DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 
This is a reply to the application filed on 04/15/2020, in which, claim(s) 1-20 are pending. Claim(s) 1 and 11 are independent.

Drawings
The drawings filed on 04/15/2020 are accepted by The Examiner.

Examiner’s Note
Claim 11 recites “A system comprising: …executable code that, when executed by the one or more processing devices” and has been analyzed for 35 U.S.C. 101. No 35 U.S.C. 101 deemed necessary since the processing device is interpreted as hardware processing device in order to “execute” instructions. Therefore the examiner has viewed the system as meeting 35 U.S.C. 101 eligibility requirements.

Specification
Applicant is reminded of the proper language and format for an abstract of the disclosure.
The abstract should be in narrative form and generally limited to a single paragraph on a separate sheet within the range of 50 to 150 words in length. The abstract should describe the disclosure sufficiently to assist readers in deciding whether there is a need for consulting the full patent text for details.
The language should be clear and concise and should not repeat information given in the title. It should avoid using phrases which can be implied, such as, “The disclosure concerns,” “The disclosure defined by this invention,” “The disclosure describes,” etc.  In addition, the form and legal phraseology often used in patent claims, such as “means” and “said,” should be avoided.
The abstract of the disclosure is objected to because it is more than 150 words (i.e. 156 words). See MPEP § 608.01(b).
Appropriate correction is required.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.  A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the reference application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO internet Web site contains terminal disclaimer forms which may be used.  Please visit http://www.uspto.gov/forms/.  The filing date of the application will determine what form should be used.  A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission.  For more information about eTerminal Disclaimers, refer to http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.  

Claims 1-20 are non-provisionally rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over:
          Claims 1-10 of Patent 10,599,842.

Although the conflicting claims are not identical, they are not patentably distinct from each other because claims 1-20 are anticipated by claims 1-10 of Patent 10,599,842.
Patent application No. US 10,599,842 (15/383,522)  
Instant Application No.(16/849,813) 
Claim 1. A method comprising: 

providing on a computer system a listing of sanctioned applications; 
receiving, by the computer system, a command referencing subject data from a source; 
(a) determining, by the computer system, that the command was not received from one of the sanctioned applications by determining that a certificate of the source does not match a certificate of one of the sanctioned applications, a hash of binary code for the source does not match a hash of one of the sanctioned applications, and that a path to the binary code for the source does not match a path of one of the sanctioned applications; and 
(b) in response to (a) refraining from executing the command with respect to the subject data; 
(c) determining, by the computer system, that the command is a request for the subject data; 
in response to (c), passing, by the computer system, the command to an operating system executing on the computer system having a reference to the subject data replaced with a reference to deception data that is different from the subject data, the subject data having a format, the deception data being decoy data having the format, the subject data referencing a production server and the deception data referencing a decoy server that is different from the production server and coupled to the computer system by a network; 
(d) detecting, by the decoy server, an attempt by a module to access the deception server using the deception data; 
in response to (d), engaging and monitoring the module; 
(e) determining that the command is a request to modify the subject data; and 
in response to (e), refraining from executing the request to modify the subject data and returning to a source of the command an indication that the request to modify the subject data was executed successfully. 
Claim 1. A method comprising: 


receiving, by a computer system, a system call from a source to obtain information regarding a remote network resource; 




evaluating, by the computer system, whether the source is sanctioned; 

determining that the source is not sanctioned; and 










in response to determining that the source is not sanctioned, returning, by the computer system, a response to the system call having the information regarding the remote network resource replaced with information regarding a decoy server.  










Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
Claims 1, 7-11, and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Niemela et al. (US 2017/0149787 A1) in view of Vissamsetty et al. (US 2015/0326588 A1).
Regarding Claims 1 and 11, Niemela discloses
receiving, by a computer system, a request from a source to obtain information regarding a remote network resource ([0030], “detecting the request in step 300 that the client process needs the requested resource as a part of its normal operation”, [0015], “computer resources of the computer network”); 
evaluating, by the computer system, whether the source is sanctioned; determining that the source is not sanctioned ([0022], “determine whether or not the second process attempts to carry out malicious of the fake resource”, [0031], “Upon receiving the request in step 300 and determining that the reference database indicates that the client process does not need the requested resource as the part of its normal operation”); and 
in response to determining that the source is not sanctioned, returning, by the computer system, a response to the request having the information regarding the remote network resource replaced with information regarding a decoy server ([0031], “replace the requested resource, e.g. the requested network address, with a resource directing the client process to the honeypot”, [0022], “directed to a resource that does not exist in the computer network, e.g. the resource may be a fake file, fake e-mail address, fake domain name, or a fake proxy server address”).  
Niemela does not explicitly teach but Vissamsetty teaches
the request is a system call ([0168], “the ability to watch file accesses and monitor system calls”),
Niemela and Vissamsetty are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Vissamsetty with the disclosure of Niemela. The motivation/suggestion would have been for detecting and protecting malicious and unauthorized access of a computer system (Vissamsetty, [0003]).

Regarding Claims 7 and 17, the combined teaching of Niemela and Vissamsetty teaches 
wherein the system call is an instruction to list credentials for network services stored on the computer system (Vissamsetty, [0168], “system calls”, [0283], “The memory 716 may further include a cache 720 for storing credentials 722 as generated by a service”, “decoy or fake credentials 724 generated”).  

