Detailed Action
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

RCE filed on 05/16/2022 has been acknowledged.  Claims 1-20, as originally filed, are currently pending and have been considered below. Claim 1, 7, 12 and 17 are independent claim. Claims 1, 7, 12 and 17 have been amended.

Priority
The application claims priority of PRO 62/936,990 filed on 11/18/2019.

Information Disclosure Statement
The information disclosure statements (IDS's) submitted on 05/20/2022 is in compliance with provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Continued Examination under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 05/16/2022 has been entered.
Remarks and Response
Applicant’s arguments filed in the amendments on 05/16/2022 have been fully considered but are moot in view of new grounds of rejection. 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claim 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Wu (US Patent Application Publication No 2017/0310704 A1) in view of Hannis (US Patent Application Publication No 2015/0047032 A1). 

Regarding Claim 1, Wu discloses a method implemented by a network traffic management system comprising one or more network traffic management apparatuses, server devices, or client devices, the method comprising: 
intercepting a response from a network application and destined for a client, the response sent in response to a request associated with a user identifier (Wu, Fig-17A-17D, ¶[0308], the deception mechanism has received a packet from a possible threat source. ¶[0309], analysis engine can examine the packet header to determine information such as the port number, a network protocol used by the received packet, a format for the header, content of the header such as source IP address and destination IP address. ¶[0315], threat source send email to the decoy addresses, the emails can be intercepted and analyzed); 
determining that the user identifier associated with the request is a suspicious or malicious user identifier (Wu, Fig-17A-17D, ¶[0310], the source IP address can indicate whether the threat source is inside or outside of the site network. The payload format and payload contents can indicate that the threat source is attempting to exploit a particular vulnerability);
Wu does not explicitly teach the following limitation that Hannis teaches:
based on the determining, forwarding a modified response to the client, the modified response comprising a honeytrap embedded within the intercepted response (Hannis, ¶[0246],honeypot is mainly designed to trap the hackers or present a virtual system to the hacker that never exists. ¶[0264], set up a honeypot to act as a dummy file transfer program and your computer will direct the hacker to the honeypot where he would be taken in by a program that while it might look real);
wherein the honeytrap comprises a deceptive payload inserted into the intercepted response that appears useful to an attacker during an attack of the network application (Hannis, ¶[0271], if the server is not in a listening state on that port, the server will send the client a TCP reset (RST) which will tell the client to close its side of the connection. HoneyTrap will sniff outbound packets for this TCP Reset. HoneyTrap emulates service responses by sending the client back the contents of local response files for a particular service);
detecting engagement with the honeytrap in a subsequent request to the network application (Hannis, ¶[0248]- ¶[0251], three types of honeytrap available: small interaction mainly keeps the log of IP address which are trying to access the system using the port. Medium honeytrap keeps track of files accessed. Large honeytrap uses security features that can simulate virtual operating systems for the intruders);
in response to detecting the engagement with the honeytrap, storing an indication that the user identifier is malicious (Hannis, ¶[0271], if the server is not in a listening state on that port, the server will send the client a TCP reset (RST) which will tell the client to close its side of the connection. HoneyTrap will sniff outbound packets for this TCP Reset. HoneyTrap emulates service responses by sending the client back the contents of local response files for a particular service);
Wu in view of Hannis are analogous art because they are from the “same field of endeavor” and are from the same “problem solving area”. Namely, they pertain to the field of “detecting unauthorized users and hackers and deploying honeypots to distract attackers”. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to modify the invention of Wu in view of Hannis to include the idea of presenting artificial content in response to web request when the web request is verified as malicious. The modification will protect web services and their components from being attacked by inspecting network traffic at varying degrees of depth, typically by matching incoming traffic data with library of patterns and network protocol analyzers.

Regarding Claim 2, Wu in view of Hannis discloses the method of claim 1, further comprising: 
determining an attack type of the subsequent request (Hannis, ¶[0246],honeypot is mainly designed to trap the hackers or present a virtual system to the hacker that never exists. ¶[0264], set up a honeypot to act as a dummy file transfer program and your computer will direct the hacker to the honeypot where he would be taken in by a program that while it might look real); and 
sending a deceptive response to the subsequent request, the deceptive response formatted consistently with the attack type of the subsequent request (Hannis, ¶[0271], if the server is not in a listening state on that port, the server will send the client a TCP reset (RST) which will tell the client to close its side of the connection. HoneyTrap will sniff outbound packets for this TCP Reset. HoneyTrap emulates service responses by sending the client back the contents of local response files for a particular service).

