DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Information Disclosure Statement
No information disclosure statement(s) (IDS) was filed before the mailing date of this office action.  Accordingly, no information disclosure statement is being considered by the examiner. 
Claim Objections
Claims 7 and 18 are objected to because of the following informalities:  
Claim 7, lines 5-6: “the commands” should read “the plurality of commands”.
Claim 7, line 8: “predetermined selection criteria” should read “a predetermined selection criterion”.
Claim 7, line 10: “criteria” should read “criterion”.
Claim 18, line 8: “predetermined selection criteria” should read “a predetermined selection criterion”.
Claim 18, line 10: “criteria” should read “criterion”.
Appropriate correction is required.
Claim Rejections - 35 USC § 112
Claims 7, 15 and 18 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claim 7 recites the limitation "the command" in line 7.  
Claim 15 recites the limitation "the command" in line 7.
Claim 18 recites the limitation "the command" in line 8.
There is insufficient antecedent basis for these limitations in the respective claims.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over US-PGPUB No. 2013/0242743 A1 to Thomas et al. (hereinafter “Thomas”), US-PGPUB No. 2020/0067935 A1 to Carnes, III et al. (hereinafter “Carnes”), and further in view of US-PGPUB No. 2008/0018927 A1 to Martin et al. (hereinafter “Martin”).
Regarding claim 1: 
Thomas discloses:
A system (¶32: “… a system 400 …”, see Fig. 4) comprising:
 a processor (¶39: “… firewall 404 …”), the processor configured to: 	
capture network data (¶39: “… direct predetermined network traffic …”) directed to a host node (¶39: “… first set of nodes 402A and/or the second set of nodes 402B …”), the host node comprising a honeypot (¶39: “… honeypot 406 …”), the honeypot configured to emulate operation of a physical or virtual device (¶28: “… the honeypot may emulate (e.g. imitate, etc.) a system to which the predetermined network traffic was originally destined (e.g. prior to being directed to the honeypot).”) to attract malicious activity (¶38: “… the predetermined network traffic may include any network traffic predetermined to be unauthorized, unwanted, undesirable, malicious, etc.”); 
However, Thomas does not disclose the following limitations taught by Carnes:
classify (Carnes, ¶32: “… classification may be done with …”), based on a supervised machine learning model (Carnes, ¶32: “… labeled supervised, unlabeled supervised … machine learning.”), the network data as being one of malicious (Carnes, ¶101: “… suspicious …”, ¶48: “… classified as malicious.”) or not malicious (Carnes, ¶101: “… suspicious or not.”);
classify (Carnes, ¶32: “… classification may be done with …”), based on an unsupervised machine learning model (Carnes, ¶32: “… unsupervised machine learning …”), the network data as being one of anomalous (Carnes, ¶32: “… suspicious …”) or not anomalous (Carnes, ¶32: “… trusted …”); 
retrain the supervised machine learning model and unsupervised machine learning model based on the network data (Carnes, ¶33: “… The classifier can be continuously trained and upon discovery of a suspicious device re-trained excluding the traffic of the suspicious device …”, see Fig. 3: “Retrain network classifier”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teachings of Thomas to incorporate the functionality of the classification process, which classifies endpoint network devices into trusted and one or more categories of suspicious devices and re-routes the network traffic of a device in a suspicious category into a corresponding isolated network domain (or a honeypot), as disclosed by Carnes; such a modification would allow the system to break or slow attackers down and provide information to investigate and restrain the attack in time.
This same motivation applies to the claims where Carnes is cited as a reference.
