DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

The following is a final office action in response to communications received 02/07/2022. Claims 21 and 34 have been amended. Therefore, claims 21-40 are pending and addressed below.

Response to Amendment
Applicant’s amendments and response to the claims are NOT sufficient to overcome the Double Patenting rejections set forth in the previous office action. The double patenting rejection is maintained.

Response to Arguments
Applicant’s arguments filed 02/07/2022 have been fully considered but they are not persuasive. Applicant argues that (1) Ettema does not disclose selecting the devices or services to be emulated in a honey network based on a type of network traffic monitoring to be performed on the network traffic traversing a host computer network….

In response to argument (1), Examiner respectfully disagrees. Ettema discloses that the honey network has been configured to clone a subnet of a target enterprise network…a network scan can be performed on the subnet of the target enterprise network to generate a network scan survey…the network scan survey data can then be processed to implement a low interaction emulation of that subnet of the target enterprise network as a honey network…a virtual clone can be instantiated for one or more of the target devices in the enterprise network to support high interactions for such target devices in the honey network…a virtual clone can be instantiated for a target device based on various policies or criteria, such as to facilitate an intelligent detonation of malware that was destined to be sent to the target device (interpreted as type of network traffic monitoring to be performed on the network traffic traversing a host computer network)…agents can also be deployed on each of the devices and/or a subset of the devices…assuming that device profile data is available for the target device, a virtual clone can be instantiated as a net VM instance on the VM server to implement a high-interaction emulation of the target device in the honey network…see col. 24, lines 35-65. Therefore Examiner maintains that Ettema does teach and disclose this limitation.



Claim Rejections - 35 USC § 102

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 21, 26-28, 34, 39-40 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Ettema et al (Pat. No. US 9882929).


As per claim 21, Ettema discloses a computer-implemented method comprising: receiving input identifying a type of network traffic monitoring to be performed on network traffic traversing a host computer network (see col.16 lines 45-50), wherein the type of network traffic monitoring relates to identifying one or more types of malicious activity in the host computer network (…a virtual clone can be instantiated for one or more of the target devices in the enterprise network to support high interactions for such target devices in the honey network…a virtual clone can be instantiated for a target device based on various policies or criteria, such as to facilitate an intelligent detonation of malware that was destined to be sent to the target device (interpreted as type of network traffic monitoring to be performed on the network traffic traversing a host computer network)…agents can also be deployed on each of the devices and/or a subset of the devices…assuming that device profile data is available for the target device, a virtual clone can be instantiated as a net VM instance on the VM server to implement a high-interaction emulation of the target device in the honey network…see col. 24, lines 35-65); selecting, by a controller, a plurality of network nodes in the host computer network to be replicated in a test computer network, wherein the plurality of network nodes is selected based on the type of network traffic monitoring to be performed on the network traffic traversing the host computer network (…the honey network has been configured to clone a subnet of a target enterprise network…a network scan can be performed on the subnet of the target enterprise network to generate a network scan survey…the network scan survey data can then be processed to implement a low interaction emulation of that subnet of the target enterprise network as a honey network…a virtual clone can be instantiated for one or more of the target devices in the enterprise network to support high interactions for such target devices in the honey network…a virtual clone can be instantiated for a target device based on various policies or criteria, such as to facilitate an intelligent detonation of malware that was destined to be sent to the target device (interpreted as type of network traffic monitoring to be performed on the network traffic traversing a host computer network)…agents can also be deployed on each of the devices and/or a subset of the devices…assuming that device profile data is available for the target device, a virtual clone can be instantiated as a net VM instance on the VM server to implement a high-interaction emulation of the target device in the honey network…see col. 24, lines 35-65); and causing the controller to create the test computer network, wherein the test computer network includes a plurality of cloned network nodes corresponding to the plurality of network nodes (see col.17 line 56-col.18 line 16).


