Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions. 
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. 

DETAILED ACTION
Claims 1-20 are pending in this office action. 

Priority
No foreign priority is claimed.


Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claim 9 is rejected under 35 U.S.C. 112(b) or pre-AIA  35 U.S.C. 112, second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which applicant regards as the invention.
For claim 9, the specification does not disclose sufficient description with respect to the limitation - “wherein the directory enumeration security application comprises rewrite rules for the file paths on the web server layer, wherein the deploying the first page is performed by the directory enumeration security application using the rewrite rules”, - in which, the definition of ‘rewrite rules’ is not disclosed such that a reasonable clarity may be imparted to the limitation interpretation. As such the limitation, and therefore the claim, are rendered indefinite. The limitation involving ‘rewrite rules’ will be construed as configuration or reconfiguration of the system with respect to setting up of honeypot or response content pages.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Aharoni et al. (US 2020/0089876 A1, hereinafter Aharoni), in view of Rafalovich et al. (US 2009/0328216 A1, Rafalovich hereinafter).
For claim 1, Aharoni teaches a system comprising: a non-transitory memory; and one or more hardware processors coupled to the non-transitory memory and configured to read instructions from the non-transitory memory (para 0012) to cause the system to perform operations comprising: detecting a directory enumeration attempt by a computing device within an internal network associated with the system, wherein the directory enumeration attempt is associated with accessing a directory of files paths for the internal network (para 0007, 0015, 0071, 0080 - directory enumeration or listing event detection associated with directory paths or locations);
deploying an entry at a first file path from the directory of file paths within the internal network, wherein the first file path previously returned a directory specific status code indicating the directory is protected/restricted, and wherein the entry comprises one of a valid page status code or a redirect page status code at the first file path (para 0071-0073 - injecting or deploying fake start or end entries corresponding to the directory status received wherein the directory is deemed protected/restricted, and wherein the entry redirects to a fake or spoofed directory entry); 
detecting a scan of the first page by the computing device using the first file path; and returning the one of the valid page status code or the redirect page status code to the computing device based on the detecting the scan (para 0070-0073, 0080 - directory enumeration scan or listing event, and injecting or deploying fake start or end entries corresponding to the directory status received in response to the scan event, and wherein the entry redirects to a fake or spoofed directory entry).
Although Aharoni discloses presenting fake honeypot entries in response to directory scan events, wherein it would be obvious to incorporate any technique such as presenting of a page as part of presenting the above entry, Aharoni does not appear to explicitly teach, however Rafalovich  teaches deploying a first page (first content) at a first resource location within the internal network, wherein the first content (resource location access) previously returned an invalid content status code, and wherein the first page comprises one of a valid content status code or a redirect content status code at the first file path, and detecting a scan of the first resource or user content by the computing device using the first file path; and returning the one of the valid content status code or the redirect content status code to the computing device based on the detecting the scan (Fig. 3; para 0008, 0012, 0031-0036, 0055 - content or a page with specific user information stored as the first bait or honeypot location, wherein the request to a baited resource (scan) raises an alert or a status indication, which is responded to, by availing the honeypotted resource contents as a valid content availability status). Based on Aharoni in view of Rafalovich, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to utilize teachings of Rafalovich in the system of Aharoni, in order to incorporate various content presentation methods that are very well-known in the art such as by presenting content page in response to a malicious resource scan request, thereby integrating the same with various attack mitigation mechanisms such as utilization of honeypot-based environments that make the system more secure.

For claim 2, Aharoni in view of Rafalovich teaches the claimed subject matter as discussed above. The combination of Aharoni and Rafalovich further teaches wherein the first page further comprises a data logging operation when the first page returns the valid page status code, and wherein the data logging operation comprises at least one of an IP address logger, device identifier logger, or a login interface for a user identifier (Aharoni - para 0101-0102, 0109 - logged device attributes and login interface, when a spoofed or honeypotted page is made available as a valid status for the scan request; Rafalovich - Fig. 3; para 0008, 0012, 0031-0036, 0055 - content or a page with specific user information stored as the first bait or honeypot location).

