DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Priority
Acknowledgment is made of applicant’s claim for domestic priority under 35 U.S.C. 119(e).

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that use the word “means” or “step” but are nonetheless not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph because the claim limitation(s) recite(s) sufficient structure, materials, or acts to entirely perform the recited function.  Such claim limitation(s) is/are: “processor…configured…to execute” in claim 15.
Because this/these claim limitation(s) is/are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are not being interpreted to cover only the corresponding structure, material, or acts described in the specification as performing the claimed function, and equivalents thereof.
If applicant intends to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to remove the structure, materials, or acts that performs the claimed function; or (2) present a sufficient showing that the claim limitation(s) does/do not recite sufficient structure, materials, or acts to perform the claimed function.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 16, 17, and 19 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Ludwig et al, US 2019/0379696.

As per claim 16, it is disclosed by Ludwig et al of a method of deployment of malware detection traps by at least one processor, the method comprising:
performing a first interrogation (via a cognitive system) of a first NA of a specific NA family (network containing multiple computing devices)(see paragraph 0043, lines 1-6 and paragraph 0045, lines 15-27);
determining, based on the interrogation, a value of one or more first NA property data elements (activity data) of the first NA (paragraph 0046, lines 1-12 and paragraph 0053, lines 1-9);
obtaining one or more second NA property data elements corresponding to the specific NA family (matching properties are collected from various devices within the network, see paragraph 0046, lines 1-12 and paragraph 0053, lines 1-9);
integrating the one or more first NA property data elements and the one or more second NA property data elements to generate a template (corpus) data element, corresponding to the specific NA family (paragraph 0055, lines 1-18);
producing, from the template data element, a malware detection trap module (paragraph 0055, lines 1-18); and
deploying, on one or more computing devices of a computer network, one or more instantiations of the malware detection trap module (the trap function isolates the malicious activity) as decoys of at least one of the first NA and second NA of the at least one NA (paragraph 0056, lines 1-5).
As per claim 17, it is disclosed of further comprising receiving at least one configuration data element, and wherein producing from the template (corpus) data element a malware detection trap module is done based on the received at least one configuration data element (paragraph 0055, lines 1-18).
As per claim 19, it is taught wherein obtaining one or more second NA property data elements comprises performing an interrogation of a second NA; and determining the one or more second NA property data elements based on the interrogation (determines if there exists matching or unmatched characteristics, see paragraph 0055, lines 1-22).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-15 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Ludwig et al, US 2019/0379696 in view of Kawasaki et al, US 2018/0375897.

As per claim 1, it is taught by Ludwig et al of a method of automatic generation of malware detection traps by at least one processor, the method comprising:
performing an interrogation (via a cognitive system) of at least one network asset (NA), comprised within a computer network (see paragraph 0043, lines 1-6 and paragraph 0045, lines 15-27);
determining, based on the interrogation, one or more data elements pertaining to a device level fingerprint (port activity) of the at least one NA (paragraph 0046, lines 1-12 and paragraph 0053, lines 1-9);
automatically generating a trap module adapted to emulate behavior of the at least one NA, based on the one or more data elements of the device level fingerprint (paragraph 0055, lines 1-22); and
deploying, on one or more computing devices of the computer network, one or more instantiations of the trap module as decoys (the trap function isolates the malicious activity) of the at least one NA (paragraph 0056, lines 1-5).
Although the teachings of Ludwig disclose characteristics related to the device and the use of various operating system types (see paragraphs 0066 and 0071), the teachings fail to disclose an operating system (OS)-level fingerprint of the at least one network asset.
The teachings of Kawasaki et al, US 2018/0375897 are relied upon for disclosing an operating system (OS)-level fingerprint of the at least one network asset by distinguishing between the two (paragraph 0023, lines 1-7). It would have been obvious to a person of ordinary skill in the art before the effective date of the claimed invention to have been motivated to uniquely identify a device by collecting specific characteristics. The teachings of Kawasaki et al disclose probing devices to determine if they are real (paragraph 0023, lines 1-7). The teachings of Kawasaki et al further disclose capturing the operating system data so as to appear as real devices, which is used for simulations in honeypots (see paragraph 0050, lines 1-9). The teachings of Ludwig et al are suggestive of additional device-specific characteristic data (paragraph 0055, lines 1-18), and it is obvious to combine the teachings of Ludwig et al with Kawasaki et al since Ludwig et al is directed towards using decoys in a manner similar to Kawasaki et al, which uses honeypots to deceive attackers.
