Notice of Pre-AIA or AIA Status
Claims 1-20 remain for examination. The amendment filed 6/29/22 amended claims 1, 8, & 15.  The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 6/29/22 has been entered.

Response to Arguments
Applicant’s arguments, see page 11 of the amendment filed 6/29/22, with respect to the rejection(s) of claim(s) 1-20 under 35 USC 103, and particularly the argument regarding whether the Turgeman reference teaches the “type of hacker” limitation have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of the newly discovered reference to Wright.

Claim Rejections - 35 USC § 103
The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
Claims 1, 2, 4-9, 11-15, & 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Seger (U.S. Patent 9,716,727) in view of Ettema (U.S. Patent 9,882,929) in view of Wright (U.S. Patent Publication 2019/0058733).

Regarding claims 1, 8, and 15:
Seger discloses a computer-implemented method, program product, and system comprising: receiving, by one or more processors, from a rule-based intrusion detection system, an intercepted request sent by a hacker (col. 16, lines 15-60; see also col. 9, lines 25-35 & 55-65 regarding rules-based systems performing the forwarding of attack traffic); responsive to receiving the intercepted request, analyzing, by the one or more processors, the intercepted request to determine, in part, a type of service (see the services table of e.g. col. 10, line 64 – col. 11, line 31); building, by the one or more processors, a first layer of a honeypot maze based on the analyzed intercepted request that includes at least one service corresponding to the service type (Ibid, and furthermore col. 11, line 31 – col. 12, line 10); responsive to building the first layer of the honeypot maze, simulating, by the one or more processors, the initial layer of the honeypot maze to the hacker (Ibid); and iteratively building, by the one or more processors, additional layers of the honeypot maze based on additional intercepted requests from the hacker (column 11, Ibid; see also e.g. col. 17, lines 15-25: “Once the attacker attempts to scan virtual devices associated with IP addresses in the honey network, the honey network emulation can process probes from the attacker's network scanning attempts and automatically generate responses for each scanned virtual device in the honey network, in which such responses would result in an appropriate fingerprint…”; emphasis Examiner’s).
The building step disclosed by Seger occurs prior to analyzing any intercepted request.  However, Ettema discloses a related invention for intelligent honey networks wherein it also engages in network scanning to create profile data usable for creating duplicate decoys of the target nodes in one’s network (Ettema, e.g. col. 15, lines 1-40 compare to col. 10, line 64 – col. 11, line 31); however, Ettema discloses that in at least one embodiment the invention does not instantiate the decoy network immediately, but instead waits until a malicious communication from an attacker has been detected and analyzed (step 1004 of Figure 10, and col. 38, lines 55-65; details of how Ettema analyzes the communication at col. 38, lines 5-15), and upon identifying the target of the attacker’s communication, selects and instantiates the appropriate VM image comprising the decoy target (step 1006 of Figure 10, and col. 38, line 65 – col. 39, line 5) and further configures [i.e. “builds”] the VM images in real-time to synchronize its state as appearing identical to the target as currently configured (step 1008 of Figure 10, and col. 39, lines 5-10).  Thus, it would have been obvious prior to the effective filing date of the instant application to modify Seger to build its initial layer of the honeypot maze (i.e. instantiate and configure [synchronize] the appropriate VM) specifically based on receiving and analyzing the attacker’s request, as this lightweight approach disclosed by Ettema allows for inter alia reducing computing resource requirements including due to lack of demand for high interactions with a particular device emulated in the honey network (Ettema, col. 16, lines 30-40).
Seger and Ettema are silent regarding also identifying a type of hacker attacking the system.  However, Wright discloses a related invention for intrusion detection (e.g. paragraph 0002) wherein that invention can determine an attacker profile based on observed behavior of the attacker, and construct a honeypot customized to interact with said attacker (e.g. paragraphs 0008 & 0012-0013), and that furthermore the profile(s) of the attacker (paragraphs 0027, 0056, and 0096-0097).  It would have been obvious, prior to the filing date of the instant application, for Seger’s invention to detect the type of attacker as part of its honeynet system, as specifically doing so would allow one to dictate a more appropriate response depending on inter alia the demonstrated skill level of the attacker (i.e. a script kiddie attempting to exploit known and already patched vulnerabilities requires a less intense response than an expert human hacker attempting to exploit new vulnerabilities) (Wright, paragraphs 0096-0097, Ibid).

