DETAILED ACTION
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
This Office Action is in response to the amendment filed on 5/19/2022.
Claims 1, 8, 13, and 17-18 have been amended.
Claims 1-20 are pending for consideration.

EXAMINER'S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.

Authorization for this examiner’s amendment was given in an interview with Daniel Lee on 8/1/2022.

Claim 9 has been canceled.
Claims 1, 13 and 17 have been amended as follows: 

Claim 1:
A method in a cloud network to detect compromises of enterprise end stations within an enterprise network based on tokens tunneled outside of the enterprise network to the cloud network, comprising:
receiving, at a tunnel gateway server within the cloud network that is implemented by one or more electronic devices, a first set of one or more packets via a tunnel across a public network from a first server within the enterprise network, wherein the first set of one or more packets were generated by the first server responsive to the first server receiving a second set of one or more packets that originated from within the enterprise network by an enterprise end station attempting to access the first server and that included data and a source enterprise network address, wherein the first set of one or more packets includes the data and an identifier but does not include the source enterprise network address so that the source enterprise network address is not disclosed outside of the enterprise network, wherein the data includes a token; 
transmitting, by the tunnel gateway server, the data within a third set of one or more packets to a second server that acts as if it were an enterprise server within the enterprise network but is actually outside of the enterprise network and does not store enterprise data, traffic transmitted from different source enterprise network addresses without disclosing the different source enterprise network addresses[[.]];
monitoring, by a traffic monitoring module within the cloud network that is implemented by one or more electronic devices, traffic transmitted to the second server, including the third set of one or more packets transmitted to the second server; and
providing, by the traffic monitoring module, alert data to the enterprise network in response to detecting, based on the monitoring, use of the token in the third set of one or more packets.

Claim 9:	
(Canceled)

Claim 13:
A non-transitory computer-readable storage medium having stored therein instructions which, when executed by one or more processors of one or more devices in a cloud network to detect compromises of enterprise end stations within an enterprise network based on tokens tunneled outside of the enterprise network to the cloud network by performing operations comprising:
receiving a first set of one or more packets via a tunnel across a public network from a first server within the enterprise network, wherein the first set of one or more packets were generated by the first server responsive to the first server receiving a second set of one or more packets that originated from within the enterprise network by an enterprise end station attempting to access the first server and that included data and a source enterprise network address, wherein the first set of one or more packets includes the data and an identifier but does not include the source enterprise network address so that the source enterprise network address is not disclosed outside of the enterprise network, wherein the data includes a token; 
transmitting the data within a third set of one or more packets to a second server that acts as if it were an enterprise server within the enterprise network but is actually outside of the enterprise network and does not store enterprise data, ;
monitoring traffic transmitted to the second server, including the third set of one or more packets transmitted to the second server; and
providing alert data to the enterprise network in response to detecting, based on the monitoring, use of the token in the third set of one or more packets.

Claim 17:
A network device to operate in a cloud network, comprising:
one or more processors; and
a non-transitory computer-readable storage medium having instructions stored therein which, when executed by the one or more processors, causes the device to 
receive a first set of one or more packets via a tunnel across a public network from a first server within the enterprise network, wherein the first set of one or more packets were generated by the first server responsive to the first server receiving a second set of one or more packets that originated from within the enterprise network by an enterprise end station attempting to access the first server and that included data and a source enterprise network address, wherein the first set of one or more packets includes the data and an identifier but does not include the source enterprise network address so that the source enterprise network address is not disclosed outside of the enterprise network, wherein the data includes a token ,
transmit the data within a third set of one or more packets to a second server that acts as if it were an enterprise server within the enterprise network but is actually outside of the enterprise network and does not store enterprise data, ,
monitor traffic transmitted to the second server, including the third set of one or more packets transmitted to the second server, and
provide alert data to the enterprise network in response to detecting, based on the monitoring, use of the token in the third set of one or more packets.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 6/2/2022 has been entered.

Terminal Disclaimer
The terminal disclaimer filed on 8/1/2022 has been reviewed and is accepted.  The terminal disclaimer has been recorded.

