DETAILED ACTION
Claims 1-18 and 20 are pending in this action.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-4 are rejected under 35 U.S.C. 103 as being unpatentable over Chari et al. (US PGPUB No. 2006/0161982) [hereinafter “Chari”] in view of Giokas (US PGPUB No. 2015/0033340).

As per claim 1, Chari teaches a computer-implemented security method comprising: receiving, processing and logging network traffic data received from a plurality of users ([0026], monitoring communications over network from clients to applications in the system); determining an attacker profile from the network traffic data ([0031], monitoring and analyzing attack to generate an “attack signature” which can be used for subsequent attack identification); determining a configuration of a honeypot or honeynet (Claim interpretation - alternative language therefore only “honeypot” is required – furthermore honeynet is defined in the specification of the instant application at [0005] as simply one or more honeypots which is taught in Chari at [0028]) based on the attacker profile ([0031], creating a dynamic honeypot based on the “targets of interest” in the system where the dynamic honeypot includes customized virtual copies of requested resources) see also ([0034], predefined honeypot plans selected based on a particular attack).
Chari does not explicitly teach upon receipt of a request from a user of the plurality of users, providing the determined attacker profile and configuration to the user. Giokas teaches upon receipt of a request from a user of the plurality of users, providing the determined attacker profile and configuration to the user ([0110], whereby a main process in a protected system can listen and request for new or updated vulnerabilities which are stored in repositories of the network – in combination, these vulnerabilities would include the attack signatures and customized honeypot configurations taught in Chari) ([0029], the user is ultimately the one who requests and uses the vulnerability information).
	At the time of filing, it would have been obvious to one of ordinary skill in the art to combine Chari with the teachings of Giokas, upon receipt of a request from a user of the plurality of users, providing the determined attacker profile and configuration to the user, to allow for a need based efficient distribution of attack signatures and remedies including honeypot plans.

As per claim 2, the combination of Chari and Giokas teaches the method of claim 1, wherein the honeypot or honeynet configuration is based on network traffic data of the plurality of users and is available for use by the plurality of users (Chari; [0026] and [0033], clients communicate with the various protected applications in the honeypot system) see also (Giokas; [0029], vulnerability information available to users) (Claim interpretation – a “plurality of user” is interpreted as all user on a network see [0012] of the instant application – based off [0013]-[0016] of the instant application, there is no reason to interpret “plurality of users” in any other way) (Examiner suggests including that the users are registered or authorized on the network as recited in [0015]).

As per claim 3, the combination of Chari and Giokas teaches the method of claim 1, and comprising the step of using a computer-based resource to store: the network traffic data (Chari; [0031], attack statistics are considered network traffic); the attacker profile (Chari; [0031], attack signatures and statistics are collected and saved for subsequent attack identification, i.e. they are stored); the honeypot or honeynet configuration (Chari; Claim 15, storing PVE and honeypot plans); and/or (Claim interpretation – “and/or” will be interpreted as “or”) data relating to the users (Claim interpretation – alternative feature so not given patentable weight however see Abstract of Ayyagari in pertinent art below, teaching collecting user behavior information to create user profiles in crafting honeypot environments).

As per claim 4, the combination of Chari and Giokas teaches the method according to claim 1, and comprising the step of directing network traffic to a honeypot or honeynet generated in accordance with, or using, the determined configuration (Chari; [0031], creating a dynamic honeypot based on the “targets of interest” in the system where the dynamic honeypot includes customized virtual copies of requested resources) see also (Chari; [0034], predefined honeypot plans selected based on a particular attack).

Claims 5-9 are rejected under 35 U.S.C. 103 as being unpatentable over Chari and Giokas in view of Legrand et al. (US PGPUB No. 2010/0274892) [hereinafter “Legrand”].