For claim 3, Aharoni in view of Rafalovich teaches the claimed subject matter as discussed above. The combination of Aharoni and Rafalovich further teaches the system of claim 2, wherein the operations further comprise: detecting a navigation to the first page; and logging information comprising at least one of an IP address, a device identifier, or the user identifier using the data logging operation (Aharoni - para 0070-0073, 0080 - directory enumeration scan or listing event corresponding to the file location; para 0101-0102, 0109 - logging of device attributes and login interface; Rafalovich - para 0008, 0012, 0031-0036, 0055 - content or a page with specific user information).

For claim 4, Aharoni in view of Rafalovich teaches the claimed subject matter as discussed above. The combination of Aharoni and Rafalovich further teaches the system of claim 3, wherein the operations further comprise: maintaining the first page at the first file path for a time period; detecting an additional navigation to the first page during the time period (Aharoni - para 0012, 0045, 0070-0073, 0080 - directory enumeration scan or listing events corresponding to the file location and detected at  specific times; Rafalovich - para 0008, 0012, 0031-0036, 0055 - content or a page with specific user information); logging additional information from the additional navigation using the data logging operation; and outputting a log history based on the logging the information and the additional information (Aharoni - para 0080, 0101-0102, 0109 - logging of device attributes and alerting with logs).

For claim 5, Aharoni in view of Rafalovich teaches the claimed subject matter as discussed above. The combination of Aharoni and Rafalovich further teaches wherein the first content further comprises a modified byte size when the first content (page) returns the one of the valid page status code or the redirect page status code (Aharoni - para 0070-0073, 0080 - directory enumeration scan or listing event, and injecting or deploying fake start or end entries corresponding to the directory status received in response to the scan event, and wherein the entry redirects to a fake or spoofed directory entry, which constitutes different words or attributes that would be different in byte sizes; Rafalovich - para 0008, 0012, 0031-0036, 0055 - content or a page with specific user information).

For claim 6, Aharoni in view of Rafalovich teaches the claimed subject matter as discussed above. The combination of Aharoni and Rafalovich further teaches the system of claim 5, wherein the first content (page) further comprises a modified page body having a page message when the first page returns the one of the valid page status code or the redirect page status code (Aharoni - para 0036, 0045, 0054, 0070-0073, 0080 - entry redirects to a fake or spoofed entries of set sizes, which constitutes different words or attributes that would be different in byte sizes, wherein the redirected content is made available upon detecting directory enumeration scan or listing events; Rafalovich - para 0008, 0012, 0031-0036, 0055 - content or a page with specific user information).

For claim 7, Aharoni in view of Rafalovich teaches the claimed subject matter as discussed above. The combination of Aharoni and Rafalovich further teaches the system of claim 5, wherein the modified byte size comprises one of a randomized byte size or a set byte size in place of a standard byte size for an unavailable page within the directory (Aharoni - para 0036, 0045, 0054, 0070-0073, 0080 - entry redirects to a fake or spoofed entries of set sizes, which constitutes different words or attributes that would be different in byte sizes, wherein the content is made available upon detecting directory enumeration scan or listing events; Fig. 3; para 0008, 0012, 0031-0036, 0055 - content or a page with specific user information stored as the first bait or honeypot location, wherein the request to a baited resource (scan) raises an alert or a status indication, which is responded to, by availing the honeypotted resource contents as a valid content availability status; Rafalovich - para 0008, 0012, 0031-0036, 0055 - content or a page with specific user information).

For claim 8, Aharoni in view of Rafalovich teaches the claimed subject matter as discussed above. Aharoni further teaches wherein the first content page is deployed as a static individual content within a directory structure for the directory of the file paths in the internal network (Aharoni - para 0071-0073 - injecting or deploying fake start or end entries corresponding to the directory status received wherein the directory is deemed protected/restricted, and wherein the entry redirects to a fake or spoofed directory entry). Aharoni does not appear to explicitly teach, however Rafalovich teaches wherein the first page is deployed as a static individual page within a directory structure web server layer in the internal network (para 0029, 0050 - website and underlying web server involved in the process of providing predetermined or static honeypot content pages).