Regarding Claims 8 and 18, the combined teaching of Niemela and Vissamsetty teaches 
wherein the system call is an instruction to list domain controllers (Niemela, [0017], “provide information on a name and/or network address of the servers 104, 106, databases 108, and other devices 110 of the network”, [0022], “directed to a resource that does not exist in the computer network, e.g. the resource may be a … fake domain name”, Vissamsetty, [0168], “system calls”).  

Regarding Claims 9 and 19, the combined teaching of Niemela and Vissamsetty teaches 
wherein the system call is an instruction to enumerate network computers (Vissamsetty, [0034], “total number of IP addresses (i.e. network computers) supported”, [0168], “system calls”).  

Regarding Claims 10 and 20, the combined teaching of Niemela and Vissamsetty teaches 
wherein the system call is an instruction to list users and groups (Niemela, [0017], “authorized users”, “the user groups to the resources”, Vissamsetty, [0168], “system calls”), the method further comprising: 
generating, by the computer system, a first response including references to a decoy group defined on the decoy server; returning, by the computer system, the first response to the source (Niemela, [0017], “the user groups to the resources”, [0031], “replace the requested resource, e.g. the requested network address, with a resource directing the client process to the honeypot”); 
receiving, by the computer system form the source, a request for information regarding the decoy group; in response to the request for information regarding the decoy group, returning a second response to the source, the second response including decoy account information for a decoy user in the decoy group (Niemela, [0022], “directed to a resource that does not exist in the computer network, e.g. the resource may be a fake file, fake e-mail address”).  

Claims 2-5 and 12-15 are rejected under 35 U.S.C. 103 as being unpatentable over Niemela et al. (US 2017/0149787 A1) in view of Vissamsetty et al. (US 2015/0326588 A1) further in view of Thakar et al. (US 2017/0032122 A1).
Regarding Claims 2 and 12, the combined teaching of Niemela and Vissamsetty does not explicitly teach but Thakar teaches
wherein receiving the system call comprises receiving a call to a first function, the first function being substituted for a reference to a second function in a dynamic link library, the first function referencing the second function ([0039], “For an executable to use a system call, such as an Application Programming Interface (API) call, the executable must first import a DLL that exposes the API call, and then run the API”, “address list can be scanned for one or more DLLs that expose network related API calls, or otherwise exhibit network activity”),
Niemela, Vissamsetty and Thakar are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Thakar with the combined teaching of Niemela and Vissamsetty. The motivation/suggestion would have been to determine whether an executable file attempts to contact a network during execution that may be untrusted or potentially malicious (Thakar, [0001], [0040]).

Regarding Claims 3 and 13, the combined teaching of Niemela, Vissamsetty and Thakar teaches 
wherein the system call is a first system call and the source is a first source (Vissamsetty, [0168], “system calls”, Niemela, [0031], “the client process”), the method further comprising: 
receiving, by the computer system, a second system call to the first function from a second source; determining, by the first function, that the second source is sanctioned; and in response to determining that the second source is sanctioned, invoking, by the first function, the second function (Vissamsetty, [0168], “system calls”, Niemela, [0024], “if the anti-malware process detects, on the basis of the monitoring in the secured environment, that the second computer process has no malicious purposes, it may release the second computer process after which the first computer process may provide the second computer process with the response that contains the requested information as unmodified”).  

Regarding Claims 4 and 14, the combined teaching of Niemela, Vissamsetty and Thakar teaches
invoking, by the first function, the second function in response to the system call; receiving, by the first function, a result from the second function; modifying, by the first function, the result to obtain a modified result referencing the decoy server (Vissamsetty, [0168], “system calls”, Niemela, [0031], “replace the requested resource, e.g. the requested network address, with a resource directing the client process to the honeypot”, [0022], “a fake proxy server address”); 
replacing, by the first function, a first reference in the response with a second reference referencing a decoy server to obtain a modified response; returning, by the first function, the modified response to the source (Niemela, [0031], “replace the requested resource, e.g. the requested network address, with a resource directing the client process to the honeypot”, [0022], “a fake proxy server address”).

Regarding Claims 5 and 15, the combined teaching of Niemela, Vissamsetty and Thakar teaches
modifying, by the first function, an argument of the system call to replace a domain name service (DNS) address with an internet protocol (IP) address of the decoy server to obtain a modified argument (Vissamsetty, [0168], “system calls”, Niemela, [0031], “replace the requested resource, e.g. the requested network address, with a resource directing the client process to the honeypot”, [0022], “a fake proxy server address”); 
invoking, by the first function, the second function in response to the system call with the modified argument; receiving, by the first function, a result from the second function; and returning, by the first function, the result to the source of the system call (Vissamsetty, [0168], “system calls”, Niemela, [0031], “replace the requested resource, e.g. the requested network address, with a resource directing the client process to the honeypot”, [0022], “a fake proxy server address”).


Claims 6 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Niemela et al. (US 2017/0149787 A1) in view of Vissamsetty et al. (US 2015/0326588 A1) further in view of Hager et al. (US 2007/0226320 A1).
Regarding Claims 6 and 16, the combined teaching of Niemela and Vissamsetty does not explicitly teach but Hager teaches
wherein the system call is an instruction to list network shares mounted to the computer system ([0066], “by mounting a NFS share on a server and using file system calls”),
Niemela, Vissamsetty and Hager are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Hager with the combined teaching of Niemela and Vissamsetty. The motivation/suggestion would have been for storage and access of computer files and data (Hager, [0005]).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHENG-FENG HUANG whose telephone number is (571)272-6186. The examiner can normally be reached Monday-Friday: 9 am - 5 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni A Shiferaw can be reached on (571) 272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/CHENG-FENG HUANG/Primary Examiner, Art Unit 2497