Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION

This action is in response to the communication filed on 4/7/21.
All objections and rejections not set forth below have been withdrawn.
Claims 1 – 20 are pending.
Any references to applicant’s specification are made by way of applicant’s U.S. pre-grant printed patent publication.

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1 – 20 are rejected under 35 U.S.C. 103 as being unpatentable over Converse et al. (Converse), US 2005/0166072 A1 in view of Allen (Allen), US 2018/0262529 A1.

Regarding claim 1, Converse discloses:
detecting, …, a plurality of malicious attacks from a plurality of network connections (e.g. Converse, par. 80, 98).
Converse discloses that a plurality of malicious users may be detected by a honeypot system.  However, Converse appears to illustrate the attack of only a single malicious user at a time (e.g. Converse, fig. 5a:500).  Thus, Converse does not appear to explicitly illustrate the feature of “…simultaneously…”.
Allen, however, also discloses a honeypot system for the detection of attacks by a plurality of malicious users (e.g. Allen, Abstract; par. 2, 5).  Furthermore, Allen illustrates a plurality of malicious users (i.e. “simultaneously”) attacking and being detected by a honeypot (e.g. Allen, par. 5, 21, 22, 39, 55, 73; fig. 1:104; fig. 9:906 - “malicious users”).  
It would have been obvious to one of ordinary skill in the art to recognize the simultaneous attack and detection teachings of Allen within the system of Converse for detecting the attacks of a plurality of malicious users.  This would have been obvious because one of ordinary skill in the art would have been motivated by the advantage of increased system performance and efficiency of enabling a honeypot system to effectively handle the multitude of connections and attacks to the system at any point in time (e.g. Allen, par. 22, 39). 
Thus, the combination enables:
receiving, at a honeypot, a first network connection of the plurality of network connections and a second network connection of the plurality of network connections, both as part of an interactive session that comprises a first set of malicious attacks of the plurality of malicious attacks from the first network connection and a second set of malicious attacks of the plurality of malicious attacks from the second network connection (e.g. Converse, fig. 5a:504, 506; par. 6, 8, 10, 45; Allen; fig. 1:104);
identifying a first source internet protocol (IP) address of the first network connection and a second source IP address of the second network connection (e.g. Converse, par. 99; fig. 8a:812; Allen, par. 105, 110);
accessing a personality state table maintained internally by the honeypot (e.g. Fig. 5a:542; par. 115, 116); 
selecting, from the personality state table, and based on the first source IP address and the second source IP address, a first personality with a first set of host attributes expected by a first set of exploits presented by the first network connection as part of the first set of malicious attacks and a second personality with a second set of host attributes expected by a second set of exploits presented by the second network connection as part of the second set of malicious attacks (e.g. Converse, par. 83, 85, 99, 115, 116; fig. 5a:540, 542; fig. 8a:812, 814; Allen, fig. 1:104); 
and presenting the first personality to the first network connection and the second personality to the second network connection to ensure continuity of the interactive session with the honeypot (e.g. Converse, fig. 5a:504, 506; Allen, fig. 1:104).

Regarding claim 2, the combination enables:
updating the personality state table with one or more new source IP addresses of the plurality of network connections and one or more new exploits presented by the plurality of network connections (e.g. Converse, fig. 7a; par. 82, 83, 85, 86 – non-existent personalities associated with detected attackers may be added to the honeypot’s table of personality rules).

Regarding claim 3, the combination enables:
accessing a security exploits database (e.g. Converse, fig. 5a:522); 
identifying a plurality of expected attributes associated with a plurality of known exploits (e.g. Converse, fig. 5a:526); 
accessing a malicious attacks database (e.g. Converse, fig. 5a:524); 
identifying a plurality of existing source IP addresses associated with the plurality of known exploits (e.g. Converse, par. 99); 
correlating the plurality of existing source IP addresses with the plurality of known exploits (e.g. Converse, fig. 5a:542, 540; par. 55-60, 99); 
generating one or more new profiles, based on the correlation (e.g. Converse, par. 55, 57, 59, 85); 
generating the personality state table (e.g. Converse, par. 49, 82 – 86, 115); 
and storing the personality state table on the honeypot (e.g. Converse, fig. 5a:542; par. 49, 115).

Regarding claim 4, the combination enables:
if the first personality does not exist in the personality state table, generating a first alternate personality for the first network connection based on a first set of expected attributes of the plurality of expected attributes that are identified, by a first profile of the one or more profiles, as being similar to the first set of host attributes expected by the first set of exploits, by virtue of the correlation maintained by the personality state table between a first set of known exploits of the plurality of known exploits and a first existing source IP address of the plurality of existing source IP addresses (e.g. Converse, fig. 8:818; par. 99, 105, 114).

Regarding claim 5, the combination enables:
if the second personality does not exist in the personality state table, generating a second alternate personality for the second network connection based on a second set of expected attributes of the plurality of expected attributes that are identified, by a second profile of the one or more profiles, as being similar to the second set of host attributes expected by the second set of exploits, by virtue of the correlation maintained by the personality state table between a second set of known exploits of the plurality of known exploits and a second existing source IP address of the plurality of existing source IP addresses (e.g. Converse, fig. 8:818; par. 99, 105, 114).

Regarding claim 6, the combination enables:
presenting, simultaneously, the first alternate personality to the first network connection and the second alternate personality to the second network connection, if the first personality and the second personality do not exist in the personality state table (e.g. Converse, fig. 5a:504, 506; fig. 8a:818, 808; par. 105, 114; Allen, fig. 1:104).
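As an added illustration of the method recited in claims 1 – 6 (this is example code written for this page; it is not code from the application, from Converse, or from Allen), the following Python sketch models a honeypot that keeps a personality state table keyed by source IP address, serves two connections of one interactive session from that table, and, where no personality exists for a source IP, generates an alternate personality from the stored profile most similar to the host attributes the connection's exploits expect (claims 4 – 6), then records the new IP and attributes in the table (claim 2). The attribute strings, profile names, IP addresses and the Jaccard similarity used to rank profiles are all constructed assumptions for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Personality:
    """A host personality: the set of host attributes an attacker's exploits expect to find."""
    name: str
    host_attributes: FrozenSet[str]


class PersonalityStateTable:
    """Table maintained internally by the honeypot.

    by_source_ip maps a known source IP to a personality name; profiles are the
    attribute sets derived (in the claims) from the security-exploits and
    malicious-attacks databases, used to synthesise an alternate personality
    when a source IP has no entry yet.
    """

    def __init__(self, profiles: List[Personality]) -> None:
        self.profiles = list(profiles)
        self.personalities: Dict[str, Personality] = {p.name: p for p in self.profiles}
        self.by_source_ip: Dict[str, str] = {}

    def update(self, src_ip: str, personality: Personality) -> None:
        """Claim 2: record a new source IP and the exploits/attributes it presented."""
        self.personalities[personality.name] = personality
        self.by_source_ip[src_ip] = personality.name

    @staticmethod
    def jaccard(a: FrozenSet[str], b: FrozenSet[str]) -> float:
        """Similarity between two attribute sets (assumed metric, 0.0 .. 1.0)."""
        union = a | b
        return len(a & b) / len(union) if union else 0.0

    def select(self, src_ip: str, expected_attrs: FrozenSet[str]) -> Tuple[Personality, bool]:
        """Return (personality, is_alternate) for this source IP.

        A known IP keeps its existing personality so the interactive session
        stays continuous; an unknown IP gets an alternate personality built from
        the most similar stored profile plus the attributes its exploits expect.
        """
        name = self.by_source_ip.get(src_ip)
        if name is not None:
            return self.personalities[name], False
        best = max(self.profiles,
                   key=lambda p: self.jaccard(p.host_attributes, expected_attrs))
        alternate = Personality(f"alt-{src_ip}", best.host_attributes | expected_attrs)
        self.update(src_ip, alternate)
        return alternate, True


def serve_session(table: PersonalityStateTable,
                  connections: List[Tuple[str, FrozenSet[str]]]) -> Dict[str, Tuple[str, bool]]:
    """Present a personality to every connection of one interactive session.

    Each connection is handled against the same table in the same pass, which is
    the 'simultaneous' presentation the claims recite. Returns
    {source_ip: (personality name, alternate?)}.
    """
    served: Dict[str, Tuple[str, bool]] = {}
    for src_ip, expected_attrs in connections:
        personality, is_alternate = table.select(src_ip, expected_attrs)
        served[src_ip] = (personality.name, is_alternate)
    return served


def build_demo_table() -> PersonalityStateTable:
    """Constructed sample profiles and one pre-existing IP entry (not real data)."""
    profiles = [
        Personality("linux-ssh", frozenset({"os:linux", "svc:ssh/OpenSSH_7.4", "arch:x86_64"})),
        Personality("windows-smb", frozenset({"os:windows", "svc:smb/1", "arch:x86_64"})),
    ]
    table = PersonalityStateTable(profiles)
    table.by_source_ip["198.51.100.7"] = "linux-ssh"  # a source seen in an earlier attack
    return table


# Constructed sample session: one known source IP, one unknown source IP.
DEMO_CONNECTIONS: List[Tuple[str, FrozenSet[str]]] = [
    ("198.51.100.7", frozenset({"os:linux", "svc:ssh/OpenSSH_7.4"})),
    ("203.0.113.9", frozenset({"os:windows", "svc:smb/1", "svc:rdp"})),
]

if __name__ == "__main__":
    demo = build_demo_table()
    for ip, (name, alt) in serve_session(demo, DEMO_CONNECTIONS).items():
        print(f"{ip} -> {name} ({'alternate' if alt else 'existing'})")
```

The second connection has no table entry, so the sketch ranks the stored profiles by overlap with the attributes its exploits expect (the Windows/SMB profile wins), builds an alternate personality from that profile, and stores it; a later connection from the same IP is then served the same personality rather than a fresh alternate, which is the session continuity the claims describe.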

Regarding claim 7, the combination enables:
wherein the first personality comprises a first state of a first protected host that is targeted by the first set of malicious attacks at a first point in time prior to, during, or after one or more previous malicious attacks from the first source IP address (e.g. Converse, par. 43, 88, 98, 99, 100), and as part of generating the first alternate personality, the first profile is correlated to the first state of the first protected host at the first point in time to determine similarity between the first set of expected attributes and the first set of host attributes expected by the first set of exploits and presented by the first network connection as part of the first set of malicious attacks (e.g. Converse, par. 98-100).

Regarding claim 8, the combination enables:
wherein the second personality comprises a second state of a second protected host that is targeted by the second set of malicious attacks at a second point in time prior to, during, or after one or more previous malicious attacks from the second source IP address (e.g. Converse, par. 43, 88, 98, 99, 100; Allen, fig. 1:104), and as part of generating the second alternate personality the second profile is correlated to the second state of the second protected host at the second point in time to determine similarity between the second set of expected attributes and the second set of host attributes expected by the second set of exploits and presented by the second network connection as part of the second set of malicious attacks (e.g. Converse, par. 98-100; Allen, fig. 1:104).
Regarding claims 8 – 20, they are medium and system claims essentially corresponding to the above method claims and they are rejected, at least, for the same reasons.  Furthermore, regarding claims 8 and 15, Converse discloses a computer readable storage medium, instructions, processors, and memory (e.g. Converse, fig. 1; claim 15, 18).

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
See Notice of References Cited.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JEFFERY L WILLIAMS whose telephone number is (571)272-7965.  The examiner can normally be reached on 7:30 am - 4:00 pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/JEFFERY L WILLIAMS/Primary Examiner, Art Unit 2495