For claim 9, Aharoni in view of Rafalovich teaches the claimed subject matter as discussed above. Aharoni further teaches the system of claim 8 wherein prior to the deploying the first content (files or pages), the operations further comprise: executing a directory enumeration security application to protect against the directory enumeration by the computing device (Aharoni - para 0054, 0070-0072 - endpoint security provided by security application/process that detects scan attempts), wherein the directory enumeration security application comprises rewrite rules for the file paths in the directory structure, wherein the deploying the first content is performed by the directory enumeration security application using the rewrite rules (Aharoni - para 0007, 0015, 0036, 0043-0044, 0071, 0080 - directory enumeration or listing event detection associated with directory paths or locations, wherein the rewrite or configuration steps are performed based on types of attributes that are desired to be setup in honeypots).
Aharoni does not appear to explicitly teach, however Rafalovich teaches wherein the security application comprises configuration process for the file paths on the web server layer (para 0029, 0050 - website and underlying web server involved in the process of providing predetermined or static honeypot content pages; para 0008, 0012, 0031-0036, 0055 - content or a page configuration with specific user information).

For claim 10, Aharoni in view of Rafalovich teaches the claimed subject matter as discussed above. The combination of Aharoni and Rafalovich further teaches wherein the first content is deployed by writing the first page to a static file at the first file path and deployed using a template for the system (Aharoni - para 0036, 0071-0073, 0101-0102 - injecting or deploying fake start or end entries with a predetermined types or user attributes representing templated content; Rafalovich - para 0008, 0012, 0031-0036, 0055 - content or a page with specific user information).

For claim 11, Aharoni in view of Rafalovich teaches the claimed subject matter as discussed above. The combination of Aharoni and Rafalovich further teaches wherein the operations further comprise: deploying a second page having a second file path within the internal network, wherein the second file path previously returned the invalid page status code, and wherein the second page comprises one of a valid page status code or a redirect page status code at the first file path (Aharoni - para 0012, 0045, 0070-0073, 0080 - injecting or deploying multiple fake start or end entries corresponding to the directory status received wherein the directory is deemed protected/restricted, and wherein the entry redirects to a fake or spoofed directory entries corresponding to one of plurality of entries; Rafalovich - para 0008, 0012, 0031-0036, 0055 - deploying content or pages with specific user information).

For claim 12, Aharoni in view of Rafalovich teaches the claimed subject matter as discussed above. Aharoni teaches directory enumeration attempt is detected from a device (para 0070-0073, 0080 - directory enumeration scan or listing event). Aharoni does not appear to explicitly teach, however Rafalovich teaches wherein the directory or resource enumeration or access attack attempt is detected from an IP address used by the computing device and associated with the internal network, and wherein the IP address is shared by multiple devices on the internal network (para 0008, 0012, 0055 - IP address associated with each access request (or attack), and dynamic IP address use implying an IP may be used by multiple sources in the network).

For claim 13, Aharoni in view of Rafalovich teaches the claimed subject matter as discussed above. Aharoni teaches directory enumeration attempt is detected from a device (para 0070-0073, 0080 - directory enumeration scan or listing event). Aharoni does not appear to explicitly teach, however Rafalovich teaches wherein the detecting the directory enumeration attempt comprises at least one of detecting a number of scan attempts of file paths within the directory meets or exceeds a first threshold over a time period or detecting a number of returned page error codes meets or exceeds a second threshold within the time period (para 0034-0036 - number of resource accesses including file-holding memory devices that triggers increasing honeypots, implying that a limit is checked for number of scans leading to adding more honeypots).