As per claim 5, the combination of Chari and Giokas teaches the method according to claim 1.
The combination of Chari and Giokas does not explicitly teach wherein the plurality of users comprises users who are designated as authorised or legitimate users. Legrand teaches wherein the plurality of users comprises users who are designated as authorised or legitimate users ([0248], authentication of a user based on username/password) ([0161], once inside the system, i.e. authenticated, user is considered legitimate unless monitored activity deviates from standard user profile).
At the time of filing, it would have been obvious to one of ordinary skill in the art to combine Chari and Giokas with the teachings of Legrand, wherein the plurality of users comprises users who are designated as authorised or legitimate users, to further assist in determining whether abnormal behavior is from a legitimate source or from an attack source which would create a system with fewer false-positive results.

As per claim 6, the combination of Chari and Giokas teaches the method according to claim 1.
The combination of Chari and Giokas does not explicitly teach receiving a request from a user, and determining whether the request is from an authorised user or an attacker. Legrand teaches receiving a request from a user, and determining whether the request is from an authorised user or an attacker ([0162]-[0164], using messages and requests to access/modify resources in comparison with “user”, “admin” and “attacker” profiles to determine legitimacy of message/request).
At the time of filing, it would have been obvious to one of ordinary skill in the art to combine Chari and Giokas with the teachings of Legrand, receiving a request from a user, and determining whether the request is from an authorised user or an attacker, to further assist in determining whether abnormal behavior is from a legitimate source or from an attack source which would create a system with fewer false-positive results.

As per claim 7, the combination of Chari and Giokas teaches the method according to claim 1.
The combination of Chari and Giokas does not explicitly teach determining a profile for one or more of the users in the plurality of users. Legrand teaches determining a profile for one or more of the users in the plurality of users ([0168], users are labeled “user”, “administrator” or “attacker” based on profiles see [0162]-[0164] – they are further monitored based on the type of activities classified in the profiles as normal/abnormal see id.).
At the time of filing, it would have been obvious to one of ordinary skill in the art to combine Chari and Giokas with the teachings of Legrand, determining a profile for one or more of the users in the plurality of users, to further assist in determining whether abnormal behavior is from a legitimate source or from an attack source which would create a system with fewer false-positive results.

As per claim 8, Chari and Giokas teaches a computer implemented security system comprising a processor and memory, the memory storing instructions that when executed by the processor (Chari; [0023], security system made up of processors, memory, and other components), cause the processor to implement the method of claim 1, wherein: a computer-based storage resource is arranged to receive, process and log the network traffic data received from the plurality of users (Chari; [0031], collecting data and attack statistics - considered network traffic); and a software component is arranged to: determine the attacker profile from the network traffic data (Chari; [0031], creating a dynamic honeypot based on the “targets of interest” in the system where the dynamic honeypot includes customized virtual copies of requested resources) see also (Chari; [0034], predefined honeypot plans selected based on a particular attack); determine the configuration of the honeypot or the honeynet (Claim interpretation - alternative language therefore only “honeypot” is required – furthermore honeynet is defined in the specification of the instant application at [0005] as simply one or more honeypots which is taught in Chari at [0028]) based on the attacker profile (Chari; [0031], creating a dynamic honeypot based on the “targets of interest” in the system where the dynamic honeypot includes customized virtual copies of requested resources) see also (Chari; [0034], predefined honeypot plans selected based on a particular attack); and provide, upon receipt of the request from the user of the plurality of users, the determined attacker profile and configuration to the user based upon, or derived using, the network traffic data (Giokas; [0110], whereby a main process in a protected system can listen and request for new or updated vulnerabilities, i.e. security configurations, which are stored in repositories of the network – in combination, these vulnerabilities would include the attack signatures and customized honeypot configurations taught in Chari) (Giokas; [0029], the user is ultimately the one who requests and uses the vulnerability information).

