DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claims 1, 5, 16 were amended, claims 1-20 are pending.
Response to Arguments
Applicant's arguments filed 06/29/22 have been fully considered but they are not persuasive. On page 14 the applicant argued that “simply disclosing that threat sensors are deployed, as disclosed by Shieh does not disclose that “the threat sensor deployment and management” service is configured to: determine a deployment plan for the plurality of threat sensors" as claim 1 recites. Shieh does not disclose that any "threat sensor deployment and management service" is able to "determine a deployment plan for the plurality of threat sensors" as claim 1 recites. Examiner respectfully disagrees. As per [0015-16] in collaboration with FIG 1, threat detection system (142) deploy sensors (120 ) which collect(threats) through cluster of servers (112 ) . [0016] clearly mentioned that number of sensors may be deployed around data centers, around networks, etc., are managed, suggest threat detection system(142) has certain plan/policy to deploy quantity of sensors in networks. Here threat detection system (142) coordinating as deployment and management service. 
On page 15 the applicant further argued that Shieh, does not disclose "wherein individual threat sensors specify a plurality of threat data collectors of a plurality of different types of threat data collectors" as amended claim 1 recites. Examiner respectfully disagrees. [0019] suggest sensor may execute as process within VM hypervisors collect information/data from network elements([0019] In another embodiment, a threat sensor, such as threat sensor 120-1, may be executed as an agent or virtual machine (VM) process within an existing network device, such as server 112-1. In yet another embodiment, a threat sensor may be executed as a process within a VM hypervisor (such as VMware ESXi, Citrix Xen, or KVM hypervisors) that supports the virtual machines of server 112-1. Each network segment may include a different deployment of its respective threat sensor, which can be selected based on the topology, performance characteristics, computing resources, etc. associated with that network segment. Note: FIG 1 discloses  sensors 120 collect data though servers 112 as multiple VM process to collect data).

On same page the applicant further argued that Shieh in view of Wang does not disclose "perform the adjustments to at most some of the threat sensors in one or more of the geographic regions according to the adjusted deployment plan." Examiner respectfully disagrees. Wang abstract clearly discloses about dynamic deployment of honeynet in real time based on capacity. Shieh also explain idea of dynamic adjustment of deployment ([0022] Furthermore, each of the threat detection server(s) 140 can execute one or more threat detection systems 142, with additional threat detection systems 142 dynamically established based on real-time properties. For example, a number of virtualized threat detection systems 142, executed as processes within a virtual environment of the threat detection server(s) 140, may be dynamically provisioned by the threat detection server(s) 140 based on real-time threat conditions within networks 110-1 through 110-N, as well as real-time resource usage at threat detection server(s) 140 [0027] Furthermore, although only one threat sensor is illustrated, the techniques discussed herein may include a plurality of geographically or logically distributed threat sensors deployed on distributed segments of the same or different computer networks. ).
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 5-11, 16-18 are rejected under 35 U.S.C. 103 as being unpatentable over Shieh(US 20150229656 A1) in view of Wang et al(“Dynamic Deploying Distributed Low-interaction Honeynet”; JOURNAL OF COJMPUTERS, VOL. 7, NO. 3, MARCH 20l2; pages 692-698 : IDS supplied).