For claim 14, Aharoni teaches a method comprising: determining a scan is being performed by a device or resource location of a directory comprising file paths to internal pages of a networked system (para 0007, 0015, 0071, 0080 - directory enumeration or listing event detection associated with directory paths or locations); determining a navigation to a first internal content of the internal pages using a first file path of the file paths, wherein the first internal content provides a modified status for the first internal content location (para 0070-0073, 0080 - directory enumeration scan or listing event corresponding to the file path/location navigation, where injecting or deploying fake start or end entries pertains to the directory status received in response to the scan event wherein the directory status is deemed protected/restricted, and wherein the entry redirects to a fake or spoofed directory entry based on the received status, wherein returning of contents correspond to a modified or different status other than the content restricted or the content not found), and wherein the first internal content (page) comprises a modified page byte size of the first internal content or a source logging process of the first internal content (page); and in response to the determining the navigation, providing the first internal page in place of a previous invalid status for the first file path (para 0101-0102, 0109 - logged device attributes and login interface; also additionally, para 0070-0073, 0080 - directory enumeration scan or listing event, wherein the entry redirects to a fake or spoofed directory entry in place of protected/restricted directory, wherein the fake content is presented as a valid response status, and which constitutes different words or attributes that would be different in byte sizes). 
Although Aharoni discloses presenting fake honeypot entries in response to directory scan events, wherein it would be obvious to incorporate any technique such as presenting of a page as part of presenting the above entry, Aharoni does not appear to explicitly teach, however Rafalovich teaches navigation to a first internal page, wherein the first internal page provides a modified status, and a scan is being performed by an internal IP address of the directory (Fig. 3; para 0008, 0012, 0031-0036, 0055 - content or a page with specific user information (including IP addresses) stored as the first bait or honeypot location, wherein the request to a baited resource (scan) raises an alert or a status indication, which is responded to, by availing the honeypotted resource contents as a valid content availability status). Based on Aharoni in view of Rafalovich, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to utilize teachings of Rafalovich in the system of Aharoni, in order to incorporate various content presentation methods that are very well-known in the art such as by presenting content page in response to a malicious resource scan request, thereby integrating the same with various attack mitigation mechanisms such as utilization of honeypot-based environments that make the system more secure.

For claim 15, Aharoni in view of Rafalovich teaches the claimed subject matter as discussed above. The combination of Aharoni and Rafalovich further teaches wherein prior to determining the scan, the method further comprises: providing the first internal content (page) with a subset of internal pages at a subset of the file paths, wherein the subset of internal pages provides the modified status and comprise the one of the redirect status for the modified page byte size or the valid status for the one of the source logging process or the modified page byte size (Aharoni - para 0036, 0045, 0054, 0070-0073, 0080 - entry redirects to a fake or spoofed entries of set sizes, which constitutes different words or attributes that would be different in byte sizes, wherein the spoofed content is partially or completely (combination of attributes as subset of attributes) made available upon detecting directory enumeration scan or listing events, and wherein injecting or deploying fake start or end entries pertains to the directory status received in response to the scan event wherein the directory status is deemed protected/restricted, and wherein the entry redirects to a fake or spoofed directory entry based on the received status, wherein returning of contents correspond to a modified or different status other than the content restricted or the content not found; Rafalovich - para 0008, 0012, 0031-0036, 0055 - content or a page with specific user information).

For claim 16, Aharoni in view of Rafalovich teaches the claimed subject matter as discussed above. Aharoni teaches directory enumeration attempt (as network traffic) is detected from a device (para 0070-0073, 0080 - directory enumeration scan or listing event). Aharoni does not appear to explicitly teach, however Rafalovich teaches wherein the determining the scan comprises detecting an increase in network traffic within the networked system over a threshold, and wherein the providing the first internal page comprises deploying a plurality of internal pages including the first internal page and comprising the process (para 0034-0036 - number of resource accesses including file-holding memory devices that triggers increasing honeypots, implying that a limit is checked for number of scans corresponding to increased access traffic leading to adding more honeypots).

For claim 17, Aharoni in view of Rafalovich teaches the claimed subject matter as discussed above. Aharoni further teaches directory enumeration attempt (as network traffic) is detected from a device (para 0070-0073, 0080 - directory enumeration scan or listing event). Aharoni does not appear to explicitly teach, however Rafalovich teaches wherein the deploying the plurality of internal pages is scaled based on an amount of the increase in the network traffic (para 0034-0036 - number of resource accesses including file-holding memory devices that triggers scaling the number of honeypots deployed, implying that a limit is checked for number of scans corresponding to increased access traffic leading to adding more honeypots).

