DETAILED ACTION
This Reasons for Allowance is in response to applicants’ After Final amendment and remarks filed on 08/26/2022.  Claims 1, 2, 11, and 18 have been amended, and Claims 8, 14-17, and 19 have been canceled.  New Claims 22-29 have been added.  The Examiner hereby enters the proposed AF amendment filed 08/26/2022.  Therefore, Claims 1-7, 11-13, 18, and 21-29 are currently pending and have been considered as follows.
The text of those sections of Title 35 U.S. Code not included in this section can be found in the prior office action.
The prior office actions are incorporated herein by reference.  In particular, the observations with respect to claim language, and response to previously presented arguments.
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Allowable Subject Matter
Claims 1-7, 11-13, 18, and 21-29 are allowed.
Response to Arguments
Applicants’ arguments filed 08/26/2022, with respect to amended Claims 1, 11, and 18 have been fully considered and are persuasive. 
Examiner’s Statement of Reasons for Allowance
The following is an examiner’s statement of reasons for allowance:
In interpreting the claims in light of the specification, the Examiner finds the claimed invention to be patentably distinct from the prior art of record.
Independent Claims 1, 11, and 18 are allowed for the reasons argued by applicants in the remarks filed 08/26/2022.  Claims 2-7, 12, 13, and 21-29 depend upon respective independent claims above and are allowed by virtue of their dependencies.
Although the prior art of record, Joffe (US 9356942 B1), discloses “The threat analyzer 60 gathers and analyzes data from multiple sources, which may include decoy bot computers D, decoy control computers 25, sinkhole computers 50, DNS or DDNS servers 40, and other data sources (as described below), to identify evidence of an attack” [column 6 lines 23-27]; “Data gathered at decoy victim computers D, a decoy control computer 25, and a sinkhole 50 are analyzed in combination to dissect the malware used in an attack. In addition to identifying the origin (e.g., a victim computer) and content of the malicious traffic, the threat analyzer 60 can also perform conventional network behavior analyses of the malicious data including netflow analysis, anomaly detection, and signature correlation” [column 6 lines 43-50]; “In addition to the IP addresses that are assigned to connect servers, firewalls, computers, and the like, the network 80 also includes a number of IP addresses that are not being used and should not be accessed. Some of the unused IP addresses can be dedicated to an internal darknet 82… Because the IP addresses of darknet 82 are designated as unused by the network 80, computers within the network 80 have no legitimate reason to access the darknet 82. Traffic attempting to access an unused IP address of the darknet 82 can be immediately identified as malicious… When victim computer V attempts to access an unused IP address of the internal darknet 82, traffic from the victim computer V is redirected to honeypot 83. A honeypot is a network element or computer that imitates the operation of the network 80 and analyzes the traffic of victim computer V in order to better understand the malware that has infiltrated the network 80. One or more honeypot computers are located at IP addresses that would not otherwise be used by the network 80. The internal darknet 82 redirects traffic from a victim computer V to the honeypot 83 so that the malware can be analyzed” [column 7 lines 31-67]; “The threat analyzer 60 also gathers internal monitor information 35 corresponding to data collected from the internal monitors 84 of its customers. With the threat data of a plurality of customer networks, threat information of one customer network can be used to assist a second customer network. After an internal monitor 84 performs network behavior analysis including netflow analysis, anomaly detection, and signature correlation, the results of the each internal monitor 84 may be analyzed in combination. Within the threat analyzer 60, the internal monitor data 35 of each customer can be made anonymous. In other words, information identifying a particular customer network can be removed when being used to analyze other customer networks. After being made anonymous, the internal monitor data 35 of each customer may be combined with internal monitor data 35 of other customers that has also been made anonymous. In this manner, the internal threat data of one customer may be used to assist other customers. For example, if one customer is subjected to an attack of a new malware, the internal monitors 84 of other customers are updated to more quickly identify the attack” [column 8 lines 46-65], none of the prior art of record teaches, individually or in combination, at least the limitations listed below as recited in applicants’ independent Claims:
[Claim 1] “predicting, by the service, a cyber attack based on the information received from the client computing devices of the client networks, including determining that the client networks that are receiving the incoming network traffic addressed to the dark IP address spaces thereof share a common characteristic in that the client networks belong to entities of a same industrial sector, the cyber attack unable to be predicted based on the incoming network traffic addressed to the dark IP address space of any one of the client networks… notifying, by the service, the client computing device of each client network sharing the common characteristic that the cyber attack is targeting the clients sharing the common characteristic”;
[Claim 11] “transmit information regarding the incoming network traffic addressed to the dark IP address space to a service receiving information regarding incoming network traffic addressed to other dark IP address spaces of other client networks; receive a notification from the service, the notification comprising an indication that the client network is a source of a cyber attack, a target of the cyber network being one of the other client networks; and institute a network countermeasure at the client network to correct a misconfiguration of the client network that caused the client network to be the source of the cyber attack”;
[Claim 18] “predict a cyber attack based on the received information, including determining that the client networks that are receiving the incoming network traffic addressed to the dark IP address spaces thereof share a common characteristic in that the client networks belong to entities of a same industrial sector, the cyber attack unable to be predicted based on the incoming network traffic addressed to the dark IP address space of any one of the client networks; and notify the client computing device of each client network sharing the common characteristic that the cyber attack is targeting the clients sharing the common characteristic”.
