DETAILED ACTION
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
This Office Action is in response to the communication filed on 12/30/2019.
Claims 1-20 are pending for consideration.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
The objection to the Applicant’s disclosure has been withdrawn in light of the amendment filed on 12/21/2021.
The objection the Applicant’s Abstract has been maintained because the Applicant does not address that objection in the amendment filed on 12/21/2021.
The rejection of claims 1-20 under 35 U.S.C. §112(b) has been maintained because the amendment does not resolve the indefiniteness issue.
Applicant's arguments filed 12/21/2021 have been fully considered but they are not persuasive. 
receiving, at a tunnel gateway server within the cloud network that is implemented by one or more electronic devices, a first set of one or more packets via a tunnel across a public network from a first server within the enterprise network”.
In response to the preceding argument, Examiner respectfully disagrees.  Paragraphs 0053-0054 of Shulman teaches the first set of packets (i.e, packets 132) is received at the tunnel gateway server (i.e., security gateway) from the first server (i.e., end station) within the enterprise (See figure 1, item132 
    PNG
    media_image1.png
    620
    949
    media_image1.png
    Greyscale
 ).  Shulman might not explicitly disclose the security gateway resided within a cloud network.  However, the cloud network recited in the claims does not specifically define the specific implementation of how it works.  As a result, the cloud network is broadly 
Applicant argues, on page 11 of the Remarks, that the cited portion of Shulman does not mention a tunnel via which a packet is sent across a public network between an enterprise network and a cloud network in the manner claimed.  Examiner respectfully disagrees.  According to a definition of the tunnel, it is a way to move packets from one network to another.  Expanding from the previous citations, Shulman does teach that the set of packets are transported from one end to another end (paragraphs 0039, 0054-0055 and 0099, “In an embodiment, the security gateway 102 and the server end stations 110 operate within a LAN, and the one or more client end stations 120A-120N also operate within the LAN or connect to the LAN through a WAN (e.g., the Internet) using a VPN.”).  Therefore, Applicant’s arguments are not persuasive.
Applicant further argues, on page 11 of the Remarks, that Shulman fails to teach wherein outside of the enterprise the identifier distinguishes between traffic transmitted from different source enterprise network addresses without disclosing the different source enterprise network addresses.  Examiner respectfully disagrees.  Shulman does teach wherein outside of the enterprise the identifier distinguishes between traffic transmitted from different source enterprise network addresses without disclosing the different source enterprise network addresses (Shulman: paragraphs 0052-0055, “These reverse honey tokens 130A-130N (e.g., usernames, passwords, server names/addresses, etc.) appear to provide information useful in acquiring enterprise data from one or more of the servers (112, 114, 116) of the server end stations 110.”…“At circle `4`, the intruder 124 attempts to utilize the information from the reverse honey tokens 130A-130N to acquire enterprise data from one or more of the servers (112, 114, 116) of the server end stations 110. For example, the intruder 124--through a "compromised" client end station 120A under complete or partial control of the intruder 124 or through a client end station 125 owned or operated by the intruder 124--may send a set of packets 132 including one or more of the reverse honey tokens (e.g., reverse honey token 130A). The reverse honey token 130A may be a part of a set of packet headers used to transport a payload, or may be carried by the payload itself. For example, a reverse honey token 130A, in an embodiment, could be an illegitimate IP address for a web application server 116, and thus the illegitimate IP address could appear in a destination IP address field of an IP header of the packets 132”).  Therefore, Shulman does teach the disputed limitation.