As per claim 34, Ettema discloses a system comprising: a first one or more electronic devices to implement a network monitoring application, wherein the network monitoring application includes first instructions that upon execution cause the network monitoring application to: receive input identifying a type of network traffic monitoring to be performed on network traffic traversing a host computer network, wherein the type of network traffic monitoring relates to identifying one or more types of malicious activity in the host computer network (…a virtual clone can be instantiated for one or more of the target devices in the enterprise network to support high interactions for such target devices in the honey network…a virtual clone can be instantiated for a target device based on various policies or criteria, such as to facilitate an intelligent detonation of malware that was destined to be sent to the target device (interpreted as type of network traffic monitoring to be performed on the network traffic traversing a host computer network)…agents can also be deployed on each of the devices and/or a subset of the devices…assuming that device profile data is available for the target device, a virtual clone can be instantiated as a net VM instance on the VM server to implement a high-interaction emulation of the target device in the honey network…see col. 24, lines 35-65), cause a controller to create a test computer network, wherein the test computer network includes a plurality of cloned network nodes corresponding to a plurality of network nodes in the host computer network (see col.17 line 56-col.18 line 16); and a second one or more electronic devices to implement a controller, wherein the controller includes second instructions that upon execution cause the controller to: select the plurality of network nodes in the host computer network to be replicated in a test computer network (…network interactions with other devices emulated in the honey network…can be monitored…the results of the network scan, the network scan survey, can be imported and processed by the translation engine to facilitate a generation of a honey network configuration to emulate the devices and services identified in the network scan survey…the honey network can be configured to replicate the IP addresses of the devices in the target network…see col.10 lines 15-23, col.17 lines 8-23), wherein the plurality of network nodes is selected based on the type of network traffic monitoring to be performed on the network traffic traversing the host computer network (…the honey network has been configured to clone a subnet of a target enterprise network…a network scan can be performed on the subnet of the target enterprise network to generate a network scan survey…the network scan survey data can then be processed to implement a low interaction emulation of that subnet of the target enterprise network as a honey network…a virtual clone can be instantiated for one or more of the target devices in the enterprise network to support high interactions for such target devices in the honey network…a virtual clone can be instantiated for a target device based on various policies or criteria, such as to facilitate an intelligent detonation of malware that was destined to be sent to the target device (interpreted as type of network traffic monitoring to be performed on the network traffic traversing a host computer network)…agents can also be deployed on each of the devices and/or a subset of the devices…assuming that device profile data is available for the target device, a virtual clone can be instantiated as a net VM instance on the VM server to implement a high-interaction emulation of the target device in the honey network…see col. 24, lines 35-65); and create the test computer network (…the honey network can emulate the devices and services identified in the network scan survey of the target enterprise network using different assigned IP addresses…col.10 lines 55-65, see col.17 lines 43-50).


As per claims 26, 39, Ettema discloses wherein the host computer network has no network connectivity to the test computer network (Ettema: col.16 lines 8-15).


As per claims 27, 40, Ettema discloses wherein at least one of the plurality of cloned network nodes is assigned a media access control (MAC) address and an internet protocol (IP) address of a corresponding node of the plurality of network nodes (Ettema: see col.17 line 47-col.18 line 5).


As per claim 28, Ettema discloses wherein at least one of the plurality of cloned network nodes is configured to match at least one of the following configurations of a corresponding node of the plurality of network nodes: an operating system, a patch level, available ports, and available services (Ettema: see col.18 lines 45-51).




Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 22-25, 29-33, 35-38 are rejected under 35 U.S.C. 103 as being unpatentable over Ettema et al (Pat. No. US 9882929) in view of Jordan et al (Pub. No. US 2014/0283052).


As per claims 22, 35, Ettema does not explicitly disclose obtaining, from at least one first sensor coupled to the host computer network, first network flow records generated by the at least one first sensor based on first network traffic involving the plurality of network nodes; obtaining, from at least one second sensor coupled to the test computer network, second network flow records generated by the at least one second sensor based on second network traffic involving network nodes of the plurality of cloned network nodes; merging, by a detection processing pipeline, the first network flow records and the second network flow records to obtain merged network flow records; and training a machine learning model to identify instances of malicious network traffic based on the merged network flow records. However, Jordan discloses obtaining, from at least one first sensor coupled to the host computer network, first network flow records generated by the at least one first sensor based on first network traffic involving the plurality of network nodes; obtaining, from at least one second sensor coupled to the test computer network, second network flow records generated by the at least one second sensor based on second network traffic involving network nodes of the plurality of cloned network nodes; merging, by a detection processing pipeline, the first network flow records and the second network flow records to obtain merged network flow records; and training a machine learning model to identify instances of malicious network traffic based on the merged network flow records (inspecting network traffic for malicious data using a signature based sensor and simultaneously inspecting the network traffic for malicious data using a machine-learning based sensor…the machine learning based sensor has been trained to detect attacks on blind spots of the signature based sensor by modifying patterns of attack on the signature based sensor to compile blind spot malicious samples that avoid intrusion detection by the signature based sensor…a machine learning training dataset comprising the tagged malicious samples…is then presented to the machine learning based sensor to create models of normal network traffic and to detect samples that fail to conform to the models of normal network traffic as malicious data…see par. 31). Therefore one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to use Jordan in Ettema for including the above limitations, because one of ordinary skill in the art would recognize it would further enhance the ability to detect the full spectrum of network attacks while eliminating the blind spot and false positive rates each sensor experiences…see Jordan, par. 10.