As per claim 2, it is disclosed by Ludwig et al of further comprising determining, based on the interrogation, one or more data elements pertaining to a network-level fingerprint of the NA, wherein the generated trap module is adapted to emulate behavior of the NA, based on the one or more data elements of network-level fingerprint (paragraph 0055, lines 1-22).
As per claim 3, it is taught by Ludwig et al of further comprising determining, based on the interrogation, one or more data elements pertaining to a vendor (security professional) associated with the NA, wherein the generated trap module is adapted to emulate behavior of the NA, based on the one or more vendor data elements (paragraph 0055, lines 1-28).
As per claim 4, it is disclosed by Kawasaki et al wherein the one or more OS-level fingerprint data elements are selected from a list consisting of: an OS type of the NA and an OS version of the NA (see paragraph 0117 of Kawasaki et al).  Please refer above for the motivational reasoning of applying the teachings of Kawasaki et al with Ludwig et al.
As per claim 5, it is disclosed by Ludwig et al wherein the one or more network-level fingerprint data elements are selected from a list consisting of: an address of the NA, an identification of one or more communication ports of the NA, status of the one or more ports, a service associated with a port of the one or more ports, and a communication protocol utilized on a port of the one or more ports (paragraph 0055, lines 1-22).
As per claim 6, it is taught by Ludwig et al of further comprising: selecting an open port of one or more communication ports; utilizing a communication protocol associated with the selected port to communicate with a service associated with the selected port; and obtaining one or more application-level data elements from said service, wherein the generated trap software module is adapted to emulate behavior of the NA based on the determined one or more application-level data elements (paragraph 0055, lines 1-22).
As per claim 7, it is disclosed by Ludwig et al wherein one or more application-level data elements are selected from a list consisting of: information pertaining to a filesystem that is comprised within the NA, information pertaining to a banner (context data) associated with the NA, metadata of applications executed on the interrogated NA, and metadata of services, served by the interrogated NA (paragraph 0042).
As per claim 8, it is taught by Ludwig et al wherein the service associated with the selected port is a web server, and wherein the method further comprises: communicating with the web server via the computer network; and obtaining one or more application-level data elements that comprise information from a web page, served by the web server, wherein the generated trap software module is further adapted to emulate application-level behavior of the NA, based on the information from the web page (paragraph 0057, lines 1-13).
As per claim 9, it is taught by Ludwig et al wherein generating a trap module comprises: generating, based on the interrogation, a template (corpus) module; receiving, via a user interface, one or more customization data elements; and customizing the template module based on the one or more customization data elements to produce one or more instantiations of trap modules (paragraph 0057).
As per claim 10, Ludwig et al discloses wherein the one or more received customization data elements are selected from a list consisting of:  device level fingerprint data elements, network-level fingerprint data elements, vendor (security professional) data elements and application-level data elements, and wherein the trap module is adapted to emulate behavior of the NA, based on the received customization data elements (paragraph 0055, lines 1-22).  Kawasaki et al discloses wherein the one or more OS-level fingerprint data elements (see paragraph 0117 of Kawasaki et al).  Please refer above for the motivational reasoning of applying the teachings of Kawasaki et al with Ludwig et al.
As per claim 11, it is taught by Ludwig et al of further comprising deploying, on a computing device of the computer network, a first instantiation of a trap module and a second instantiation of a trap module, wherein the first instantiation differs from the second instantiation by at least one of: a device level fingerprint data element, a network-level fingerprint data element, a vendor (security professional) data element and an application-level data element (paragraph 0055, lines 1-28). Kawasaki et al discloses wherein the one or more OS-level fingerprint data elements (see paragraph 0117 of Kawasaki et al). Please refer above for the motivational reasoning of applying the teachings of Kawasaki et al with Ludwig et al.
As per claim 12, it is disclosed by Ludwig et al of further comprising: generating a virtual (emulated) computing device on a node of the computer network; deploying, on the virtual computing device of the computer network a first instantiation of a trap module and a second instantiation of a trap module, wherein the first instantiation differs from the second instantiation by at least one of: a device-level fingerprint data element, a network-level fingerprint data element, and an application-level data element (paragraph 0055, lines 1-22).  Kawasaki et al discloses wherein the one or more OS-level fingerprint data elements (see paragraph 0117 of Kawasaki et al).  Please refer above for the motivational reasoning of applying the teachings of Kawasaki et al with Ludwig et al.