Specification
Applicant is reminded of the proper content of an abstract of the disclosure.
A patent abstract is a concise statement of the technical disclosure of the patent and should include that which is new in the art to which the invention pertains. The abstract should not refer to purported merits or speculative applications of the invention and should not compare the invention with the prior art.
If the patent is of a basic nature, the entire technical disclosure may be new in the art, and the abstract should be directed to the entire disclosure. If the patent is in the 
Where applicable, the abstract should include the following: (1) if a machine or apparatus, its organization and operation; (2) if an article, its method of making; (3) if a chemical compound, its identity and use; (4) if a mixture, its ingredients; (5) if a process, the steps.
Extensive mechanical and design details of an apparatus should not be included in the abstract. The abstract should be in narrative form and generally limited to a single paragraph within the range of 50 to 150 words in length.
See MPEP § 608.01(b) for guidelines for the preparation of patent abstracts.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 12/21/2021 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Regarding claims 1, 13 and 17, these claims recite the limitation “wherein the presence of the token in the third set of one or more packets allows for an electronic device within the cloud network to determine whether one of the enterprise end station has been compromised”.  It is unclear how the presence of the token is used to determine whether one of the enterprise end station has been compromised.  It makes sense if the token or identifier associated with the traffic gets analyzed to determine whether one of the enterprise end station has been compromised.  In this case, only presence of the token, the electronic device is able to determine whether one of the enterprise end station has been compromised.  The metes and bounds of the identified limitation are entirely unclear and subjective.  According to the Applicant’s disclosure, a compromise is detected through the detection algorithms (paragraphs 0094-0096 and 0126).  Further clarification is required.
Dependent claims 2-12, 14-16 and 18-20 are rejected for the reasons presented above with respect to their respective rejected parent claim(s) in view of their dependence thereon.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may 
Claims 1-20 rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-24 of U.S. Patent No. 10,567,342.  Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the instant application recite a corresponding method, medium and system of claims 1-24 of the patent application.  For example, see the table below for a claim comparison between the instant application and patent application (bolded text indicates significant similarities of major feature in each invention).
Furthermore, Examiner notes that each and every limitation of the instant claims appear to be substantially anticipated by the corresponding claims of the patent application.

Instant Application 16/730,768
Patent Application 10,567,342
Claim 1:

A method in a cloud network to detect compromises of enterprise end stations within an enterprise network based on tokens tunneled outside of the enterprise network to the cloud network, comprising:



receiving, at a tunnel gateway server within the cloud network that is implemented by one or more electronic devices, a first set of one or more packets via a tunnel across a public network from a first server within the enterprise network, 




wherein the first set of one or more packets were generated by the first server responsive to the first server receiving a second set of one or more packets that originated from within the enterprise network and that included data and a source enterprise network address, 
wherein the first set of one or more packets includes the data and an identifier but does not include the source enterprise network address so that the source enterprise network address is not disclosed outside of the enterprise network, wherein the data includes a token; and 

transmitting, by the tunnel gateway server, the data within a third set of one or more packets to a second server that acts as if it were an enterprise server within the enterprise network but is actually outside of the enterprise network and does not store enterprise data, wherein the presence of the token in the third set of one or more packets allows for an electronic device within the cloud network to determine whether one of the enterprise end station has been compromised, wherein outside of the enterprise the identifier distinguishes between traffic transmitted from different source enterprise network addresses without disclosing the different source enterprise network addresses.


A method in an enterprise network to detect compromises of enterprise end stations based on tokens tunneled outside the enterprise network while avoiding disclosure of source enterprise network addresses outside the enterprise network, comprising: 

receiving, at a first server within the enterprise network that is implemented by one or more electronic devices, a first set of one or more packets from a source enterprise network address directed to a destination enterprise network address of the enterprise network, wherein the destination enterprise network address is an enterprise network address assigned to the first server, 
wherein the first set of one or more packets includes data comprising a token, wherein the token was placed upon an enterprise end station within the enterprise network and wherein the token appears to be useful for accessing the first server or a resource provided by the first server; and 







transmitting, by the first server, a second set of one or more packets via a tunnel across a public network to a second server that is outside of the enterprise network, wherein the second set of one or more packets includes the data comprising the token and an identifier but does not include the source enterprise network address so that the source enterprise network address is not disclosed to the second server, wherein the second set of one or more packets causes the second server to send the data comprising the token to a third server that acts as if it were an enterprise server within the enterprise network but is actually outside of the enterprise network and does not store enterprise data, wherein the presence of the token in the second set of one or more packets allows for determining whether one of the enterprise end stations has been compromised, wherein at least one of the enterprise end station that utilized the 