The combination of Thomas and Carnes does not disclose the following limitations taught by Martin:
alter operation of the honeypot (Martin, ¶19: “… switching the software environment to the honeypot mode of operation …”); 
determine (Martin, ¶19: “… enabling the electronic device to …”), after operation of the honeypot is altered (Martin, ¶19: “… when in the honeypot mode of operation …”), the honeypot is accessed (Martin, ¶19: “… automatically send a non-user-detectable report …”, ¶63: “… the unauthorized user will continue to have access to the device and at least some of the device functions/operations when the device operates in honeypot mode …”); 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teachings of the combination of Thomas and Carnes to incorporate the functionality of the method to switch the software environment to a honeypot mode of operation in response to a detection of a predetermined condition, as disclosed by Carnes; such a modification would allow the system to learn about the malicious behavior of attackers and create profiles, and to detect and trace malicious actors without the actors being aware that their activities are being monitored.
This same motivation applies to the following claims where Martin is cited as a reference.
Regarding claim 2:
The combination of Thomas, Carnes and Martin discloses:
The system of claim 1, wherein to alter operation of the honeypot (see Martin, Figure 2, steps 300-500 to alter operation of the honeypot) the processor is further configured to: 
select a predetermined instruction configured to cause the honeypot to alter operation (Martin, ¶19: “… detecting at the electronic device the predetermined condition; in response to the detection, switching the software environment to the honeypot mode of operation …”, Figure 2, step 400);
and 
execute the predetermined instruction (Martin, ¶19: “in response to the detection, switching the software environment to the honeypot mode of operation …”, Figure 2, step 400).  
Regarding claim 3:
The combination of Thomas, Carnes and Martin discloses:
The system of claim 1, wherein the supervised machine learning model is trained based on a plurality of attack signatures stored in a repository (Carnes, ¶55: “… a fingerprint database 40 …”) (Carnes, ¶101: “FIG. 10 is a flowchart of a blacklisting process 200 based on traffic signatures. The blacklisting process 200 collects network traffic (step 201), labels traffic as suspicious as appropriate (step 202), and trains a supervised machine learning model (step 203).”).  
Regarding claim 4:
The combination of Thomas, Carnes and Martin discloses:
The system of claim 3, wherein to retrain the supervised machine learning model, the processor is further configured to: 
determine features based on the network data (Thomas, ¶36: “… the firewall 404 may identify characteristics of the network traffic during the processing. … the characteristics of the network traffic may include a source address, source port, destination address, destination port, protocol, type, state, flags, size, and/or any other information related to the network traffic.”, ¶38: “The firewall 404 may accordingly utilize such characteristics identified with respect to the network traffic for determining whether the network traffic includes predetermined network traffic.”);
generate a new attack signature comprising the determined features (Thomas, ¶39: “… the firewall 404 may direct predetermined network traffic to a honeypot 406.”); and 
store the new attack signature in the repository (Thomas, ¶44: “… load new records stored on the honeypot 406 into the database 410 in response to the honeypot 406 processing predetermined network traffic.”).  
Regarding claim 5:
The combination of Thomas, Carnes and Martin discloses:
The system of claim 1, wherein the processor is further configured to: 
extract, from the network data, features from a physical layer portion of the network data and the network layer portion of the network data (Thomas, ¶36: “… identify characteristics of the network traffic … the characteristics of the network traffic may include a source address, source port, destination address, destination port, protocol, type, state, flags, size, and/or any other information related to the network traffic. Optionally, the source address and/or destination address may include a media access control (MAC) address, an Internet protocol (IP) address, an address resolution protocol (ARP) address, etc.”).  
Regarding claim 6:
The combination of Thomas, Carnes and Martin discloses:
The system of claim 1, wherein the unsupervised machine learning model comprises a one-class deep neural network (Carnes, ¶29: “… utilizes a one-class classifier … unsupervised machine learning implemented with deep neural networks, such as autoencoders and generalized adveserial networks.”).  