As per claim 13, it is taught by Ludwig et al wherein an instantiation of at least one trap module is adapted to: identify at least one data transaction comprising access of an unauthorized computing device to the trap module; gather information pertaining to the unauthorized computing device, based on the identified at least one data transaction; and perform, based on the gathered information, at least one action of mitigation (isolation) on a network component of the computer network, to evade a cyber-attack from the unauthorized computing device (paragraph 0055, lines 1-22).
As per claim 14, it is disclosed by Ludwig et al wherein emulating behavior of the NA comprises initiating one or more computer network transactions on the computer network (paragraph 0026, lines 1-14).
As per claim 15, it is taught by Ludwig et al of a system for automatic generation of malware detection traps, the system comprising:
a non-transitory memory device, wherein modules of instruction code are stored, and at least one processor associated with the memory device, and configured to execute the modules of instruction code, whereupon execution of said modules of instruction code, the at least one processor is configured to:
perform an interrogation (via a cognitive system) of a NA, comprised within a computer network (see paragraph 0043, lines 1-6 and paragraph 0045, lines 15-27);
determine, based on the interrogation, one or more data elements pertaining to a device level fingerprint (port activity) of the NA (paragraph 0046, lines 1-12 and paragraph 0053, lines 1-9);
generate a trap module adapted to emulate behavior of the NA, based on the one or more data elements of device level fingerprint (paragraph 0055, lines 1-22); and
deploy, on one or more computing devices of the computer network, one or more instantiations of the trap module as decoys (the trap function isolates the malicious activity) of the NA (paragraph 0056, lines 1-5).
Although the teachings of Ludwig disclose characteristics related to the device and the use of various operating system types (see paragraphs 0066 and 0071), the teachings fail to disclose an operating system (OS)-level fingerprint of the at least one network asset.
The teachings of Kawasaki et al, US 2018/0375897 are relied upon for disclosing an operating system (OS)-level fingerprint of the at least one network asset by distinguishing between the two (paragraph 0023, lines 1-7). It would have been obvious to a person of ordinary skill in the art before the effective date of the claimed invention to have been motivated to uniquely identify a device by collecting specific characteristics. The teachings of Kawasaki et al disclose probing devices to determine if they are real (paragraph 0023, lines 1-7). The teachings of Kawasaki et al further disclose capturing the operating system data so as to appear as real devices, which is used for simulations in honeypots (see paragraph 0050, lines 1-9). The teachings of Ludwig et al are suggestive of additional device-specific characteristic data (paragraph 0055, lines 1-18), and it is obvious to combine the teachings of Ludwig et al with Kawasaki et al since Ludwig et al is directed towards using decoys in a manner similar to Kawasaki et al, which uses honeypots to deceive attackers.
As per claim 18, Ludwig et al discloses wherein the at least one first NA property data elements and the at least one second NA property data elements are selected from a list consisting of: an NA type data element; a device data element; a filesystem data element; a vendor (security professional) data element; an architecture data element; a network-level fingerprint data element; and an application-level data element (paragraph 0055, lines 1-28).
Although the teachings of Ludwig disclose characteristics related to the device and the use of various operating system types (see paragraphs 0066 and 0071), the teachings fail to disclose an operating system (OS)-level fingerprint of the at least one network asset.
The teachings of Kawasaki et al, US 2018/0375897 are relied upon for disclosing an operating system (OS)-level fingerprint of the at least one network asset by distinguishing between the two (paragraph 0023, lines 1-7). It would have been obvious to a person of ordinary skill in the art before the effective date of the claimed invention to have been motivated to uniquely identify a device by collecting specific characteristics. The teachings of Kawasaki et al disclose probing devices to determine if they are real (paragraph 0023, lines 1-7). The teachings of Kawasaki et al further disclose capturing the operating system data so as to appear as real devices, which is used for simulations in honeypots (see paragraph 0050, lines 1-9). The teachings of Ludwig et al are suggestive of additional device-specific characteristic data (paragraph 0055, lines 1-18), and it is obvious to combine the teachings of Ludwig et al with Kawasaki et al since Ludwig et al is directed towards using decoys in a manner similar to Kawasaki et al, which uses honeypots to deceive attackers.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Ettema et al, U.S. Patent 9,882,929 is relied upon for disclosing of analyzing malware in a honey network that emulates a target device, see column 9, lines 12-15.
Kolton et al, U.S. Patent 9,807,114 is relied upon for disclosing of decoy resources and mini-traps in regards to malware detection, see abstract.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER A REVAK whose telephone number is (571)272-3794. The examiner can normally be reached 5:30am - 3:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, LYNN FEILD can be reached on 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/CHRISTOPHER A REVAK/Primary Examiner, Art Unit 2431