As per claims 23, 36, the combination of Ettema and Jordan discloses wherein the second network flow records include at least one network flow record reflecting an instance of malicious network traffic artificially introduced into the test computer network (Jordan: see par. 31). The motivation for claims 23, 36 is the same motivation as in claims 22, 35 above.


As per claims 24, 37, the combination of Ettema and Jordan discloses obtaining additional network flow records generated by the at least one first sensor based on additional network traffic involving the plurality of network nodes of the host computer network; using the machine learning model to identify an instance of malicious network traffic based on the additional network flow records; and generating an alert indicating the instance of the malicious network traffic (Jordan: see par. 5, 31). The motivation for claims 24, 37 is the same motivation as in claims 22, 35 above.


As per claims 25, 38, the combination of Ettema and Jordan discloses obtaining additional network flow records generated by the at least one first sensor based on additional network traffic involving the plurality of network nodes of the host computer network; using the machine learning model to identify an instance of malicious network traffic based on the additional network flow records; and using the instance of malicious network traffic to search for other network flow records related to the instance of malicious network traffic (Jordan: see par. 31-33). The motivation for claims 25, 38 is the same motivation as in claims 22, 35 above.


As per claim 29, the combination of Ettema and Jordan discloses wherein a network flow record of the first network flow records corresponds to a communication between a first node and a second node of the plurality of network nodes, and wherein the network flow record identifies one or more of: an initiating node, a receiving node, a length of time associated with the communication, a number of data packets associated with the communication, a size of the communication, MAC addresses associated with the first node and the second node, and IP addresses associated with the first node and the second node (Ettema: see col.17 lines 47-60).


As per claim 30, the combination of Ettema and Jordan discloses wherein the detection processing pipeline includes a plurality of machine learning models, and wherein each of the plurality of machine learning models is used to identify one or more particular types of malicious network traffic (Jordan: see par. 31). The motivation for claim 30 is the same motivation as in claim 22 above.


As per claim 31, the combination of Ettema and Jordan discloses wherein the merged network flow records appear to originate from the plurality of network nodes of the host computer network (Jordan: see par. 31-33). The motivation for claim 31 is the same motivation as in claim 22 above.


As per claim 32, the combination of Ettema and Jordan discloses wherein the second network-traffic is generated based on one or more scripts that in part generate the malicious network traffic (Jordan: see par. 36-37). The motivation for claim 32 is the same motivation as in claim 22 above.


As per claim 33, the combination of Ettema and Jordan discloses wherein the first network flow records are overlaid on the second network flow records to obtain the merged network flow records (Jordan: see par. 31-33). The motivation for claim 33 is the same motivation as in claim 22 above.




Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure (see PTO-form 892).
The following Patents and Papers are cited to further show the state of the art at the time of Applicant’s invention with respect to creating an environment for detecting malicious content.

Stratton et al (Pub. No. US 2008/0271019); “System and Method for Creating a Virtual Assurance System”;
- Teaches that the assurance system may copy a plurality of target systems and manage a plurality of virtual application environments…the virtual application environments may be created from various different environments on various different devices…see par. 33-35.



THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.



Any inquiry concerning this communication or earlier communications from the examiner should be directed to GHAZAL B SHEHNI whose telephone number is (571)270-7479. The examiner can normally be reached Mon-Fri 9am-5pm PCT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Philip Chea, can be reached on 571-272-3951. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/GHAZAL B SHEHNI/Primary Examiner, Art Unit 2499