As per claim 9, the combination of Chari, Giokas and Legrand teaches the system according to claim 8, wherein the storage resource is also arranged to store: profile(s) relating to one or more of the plurality of users (Legrand; [0162], profiles related to users which can be customized for instances of specific users see [0168]); profile(s) relating to one or more attackers or groups or types of attacker (Chari; [0031], “attack signature” are stored for subsequent attack identification) see also (Legrand; [0164], profiles related to attackers); and/or honeypot/honeynet configuration parameters (Chari; [0034], predefined honeypot plans selected based on a particular attack).

Claims 10-14 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Chari in view of Ahmadzadeh et al. (US PGPUB No. 2017/0134405) [hereinafter “Ahmadzadeh”].

As per claim 10, Chari teaches a computer-implemented method comprising: receiving attacker profile information ([0031], monitoring and analyzing attack to generate an “attack signature” which can be used for subsequent attack identification); monitoring traffic to a network address; comparing the monitored traffic to the attacker profile information ([0031], “attack signatures” are used to monitor subsequent traffic for subsequent attack identification); upon determining that the monitored traffic is associated with an attacker, retrieving configuration information to configure a computer decoy ([0034], predefined honeypot plans selected based on a particular attack); and configuring the computer decoy based on the retrieved configuration ([0031], creating a dynamic honeypot based on the “targets of interest” in the system where the dynamic honeypot includes customized virtual copies of requested resources) see also ([0034], predefined honeypot plans would be used to configure honeypots too).
Chari does not explicitly teach configuring the computer decoy using a machine learning model. Ahmadzadeh teaches configuring the computer decoy using a machine learning model ([0046]-[0047], honeypot system uses machine learning and prediction modeling to determine potential attacks and crafting triggering conditions).
At the time of filing, it would have been obvious to one of ordinary skill in the art to combine Chari with the teachings of Ahmadzadeh, configuring the computer decoy using a machine learning model, to allow for an adaptive and dynamic approach to recognizing and handling attack behavior.

As per claim 11, the combination of Chari and Ahmadzadeh teaches the method of claim 10, and further comprising the step of directing traffic to the computer decoy (Chari; [0025], creating virtual copies of the requested resources which appear to attacker as the actual resources, i.e. attacker is directed to interact with the dynamic honeypot with the virtual resources).

As per claim 12, the combination of Chari and Ahmadzadeh teaches the method of claim 10, further comprising the step of storing the attacker profile information in a computer-based resource (Chari; [0031], “attack signature” are stored for subsequent attack identification).

As per claim 13, the combination of Chari and Ahmadzadeh teaches the method according to claim 10, wherein the attacker profile information is generated using network traffic data provided by a plurality of users (Chari; [0031], monitoring and analyzing attack to generate an “attack signature” which can be used for subsequent attack identification which are collected from network communications from clients/users see [0026]).

As per claim 14, Chari teaches a system, comprising: one or more processors; and memory storing instructions executable by the one or more processors to cause the system to: determine an attacker profile based on network traffic data ([0031], monitoring and analyzing potential attack to generate an “attack signature” which can be used for subsequent attack identification wherein the potential attack comprises network traffic see [0026], monitored requests made by clients across network); determine a configuration of a honeypot or honeynet based on the attacker profile ([0034], predefined honeypot plans selected based on a particular attack); configure a honeypot or honeynet according to the determined configuration ([0031], creating a dynamic honeypot based on the “targets of interest” in the system where the dynamic honeypot includes customized virtual copies of requested resources) see also ([0034], predefined honeypot plans used to create dynamic honeypots); and cause a request associated with the attacker profile to be forwarded to the configured honeypot or honeynet ([0025], creating virtual copies of the requested resources which appear to attacker as the actual resources, i.e. attacker is directed, i.e. forwarded, to interact with the dynamic honeypot with the virtual resources – attackers are identified via attack signatures see [0031]).
Chari does not explicitly teach wherein the instructions cause the system to determine the configuration of the honeypot or honeynet using a machine learning model. Ahmadzadeh teaches wherein the instructions cause the system to determine the configuration of the honeypot or honeynet using a machine learning model ([0046]-[0047], honeypot system uses machine learning and prediction modeling to determine potential attacks and crafting triggering conditions).
At the time of filing, it would have been obvious to one of ordinary skill in the art to combine Chari with the teachings of Ahmadzadeh, wherein the instructions cause the system to determine the configuration of the honeypot or honeynet using a machine learning model, to allow for an adaptive and dynamic approach to recognizing and handling attack behavior.

