DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This Office Action is in response to the Amendment filed on 7/14/2022.
In the instant Amendment, claims 13-15 have been amended; claim 40 has been newly added; claims 1, 13 and 34 are independent claims. Claims 1-7, 12-15 and 27-40 have been examined and are pending. This Action is made Final.

Response to Arguments
The 35 U.S.C. 101 rejection of Claims 13-15 and 30-33 is withdrawn, as the claims have been amended.
Applicant's arguments filed on 7/14/2022 with respect to 35 U.S.C. 103 have been fully considered but they are not persuasive. 
Applicant argues: Independent claim 1 recites a method for detecting malicious interactions in a computer network, the method comprising:
generating, by a processor, at least one decoy segment associated with at least one decoy vulnerability of the computer network, wherein the at least one decoy segment comprises a decoy segment that comprises a legitimate item containing a content item, the content item comprising false data;
...
Singh and Stolfo, alone and in combination, fail to describe at least the above-emphasized language of independent claim 1. The Office Action (p. 6) concedes that Singh does not describe the above-emphasized language, but alleges that Stolfo (¶ 51) does. Applicant disagrees because Stolfo fails to describe the above-emphasized language. For this reason, the 35 U.S.C. 103 rejection should be withdrawn.
The cited paragraph (¶ 51) of Stolfo describes that decoy information can be a login (e.g., an e-mail login) that appears and functions like an actual login. However, as Stolfo makes clear in ¶ 51, the login is a legitimate login - because it is an actual login that allows a rogue system administrator or a network security staff member to actually log in; the act of logging in will set off a notification that the user logging in is malicious. This login is therefore an actual functioning login, and it is not a "decoy segment that comprises a legitimate item containing a content item, the content item comprising false data," as claimed. Thus, Stolfo fails to describe the above-quoted language of claim 1.
Since neither Singh nor Stolfo describe the above-emphasized language of claim 1, no combination of them does so. Accordingly, it is respectfully requested that the 35 U.S.C. § 103 rejection of independent claim 1, and each claim that depends therefrom, be withdrawn.
Examiner’s response: The examiner respectfully disagrees. Stolfo discloses [0051] - In some embodiments, generated decoy information can be tested to ensure that the decoy information complies with document properties that enhance the deception for different classes or types of inside attackers that vary by level of knowledge and sophistication. For example, decoy information can be generated to appear realistic and indistinguishable from actual information used in the system. If the actual information is in the English language, the decoy information is generated in the English language and the decoy information looks and sounds like properly written or spoken English. In another example, to entice a sophisticated and knowledgeable attacker, the decoy information can be a login (e.g., an email login, a system login, a network login, a website username) that appears and functions like an actual login such that it is capable of entrapping a rogue system administrator or a network security staff member. In another example, decoy information can appear to contain believable, sensitive personal information and seemingly valuable information. As described further below, decoy information can be generated such that the documents are believable, variable (e.g., not repetitive, updatable such that attackers do not identify decoy information, etc.), enticing (e.g., decoy information with particular keywords or matching particular search terms), conspicuous (e.g., located in particular folders or files), detectable, differentiable from actual information, non-interfering with legitimate users, etc.). The examiner respectfully construes a legitimate item to be, e.g., a login or a document. The examiner further notes that a login or a document, when construed as a legitimate item, would contain content item(s) that are used to entice or that are differentiable from actual information.
For example, when a login is construed as a legitimate item containing login information/credentials (i.e., content items comprising false data), and/or when a document is construed as a legitimate item, it would contain enticing information or even believable, sensitive personal information or seemingly valuable information (i.e., content items comprising false data). Thus, when a login and/or document is broadcast to the public, it would be monitored with respect to the decoy segment (i.e., credentials used to log in, or viewing of data within the document; see [0187]). Thus, as reasonably construed, the metes and bounds of the claim scope have been met; therefore the examiner finds this argument not persuasive.
The examiner notes that similar rationale applies to the arguments for Claim 13 and Claim 34; therefore the examiner finds those arguments not persuasive.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1, 2, 5, 6, 7, 29, 34, 35, 39 and 40 are rejected under 35 U.S.C. 103 as being unpatentable over Singh et al. (US 2017/0223037 A1) in view of Stolfo et al. (US 2010/0077483 A1).

Regarding Claim 1;
Singh discloses a method of detecting malicious interactions in a computer network, the method comprising:
generating, by a processor, at least one decoy segment (FIG. 46 and [0609] - Returning to FIG. 46, the usernames for the decoy email addresses 4630 are typically generated to resemble legitimate email addresses that may be used by the customer network 4602); 
broadcasting, by the processor, the generated at least one decoy segment in a public database (FIG. 46 and [0702] - The decoy email addresses 4630 are meant to attract the attention of malicious actors. The decoy email addresses 4630 are thus made publicly available... by placing them on websites in plain text (i.e., public database)... The decoy email addresses 4630 may be made public by the email address generation engine 4610, or by some other device or process in the customer network 4602.); 
monitoring, by the processor, communication within the computer network to identify at least one interaction associated with the generated at least one decoy segment (FIG. 46 – Email Monitor/Malicious Email detection Engine); 
determining, by the processor, at least one indicator of compromise for the identified at least one interaction (FIG. 46 and FIG. 47 and [0726] - The status determined by the decision engine 4722 may be provided to the analytic engine 4724. The analytic engine 4724 may generate indicators 4736 that identify the email 4706. The indicators 4736 may include, for example, values from the email header 4742 such as values indicating the source of the email 4706 and/or a distinct or unique subject string. The indicators 4736 can also include "indicators of compromise" (IOCs). Indicators of compromise are a set of data that describes identified malicious activity. Indicators of compromise can be used to describe virus signatures, Internet Protocol (IP) addresses associated with suspicious activity, Message Data algorithm 5 (MD5) hashes of malware files, or Uniform Resource Locations (URLs) or domain names of botnet command and control servers. Indicators of compromise can be used by intrusion detection systems and anti-virus software to detect attacks on a network. Indicators of compromise may be formatted for both human and machine readers, such as for example using XML.); and 
blocking communication between the computer network and any computer associated with the determined at least one indicator of compromise ([0320] – ...an intrusion detection system (IDS), an intrusion prevention system (IPS), and/or some other network security tool or system... The IDS is a system that monitors network and system activities for malicious activities. The IPS also monitors network and system activities for malicious activity, and also actively prevents or blocks intrusions that are detected. [0726] - The indicators 4736 can also include "indicators of compromise" (IOCs). Indicators of compromise are a set of data that describes identified malicious activity. ... Indicators of compromise can be used by intrusion detection systems and anti-virus software to detect attacks on a network. and [0727] - The malicious email detection engine 4712 can send these indicators to the customer network's system administrator and/or to an automated system, either of which can attempt to find computers in the customer network that have the same modifications. Computers in the customer network that match the indicators may have had infected with the same malware and [0729]).
Singh fails to explicitly disclose generating, by a processor, at least one decoy segment associated with at least one decoy vulnerability of the computer network, wherein the at least one decoy segment comprises a decoy segment that comprises a legitimate item containing a content item, the content item comprising false data.
However, in an analogous art, Stolfo teaches generating, by a processor, at least one decoy segment associated with at least one decoy vulnerability of the computer network, wherein the at least one decoy segment comprises a decoy segment that comprises a legitimate item containing a content item, the content item comprising false data (Stolfo, [0051] - In some embodiments, generated decoy information can be tested to ensure that the decoy information complies with document properties that enhance the deception for different classes or types of inside attackers that vary by level of knowledge and sophistication. For example, decoy information can be generated to appear realistic and indistinguishable from actual information used in the system. If the actual information is in the English language, the decoy information is generated in the English language and the decoy information looks and sounds like properly written or spoken English. In another example, to entice a sophisticated and knowledgeable attacker, the decoy information can be a login (e.g., an email login, a system login, a network login, a website username) that appears and functions like an actual login such that it is capable of entrapping a rogue system administrator or a network security staff member. In another example, decoy information can appear to contain believable, sensitive personal information and seemingly valuable information. As described further below, decoy information can be generated such that the documents are believable, variable (e.g., not repetitive, updatable such that attackers do not identify decoy information, etc.), enticing (e.g., decoy information with particular keywords or matching particular search terms), conspicuous (e.g., located in particular folders or files), detectable, differentiable from actual information, non-interfering with legitimate users, etc.).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Stolfo with the decoy information of Singh to include generating, by a processor, at least one decoy segment associated with at least one decoy vulnerability of the computer network, wherein the at least one decoy segment comprises a decoy segment that comprises a legitimate item containing a content item, the content item comprising false data.
One would have been motivated to combine the teachings of Stolfo to Singh to provide users with a means for baiting inside attackers (Stolfo, [0004]).
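The claim 1 pipeline that the examiner maps onto Singh and Stolfo above (a decoy mailbox that really exists but carries false owner data, publication of the address as bait, monitoring for traffic that touches it, derivation of indicators of compromise from that traffic, and blocking of anything matching those indicators) is illustrated below as an added example. This is example code written for this page; it is not from the application, from Singh, from Stolfo, or from any other cited reference. The domain, decoy addresses, IP addresses, whitelist and message traffic are all constructed, and the whitelist step is the examiner's reading of the filtering recited in claim 4, not something either reference shows in this form.

```python
import hashlib
import ipaddress
import re
from dataclasses import dataclass, field

# All identifiers below are constructed for this example (assumed values).
NETWORK_DOMAIN = "example.org"

# Decoy segments: each address is a real, deliverable mailbox (the "legitimate
# item") whose owner name/role (the "content item") is false data. These are the
# addresses that would be published on public web pages as bait.
DECOY_ADDRESSES = {
    "dana.whitfield@example.org": "Accounts Payable (fictitious employee)",
    "vpn-admin@example.org": "Remote-access administrator (fictitious role)",
}

# Senders allowed to touch decoy mailboxes without becoming IOCs, e.g. the
# internal mail scanner. Assumed values.
WHITELISTED_IPS = {ipaddress.ip_address("10.0.0.5")}
WHITELISTED_DOMAINS = {NETWORK_DOMAIN}

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


@dataclass
class Message:
    sender_ip: str
    sender: str
    recipients: list
    subject: str
    body: str
    attachments: dict = field(default_factory=dict)  # filename -> bytes


@dataclass(frozen=True)
class IOC:
    kind: str   # "ip", "domain" or "md5"
    value: str


def decoy_hits(msg):
    """Interaction check: which decoy addresses did this message touch?"""
    return [r for r in msg.recipients if r in DECOY_ADDRESSES]


def extract_iocs(msg):
    """Derive IOCs (sender IP, linked domains, attachment hashes) from a message."""
    iocs = {IOC("ip", msg.sender_ip)}
    for domain in URL_RE.findall(msg.body):
        iocs.add(IOC("domain", domain.lower()))
    for data in msg.attachments.values():
        iocs.add(IOC("md5", hashlib.md5(data).hexdigest()))
    return iocs


def filter_whitelisted(iocs):
    """Drop IOCs that point at trusted infrastructure (the whitelist step of claim 4)."""
    kept = set()
    for ioc in iocs:
        if ioc.kind == "ip" and ipaddress.ip_address(ioc.value) in WHITELISTED_IPS:
            continue
        if ioc.kind == "domain" and ioc.value in WHITELISTED_DOMAINS:
            continue
        kept.add(ioc)
    return kept


class BlockList:
    """Stand-in for the IOC database a firewall/IPS consults before passing traffic."""

    def __init__(self):
        self.ips, self.domains, self.hashes = set(), set(), set()

    def update(self, iocs):
        for ioc in iocs:
            {"ip": self.ips, "domain": self.domains, "md5": self.hashes}[ioc.kind].add(ioc.value)

    def blocks(self, msg):
        return (msg.sender_ip in self.ips
                or any(d.lower() in self.domains for d in URL_RE.findall(msg.body))
                or any(hashlib.md5(b).hexdigest() in self.hashes
                       for b in msg.attachments.values()))


def process(messages):
    """Monitor a message stream; return the resulting block list and per-message decisions."""
    bl, decisions = BlockList(), []
    for msg in messages:
        if bl.blocks(msg):                      # matches a known IOC: block
            decisions.append((msg.subject, "blocked"))
        elif decoy_hits(msg):                   # touched a decoy: learn new IOCs
            bl.update(filter_whitelisted(extract_iocs(msg)))
            decisions.append((msg.subject, "decoy-hit"))
        else:
            decisions.append((msg.subject, "delivered"))
    return bl, decisions


LURE = b"MZ\x90\x00 constructed attachment bytes"
SAMPLE_MESSAGES = [  # constructed traffic, in arrival order
    Message("203.0.113.7", "billing@evil.example.net", ["dana.whitfield@example.org"],
            "Invoice overdue", "Pay at http://evil.example.net/login", {"invoice.zip": LURE}),
    Message("203.0.113.7", "billing@evil.example.net", ["amir@example.org"],
            "Invoice overdue", "Pay at http://other.example.net/login"),
    Message("10.0.0.5", "scanner@example.org", ["vpn-admin@example.org"],
            "Quarantine digest", "Review at https://example.org/quarantine"),
    Message("10.0.0.5", "scanner@example.org", ["amir@example.org"],
            "Quarantine digest", "Review at https://example.org/quarantine"),
    Message("198.51.100.9", "hr@evil.example.org", ["amir@example.org"],
            "Re: invoice", "See attached", {"doc.zip": LURE}),
]


def run_sample():
    return process(SAMPLE_MESSAGES)


if __name__ == "__main__":
    blocklist, outcome = run_sample()
    for subject, decision in outcome:
        print(f"{decision:10} {subject}")
    print("blocked IPs:", sorted(blocklist.ips))
```

The second message is blocked on sender IP alone even though it goes to a real user and links to a different domain, and the fifth is blocked on the attachment hash from a fresh IP; the scanner's own visit to a decoy mailbox yields no IOCs because the whitelist strips them, which is the false-positive path a practitioner has to plan for when internal tooling legitimately reads decoy mailboxes.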

Regarding Claim 2;
Singh and Stolfo disclose the method of Claim 1.
	Singh further discloses wherein the processor is external to the computer network ([0693] - Alternatively or additionally, the services provided by the email address generation engine 4610, the malicious email detection engine 4612, and/or the email monitor 4614 may be provided by a cloud service provider).

Regarding Claim 5;
Singh and Stolfo disclose the method of Claim 1.
Singh further discloses wherein at least one decoy segment further comprises a decoy segment that has information associated with the computer network ([0696] - An email address identifies an individual email user, who is a sender and/or receiver of email. An email address typically consist of a username, followed by an "@" symbol, followed by a domain name (e.g., "John.Doe@receiverdomain.com"), where the domain name is the name of a network (i.e., information associated with the computer network) from which the email user is sending and receiving email.).
Regarding Claim 6;
Singh and Stolfo disclose the method of Claim 1.
Singh further discloses wherein the at least one decoy segment further comprises a decoy segment that has at least one of: decoy injection or decoy cross-site scripting code ([0067] - For example, deception system 114 can include a decoy information broadcaster to inject decoy traffic information into a communications network and [0076]).
Regarding Claim 7; 
Singh and Stolfo disclose the method of Claim 1.
Singh further discloses wherein the legitimate item is an email account and the content item is an email item (FIG. 46 and [0609] - Returning to FIG. 46, the usernames for the decoy email addresses 4630 are typically generated to resemble legitimate email addresses that may be used by the customer network 4602).
Stolfo additionally teaches wherein the legitimate item is an email account and the content item is an email item (Stolfo, [0051] - In some embodiments, generated decoy information can be tested to ensure that the decoy information complies with document properties that enhance the deception for different classes or types of inside attackers that vary by level of knowledge and sophistication. For example, decoy information can be generated to appear realistic and indistinguishable from actual information used in the system. If the actual information is in the English language, the decoy information is generated in the English language and the decoy information looks and sounds like properly written or spoken English. In another example, to entice a sophisticated and knowledgeable attacker, the decoy information can be a login (e.g., an email login, a system login, a network login, a website username) that appears and functions like an actual login such that it is capable of entrapping a rogue system administrator or a network security staff member. In another example, decoy information can appear to contain believable, sensitive personal information and seemingly valuable information. As described further below, decoy information can be generated such that the documents are believable, variable (e.g., not repetitive, updatable such that attackers do not identify decoy information, etc.), enticing (e.g., decoy information with particular keywords or matching particular search terms), conspicuous (e.g., located in particular folders or files), detectable, differentiable from actual information, non-interfering with legitimate users, etc.).

Regarding Claim 29;
Singh and Stolfo disclose the method of Claim 1.
Singh further discloses wherein the at least one indicator of compromise comprises a virus signature, a uniform resource locator, and/or an IP address (FIG. 46 and FIG. 47 and [0726] - The status determined by the decision engine 4722 may be provided to the analytic engine 4724. The analytic engine 4724 may generate indicators 4736 that identify the email 4706. The indicators 4736 may include, for example, values from the email header 4742 such as values indicating the source of the email 4706 and/or a distinct or unique subject string. The indicators 4736 can also include "indicators of compromise" (IOCs). Indicators of compromise are a set of data that describes identified malicious activity. Indicators of compromise can be used to describe virus signatures, Internet Protocol (IP) addresses associated with suspicious activity, Message Data algorithm 5 (MD5) hashes of malware files, or Uniform Resource Locations (URLs) or domain names of botnet command and control servers. Indicators of compromise can be used by intrusion detection systems and anti-virus software to detect attacks on a network. Indicators of compromise may be formatted for both human and machine readers, such as for example using XML.).

Regarding Claims 34, 35, and 39; claims 34, 35, and 39 are directed to a medium associated with the method claimed in claims 1 and 29. Claims 34, 35, and 39 are similar in scope to claims 1 and 29, and are therefore rejected under similar rationale.

Regarding Claim 40;
Singh and Stolfo disclose the method of Claim 1.
Stolfo further teaches wherein the content item is an email message stored in a legitimate email account within the computer network, and the false data is within the email message (Stolfo, [0051] - In some embodiments, generated decoy information can be tested to ensure that the decoy information complies with document properties that enhance the deception for different classes or types of inside attackers that vary by level of knowledge and sophistication. For example, decoy information can be generated to appear realistic and indistinguishable from actual information used in the system. If the actual information is in the English language, the decoy information is generated in the English language and the decoy information looks and sounds like properly written or spoken English. In another example, to entice a sophisticated and knowledgeable attacker, the decoy information can be a login (e.g., an email login, a system login, a network login, a website username) that appears and functions like an actual login such that it is capable of entrapping a rogue system administrator or a network security staff member. In another example, decoy information can appear to contain believable, sensitive personal information and seemingly valuable information. As described further below, decoy information can be generated such that the documents are believable, variable (e.g., not repetitive, updatable such that attackers do not identify decoy information, etc.), enticing (e.g., decoy information with particular keywords or matching particular search terms), conspicuous (e.g., located in particular folders or files), detectable, differentiable from actual information, non-interfering with legitimate users, etc. and [0187] - In accordance with some embodiments, decoy information can be inserted into a particular software application. For example, decoy information can be inserted specifically into the Microsoft Outlook application. The decoy information can be inserted as decoy mails, decoy notes, decoy email addresses, decoy address book entries, decoy appointments, etc.). As construed, a decoy email account (or even a regular email account) would contain decoy mails with decoy information inserted in them.

Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Singh et al. (US 2017/0223037 A1) in view of Stolfo et al. (US 2010/0077483 A1) and further in view of Tock et al. (US 2015/0135316 A1).

Regarding Claim 3;
Singh and Stolfo disclose the method of Claim 1.
Singh discloses a firewall service of the computer network..., wherein the communication is blocked by the firewall service ([0077] - For example, a site's network typically includes a firewall attached to or incorporated into a gateway device that connects the site's network to outside networks. A firewall generally applies rules to network traffic, and controls what network traffic can come into a network. The firewall also typically controls network traffic that can go out of the network and [0176] – a firewall may block instructions originating from the internet).
Singh and Stolfo fail to explicitly disclose further comprising updating an indicator of compromise database of a firewall service of the computer network with the identified at least one indicator of compromise, wherein the communication is blocked by the firewall service.
However, in an analogous art, Tock teaches updating an indicator of compromise database of a firewall service of the computer network with the identified at least one indicator of compromise, wherein the communication is blocked by the firewall service (Tock, FIG. 4 – Firewall “410” and [0049] - The firewall 410 is a program that protects the client computer 210 by selectively blocking connections to specific sites and/or specific types of data and [0075] and [0088] - FIG. 12 conceptually illustrates a process 1200 of some embodiments for re-evaluating previously collected sets of potential IOCs. The process 1200 receives (at 1210) an update to the IOCs. For example, the threat response platform of some embodiments re-evaluates when a new set of actual IOCs are added to the database (e.g., when a new malware or a new version of an old malware is discovered), when a set of IOCs are modified (e.g., when a malware is discovered to have more IOCs than previously realized), and/or when the known actual IOCs are re-weighted (e.g., when a value related to the actual IOCs that is used to calculate a likelihood of malware is changed in such a way that the determined likelihood of malware increases based on that IOC, alone and/or in combination with other actual IOCs).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Tock with the detection of malicious interactions of Singh and Stolfo to include updating an indicator of compromise database of a firewall service of the computer network with the identified at least one indicator of compromise, wherein the communication is blocked by the firewall service.
One would have been motivated to combine the teachings of Tock with Singh and Stolfo to provide users with a threat response platform that enables a user to determine whether suspicious activity is, or is not, the result of malware (Tock, [0024]).

Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Singh et al. (US 2017/0223037 A1) in view of Stolfo et al. (US 2010/0077483 A1) and further in view of Nachenberg et al. (US 2018/0191747 A1).

Regarding Claim 4;
Singh and Stolfo disclose the method of Claim 1.
Singh and Stolfo fail to explicitly disclose further comprising filtering out at least one indicator of compromise based on predetermined whitelists.
However, in an analogous art, Nachenberg teaches filtering out at least one indicator of compromise based on predetermined whitelists (Nachenberg, [0032] - For example, the IOC gathering server 112 may compare a received IOC 142 and/or its provider to a whitelist that specifies legitimate software and/or trusted IOC providers. If the received IOC matches a file in the whitelist of legitimate software, or the IOC provider does not match an IOC provider specified by the whitelist, the IOC gathering server 112 may discard the received IOC).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Nachenberg to the method of Singh and Stolfo to include filtering out at least one indicator of compromise based on predetermined whitelists.
One would have been motivated to combine the teachings of Nachenberg to Singh and Stolfo to provide users with a means for detecting presence of security threats in ... computer systems using the indicators of compromise (Nachenberg, [0003]).

Claims 12 and 38 are rejected under 35 U.S.C. 103 as being unpatentable over Singh et al. (US 2017/0223037 A1) in view of Stolfo et al. (US 2010/0077483 A1) and further in view of Ettema et al. (US 2017/0019425 A1).

Regarding Claim 12;
Singh and Stolfo disclose the method of Claim 1.
Singh discloses ... wherein the at least one decoy segment further comprises a decoy segment that includes information associated with the ... computer network (FIG. 46 – Email Monitor/Malicious Email detection Engine); and monitoring the ... computer network to identify one or more interactions associated with the generated at least one decoy segment (FIG. 46 – Email Monitor/Malicious Email detection Engine);
Singh and Stolfo fail to explicitly disclose creating a virtual computer network corresponding to the computer network.../virtual computer network; and monitoring the virtual computer network to identify interactions associated with...
However, in an analogous art, Ettema teaches creating a virtual computer network corresponding to the computer network.../virtual computer network ([0044] - In either use case scenario, a clone of Alice's targeted host device can be instantiated as a customized VM instance in a VM environment (e.g., instrumented VM environment), along with instances for emulating a subset of devices from the target network environment (e.g., email server, DNS server, printer, etc.) in the VM environment (e.g., using a cloud security service or on a data appliance deployed on the target network environment). In particular, the VM environment can be configured to automatically synchronize with relevant portions of the target network (e.g., network layout, IP addresses, customized host images, etc.) to implement a honey network for the target network. The malware sample (e.g., malware URL, malware file/web download, malware email, and/or malware email attachment, etc.)...); and monitoring the virtual computer network to identify interactions associated with [malware] ([0044] - The behavior of the malware and any subsequent activities on the virtual clone of Alice's target host on the device and/or network interactions with other devices emulated in the honey network implemented in the VM environment and/or, in some cases, external network activities, such as over the Internet and/or with other devices on the actual target network, can also be monitored and logged to gain competitive analysis and to facilitate advanced threat prevention, as further described below.)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Ettema with the method of Singh and Stolfo to include creating a virtual computer network corresponding to the computer network...; and monitoring the virtual computer network to identify interactions associated with..., since such a combination would provide users with new and improved virtual machine (VM) techniques for advanced security threats (Ettema, [0037]).
One would also have been motivated to combine the teachings of Ettema with Singh and Stolfo to provide users with a means to deny or permit network transmission based on a set of rules (Ettema, [0003]).

Regarding Claim 38; claim 38 is directed to a medium associated with the method claimed in claim 12. Claim 38 is similar in scope to claim 12, and is therefore rejected under similar rationale.

Claims 13, 14, and 33 is/are rejected under 35 U.S.C. 103 as being unpatentable over Singh et al. (US 2017/0223037 A1) in view of Tock et al. (US 2015/0135316 A1) and Stolfo et al. (US 2010/0077483 A1).

Regarding Claim 13;
Singh discloses a system for detecting malicious interactions in a computer network with at least one blocking service ([0320], [0726], [0727], and [0729]), the system comprising:
a hardware processor, in communication with the computer network (FIG. 46 and [0693]); 
...wherein the hardware processor is configured to: 
generate at least one decoy segment (FIG. 46 and [0609] - Returning to FIG. 46, the usernames for the decoy email addresses 4630 are typically generated to resemble legitimate email addresses that may be used by the customer network 4602); 
broadcast the generated at least one decoy segment in a public database (FIG. 46 and [0702] - The decoy email addresses 4630 are meant to attract the attention of malicious actors. The decoy email addresses 4630 are thus made publicly available... by placing them on websites in plain text (i.e., public database)... The decoy email addresses 4630 may be made public by the email address generation engine 4610, or by some other device or process in the customer network 4602.);
monitor communication within the computer network to identify at least one interaction associated with the generated at least one decoy segment (FIG. 46 – Email Monitor/Malicious Email detection Engine);
determine at least one indicator of compromise for the identified at least one interaction (FIG. 46 and FIG. 47 and [0726] - The status determined by the decision engine 4722 may be provided to the analytic engine 4724. The analytic engine 4724 may generate indicators 4736 that identify the email 4706. The indicators 4736 may include, for example, values from the email header 4742 such as values indicating the source of the email 4706 and/or a distinct or unique subject string. The indicators 4736 can also include "indicators of compromise" (IOCs). Indicators of compromise are a set of data that describes identified malicious activity. Indicators of compromise can be used to describe virus signatures, Internet Protocol (IP) addresses associated with suspicious activity, Message Data algorithm 5 (MD5) hashes of malware files, or Uniform Resource Locations (URLs) or domain names of botnet command and control servers. Indicators of compromise can be used by intrusion detection systems and anti-virus software to detect attacks on a network. Indicators of compromise may be formatted for both human and machine readers, such as for example using XML.);
...block communication between the computer network and any computer associated with the determined at least one indicator of compromise ([0320] – ...an intrusion detection system (IDS), an intrusion prevention system (IPS), and/or some other network security tool or system... The IDS is a system that monitors network and system activities for malicious activities. The IPS also monitors network and system activities for malicious activity, and also actively prevents or blocks intrusions that are detected. [0726] - The indicators 4736 can also include "indicators of compromise" (IOCs). Indicators of compromise are a set of data that describes identified malicious activity. ... Indicators of compromise can be used by intrusion detection systems and anti-virus software to detect attacks on a network. and [0727] - The malicious email detection engine 4712 can send these indicators to the customer network's system administrator and/or to an automated system, either of which can attempt to find computers in the customer network that have the same modifications. Computers in the customer network that match the indicators may have had infected with the same malware and [0729]).
Singh fails to explicitly disclose
...a first database, coupled to the hardware processor and comprising indicator of compromise registers, wherein the processor is configured to: 
generate, at least one decoy segment associated with at least one decoy vulnerability of the computer network, wherein the at least one decoy segment comprises a decoy segment that comprises a legitimate item containing a content item, the content item comprising false data.
store the determined IOC in the first database; and 
share the first database with the at least one blocking service in order to block communication between the computer network and any computer associated with the determined at least one IOC,
However, in an analogous art, Tock teaches:
...a first database, coupled to the hardware processor and comprising indicator of compromise registers (Tock, FIG. 4), wherein the processor is configured to: 
store the determined indicator of compromise in the first database (Tock, FIG. 4 and [0088]); and 
share the first database with the at least one blocking service in order to block communication between the computer network and any computer associated with the determined at least one indicator of compromise (Tock, FIG. 4 – Firewall “410” and [0049] - The firewall 410 is a program that protects the client computer 210 by selectively blocking connections to specific sites and/or specific types of data and [0075] and [0088] - FIG. 12 conceptually illustrates a process 1200 of some embodiments for re-evaluating previously collected sets of potential IOCs. The process 1200 receives (at 1210) an update to the IOCs. For example, the threat response platform of some embodiments re-evaluates when a new set of actual IOCs are added to the database (e.g., when a new malware or a new version of an old malware is discovered), when a set of IOCs are modified (e.g., when a malware is discovered to have more IOCs than previously realized), and/or when the known actual IOCs are re-weighted (e.g., when a value related to the actual IOCs that is used to calculate a likelihood of malware is changed in such a way that the determined likelihood of malware increases based on that IOC, alone and/or in combination with other actual IOCs).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Tock to the method of Singh to include ...a first database, coupled to the hardware processor and comprising indicator of compromise registers, wherein the processor is configured to: store the determined indicator of compromise in the first database; and share the first database with the at least one blocking service in order to block communication between the computer network and any computer associated with the determined at least one indicator of compromise. 
One would have been motivated to combine the teachings of Tock to Singh to enable a user to determine whether suspicious activity is a result of malware, or is not the result of malware (Tock, [0024]).
However, in an analogous art, Stolfo teaches generate, at least one decoy segment associated with at least one decoy vulnerability of the computer network, wherein the at least one decoy segment comprises a decoy segment that comprises a legitimate item containing a content item, the content item comprising false data.
 (Stolfo, [0051] - In some embodiments, generated decoy information can be tested to ensure that the decoy information complies with document properties that enhance the deception for different classes or types of inside attackers that vary by level of knowledge and sophistication. For example, decoy information can be generated to appear realistic and indistinguishable from actual information used in the system. If the actual information is in the English language, the decoy information is generated in the English language and the decoy information looks and sounds like properly written or spoken English. In another example, to entice a sophisticated and knowledgeable attacker, the decoy information can be a login (e.g., an email login, a system login, a network login, a website username) that appears and functions like an actual login such that it is capable of entrapping a rogue system administrator or a network security staff member. In another example, decoy information can appear to contain believable, sensitive personal information and seemingly valuable information. As described further below, decoy information can be generated such that the documents are believable, variable (e.g., not repetitive, updatable such that attackers do not identify decoy information, etc.), enticing (e.g., decoy information with particular keywords or matching particular search terms), conspicuous (e.g., located in particular folders or files), detectable, differentiable from actual information, non-interfering with legitimate users, etc.).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Stolfo to the decoy information of Singh and Tock to include generating, by a processor, at least one decoy segment associated with at least one decoy vulnerability of the computer network, wherein the at least one decoy segment comprises a decoy segment that comprises a legitimate item containing a content item, the content item comprising false data.
One would have been motivated to combine the teachings of Stolfo to Singh and Tock to provide users with a means for baiting inside attackers (Stolfo, [0004]).

Regarding Claim 14;
Singh and Tock and Stolfo disclose the system of Claim 13.
	Singh further discloses wherein the hardware processor is embedded within the computer network (FIG. 46 and [0693]).

Regarding Claim 33
Singh and Tock and Stolfo disclose the system of Claim 13.
Singh further discloses wherein the at least one indicator of compromise comprises a virus signature, a uniform resource locator, and/or an IP address (FIG. 46 and FIG. 47 and [0726] - The status determined by the decision engine 4722 may be provided to the analytic engine 4724. The analytic engine 4724 may generate indicators 4736 that identify the email 4706. The indicators 4736 may include, for example, values from the email header 4742 such as values indicating the source of the email 4706 and/or a distinct or unique subject string. The indicators 4736 can also include "indicators of compromise" (IOCs). Indicators of compromise are a set of data that describes identified malicious activity. Indicators of compromise can be used to describe virus signatures, Internet Protocol (IP) addresses associated with suspicious activity, Message Data algorithm 5 (MD5) hashes of malware files, or Uniform Resource Locations (URLs) or domain names of botnet command and control servers. Indicators of compromise can be used by intrusion detection systems and anti-virus software to detect attacks on a network. Indicators of compromise may be formatted for both human and machine readers, such as for example using XML.);

Claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over Singh et al. (US 2017/0223037 A1) in view of Tock et al. (US 2015/0135316 A1) and Stolfo et al. (US 2010/0077483 A1) and further in view of Catakoglu, Onur, Marco Balduzzi, and Davide Balzarotti. "Attacks landscape in the dark side of the web." Proceedings of the Symposium on Applied Computing. 2017.

Regarding Claim 15; 
Singh and Tock and Stolfo disclose the system of Claim 13.
Singh and Tock and Stolfo fail to explicitly disclose further comprising a second database coupled to the hardware processor and comprising a list of public databases for broadcasting of the generated decoy segments.
However, in an analogous art, Catakoglu teaches further comprising a second database coupled to the hardware processor and comprising a list of public databases for broadcasting of the generated at least one decoy segment (Catakoglu, Honeypot Setup and Deployment, p. 1741-1742, ¶last paragraph of the page - We started by advertising our honeypot applications in three different ways: (i) by posting their URLs in several Tor network’s forums, channels, search engines and yellow pages, (ii) by visiting (twice a day) the applications via the Tor2Web proxy – which shares the visited URLs with Ahmia [2], a search engine for Tor, and (iii) by posting their URLs to several pages on the Surface Web; and Other Services, p. 1742 – This machine, reachable only over the Tor Network, ran the following... also advertised all the previously described channels...).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Catakoglu to the broadcasting of Singh and Tock and Stolfo to include further comprising a second database coupled to the hardware processor and comprising a list of public databases for broadcasting of the generated at least one decoy segment.
One would have been motivated to combine the teachings of Catakoglu to Singh and Tock and Stolfo to provide users with a means for exploring the modus operandi of attackers on the Dark Web (Catakoglu, Conclusions, p. 1745).


Claims 27 and 36 are rejected under 35 U.S.C. 103 as being unpatentable over Singh et al. (US 2017/0223037 A1) in view of Stolfo et al. (US 2010/0077483 A1) and further in view of Wright et al. (US 2018/0046796 A1).

Regarding Claim 27; 
Singh and Stolfo disclose the method of Claim 1.
	Singh further discloses wherein the at least one decoy segment further comprises a decoy segment generated using information... (FIG. 46 and [0609]).
	Stolfo further teaches wherein the at least one decoy segment further comprises a decoy segment generated using information... (Stolfo, [0051]).
Singh and Stolfo fail to explicitly disclose ... information scraped and/or harvested from paste sites. 
However, in an analogous art, Wright teaches ... information scraped and/or harvested from paste site (Wright, [0019]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Wright to the decoy segment generated using information of Singh and Stolfo to include ... information scraped and/or harvested from paste sites. 
One would have been motivated to combine the teachings of Wright to Singh and Stolfo to provide users with a means for identifying compromised credentials (Wright, [0019]).

Regarding Claim(s) 36; claim(s) 36 is/are directed to a/an medium associated with the method claimed in claim(s) 27. Claim(s) 36 is/are similar in scope to claim(s) 27, and is/are therefore rejected under similar rationale.
Claims 28 and 37 are rejected under 35 U.S.C. 103 as being unpatentable over Singh et al. (US 2017/0223037 A1) in view of Stolfo et al. (US 2010/0077483 A1) and further in view of Abrahami et al. (US 2015/0089354 A1).

Regarding Claim 28; 
Singh and Stolfo disclose the method of Claim 1.
	Singh further discloses wherein the at least one decoy segment further comprises a decoy segment including a ... email address (FIG. 46 and [0609]).
Singh and Stolfo fail to explicitly disclose a one time use email address. 
However, in an analogous art, Abrahami teaches a one time use email address for specific contact (Abrahami, [0313]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Abrahami to the email Address of Singh and Stolfo to include a one time use email address for specific contact.
One would have been motivated to combine the teachings of Wright to Singh and Stolfo to provide users with a means for tracking the at least one activity message (Abrahami, [0027]).

Regarding Claim(s) 37; claim(s) 37 is/are directed to a/an medium associated with the method claimed in claim(s) 28. Claim(s) 37 is/are similar in scope to claim(s) 28, and is/are therefore rejected under similar rationale.

Claim 30 is rejected under 35 U.S.C. 103 as being unpatentable over Singh et al. (US 2017/0223037 A1) in view of Tock et al. (US 2015/0135316 A1) and Stolfo et al. (US 2010/0077483 A1) and further in view of Wright et al. (US 2018/0046796 A1).

Regarding Claim 30; 
Singh and Tock and Stolfo disclose the system of Claim 13.
	Singh further discloses wherein the at least one decoy segment further comprises a decoy segment generated using information... (FIG. 46 and [0609]).
	Stolfo further teaches wherein the at least one decoy segment further comprises a decoy segment generated using information... (Stolfo, [0051]).
Singh and Tock and Stolfo fail to explicitly disclose ... information scraped and/or harvested from paste sites. 
However, in an analogous art, Wright teaches ... information scraped and/or harvested from paste site (Wright, [0019]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Wright to the decoy segment generated using information of Singh and Tock and Stolfo to include ... information scraped and/or harvested from paste sites. 
One would have been motivated to combine the teachings of Wright to Singh and Tock and Stolfo to provide users with a means for identifying compromised credentials (Wright, [0019]).
Claim 31 is rejected under 35 U.S.C. 103 as being unpatentable over Singh et al. (US 2017/0223037 A1) in view of Tock et al. (US 2015/0135316 A1) and Stolfo et al. (US 2010/0077483 A1) and further in view of Abrahami et al. (US 2015/0089354 A1).

Regarding Claim 29; 
Singh and Tock and Stolfo disclose the system of Claim 13.
	Singh further discloses wherein the at least one decoy segment further comprises a decoy segment including a ... email address (FIG. 46 and [0609]).
Singh and Tock and Stolfo fail to explicitly disclose a one time use email address. 
However, in an analogous art, Abrahami teaches a one time use email address for specific contact (Abrahami, [0313]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Abrahami to the email Address of Singh and Tock and Stolfo to include a one time use email address for specific contact.
One would have been motivated to combine the teachings of Wright to Singh and Tock and Stolfo to provide users with a means for tracking the at least one activity message (Abrahami, [0027]).
Claim 32 is rejected under 35 U.S.C. 103 as being unpatentable over Singh et al. (US 2017/0223037 A1) in view of Tock et al. (US 2015/0135316 A1) and Stolfo et al. (US 2010/0077483 A1) and further in view of Ettema et al. (US 2017/0019425 A1).

Regarding Claim 32;
Singh and Tock and Stolfo disclose the system of Claim 13.
Singh discloses ... wherein the at least one decoy segment further comprises a decoy segment that includes information associated with the ... computer network (FIG. 46 – Email Monitor/Malicious Email detection Engine); and monitoring the ... computer network to identify one or more interactions associated with the generated at least one decoy segment (FIG. 46 – Email Monitor/Malicious Email detection Engine);
Singh and Tock and Stolfo fail to explicitly disclose creating a virtual computer network corresponding to the computer network.../virtual computer network; and monitoring the virtual computer network to identify interactions associated with... 
However, in an analogous art, Ettema teaches creating a virtual computer network corresponding to the computer network.../virtual computer network ([0044] - In either use case scenario, a clone of Alice's targeted host device can be instantiated as a customized VM instance in a VM environment (e.g., instrumented VM environment), along with instances for emulating a subset of devices from the target network environment (e.g., email server, DNS server, printer, etc.) in the VM environment (e.g., using a cloud security service or on a data appliance deployed on the target network environment). In particular, the VM environment can be configured to automatically synchronize with relevant portions of the target network (e.g., network layout, IP addresses, customized host images, etc.) to implement a honey network for the target network. The malware sample (e.g., malware URL, malware file/web download, malware email, and/or malware email attachment, etc.); and monitoring the virtual computer network to identify interactions associated with [malware] ([0044] -  The behavior of the malware and any subsequent activities on the virtual clone of Alice's target host on the device and/or network interactions with other devices emulated in the honey network implemented in the VM environment and/or, in some cases, external network activities, such as over the Internet and/or with other devices on the actual target network, can also be monitored and logged to gain competitive analysis and to facilitate advanced threat prevention, as further described below.)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Ettema to the method of Singh and Tock and Stolfo to include creating a virtual computer network corresponding to the computer network...; and monitoring the virtual computer network to identify interactions associated with... Such a combination would provide users with a means for [a] new and improved virtual machine (VM) techniques for advanced security threats (Ettema, [0037]).
One would have been motivated to combine the teachings of Ettema to Singh and Tock and Stolfo to provide users with a means for denying or permitting network transmission based on a set of rules (Ettema, [0003]).
Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KARI L SCHMIDT whose telephone number is (571)270-1385. The examiner can normally be reached Monday-Friday 10am - 6pm (MDT).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571)270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/KARI L SCHMIDT/Primary Examiner, Art Unit 2439