A non-transitory computer-readable storage medium having stored therein instructions which, when executed by one or more processors of a device, causes the device to implement a tunnel gateway server in a cloud network to detect compromises of enterprise end stations within an enterprise network based on tokens tunneled outside of the enterprise network to the cloud network by performing operations comprising: 


receiving a first set of one or more packets via a tunnel across a public network from a first server within the enterprise network, wherein the first set of one or more packets were generated by the first server responsive to the first server receiving a second set of one or more packets that originated from within the enterprise network and that included data and a source enterprise network address, wherein the first set of one or more packets includes the data and an identifier but does not include the source enterprise network address so that the source enterprise network address is not disclosed outside of the enterprise network, wherein the data includes a token; and 

transmitting the data within a third set of one or more packets to a second server that acts as if it were an enterprise server within the enterprise network but is actually outside of the enterprise network and does not store enterprise data, wherein the presence of the token in the third set of one or more packets allows for an electronic device within the cloud network to determine whether one of the enterprise end station has been compromised, wherein outside of the enterprise the identifier distinguishes between traffic transmitted from different source enterprise network addresses without disclosing the different source enterprise network addresses.


A non-transitory computer-readable storage medium having instructions which, when executed by one or more processors of a device, cause the device to implement a first server to act in an enterprise network to detect compromises of enterprise end stations based on tokens tunneled outside the enterprise network while avoiding disclosure of source enterprise network addresses outside the enterprise network by performing operations comprising: 

receiving a first set of one or more packets from a source enterprise network address directed to a destination enterprise network address of the enterprise network, wherein the destination enterprise network address is an enterprise network address assigned to the first server, wherein the first set of one or more packets includes data comprising a token, wherein the token was placed upon an enterprise end station within the enterprise network and wherein the token appears to be useful for accessing the first server or a resource provided by the first server; and 



transmitting a second set of one or more packets via a tunnel across a public network to a second server that is outside of the enterprise network, wherein the second set of one or more packets includes the data comprising the token and an identifier but does not include the source enterprise network address so that the source enterprise network address is not disclosed to the second server, wherein the second set of one or more packets causes the second server to send the data comprising the token to a third server that acts as if it were an enterprise server within the enterprise network but is actually outside of the enterprise network and does not store enterprise data, wherein the presence of the token in the second set of one or more packets allows for determining whether one of the enterprise end stations has been compromised, wherein at least one of the enterprise end station that utilized the source enterprise network address or the source enterprise network address can be determined within the enterprise based upon the identifier, wherein outside the enterprise the identifier distinguishes between traffic sent from different source enterprise network addresses without disclosing the different source enterprise network addresses, wherein the transmitting the second set of one or more packets to the second server causes one or more security measures to be deployed in the enterprise network that monitor or block traffic based on receipt of an alert data that was sent to the enterprise network due to detection of 



A network device, comprising: one or more processors; and a non-transitory computer-readable storage medium having instructions stored therein which, when executed by the one or more processors, causes the device to implement a tunnel gateway server in a cloud network to detect compromises of enterprise end stations within an enterprise network based on tokens tunneled outside of the enterprise network to the cloud network by being adapted to:

receive a first set of one or more packets via a tunnel across a public network from a first server within the enterprise network, wherein the first set of one or more packets were generated by the first server responsive to the first server receiving a second set of one or more packets that originated from within the enterprise network and that included data and a source enterprise network address, wherein the first set of one or more packets includes the data and an identifier but does not include the source enterprise network address so that the source enterprise network address is not disclosed outside of the enterprise network, wherein the data includes a token and 

transmit the data within a third set of one or more packets to a second server that acts as if it were an enterprise server within the enterprise network but is actually outside of the enterprise network and does not store enterprise data, wherein the presence of the token in the third set of one or more packets allows for an electronic device within the cloud network to determine whether one of the enterprise end station has been compromised, wherein outside of the enterprise the identifier distinguishes between traffic transmitted from different source enterprise network addresses without disclosing the different source enterprise network addresses.