Regarding Claim 3, Wu in view of Hannis discloses the method of claim 1, wherein the honeytrap is selected from a plurality of honeytraps, and the plurality of honeytraps are dynamically updateable (Hannis, ¶[0248]- ¶[0251], three types of honeytrap available: small interaction mainly keeps the log of IP address which are trying to access the system using the port. Medium honeytrap keeps track of files accessed. Large honeytrap uses security features that can simulate virtual operating systems for the intruders).
 
Regarding Claim 4, Wu in view of Hannis discloses the method of claim 1, wherein the honeytrap comprises a false uniform resource identifier (URI), and the engagement with the honeytrap in the subsequent request is a request to access the false URI (Hannis, ¶[0248]- ¶[0251], three types of honeytrap available: small interaction mainly keeps the log of IP address which are trying to access the system using the port. Medium honeytrap keeps track of files accessed. Large honeytrap uses security features that can simulate virtual operating systems for the intruders). 

Regarding Claim 5, Wu in view of Hannis discloses the method of claim 1, wherein the honeytrap comprises a false credential, and the engagement with the honeytrap in the subsequent request is a request to access a resource using the false credential (Wu, ¶[0218], remote access is accomplished by telephone number and access control credential (ID or password). ¶[0311], if the threat source is attempting a connection that requires a password, the deception mechanism can be configured to accept whatever password the threat source provides. Also Hannis, ¶[0099], scanning attack generates a large number of sequences of characters that could be telephone number or password). 

Regarding Claim 6, Wu in view of Hannis discloses the method of claim 1, wherein the response is modified in response to detecting the user identifier associated with the request is suspicious based on a behavioral analysis of a plurality of requests from the user identifier (Wu, Fig-17A-17D, ¶[0310], the source IP address can indicate whether the threat source is inside or outside of the site network. The payload format and payload contents can indicate that the threat source is attempting to exploit a particular vulnerability). 
Regarding Claim 7, Wu discloses a system comprising one or more network application firewall modules, networking modules, or server modules, memory comprising programmed instructions stored thereon, and one or more processors configured to be capable of executing the stored programmed instructions to: 
intercept a response from a network application and destined for a client, the response sent in response to a request associated with a user identifier (Wu, Fig-17A-17D, ¶[0308], the deception mechanism has received a packet from a possible threat source. ¶[0309], analysis engine can examine the packet header to determine information such as the port number, a network protocol used by the received packet, a format for the header, content of the header such as source IP address and destination IP address. ¶[0315], threat source send email to the decoy addresses, the emails can be intercepted and analyzed); 
determine that the user identifier associated with the request is a suspicious or malicious user identifier (Wu, Fig-17A-17D, ¶[0310], the source IP address can indicate whether the threat source is inside or outside of the site network. The payload format and payload contents can indicate that the threat source is attempting to exploit a particular vulnerability);
Wu does not explicitly teach the following limitation that Hannis teaches:
based on the determination, forward a modified response to the client, the modified response comprising a honeytrap embedded within the intercepted response (Hannis, ¶[0246],honeypot is mainly designed to trap the hackers or present a virtual system to the hacker that never exists. ¶[0264], set up a honeypot to act as a dummy file transfer program and your computer will direct the hacker to the honeypot where he would be taken in by a program that while it might look real);
wherein the honeytrap comprises a deceptive payload inserted into the intercepted response that appears useful to an attacker during an attack of the network application (Hannis, ¶[0271], if the server is not in a listening state on that port, the server will send the client a TCP reset (RST) which will tell the client to close its side of the connection. HoneyTrap will sniff outbound packets for this TCP Reset. HoneyTrap emulates service responses by sending the client back the contents of local response files for a particular service);
detect engagement with the honeytrap in a subsequent request to the network application (Hannis, ¶[0248]- ¶[0251], three types of honeytrap available: small interaction mainly keeps the log of IP address which are trying to access the system using the port. Medium honeytrap keeps track of files accessed. Large honeytrap uses security features that can simulate virtual operating systems for the intruders).
in response to detecting the engagement with the honeytrap, store an indication that the user identifier is malicious (Hannis, ¶[0271], if the server is not in a listening state on that port, the server will send the client a TCP reset (RST) which will tell the client to close its side of the connection. HoneyTrap will sniff outbound packets for this TCP Reset. HoneyTrap emulates service responses by sending the client back the contents of local response files for a particular service). 
Wu in view of Hannis are analogous art because they are from the “same field of endeavor” and are from the same “problem solving area”. Namely, they pertain to the field of “detecting unauthorized users and hackers and deploying honeypots to distract attackers”. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to modify the invention of Wu in view of Hannis to include the idea of presenting artificial content in response to web request when the web request is verified as malicious. The modification will protect web services and their components from being attacked by inspecting network traffic at varying degrees of depth, typically by matching incoming traffic data with library of patterns and network protocol analyzers..

