DETAILED ACTION
This communication is in response to the application filed on June 24, 2020, in which claims 1-20 are presented for examination.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 06/26/2020 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-8 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant regards as the invention.
Claim 1 recites the limitation "the network security device" in line 3.  There is insufficient antecedent basis for this limitation in the claim.
Claim 1 recites the limitation “determining, the processing resource, an Internet Protocol (IP) address of a computer system that originated the attack chain”; the scope of this limitation is not clear, because it is not clear what is being determined. For the following rejection, this limitation is read as “determining, by the processing resource, an Internet Protocol (IP) address of a computer system that originated the attack chain” according to the context.
Claim 8 recites the limitation "The method of claim 6, the active content a hyperlink,..." in line 1.  There is insufficient antecedent basis for this limitation (“the active content”) in the claim. For the following rejection, this limitation is read as "The method of claim [[6]] 7, the active content is a hyperlink,...".
The dependent claims included in the statement of rejection but not specifically addressed in the body of the rejection have inherited the deficiencies of their parent claim and have not resolved the deficiencies. Therefore, they are rejected based on the same rationale as applied to their parent claims above.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3-4, 9, 11-12, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over US PG-PUB No. 2017/0195346 A1 to Levin et al. (hereinafter Levin) in view of US PG-PUB No. 2021/0011985 A1 to Korotaev (hereinafter Korotaev).
As per claim 1, Levin disclosed a method comprising:
storing, by a processing resource of a deception-based intrusion detection system, a decoy file on a deception host deployed by the network security device within a private network (Levin, par 0024, the digital minefield being implemented includes “decoy deceptive resources 22, such as decoy files, processes and objects, that will lure the attacker to interact with them”), wherein the decoy file contains therein a traceable object that is detectable by network security scanning performed by a plurality of network security devices protecting the private network (Levin, par 0032, “Mines 20 may be added to a list of monitored decoy resource 22, which may be monitored by detection and termination module 14. For example, detection and termination module 14 may include a driver in the kernel level of OS 11, supplied with a function such as, for example, a callback function 16, and the function may be called every time a handle to a monitored resource such as, for example, process, file or object, is opened. According to some embodiments of the present invention, when attacker 30 looks for a resource to interact with, for example a file, process or object with certain characteristics, he will find a mine 20, e.g., a decoy resource 22 imitating the desired resource that has the same looked-for characteristics, and will interact with it by opening a handle 18 to decoy resource 22. Once a handle 18 is opened, OS 11 may execute callback function 16. Callback function 16 may check whether the resource accessed by the opened handle is one of the monitored resources. If the accessed resource is a monitored resource, callback function 16 may inform detection and termination module 14.”; par 0038, “mines 20 may be integrated in various resources 12 such as, for example, systems, files and/or processes to deceive attacker 30”);
receiving, by the processing resource, from one or more network security devices of the plurality of network security devices, information regarding an attack chain associated with an access to the decoy file or a transmission of the decoy file through the one or more network security devices, wherein the information is created responsive to detection of a security incident by the network security scanning performed by the one or more network security devices (Levin, par 0032, “If the accessed resource is a monitored resource, callback function 16 may inform detection and termination module 14”; the information sent to the detection and termination module for terminating the attack corresponds to the claimed information regarding an attack chain; also par 0033, “A network mine may be used for deception of an attacker 30 trying to steal files from shares over Server Message Block (SMB) and or Common Internet File Systems (CIFS)....Once attacker 30 interacts with a monitored decoy network share, the interaction may be detected and stopped by detection and termination module 14”);
Levin does not explicitly disclose determining, the processing resource, an Internet Protocol (IP) address of a computer system that originated the attack chain; i.e., Levin disclosed terminating the attack in response to detecting an attacker trying to interact with decoy resources (Levin, par 003, “...any process may be imitated by a produced decoy resource 22, which may be monitored by detection and termination module 14. Once an attacker tries to interact with such decoy resource 22, detection and termination module 14 may detect the interaction and terminate the attack in real time”), but does not disclose determining the IP address of a computer system that originated the attack chain; however, in an analogous art in deception-based intrusion detection systems, Korotaev disclosed determining the IP address of a computer system that originated an attack chain (Korotaev, par 0024, 0062, “...the intrusion reaction module 106 may react to the exploit attempts....In another aspect, the detected exploit attempts result in the blocking of the login of the user associated with the attack. In some aspects, the detected exploit attempts result in the blocking of network traffic (all or partial) from the original network address(es) associated with the attack”; determining the IP address (or equivalent of an IP address) of the origin of the attack is implied in the process of blocking network traffic from the original network addresses associated with the attack); it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the system of Levin to incorporate the intrusion reaction, including blocking network traffic from the original network addresses associated with the attack, as disclosed by Korotaev, in order to protect the system from exploits as disclosed by Korotaev (Korotaev, par 0062).

As per claim 3, Levin-Korotaev disclosed the method of claim 1, wherein said receiving, by the processing resource, from one or more network security devices of the plurality of network security devices, information regarding an attack chain is responsive to a request by the deception-based intrusion detection system (Levin, par 0027, “The interaction of attacker 30 with the monitored decoy resource 22 may be detected by detection and termination module 14, and the attack may be stopped by detection and termination module 14 in real time”; a request is implied in the initiation of the stopping of the attack, as information regarding the attack needs to be obtained in order to stop the attack).

As per claim 4, Levin-Korotaev disclosed the method of claim 3, wherein the request by the deception-based intrusion detection system is via a cooperative security fabric involving the plurality of network security devices (Levin, par 0004-0005, 0021, “digital minefield layer 10 may include mines 20 in different layers of OS 11 and in various process layers in endpoint machines 15 (as described in more detail with reference to FIG. 4), which may be potential targets of a cyber attacker 30. Mines 20 are configured to protect against different threat types and phases in the attack chain. Digital minefield layer 10 may further include a detection module 14 to detect interaction with at least one of mines 20”; the disclosed minefield layer corresponds to the claimed cooperative security fabric).