Regarding claims 2 and 9:
The combination further discloses wherein the type of hacker is selected from the group consisting of a human hacker and a bot hacker (Wright, paragraphs 0096-0097, noting that “script kiddies” are known in the art as pre-written scripts [i.e. “bots”] that automatically attempt to exploit previously known vulnerabilities without any other human intervention; the Wright invention as cited teaches that it can distinguish these from human hackers that are manually performing more novel exploits directly).

Regarding claims 4, 11, and 17:
	The combination further discloses wherein analyzing the intercepted request to determine, in part, the type of service and the type of hacker comprises: correlating, by the one or more processors, behavior of the hacker with known security vulnerabilities (Seger, col. 5, line 32 – col. 6, line 2); and determining, by the one or more processors, an expertise level of the hacker and a currentness of knowledge of the hacker based on known security vulnerabilities (Wright, paragraphs 0096-0097).

Regarding claims 5, 12, and 18:
The combination further discloses wherein analyzing the intercepted request to determine, in part, the type of service and the type of hacker comprises: determining, by the one or more processors, a target of the hacker based on the known security vulnerabilities (Seger, col. 5, line 32 – col. 6, line 2).

Regarding claims 6, 13, and 19:
The combination further discloses wherein building the initial layer of the honeypot maze comprises: activating, by the one or more processors, a service, based on the type of service and the type of hacker, by selecting a microservice image from a set of microservice images and instantiating the microservice image (see the various virtual machines implementing the various emulated devices of the honeynet at Seger, col. 7, line – col. 8, line 25; and Figure 2).

Regarding claims 7, 14, and 20:
The combination further discloses wherein iteratively building the additional layers of the honeypot maze based on the additional intercepted requests from the hacker further comprises: responsive to receiving the additional intercepted requests from the hacker, iteratively building, by the one or more processors, the additional layers of the honeypot maze based on analyzing the additional intercepted requests to determine additional microservices to activate (Seger: all of column 11 to col. 12, line 10) leveraging a Software-Defined Networking (SDN) approach (using the nmap software to define the emulated network: e.g. col. 12, lines 35-55).

Claims 3, 10, & 16 are rejected under 35 U.S.C. 103 as being unpatentable over Seger in view of Ettema in view of Wright as applied to claims 1, 8, & 15 above, and further in view of Turgeman (U.S. Patent Publication 2018/0103047).

Regarding claims 3, 10, and 16:
Although each of the previously cited inventions can distinguish a valid user from an attacker, none of the previously cited references specifically teaches doing so by determining, by the one or more processors, the type of hacker by analyzing credential information included in the intercepted request.  However, Turgeman discloses a related invention for intrusion detection (e.g. Abstract) wherein this limitation is specifically taught (Turgeman, paragraphs 0053-0054).  It would have been obvious, prior to the filing date of the instant application, for Seger’s invention to detect the type of attacker by way of the credentials provided therefrom as part of its honeynet system, as specifically doing so would help reduce the false-positive and false-negative error rates of conventional detection systems, as well as detect & protect against new types of bots not yet known to security providers (Turgeman, paragraphs 0019-0020).


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to THOMAS A GYORFI whose telephone number is (571)272-3849. The examiner can normally be reached 10:00am - 6:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on 571-272-3685. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

THOMAS A. GYORFI
Examiner
Art Unit 2435

/THOMAS A GYORFI/, Examiner, Art Unit 2435, 7/30/22