Response to Arguments
In view of amendments to claims 1-20, the prior art rejection, §112(b) rejection and double patenting rejection of claims 1-20 have been withdrawn.  

Reasons for Allowance
Claims 1-8 and 10-20 are allowed.
The following is an examiner’s statement of reasons for allowance: 

The present invention is directed to a method in a cloud network to detect compromises within an enterprise network based on tokens tunneled outside of the enterprise network to the cloud network (see Abstract).
The closest prior art of record, Shulman (US 20150013006), teaches a method for setting a trap to detect that an intruder has compromised a client end station (CES) in an attempt to gain unauthorized access to enterprise data provided by a server. The method includes causing a honey token to be placed on the CES secluded within a configuration repository, wherein the honey token is metadata and/or instructions indicating how applications can seemingly access the enterprise data but that is actually invalid, and the honey token is placed on the CES and not on the server (see Abstract). In addition, Britist (EP 2541861) teaches a method of determining a source of traffic attacking servers (70), the method comprising assigning a new IP address to an attacked server (44), generating a plurality of decoy servers (90) having the same characteristics as said attacked server (44), monitoring traffic directed at said plurality of decoy servers (90), analyzing traffic monitored at a plurality of decoy servers (90) to determine one or more traffic characteristics indicative of a server attack, determining if one or more source addresses of traffic having characteristics indicative of a server attack are the same, and if so, identifying said source address as an attack source (see Abstract).
However, the closest prior art of record fails to anticipate or render obvious the recited features of 
“transmitting, by the tunnel gateway server, the data within a third set of one or more packets to a second server that acts as if it were an enterprise server within the enterprise network but is actually outside of the enterprise network and does not store enterprise data, wherein outside of the enterprise the identifier distinguishes between traffic transmitted from different source enterprise network addresses without disclosing the different source enterprise network addresses;
monitoring, by a traffic monitoring module within the cloud network that is implemented by one or more electronic devices, traffic transmitted to the second server, including the third set of one or more packets transmitted to the second server; and
providing, by the traffic monitoring module, alert data to the enterprise network in response to detecting, based on the monitoring, use of the token in the third set of one or more packets”, as in independent claims 1, 13 and 17.  
These features, together with the other limitations of the independent claims, are novel and non-obvious over the prior art of record. The dependent claims 2-8, 10-12, 14-16 and 18-20, being definite, enabled by the specification, and further limiting to the independent claims, are also allowable.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
The prior art made of record and not relied upon, considered pertinent to applicant's disclosure, is listed below:
Li (10447710) discloses shielding provided to prevent attacks on network architecture or reduce the impact thereof. The system reconfigures the network differently for each user, operating system, and host and the configuration changes as time passes. The system can use dynamic redirection to create a reconfigurable network, and include intermediary nodes to dynamically reconfigure the network infrastructure for all traffic.
Touboul (9553886)  discloses a deception management system to detect attackers within a dynamically changing network, including a deployment governor dynamically designating a deception policy that includes one or more decoy attack vectors, one or more resources of the network in which the decoy attack vectors are generated, and a schedule for generating the decoy attack vectors in the resources, wherein an attack vector is an object in a first resource that may be used by an attacker to access or discover a second resource, and wherein the network of resources is dynamically changing, a deception deployer dynamically generating decoy attack vectors on resources in the network, in accordance with the current deception policy, a deception adaptor dynamically extracting characteristics of the network, and a deception diversifier dynamically triggering changes in the deception policy based on changes in the network as detected from the network characteristics extracted by the deception adaptor.
Malachi (20150295943) discloses a system and method for detecting a cyber-threat according to embodiments of the present invention comprise automatically discovering resources on a network, by a resource detection unit, emulating, by a faked asset creation unit, at least one resource discovered on the network, associating a malware trap sensor with the emulated resource and detecting by the malware trap sensor, a malware related to the emulated resource.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TRANG T DOAN whose telephone number is (571)272-0740.  The examiner can normally be reached on Monday-Friday 7-4 ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn D Feild can be reached on (571)272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/TRANG T DOAN/Primary Examiner, Art Unit 2431