As per claim 18, the combination of Chari and Ahmadzadeh teaches the system according to claim 14, wherein the instructions further cause the system to configure different honeypots or honeynets for different attacker profiles (Chari; [0034], predefined honeypot plans selected based on a particular attack which are identified via attack signatures see [0031]).

Claims 15-17 are rejected under 35 U.S.C. 103 as being unpatentable over Chari in view of Wang et al. (US PGPUB No. 2013/0145465) [hereinafter “Wang”].

As per claim 15, the combination of Chari and Ahmadzadeh teaches the system according to claim 14.
The combination of Chari and Ahmadzadeh does not explicitly teach wherein the instructions further cause the system to generate a database for the honeypot or honeynet. Wang teaches wherein the instructions further cause the system to generate a database for the honeypot or honeynet (Claim interpretation - multilayer deception system with multiple honey servers and computers interpreted to be a “honeynet”) (Wang; Abstract, generating a honey database on a honey server or honey computer see also [0046]) (Claim interpretation - multilayer deception system with multiple honey servers and computers interpreted to be a “honeynet” see specification of instant application at [0006]).
At the time of filing, it would have been obvious to one of ordinary skill in the art to combine Chari and Ahmadzadeh with the teachings of Wang, wherein the instructions further cause the system to generate a database for the honeypot or honeynet, to lure and analyze attacker behavior without jeopardizing sensitive data.

As per claim 16, the combination of Chari, Ahmadzadeh and Wang teaches the system according to claim 15, wherein the database is an altered or false database (Wang; [0046], honey database contain completely fake databases or individual components, i.e. tables, rows, columns, etc.).

As per claim 17, the combination of Chari, Ahmadzadeh and Wang teaches the system according to claim 16, wherein the database lacks data that is commercially or confidentially sensitive (Wang; [0047], honey files/folders and honey databases can contain honey profiles which exclude sensitive information like real name and real contact information).

Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Chari and Ahmadzadeh in view of Rounthwaite et al. (US PGPUB No. 2004/0177110) [hereinafter “Rounthwaite”].

As per claim 20, the combination of Chari and Ahmadzadeh teaches the system according to claim 14.
The combination of Chari and Ahmadzadeh does not explicitly teach wherein the machine learning model is a neural network. Rounthwaite teaches wherein the machine learning model is a neural network (Claim interpretation – it is well known that machine learning includes neural network) ([0011], defining machine learning systems to include neural networks).
At the time of filing, it would have been obvious to one of ordinary skill in the art to combine Chari and Ahmadzadeh with the teachings of Rounthwaite, wherein the machine learning model is a neural network, to allow for an adaptive and dynamic approach to recognizing and handling attack behavior.

Response to Arguments
Applicant’s arguments with respect to the objection to claim 16 have been fully considered and are persuasive.  The objection has been withdrawn.

Applicant’s arguments with respect to the rejection of claims 8 and 9 under 35 U.S.C. 101 have been fully considered and are persuasive.  The rejection has been withdrawn.

