DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 
This is a reply to the application filed on 09/19/2020, in which, claim(s) 1-20 are pending. Claim(s) 1, 15 and 20 are independent.

Priority
Acknowledgment is made of applicant's claim for foreign priority under 35 U.S.C. 119(a)-(d). Receipt is acknowledged of papers submitted under 35 U.S.C. 119(a)-(d), which papers have been placed of record in the file.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 11/22/2020 and 06/07/2021, has been reviewed. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the examiner is considering the information disclosure statement.

Drawings
The drawings filed on 09/19/2020 are accepted by The Examiner.

Claim Objections
Claims 1 and 20 are objected to because of the following informalities:  
Claim 1 and claim 20 recite “if an IP address of a node in the configuration information” and “if no IP address of a node in the configuration information”. Examiner suggests to amend the word “if” to “when” as shown in claim 15.
Appropriate correction is required.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 15-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.
Claim 15 is rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. Claim 15 recites "a memory unit”, “a communications interface” and “one or more processors”, in the claim body. As recited in the body of the claim, the claimed system lacks a structural component because the memory unit, interface and processor can be implemented as software only. Therefore, claim 15 is directed to non-statutory subject matter for lack of a hardware component. The Examiner respectfully suggests that the claim be further amended to positively recite at least one hardware element within the body of the claim to make the claim statutory subject matter under 35 U.S.C. 101 such as “a hardware processor” or “a hardware memory”. 
Claims 16-19 don't cure the deficiency of Claim 15 and are rejected under 35 U.S.C. 101 for their dependency upon Claim 15.
Claim 20 is rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. Claim 20 is non-statutory under the most recent interpretation of the Interim Guidelines regarding 35 U.S.C.101 because: the computer-readable storage medium claimed is not positively disclosed in the specification as a statutory only embodiment. ([0175], “one or more computer-usable storage media (including but not limited to a disk memory, a CD-ROM, an optical memory, and the like)”). When the broadest reasonable interpretation of a claim covers a signal per se, the claim must be rejected under 35 U.S.C. § 101 as covering non-statutory subject matter. (See In re Nuijten, 500 F.3d 1346, 1356-57 (Fed. Cir. 2007) transitory embodiments are not directed to statutory subject matter, further see MPEP 2106). Examiner suggests amending the claim to include “non-transitory computer-readable storage medium” consistent with the OG notice (2/23/2010, 1351 OG 212, http://www.uspto.gov/web/offices/com/sol/og/2010/week08/TOC.htm#ref20) concerning “Subject Matter Eligibility of Computer Readable Media”.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Seger et al. (US 9,716,727 B1, cited by the applicant in the 06/07/2021 IDS) in view of Trama et al. (US 8,955,128 B1).
Regarding Claims 1, 15, and 20, Seger discloses A method for defending against a network attack, comprising: 
receiving, by a network security device, a first packet sent by an external device, wherein the network security device is deployed between a protected network and an external network in which the external device is located, the network security device stores configuration information of a fake network, and the configuration information comprises an internet protocol IP address of each node in the fake network (Col 12, Lines 11-15, “the honey network emulation engine responds to various packets that are directed to the honey network”, see Fig. 2 & Col 9, Lines 23-30, Lines 56-66, “data appliance 202 (e.g., a device that performs various security related functions, such as a security device, which can be in the form of, for example, a security appliance, security gateway, security server, and/or another form of a security device)”, “data appliance 202 can perform IP-based routing of traffic (e.g., based on layer-3 destination IP-based routing rules) to route traffic sent to specific destination IP addresses”, Col 17, Lines 6-12, “the honey network includes a set of additional IP addresses (e.g., additional IP addresses that are not associated with any actual, physical devices in enterprise network 210, but are used to be associated with virtual, emulated devices in the honey network that appear to be part of enterprise network 210 to an unauthorized user, such as an attacker”, Fig 7, “a honey network configuration”); 
Seger does not explicitly teach but Trama teaches
matching, by the network security device, a destination IP address of the first packet with the configuration information of the fake network (Col 5, Lines 15-17, “If a packet's destination IP address matches an IP address in the honeypot”); and 
processing, by the network security device, the first packet based on a fake network policy if an IP address of a node in the configuration information of the fake network has a same subnet prefix as the destination IP address, wherein each fake network policy comprises a matching condition and an action corresponding to the matching condition, and the action comprises constructing and sending a response packet, or prohibiting answering the first packet, or redirecting the first packet to a honeypot device (Col 5, Lines 15-18, “If a packets destination IP address matches an IP address in the honeypot, then the packet information is logged, the packet is dropped and the packet's source IP address is flagged”, Col 1, Lines 66-67, “subnetted (prefix) network addresses”); or 
processing, by the network security device, the first packet based on a firewall policy if no IP address of a node in the configuration information of the fake network has a same subnet prefix as the destination IP address (Col 6, Lines 30-37, “The LISTS chain compares 410 the incoming packet's source IP address with IP addresses and network ranges have been defined in various designated "lists" within the system. If it doesn't match, the packet information is either logged 290 first and then routed 500 or simply just routed 500 depending on how it is configured by the user”, Col 1, Lines 66-67, “subnetted (prefix) network addresses”).  
Seger and Trama are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Trama with the disclosure of Seger. The motivation/suggestion would have been for reducing unwanted network traffic via easily configured lists and other malicious network traffic abatement measures (Trama, Col 2, Lines 55-60).

