DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
This office action is in response to the communication filed on 08/15/2019.
Claims 1-20 are pending.

CLAIM OBJECTIONS
Claims 1-20 are objected to because of the following informalities: 
In claim 1, on line 7, “that that” is a typographical error.  
Appropriate correction is required.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claim 1 recites “route the packet, via the SDN switch, to a resource within the decoy environment” after the packet has been transmitted to a decoy controller. It is indefinite how the packet is routed via the SDN switch but not via the decoy controller.
Claim 2 recites “the configuration resource” that lacks antecedent basis and is indefinite whether configuration resources are related to “a configuration resource rule” in claim 1.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.


Claim(s) 1-9, 13, 14, 19, 20 is/are rejected under AIA 35 U.S.C. 102(a)(1) as being anticipated by Fan et al. (A Novel SDN based Stealthy TCP Connection Handover Mechanism for Hybrid Honeypot Systems, 2017, cited in IDS).
For claim 1, Fan discloses a computing system for moving target defense using software-defined networking (SDN) based routing (abstract, SDN based controller for a hybrid honeypot system), the system comprising at least one processor and a memory comprising computer-executable instructions, the instructions, when executed by the at least one processor, operable to:
receive a packet, determining a source identifier of the packet; responsive to a determination that that the source identifier does not match a pre-defined packet flow rule of an SDN switch (fig. 1, section III B, Traffic Filtering Approach, page 5, right column, In the first step, Ryu controller will read and parse the Snort rules, translate them into flow entries, and install those flow entries into the main OVS switch during the system initialization phase. This step aims to set a data reduction measure to improve the data capture efficiency. Only the rules with a “DROP” action that do not check the “content” field are translated into “drop” flow entries. Therefore, any traffic that matches these flow entries will be efficiently discarded in the data plane, avoiding them to reach to the controller. In other words, OVS switch (read as SDN switch) using Snort IDS rules to analyze a packet header (first step) from an attacker, including a source IP address, in order to DROP (matching a pre-defined packet flow rule) or to route the packet to a Ryu controller (read as decoy controller) for MIH or HIH honeypot functions):
transmit at least a first segment of the packet, via the SDN switch, to a decoy controller, the decoy controller structured to manage packet flow rules regarding packet routing to a decoy environment (section III B, Traffic Filtering Approach, page 5, right column, the rest rules will be translated into “allow” flow entries, and the traffic that matches them will be forwarded as a PacketIn event to the Ryu controller for processing. In the second step, the Ryu controller will cooperate with Snort to carry out the content based traffic filtering and redirection);
if at least the first segment of the packet violates a configuration resource rule of the decoy controller, modify a second segment of the packet, comprising operations to replace a destination identifier with a decoy environment identifier; and route the packet, via the SDN switch, to a resource within the decoy environment (fig. 3, SDN controller sends the packet out to Snort for inspecting the payload. If the payload does not generate an alert DROP, SDN controller starts TCP handover for packet redirection seen in fig. 2, wherein destination of a packet is modified from frontend honeypot to backend honeypot by changing FCF out port at the OVS).

For claim 2, Fan discloses the configuration resource of the decoy controller is a whitelist (section III B, Traffic Filtering Approach, IDS rules include matching for source IP address or whitelist).

For claim 3, Fan discloses the configuration resource comprises any of an application-layer information, a link-layer information, and a transport-layer information (fig. 2, redirection is changing destination port of the packet by the OVS to another honeypot).

For claim 4, Fan discloses the application-layer or the link-layer comprises at least one of a VLAN identifier, a destination address, and a destination port (fig. 2, redirection is changing destination port of the packet by the OVS to another honeypot).

For claim 5, Fan discloses the destination address is a partial destination address comprising an IP subnet identifier (page 5, right col., subnet 192.168.1.0/24).

For claim 6, Fan discloses the destination address is one of an IP address and a MAC address of a decoy host in the decoy environment (page 5, right col., subnet 192.168.1.0/24).

For claim 7, Fan discloses at least a portion of the first segment of the packet comprises at least a portion of the second segment of the packet (p. 5, right col., first portion is the entire packet, second portion is the destination port).

For claim 8, Fan discloses the at least the first segment of the packet comprises a copy of content of the packet (p. 5, right col., first segment is the entire packet, second segment is the destination port).

For claim 9, Fan discloses the first segment of the packet comprises a copy of entire packet (p. 5, right col., first portion is the entire packet, second portion is the destination port).



For claim 13, Fan discloses the memory further comprising instructions that, when executed by the at least one processor, are operable to: route the packet to a first port associated with an application impersonation service on a decoy host in the decoy environment (p. 3, left col., The frontend and the backend honeypots use the same IP and MAC addresses, but they are connected to different out ports).