With regards to claim 1, Shieh discloses, A system, comprising: 
a plurality of computing devices, physically located in a plurality of different geographic regions, that have respective processors and memory to execute a plurality of threat sensors (FIG 1-2 and associated text; [0018] The system architecture 100 includes a threat detection server 140, and one or more threat sensors, such as threat sensors 120-1 through 120-N, distributed in networks 110-1 through 110-N. As discussed herein, networks 110-1 through 110-N may be different segments of the same physical network, different logical network segments within the same physical network, different networks provisioned to different organizations, networks distributed across different geographical locations, other network configuration types, as well as a combination of different network configurations. However, in each of the different configurations of network segments, each network segment includes at least one threat sensor.); 
one or more computers with one or more processors and associated memory configured to implement a threat sensor deployment and management service of a provider network ([0041]  Thus, the centralized threat detection system is able to monitor many distributed network segments for potential threats. The monitoring is also scalable, and may easily respond to the creation and destruction of network segments, via the distribution of lightweight threat sensors, and not with the distribution and deployment of new servers. That is, a large number of threat sensors can be deployed in numerous and distributed network segments to monitor for network probes or attacks, while deploying a centralized server or server cluster to execute one or more centralized threat detection systems. By separating presence of threat sensors from the server deployment on which the threat detection systems operate, the present embodiments take advantage of a scalable architecture to deploy threat monitoring with a simple management framework.), wherein the threat sensor deployment and management service is configured to: determine a deployment plan for the plurality of threat sensors ([0016] As discussed in greater detail below, each threat sensor exposes the services of the threat monitoring system to the network segment in which the threat sensor is deployed. In one embodiment, the threat sensor is a virtualized passive server that may be dynamically created or removed, as different logical or virtual network segments are created or removed. Thus, any number of threat sensors may be deployed around data centers, around networks, etc., and communicate potential threats to the threat detection system deployed and managed in a centralized location.), 
wherein individual threat sensors specify a plurality of threat data collectors of a plurality of different types of threat data collectors ([0043] Referring to FIG. 4, processing logic begins by threat sensor receiving an unsolicited request from a network element (processing block 402). In one embodiment, the request is communicated on a network segment in which the network element and threat sensor are collocated. Threat sensor forwards the request to the threat detection system (processing block 404). As discussed in great detail below, prior to message forwarding, threat sensor may exchange one or more network handshaking or configuration messages with the network element and/or the threat detection system. [0015] In one embodiment, the threat detection system may be a server or a cluster of servers in an isolated portion of a network that may be remote from one or more of the threat sensors. The threat sensors therefore coordinate communications between the potentially infected network elements, such as host machines or host processes, and the threat detection system. Note: FIG 1 discloses  sensors 120 collect data though servers 112 as multiple VM process to collect data ), wherein at least some of the different types of threat data collectors utilize different communication protocols or communication ports, or provide different responses to inbound communications (FIG 4 422 and associated text; ), and 
collect threat data from the deployed threat sensors (FIG 4 402 and associated text;); 
perform the adjustments to the threat sensors in one or more of the geographic regions according to the adjusted deployment plan ([0022]);

Shieh does not exclusively but Wang teaches, wherein the deployment plan specifies threat sensors with different lifetimes (Page 693 So the redeploying time should be determined by analyzing the collected data captured in the honeynet. Note: redeploying time suggest honeynet has specific lifetime; page 694; The honeypot life is controlled by this mechanism that works as follows: In the initialization phase, each honeypot within the honeynet is set initial value.);  
deploy and configure according to the deployment plan the plurality of threat sensors at different network addresses in the plurality of different geographic regions of the provider network (page 693; Based on this principle, we present a novel honeynet deployment technique, which is simple but effective to distributed, virtual, low-interaction honeynet. Compared with the traditional static deployment technique, the novel technique is dynamic deploying scheme. When the honeynet redeploys again, it becomes new honeynet and must spend more time to detect it. To our knowledge, this
is the first paper to systematically discuss dynamic deployment honeynet that could improve the disguise capacity of honeynet. Although Kuwatly developed a dynamic honeypot to identi(y attacks [14]. However, the honeypot still needed adjust manually during the deploying process and he concentrated on the single honeypot to dynamic deploying rather than the whole honeynet. ); 
collect threat data from the deployed threat sensors (Page 693-694); 
based on the collected threat data and the different lifetimes of the threat sensors, determine an adjusted deployment plan comprising one or more adjustments to the deployment plan (Page 693-694; In this work, we want to design independently deploying honeynet system regardless the other security detection systems. So the redeploying time should be determined by analyzing the collected data captured in the honeynet.); and
perform the adjustments to the threat sensors in one or more of the geographic regions according to the adjusted deployment plan (Page 695-696; Dynamic deployment engine analyzes the uniform log of currently honeynet and determines when to redeploy the honeynet. It includes different dynamic deployment algorithms that determine how to build the new configuration for honeynet. Topology engine is to assigned the IP address for honeypot or generate specific topology for the whole
honeynet. The topology engine maintains a IP address queue. This prevents the IP address conflicts between the honeypots and the real computers. In addition, it automatically assigns IP address for different sub-net honeypots.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to modify Shieh system/method with teaching of Wang in order to enhance capacity of detection(honeynet)(Wang abstract). 
 
