activity to a node on the honey network [Stutz '052 ¶ 0097, 0117-0121])
Stutz '052 discloses when a second packet received from the first terminal destined for an external network of the first network, send the second packet without changing a MAC address of the second packet (upon conviction, the WiFi access point may allow connection from the convicted network device but block all or a subset of network communication with the convicted network device, e.g. the WiFi access point may allow connection to the internet, but block communication with local network devices [Stutz '052 ¶ 0156]; nodes have MAC addresses [Stutz '052 ¶ 0136, 0083])
Further:
Ettema '425 discloses identify a third terminal belonging to a second system, an Internet Protocol (IP) address of the second terminal and the IP address of the third terminal being a same, a Media Access Control (MAC) address of the second terminal and the MAC address of the third terminal being different (creates honeynet with same IP addresses as defended network [Ettema '425 ¶ 0044, 0070])
It would have been obvious to a person having ordinary skill in the art (1) before the effective filing date of the claimed invention and (2) before the invention was made to have modified Stutz '052 with the emulated IP addresses of Ettema '425 to arrive at an apparatus, method, and product including:
identify a third terminal belonging to a second system, an Internet Protocol (IP) address of the second terminal and the IP address of the third terminal being a same, a Media Access Control (MAC) address of the second terminal and the MAC address of the third terminal being different
A person having ordinary skill in the art would have been motivated to combine them at least because Ettema '425 teaches that emulating the IP addresses of the defended nodes helps to prevent an attacker from discovering the presence of the honey net [Ettema '425 ¶ 0044, 0070].
Further:
Kawasaki '897 discloses when the first terminal belonging to a first system is infected with malware, in response to receiving, from the first terminal, a first packet destined for the second terminal belonging to the first system, change the MAC address of the first packet to the MAC address of a third terminal belonging to a second system, and send the changed first packet to the third terminal (forwards malicious traffic to honey network node via MAC address change [Kawasaki '897 ¶ 0115])
It would have been obvious to a person having ordinary skill in the art (1) before the effective filing date of the claimed invention and (2) before the invention was made to have modified Stutz '052 with the MAC address based forwarding of Kawasaki '897 to arrive at an apparatus, method, and product including:
when the first terminal belonging to a first system is infected with malware, in response to receiving, from the first terminal, a first packet destined for the second terminal belonging to the first system, change the MAC address of the first packet to the MAC address of a third terminal belonging to a second system, and send the changed first packet to the third terminal
A person having ordinary skill in the art would have been motivated to combine them at least because the MAC address based forwarding of Kawasaki '897 would provide a quick and efficient method of forwarding the malicious traffic to the honey net of Stutz '052 without disturbing the IP addresses being attacked and without the complicated overhead of tunneling protocols.
Per claim 2 (dependent on claim 1):
Stutz '052 in view of Ettema '425 in view of Kawasaki '897 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference
Stutz '052 discloses the one or more processors configured to when the first terminal is infected with malware, in response to receiving, from the third terminal or a fourth terminal belonging to the second system, a second packet destined for the first terminal, change a source address of the second packet to an address of a fifth terminal belonging to the first system, and send the changed second packet to the first terminal (honeypot network service may offer content, including files and data, to an attacker [Stutz '052 ¶ 0110]; honeypot network service is be presented for a predetermined period of time, and during that time, an attacker may conduct network service discovery, and then return after evaluating results of network service discovery to plan an attack [Stutz '052 ¶ 0122]; if a device attempts to authenticate to the honeypot network service or attempts to exploit the honeypot network service, a determination of compromise of the initiating device is made [Stutz '052 ¶ 0124]; based on information communicated by the network monitor, the server determines what addresses to present the honeypot network services to the suspected device by configuring its network interfaces, NAT, or both, and then sends to the suspect node response packets seeming to come from the selected presentation addresses [Stutz '052 ¶ 0153])
Per claim 4 (dependent on claim 1):
Stutz '052 in view of Ettema '425 in view of Kawasaki '897 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference
Stutz '052 discloses the second system is a system that mimics the first system, and the third terminal is a terminal that mimics the second terminal (honeypot network service has characteristics to make it an attractive target, and it can have known vulnerabilities, security flaws, and offer content (files or data) to attract an attacker [Stutz '052 ¶ 0110]; honeypot gives the appearance of an application server with a particular operating system and network service [Stutz '052 ¶ 0115]; a set of one or more honeypot network services may simulate a type of network device, including an application server, a user device, etc. [Stutz '052 ¶ 0112])
Per claim 6 (dependent on claim 1):
Stutz '052 in view of Ettema '425 in view of Kawasaki '897 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference
Stutz '052 discloses communication of a packet between the first system and the second system is inhibited until infection by malware is detected (a device determined to be compromised may be isolated from the network [Stutz '052 ¶ 0136]).
Per claim 7 (independent):
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 1 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.
Per claim 8 (dependent on claim 7):
Stutz '052 in view of Ettema '425 in view of Kawasaki '897 discloses the elements detailed in the rejection of claim 7 above, incorporated herein by reference
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 2 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.
Per claim 10 (dependent on claim 7):
Stutz '052 in view of Ettema '425 in view of Kawasaki '897 discloses the elements detailed in the rejection of claim 7 above, incorporated herein by reference
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 4 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.
Per claim 12 (dependent on claim 7):
Stutz '052 in view of Ettema '425 in view of Kawasaki '897 discloses the elements detailed in the rejection of claim 7 above, incorporated herein by reference
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 6 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.
Per claim 13 (independent):
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 1 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to THEODORE C PARSONS whose telephone number is (571)270-1475.  The examiner can normally be reached on MTWRF 7:30-4:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung Kim can be reached on (571) 272-3804.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/THEODORE C PARSONS/Primary Examiner, Art Unit 2494