Claims 9, 11 and 12 recite substantially the same limitations as claims 1, 3 and 4, respectively, in the form of a system implementing the corresponding method, therefore, they are rejected under the same rationale.

Claim 17 recites substantially the same limitations as claim 1, in the form of a computer-readable storage medium with instructions for implementing the corresponding method, therefore, it is rejected under the same rationale.

Claims 2, 10, 14, 18 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Levin in view of Korotaev as applied to claim 1 above, and further in view of US PG-PUB No. 2014/0007246 A1 to Nelson et al. (hereinafter Nelson).
As per claim 2, Levin-Korotaev disclosed the method of claim 1; Levin does not explicitly disclose that the network security scanning comprises Data Leak Prevention (DLP) scanning; however, in an analogous art in network security management, Nelson disclosed Data Leak Prevention (DLP) scanning (Nelson, par 0007, Data Leak Prevention (DLP) in an enterprise network, and par 0024, 0044, a DLP sensor for detecting a watermark embedded in a file); it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the system of Levin to further incorporate the implementation of Data Leak Prevention (DLP) in an enterprise network as disclosed in Nelson, in order to ensure transmission of documents only to authorized personnel as suggested by Nelson (Nelson, par 0023).

As per claim 6, Levin-Korotaev-Nelson disclosed the method of claim 2, wherein the traceable object comprises a DLP watermark (Nelson, par 0024, 0044, a DLP sensor for detecting a watermark embedded in a file; the reasons of obviousness have been noted in the rejection of claim 2 above and are applicable herein).

Claims 10 and 14 recite substantially the same limitations as claims 2 and 6, respectively, in the form of a system implementing the corresponding method, therefore, they are rejected under the same rationale.

Claims 18 and 20 recite substantially the same limitations as claims 2 and 6, respectively, in the form of a computer-readable storage medium with instructions for implementing the corresponding method, therefore, they are rejected under the same rationale.

Claims 5, 13 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Levin in view of Korotaev as applied to claim 3 above, and further in view of US PG-PUB No. 2019/0098027 A1 to Wang (hereinafter Wang).
As per claim 5, Levin-Korotaev disclosed the method of claim 3; Levin does not explicitly disclose that the information regarding the attack chain is received in a form of logs maintained by the one or more network security devices; however, in an analogous art in network security management, Wang disclosed obtaining information about an attack chain based on log information from security devices (Wang, par 0020, 0100-0102, attack information is obtained based on event data from a log information pushing module); it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the system of Levin to further incorporate the log information used for attack detection as disclosed by Wang, in order to identify the source of a detected attack as suggested by Wang (Wang, par 0080).

Claim 13 recites substantially the same limitations as claim 5, in the form of a system implementing the corresponding method, therefore, it is rejected under the same rationale.

Claim 19 recites substantially the same limitations as claim 5, in the form of a computer-readable storage medium with instructions for implementing the corresponding method, therefore, it is rejected under the same rationale.

Claims 7-8, and 15-16 are rejected under 35 U.S.C. 103 as being unpatentable over Levin in view of Korotaev as applied to claim 1 above, and further in view of US PG-PUB No. 2017/0279854 A1 to Ramalingam et al. (hereinafter Ramalingam).
As per claim 7, Levin-Korotaev disclosed the method of claim 1; Levin does not explicitly disclose that the traceable object comprises active content, which when activated transmits a hidden code via an active connection; however, in an analogous art in network security management, Ramalingam disclosed embedding active content in a document for tracking purposes (Ramalingam, par 0024, “The active decoy data 133 is “active” in the sense that it includes executable instructions that facilitate reporting of its own exfiltration. The executable instructions within the active decoy data 133 may correspond to machine code and/or interpreted code. The active decoy data 133 may correspond to a file such as, for example, an image file, a document, an animation file, an executable file, a script file, an application package, an embedded Flash® object, a macro in a spreadsheet, an email file, and/or other types of files.”); it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the system of Levin to further incorporate the implementation of active decoy data as disclosed by Ramalingam, in order to track and identify malicious uses of the resources as suggested by Ramalingam (Ramalingam, par 0012).
As per claim 8, Levin-Korotaev-Ramalingam disclosed the method of claim 7, wherein the active content a hyperlink, embedded media, JavaScript, or a macro (Ramalingam, par 0024, “The active decoy data 133 is “active” in the sense that it includes executable instructions that facilitate reporting of its own exfiltration. The executable instructions within the active decoy data 133 may correspond to machine code and/or interpreted code. The active decoy data 133 may correspond to a file such as, for example, an image file, a document, an animation file, an executable file, a script file, an application package, an embedded Flash® object, a macro in a spreadsheet, an email file, and/or other types of files.”; the reasons of obviousness have been noted in the rejection of claim 7 above and are applicable herein).

Claims 15 and 16 recite substantially the same limitations as claims 7 and 8, respectively, in the form of a system implementing the corresponding method, therefore, they are rejected under the same rationale.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Kolton et al. (US Pat. No. 9,992,225 B2) disclosed a method and system for identifying malware network activity using a decoy environment.
Touboul et al. (US Pat. No. 9,553,886 B2) disclosed a method and system for managing dynamic deceptive environment.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Linglan Edwards whose telephone number is (571)270-5440. The examiner can normally be reached 9:00am - 5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok B Patel can be reached on 5712723972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/LINGLAN EDWARDS/Primary Examiner, Art Unit 2491