Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
This office action is in response to the communication filed on 4/7/2021.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 2/14/22 has been entered.
 
Response to Arguments
The examiner has considered the applicants’ arguments and does not find them persuasive.  
The applicants argue that Gilbert and Hebert do not teach the claims, as amended, because they do not teach “that the response is transmitted along the same pathway, albeit with modified performance”.  The examiner notes that this is not what is claimed.  Rather the claim states “modifying performance of a communication channel” and then “transmitting, by the modified communication channel, a response…”.  There is nothing regarding the modified communication channel having the same pathway.  As such, the argument is moot and not persuasive.

Regarding claim 2, the combination of Gilbert and Hebert very clearly teaches forwarding the communications to the decoy server such that the decoy server can interact with the attacker via responding to the communications.
As such, the examiner does not find the arguments and amendments persuasive to overcome the previously relied upon prior art.   
All objections and rejections not set forth below are withdrawn.
Claims 1-20 have been examined.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Gilbert (US Patent Application Publication Number 2007/0226796), and further in view of Hebert (US Patent Application Publication Number 2013/0160079).


Regarding claim 1, Gilbert disclosed a computer-implemented method, comprising: receiving a first communication associated with a first type of attack (Gilbert Fig. 4 and Paragraphs 0067-0068 for example); receiving a second communication associated with a second type of attack, the second type of attack different from the first type of attack (Gilbert Fig. 4 and Paragraphs 0067-0068 for example); determining, based at least on the first type of attack and second type of attack, an attack pattern (Gilbert Fig. 4 and Paragraphs 0067-0068 for example); determining that a received third communication is indicative of a behavior that matches the attack pattern (Gilbert Figs. 12-13 and Paragraphs 0130-0134); updating a characteristic of the determined attack pattern to be associated with the behavior indicated by the third communication (Gilbert Figs. 12-13 and Paragraphs 0130-0134, also see claim 16 for example); and transmitting an alert associated with the updated attack pattern to a host computer system (Gilbert Figs. 12-13 and Paragraphs 0130-0134), but Gilbert did not explicitly teach modifying performance of a communication channel that received one or more of the first communication, 
Hebert taught a system which upon detection of suspicious behavior at a host system, the system will alert the host system to reroute the attack communications to a decoy server, and the decoy server then communicating with the attack source in response to the forwarded attack communications (Hebert Fig. 4 and Paragraphs 0064-0069 for example).
It would have been obvious to the person having ordinary skill in the art before the effective filing date of the invention to have employed the teachings of Hebert in the attack pattern detection and updating the system of Gilbert by alerting host systems under attack such that the host system reroutes the attack communications to a decoy server for further deception analysis, including the decoy server interacting with the attacker in response to the forwarded attack communications. This would have been obvious because the person having ordinary skill in the art would have been motivated to waste the attacker’s time, while also collecting details regarding the attacks which may enable improved performance in future attempts to detect and respond to attacks.

Regarding claim 7, Gilbert disclosed a system comprising: at least one processor; and a memory comprising instructions that, in response to execution by the at least one processor, cause the system to at least: determine an attack pattern associated with at least a first communication indicative of a first attack type and a second communication indicative of a second attack type (Gilbert Fig. 4 and Paragraphs 0067-0068 for example); determine that a received third communication indicative of one or more behaviors match the attack pattern 
Hebert taught a system which upon detection of suspicious behavior at a host system, the system will alert the host system to reroute the attack communications to a decoy server, and the decoy server then communicating with the attack source in response to the forwarded attack communications (Hebert Fig. 4 and Paragraphs 0064-0069 for example).
It would have been obvious to the person having ordinary skill in the art before the effective filing date of the invention to have employed the teachings of Hebert in the attack pattern detection and updating the system of Gilbert by alerting host systems under attack such that the host system reroutes the attack communications to a decoy server for further deception analysis, including the decoy server interacting with the attacker in response to the forwarded attack communications. This would have been obvious because the person having ordinary skill in the art would have been motivated to waste the attacker’s time, while also collecting details regarding the attacks which may enable improved performance in future attempts to detect and respond to attacks.
Regarding claim 14, Gilbert disclosed a non-transitory computer-readable storage medium comprising executable instructions that, in response to execution by one or more 
Hebert taught a system which upon detection of suspicious behavior at a host system, the system will alert the host system to reroute the attack communications to a decoy server, and the decoy server then communicating with the attack source in response to the forwarded attack communications (Hebert Fig. 4 and Paragraphs 0064-0069 for example).
It would have been obvious to the person having ordinary skill in the art before the effective filing date of the invention to have employed the teachings of Hebert in the attack pattern detection and updating the system of Gilbert by alerting host systems under attack such that the host system reroutes the attack communications to a decoy server for further deception analysis, including the decoy server interacting with the attacker in response to the forwarded 
Regarding claim 2, Gilbert and Hebert taught determining that at least one of the first communication, second communication, or the third communication is indicative of a suspicious behavior (Gilbert Fig. 4 and Paragraphs 0067-0068, and 0130-0134 and Hebert Paragraphs 0064-0069 for example); and generating the response to the one or more of the first communication, the second communication, and the third communication based on at least one of the updated attack pattern or the suspicious behavior (Hebert Paragraph 0062 for example).