With regards claim 2, Shieh in view of Wang discloses, wherein the provider network provides a plurality of services including a virtual compute instance service, and wherein the threat sensor deployment and management service uses the virtual compute instance service to deploy at least some of the plurality of threat sensors (Wang 695 col 2-696 col 1). Motivation would be same as stated in claim 1. 

With regards to claim 3 Shieh in view of Wang discloses, wherein at least a particular one of the plurality of threat sensors not implemented by the virtual compute instance service is deployed outside of the provider network (Shieh FIG 1-2 and associated text; [0018] The system architecture 100 includes a threat detection server 140, and one or more threat sensors, such as threat sensors 120-1 through 120-N, distributed in networks 110-1 through 110-N. As discussed herein, networks 110-1 through 110-N may be different segments of the same physical network, different logical network segments within the same physical network, different networks provisioned to different organizations, networks distributed across different geographical locations, other network configuration types, as well as a combination of different network configurations. However, in each of the different configurations of network segments, each network segment includes at least one threat sensor.), and wherein to collect threat data from the deployed threat sensors, the threat sensor deployment and management service is further configured to: collect data from at least the particular one of the plurality of threat sensors deployed outside of the provider network (Shieh FIG 4 416 and associated text;).

Claims 5, 16 are Method and product claims corresponding to system claim 1, also rejected accordingly.

With regards to claim 6, 17 Shieh in view of Wang discloses, performing adjustment iterations by the threat sensor deployment and management component at different times (Wang page 693 col1-col2; In this work, we want to design independently deploying honeynet system regardless the other security detection systems. So the redeploying time should be determined by analyzing the collected data captured in the honeynet.), wherein a particular adjustment iteration comprises repeating the collecting the threat data from the deployed threat sensors (Wang 693 col 2; So the inducing degree require a sign that is positive or negative to distinguish the changing direction. When the inducing degree is positive, this means it is on the rise. And when the inducing degree is negative, this means it is declining. In brief, when the inducing degree is negative and greater value. The honeynet should be considered to redeploy.); the determining the adjusted deployment plan (Wang 693 col 2); and the performing the adjustments to the threat sensors (Wang 693 col 1-2; DYNAMIC DEPLOYING SCHEME ). Motivation would be same as stated in claim 1.

With regards to claim 7, 18 Shieh in view of Wang discloses, wherein the performing the adjustments to the threat sensors according to the adjusted deployment plan further comprises one or more of: terminating a threat sensor (Wang Page 694 col 2; The algorithm first checks the status of all the honeypots in the honeynet by using function CheckStatus (line 2). If the status of h, is mature, a new honeypot will be genernted based on the h; configuration and be added to H' (line 5). If the status is death, this honeypot will be deleted from H' (line 7). ), deploying at least one new threat sensor at new network address different from the plurality of different network addresses at which the plurality of threat sensors were deployed, or modifying the lifetime of a deployed threat sensor. Motivation would be same as stated in claim 1.

With regards to claim 8, Shieh in view of Wang discloses, further comprising: recording, by threat data collectors of corresponding ones of the deployed threat sensors, information about inbound communications received at the corresponding ones of the deployed threat sensors (Wang Page 696 col 1- 2; The preprocessor is used to record and count the packets captured in the honeynet. ); and generating, by the corresponding ones of the deployed threat sensors, threat sensor logs from the recorded actions of the corresponding threat data collectors (Wang Page 696 col 1- 2;Thus the different formats of logs need to be transformed into a uniform. The uniform log is comprised of eight fields: unique id, timestamp, source IP address, source port, destination IP address, destination port, and network protocol, packet size. Dynamic deployment engine analyzes the uniform log of currently honeynet and determines when to redeploy the honeynet.). Motivation would be same as stated in claim 1.

With regards to claim 9, Shieh in view of Wang discloses, responding, by a particular one of the threat data collectors of a deployed threat sensor, to inbound communications with different identifying information to simulate responses from different types of systems (Shieh [0045] When the threat detection system is not able to handle the request (processing block 410), processing logic advances to processing block 422 where one or more corrective actions are initiated (processing block 422). In one embodiment, the corrective actions may include dropping the packets of the network element that initiated the request received at processing block 402. In another embodiment, the corrective actions may include notifying a network administrator of the potential threat, a potential identity of the threat, location of the threat, etc. to enable the network administrator to take further actions.).