A device, comprising: one or more processors; and a non-transitory computer-readable storage medium having instructions which, when executed by the one or more processors, cause the device to implement a first server to act in an enterprise network to detect compromises of enterprise end stations based on tokens tunneled outside the enterprise network while avoiding disclosure of source enterprise network addresses outside the enterprise network by being adapted to: 

receive a first set of one or more packets from a source enterprise network address directed to a destination enterprise network address of the enterprise network, wherein the destination enterprise network address is an enterprise network address assigned to the first server, wherein the first set of one or more packets includes data comprising a token, wherein the token was placed upon an enterprise end station within the enterprise network and wherein the token appears to be useful for accessing the first server or a resource provided by the first server; and 



transmit a second set of one or more packets via a tunnel across a public network to a second server that is outside of the enterprise network, wherein the second set of one or more packets includes the data comprising the token and an identifier but does not include the source enterprise network address so that the source enterprise network address is not disclosed to the second server, wherein the second set of one or more packets causes the second server to send the data comprising the token to a third server that acts as if it were an enterprise server within the enterprise network but is actually outside of the enterprise network and does not store enterprise data, wherein the presence of the token in the second set of one or more packets allows for determining whether one of the enterprise end stations has been compromised, wherein at least one of the enterprise end station that utilized the source enterprise network address or the source enterprise network address can be determined within the enterprise based upon the identifier, wherein outside the enterprise the identifier distinguishes between traffic sent from different source enterprise network addresses without disclosing the different source enterprise network addresses, wherein the transmission of the second set of one or more packets to the second server causes one or more security measures to be deployed in the enterprise network that monitor or block traffic based on receipt of an alert data that was sent to the enterprise network due to detection of a use of the token in the data sent by the second server to the third server.


The dependent claims 2-12, 14-16 and 18-20 of the instant application recite language similar to the dependent claims of the patent application and are covered by the patent application.