Regarding claim 3, Gilbert and Hebert taught that determining the attack pattern is based at least in part on one or more received communications associated with the first type of attack, and based at least in part on a weighting value associated with the type of attack (Gilbert Figs. 12-13 and Paragraph 0131 for example).
Regarding claim 4, Gilbert and Hebert taught receiving identifying information of one or more attackers associated with at least the first communication and the second communication (Gilbert Paragraphs 0067-0068 and 0071 for example); and determining that the received third communication matches the attack pattern by at least matching the received identifying information with additional identifying information associated with the third communication (Gilbert Paragraphs 0067-0068 and 0071 for example). 

Regarding claim 6, Gilbert and Hebert taught that at least one of the first communication, second communication, or the third communication is associated with one or more connection requests (Gilbert Fig. 4 and Paragraphs 0067-0068 for example). 
Regarding claim 8, Gilbert and Hebert taught that the instructions, in response to execution by the at least one processor, further cause the system to identify one or more attackers associated with at least the one or more behaviors (Gilbert Paragraphs 0009 and 0071 for example). 
Regarding claim 9, Gilbert and Hebert taught that the instructions, in response to execution by the at least one processor, further cause the system to determine that the one or more behaviors match the attack pattern based on a common identifier of one or more attackers associated with the attack pattern and the one or more behaviors (Gilbert Paragraphs 0067-0068 and 0071 for example). 
Regarding claim 10, Gilbert and Hebert taught that the notification is a security alert based at least in part on the attack pattern (Gilbert Figs. 12-13 and Paragraphs 0130-0134). 
Regarding claim 11, Gilbert and Hebert taught that the instructions, in response to execution by the at least one processor, further cause the system to determine potential risk of an attack behavior based at least on an evaluation of the attack behavior relative to one or more tracked behaviors (Gilbert Figs. 12-13 and Paragraphs 0130-0134). 

Regarding claim 13, Gilbert and Hebert taught to communicate with a suspected attacker associated with the determined attack pattern (Hebert Fig. 4 and Paragraphs 0064-0069 for example). 
Regarding claim 15, Gilbert and Hebert taught instructions that, in response to execution by the one or more processors, cause the computer system to at least associate the attack pattern with an identifying characteristic of one or more attackers (Gilbert Paragraphs 0009 and 0071 for example).
Regarding claim 16, Gilbert and Hebert taught that the attack pattern is generated based at least in part on a plurality of previously recognized attack patterns (Gilbert Figs. 12-13 and Paragraphs 0130-0134). 
Regarding claim 17, Gilbert and Hebert taught that the second communication is determined to be associated with the second attack type based at least in part on receiving the second communication more than a threshold number of times (Gilbert Fig. 4 and Paragraphs 0067-0068 for example). 
Regarding claim 18, Gilbert and Hebert taught to identify one or more attacker elements associated with the attack pattern (Gilbert Fig. 4 and Paragraphs 0067-0068 for example). 
Regarding claim 19, Gilbert and Hebert taught to obtain information about software associated with at least one of the first attack type and the second attack type (Hebert Paragraphs 0019, 0023, 0028, and 0035 for example).

Conclusion
Claims 1-20 have been rejected.
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
US 7,383,577 describes a system which detects an intruder in a communication channel and will modify the communication channel in order to protect against the detected intruder. 

All claims are either identical to or patentably indistinct from claims in the application prior to the entry of the submission under 37 CFR 1.114 (that is, restriction would not be proper) and all claims could have been finally rejected on the grounds and art of record in the next Office action if they had been entered in the application prior to entry under 37 CFR 1.114. Accordingly, THIS ACTION IS MADE FINAL even though it is a first action after the filing of a request for continued examination and the submission under 37 CFR 1.114.  See MPEP § 706.07(b). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after 
 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MATTHEW T HENNING whose telephone number is (571)272-3790. The examiner can normally be reached Monday-Thursday 9AM-5PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on (571)272-3972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) 





/MATTHEW T HENNING/Primary Examiner, Art Unit 2491