With regards to claim 10, Shieh in view of Wang discloses, performing by the threat sensor deployment and management component: determining that one or more threat sensors of a particular geographic region are receiving a greater number of inbound communications compared to a threshold; and deploying, based at least in part on the determining, additional threat sensors at network addresses in the particular geographic region (Wang 694 col 1; However, when the specific case appears h;d = h/, then  the number of inbound ICMP packets is considered. In this case, the honeypot has the maximum value of the number of inbound ICMP packets that is selected as the maximum active honeypot. The maximum active honeypot is the current optimal configuration solution within the honeynet. And the main idea of cooperative learning algorithm is to mimic the configuration of the maximum active honeypot. After
finding the maximum active honeypot, the others honeypots will modify theirs configuration following the maximum active honeypot with mimic probability. Pls also see Definition 3, Note: probability high will engage the optimistic learning strategy suggest gathering more packets in the area. ). Motivation would be same as stated in claim 1.

With regards to claim 11, Shieh in view of Wang discloses, further comprising: performing by the threat sensor deployment and management component: determining that a particular threat sensor of the deployed plurality of threat sensors is receiving a larger number of inbound communications than a threshold; and extending, based at least in part on the determining, the lifetime of the particular threat sensor (Wang 694 col 1; Definition 4). Motivation would be same as stated in claim 1.


Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Shieh(US 20150229656 A1) in view of Wang et al(“Dynamic Deploying Distributed Low-interaction Honeynet”; JOURNAL OF COJMPUTERS, VOL. 7, NO. 3, MARCH 20l2; pages 692-698) and Agarwal et al(WO 2016154320 A1).

Shieh in view of Wang  do not but, Agarwal teaches, wherein the threat sensor deployment and management service is further configured to: provide an interface for a client of the provider network to specify details for a desired threat sensor deployment; and wherein to determine the deployment plan for the plurality of threat sensors, the threat sensor deployment and management service is further configured to: determine the deployment plan based at least in part on the specified details from the client ([0096] In order to provide a detailed deployment plan the system provides an interactive user interface for specifying building information and user requirements, including automated algorithms for fast placement of sensors and assessment of connectivity, and a visual representation of an installation map to assist with field deployments. The system 100 allows multiple users to complete a method 201 for planning a building system, shown in Fig. 2A and boxes 202, 204, 206, 208, 210 and 212. The method 201 includes the following key steps: (1) obtaining a floor plan; (2) obtaining user requirements; (3) selecting system components; (4) placing system components; (S) assessing connectivity; and (6) generating a price quote.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to modify Shieh in view of Wang System with teaching of Agarwal in order to detect sensor performance in distributed system (Agarwal [002]).

Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Shieh(US 20150229656 A1) in view of Wang et al(“Dynamic Deploying Distributed Low-interaction Honeynet”; JOURNAL OF COJMPUTERS, VOL. 7, NO. 3, MARCH 20l2; pages 692-698) and Smith et al(US 20160191548 A1).