For claim 14, Fan discloses the memory further comprising instructions that, when executed by the at least one processor, are operable to: generate a decoy response message; and transmit the decoy response message to a computing device associated with the source identifier (fig. 2, phase 1, Forward SYN_ACK pkt to Attacker).

For claim 19, Fan discloses the SDN switch comprises the decoy controller (fig. 4, OVS (Snort) read as SDN switch and OFSoftswitch (Ryu controller, read as decoy controller) is in one server).

For claim 20, Fan discloses the resource within the decoy environment is a virtualized resource comprising at least one of a virtual server and a virtual host (section IV, Honeyvers honeypot environment is a virtual server).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claim(s) 16 is/are rejected under AIA 35 U.S.C. 103 as being unpatentable over Fan in view of Bingham et al. (US 2017/0230336, “Bingham”).

For claim 16, Fan does not disclose the memory further comprising instructions that, when executed by the at least one processor, are operable to: cause the packet to be forwarded to a second port associated with an attack analytics application (p. 3, left col., The frontend and the backend honeypots (attack analytics applications) are connected to different out ports); and capturing data including least one of payload, metadata, header, and footer of the packet (fig. 2, 3).
Fan does not disclose causing the attack analytics application to generate a visualization based on an evaluation of at least one of payload, metadata, header, and footer of the packet.
Bingham discloses causing the attack analytics application to generate a visualization based on an evaluation of captured data ([0012], attack visualization based on captured data).
It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to apply Bingham’s teachings of attack visualization to Fan’s teachings in order to aid users/admins of such system with visualization of the attacks.

Claim(s) 17 is/are rejected under AIA 35 U.S.C. 103 as being unpatentable over Fan-Bingham and in view of Schwartz et al. (US 2017/0099305, “Schwartz”).

For claim 17, Fan-Bingham does not disclose the memory further comprising instructions that, when executed by the at least one processor, are operable to: cause the attack analytics application to generate an SDN switch rule recommendation based on an evaluation of at least one of the payload, the metadata, the header, and the footer of the packet.
Schwartz discloses causing the attack analytics application to generate an SDN switch rule recommendation based on an evaluation of at least one of the payload, the metadata, the header, and the footer of the packet ([0012]).
It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to apply Schwartz’s teachings of rule generation to Fan’s teachings in order to dynamically adapt rule changes to the Snort IDS of Fan.

Claim(s) 18 is/are rejected under AIA 35 U.S.C. 103 as being unpatentable over Fan in view of what was known in the art (by taking Official Notice or “ON”).

For claim 18, Fan discloses the packet is transmitted between the SDN switch and the decoy controller over an SSH communications channel (section V B, p. 7, right col., SSH for TCP handover).
Fan does not teach transmission over at least one of an SSL communications channel and a TLS communications channel.
However, Official Notice is taken that transmission over at least one of an SSL communications channel and a TLS communications channel was well-known before the effective filing date of the claimed invention.
It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to modify Fan’s teachings of SSH secure communication channel with other known techniques in order to apply other well-known secure communication channels to provide alternatives to Fan’s SSH for TCP redirection.

Allowable Subject Matter and Reasons for Allowance
Claims 10, 11, 12, 15 would be allowable if rewritten to include all of the limitations of the base claim and any intervening claims and to overcome the claim objection(s), rejections of the base claim and any intervening claims set forth in this Office action.

The following is an examiner's statement of reasons for allowance:
By interpreting the claims in light of the Specification, the Examiner finds the claimed invention to be patentably distinct from the prior art of records. Specifically, the prior art of records, individually or in combination, fail to explicitly teach, suggest or render obvious the claimed invention as recited in each of claims , including “the at least the first segment of the packet comprises a pointer to a memory location shared by the SDN switch and the decoy controller” in claim 10, “generate a new packet flow rule comprising at least one property of the packet, the new packet flow rule generated in part based on instructions from the configuration resource of the decoy controller; and add the new packet flow rule to the SDN switch” in claims 11-12, “the decoy response message comprises at least one of a time-out message, a service unavailable message, and a restricted access message” in claim 15.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled "Comments on Statement of Reasons for Allowance." 
Conclusion
The prior art made of record and not relied upon, which is considered pertinent to applicant's disclosure, is included in form PTO 892.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to HIEU T HOANG whose telephone number is (571)270-1253. The examiner can normally be reached Mon-Fri 9 AM - 5 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Thu Nguyen can be reached on 571-272-6967. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/HIEU T HOANG/Primary Examiner, Art Unit 2452