DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Information Disclosure Statement
The information disclosure statement(s) (IDS) submitted on 11/23/2020 was filed before the mailing date of this office action.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statements are being considered by the examiner.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 8-9 and 14-15 are rejected under 35 U.S.C. 103 as being unpatentable over US-PGPUB No. US 2018/0145986 A1 to Chien and further in view of US-PGPUB No. 2019/0166159 A1 to Avrahami et al. (hereinafter “Avrahami”)
Regarding claim 1:
Chien discloses: 
A non-transitory computer-readable storage medium (¶31: “… Mass memory 24 …”) storing a generation program (¶33: “Mass memory 24 further includes … Programs 34 … Programs 34 may include computer executable instructions …”) that causes a processor (¶31: “… a processing unit 22 …”, Fig. 2, item 22: “central processing unit”) to execute a process, the process comprising: 
when malware is detected in a first information processing device (¶129: “… a networking device 801 …”, Fig. 8, item 801) that belongs to a first system, changing a destination address of packets (¶143: “…  the process redirects the network communication to a mock destination computing system. The process here may modify destination addresses stored in packets so that the destination addresses reference the mock system instead of the original destination system.”) transmitted from the first information processing device to an address corresponding to a second information processing device (¶129: “… a mock computing system 803 …”, Fig. 8, mock System 803) that belongs to a second system based on a predetermined rule to transmit the packets to the second information processing device that belongs to the second system (¶132: “…  the communication from the questionable device 811 is disallowed, because one or more of the following are true: the device 811 is not using an IP address that is included in the white list, is not communicating from an approved geographic location, or the like. In this embodiment, upon determining that the communication is not allowed, the networking device 801 redirects the communication (e.g., transmits the packet, generates an HTTP redirect, etc.) to the mock computing system 803, rather than the destination system 802.”); 
However, Chien failed to disclose the following limitations taught by Avrahami:
executing a generation process (Avrahami, ¶39: “… a fake data generator 312 …”) that, based on log information generated in the first system, generate at least one of a fake file (¶40: “… a masked file …”) of a file related to the first system, a fake email of an email related to the first system, or fake communication information of communication information related to the first system (Avrahami, ¶38: “The logger 304 can store each executed operation for each user. … recorder 302 and the logger 304 can enable data lineage to be tracked …”, ¶40: “… the fake data generator 312 can generate a masked file in response to identifying a suspicious user accessing a file or creating a new file via the FAM 310. …  the FAM 310 can detect relevant false sensitive information stored in a local file and transmit the relevant false sensitive information to the DAM 308 so that any database query provides results consistent with the relevant false sensitive information.”); and 
transmitting the generated fake file or fake communication information to the second information processing device (Avrahami, ¶40: “… the fake data generator 312 transmits relevant false sensitive information to the network monitor 306 …”). 
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the invention, to modify the teachings of Chien to incorporate the functionality of the fake data generator to generate false data for suspicious users and transmit it to the network monitoring device, as disclosed by Avrahami. Such modification would allow the system to generate relevant false sensitive information that appears to a suspicious user to be legitimate and accurate, thus making it easier to continuously and safely collect unauthorized access information without the attacker noticing it.
Regarding claim 2:
The combination of Chien and Avrahami discloses:
The non-transitory computer-readable storage medium according to claim 1, wherein the process further comprising: 
transmitting the generated fake file or fake communication information to the second information processing device together with the packets (Chien, ¶143: “…  the packets are transmitted and carried via the network to the mock system.”, ¶134: “The mock system 803 may … store or provide false or fake data”).  
Regarding claim 3:
The combination of Chien and Avrahami discloses: 
The non-transitory computer-readable storage medium according to claim 1, wherein the generation process generates a fake file of a file of a file server that belongs to the first system based on log information generated in the file server that belongs to the first system (Avrahami, ¶38: “The logger 304 can store each executed operation for each user. … recorder 302 and the logger 304 can enable data lineage to be tracked …”, ¶40: “… the fake data generator 312 can generate a masked file in response to identifying a suspicious user accessing a file or creating a new file via the FAM 310. …  the FAM 310 can detect relevant false sensitive information stored in a local file and transmit the relevant false sensitive information to the DAM 308 so that any database query provides results consistent with the relevant false sensitive information.”).  
The same motivation which is applied to claim 1, applies to claim 3.
Regarding claims 8-9:
Claims 8 and 9 substantially recite the same limitations as claims 1 and 3, respectively, in the form of a method implementing the corresponding processes, therefore they are rejected by the same rationale.
Regarding claim 14:
Chien discloses:
An apparatus (¶30: “… an electronic device…”), comprising: 
a communicator (¶37: “… a network communication interface unit 48 …”) configured to communicate with an information processing device (¶36: “… client device 20 …”) that belongs to a first system (Fig. 8, Destination System 802) or a second system (Fig. 8, Mock System 803); and 
a processor (¶31: “… processing unit 22 …”, Fig. 2, item 22: “central processing unit”) configured to:
In addition to the above limitations, claim 14 substantially recites the same limitations as claim 1 in the form of an apparatus to realize the corresponding processes, therefore it is rejected by the same rationale. 
Regarding claim 15:
Claim 15 substantially recites the same limitation as claim 3 in the form of an apparatus to realize the corresponding processes, therefore it is rejected by the same rationale.