With regards to claim 14, Shieh in view of Wang discloses, performing by a particular one of the threat data collectors of a deployed threat sensor: analyzing an inbound communication (Wang page 697 col 2; We can further demonstrate that the dynamic deploying method improves the disguise capacity through analyzing the packets number of the maximum active IP. In generally, the maximum active IP address is currently the most active attack source. Its inbound or outbound packets number indicates the hackers from this IP address has launched a intrusion or not. ), 
Shieh in view of Wang  do not but, Smith teaches, wherein the inbound communication comprises a request to initiate a communication to a network address (Smith [0005] Another example of a social engineering attack is when a user is sent an email inviting the user to click on a link to download content that harbors malware. The term malware generally refers to any kind of program that is designed to perform operations that the owner or user of the computer on which the program resides would not approve of, and may include viruses, worms, Trojan horses, spyware, adware, etc. For example, a user may be sent an email that purports to be from a person or an institution that the user knows. The email invites the user to download a song or movie by providing a link. However, the link may instead point to malware that, once downloaded and executed by the user, installs a Trojan horse, virus, or any other form of malware on the user's computer.); determining the network address present in the inbound communication (Smith [0067] The collection process may select the initial webpage or website using a number of different techniques. For example, the system may possess existing information about the website, domain name, URL, IP address, or other information associated with the webpage that indicates that the webpage or website may be associated with malicious activity. Such information may include lists of websites, IP addresses, or registrants associated with known previous malicious activity, such as previous social engineering attempts, spamming, malware or virus distribution or hosting, participation in rogue DNS or DNS cache poising activity, denial-of-service attacks, port scanning, association with botnets or other command-and-control operations, etc. Such lists may also comprise websites that, although not primarily engaged in malicious activity, have nonetheless been compromised in the past and therefore may serve as a likely conduit, unsuspecting or otherwise, for malicious activity originating from otherwise unknown sources.); and downloading data from the network address present in the inbound communication in order to determine information useful for threat intelligence (FIG 2 step 210 to 240 and associated text; ). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to modify Shieh in view of Wang method with teaching of Smith in order to protects the network from attack (Smith [006]).

Claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over Shieh(US 20150229656 A1) in view of Wang et al(“Dynamic Deploying Distributed Low-interaction Honeynet”; JOURNAL OF COJMPUTERS, VOL. 7, NO. 3, MARCH 20l2; pages 692-698) and Vogt et al(US 20110103394 A1). 

With regards to claim 15, Shieh in view of Wang  do not but, Vogt teaches, wherein the different network addresses at which the plurality of network element(threat sensors) are deployed are not publicized ([0007] A mechanism in a network element interfacing an internal network with an external network for translating an Internet Protocol (IP) address of a client of the internal network and using the translated IP address to route packets associated with the client to and from a remote node of the external network without exposing an internal network portion of the IP address of the client to the remote node is provided.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to modify Shieh in view of Wang method with teaching of Vogt in order to protects the network from attack (Vogt[002]).

Claim 19 is rejected under 35 U.S.C. 103 as being unpatentable over Shieh(US 20150229656 A1) in view of Wang et al(“Dynamic Deploying Distributed Low-interaction Honeynet”; JOURNAL OF COJMPUTERS, VOL. 7, NO. 3, MARCH 20l2; pages 692-698) and Etheridge et al(US 20040054925 A1).

With regards to claim 19, Shieh in view of Wang  do not but, Etheridge teaches, wherein the program instructions further cause the one or more processors of the threat sensor deployment and management component to: 
determine that a threshold number of inbound communications have been received by a particular deployed threat sensor from a single source; and prevent the plurality of different threat data collectors of the particular deployed threat sensor from responding to further inbound communications from the single source ([0016] After establishing the thresholds, the present invention can statistically analyze the network traffic to determine when the traffic exceeds the thresholds. If the traffic exceeds the thresholds, an attack is detected. Then, a countermeasure can be initiated to block data packets from an IP address. A countermeasure also can be initiated to block data packets to or from a common port, data packets having a common protocol, or data packets having the target destination IP address.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to modify Shieh in view of Wang product with teaching of Etheridge in order to prtotect the network from attack (Etheridge Abstract ).

Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Shieh(US 20150229656 A1) in view of Wang et al(“Dynamic Deploying Distributed Low-interaction Honeynet”; JOURNAL OF COJMPUTERS, VOL. 7, NO. 3, MARCH 20l2; pages 692-698) and Jarva et al(WO 2017109272 A1).

With regards to claim 20, Shieh in view of Wang  do not but, Jarva teaches, wherein the program instructions further cause the one or more processors of the threat sensor deployment and management component to: 
determine that a particular Node has been compromised by malware; and terminate, based at least in part on the determining, the node (,[0027] where a node on the list is compromised by malware, its changed behaviour may be detected by detecting its changed behaviour, enabling termination of the compromised node.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to modify Shieh in view of Wang product with teaching of Jarva in order to detect Spurious node (Jarva [0088]).


Allowable Subject Matter
Claims 12-13 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOHAMMED WALIULLAH whose telephone number is (571)270-7987. The examiner can normally be reached 8.30 to 430 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached on 1-571-272-8878. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MOHAMMED WALIULLAH/Primary Examiner, Art Unit 2498