Regarding claim 7:
The combination of Thomas, Carnes and Martin discloses:
The system of claim 1, wherein to alter operation of the honeypot, the processor is further configured to: 
identify a plurality of commands (Martin, ¶59: “… Internal Trigger Option 410 … nth failed attempt to enter a password might be the internal …”, ¶60: “… External Trigger Option 420 …”, ¶61: “… Authenticated External Trigger Option 430 …”) associated with respective reward metrics (Martin, ¶59: “… internal state …”, ¶60: “… message is received … and checked … to see if it recognizes the message as a honeypot-triggering command.”, ¶61: “A message is received … and authenticated … to verify that the message is a legitimate honeypot-triggering command sent by an authorized sender.”), the respective reward metrics inversely proportional to a measure of confidence to forecast a response from a source node after execution of the commands, respectively (Martin, ¶59: “By way of illustration only, an nth failed attempt to enter a password might be the internal, honeypot-triggering event, where n is a predetermined value, for example 10. As envisioned here, the nth failed attempt would not block further password attempts (as is often the case in many systems). Rather, it would be "accepted," leading the unsuspecting user into the honeypot snare.” It will be apparent to those of ordinary skill in the art that a higher number of failed attempts (n) is associated with a lower confidence in the attacker's behavior; thus the reward metrics are inversely proportional to the measure of confidence.);
determine a reward metric (Martin, ¶59: “… monitors its internal state …”) associated with the command (Martin, ¶59: “… Internal Trigger Option 410 … nth failed attempt to enter a password might be the internal …”) satisfies predetermined selection criteria (Martin, ¶59: “…  protected device 10 monitors its internal state to see if it matches at step 411 a predetermined criterion which warrants ordering the protected device to operate in honeypot mode.”); and 
select the command from the plurality of commands in response to satisfaction of the predetermined selection criteria (Martin, ¶59: “If it does, then the protected device proceeds to step 500 (FIG. 2).”).  
Regarding claim 8:
The combination of Thomas, Carnes and Martin discloses:
The system of claim 7, wherein satisfaction of the predetermined selection criteria comprises the reward metric being greater than a threshold reward value (Martin, ¶59: “… predetermined value, for example 10.”) or the reward metric being ranked highest among the respective reward metrics (Martin, ¶59: “… predetermined value, for example 10. … the nth failed attempt would not block further password attempts … Rather, it would be "accepted," leading the unsuspecting user into the honeypot snare.”).
Regarding claims 9-16:
Claims 9-16 substantially recite the same limitations as claims 1-8, respectively, in the form of a system implementing the corresponding method; therefore, they are rejected by the same rationale.
Regarding claims 17-20:
Claims 17, 18-19 and 20 substantially recite the same limitations as claims 1, 7-8 and 4, respectively, in the form of a non-transitory computer readable storage medium storing instructions to execute the corresponding methods; therefore, they are rejected by the same rationale.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 
Buford et al. (US-PGPUB No. 2012/0167208 A1) disclosed systems, methods, and computer-readable storage media for a honeypot addressing cyber threats enabled by convergence of data and communication services in an enterprise network. Suspicious incoming VoIP calls from the Internet to the enterprise network are intercepted and directed to a VoIP honeypot that acts as a network decoy and responds automatically during call sessions for the suspicious incoming VoIP calls while tracing the suspicious incoming VoIP calls.
Pliskin et al. (US-PGPUB No. 2020/0053123 A1) disclosed methods, systems, and computer program products for detecting malicious cloud-based resource allocations. Such detection may be achieved using machine learning-based techniques that analyze sequences of cloud-based resource allocations to determine whether such sequences are performed with a malicious intent.
Krylov et al. (US-PGPUB No. 2019/0243972 A1) disclosed systems and methods for training and retraining a model for detection of malicious activity from container files, which contain at least two or more objects constituting logically separate data regions. Parameters of each object chosen from at least one safe container and one malicious container are determined which uniquely characterize the functional relation of the mentioned object to at least one selected object.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MATTHIAS HABTEGEORGIS whose telephone number is (571)272-1916. The examiner can normally be reached M-F 8am-5pm ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok B Patel can be reached on (571)272-3972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/M.H./Examiner, Art Unit 2491

/ASHOKKUMAR B PATEL/Supervisory Patent Examiner, Art Unit 2491