Regarding Claims 2, and 16, the combined teaching of Seger and Trama teaches wherein the processing, by the network security device, the first packet based on a fake network policy comprises: 
determining, by the network security device, matching information of the first packet, wherein the matching information comprises at least one of the following: a protocol type of the first packet, the destination IP address of the first packet, and a destination port number of the first packet (Trama, Col 5, Lines 15-18, “If a packets destination IP address matches an IP address in the honeypot, then the packet information is logged, the packet is dropped and the packet's source IP address is flagged”); 
separately matching, by the network security device, the matching information of the first packet with a matching condition comprised in at least one fake network policy, and selecting a fake network policy matching the first packet, wherein the matching information of the first packet meets a matching condition in the selected fake network policy; and performing, by the network security device, an action in the selected fake network policy (Trama, Col 5, Lines 15-18, “If a packets destination IP address matches an IP address in the honeypot, then the packet information is logged, the packet is dropped and the packet's source IP address is flagged”).  

Regarding Claims 3, and 17, the combined teaching of Seger and Trama teaches
wherein the matching condition in the selected fake network policy is: a protocol type is the internet control message protocol ICMP, and a destination IP address is an IP address of a first node in the fake network; and the action in the selected fake network policy is: constructing and sending a response packet, or redirecting the first packet to the honeypot device, wherein the response packet is 10used to indicate that the destination IP address is reachable (Trama, Col 5, Lines 15-18, “If a packets destination IP address matches an IP address in the honeypot, then the packet information is logged, the packet is dropped and the packet's source IP address is flagged”, Seger, Col 23, Line 40-42, “an ICMP queue for the Internet Control Message Protocol (ICMP)”).

Regarding Claims 4, and 18, the combined teaching of Seger and Trama teaches
wherein the configuration information further comprises a topological relationship between nodes in the fake network, and the response packet carries a time to live, wherein the time to live is determined by the network security device based on the topological relationship, and the time to live 15indicates a quantity of routing nodes through which a packet passes in a process of transmitting the packet to the first node (Seger, Col 23, Line 35-43 , “each of the four primary queues handles a different type of packet that is received at the honey network VM instance (e.g., a TCP queue for the Transmission Control Protocol (TCP), a UDP queue for the User Datagram Protocol (UDP), an ICMP queue for the Internet Control Message Protocol (ICMP), and an IP queue for the Internet Protocol (IP))”, Col 11, Line 25-30 , “the appropriate/expected probe responses for each emulated system can be determined at run-time by honey network emulation engine”).

Regarding Claim 5, the combined teaching of Seger and Trama teaches
wherein the matching condition in the selected fake network policy is: a protocol type is the ICMP, and a destination IP address is not an IP address of any node in the fake network; and the action in the selected fake network policy is: constructing and sending a response packet, or redirecting the first packet to the honeypot device, wherein the response packet is used to indicate that the destination IP address is unreachable, and an IP address of a gateway device corresponding to a subnet prefix of the destination IP address is reachable (Trama, Col 6, Lines 30-37, “The LISTS chain compares 410 the incoming packet's source IP address with IP addresses and network ranges have been defined in various designated "lists" within the system. If it doesn't match, the packet information is either logged 290 first and then routed 500 or simply just routed”, Seger, Col 23, Line 40-42, “an ICMP queue for the Internet Control Message Protocol (ICMP)”).  

Regarding Claim 6, the combined teaching of Seger and Trama teaches
wherein the configuration information further 25comprises a topological relationship between nodes in the fake network, and the response packet carries a time to live, wherein the time to live is determined by the network security device based on the topological relationship, and the time to live indicates a quantity of routing nodes through which a packet passes in a process of transmitting the packet to the gateway device corresponding to the subnet prefix of the 30destination IP address (Seger, Col 23, Line 35-43 , “each of the four primary queues handles a different type of packet that is received at the honey network VM instance (e.g., a TCP queue for the Transmission Control Protocol (TCP), a UDP queue for the User Datagram Protocol (UDP), an ICMP queue for the Internet Control Message Protocol (ICMP), and an IP queue for the Internet Protocol (IP))”, Col 11, Line 25-30 , “the appropriate/expected probe responses for each emulated system can be determined at run-time by honey network emulation engine”).