Claim Rejections - 35 USC § 102

A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1-2 and 6-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Shulman et al. (US 20150013006) (hereinafter Shulman).
Regarding claim 1, Shulman discloses a method in a cloud network to detect compromises of enterprise end stations within an enterprise network based on tokens tunneled outside of the enterprise network to the cloud network (Shulman: paragraphs 0004 and 0025, “a compromise of the server (i.e., a data breach) can be identified when a honey token is detected outside of the server's data repository, or when an access to the honey token within the server data repository occurs”), comprising: 
receiving, at a tunnel gateway server within the cloud network that is implemented by one or more electronic devices, a first set of one or more packets via a tunnel across a public network from a first server within the enterprise network, wherein the first set of one or more packets were generated by the first server responsive to the first server receiving a second set of one or more packets that originated from within the enterprise network and that included data and a source enterprise network address, wherein the first set of one or more packets includes the data and an identifier but does not include the source enterprise network address so that the source enterprise network address is not Shulman: paragraphs 0053 and 0054, “the intruder 124 attempts to utilize the information from the reverse honey tokens 130A-130N to acquire enterprise data from one or more of the servers (112, 114, 116) of the server end stations 110. For example, the intruder 124--through a "compromised" client end station 120A under complete or partial control of the intruder 124 or through a client end station 125 owned or operated by the intruder 124--may send a set of packets 132 including one or more of the reverse honey tokens (e.g., reverse honey token 130A).”); and 
transmitting, by the tunnel gateway server, the data within a third set of one or more packets to a second server that acts as if it were an enterprise server within the enterprise network but is actually outside of the enterprise network and does not store enterprise data, wherein the presence of the token in the third set of one or more packets allows for an electronic device within the cloud network to determine whether one of the enterprise end station has been compromised (Shulman: paragraphs 0054-0055 and 0060, “maintains a record of the dates/times that each reverse honey token 130A was placed on a client end station 120A. Then, upon the security gateway 102 detecting the use of a reverse honey token 130A within a set of packets 132, the RHT central module 105 is notified (of the time of detection, the received RHT 130A, and other metadata such as the source IP address of the packet) and can determine, using the record of RHT placement, one or both of which client end station (e.g., 120A) was compromised, as well as what approximate time (or range of times) of the compromise (as the detected reverse honey token 130A only existed on that client end station 120A for a known period of time, during which the compromise must have occurred).”), wherein outside of the enterprise the identifier distinguishes between traffic transmitted from different source enterprise network addresses without disclosing the different source enterprise network addresses Shulman: paragraphs 0052-0055, “These reverse honey tokens 130A-130N (e.g., usernames, passwords, server names/addresses, etc.) appear to provide information useful in acquiring enterprise data from one or more of the servers (112, 114, 116) of the server end stations 110.”…“At circle `4`, the intruder 124 attempts to utilize the information from the reverse honey tokens 130A-130N to acquire enterprise data from one or more of the servers (112, 114, 116) of the server end stations 110. For example, the intruder 124--through a "compromised" client end station 120A under complete or partial control of the intruder 124 or through a client end station 125 owned or operated by the intruder 124--may send a set of packets 132 including one or more of the reverse honey tokens (e.g., reverse honey token 130A). The reverse honey token 130A may be a part of a set of packet headers used to transport a payload, or may be carried by the payload itself. For example, a reverse honey token 130A, in an embodiment, could be an illegitimate IP address for a web application server 116, and thus the illegitimate IP address could appear in a destination IP address field of an IP header of the packets 132”)
Regarding claim 13, claim 13 discloses a medium claim that is substantially equivalent to the method of claim 1.  Therefore, the arguments set forth above with respect to claim 1 are equally applicable to claim 13 and rejected for the same reasons.
Regarding claim 17, claim 17 discloses a device claim that is substantially equivalent to the method of claim 1.  Therefore, the arguments set forth above with respect to claim 1 are equally applicable to claim 17 and rejected for the same reasons.
Regarding claims 2 and 14, Shulman further discloses identifying, by the tunnel gateway server, one trap server of a plurality of trap servers, based on the first set of one or more packets, to be the second server to which the data is transmitted (Shulman: paragraphs 0029 and 0092, “setting a trap to detect if an intruder has compromised a client end station to gain unauthorized access to enterprise data provided by a server executing on a server end station according to certain embodiments of the invention”).
Regarding claims 6 and 15, Shulman further discloses receiving, at the tunnel gateway server, a fourth set of one or more packets carrying response data that was generated by the second server based at least in part on the data included within the third set of one or more packets, wherein the fourth set of one or more packets does not include the source enterprise network address (Shulman: paragraphs 0060 and 0068, “upon reconstructing the IP address of the client end station 120A, the RHT detection module 104 generates an alert 140, which may comprise transmitting 230 a notification to a user or transmitting a notification or command to another device (e.g., client end station 120A, other client end stations 120B-120N, one or more server end stations 110, a network management server end station 1320 implementing the RHT distribution module 106, and/or a management server end station 1360 implementing the RHT maintenance module 107, RHT central module 105, and/or security management module”).  
Regarding claims 7 and 16, Shulman further discloses transmitting, by the tunnel gateway server, a fifth set of one or more packets carrying the response data that was generated by the second server to the first server via the tunnel across the public network, wherein the first server can determine the source enterprise network address to be used as a destination for the response data and can transmit the response data accordingly using the source enterprise network address as a destination address (Shulman: paragraph 0090, “In this embodiment, a trick network address 1002 (i.e., a URL) as well as a trick encrypted username 1004 and trick encrypted password 1006 are placed in the moz_logins table on a client end station, and any detected use of the trick network address 1002 (e.g., an HTTP GET request to that address) and/or the encrypted username and password or the unencrypted versions of the username and password will cause the security gateway 102 to trigger the alert, since the authorized user 122 cannot access this database record as the trick network address does not exist.”).