Regarding Claim 8, Wu in view of Hannis discloses the system of claim 7, wherein the one or more processors are further configured to be capable of executing the stored programmed instructions to: 
determine an attack type of the subsequent request (Hannis, ¶[0246],honeypot is mainly designed to trap the hackers or present a virtual system to the hacker that never exists. ¶[0264], set up a honeypot to act as a dummy file transfer program and your computer will direct the hacker to the honeypot where he would be taken in by a program that while it might look real); and 
send a deceptive response to the subsequent request, the deceptive response formatted consistently with the attack type of the subsequent request (Hannis, ¶[0271], if the server is not in a listening state on that port, the server will send the client a TCP reset (RST) which will tell the client to close its side of the connection. HoneyTrap will sniff outbound packets for this TCP Reset. HoneyTrap emulates service responses by sending the client back the contents of local response files for a particular service). 

Regarding Claim 9, Wu in view of Hannis discloses the system of claim 7, wherein the honeytrap comprises a false uniform resource identifier (URI), and the engagement with the honeytrap in the subsequent request is a request to access the false URI (Hannis, ¶[0248]- ¶[0251], three types of honeytrap available: small interaction mainly keeps the log of IP address which are trying to access the system using the port. Medium honeytrap keeps track of files accessed. Large honeytrap uses security features that can simulate virtual operating systems for the intruders).
 
Regarding Claim 10, Wu in view of Hannis discloses the system of claim 7, wherein the honeytrap comprises a false credential, and the engagement with the honeytrap in the subsequent request is a request to access a resource using the false credential (Wu, ¶[0218], remote access is accomplished by telephone number and access control credential (ID or password). ¶[0311], if the threat source is attempting a connection that requires a password, the deception mechanism can be configured to accept whatever password the threat source provides. Also Hannis, ¶[0099], scanning attack generates a large number of sequences of characters that could be telephone number or password). 

Regarding Claim 11, Wu in view of Hannis discloses the system of claim 7, wherein the response is modified in response to detecting the user identifier associated with the request is suspicious based on a behavioral analysis of a plurality of requests from the user identifier (Wu, Fig-17A-17D, ¶[0310], the source IP address can indicate whether the threat source is inside or outside of the site network. The payload format and payload contents can indicate that the threat source is attempting to exploit a particular vulnerability).

Regarding Claim 12, Wu discloses a non-transitory computer readable medium having stored thereon instructions comprising executable code that, when executed by one or more processors, causes the one or more processors to: 
intercept a response from a network application and destined for a client, the response sent in response to a request associated with a user identifier (Wu, Fig-17A-17D, ¶[0308], the deception mechanism has received a packet from a possible threat source. ¶[0309], analysis engine can examine the packet header to determine information such as the port number, a network protocol used by the received packet, a format for the header, content of the header such as source IP address and destination IP address. ¶[0315], threat source send email to the decoy addresses, the emails can be intercepted and analyzed); 
determine that the user identifier associated with the request is a suspicious or malicious user identifier (Wu, Fig-17A-17D, ¶[0310], the source IP address can indicate whether the threat source is inside or outside of the site network. The payload format and payload contents can indicate that the threat source is attempting to exploit a particular vulnerability);
Wu does not explicitly teach the following limitation that Hannis teaches:
 based on the determination, forward a modified response to the client, the modified response comprising a honeytrap embedded within the intercepted response (Hannis, ¶[0246],honeypot is mainly designed to trap the hackers or present a virtual system to the hacker that never exists. ¶[0264], set up a honeypot to act as a dummy file transfer program and your computer will direct the hacker to the honeypot where he would be taken in by a program that while it might look real);
wherein the honeytrap comprises a deceptive payload inserted into the intercepted response that appears useful to an attacker during an attack of the network application (Hannis, ¶[0271], if the server is not in a listening state on that port, the server will send the client a TCP reset (RST) which will tell the client to close its side of the connection. HoneyTrap will sniff outbound packets for this TCP Reset. HoneyTrap emulates service responses by sending the client back the contents of local response files for a particular service); 
detect engagement with the honeytrap in a subsequent request to the network application (Hannis, ¶[0248]- ¶[0251], three types of honeytrap available: small interaction mainly keeps the log of IP address which are trying to access the system using the port. Medium honeytrap keeps track of files accessed. Large honeytrap uses security features that can simulate virtual operating systems for the intruders).
in response to detecting the engagement with the honeytrap, store an indication that the user identifier is malicious (Hannis, ¶[0271], if the server is not in a listening state on that port, the server will send the client a TCP reset (RST) which will tell the client to close its side of the connection. HoneyTrap will sniff outbound packets for this TCP Reset. HoneyTrap emulates service responses by sending the client back the contents of local response files for a particular service);
Wu in view of Hannis are analogous art because they are from the “same field of endeavor” and are from the same “problem solving area”. Namely, they pertain to the field of “detecting unauthorized users and hackers and deploying honeypots to distract attackers”. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to modify the invention of Wu in view of Hannis to include the idea of presenting artificial content in response to web request when the web request is verified as malicious. The modification will protect web services and their components from being attacked by inspecting network traffic at varying degrees of depth, typically by matching incoming traffic data with library of patterns and network protocol analyzers.