The closest prior art made of record and cited consisted of the following references.
Ronen et al. (US 20180324193 A1) disclosed a system for detecting a non-targeted attack by a first machine on a second machine. The system includes an application that includes instructions configured to: extract network data corresponding to traffic flow between the first and second machines, where the second machine is implemented in a cloud-based network; identify a first suspect external IP address based on the network data; calculate features for the first suspect external IP address, where the features include exploration type features and exploitation type features; train a classifier based on predetermined examples and the features to generate and update a model; classify the first suspect external IP address based on the model and at least some of the features; and perform a countermeasure if a classification provided from classifying the first suspect external IP address indicates that the first suspect external IP address is associated with a malicious attack on the second machine.
Sutton (US 8413238 B1) disclosed distributed security that monitors communications to identify access attempts to/from darknet addresses. Such attempts can be inferred to be associated with malicious activity and a notification or other corrective action can be provided identifying such potentially malicious activity.
Quarterman et al. (US 8560413 B1) disclosed a method and service of visualization of Internet nodes involved in distributed electronic crime in order to see patterns of actionable intelligence, such as multiple phishing nodes hosted at the same hosting center, or domain names registered in one country that are actually in another country or nodes related by one or more aspects, such as specific criminal attack campaign, target or technical weakness exploited to ease commandeering of the node. The invention involves collecting topological and latency data including changes over time and using the data to determine probable topological and geographical locations of single or multiple nodes, as well as inferential geolocation.
Aziz et al. (US 8898788 B1) disclosed malware attack prevention where network data is copied from a communication network. It is then determined if a possible malware attack is within the copied network data. The network data is intercepted based on the determination. The network data is then analyzed to identify a malware attack.
Beauchesne et al. (US 20150264078 A1) disclosed a method and system for detecting network reconnaissance wherein network traffic can be parsed into unidirectional flows that correspond to sessions. A learning module may categorize computing entities inside the network into assets and generate asset data to monitor the computing entities. If one or more computing entities address a flow to an address of a host that no longer exists, ghost asset data may be recorded and updated in the asset data. When a computing entity inside the network contacts an object in the dark-net, the computing entity may be recorded as a potential mapper. When the computing entity tries to contact a number of objects in the dark-net, such that a computed threshold is exceeded, the computing entity is identified as a malicious entity performing network reconnaissance.
Chu et al. (US 20040117640 A1) disclosed a system in which a networked device automatically evaluates hacker attack notification information and, based thereon, selects and executes responses to the attack. The notification may include information such as the address of the infected system, identification of the specific worm, and a list of vulnerable applications and operating systems. The evaluation is based on factors including criticality and vulnerability of applications running on the system and connectivity of the device. A variety of automatic responses can be selected, including notification of network administration, shutdown of the device or services running on the device, updating and activation of anti-virus software, and selective handling of data sent from the address of the suspect network device. The selection of responses can occur automatically based on rules input during setup or by intervention of network administration.
Huang et al. (US 20080162592 A1) disclosed a logging system that includes an event receiver and a storage manager. The receiver receives log data, processes it, and outputs a data "chunk." The manager receives data chunks and stores them so that they can be queried. The receiver includes buffers that store events and a metadata structure that stores metadata about the contents of the buffers. The metadata includes a unique identifier associated with the receiver, the number of events in the buffers, and, for each "field of interest," a minimum value and a maximum value that reflect the range of values of that field over all of the events in the buffers. A chunk includes the metadata structure and a compressed version of the contents of the buffers. The metadata structure acts as a search index when querying event data. The logging system can be used in conjunction with a security information/event management (SIEM) system.
Cruz Mota et al. (US 20160028763 A1) disclosed a traffic model manager node that receives data flows in a network and determines a degree to which the received data flows conform to one or more traffic models classifying particular types of data flows as non-malicious. If the degree to which the received data flows conform to the one or more traffic models is sufficient, the traffic model manager node characterizes the received data flows as non-malicious. Otherwise, the traffic model manager node provides the received data flows to a denial of service (DoS) attack detector in the network to allow the received data flows to be scanned for potential attacks.
However, the prior art of record, taken by itself or in any combination, does not anticipate or make obvious the invention of the present application and in particular the claim features listed above.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicants’ disclosure.
Fachkha et al. (“Investigating the Dark Cyberspace: Profiling, Threat-Based Analysis and Correlation”, October 2012, 7th International Conference on Risks and Security of Internet and Systems, pp. 1-8) is cited for gathering of cyber threat intelligence to collect and analyze traffic destined to unused Internet addresses known as darknets and profiling darknet data.
Amoroso et al. (US 20060101515 A1) is cited for a method of assigning a dark network address to a trap and monitoring network traffic directed there.
Vissamsetty et al. (US 20170026387 A1) is cited for a dark space in a network that is consumed by a BotSink from source host attempts.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Kenneth W Chang whose telephone number is (571)270-7530. The examiner can normally be reached Monday - Friday 9-5pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached on 571-272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/KENNETH W CHANG/ Primary Examiner, Art Unit 2438

09.06.2022