Regarding claims 8 and 18, Shulman further discloses wherein the token was placed upon an enterprise end station within the enterprise network that originated the second set of one or more packets, wherein the token appears to be useful for accessing the first server or a resource provided by the first server (Shulman: paragraphs 0005 and 0026-0027, “honey tokens are typically pieces of information placed in server data repositories that are easy to detect when used, and are rarely (if ever) used by an authorized user”).
Regarding claim 9, Shulman further discloses monitoring, by a traffic monitoring module within the cloud network that is implemented by one or more electronic devices, traffic transmitted to the second server, including the third set of one or more packets transmitted to the second server; and providing, by the traffic monitoring module, alert data to the enterprise network in response to detecting, based on the monitoring, use of the token in the third set of one or more packets (Shulman: paragraphs 0027 and 0049-0050, “Upon this detection, network traffic from the client attempting to utilize the reverse honey token can be monitored, regulated, and/or blocked from reaching the targeted server, the client end station determined to be compromised can be taken offline or repaired, and/or the client end station(s) responsible for transmitting the traffic having the reverse honey token can be sought, analyzed, and/or blocked from further network access”).
Regarding claim 10, Shulman further discloses wherein the providing the alert data to the enterprise network causes one or more security measures to be deployed in the enterprise network that monitor or block traffic, increase an amount of logging or monitoring, or notify a particular enterprise user (Shulman: paragraphs 0035 and 0049, “to monitor network traffic for attempted use of the reverse honey token as evidenced by receipt of a set of one or more packets that include the reverse honey token, and then generate an alert 140.”).
Regarding claims 11 and 19, Shulman further discloses wherein the identifier is an encrypted version of the source enterprise network address (Shulman: paragraph 0062, “the prefix value 204 is prepended to the beginning of the Base64 representation of the encrypted IP address to create the reverse honey token 130A, which is placed in one or more configuration repositories 1”).
Regarding claims 12 and 20, Shulman further discloses wherein the first set of one or more packets utilizes, as a source Internet Protocol (IP) address, a routable IP address that is different than the source enterprise network address (Shulman: paragraphs 0053 and 0096, “a reverse honey token 130A, in an embodiment, could be an illegitimate IP address for a web application server 116, and thus the illegitimate IP address could appear in a destination IP address field of an IP header of the packets 132. As another example, a reverse honey token 130A could be a name of an invalid database table not existing within the set of tables 111A-111M of the database server 112; thus, the name of the invalid database table could exist within a database query (e.g., a SQL query) carried by a payload of the set of packets 132.”).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 3-5 are rejected under 35 U.S.C. 103 as being unpatentable over Shulman in view of British (EP 2541861) (hereinafter Bristish).
Regarding claim 3, Shulman does not explicitly disclose the following limitation which is disclosed by Bristish, wherein the identification of the one trap server to be the second server is based on a client identifier included within the first set of one or more packets (Bristish: figure 15; and paragraphs 0104 and 0105, “when server 44 changes its IP address (shown in Figure 9 for example as now comprising server 72), this triggers a plurality of decoy servers 90 for server 72 to become detectable at a plurality of different IP addresses in communications network”).  Shulman and Bristish are analogous art because they are from the same field of endeavor, data protection. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Shulman and Bristish before him or her, to modify the system of Shulman to include the identification of the decoy servers of Bristish. The suggestion/motivation for doing so would have been to protect or remove multiple threats (Bristish: paragraph 0009).
Regarding claim 4, Shulman does not explicitly disclose the following limitation which is disclosed by Bristish, wherein the identification of the one trap server to be the second server is based on a protocol used within the data (Bristish: figure 15; and paragraphs 0105-0106, “when a server changes its IP address this triggers at least one other decoy server to become active at least one other IP address. It is possible for the decoy server to be located in the same or a different communications network if virtual machine technology is used to generate a virtual image of the server. Where virtual machine technology is used, the decoy servers 90 comprise server presences that through allocation of network addresses which are part of the sub-network at the remote termination point of a virtual private network which also includes the relocated server 72, the decoy servers shall be addressable as part of that subnet”).  Shulman and Bristish are analogous art because they are from the same field of endeavor, data protection. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Shulman and Bristish before him or her, to modify the system of Shulman to include the identification of the decoy servers of Bristish. The suggestion/motivation for doing so would have been to protect or remove multiple threats (Bristish: paragraph 0009).
Regarding claim 5, Shulman as modified discloses wherein the identification of the one trap server to be the second server is based on a source address of the first set of one or more packets (Bristish: figure 15; and paragraphs 0105-0106, “when a server changes its IP address this triggers at least one other decoy server to become active at least one other IP address. It is possible for the decoy server to be located in the same or a different communications network if virtual machine technology is used to generate a virtual image of the server. Where virtual machine technology is used, the decoy servers 90 comprise server presences that through allocation of network addresses which are part of the sub-network at the remote termination point of a virtual private network which also includes the relocated server 72, the decoy servers shall be addressable as part of that subnet”).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure is listed on the enclosed PTO-892 form.
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TRANG T DOAN whose telephone number is (571)272-0740.  The examiner can normally be reached on Monday-Friday 7-4 ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn D Feild can be reached on (571)272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.







/TRANG T DOAN/Primary Examiner, Art Unit 2431