Regarding Claim 13, Wu in view of Hannis discloses the computer readable medium of claim 12, wherein the instructions further comprise executable code that, when executed by the one or more processors, causes the one or more processors to: 
determine an attack type of the subsequent request (Hannis, ¶[0246],honeypot is mainly designed to trap the hackers or present a virtual system to the hacker that never exists. ¶[0264], set up a honeypot to act as a dummy file transfer program and your computer will direct the hacker to the honeypot where he would be taken in by a program that while it might look real); and 
send a deceptive response to the subsequent request, the deceptive response formatted consistently with the attack type of the subsequent request (Hannis, ¶[0271], if the server is not in a listening state on that port, the server will send the client a TCP reset (RST) which will tell the client to close its side of the connection. HoneyTrap will sniff outbound packets for this TCP Reset. HoneyTrap emulates service responses by sending the client back the contents of local response files for a particular service). 

Regarding Claim 14, Wu in view of Hannis discloses the computer readable medium of claim 12, wherein the honeytrap comprises a false uniform resource identifier (URI), and the engagement with the honeytrap in the subsequent request is a request to access the false URI (Hannis, ¶[0248]- ¶[0251], three types of honeytrap available: small interaction mainly keeps the log of IP address which are trying to access the system using the port. Medium honeytrap keeps track of files accessed. Large honeytrap uses security features that can simulate virtual operating systems for the intruders). 

Regarding Claim 15, Wu in view of Hannis discloses the computer readable medium of claim 12, wherein the honeytrap comprises a false credential, and the engagement with the honeytrap in the subsequent request is a request to access a resource using the false credential (Wu, ¶[0218], remote access is accomplished by telephone number and access control credential (ID or password). ¶[0311], if the threat source is attempting a connection that requires a password, the deception mechanism can be configured to accept whatever password the threat source provides. Also Hannis, ¶[0099], scanning attack generates a large number of sequences of characters that could be telephone number or password).  

Regarding Claim 16, Wu in view of Hannis discloses the computer readable medium of claim 12, wherein the response is modified in response to detecting the user identifier associated with the request is suspicious based on a behavioral analysis of a plurality of requests from the user identifier (Wu, Fig-17A-17D, ¶[0310], the source IP address can indicate whether the threat source is inside or outside of the site network. The payload format and payload contents can indicate that the threat source is attempting to exploit a particular vulnerability). 