For claim 18, Aharoni in view of Rafalovich teaches the claimed subject matter as discussed above. The combination of Aharoni and Rafalovich further teaches wherein prior to the determining the navigation, the method further comprises: providing the first internal page with a subset of internal pages at a subset of the file paths, wherein the subset of internal pages provides the modified status and comprise the one of the redirect status for the modified page byte size or the valid status for the one of the source logging process or the modified page byte size (Aharoni - para 0036, 0045, 0054, 0070-0073, 0080 - entry redirects to a fake or spoofed entries of set sizes, which constitutes different words or attributes that would be different in byte sizes, wherein the spoofed content is partially or completely (combination of attributes as subset of attributes) made available upon detecting directory enumeration scan or listing events, and wherein injecting or deploying fake start or end entries pertains to the directory status received in response to the scan event wherein the directory status is deemed protected/restricted, and wherein the entry redirects to a fake or spoofed directory entry based on the received status, wherein returning of contents correspond to a modified or different status other than the content restricted or the content not found; Rafalovich - para 0008, 0012, 0031-0036, 0055 - content or a page with specific user information).

For claim 19, Aharoni in view of Rafalovich teaches the claimed subject matter as discussed above. Aharoni further teaches wherein the modified status comprises one of a redirect status or a valid status (para 0070-0073, 0080 - directory enumeration scan or listing event, and injecting or deploying fake start or end entries corresponding to the directory status received in response to the scan event, and wherein the entry redirects to a fake or spoofed directory entry as a valid status for the access request received).

For claim 20, Aharoni teaches a non-transitory machine-readable medium having stored thereon machine-readable instructions executable (para 0012)  to cause a machine to perform operations comprising: detecting a directory enumeration attack associated with a plurality of honeypot contents (files or pages) by a computing device over a network with a service provider, wherein the directory enumeration attack attempts to enumerate active content locations within a directory of the network (para 0007, 0015, 0070-0074, 0080 - directory enumeration or listing event detection corresponding to ransomware and associated with directory paths or locations, injecting or deploying of fake start or end entries corresponding to honeypot entries), and wherein the plurality of honeypot contents each comprise one of a randomized response to a scan of the honeypot contents or a valid response having a logging mechanism for at least one of a network address, a device identifier, or a user identifier (para 0070-0073, 0080 - injected or deployed fake start or end entries corresponding to honeypot entries, and wherein the entry redirects to a fake or spoofed directory entry; para 0101-0102, 0109 - logged device attributes and login interface, when a spoofed or honeypotted page is made available as a valid status for the scan request); 
detecting a navigation to one of the plurality of honeypot contents by the computing device; and providing the one of the plurality of honeypot contents to the computing device (para 0070-0073, 0080 - directory enumeration scan or listing event detection, and injected or deployed fake start or end entries are received in response to the scan event, and wherein the entry redirects to a fake or spoofed directory entry).
Although Aharoni discloses presenting fake honeypot contents/entries in response to directory scan events, wherein it would be obvious to incorporate any technique such as presenting of a page as part of presenting the above entry, Aharoni does not appear to explicitly teach, however Rafalovich  teaches detecting a directory enumeration attack associated with a plurality of honeypot pages, and wherein the plurality of honeypot pages each comprise one of a randomized page response to a scan of the honeypot page or a valid page response, and detecting a navigation to one of the plurality of honeypot pages by the computing device; and providing the one of the plurality of honeypot pages to the computing device (Fig. 3; para 0008, 0012, 0031-0036, 0055 - content or a page with specific user information stored as the first bait or honeypot location, wherein the request to a baited resource (scan) raises an alert or a status indication, which is responded to, by availing the honeypotted resource contents as a valid content availability status). Based on Aharoni in view of Rafalovich, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to utilize teachings of Rafalovich in the system of Aharoni, in order to incorporate various content presentation methods that are very well-known in the art such as by presenting content page in response to a malicious resource scan request, thereby integrating the same with various attack mitigation mechanisms such as utilization of honeypot-based environments that make the system more secure.

    
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAYESH JHAVERI whose telephone number is (571)270-7584. The examiner can normally be reached on Mon-Fri 9 AM to 5 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on (571)272-6798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/JAYESH M JHAVERI/Primary Examiner, Art Unit 2433