Claims 4, 10 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Chien, Avrahami and further in view of USPAT No. 11,316,895 B1 to Wright et al. (hereinafter “Wright”)
Regarding claim 4:
The combination of Chien and Avrahami discloses the non-transitory computer-readable storage medium according to claim 1, but fails to explicitly disclose the following information taught by Wright: 
wherein the generation process generates the fake file according to data selected from a plurality of templates based on a file name of a file of a file server that belongs to the first system (Wright, col 2, lines 49-60: “… receiving, by a computer, from a threat intelligence server, an intelligence file containing a plurality of uniform resource locators associated with a plurality of phishing websites respectively; selecting … from the intelligence file received from the threat intelligence server, a uniform resource locator associated with a phishing website, in response to a webserver receiving one or more network data packets from a device associated with a user directed from the uniform resource locator; generating, by the computer, a set of fake credentials uniquely associated with the uniform resource locator”).  
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the invention, to modify the teachings of the combination of Chien and Avrahami to incorporate the functionality of the method to select, from a plurality of URL templates provided by the threat intelligence server, and generate fake credentials uniquely associated with the URL, as disclosed by Wright. Such modification would allow the system to generate relevant fake files from the corresponding saved templates, thus providing a more efficient way of collecting attack information. 
Regarding claim 10:
Claim 10 substantially recites the same limitation as claim 4 in the form of a method implementing the corresponding processes, therefore it is rejected by the same rationale.
Regarding claim 16:
Claim 16 substantially recites the same limitation as claim 4 in the form of an apparatus to realize the corresponding processes, therefore it is rejected by the same rationale.
Claims 5-7, 11-13 and 17-19 are rejected under 35 U.S.C. 103 as being unpatentable over Chien, Avrahami and further in view of USPAT No. 10,298,598 B1 to McClintock et al. (hereinafter “McClintock”)
Regarding claim 5:
The combination of Chien and Avrahami discloses the non-transitory computer-readable storage medium according to claim 1, but fails to explicitly disclose the following information taught by McClintock: 
wherein the generation process generates a fake email (McClintock, col 19, line 43: “… a fake email response …”) of an email of a mail server that belongs to the first system based on log information (McClintock, col 14, lines 54-56: “… the host computer system 406 may log 412 the connection requests with an attack detector 414 …”) generated in the mail server that belongs to the first system (McClintock, col 15, lines 5-7: “… the attack detector may also alert 434 an attack analyzer learning system that may be configured to at least analyze the pattern of the attack”; col 19, lines 41-45: “… the attack analyzer learning system may inform 1014 an imposter 1016, which may then generate 1018 a fake email response and that fake email response 1020 may be sent to the known attacker 1002.”).  
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the invention, to modify the teachings of the combination of Chien and Avrahami to incorporate the functionality of the imposter to generate a fake email response and send the generated fake email response to the known attacker, as disclosed by McClintock. Such modification would allow the system to generate a relevant fake email response from the corresponding log data, thus providing a more efficient way of collecting attack information from saved historical data.
Regarding claim 6:
The combination of Chien and Avrahami discloses the non-transitory computer-readable storage medium according to claim 1, but fails to explicitly disclose the following information taught by McClintock: 
wherein the generation process generates the fake email according to data selected from a plurality of templates based on a subject of an email of a mail server that belongs to the first system (McClintock, col 19, lines 62-67: “… the fake email response 1020 may include a query to the known attacker 1002 for further information which may then cause the known attacker 1002 to send a next attack email 1022 that may be received by the imposter, triggering the generation 1026 of a next fake email response that may be 1028 sent to the known attacker 1002.”).  
The same motivation which is applied to claim 5 applies to claim 6.
Regarding claim 7:
The combination of Chien and Avrahami discloses the non-transitory computer-readable storage medium according to claim 1, but fails to explicitly disclose the following information taught by McClintock: 
wherein the generation process generates, based on log information generated in response to communication in the first system, the fake communication information according to data selected from a plurality of templates based on packets of the communication (McClintock, col 15, lines 39-63: “… responses to communications requests from known attackers may be generated …  generating one or more fake responses and presenting the one or more fake responses to the known attacker. The fake response 612 received by the known attacker may be one of a plurality of fake responses sent by the host computer system with altered behavior, with such fake responses designed, for example, to present the known attacker 602 with an overwhelming set of false positive connections and thereby limiting the efficiency of the attack. In some embodiments, a fake response 612 may be presented to the known attacker 602 with long delays, or with many small packets, or with large packets, or with low bandwidth, or with other such delaying tactics to further limit the efficiency of the attack.”).
The same motivation which is applied to claim 5 applies to claim 7.
Regarding claims 11-13:
Claims 11-13 substantially recite the same limitations as claims 5-7, respectively, in the form of a method implementing the corresponding processes, therefore they are rejected by the same rationale.
Regarding claims 17-19:
Claims 17-19 substantially recite the same limitations as claims 5-7, respectively, in the form of an apparatus to realize the corresponding processes, therefore they are rejected by the same rationale.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 
Srivastava (US-PGPUB No. 2021/0021637-A1)- disclosed a method and a system for detecting and managing phishing attacks. If a user is likely phished, his communication is automatically rerouted through a deep proxy that can generate fake data and pretend to service the request while invoking a second review and out of band notification. 
Jordan et al. (US-PGPUB No. 2016/0366099-A1)- disclosed a device, system, and method for defending a computer network where network communications are received by a traffic filter, which dynamically determines whether the communications include an anomaly (i.e., are “anomalous” communications), or whether the communications are normal, and do not include an anomaly. The traffic filter routes normal communications to the correct device within its network for servicing the service requested by the communications. The traffic filter routes any anomalous communications to a virtual space engine, which is configured to fake a requested service (e.g., to entice deployment of a malicious payload).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MATTHIAS HABTEGEORGIS whose telephone number is (571)272-1916. The examiner can normally be reached M-F 8am-5pm ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok B Patel can be reached on (571)272-3972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/M.H./Examiner, Art Unit 2491

/ASHOKKUMAR B PATEL/Supervisory Patent Examiner, Art Unit 2491