Regarding Claim 17, Wu discloses a network traffic management apparatus, comprising memory comprising programmed instructions stored thereon and one or more processors configured to be capable of executing the stored programmed instructions to: 
intercept a response from a network application and destined for a client, the response sent in response to a request associated with a user identifier (Wu, Fig-17A-17D, ¶[0308], the deception mechanism has received a packet from a possible threat source. ¶[0309], analysis engine can examine the packet header to determine information such as the port number, a network protocol used by the received packet, a format for the header, content of the header such as source IP address and destination IP address. ¶[0315], threat source send email to the decoy addresses, the emails can be intercepted and analyzed); 
determine that the user identifier associated with the request is a suspicious or malicious user identifier (Wu, Fig-17A-17D, ¶[0310], the source IP address can indicate whether the threat source is inside or outside of the site network. The payload format and payload contents can indicate that the threat source is attempting to exploit a particular vulnerability);
Wu does not explicitly teach the following limitation that Hannis teaches:
 based on the determination, forward a modified response to the client, the modified response comprising a honeytrap embedded within the intercepted response (Hannis, ¶[0246],honeypot is mainly designed to trap the hackers or present a virtual system to the hacker that never exists. ¶[0264], set up a honeypot to act as a dummy file transfer program and your computer will direct the hacker to the honeypot where he would be taken in by a program that while it might look real);
wherein the honeytrap comprises a deceptive payload inserted into the intercepted response that appears useful to an attacker during an attack of the network application (Hannis, ¶[0271], if the server is not in a listening state on that port, the server will send the client a TCP reset (RST) which will tell the client to close its side of the connection. HoneyTrap will sniff outbound packets for this TCP Reset. HoneyTrap emulates service responses by sending the client back the contents of local response files for a particular service); 
detect engagement with the honeytrap in a subsequent request to the network application (Hannis, ¶[0248]- ¶[0251], three types of honeytrap available: small interaction mainly keeps the log of IP address which are trying to access the system using the port. Medium honeytrap keeps track of files accessed. Large honeytrap uses security features that can simulate virtual operating systems for the intruders).
in response to detecting the engagement with the honeytrap, store an indication that the user identifier is malicious (Hannis, ¶[0271], if the server is not in a listening state on that port, the server will send the client a TCP reset (RST) which will tell the client to close its side of the connection. HoneyTrap will sniff outbound packets for this TCP Reset. HoneyTrap emulates service responses by sending the client back the contents of local response files for a particular service);
Wu in view of Hannis are analogous art because they are from the “same field of endeavor” and are from the same “problem solving area”. Namely, they pertain to the field of “detecting unauthorized users and hackers and deploying honeypots to distract attackers”. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to modify the invention of Wu in view of Hannis to include the idea of presenting artificial content in response to web request when the web request is verified as malicious. The modification will protect web services and their components from being attacked by inspecting network traffic at varying degrees of depth, typically by matching incoming traffic data with library of patterns and network protocol analyzers.

Regarding Claim 18, Wu in view of Hannis discloses the network traffic management apparatus of claim 17, wherein the programmed instructions stored thereon and one or more processors are further configured to be capable of executing the stored programmed instructions to: 
determine an attack type of the subsequent request (Hannis, ¶[0246],honeypot is mainly designed to trap the hackers or present a virtual system to the hacker that never exists. ¶[0264], set up a honeypot to act as a dummy file transfer program and your computer will direct the hacker to the honeypot where he would be taken in by a program that while it might look real); and 
send a deceptive response to the subsequent request, the deceptive response formatted consistently with the attack type of the subsequent request (Hannis, ¶[0271], if the server is not in a listening state on that port, the server will send the client a TCP reset (RST) which will tell the client to close its side of the connection. HoneyTrap will sniff outbound packets for this TCP Reset. HoneyTrap emulates service responses by sending the client back the contents of local response files for a particular service). 

Regarding Claim 19, Wu in view of Hannis discloses the network traffic management apparatus of claim 17, wherein the honeytrap comprises a false uniform resource identifier (URI), and the engagement with the honeytrap in the subsequent request is a request to access the false URI (Hannis, ¶[0248]- ¶[0251], three types of honeytrap available: small interaction mainly keeps the log of IP address which are trying to access the system using the port. Medium honeytrap keeps track of files accessed. Large honeytrap uses security features that can simulate virtual operating systems for the intruders). 

Regarding Claim 20, Wu in view of Hannis discloses the network traffic management apparatus of claim 17, wherein the response is modified in response to detecting the user identifier associated with the request is suspicious based on a behavioral analysis of a plurality of requests from the user identifier (Wu, Fig-17A-17D, ¶[0310], the source IP address can indicate whether the threat source is inside or outside of the site network. The payload format and payload contents can indicate that the threat source is attempting to exploit a particular vulnerability). 

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure (see PTO-Form 892).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WASIKA NIPA whose telephone number is (571)272-8923.  The examiner can normally be reached on M-F, 8 am to 5 pm. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on 571-272-6798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/WASIKA NIPA/           Primary Examiner, Art Unit 2433