Applicant’s arguments with respect to the rejection of claims 1-18 and 20 under 35 U.S.C. 102 and 103 have been fully considered but are not persuasive.
	As per independent claim 10, Applicant argues that the cited prior art reference Chari does not teach using a machine learning model to configure a computer decoy. Examiner submits that this feature was introduced in the latest amendments by moving the substance of claim 19 into claim 10 and therefore the secondary reference, Ahmadzadeh, is now cited to teach this feature.
	As per independent claim 14, Applicant similarly argues that Chari does not teach "configure a honeypot or honeynet according to the determined configuration, wherein the instructions cause the system to determine the configuration of the honeypot or honeynet using a machine learning model." Examiner submits that this feature was introduced in the latest amendments by moving the substance of claim 19 into claim 14 and therefore the secondary reference, Ahmadzadeh, is now cited to teach this feature.
	As per independent claim 1, Applicant argues that the cited prior art reference Giokas does not teach "receiving, processing and logging network traffic data received from a plurality of users" and "providing the determined attacker profile and configuration to the user." Applicant reasons that Giokas does not mention providing a configuration to the system but rather only provides “new and updated vulnerabilities” to trigger a restart or re-initiation of the optimization procedure. Examiner submits that Giokas is used in combination with Chari to teach this feature. Giokas at [0110] teaches “a main process that can listen and request for new or updated vulnerabilities which are stored in repositories of the network” which is combined with the attack signatures and customized honeypot configurations taught in Chari.
	As per dependent claims 2-13, 15-18 and 20, the above arguments are reasserted due to claim dependency. Accordingly, these arguments are addressed in the same manner as above.
	In conclusion, the prior art rejections under 35 U.S.C. 102 and 103 are maintained.


Examiner notes Applicant’s rescission of any previous disclaimers.

To expedite prosecution, Examiner is open to conducting an after-final interview to discuss claim amendments to overcome the current rejection and/or place the application in condition for allowance. 

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Wei et al. (CN 101087196 A) discloses formulating attack characteristics and threat levels. El-Moussa et al. (US PGPUB No. 2010/0122342) discloses determining legitimate users. Bufford et al. (CN 102546621 A) discloses honeypot profiles. Hazzani et al. (EP 2 657 880 A1) and Ayyagari et al. (US PGPUB No. 2013/0305357) disclose activity/baseline profiles of users. Tian et al. ("A Study of Intrusion Signature Based on Honeypot", IEEE, doi: 10.1109/PDCAT.2005.51, 2005, pp. 125-129), Dagdee et al. ("Intrusion Attack Pattern Analysis and Signature Extraction for Web Services Using Honeypots", IEEE, doi: 10.1109/ICETET.2008.192, 2008, pp. 1232-1237), Kuwatly et al. ("A dynamic honeypot design for intrusion detection", IEEE, doi: 10.1109/PERSER.2004.1356776, 2004, pp. 95-104) and Wagener et al. ("Adaptive and self-configurable honeypots", IEEE, doi: 10.1109/INM.2011.5990710, 2011, pp. 345-352) all disclose dynamic and configurable honeypot environments. Marion et al. (US-20140298469-A1), Porras et al. (US-20160218933-A1), Ohayon et al. (US-20170324773-A1), Alese et al. ("Improving deception in honeynet: Through data manipulation," The 9th International Conference for Internet Technology and Secured Transactions (ICITST-2014), 2014, pp. 198-204, doi: 10.1109/ICITST.2014.7038805), O'Leary et al. ("Development of a Honeynet Laboratory: a Case Study," Seventh ACIS International Conference on Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing (SNPD'06), 2006, pp. 401-406, doi: 10.1109/SNPD-SAWN.2006.35) and Capalik ("Next-Generation Honeynet Technology with Real-Time Forensics for U.S. Defense," MILCOM 2007 - IEEE Military Communications Conference, 2007, pp. 1-7, doi: 10.1109/MILCOM.2007.4455171) all generally disclose aspects of the claimed invention.

Applicant's amendment necessitated any new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 


Any inquiry concerning this communication or earlier communications from the examiner should be directed to PETER C SHAW whose telephone number is (571)270-7179. The examiner can normally be reached Max Flex.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on 571-272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/PETER C SHAW/
Primary Examiner, Art Unit 2493
August 19, 2022