Regarding Claims 7, and 19, the combined teaching of Seger and Trama teaches
wherein the matching condition in the selected fake network policy is: a protocol type is the transmission control protocol TCP, and a destination port is a first port in the fake network, wherein the destination port is determined based on the destination IP address and the destination port number; and the 5action in the selected fake network policy is: constructing and sending a response packet, or redirecting the first packet to the honeypot device, wherein the response packet is used to indicate that the destination port is in an open state (Seger, Col 6, Line 14-30 , “sends selected probes to a given target device, and then evaluates the responses to generate a fingerprint that can be used to identify various attributes of the target device, such as an operating system and version, open ports and available services, and/or other attributes”, “open TCP ports”).

Regarding Claim 8, the combined teaching of Seger and Trama teaches
wherein the matching condition in the selected fake network policy is: a protocol type is the TCP, and a destination port is not a first port in the fake network, wherein the destination port is determined based on the destination IP address and the destination port number; and the action in the selected fake network policy is: constructing and sending a response packet, or redirecting the first packet to the honeypot device, wherein the response packet is used to indicate that the destination port is in an unopened state (Seger, Col 23, Line 40, “Transmission Control Protocol (TCP)”, Col 1, Lines 35-40, “determine which ports are open on a particular computer on the network”, Col 24, Lines 5-10, “determine whether the TCP service is active/exists for the destination port number of the destination IP address in the honey network”, therefore the response can indicate the destination port is in an unopened state).

Regarding Claim 9, the combined teaching of Seger and Trama teaches
wherein the matching condition in the selected fake network policy is: a protocol type is the user datagram protocol UDP, and a destination port is not a second port in the fake network, wherein the destination port is determined based on the destination IP address and the destination port number; and the action in the selected fake network policy is: constructing and sending a response packet, or redirecting the first packet to the honeypot device, wherein the response packet is used to indicate that the destination port is unreachable (Seger, Col 23, Line 41, “User Datagram Protocol (UDP)”, Col 24, Lines 35-40, “a packet is received that is destined for a UDP port”, Col 24, Lines 40-50, “determine whether the UDP service is active/exists for the destination port number of the destination IP address in the honey network” and sending a response packet indicate the destination port is unreachable).

Regarding Claim 10, the combined teaching of Seger and Trama teaches
wherein the matching condition in the selected fake network policy is: a protocol type is the UDP, and a destination port is a second port in the fake network, wherein the destination port is determined based on the destination IP address and the destination port number; and the action in the selected fake network policy is: prohibiting answering the first packet, or redirecting the first packet to the honeypot device (Seger, Col 23, Line 41, “User Datagram Protocol (UDP)”, Col 24, Lines 35-40, “a packet is received that is destined for a UDP port”, Col 24, Lines 40-50, “determine whether the UDP service is active/exists for the destination port number of the destination IP address in the honey network”, Trama, Col 5, Lines 15-18, “the packet is dropped”).

Regarding Claim 11, the combined teaching of Seger and Trama teaches
constructing, by the network security device, a response packet, and sending theClient Reference No.: 85705376US04 response packet after a delay of preset duration (Seger, Col 11, Line 15-20, “include probe responses for each emulated system in the systems table and for each emulated service in the services table with responses to provide to specific probes”).

Regarding Claim 12, the combined teaching of Seger and Trama teaches
wherein the matching condition in the selected fake network policy is: a destination IP address is an IP address of a fourth node in the fake network; and the action in the selected fake network policy is: redirecting the first packet to the honeypot device (Trama, Col 5, Lines 15-18, “If a packets destination IP address matches an IP address in the honeypot, then the packet information is logged” and redirect to the honeypot device).

Regarding Claim 13, the combined teaching of Seger and Trama teaches
constructing, by the network security device, a response packet in a first packet format based on the firewall policy, wherein the first packet format is a packet format corresponding to a first system type, the first system type is inconsistent with a second system type corresponding to a first internal device, the first internal device is located in the protected network, and an IP address of the first internal device is the same as the destination IP address; and sending, by the network security device, the response packet in the first packet format to the external device (Seger, Col 23, Line 45-50, “to provide responses that would provide matches (fingerprints) for systems and services represented in the honey network”).

Regarding Claim 14, the combined teaching of Seger and Trama teaches
receiving, by the network security device, a second packet sent by a second internal device, wherein the second internal device is any device in the protected network; modifying, by the network security device, a packet format of the second packet into a second packet format, wherein a third system type corresponding to the second packet format is inconsistent with a fourth system type corresponding to the second internal device; and forwarding, by the network security device, the second packet in the second packet format (Seger, Col 23, Line 45-50, “to provide responses that would provide matches (fingerprints) for systems and services represented in the honey network”).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHENG-FENG HUANG whose telephone number is (571)272-6186. The examiner can normally be reached Monday-Friday: 9 am - 5 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni A Shiferaw can be reached on (571) 272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/CHENG-FENG HUANG/Primary Examiner, Art Unit 2497